attacking and fixing pkcs 11 security tokens
play

Attacking and Fixing PKCS#11 Security Tokens Matteo Bortolozzo, - PowerPoint PPT Presentation

Mar 27, 2024 •158 likes •520 views

Attacking and Fixing PKCS#11 Security Tokens Matteo Bortolozzo, Matteo Centenaro Riccardo Focardi and Graham Steel Universit` a Ca Foscari, Venezia and LSV, INRIA & CNRS & ENS-Cachan RSA PKCS#11 Describes cryptoki:

  1. Attacking and Fixing PKCS#11 Security Tokens Matteo Bortolozzo, Matteo Centenaro Riccardo Focardi and Graham Steel Universit` a Ca’ Foscari, Venezia and LSV, INRIA & CNRS & ENS-Cachan

  2. RSA PKCS#11 Describes ‘cryptoki’: cryptographic token interface Widely adopted in industry for authentication tokens, smartcards (and HSMs, other devices, ... ) 1/20

  3. RSA PKCS#11 Describes ‘cryptoki’: cryptographic token interface Widely adopted in industry for authentication tokens, smartcards (and HSMs, other devices, ... ) Authentication tokens used for secure login to VPN etc. Devices cost from 20 to 400 USD, global market estimated at 5 billion USD by InfoSecurity Magazine 1/20

  4. RSA PKCS#11 Describes ‘cryptoki’: cryptographic token interface Widely adopted in industry for authentication tokens, smartcards (and HSMs, other devices, ... ) Authentication tokens used for secure login to VPN etc. Devices cost from 20 to 400 USD, global market estimated at 5 billion USD by InfoSecurity Magazine Cryptoki provides a logical view of objects on the token Keys (etc.) stored on the device and accessed by handles Attributes stored with keys to control usage 1/20

  5. 2/20

  6. PKCS#11 Security Section 7 of standard: 3/20

  7. PKCS#11 Security Section 7 of standard: “1. Access to private objects on the token, and possibly to cryptographic functions and/or certificates on the token as well, requires a PIN. 3/20

  8. PKCS#11 Security Section 7 of standard: “1. Access to private objects on the token, and possibly to cryptographic functions and/or certificates on the token as well, requires a PIN. 2. Additional protection can be given to private keys and secret keys by marking them as “sensitive” or “unextractable”. Sensitive keys cannot be revealed in plaintext off the token, and unextractable keys cannot be revealed off the token even when encrypted” 3/20

  9. PKCS#11 Security Section 7 of standard: “1. Access to private objects on the token, and possibly to cryptographic functions and/or certificates on the token as well, requires a PIN. 2. Additional protection can be given to private keys and secret keys by marking them as “sensitive” or “unextractable”. Sensitive keys cannot be revealed in plaintext off the token, and unextractable keys cannot be revealed off the token even when encrypted” “Rogue applications and devices may also change the commands sent to the cryptographic device to obtain services other than what the application requested [but cannot] compromise keys marked “sensitive,” since a key that is sensitive will always remain sensitive. Similarly, a key that is unextractable cannot be modified to be extractable.” 3/20

  10. 4/20

  11. Clulow, CHES 2003 5/20

  12. Formal Model (Delaune, Kremer, S., CSF 2008) Abstract ‘Dolev-Yao’ style h ( n1 , k1 ) - a handle n1 for key k1 ( h is a private symbol ) a1 ( n1 ) - setting of attribute a1 for handle n1 Command : input ; state new output ; state ′ − − → 6/20

  13. Key Management - 1 KeyGenerate : new n , k h ( n , k ) ; L − − − − → Where L = extract ( n ) , ¬ wrap ( n ) , ¬ unwrap ( n ) , ¬ encrypt ( n ) , ¬ decrypt ( n ) , ¬ sensitive ( n ) 7/20

  14. Key Management - 2 Set Wrap : h ( x 1 , y 1 ) ; ¬ wrap ( x 1 ) ; wrap ( x 1 ) → Set Encrypt : h ( x 1 , y 1 ) ; ¬ encrypt ( x 1 ) ; encrypt ( x 1 ) → . . . . . . UnSet Wrap : h ( x 1 , y 1 ) ; wrap ( x 1 ) ; ¬ wrap ( x 1 ) → UnSet Encrypt : h ( x 1 , y 1 ) ; encrypt ( x 1 ) ; ¬ encrypt ( x 1 ) → . . . . . . Some restrictions, e.g. can’t unset sensitive, can’t set extract 8/20

