format oracles on openpgp
play

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. - PowerPoint PPT Presentation

Dec 30, 2022 •750 likes •1.05k views

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

  1. Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19

  2. Format Oracles on OpenPGP | Introduction Contribution We identify new format oracles on OpenPGP implementations of symmetrically (authenticated and) encrypted data We study the number of oracle requests necessary to recover a plaintext Format oracle Requests per byte Affected implementation Invalid packet tag 2 GnuPG 2 6 Double literal GnuPG 2 8 MDC packet header GnuPG, End-to-End Maury et al. | ANSSI | CT-RSA 2015 2 / 19

  3. Format Oracles on OpenPGP | Introduction Padding Oracles An encryption scheme is modeled by two (inverse processes) E : P , K → C D : → P (or ⊥ , in authenticated encryption) C , K Issue: Before encryption, the plaintext is usually prepared following a specific format, e.g., a padding is applied After decryption, this format has to be removed. This process may raise errors if the format is not followed The presence/absence of error P E M format C leaks information on the result of decryption ˜ P ˜ ˜ D unformat M C Using malleability of D , this leakage can be aggregated to error decipher a target ciphertext Maury et al. | ANSSI | CT-RSA 2015 3 / 19

  4. Format Oracles on OpenPGP | Introduction Padding/Format Oracles Attacks This principle can be used to mount chosen ciphertext attacks enabling to decipher a target ciphertext adversary C ∗ = E K ( P ∗ ) decryption process for D K purpose: recover P ∗ C i chosen variants of C ∗ computes P i = D K ( C i ) OK or KO information about P i is leaked derives P ∗ (error message, timing info) Previous results Bleichenbacher on RSA-PKCS#1v1.5, in SSL/TLS [Bl98] Vaudenay on CBC mode used with specific padding schemes, in SSL or IPsec [Va02] Kl´ ıma and Rosa noted that the format has not to be restricted to cryptographic padding, but may be applicative [KR03] Maury et al. | ANSSI | CT-RSA 2015 4 / 19

  5. Format Oracles on OpenPGP | OpenPGP OpenPGP Maury et al. | ANSSI | CT-RSA 2015 5 / 19

  6. Format Oracles on OpenPGP | OpenPGP OpenPGP Pretty Good Privacy: published by P. Zimmermann in 1991 Application enabling to protect Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature Standardized by IETF from 1997: OpenPGP message format RFC 2440, november 1998 Updated by RFC 4880, november 2007 Main free implementation of the standard: GnuPG Renewed interest following the Snowden revelations Increase in the number of monthly registered public keys Multiple promotional campaigns Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  7. Format Oracles on OpenPGP | OpenPGP OpenPGP Number of keys registered (by month) Pretty Good Privacy: published by P. Zimmermann in 1991 45 , 000 Snowden 40 , 000 Application enabling to protect 35 , 000 Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature 30 , 000 Standardized by IETF from 1997: OpenPGP message format 25 , 000 GnuPG RFC 2440, november 1998 20 , 000 Updated by RFC 4880, november 2007 15 , 000 Main free implementation of the standard: GnuPG 10 , 000 Renewed interest following the Snowden revelations 5 , 000 Increase in the number of monthly registered public keys 0 Multiple promotional campaigns 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  8. Format Oracles on OpenPGP | OpenPGP OpenPGP Pretty Good Privacy: published by P. Zimmermann in 1991 Application enabling to protect Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature Standardized by IETF from 1997: OpenPGP message format RFC 2440, november 1998 Updated by RFC 4880, november 2007 Main free implementation of the standard: GnuPG Renewed interest following the Snowden revelations Increase in the number of monthly registered public keys Multiple promotional campaigns Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  9. Format Oracles on OpenPGP | OpenPGP OpenPGP Promotion of GnuPG by FSF Europe Pretty Good Privacy: published by P. Zimmermann in 1991 Application enabling to protect Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature Standardized by IETF from 1997: OpenPGP message format RFC 2440, november 1998 Updated by RFC 4880, november 2007 Main free implementation of the standard: GnuPG Renewed interest following the Snowden revelations Increase in the number of monthly registered public keys Multiple promotional campaigns Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  10. Format Oracles on OpenPGP | OpenPGP OpenPGP Encryption Mode Symmetric encryption is done in OpenPGP with CFB mode CFB is used with an all zero IV, and is made non-deterministic by prepending a random block to the plaintext The first 2 bytes of the initial random block are repeated This provides a quick consistency check at the beginning of decryption, useful for password based encryption This check has been used by [MZ05] to decipher 2 bytes per block with an oracle attack No padding, truncation of the keystream Authenticated encryption uses an ad-hoc mode Security? Maury et al. | ANSSI | CT-RSA 2015 7 / 19

  11. Format Oracles on OpenPGP | OpenPGP OpenPGP Message Format Packet Structure T L V Encrypted Packet (with Integrity Protection) SHA-1 plaintext packet(s) Digest MDC packet $ $ 0xD3 0x14 Encryption K encrypted data C T L Maury et al. | ANSSI | CT-RSA 2015 8 / 19

