automated analysis of the security of xor based key
play

Automated Analysis of the Security of XOR-Based Key Management - PowerPoint PPT Presentation

Jan 28, 2023 •275 likes •736 views

Automated Analysis of the Security of XOR-Based Key Management Schemes V eronique Cortier, Gavin Keighren, Graham Steel I V N E U R S E I H T Y T O H F G R E U D B I N 1 Automated Teller Machines Graham Steel

  1. Automated Analysis of the Security of XOR-Based Key Management Schemes V´ eronique Cortier, Gavin Keighren, Graham Steel I V N E U R S E I H T Y T O H F G R E U D B I N

  2. 1 Automated Teller Machines Graham Steel Security API Analysis March 2007

  3. 2 Graham Steel Security API Analysis March 2007

  4. 3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA Graham Steel Security API Analysis March 2007

  5. 3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA 3DES encrypt under a PDK (PIN Derivation Key) Decimalise first 4 digits of result Graham Steel Security API Analysis March 2007

  6. 3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA 3DES encrypt under a PDK (PIN Derivation Key) Decimalise first 4 digits of result PIN = IPIN + Offset (modulo 10 each digit) Offset NOT secure! Graham Steel Security API Analysis March 2007

  7. 4 Graham Steel Security API Analysis March 2007

  8. 4 data, pin, imp,... Graham Steel Security API Analysis March 2007

  9. 4 data, pin, imp,... { | d1 } | km ⊕ data { | pdk1 } | km ⊕ pin Graham Steel Security API Analysis March 2007

  10. 5 CCA API - Examples Encrypt Data: → { | D1 } | km ⊕ data , Message Host HSM : → { | Message } | D1 HSM Host : Graham Steel Security API Analysis March 2007

  11. 5 CCA API - Examples Encrypt Data: → { | D1 } | km ⊕ data , Message Host HSM : → { | Message } | D1 HSM Host : Verify PIN: → { | PINBlock } | p1 , PAN, { | pdk1 } | km ⊕ pin , Host HSM : OFFSET, { | p1 } | km ⊕ ipinenc → HSM Host : yes/no Graham Steel Security API Analysis March 2007

  12. 6 Importing Key Parts ‘Separation of duty’ Key k = k1 ⊕ k2 → Host HSM : k1, TYPE → { | k1 } | km ⊕ kp ⊕ TYPE HSM Host : Graham Steel Security API Analysis March 2007

  13. 6 Importing Key Parts ‘Separation of duty’ Key k = k1 ⊕ k2 → Host HSM : k1, TYPE → { | k1 } | km ⊕ kp ⊕ TYPE HSM Host : → { | k1 } | km ⊕ kp ⊕ TYPE , k2, TYPE Host HSM : → { | k1 ⊕ k2 } | km ⊕ TYPE HSM Host : Usually used to import a ‘key encrypting key’ ( { | KEK } | km ⊕ imp ) Graham Steel Security API Analysis March 2007

  14. 7 Importing Encrypted Keys Exported from another 4758 encrypted under KEK ⊕ TYPE Key Import: → { | KEY1 } | KEK ⊕ TYPE , TYPE, { | KEK } | km ⊕ imp Host HSM : → { | KEY1 } | km ⊕ TYPE HSM Host : Graham Steel Security API Analysis March 2007

  15. 8 Attack (Bond, 2001) (part 1) PIN derivation key: { | pdk } | kek ⊕ pin Have key part { | kek ⊕ k2 } | km ⊕ imp ⊕ kp for known k2 Graham Steel Security API Analysis March 2007

  16. 8 Attack (Bond, 2001) (part 1) PIN derivation key: { | pdk } | kek ⊕ pin Have key part { | kek ⊕ k2 } | km ⊕ imp ⊕ kp for known k2 → { | kek ⊕ k2 } | km ⊕ kp ⊕ imp , k2 ⊕ pin ⊕ data , imp Host HSM : → { | kek ⊕ pin ⊕ data } | km ⊕ imp HSM Host : Graham Steel Security API Analysis March 2007

  17. 9 Attack (Bond, 2001) (part 2) Key Import → { | pdk } | kek ⊕ pin , data, { | kek ⊕ pin ⊕ data } | km ⊕ imp Host HSM : → { | pdk } | km ⊕ data HSM Host : Graham Steel Security API Analysis March 2007

  18. 9 Attack (Bond, 2001) (part 2) Key Import → { | pdk } | kek ⊕ pin , data, { | kek ⊕ pin ⊕ data } | km ⊕ imp Host HSM : → { | pdk } | km ⊕ data HSM Host : Encrypt data → { | pdk } | km ⊕ data , pan Host HSM : → { | pan } | pdk (= PIN!) HSM Host : Graham Steel Security API Analysis March 2007

  19. 10 IBM Recommendations Published in response to attacks Graham Steel Security API Analysis March 2007

  20. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command Graham Steel Security API Analysis March 2007

