got hw crypto
play

got HW crypto? On the (in)security of a Self-Encrypting Drive - PowerPoint PPT Presentation

Nov 24, 2022 •144 likes •718 views

got HW crypto? On the (in)security of a Self-Encrypting Drive series Research motivation is HW crypto more secure? JMS538S SW6316 OXUF943SE INIC-1607E x x x x JMS569 INIC-3608 x x 2 Speakers intro Gunnar Alendal: Christian Kison:

  1. got HW crypto? On the (in)security of a Self-Encrypting Drive series

  2. Research motivation is HW crypto more secure? JMS538S SW6316 OXUF943SE INIC-1607E x x x x JMS569 INIC-3608 x x 2

  3. Speakers intro Gunnar Alendal: Christian Kison: Master’s degree in Cryptography Holds a Master's degree in from the University of Bergen, UiB, Informations- Systemtechnik from Norway. the TU Braunschweig , Brunswick, Germany. Reverse engineering anything with an opcode; x86, x64, ARM, MIPS, Started PhD December 2014. M68k, ARC, 8051, .. Main research topic involve Side Security researcher with 15 years of Channel Analysis, physical attacks, professional experience. silicon and digital forensic and hardware reversing approaches. 3

  4. Western Digital My Passport / Book ● Self-encrypting external HDD series* ● crypto done in either: 1. 1st-gen : USB/FW-to-SATA bridge 2. 2nd-gen : HDD itself ● Can’t fit everything in talk ⇒ read full paper * Some models don’t support encryption 4

  5. Generic setup 5

  6. Different USB bridges researched Vendor Model (1st-gen/2nd-gen) Architecture JMicron JMS538S Intel 8051 Symwave SW6316 Motorola M68k PLX OXUF943SE ARM7 Initio INIC-1607E Intel 8051 Initio INIC-3608 ARC 600 JMicron JMS569 Intel 8051 6

  7. Overall security design ● User PW ⇒ Key-Encryption-Key (KEK): ○ KDF(salt+PW) = KEK ○ salt + KDF iterations are constant in SWices ● KEK protects Data-Encryption-Key (DEK) ● DEK = holy long-term HW AES Key 7

  8. 1st-gen bridges w/AES 8

  9. Overall security design 9

  10. The protected DEK - eDEK ● a KEK-encrypted blob containing the raw DEK ● eDEK stored on disk + USB bridge EEPROM ○ EEPROM is marked “U14” on most PCBs ● retrieve eDEK ⇒ off-device pw brute force 10

  11. Authentication - JMS538S/INIC-1607E 11

  12. Mandatory HW encryption ● No PW set ⇔ hardcoded KEK unlocks DEK ● Hardcoded KEK = “ PI ” AES-256 key 03 14 15 92 65 35 89 79 32 38 46 26 43 38 32 79 FC EB EA 6D 9A CA 76 86 CD C7 B9 D9 BC C7 CD 86 12

  13. data recovery ● no pw + broken USB bridge? no problem: ○ eDEK stored on HDD + EEPROM ○ decrypt eDEK with “ PI ” KEK ⇒ DEK decrypts HDD ● pw set? off-device brute force ○ Constant salt + KDF iteration counter ○ GPU-impl. benchmark: ~1 mill pw/s (single card) ○ Pre-calculated hash-table 13

  14. Retrieve the eDEK: “no eeprom for you” ● no EEPROM on boot.. ● ⇒ raw USB-to-SATA bridge or “DFU mode” ● ⇒ read eDEK from HDD VID/PID: 1058/0748 Bridge: JMS538S 14

  15. Retrieve the eDEK ● JMS538S - “no eeprom for you” ● SW6316 - PC-3k / “no eeprom for you” ● OXUF943SE - SATA + hidden eDEK sector ● INIC-1607E - “no eeprom for you” + 3-byte FW patch to dump eDEK 15

  16. Attackers progress... Model no pw set, pw brute force break auth. crack DEK recovery ✓ ✓ JMS538S ✓ ✓ SW6316 ✓ ✓ OXUF943SE ✓ ✓ INIC-1607E 16