  12. Format Oracles on OpenPGP | Oracles Oracles Maury et al. | ANSSI | CT-RSA 2015 9 / 19

  13. Format Oracles on OpenPGP | Oracles Format Oracles in OpenPGP Implementations We investigated implementations that are (or can be seen) as libraries, to use to develop higher-level applications relying on OpenPGP Application OpenPGP library We expect these implementations to act as cryptographic back ends for the front end applications: Perform all cryptographic operations As a consequence, be the only part where keys are manipulated Issue: The interaction between application and library often goes beyond the ideal model of encryption schemes Error messages are output (or logged) The API of the library does not state whether these errors are sensitive There is a risk that the front end may leak them Result: Identification of 3 types of leakage, potential oracles (over 50 distinct oracles) Maury et al. | ANSSI | CT-RSA 2015 10 / 19

  14. Format Oracles on OpenPGP | Oracles Format Oracles in OpenPGP Implementations We investigated implementations that are (or can be seen) as libraries, to use to develop higher-level applications relying on OpenPGP Application OpenPGP library Investigated implementations GnuPG, originally an application, but can be used as a We expect these implementations to act as cryptographic back ends library through scripting, even produces status messages for for the front end applications: the calling application for such cases. Perform all cryptographic operations As a consequence, be the only part where keys are manipulated End-to-End, Google OpenPGP implementation in JavaScript Issue: The interaction between application and library often goes OpenPGP.js, another library developed in JavaScript beyond the ideal model of encryption schemes Error messages are output (or logged) The API of the library does not state whether these errors are sensitive There is a risk that the front end may leak them Result: Identification of 3 types of leakage, potential oracles (over 50 distinct oracles) Maury et al. | ANSSI | CT-RSA 2015 10 / 19

  15. Format Oracles on OpenPGP | Oracles Format Oracles in OpenPGP Implementations We investigated implementations that are (or can be seen) as libraries, to use to develop higher-level applications relying on OpenPGP Application OpenPGP library We expect these implementations to act as cryptographic back ends for the front end applications: Perform all cryptographic operations As a consequence, be the only part where keys are manipulated Issue: The interaction between application and library often goes beyond the ideal model of encryption schemes Error messages are output (or logged) The API of the library does not state whether these errors are sensitive There is a risk that the front end may leak them Result: Identification of 3 types of leakage, potential oracles (over 50 distinct oracles) Maury et al. | ANSSI | CT-RSA 2015 10 / 19

  16. Format Oracles on OpenPGP | Oracles MDC Packet Header Oracle For integrity-protected encrypted packets, the last 22 bytes of the decrypted ciphertext form a Modification Detection Code packet 20-byte SHA-1 Digest 0xD3 0x14 GnuPG and End-to-End enforced this format by specifically checking for the two byte values 0xD314 at position 22 and 21 from the end of the decrypted ciphertext, and returning specific error messages in case of mismatch Using this leakage and CFB malleability, it is possible to recover any two bytes of plaintext by performing 2 16 oracle queries Maury et al. | ANSSI | CT-RSA 2015 11 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenPGP? mailing lists? OpenPGP on mailing lists? let's fix that! manual all subscribers have

OpenPGP? mailing lists? OpenPGP on mailing lists? let's fix that! manual all subscribers have

OpenPGP? mailing lists? OpenPGP on mailing lists? let's fix that! manual all subscribers have all subscribers and all public keys doesn't scale list key scales works proxy re-encryption secure e-mail list service

472 views • 28 slides
Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Cryptocurrencies & Security on the Blockchain Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM execution must be deterministic. Cannot rely on outside information But sometimes that

591 views • 17 slides
Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner & Mattner Systemtechnik GmbH Berlin, Germany Overview Classification Tree Method Expected results Executable test scripts Test Oracles and

374 views • 25 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline Oracles, Test Automation and (Test) Models Oracles in TTCN-3 Test Automation (Oracle) Examples Test oracle as part of a test case A test

326 views • 30 slides
Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven

Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven

Free Technology Workshop Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven Gordon Room RS309 9am - 12noon Friday 27 June 2014 http://ict.siit.tu.ac.th/moodle/ Adresses Local copies of

667 views • 19 slides
FOSDEM 2019 Vincent Breitmoser 1 / 13 Intro I'm Vincent Developer of OpenKeychain OpenPGP

FOSDEM 2019 Vincent Breitmoser 1 / 13 Intro I'm Vincent Developer of OpenKeychain OpenPGP

FOSDEM 2019 Vincent Breitmoser 1 / 13 Intro I'm Vincent Developer of OpenKeychain OpenPGP support in K-9 Mail More holistic approach required 2 / 13 Overview - Goals 1. Make it easy to encrypt e-mail 2. Don't rely on infrastructure 3.

