analysis of security apis part i
play

Analysis of Security APIs (part I) Riccardo Focardi Universit` a - PowerPoint PPT Presentation

Sep 03, 2022 •34 likes •1.33k views

Analysis of Security APIs (part I) Riccardo Focardi Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it http://www.dsi.unive.it/~focardi http://secgroup.ext.dsi.unive.it/ FOSAD 2010 Bertinoro, Italy, September 6-11, 2010

  1. Guessing a secret via API calls Playing mastermind on PIN V? Can we ‘play mastermind’ on this API? Encrypted PIN Block : contains the PIN at the ATM PIN V( EPB , vdata,len,dectab,offset ) Data for computing the user PIN Returns the equality of the two PINs Example: PIN V( { 4104 , r } k ,vdata,4,0123456789012345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 3 The two values coincide: PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 14 / 42

  2. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,0123456789012345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  3. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,0123456789012345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  4. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  5. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  6. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 4732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  7. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 4732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  8. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 4732 mod 10 = 5104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  9. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 4732 mod 10 = 5104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  10. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 4732 mod 10 = 5104 3 PIN V returns ‘false’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  11. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,4732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 4732 mod 10 = 5104 3 PIN V returns ‘false’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  12. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 5104 3 PIN V returns ‘false’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  13. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 5104 3 PIN V returns ‘false’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  14. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 4104 3 PIN V returns ‘false’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  15. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 4104 3 PIN V returns ‘false’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  16. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 4104 3 PIN V returns ‘true’ FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  17. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 4104 3 PIN V returns ‘true’ We discover that the first digit is 4 with 2 API calls, being lucky FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  18. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 4104 3 PIN V returns ‘true’ We discover that the first digit is 4 with 2 API calls, being lucky Has this kind of attack been tried on real bank systems? FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  19. Guessing a secret via API calls The ‘decimalization’ attack on PIN V The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03] PIN V( { 4104 , r } k ,vdata,4,1123456789112345,3732) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1472 ⊕ 3732 mod 10 = 4104 3 PIN V returns ‘true’ We discover that the first digit is 4 with 2 API calls, being lucky Has this kind of attack been tried on real bank systems? How long does it take to discover the whole PIN? FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 15 / 42

  20. Guessing a secret via API calls The ‘decimalization’ attack on PIN V Reports suggest something has been going on ... Verizon Breach Report 2008 “Were seeing entirely new attacks that a year ago were thought to be only academically possible” “What we see now is people going right to the source [..] and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.” (Quotes from Wired Magazine interview with report author, Bryan Sartin) FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 16 / 42

  21. Analysis of PIN processing APIs Finding efficient strategies How many API calls are needed? For a four digit PIN: [Bond, Zielinski ’03] Average 16.5 API calls [Steel, TCS06] Average 16.145 API calls [Focardi, Luccio, FUN’10] Average 14.47 API calls (as instance of Mastermind) Lower-bound of 13.362 API calls FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 17 / 42

  22. Analysis of PIN processing APIs An extended mastermind The Extended Mastermind Game Colors: C = { 0 , 1 , . . . , N − 1 } Secret sequence: ( c 1 , c 2 , . . . , c k ), with c 1 , . . . , c k ∈ C Extended guess: ( S 1 , S 2 , . . . , S k ), with S 1 , . . . , S k ⊆ C FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 18 / 42

  23. Analysis of PIN processing APIs An extended mastermind The Extended Mastermind Game Colors: C = { 0 , 1 , . . . , N − 1 } Secret sequence: ( c 1 , c 2 , . . . , c k ), with c 1 , . . . , c k ∈ C Extended guess: ( S 1 , S 2 , . . . , S k ), with S 1 , . . . , S k ⊆ C Example 6 colors: C = { 0 , 1 , . . . , 5 } Secret: (1 , 2 , 3 , 1) Extended guess: ( { 1 } , { 3 } , { 1 } , { 1 , 3 } ) what’s the answer? FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 18 / 42