  17. Breaking auth. - aka. backdoors ● Two 1st-gen chips fail on authentication ● SW6316 stores the KEK in EEPROM/HDD ○ Protection: Hardcoded key (0x29A2607A..) ● OXUF943SE saves a “PI” encrypted eDEK ○ Protection: Hardcoded key (0x03141592..) 17

  18. SW6316 authentication/backdoor 18

  19. Attackers progress... Model no pw set, pw brute break auth. crack DEK recovery force ✓ ✓ JMS538S ✓ ✓ ✓ SW6316 ✓ ✓ ✓ OXUF943SE ✓ ✓ INIC-1607E 19

  20. ..but before we crack DEKs: 2nd-gen bridges with no AES 20

  21. Initio INIC-3608 / JMicron JMS 569 ● no HW AES in USB bridge ● HDD does crypto: ○ “ATA Security feature Set”; ATA 0xF1, 0xF2, ... ● VSC “status” (0xC045) reports only cipher mode 0x30 (FDE) 21

  22. INIC-3608 backdoor ● INIC-3608 does authentication, no crypto ● EEPROM, U14, contains the raw KEK(!) ● Dump EEPROM ⇒ Get KEK ⇒ authenticate ● .. or get KEK with secret VSC ⇒ authenticate 22

  23. INIC-3608 authentication 23

  24. INIC-3608 backdoor 24

  25. INIC-3608 Backdoor DEMO 25

  26. JMicron JMS569 ● Connect to pc3k in kernel-mode ○ Get privileges as always by bit shifting ○ Erase ATA-module XX ○ HDD unlocks, decrypting everything on the fly ● By now, pc3k found their own way ○ Details in the forums 26

  27. Attackers progress... Model no pw set, recovery pw brute force break auth. crack DEK ✓ ✓ JMS538S ✓ ✓ ✓ SW6316 ✓ ✓ ✓ OXUF943SE ✓ ✓ INIC-1607E ✓ ✓ ✓ INIC-3608 ✓ ✓ JMS569 27

  28. JMS538S and INIC-1607E still standing tall* 28 * From the devices available to the researchers

  29. Recap: Authentication - JMS538S brute force? :( brute force?? 29

  30. Crack DEK directly? ● How is the HW AES-256 DEK created? ● Entropy source? ● can we beat a 2 256 complexity? 30

  31. DEK creation ⇒ device “erase” ● How is the DEK created on a device “erase”? ○ aka. “I forgot my password” ● Entropy source(s)? ● Can we assume the factory uses this “erase” command? 31

  32. DEK creation by device “erase” ● “erase” VSC: CDB[0:1] = 0xC1E3 ● 2 entropy sources: ○ host computer ⇒ Key material source 1 ○ on-board RNG ⇒ Key material source 2 32

  33. JMS538S “erase” VSC 33

  34. JMS538S on-board RNG ● Implemented in chip “somewhere” ● Gather samples and plot ● Gather by “status” (4 bytes) or “erase” (32 bytes) VSC 34

  35. /dev/urandom - 32-bit x 10 000 35

  36. JMS538S “status” unmask x 10 000 36

  37. JMS538S on-board RNG ● “status” command masks RNG output: ○ xor with 0x271828af ● “erase” uses raw RNG - no mask ● RNG turns out to be a 8-bit LFSR with period 255 37

  38. JMS538S on-board RNG ● ..eh, a RNG with period of 255?! ● ..adding a poor ~2 8 to the complexity! ● ..so we have total 2 32 x ~2 8 = ~2 40 complexity! 38

  39. JMS538S “erase” attack ● You erase the drive + set sooper pw ● We recover the DEK with 2 40 complexity ○ ~2 36 if set from a MAC ● ..done in “no time” on any computer 39

  40. JMS538S “erase” VSC 40

  41. JMS538S factory keys ● “most people don’t erase their drives” ● ..so what about the factory set DEKs? ● Does the factory use the “erase” command? 41

  42. JMS538S factory keys analysis ● Grab factory set DEK from an eDEK + reverse the “erase” command flow ● Generate 255 possible “Host provided key material” (source 1) ● Find the correct one by guessing…? 42

