hidden semantics why how and what to do
play

Hidden Semantics: why? how? and what to do? Mike Bond, Cryptomathic - PowerPoint PPT Presentation

Feb 21, 2023 •307 likes •647 views

Hidden Semantics: why? how? and what to do? Mike Bond, Cryptomathic Ltd. George French, Barclays Bank Plc. ASA-4 Edinburgh 2010 Crypomathic Logo Here Hidden Semantics: Why Why worry about it: Hidden semantics is important to the API analysis

  1. Hidden Semantics: why? how? and what to do? Mike Bond, Cryptomathic Ltd. George French, Barclays Bank Plc. ASA-4 Edinburgh 2010 Crypomathic Logo Here

  2. Hidden Semantics: Why Why worry about it: Hidden semantics is important to the API analysis community because it may limit the applicability of results based on API messages alone, indeed it has driven the creation of tools and a lot of work surround analysis of variants of PKCS#11 which all exist within the same framework . Furthermore it raises the question whether the adaptation of standard protocol notation to Security APIs presents a full enough picture to be useful; while formal analysis has yielded new notations well suited to model checkers and other tools, analysis has yielded new notations well suited to model checkers and other tools, what is the most appropriate way of expressing hidden semantics in a way which bridges the gap between formal and applied communities? Why do they occur: o Patch to fix a vulnerability o Vendor specific implementations Cryptomathic Logo Here

  3. Hidden Semantics: Why Drivers: o Economics • Cost of change • Cost of accreditation • Time to market • Business model o Interoperability • • Silo Standards with lack of interoperability (e.g card schemes) Silo Standards with lack of interoperability (e.g card schemes) • Support of Legacy Systems • Support for New Standards e.g. KMIP o Technical • Poorly Defined Standards (e.g. pkcs#11) • Constrained by computing platform • Supporting market requirements (high availability/fail over support ) Cryptomathic Logo Here

  4. Hidden Semantics: How? Let’s look at some examples: o PKCS#11 CBC Padding Oracle o Statistical PIN Block Attack Cryptomathic Logo Here

  5. PKCS#11 CBC Padding Oracle Padding oracle attacks not new: o SSL attacks (Vaudenay et al circa 2003) o IPSec attacks (e.g. more recent by Patterson et al) o PKCS#11 is vulnerable to this sort of API attack during key import when mechanisms supporting PKCS#7 padding are used. Cryptomathic Logo Here

  6. The context of the attack We want to transfer key from key source to destination HSM { Key }KEK1 Key Source (KMS or other HSM) HSM KEK1 KEK1 KEK1 (1) both endpoints share KEK1 (2) source wraps key under KEK1 (3) destination PKCS11 HSM unwraps using C_UnwrapKey

  7. Lets look at an example wrapped key… Block 0 Block 1 Block 2 Mode=CBC DEADBEEFDEADBEEF FACEFEEDFACEFEED 0808080808080808 IV=0 KEK1 PKCS#7 Padding Our target 128-bit key We attack each block one at a time… • Strip padding block (block 2) • Append block 0 instead • • Do attack on final block Do attack on final block • Swap in block 1 on end • Do attack on final block Block 0 Block 1 Block 2 9712467E26C1D0FD 29FD960D658E64EE 9712467E26C1D0FD First Attack Block 0 Block 1 Block 2 9712467E26C1D0FD 29FD960D658E64EE 29FD960D658E64EE Second Attack Lets just consider first attack…

  8. What the encrypted data looks like after we swapped last block… P0 P1 P0 DE AD BE EF DE AD BE EF DE AD BE EF DE AD BE EF DE AD BE EF DE AD BE EF IV=0 IV=0 e e e C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 EE 97 12 46 7E 26 C1 D0 FD

  9. Now lets try unwrapping this block using HSM… C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 EE 97 12 46 7E 26 C1 D0 FD d d d IV=0 DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF FAILS! … invalid key because padding is bad NOT VALID PADDING! CKM_DES3_CBC_PAD our trial data C_UnwrapKey(hsession,mech,unwrapkey,wrappedkey,len,template,attc,ptrkeyh) returns either CKR_WRAPPED_KEY_INVALID or CKR_OK

  10. Our HSM “Oracle” tells us information about the clear key… Unwrap key (KEK) Wrapped key C_UnwrapKey is the padding in the is the padding in the last block ok? OK/Failed

  11. Now we cycle through all possible values of the last byte of C1… try all values C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 00 97 12 46 7E 26 C1 D0 FD d d d IV=0 DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF NOT VALID PADDING! val = 0x00