  15. Key Management - 3 Wrap : h ( x 1 , y 1 ) , h ( x 2 , y 2 ) ; wrap ( x 1 ) , → { y 2 } y 1 extract ( x 2 ) Unwrap : new n 1 h ( x 2 , y 2 ) , { y 1 } y 2 ; unwrap ( x 2 ) h ( n 1 , y 1 ) ; L − − − − → Where L = extract ( n ) , ¬ wrap ( n ) , ¬ unwrap ( n ) , ¬ encrypt ( n ) , ¬ decrypt ( n ) , ¬ sensitive ( n ) 9/20

  16. Key Usage Encrypt : h ( x 1 , y 1 ) , y 2 ; encrypt ( x 1 ) → { y 2 } y 1 Decrypt : h ( x 1 , y 1 ) , { y 2 } y 1 ; decrypt ( x 1 ) → y 2 10/20

  17. Fix decrypt/wrap, (and encrypt/unwrap): 11/20

  18. Fix decrypt/wrap, (and encrypt/unwrap): Intruder knows : h ( n 1 , k 1 ) , h ( n 2 , k 2 ) , k 3 State : sensitive ( n 1 ) , extract ( n 1 ) , extract ( n 2 ) ; wrap ( n 2 ) h ( n 2 , k 2 ) → Set wrap: ; wrap ( n 1 ) h ( n 1 , k 1 ) → Set wrap: Wrap: h ( n 1 , k 1 ) , h ( n 2 , k 2 ) → { k 2 } k 1 ; unwrap ( n 1 ) h ( n 1 , k 1 ) → Set unwrap: newn 3 Unwrap: h ( n 1 , k 1 ) , { k 2 } k 1 − − − − → h ( n 3 , k 2 ) Wrap: h ( n 2 , k 2 ) , h ( n 1 , k 1 ) → { k 1 } k 2 ; decrypt ( n 3 ) h ( n 3 , k 2 ) → Set decrypt: Decrypt: h ( n 3 , k 2 ) , { k 1 } k 2 → k 1 11/20

  19. ‘Tool for cryptoKi Analysis’ 12/20

  20. Templates new n , k KeyGenerate : h ( n , k ) ; A ( n , B ) − − − − → ( with B ∈ G ) new n , s KeyPairGenerate : h ( n , s ) , pub ( s ) ; A ( n , B ) − − − − → ( with B ∈ G ) Unwrap ( sym / sym ) : new n 1 } y 2 ; unwrap ( x , ⊤ ) h ( n 1 , y 1 ) ; A ( n 1 , B ) h ( x , y 2 ) , { | y 1 | − − − − → ( with B ∈ U ) new n CreateObject : x ; h ( n , x ) ; A ( n , B ) − − − → ( with B ∈ C ) 13/20

  21. Configuration Language Functions Attributes Always on/off Conflicts Tied Templates Flags (see http://secgroup.ext.dsi.unive.it/tookan for full description) 14/20

  22. Abstractions for Proof (based on Fr¨ oschle & Steel WITS ’09) KeyGenerate : h ( n i , k i ) ; A ( n i , B i ) → ( with B i ∈ G ) KeyPairGenerate : h ( n j , s j ) , pub ( s j ) ; A ( n j , B j ) → ( with B j ∈ G ) Unwrap ( sym / sym ) : } y 2 ; unwrap ( x , ⊤ ) h ( n k , y 1 ) ; A ( n k , B k ) h ( x , y 2 ) , { | y 1 | → ( with B k ∈ U ) CreateObject : x ; h ( n l , x ) ; A ( n l , B l ) → ( with B l ∈ C ) 15/20

  23. 16/20

  24. Device Supported Functionality Attacks found Brand Model s as cobj chan w ws wd rs ru su Tookan Aladdin eToken PRO � � � � � � � wd Athena ASEKey � � � � � � � � � � Bull Trustway RCI wd � � Eutron Crypto Id. ITSEC � � � � � � � � � Feitian StorePass2000 rs Feitian ePass2000 � � � � � � � � � rs Feitian ePass3003Auto � � � � � � � � � rs � � Gemalto SEG � � � MXI Stealth MXP Bio � � � � � � � RSA SecurID 800 rs SafeNet iKey 2032 � � � � � � � � � � � � � � Sata DKey rs � � � � ACS ACOS5 � � � Athena ASE Smartcard Gemalto Cyberflex V2 � � � � � � wd Gemalto SafeSite V1 � � � � � � � � � � � � Gemalto SafeSite V2 rs � � � � � Siemens CardOS V4.3 B ru 17/20