  43. JMS538S factory keys - RNG leak ● The default out-of-the-box eDEK leaks ● Decrypted eDEK leaks RNG status at creation time ● … which is the same time as DEK creation! 43

  44. decrypted factory eDEK - RNG leak Magic 0x00: "DEK1" factory DEK CRC 0x04: 3f97 Unknown 0x06: 0000 random1 0x08: b1f065be key 0x3ee2 128 bit 0x0c: dde91629a8f503a41847e9956386a5d3 random2 0x1c: 2aa98576 key 0x3ef2 128 bit 0x20: fea9c0d0ad395397772420a0563a604b random3 0x30: 074195db key 0x3f02 256 bit 0x34: 3b00e300f7002700e1004d003800040069003e00d70048000c00bb0042006400 random4 0x54: 8e832cf3 key size (byte) 0x58: 20 => 256 bits Unknown 0x59: 00000000000000 RNG status leak 44

  45. JMS538S factory keys - RNG leak ● The default out-of-the-box eDEK says it all ● It gives the raw DEK ● + the state of the RNG after DEK creation ● ⇒ We know the host provided key material! 45

  46. example host provided key material Raw stream: 14 F9 DD 69 49 81 D4 63 CE 22 30 51 23 1B 2C 18 28 3B 3D 15 0F 3F 98 39 E4 C3 1F 4A 57 F3 9A 79 Little endian, 32-bit values: 69DDF914 63D48149 513022CE 182C1B23 153D3B28 39983F0F 4A1FC3E4 799AF357 srand(0x4fd45d3f) ⇐ Seed with this... rand() ⇒ 69DDF914 ⇐ ... and get these rand() ⇒ 63D48149 ⇐ ... .. rand() ⇒ 799AF357 ⇐ ... 46

  47. example host provided key material ● srand( 0x4fd45d3f ) is the entropy source ● 0x4fd45d3f ⇒ UNIX time ● 0x4fd45d3f ⇒ 2012-06-10 08:39:27 UTC ● It was on a Sunday ..and it was sunny 47

  48. DEK created: 10 JUN 2012 08:39:27 UTC Ouch! HDDs have a printed production date.. 48

  49. JMS538S factory DEK attack ● a single 128-bit known-plaintext AES block needed from HDD ⇒ e.g. E DEK (00..00) ● Recover the 256-bit DEK with 2 36 complexity: ○ Brute force creation time (2007 - 2015) + RNG state 49

  50. JMS538S factory DEK attack ● ..done in “no time” on any computer ● ..or instant with a 1.2 TB lookup-table! ○ pre-gen all 2 36 possible factory DEKs ○ store E DEK (00..00) + seed + RNG idx 50

  51. JMS538S factory DEK attack DEMO 51

  52. Attackers progress... Model no pw set, recovery pw brute force break auth. crack DEK ✓ ✓ ✓ JMS538S ✓ ✓ ✓ SW6316 ✓ ✓ ✓ OXUF943SE ( ✓ ) ✓ ✓ INIC-1607E ✓ ✓ ✓ INIC-3608 ✓ ✓ JMS569 52

  53. badUSB and evil-maid? 53

  54. No FW signing ⇒ security problems ● can patch FW devices, pre authentication ⇒ bad, bad USB ● ..resulting in spreading of evilness ○ malware in 8051, M68k and ARC. Infect-on-the-fly. ○ no easy clean (self-protecting evil FW) ○ add crypto backdoor ○ nullifying poor auth. schemes 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO Use this space to add an image. IMPLEMENTATION, OR CRYPTO RNG Insert an image and change the scale to cover this box. ALSO, KEY MANAGEMENT IS

1.01k views • 81 slides
19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a strong elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit

121 views • 11 slides
Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform Stable Coin Dapps Sum $ Bitcoin 154.00 $ Ethereum 29.00 $ XRP 18.70 $ BCH 7.70 $ EOS 7.20 $ LiteCoin 7.00 $ BNB 4.70 $ Tether