  24. Analysis of PIN processing APIs An extended mastermind The Extended Mastermind Game Colors: C = { 0 , 1 , . . . , N − 1 } Secret sequence: ( c 1 , c 2 , . . . , c k ), with c 1 , . . . , c k ∈ C Extended guess: ( S 1 , S 2 , . . . , S k ), with S 1 , . . . , S k ⊆ C Example 6 colors: C = { 0 , 1 , . . . , 5 } Secret: (1 , 2 , 3 , 1) Extended guess: ( { 1 } , { 3 } , { 1 } , { 1 , 3 } ) what’s the answer? 2 red and 1 white markers FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 18 / 42

  25. Analysis of PIN processing APIs An extended mastermind Red Markers Colors: C = { 0 , 1 , . . . , N − 1 } Secret sequence: ( c 1 , c 2 , . . . , c k ), with c 1 , . . . , c k ∈ C Extended guess: ( S 1 , S 2 , . . . , S k ), with S 1 , . . . , S k ⊆ C Definition (Red markers) The number b of red markers is computed as r = |{ i ∈ [1 , k ] | c i ∈ S i }| . FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 19 / 42

  26. Analysis of PIN processing APIs An extended mastermind Red Markers Colors: C = { 0 , 1 , . . . , N − 1 } Secret sequence: ( c 1 , c 2 , . . . , c k ), with c 1 , . . . , c k ∈ C Extended guess: ( S 1 , S 2 , . . . , S k ), with S 1 , . . . , S k ⊆ C Definition (Red markers) The number b of red markers is computed as r = |{ i ∈ [1 , k ] | c i ∈ S i }| . Example Secret: (1 , 2 , 3 , 1) Extended guess: ( { 1 } , { 3 } , { 1 } , { 1 , 3 } ) r = |{ i ∈ [1 , k ] | c i ∈ S i }| = 2 FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 19 / 42

  27. Analysis of PIN processing APIs An extended mastermind White Markers Secret : ( c 1 , c 2 , . . . , c k ), Extended guess: ( S 1 , S 2 , . . . , S k ) p j = |{ i ∈ [1 , k ] | j = c i }| occurrences of a color j in the secret q j = |{ i ∈ [1 , k ] | j ∈ S i }| occurrences of a color j in the guess Definition (White markers) N � The number w of white markers is computed as w = min ( p j , q j ) − r . j =1 FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 20 / 42

  28. Analysis of PIN processing APIs An extended mastermind White Markers Secret : ( c 1 , c 2 , . . . , c k ), Extended guess: ( S 1 , S 2 , . . . , S k ) p j = |{ i ∈ [1 , k ] | j = c i }| occurrences of a color j in the secret q j = |{ i ∈ [1 , k ] | j ∈ S i }| occurrences of a color j in the guess Definition (White markers) N � The number w of white markers is computed as w = min ( p j , q j ) − r . j =1 Example Secret (1 , 2 , 3 , 1) and extended guess ( { 1 } , { 3 } , { 1 } , { 1 , 3 } ): p 1 = |{ 1 , 4 }| = 2, q 1 = |{ 1 , 3 , 4 }| = 3 , min ( p 1 , q 1 ) = 2 p 2 = 1, q 2 = 0 , min ( p 2 , q 2 ) = 0; p 3 = 1, q 3 = 2 , min ( p 3 , q 3 ) = 1 N � w = min ( p j , q j ) − r = 2 + 0 + 1 − 2 = 1 j =1 FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 20 / 42

  29. Analysis of PIN processing APIs An extended mastermind We can still play Mastermind Proposition The Mastermind game is an instance of the Extended game Proof. Trivial: just restrict the sets in the estended guesses to singletons. FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 21 / 42

  30. Analysis of PIN processing APIs PIN cracking by playing Mastermind Cracking a PIN by playing extended Mastermind Theorem PIN cracking is an instance of the Extended Mastermind game Proof. Intuition: Restrict to cases in which guesses ( S 1 , S 2 , . . . , S k ) minus offset provide either equal or disjoint sets. 1 Modify the dectab mapping of all elements of the i -th set from d to d + i (mod 10) 2 Compensate by − i (mod 10) the offset in the corresponding positions to find out whether those PIN digits are in the set. The answer is four red markers if and only if PIN verification succeeds. FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 22 / 42