  12. Now we cycle through all possible values of the last byte of C1… try all values C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 01 97 12 46 7E 26 C1 D0 FD d d d IV=0 DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? DE DE AD AD BE BE EF EF DE DE AD AD BE BE EE EE NOT VALID PADDING! val = 0x01

  13. Now we cycle through all possible values of the last byte of C1… try all values C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 02 97 12 46 7E 26 C1 D0 FD d d d IV=0 DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? DE DE AD AD BE BE EF EF DE DE AD AD BE BE ED ED NOT VALID PADDING! val = 0x02 keep on trying…

  14. Now we cycle through all possible values of the last byte of C1… try all values C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 EE 97 12 46 7E 26 C1 D0 FD d d d IV=0 DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? DE DE AD AD BE BE EF EF DE DE AD AD BE BE 01 01 VALID PADDING! val = 0xEE SUCCESS! 0xEE ^ 0xEF = 0x01 and 0x01 means final block contains valid padding

  15. Now lets crack the next byte… adjust this so final byte becomes 0x02 try all values C0 C1 C0 97 12 46 7E 26 C1 D0 FD 29 FD 96 0D 65 8E 64 ED 97 12 46 7E 26 C1 D0 FD d d d IV=0 DE DE AD AD BE BE EF EF DE DE AD AD BE BE EF EF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? DE DE AD AD BE BE EF EF DE DE AD AD BE BE 02 02 NOT VALID PADDING! now we discover key one byte at a time.

  16. The oracle implemented (Java PKCS11 with IAIK wrapper)… public boolean unwrapKey(byte[] keyToUnwrap) { GenericTemplate kt = new GenericTemplate(); Mechanism um = new Mechanism(PKCS11Constants.CKM_DES3_CBC_PAD); byte[] iv = new byte[BLOCKSIZE]; // Pure 0s. um.setParameters(new InitializationVectorParameters(iv)); CharArrayAttribute ckaFlabel = new CharArrayAttribute( PKCS11Constants.CKA_LABEL); String flabel = “key_" + KEYNAME + ctr; ctr++; ckaFlabel.setCharArrayValue(flabel.toCharArray()); kt.addAttribute(ckaFlabel); ObjectClassAttribute objectClassAttribute = new ObjectClassAttribute(); objectClassAttribute.setLongValue(PKCS11Constants.CKO_SECRET_KEY); kt.addAttribute(objectClassAttribute); KeyTypeAttribute keyTypeAttribute = new KeyTypeAttribute(); keyTypeAttribute.setLongValue(KeyType.AES); kt.addAttribute(keyTypeAttribute); BooleanAttribute ckaEncrypt = new BooleanAttribute(PKCS11Constants.CKA_ENCRYPT); ckaEncrypt.setBooleanValue(true); kt.addAttribute(ckaEncrypt); try { session.unwrapKey(um, knownKey, keyToUnwrap, kt); return true; } catch( Exception e ) { //System.out.println(e); } return false; }

  17. Implementation Results… NB KEK in this example is a 2 key 3DES key… 20202020202020207373737373737373 Block 0 Byte 7 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29FD960D658E64 EE 9712467E26C1D0FD true (238) recoveredKey = 00000000000000EF trialKeyBase = 9712467E26C1D0FD29FD960D658E64ED9712467E26C1D0FD Block 0 Byte 6 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29FD960D658E BCED 9712467E26C1D0FD true (188) recoveredKey = 000000000000BEEF trialKeyBase = 9712467E26C1D0FD29FD960D658EBDEC9712467E26C1D0FD Block 0 Byte 5 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29FD960D65 AEBDEC 9712467E26C1D0FD true (174) recoveredKey = 0000000000ADBEEF trialKeyBase = 9712467E26C1D0FD29FD960D65A9BAEB9712467E26C1D0FD Block 0 Byte 4 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29FD960D DAA9BAEB 9712467E26C1D0FD true (218) recoveredKey = 00000000DEADBEEF trialKeyBase = 9712467E26C1D0FD29FD960DDBA8BBEA9712467E26C1D0FD Block 0 Byte 3 Block 0 Byte 3 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29FD96 EADBA8BBEA 9712467E26C1D0FD true (234) recoveredKey = 000000EFDEADBEEF trialKeyBase = 9712467E26C1D0FD29FD96E9D8ABB8E99712467E26C1D0FD Block 0 Byte 2 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29FD B8E9D8ABB8E9 9712467E26C1D0FD true (184) recoveredKey = 0000BEEFDEADBEEF trialKeyBase = 9712467E26C1D0FD29FDB9E8D9AAB9E89712467E26C1D0FD Block 0 Byte 1 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD29 AAB9E8D9AAB9E8 9712467E26C1D0FD true (170) recoveredKey = 00ADBEEFDEADBEEF trialKeyBase = 9712467E26C1D0FD29A5B6E7D6A5B6E79712467E26C1D0FD Block 0 Byte 0 offset 000102030405060708090A0B0C0D0E0F1011121314151617 trialKey 9712467E26C1D0FD D6A5B6E7D6A5B6E7 9712467E26C1D0FD true (214) recoveredKey = DEADBEEFDEADBEEF trialKeyBase = 9712467E26C1D0FDD7A4B7E6D7A4B7E69712467E26C1D0FD Cryptogram : 9712467E26C1D0FD29FD960D658E64F3 Clear value : DEADBEEFDEADBEEF