  21. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command 2. More access control – security officers access fewer commands Graham Steel Security API Analysis March 2007

  22. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command 2. More access control – security officers access fewer commands 3. Procedural controls to check entered key parts Graham Steel Security API Analysis March 2007

  23. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command 2. More access control – security officers access fewer commands 3. Procedural controls to check entered key parts Not to be confused with Bond’s own recommendations Graham Steel Security API Analysis March 2007

  24. 11 Formal Modelling Following the classical ‘Dolev-Yao’ style: Bitstrings modelled as terms Cryptography modelled as function on terms Graham Steel Security API Analysis March 2007

  25. 11 Formal Modelling Following the classical ‘Dolev-Yao’ style: Bitstrings modelled as terms Cryptography modelled as function on terms API rules modelled as Horn clauses Graham Steel Security API Analysis March 2007

  26. 11 Formal Modelling Following the classical ‘Dolev-Yao’ style: Bitstrings modelled as terms Cryptography modelled as function on terms API rules modelled as Horn clauses Security problem modelled as derivability of a secret term Graham Steel Security API Analysis March 2007

  27. 12 Examples Encrypt data: x , { | xd1 } | km ⊕ data → { | x } | xd1 Graham Steel Security API Analysis March 2007

  28. 12 Examples Encrypt data: x , { | xd1 } | km ⊕ data → { | x } | xd1 Intruder rules: → { | x } | y x , y { | x } | y , y → x → x ⊕ y x , y Graham Steel Security API Analysis March 2007

  29. 12 Examples Encrypt data: x , { | xd1 } | km ⊕ data → { | x } | xd1 Intruder rules: → { | x } | y x , y { | x } | y , y → x → x ⊕ y x , y Secrecy problem undecidable in general Graham Steel Security API Analysis March 2007

  30. 13 Characterisation of Class Finite set of atoms (km, imp, data, pin, ... ) XOR term ::= atom atom ⊕ XOR term { | XOR term } | XOR term Encryption term ::= Well Formed Term ::= Encryption term XOR term WFT, ... , WFT → WFT Well Formed Rule ::= Graham Steel Security API Analysis March 2007

  31. 14 Theorem If: R finite set of well-formed rules S finite set of well-formed ground terms u some ground well-formed term Then: S ⊢ R u ⇐ ⇒ S ⊢ R u using only well-formed terms. Graham Steel Security API Analysis March 2007

  32. 14 Theorem If: R finite set of well-formed rules S finite set of well-formed ground terms u some ground well-formed term Then: S ⊢ R u ⇐ ⇒ S ⊢ R u using only well-formed terms. Corollary: The question of whether S ⊢ R u is decidable Graham Steel Security API Analysis March 2007

  33. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Graham Steel Security API Analysis March 2007

  34. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Encode terms as integers kek ⊕ pin ⊕ data → km kp kek imp exp data pin ← 19 0 0 1 0 0 1 1 Graham Steel Security API Analysis March 2007

  35. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Encode terms as integers kek ⊕ pin ⊕ data → km kp kek imp exp data pin ← 19 0 0 1 0 0 1 1 Each rule is a partial function f : N k → N for k inputs e.g. f 1 : x 1 , x 2 → x 1 ⊕ x 2 x 1 , x 2 → x 1 ⊕ x 2 ≡ Graham Steel Security API Analysis March 2007

  36. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Encode terms as integers kek ⊕ pin ⊕ data → km kp kek imp exp data pin ← 19 0 0 1 0 0 1 1 Each rule is a partial function f : N k → N for k inputs e.g. f 1 : x 1 , x 2 → x 1 ⊕ x 2 x 1 , x 2 → x 1 ⊕ x 2 ≡ f 2 : [ xky | x ] , xtype , [ xkek | km ⊕ imp ] → [ xky | km ⊕ xtype ] IF x = xkek ⊕ xtype Graham Steel Security API Analysis March 2007

  37. 16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Graham Steel Security API Analysis March 2007

  38. 16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Some optimisations used Graham Steel Security API Analysis March 2007

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis Powered by RIPS Technologies High-tech company based in Bochum, Germany Supports the full feature stack of the PHP language Detects

1.06k views • 47 slides
Automated Aspect Recommendation through Clustering-Based Fan-in Analysis Danfeng Zhang , Yao Guo,

Automated Aspect Recommendation through Clustering-Based Fan-in Analysis Danfeng Zhang , Yao Guo,

Automated Aspect Recommendation through Clustering-Based Fan-in Analysis Danfeng Zhang , Yao Guo, Xiangqun Chen Institute of Software, Peking University Talk Outline Background Motivation Clustering-Based Fan-in Analysis (CBFA)

485 views • 30 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University

Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University

Software Security Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

499 views • 36 slides
Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View Paul Hankes Drielsma and Sebastian M odersheim Information Security, ETH Zurich ARSPA Paul Hankes Drielsma 1 Introduction ASW: an