  25. Manufacturer Reaction All 7 received notification at least 5 months before publication. We offered to publish responses on project website 18/20

  26. Manufacturer Reaction All 7 received notification at least 5 months before publication. We offered to publish responses on project website RSA sent response, registered vulnerability with Mitre (CVE-2010-3321), will issue patch details today Aladdin (now Safenet) sent a 2-page response for website 18/20

  27. Manufacturer Reaction All 7 received notification at least 5 months before publication. We offered to publish responses on project website RSA sent response, registered vulnerability with Mitre (CVE-2010-3321), will issue patch details today Aladdin (now Safenet) sent a 2-page response for website Bull invited me for a private meeting at their HQ 18/20

  28. Manufacturer Reaction All 7 received notification at least 5 months before publication. We offered to publish responses on project website RSA sent response, registered vulnerability with Mitre (CVE-2010-3321), will issue patch details today Aladdin (now Safenet) sent a 2-page response for website Bull invited me for a private meeting at their HQ Gemalto responded to Cyberflex vulnerability, but not to SafeSite, and not to request to publish their reponse. Minimal response from anyone else (e.g. requests to know who else is vulnerable) 18/20

  29. OpencryptokiX IBM Opencryptoki is a library including a software token Vulnerable to many attacks (but it’s a software token) 19/20

  30. OpencryptokiX IBM Opencryptoki is a library including a software token Vulnerable to many attacks (but it’s a software token) We have coded two fixed versions one implements config from Fr¨ oschle & Steel WITS ’09 one is a new fix with no new crypto mechanisms Uses a carefully chosen set of templates G = { wu , ed } , U = { eu } 19/20

  31. OpencryptokiX IBM Opencryptoki is a library including a software token Vulnerable to many attacks (but it’s a software token) We have coded two fixed versions one implements config from Fr¨ oschle & Steel WITS ’09 one is a new fix with no new crypto mechanisms Uses a carefully chosen set of templates G = { wu , ed } , U = { eu } Available to download from http://secgroup.ext.dsi.unive.it/cryptokix 19/20

  32. Conclusions Tookan: our tool for formal analysis of PKCS#11 configurations OpencryptokiX: a sandbox for trying token configurations Bees: a library for programming PKCS#11 tokens using symbolic model language 20/20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA & CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA & CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA & CNRS & ENS-Cachan (joint work with Riccardo Focardi, Matteo Bortolozzo & Matteo Centenaro, Universit` a Ca Foscari, Venezia) 1/16 RSA Public

569 views • 17 slides
JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab louis@pentesterlab.com About me Security Engineer Pentester/Code Reviewer/Security consultant/Security architect/IANAC Run a website to help people learn security

1.28k views • 79 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Encryption PKCS #1 v1.5 PKCS #1 v2.0 : OAEP Signature

286 views • 17 slides
CONSISTENT PKCS#11 CONSISTENT PKCS#11 IN OPERATING SYSTEMS IN OPERATING SYSTEMS IMPROVING USER

CONSISTENT PKCS#11 CONSISTENT PKCS#11 IN OPERATING SYSTEMS IN OPERATING SYSTEMS IMPROVING USER

CONSISTENT PKCS#11 CONSISTENT PKCS#11 IN OPERATING SYSTEMS IN OPERATING SYSTEMS IMPROVING USER EXPERIENCE AND SECURITY IN RHEL AND FEDORA IMPROVING USER EXPERIENCE AND SECURITY IN RHEL AND FEDORA Jakub Jelen Software Engineer Red Hat

961 views • 38 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12,

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12,

Security and Social Context or Why Facebook is Worth Fixing Security and Human Behavior Jun 12, 2009 Joseph Bonneau, Computer Laboratory Today I) Culture gap on social networks is hurting security II) The future of the internet is social

762 views • 17 slides
Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

1.24k views • 76 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher

ATTACK & & ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

577 views • 28 slides
SRM Space Tokens SRM Space Tokens SRM Space Tokens SRM Space Tokens Scalla/xrootd Andrew