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
What do hidden representations learn? Other animals dont like onions (but primates do) Plaut

What do hidden representations learn? Other animals dont like onions (but primates do) Plaut

What do hidden representations learn? Other animals dont like onions (but primates do) Plaut and Shallice (1993) Mapped orthography to semantics (unrelated similarities) Compared similarities among hidden representations to those among

121 views • 9 slides
Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is semantics? 2 / 14 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the meaning of

588 views • 14 slides
Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures

Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures

11/13/18 Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures discussed Predicate-Argument Structure, and composing meanings of parts to produce the correct global sentence meaning Frame Semantic Parsing

460 views • 14 slides
Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$ Cant$hear$each$other$(to$coordinate)$yet$collide$at$B$ We$want$to$avoid$the$inefficiency$of$collisions $ CSE$461$University$of$Washington$ 53$

463 views • 31 slides
Preparatory course WS2011 - Semantics The job of semantics Referential theories Conceptual

Preparatory course WS2011 - Semantics The job of semantics Referential theories Conceptual

Semantics J. Ruppenhofer, A. Palmer Preliminaries Preparatory course WS2011 - Semantics The job of semantics Referential theories Conceptual Alexis Palmer semantics Some core problems Lexical analysis Sense and word October 10,

1.53k views • 133 slides
11/19/10 Introduction Semantics can mean quite different things in different

11/19/10 Introduction Semantics can mean quite different things in different

11/19/10 Introduction Semantics can mean quite different things in different contexts; fields concerned with semantics are as diverse as psychology, law, Formal Semantics and Pragmatics: computer science, lexicography, logic,

393 views • 10 slides
Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a statistical Markov model in which the system being modeled is assumed to be a Markov process with unobserved (hidden) states. We call the observed event

741 views • 13 slides
PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we

PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we

CMSC 430 Compilers Fall 2018 PL: A Whirlwind Tour Semantics and Foundations Program Semantics To analyze programs, we must know what they mean Semantics comes from the Greek semaino , to mean Most language semantics

883 views • 70 slides
Other Kinds of Semantics Introduction to Operational Semantics Denotational semantics

Other Kinds of Semantics Introduction to Operational Semantics Denotational semantics

Lecture Outline COOL operational semantics Operational Semantics of Cool Motivation Notation Adapted from Lectures by Profs. Alex Aiken and George Necula (UCB) The rules CS781(Prasad) L24CG 2 CS781(Prasad) L24CG 1

320 views • 7 slides
Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics

Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics

Jigsaw Semantics Introduction Introductory Notes Jigsaw Semantics or: Dynamic Semantics Put Together Again Formal semantics and formal pragmatics: the disciplines are much scattered and seriously challenged, or so it seems. Formal

164 views • 12 slides
Another view Hidden Input CEC is constant error Hidden carrousel No vanishing gradients

Another view Hidden Input CEC is constant error Hidden carrousel No vanishing gradients

Another view Hidden Input CEC is constant error Hidden carrousel No vanishing gradients Input f But, it is not always on Hidden s f Introducing gates: Input f Allow or disallow input Hidden Allow or

641 views • 28 slides
LSTMs Overview Subhashini Venugopalan Neural Networks z t Output B Hidden Hidden Input WHY

LSTMs Overview Subhashini Venugopalan Neural Networks z t Output B Hidden Hidden Input WHY

LSTMs Overview Subhashini Venugopalan Neural Networks z t Output B Hidden Hidden Input WHY RNNs/LSTMs? Can we operate over sequences of inputs? Limitations of vanilla Neural Networks z t Output Outputs a fixed size vector. B Hidden