  31. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 0123456789012345,4732 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  32. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 0123456789012345,4732 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  33. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 0123456789012345,4732 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  34. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 1234556909123455,4732 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  35. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 1234556909123455,4732 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab Compensate the offset FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  36. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 1234556909123455,3611 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab Compensate the offset FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  37. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 1234556909123455,3611 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 0472 ⊕ 4732 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab Compensate the offset FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  38. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 1234556909123455,3611 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1593 ⊕ 3611 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab Compensate the offset FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  39. Analysis of PIN processing APIs PIN cracking by playing Mastermind Example Example: PIN V( { 4104 , r } k ,vdata,4, 1234556909123455,3611 ) dec k ( { 4104 , r } k ) = 4104 , r 1 4104 enc pdk (vdata) = A 47295 FDE 32 A 48 B 1 2 1593 ⊕ 3611 mod 10 = 4104 We play: ( { 4 , 5 , 6 , 7 , 8 } , { 0 , 1 , 7 , 8 , 9 } , { 0 , 1 } , { 2 , 3 , 4 , 5 , 6 } ) Subtract the offset: ( { 0 , 1 , 2 , 3 , 4 } , { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , { 0 , 1 , 2 , 3 , 4 } ) Two disjoint sets: { 0 , 1 , 2 , 3 , 4 } , { 7 , 8 } , change the dectab Compensate the offset PIN V returns ‘true’ iff PIN digits are in the sets FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 23 / 42

  40. Analysis of PIN processing APIs PIN cracking by playing Mastermind An algorithm for the Extended Mastermind Problem Based on [Knuth JRM76]: an algorithm for the solution of the standard Mastermind problem (quasi optimal solutions). 1 Tries all the possible guesses. For each guess, computes the number of ‘surviving’ solutions related to each possible outcome of the guess; 2 Picks the guess from the previous step which minimizes the maximum number of surviving solutions among all the possible outcomes and performs the guess. FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 24 / 42

  41. Analysis of PIN processing APIs PIN cracking by playing Mastermind An algorithm for the Extended Mastermind Problem Based on [Knuth JRM76]: an algorithm for the solution of the standard Mastermind problem (quasi optimal solutions). 1 Tries all the possible guesses. For each guess, computes the number of ‘surviving’ solutions related to each possible outcome of the guess; 2 Picks the guess from the previous step which minimizes the maximum number of surviving solutions among all the possible outcomes and performs the guess. Focus on two kinds of guesses: ( { 0 , 1 , 2 , 3 , 4 , 5 } , { 0 , 1 , 2 , 3 , 4 , 5 } , { 0 , 1 , 2 , 3 , 4 , 5 } , { 0 , 1 , 2 , 3 , 4 , 5 } ), the same set repeated: checks if 6,7,8,9 are in the PIN ( { 1 , 3 } , { 0 , 2 , 4 , 5 , 6 , 7 , 8 , 9 } , { 0 , 2 , 4 , 5 , 6 , 7 , 8 , 9 } , { 1 , 3 } ), one set and its complementary perform very well and still find a complete strategy FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 24 / 42

  42. Analysis of PIN processing APIs PIN cracking by playing Mastermind Summary of results for PIN cracking Four digit PINs [Bond, Zielinski ’03] Average 16.5 API calls [Steel, TCS06] Average 16.145 API calls [Focardi, Luccio, FUN’10] Average 14.47 API calls with the previous algorithm in Python on this laptop ≈ 18 seconds FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 25 / 42

  43. Analysis of PIN processing APIs PIN cracking by playing Mastermind Summary of results for PIN cracking Four digit PINs [Bond, Zielinski ’03] Average 16.5 API calls [Steel, TCS06] Average 16.145 API calls [Focardi, Luccio, FUN’10] Average 14.47 API calls with the previous algorithm in Python on this laptop ≈ 18 seconds Five digit PINs [Focardi, Luccio, FUN’10] Average 19.3 API calls ≈ 18 minutes FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 25 / 42