SRM Space Tokens SRM Space Tokens SRM Space Tokens SRM Space Tokens Scalla/xrootd Andrew

SRM Space Tokens SRM Space Tokens SRM Space Tokens SRM Space Tokens Scalla/xrootd Andrew Hanushevsky Stanford Linear Accelerator Center Stanford University Stanford University 27-May-08 http://xrootd slac stanford edu

550 views • 23 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Importance of checking every step of the process Simple ways to defend against this attack Data from an analysis of

368 views • 19 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone

TPM Genie Attacking the Hardware Root of Trust For Less Than $50 Introduction Jeremy Boone @uffeux Principal Consultant @ NCC Group Focus on hardware and embedded systems security Previously: 10 years product security @

1.41k views • 54 slides
OpenModelica Environment OpenModelica Environment and Modelica Overview and Modelica Overview

OpenModelica Environment OpenModelica Environment and Modelica Overview and Modelica Overview

OpenModelica Environment OpenModelica Environment and Modelica Overview and Modelica Overview Peter Fritzson, Adrian Pop, Peter Aronsson Peter Fritzson, Adrian Pop, Peter Aronsson OpenModelica Course at INRIA, 2006 06 08 OpenModelica Course

309 views • 18 slides
Monitoring Tools for Large Scale Systems Presented by David Dillow Ross Miller, Jason Hill,

Monitoring Tools for Large Scale Systems Presented by David Dillow Ross Miller, Jason Hill,

Monitoring Tools for Large Scale Systems Presented by David Dillow Ross Miller, Jason Hill, David Dillow, Raghul Gunasekaran, Galen Shipman, Don Maxwell 1 Brief overview of Spider 10 PB storage to users 244 GB/s demonstrated bandwidth

458 views • 16 slides
Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

May12 Higgs 2l2q Working Meeting Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz Universidad Autnoma de Madrid Outline q Using e data for top(+X) background: full 2011 results. q First

378 views • 19 slides
Long lengths EHV electrical links by AC insulated power cable in Japan Shinsuke Naukawa Tokyo

Long lengths EHV electrical links by AC insulated power cable in Japan Shinsuke Naukawa Tokyo

Return to Session Long lengths EHV electrical links by AC insulated power cable in Japan Shinsuke Naukawa Tokyo Electric Power Company Return to Session Long length underground link in JAPAN Long length underground link have been

362 views • 8 slides
Embedded Systems Programming Synchronous Model (Module 26) Yann-Hang Lee Arizona State

Embedded Systems Programming Synchronous Model (Module 26) Yann-Hang Lee Arizona State

Embedded Systems Programming Synchronous Model (Module 26) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Actor-Oriented Design Object

448 views • 8 slides
RIStAL Centre de Recherche en Informatique, Signal et Automatique de Lille 1 Parametric WCET

RIStAL Centre de Recherche en Informatique, Signal et Automatique de Lille 1 Parametric WCET

JNP : Symbolic WCET Computation Clment Ballabriga, Julien Forget, Giuseppe Lipari Real-Time System Symposium, Paris, December 2017 RIStAL Centre de Recherche en Informatique, Signal et Automatique de Lille 1 Parametric WCET Parametric

231 views • 4 slides
Integration of Architecture Specification, Testing and Dependability Analysis Swapna S. Gokhale

Integration of Architecture Specification, Testing and Dependability Analysis Swapna S. Gokhale

Integration of Architecture Specification, Testing and Dependability Analysis Swapna S. Gokhale Kishor S. Trivedi. Joseph R. Horgan Dept. of Electrical & Computer Engg. Applied Research Duke University Telcordia Technologies Durham, NC

406 views • 30 slides
The Good, The Bad and The Ug Ugly Ellis Jacobs, Ph.D., DABCC, FAACC Principal, EJ Clinical

The Good, The Bad and The Ug Ugly Ellis Jacobs, Ph.D., DABCC, FAACC Principal, EJ Clinical

Biotin and Immunoassays: The Good, The Bad and The Ug Ugly Ellis Jacobs, Ph.D., DABCC, FAACC Principal, EJ Clinical Consulting, LLC Agenda . 2 Biotin & Immunoassays - The Good, The Bad and The Ugly What is Biotin 3 Biotin &

739 views • 40 slides

More recommend