737 views • 32 slides
15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of

15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of

15-411: Dynamic Semantics Jan Ho ff mann Dynamic Semantics Static semantics: definition of valid programs Dynamic semantics: definition of how programs are executed So far: Dynamic semantics is given in English on lab handouts This

1.54k views • 137 slides
The Hidden City The Hidden City Decay: To be slowly destroyed by natural processes and enter a

The Hidden City The Hidden City Decay: To be slowly destroyed by natural processes and enter a

The Hidden City The Hidden City Decay: To be slowly destroyed by natural processes and enter a state of ruin. Starting off.. St Fagans Llandaff Cathedral Laura Edgar www.lauraedgar.co.uk A little bit of history.. First ever Bute Docks,

661 views • 20 slides
Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee

Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee

Lexical Semantics in Formal Semantics: History and Challenges . Barbara H. Partee partee@linguist.umass.edu ESSLLI RefSemPlus Workshop, August 2016 1. Introduction n The early important achievements of formal semantics that made it of

1.01k views • 36 slides
Wireless Sensor Networks: Motes, NesC, and TinyOS J urgen Sch onw alder, Mat u s

Wireless Sensor Networks: Motes, NesC, and TinyOS J urgen Sch onw alder, Mat u s

Wireless Sensor Networks: Motes, NesC, and TinyOS J urgen Sch onw alder, Mat u s Harvan Jacobs University Bremen Bremen, Germany EECS Seminar, 24 April 2007 J urgen Sch onw alder, Mat u s Harvan Motes, NesC, and

688 views • 54 slides
RESOLUTION OF INTERNATIONAL BANKS: CAN SMALLER COUNTRIES COPE? DIRK SCHOENMAKER ROTTERDAM

RESOLUTION OF INTERNATIONAL BANKS: CAN SMALLER COUNTRIES COPE? DIRK SCHOENMAKER ROTTERDAM

RESOLUTION OF INTERNATIONAL BANKS: CAN SMALLER COUNTRIES COPE? DIRK SCHOENMAKER ROTTERDAM SCHOOL OF MANAGEMENT & BRUEGEL NZ TREASURY, 17 NOVEMBER 2017 Outline Reform after the Great Financial Crisis Need for fiscal backstop

289 views • 18 slides
CREATING VALUE BECOMING RELEVANT Action plan for concretising the strategic objectives

CREATING VALUE BECOMING RELEVANT Action plan for concretising the strategic objectives

Federal Office of Topography swisstopo CREATING VALUE BECOMING RELEVANT Action plan for concretising the strategic objectives Sharing Knowledge, Capacities and Infrastructure (EGS-Pillar 3). Brussels, 18 February 2020 Existing EGS

341 views • 18 slides
Marco Ferrazzani ESA Legal Counsel & Head of the Legal Services ESA UNCLASSIFIED - For

Marco Ferrazzani ESA Legal Counsel & Head of the Legal Services ESA UNCLASSIFIED - For

ESA Legal Framework and Competences Marco Ferrazzani ESA Legal Counsel & Head of the Legal Services ESA UNCLASSIFIED - For Official Use European Union in Space: Law and Technology Universit degli Studi di Genova ESA Legal Framework and

719 views • 32 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Molson Coors Brewing Company Barclays Back to School Consumer Conference September 5, 2012

Molson Coors Brewing Company Barclays Back to School Consumer Conference September 5, 2012

Molson Coors Brewing Company Barclays Back to School Consumer Conference September 5, 2012 Peter Swinburn Chief Executive Officer Molson Coors Brewing Company 2 Forward Looking Statement Forward Looking Statements: This presentation

443 views • 30 slides
during the Henry Ohlsson economic crisis Deputy Governor 17 June 2020 Three challenges The

during the Henry Ohlsson economic crisis Deputy Governor 17 June 2020 Three challenges The

Monetary policy during the Henry Ohlsson economic crisis Deputy Governor 17 June 2020 Three challenges The financial markets are not functioning as under normal circumstances Inflation statistics are difficult to interpret It is

523 views • 6 slides
A game changer for public debt markets? Daniel Gros Rome, Seminar LUISS, SEP March 8, 2018

A game changer for public debt markets? Daniel Gros Rome, Seminar LUISS, SEP March 8, 2018

QE A game changer for public debt markets? Daniel Gros Rome, Seminar LUISS, SEP March 8, 2018 Rome, March, 8, 2018 Thinking ahead for Europe Centre for European Policy Studies (CEPS) www.ceps.eu Bernanke: the problem with QE

823 views • 35 slides

More recommend