296 views • 13 slides
EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de | https://www.efail.de 1 Mnster University of Applied Sciences Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , 2 Ruhr

675 views • 41 slides
Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E A N R D U O C D O O D C N E Ralph Guderlei and Johannes Mayer rjg@mathematik.uni-ulm.de, jmayer@mathematik.uni-ulm.de

627 views • 40 slides
GPG4LIBRE: OPENPGP SIGNING & ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER

GPG4LIBRE: OPENPGP SIGNING & ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER

GPG4LIBRE: OPENPGP SIGNING & ENCRYPTION IN LIBREOFFICE LIBREOFFICE CONFERENCE ROME OCTOBER 12TH, 2017 Thorsten.Behrens@cib.de GPG4LIBRE - MOTIVATION we dont do enough crypto yet! put encryption and signing at users finger tips

188 views • 17 slides
Status of the Debian OpenPGP keyring Jonathan McDowell, Gunnar Wolf What do we do Daniel Kahn

Status of the Debian OpenPGP keyring Jonathan McDowell, Gunnar Wolf What do we do Daniel Kahn

Status of the Debian OpenPGP keyring Daniel Kahn Gillmor, Status of the Debian OpenPGP keyring Jonathan McDowell, Gunnar Wolf What do we do Daniel Kahn Gillmor Jonathan McDowell Gunnar Wolf Escaping algorithmic fragility: So far

492 views • 28 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Investigating the OpenPGP Web of Trust Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle

Investigating the OpenPGP Web of Trust Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle

Investigating the OpenPGP Web of Trust Alexander Ulrich, Ralph Holz , Peter Hauck, Georg Carle Diskrete Mathematik Universit at T ubingen Netzarchitekturen und Netzdienste Technische Universit at M unchen ESORICS 2011 Alexander

1.31k views • 55 slides
Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition binary format: array format of config. U(3,3,X,,,) numerical format (precision,IEEE,byte-order) file format: format of a file

88 views • 8 slides
IPO Investigating Polyhedra by Oracles Matthias Walter Otto-von-Guericke Universit at

IPO Investigating Polyhedra by Oracles Matthias Walter Otto-von-Guericke Universit at

IPO Investigating Polyhedra by Oracles Matthias Walter Otto-von-Guericke Universit at Magdeburg Joint work with Volker Kaibel (OVGU) Aussois Combinatorial Optimization Workshop 2016 Motivation Finding Facets Adjacency Affine Hull

334 views • 30 slides
Oracle and Netsure Acquisition Announcement Extends Oracles Leadership in Communications

Oracle and Netsure Acquisition Announcement Extends Oracles Leadership in Communications

<Insert Picture Here> Oracle and Netsure Acquisition Announcement Extends Oracles Leadership in Communications with Network Intelligence and Optimization September 2, 2007 The following is intended to outline our general product

151 views • 14 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
Pretty Good Privacy Privacy Enhancing Technologies Leonardo A. Martucci CC-BY-4.0 Part 2:

Pretty Good Privacy Privacy Enhancing Technologies Leonardo A. Martucci CC-BY-4.0 Part 2:

Pretty Good Privacy Privacy Enhancing Technologies Leonardo A. Martucci CC-BY-4.0 Part 2: Secure Communications Why do we need secure communications? PGP We are here! TLS and Let's Encrypt Secure messaging Pretty Good Privacy

468 views • 21 slides
Security and Authorization Ramakrishnan & Gehrke, Chapter 21 320302 Databases & Web

Security and Authorization Ramakrishnan & Gehrke, Chapter 21 320302 Databases & Web

Security and Authorization Ramakrishnan & Gehrke, Chapter 21 320302 Databases & Web Applications (P . Baumann) Motivation Secrecy: Users should not be able to see things they are not supposed to Ex: student cant see other

766 views • 21 slides
Algorithmics Spring Semester 2020 Prof. Dr. Matthias Krause 2020/02/20, 16:22 University of

Algorithmics Spring Semester 2020 Prof. Dr. Matthias Krause 2020/02/20, 16:22 University of

Algorithmics Spring Semester 2020 Prof. Dr. Matthias Krause 2020/02/20, 16:22 University of Mannheim Prerequisites Classification into the Overall Context of Business Informatics Process Management in Business and Society: Identifying

1.34k views • 97 slides
The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST Conference Malta - 18 June 2012 Wave 1 Wave 1 Early nineties: Phil Zimmerman releases PGP Photo Phill Zimmerman Pretty Good Privacy Early

649 views • 31 slides
Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year Ethical Hacking @MikeyJck BSc @ Abertay Member Abertay Ethical mikeyjck.io Hacking Society I <3 Cryptography Whats all this then?

953 views • 37 slides
Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar

Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar

References Introduction to Cryptography Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar & Pelzl Wide Mouth Frog Protocol from Wikipedia Jim Royer

281 views • 9 slides
Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this about? Topics: Authentication Phishing PGP SSH USB Networking Can I trust you, Denis? Trust no one,

531 views • 41 slides

More recommend