508 views • 14 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Chalmers Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning for Rigorous Systems Engineering In a vague sense, automated reasoning involves: 1. Representing a problem as a mathematical/logical

696 views • 53 slides
An Approach to Automated Thesaurus Construction Using Clusterization-Based Dictionary Analysis

An Approach to Automated Thesaurus Construction Using Clusterization-Based Dictionary Analysis

An Approach to Automated Thesaurus Construction Using Clusterization-Based Dictionary Analysis Nadezhda Lagutina P.G. Demidov Yaroslavl State University Yaroslavl, Russia Thesaurus definition Thesaurus is a vocabulary of controlled

379 views • 14 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule

Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule

Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule Animation (APBSA) Gokhan Gelisen, PhD Cand, PE Cost Manager Polytechnic Institute of NYU / Skanska USA Civil Inc. How to Improve Productivity?

395 views • 35 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng , Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, Limin Sun USENIX Security 2019 Internet-of-Things (IoT) Devices IoT

422 views • 23 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond, Jolyon.Clulow}@cl.cam.ac.uk Workshop on Automated Reasoning for Security Protocols Analysis (ARSPA 2004) 4 th July 2004 Outline An introduction to

764 views • 31 slides
Declare Your Linux Network State! with nmstate Edward Haas, Red Hat < edwardh@redhat.com >

Declare Your Linux Network State! with nmstate Edward Haas, Red Hat < edwardh@redhat.com >

Declare Your Linux Network State! with nmstate Edward Haas, Red Hat < edwardh@redhat.com > Till Maas, Red Hat < till@redhat.com > Linux kernel Hardware 3 Red Hat oVirt Ifcfg initscripts iproute2 ethtool Netlink Linux kernel

532 views • 37 slides
Discrete Dependent Variable Models James J. Heckman University of Chicago Econ 312, Spring 2019

Discrete Dependent Variable Models James J. Heckman University of Chicago Econ 312, Spring 2019

Discrete Dependent Variable Models James J. Heckman University of Chicago Econ 312, Spring 2019 Heckman Variable Models Heres the general approach of this lecture: Decision rule Economic model (e.g. utility

721 views • 56 slides
Unit 6: Introduction to linear regression 2. Outliers and inference for regression PA 6 and PS

Unit 6: Introduction to linear regression 2. Outliers and inference for regression PA 6 and PS

Announcements Unit 6: Introduction to linear regression 2. Outliers and inference for regression PA 6 and PS 6 due tomorrow (Tuesday) 12.30 pm STA 104 - Summer 2017 RA 7 (laste one!) tomorrow too at start of class Duke University,

286 views • 4 slides
Statistical Inference Fall 2018 Tyson S. Barrett, PhD The Whole Idea All can be done in R Why

Statistical Inference Fall 2018 Tyson S. Barrett, PhD The Whole Idea All can be done in R Why

EDUC 7610 Chapter 4 Statistical Inference Fall 2018 Tyson S. Barrett, PhD The Whole Idea All can be done in R Why Statistical Inference? So far, weve used regression just to describe our sample But our goal is to understand the

653 views • 40 slides
Dolores Santa Mara * , M. a ngeles Farrn, M. a ngeles Garca, and Rosa M. a Claramunt

Dolores Santa Mara * , M. a ngeles Farrn, M. a ngeles Garca, and Rosa M. a Claramunt

Dolores Santa Mara * , M. a ngeles Farrn, M. a ngeles Garca, and Rosa M. a Claramunt Departamento de Qumica Orgnica y Bio-Orgnica, Facultad de Ciencias, UNED, Paseo de Senda del Rey 9, E-28040 Madrid, Spain MOLECULAR MODELING:

325 views • 3 slides
Chemistry 2000 Slide Set 7: Band theory of bonding in crystalline solids Marc R. Roussel January

Chemistry 2000 Slide Set 7: Band theory of bonding in crystalline solids Marc R. Roussel January

Chemistry 2000 Slide Set 7: Band theory of bonding in crystalline solids Marc R. Roussel January 18, 2020 Marc R. Roussel Band theory January 18, 2020 1 / 26 Free electron model The free electron model of metals Distinguishing properties

443 views • 26 slides
Table of Contents Why DNA Computing? The Structure of DNA DNA Computing Operations on DNA

Table of Contents Why DNA Computing? The Structure of DNA DNA Computing Operations on DNA

Table of Contents Why DNA Computing? The Structure of DNA DNA Computing Operations on DNA Molecules Reading DNA Example of a Molecular Computer Information Processing with DNA Molecules Christian Jacob Why DNA Computing?

223 views • 9 slides
Scott Stanford # Topology Infrastructure Backups & Disaster Recovery

Scott Stanford # Topology Infrastructure Backups & Disaster Recovery

Scott Stanford # Topology Infrastructure Backups & Disaster Recovery Monitoring Lessons Learned Q&A # # Boston Traditional Proxy 1.2 Tb database, mostly db.have Average daily journal size 70 Gb

571 views • 27 slides

More recommend