  44. Analysis of PIN processing APIs PIN cracking by playing Mastermind Summary of results for PIN cracking Four digit PINs [Bond, Zielinski ’03] Average 16.5 API calls [Steel, TCS06] Average 16.145 API calls [Focardi, Luccio, FUN’10] Average 14.47 API calls with the previous algorithm in Python on this laptop ≈ 18 seconds Five digit PINs [Focardi, Luccio, FUN’10] Average 19.3 API calls ≈ 18 minutes Lower bounds The lower bounds for 4 and 5 digit PINs are 13.362 and 16.689, for the average case FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 25 / 42

  45. Analysis of PIN processing APIs How to fix the API The ‘lunch-break’ attack A realistic scenario gaining access to the HSM and intercepting incoming data an insider might disclose thousands of PINs in a lunch-break! FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 26 / 42

  46. Analysis of PIN processing APIs How to fix the API The ‘lunch-break’ attack A realistic scenario gaining access to the HSM and intercepting incoming data an insider might disclose thousands of PINs in a lunch-break! How to prevent the attack? low-impact CVV-based fix [Focardi, Luccio, Steel, NORDSEC’09] mitigates the attack (50000 times slower) point-to-point MAC-based fix and type-based proof of security [Centenaro, Focardi, Luccio, Steel, ESORICS’09] prevents the attack but requires modifying each HSM efficient HSM upgrading strategies [Focardi, Luccio, ARSPA-WITS’10] securing subnetworks while keeping service up FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 26 / 42

  47. Analysis of PIN processing APIs How to fix the API What kind of attack? FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 27 / 42

  48. Analysis of PIN processing APIs How to fix the API What kind of attack? no cryptoanalysis and no broken protocols FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 27 / 42

  49. Analysis of PIN processing APIs How to fix the API What kind of attack? no cryptoanalysis and no broken protocols Information-flow: variations on the input produce unintended information leakage FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 27 / 42

  50. Information flow Noninterference Absence of information leakage [Goguen, Meseguer’82] Noninterference High behaviour is not observable by the Low attacker FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 28 / 42

  51. Information flow Noninterference Absence of information leakage [Goguen, Meseguer’82] Noninterference High behaviour is not observable by the Low attacker FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 28 / 42

  52. Information flow Noninterference Absence of information leakage [Goguen, Meseguer’82] Noninterference High behaviour is not observable by the Low attacker FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 28 / 42

  53. Information flow Noninterference Absence of information leakage [Goguen, Meseguer’82] Noninterference High behaviour is not observable by the Low attacker FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 28 / 42

  54. Information flow Noninterference Noninterference is too much PIN V( { 4104 , r } k ,vdata, 4, 0123456789012345, 4732) PIN V intentionally ‘leaks’ the correctness of the PIN FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 29 / 42

  55. Information flow Noninterference Noninterference is too much PIN V( { 5832 , r } k ,vdata, 4, 0123456789012345, 4732) PIN V intentionally ‘leaks’ the correctness of the PIN FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 29 / 42

  56. Information flow Noninterference Noninterference is too much PIN V( { 5832 , r } k ,vdata, 4, 0123456789012345, 4732) PIN V intentionally ‘leaks’ the correctness of the PIN PIN correctness is declassified FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 29 / 42

  57. Information flow Robustness Robust declassification [Myers, Sabelfeld, Zdancewic ’06] Robustness Declassification is independent of the attacker behaviour the attacker cannot cause to release more information than intended FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 30 / 42

  58. Information flow Robustness Robust declassification [Myers, Sabelfeld, Zdancewic ’06] Robustness Declassification is independent of the attacker behaviour the attacker cannot cause to release more information than intended FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 30 / 42

  59. Information flow Robustness Robust declassification [Myers, Sabelfeld, Zdancewic ’06] Robustness Declassification is independent of the attacker behaviour the attacker cannot cause to release more information than intended FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 30 / 42

  60. Information flow Robustness Robust declassification [Myers, Sabelfeld, Zdancewic ’06] Robustness Declassification is independent of the attacker behaviour the attacker cannot cause to release more information than intended FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 30 / 42