160 views • 12 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

844 views • 68 slides
Computer Security: Public Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Public Key Crypto B. Jacobs Institute for Computing and Information Sciences

Public key crypto RSA Essentials Public Key Crypto in Java Radboud University Nijmegen Public key protocols Diffie-Hellman and El Gamal Computer Security: Public Key Crypto B. Jacobs Institute for Computing and Information Sciences

1.23k views • 100 slides
Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

CSE 484 / CSE M 584: Computer Security and Privacy Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi

849 views • 25 slides
Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements

Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements

Outline More crypto protocols CSci 5271 Introduction to Computer Security Announcements intermission More crypto protocols and failures Stephen McCamant More causes of crypto failure University of Minnesota, Computer Science &

430 views • 4 slides
Talk Overview Introduction 1 Table-based 2 Vector-Permutation 3 Bitslice 4 Results and

Talk Overview Introduction 1 Table-based 2 Vector-Permutation 3 Bitslice 4 Results and

Implementing Lightweight Block Ciphers on x86 Architectures Ryad Benadjila 1 Jian Guo 2 e 1 Thomas Peyrin 2 Victor Lomn 1 ANSSI, France 2 NTU, Singapore SAC, August 15, 2013 Introduction Table-based Vector-Permutation Bitslice Results and

899 views • 43 slides
Network Security Technology Project 1 Neng Li ln-fjpt@sjtu.edu.cn Part I 2 Implement the

Network Security Technology Project 1 Neng Li ln-fjpt@sjtu.edu.cn Part I 2 Implement the

Network Security Technology Project 1 Neng Li ln-fjpt@sjtu.edu.cn Part I 2 Implement the textbook RSA algorithm. The textbook RSA is essentially RSA without any padding. Part I 3 Goals Generate a random RSA key pair with a given

438 views • 18 slides
Getting started with ggplot2 STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley

Getting started with ggplot2 STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley

Getting started with ggplot2 STAT 133 Gaston Sanchez Department of Statistics, UCBerkeley gastonsanchez.com github.com/gastonstat/stat133 Course web: gastonsanchez.com/stat133 ggplot2 2 Resources for "ggplot2" Documentation:

1.27k views • 44 slides
Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto?

Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto?

Kernel TLS and hardware TLS offload in FreeBSD 13 by Mellanox, Chelsio and Netflix Why crypto? Bob and Alice and the secret message Mathematical dependance on a relatively small pre-shared key When used right: Prevents

801 views • 30 slides
Intels New AES Instructions Enhanced Performance and Security Shay Gueron - Intel

Intels New AES Instructions Enhanced Performance and Security Shay Gueron - Intel

Intels New AES Instructions Enhanced Performance and Security Shay Gueron - Intel Corporation, Israel Development Center, Haifa, Israel - University of Haifa, Israel 1 Overview AES basics Performance hungry applications The

776 views • 59 slides
Finite fields Definition Theorem (Field) Let F be a set with two binary operations + and . Let

Finite fields Definition Theorem (Field) Let F be a set with two binary operations + and . Let

Finite Fields Finite Fields AES AES Definition (Group) Let G be a set and be a binary operation defined on G , Definition i.e., : G G G . We say ( G , ) is a group if (Ring) Let R be a set with two binary operations + and

612 views • 5 slides
PRO CTCAEs The 2017 update PROs: context Usual description of adverse events with the

PRO CTCAEs The 2017 update PROs: context Usual description of adverse events with the

PRO CTCAEs The 2017 update PROs: context Usual description of adverse events with the 790-items CTCAE (Common Terminology of Adverse Events) criteria under-detects symptomatic, though significant events Patients reports better

521 views • 9 slides
Advanced Encryption Standard Simplified-AES Simplified-AES Example Details of AES Cryptography

Advanced Encryption Standard Simplified-AES Simplified-AES Example Details of AES Cryptography

Cryptography Advanced Encryption Standard Overview of AES Advanced Encryption Standard Simplified-AES Simplified-AES Example Details of AES Cryptography AES in OpenSSL AES in Python School of Engineering and Technology CQUniversity

456 views • 30 slides

More recommend