  61. Information flow Robustness PIN V is not robust! PIN V( { 4104 , r } k ,vdata, 4, 0123456789012345 , 4732) PIN correctness is declassified FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  62. Information flow Robustness PIN V is not robust! PIN V( { 5832 , r } k ,vdata, 4, 0123456789012345 , 4732) PIN correctness is declassified FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  63. Information flow Robustness PIN V is not robust! PIN V( { 5832 , r } k ,vdata, 4, 0123456789012345 , 4732) PIN correctness is declassified the insider tries a decimalization attack FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  64. Information flow Robustness PIN V is not robust! PIN V( { 5832 , r } k ,vdata, 4, 1123456789112345 , 4732) PIN correctness is declassified the insider tries a decimalization attack FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  65. Information flow Robustness PIN V is not robust! PIN V( { 5832 , r } k ,vdata, 4, 1123456789112345 , 4732) PIN correctness is declassified the insider tries a decimalization attack PIN V now fails in both cases FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  66. Information flow Robustness PIN V is not robust! PIN V( { 4104 , r } k ,vdata, 4, 1123456789112345 , 4732) PIN correctness is declassified the insider tries a decimalization attack PIN V now fails in both cases FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  67. Information flow Robustness PIN V is not robust! PIN V( { 4104 , r } k ,vdata, 4, 1123456789112345 , 4732) PIN correctness is declassified the insider tries a decimalization attack PIN V now fails in both cases the attacker has influenced declassification FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 31 / 42

  68. Information flow Robustness The code for PIN verification, what is wrong ... ? PIN V( EPB , vdata , len , dectab , offset ) { x 1 := enc pdk ( vdata ); x 2 := left( len , x 1 ); x 3 := decimalize( dectab , x 2 ); u pin := sum mod10( x 3 , offset ); x 4 := dec k ( EPB ); t pin := fcheck( x 4 ); if ( t pin = ⊥ ) then return( ′′ format wrong ′′ ); if ( t pin = u pin ) then return( ′′ PIN is correct ′′ ); else return( ′′ PIN is wrong ′′ ) } FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 32 / 42

  69. Information flow Robustness How to be robust? declassify high-integrity data in high-integrity program points FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 33 / 42

  70. Information flow Robustness How to be robust? declassify high-integrity data in high-integrity program points declassify(x H = y H ); FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 33 / 42

  71. Information flow Robustness How to be robust? declassify high-integrity data in high-integrity program points declassify(x H = y H ); FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 33 / 42

  72. Information flow Robustness How to be robust? declassify high-integrity data in high-integrity program points declassify(x H = y H ); declassify(x H = z L ); FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 33 / 42

  73. Information flow Robustness How to be robust? declassify high-integrity data in high-integrity program points declassify(x H = y H ); declassify(x H = z L ); FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 33 / 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs:

Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs:

Minimizing Threats from Flawed Security APIs Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs: A Banking PIN Example Mohammad Mannan Carleton University Mohammad Mannan June 26, 2008 1/21

543 views • 21 slides
Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs from the Web December 10-11, 2008 Mat Ford http://www.isoc.org Background ISOC is focused on continued operation of the global Internet

512 views • 12 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA,

879 views • 75 slides
Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov /

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov /

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019 # whoami Security researcher / full-time bug hunter https://bugcrowd.com/0ang3el https://hackerone.com/0ang3el

989 views • 67 slides
Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New Zealand - Auckland August 2019 Wellhow did I get here? Born and raised in northeastern US Straight to university from high school

700 views • 34 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from

A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from

A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from the Web December 10, 2008 John Morris Center for Democracy & Technology 1 Need for New Approach Current failed model for privacy on the web

227 views • 7 slides
Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin

Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin

Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin http://www.cs.columbia.edu/~ { maritzaj,smb } Columbia University December 9, 2008 1 / 7 The Problem Web servers want access to very sensitive The Problem

260 views • 12 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION

$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION

$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION PERF/SCALE STANDARDS HOW: DIGITAL TRANSFORMATION WEB SERVICES REST MICROSERVICES TASKS (PROCESSES) DECISIONS IF IF (RULES) BUSINESS ON

488 views • 30 slides
How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas

How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas

Java's SSLSocket: How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas <lukas@rt-solutions.de> About the Speaker IT Consultant at rt-solutions.de (ITSec, Smartphone Payment) Open Source developer

905 views • 32 slides
Semi-Automa+cally Modeling Web APIs to Create Linked APIs

Semi-Automa+cally Modeling Web APIs to Create Linked APIs

Semi-Automa+cally Modeling Web APIs to Create Linked APIs Mohsen Taheriyan, Craig A. Knoblock, Pedro Szekely, and Jose Luis Ambite USC Information

321 views • 28 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS & Web Security OS Security Web

Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS & Web Security OS Security Web

Safe Extension Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS & Web Security OS Security Web Security More esoteric topics Click fraud, etc. Reputation systems & trust metrics Few papers, but local experts

420 views • 5 slides
EMPIRICISM & EMPIRICAL PHILOSOPHY One of the most remarkable features of the

EMPIRICISM & EMPIRICAL PHILOSOPHY One of the most remarkable features of the

PCES 2.32 EMPIRICISM & EMPIRICAL PHILOSOPHY One of the most remarkable features of the developments in England was the way in which the pioneering scientific work was influenced by certain philosophers, and vice-versa. The most

96 views • 7 slides
Optical Cluster Beam Studies & Production of Laval Nozzles Silke Grieser Westflische

Optical Cluster Beam Studies & Production of Laval Nozzles Silke Grieser Westflische

Optical Cluster Beam Studies & Production of Laval Nozzles Silke Grieser Westflische Wilhelms-Universitt Mnster, Institut fr Kernphysik PANDA Meeting Jlich, December 10th 2014 1 / 20 pumps cluster source dump beam chamber

416 views • 24 slides
Unequal Gains, Prolonged Pain A Model of Protectionist Overshooting and Escalation Emily J.

Unequal Gains, Prolonged Pain A Model of Protectionist Overshooting and Escalation Emily J.

Unequal Gains, Prolonged Pain A Model of Protectionist Overshooting and Escalation Emily J. Blanchard Gerald Willmann Tuck at Dartmouth & CEPR U. Bielefeld & IFW Kiel April 2019 Brexit, Trump, Le Pen, AfD, Conte, Bolsanaro, AMLO...

1.31k views • 62 slides
Graphical Models 10-715 Fall 2015 Alexander Smola alex@smola.org Office hours - after class

Graphical Models 10-715 Fall 2015 Alexander Smola alex@smola.org Office hours - after class

Graphical Models 10-715 Fall 2015 Alexander Smola alex@smola.org Office hours - after class in my office Marianas Labs Directed Graphical Models Brain & Brawn p (brain) = 0 . 1 p (sports) = 0 . 2 smart strong 0 1 0 0.1 0.8 1

1.98k views • 176 slides
5/2/2017 1 Influence of teachers personal health behaviors on operationalizing obesity

5/2/2017 1 Influence of teachers personal health behaviors on operationalizing obesity

5/2/2017 1 Influence of teachers personal health behaviors on operationalizing obesity prevention policy in Head Start preschools: A project of the Childrens Healthy Living Program (CHL). Esquivel MK, Nigg C, Fialkowski JK, Braun K, Li F

414 views • 29 slides
Topic 4 Expressions and Variables "Once a person has understood the way variables are used

Topic 4 Expressions and Variables "Once a person has understood the way variables are used

Topic 4 Expressions and Variables "Once a person has understood the way variables are used in programming, they have understood the quintessence of programming." -Professor Edsger W. Dijkstra Based on slides bu Marty Stepp and

767 views • 39 slides
Chapter 3: Distributions of Random Variables OpenIntro Statistics, 3rd Edition Slides developed

Chapter 3: Distributions of Random Variables OpenIntro Statistics, 3rd Edition Slides developed

Chapter 3: Distributions of Random Variables OpenIntro Statistics, 3rd Edition Slides developed by Mine C etinkaya-Rundel of OpenIntro. The slides may be copied, edited, and/or shared via the CC BY-SA license. Some images may be included

1.76k views • 144 slides
and Visualizations with Examples for Slides by Michael Hahsler Purpose 1) Import data and

and Visualizations with Examples for Slides by Michael Hahsler Purpose 1) Import data and

Essential Data Preparation, Descriptive Statistics and Visualizations with Examples for Slides by Michael Hahsler Purpose 1) Import data and "get used" to the data. 2) Clean the data (e.g., find missing values, outliers, mistakes)

453 views • 23 slides

More recommend