mind your keys a security evaluation of java keystores
play

Mind Your Keys? A Security Evaluation of Java Keystores Marco - PowerPoint PPT Presentation

Aug 16, 2022 •167 likes •582 views

Mind Your Keys? A Security Evaluation of Java Keystores Marco Squarcina (Universit Ca Foscari & Cryptosense) Riccardo Focardi Francesco Palmarini Graham Steel Mauro Tempesta Universit Ca Foscari Universit Ca Foscari

  1. Mind Your Keys? A Security Evaluation of Java Keystores Marco Squarcina (Università Ca’ Foscari & Cryptosense) Riccardo Focardi Francesco Palmarini Graham Steel Mauro Tempesta Università Ca’ Foscari Università Ca’ Foscari Cryptosense Università Ca’ Foscari Cryptosense Yarix

  2. BACKGROUND MOTIVATIONS

  3. Key Storage HW Solutions HSM ● Smartcards ● PKCS#11

  4. Key Storage Keystore File containing crypto keys ● and certificates Content is secured by a ● password ******

  5. Key Storage Keystore File containing crypto keys ● and certificates Key Confidentiality Content is secured by a ● Key Integrity password S y s t e m I n t e g r i t y ******

  6. Password-based Key Derivation Ciphers require a key of a specific length ● Produce a key which can be used as a cryptographic key for a given ● cipher (e.g. 3DES) 160b 10K Password: 192b 3DES key KDF (pwd,salt,ic) ********** SHA1

  7. Password-based Key Derivation Ciphers require a key of a specific length ● Produce a key which can be used as a cryptographic key for a given ● cipher (e.g. 3DES) AVOID PREVENT PRECOMPUTATION BRUTEFORCE 160b 10K Password: 192b 3DES key KDF (pwd,salt,ic) ********** SHA1

  8. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  9. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  10. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  11. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  12. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  13. ATTACKS FLAWS

  14. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS W = Keystream W 0 = Salt W i = SHA1(pw||W i-1 ) K i = E i ⊕ W i CK = SHA1(pw||K)

  15. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS ~100X speedup W = Keystream W 0 = Salt W i = SHA1(pw||W i-1 ) K i = E i ⊕ W i CK = SHA1(pw||K) DER / ASN . 1

  16. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS ~100X speedup W = Keystream 8 billions pw/s with one NVIDIA W 0 = Salt W i = SHA1(pw||W i-1 ) GTX 1080 K i = E i ⊕ W i CK = SHA1(pw||K) DER / ASN . 1

  17. Oracle JKS/JCEKS Integrity Password Cracking SHA1(...)

  18. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...)

  19. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...) Efficient integrity-password bruteforce ( better w. rainbow-tables � ) ● Length extension attacks? ● Watch out when integrity password = confidentiality password! ●

  20. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...) Efficient integrity-password bruteforce ( better w. rainbow-tables � ) ● Length extension attacks? ● Watch out when integrity password = confidentiality password! ●

  21. DoS by Integrity Parameters Abuse Oracle PKCS12 ● Bouncy Castle BKS ● Bouncy Castle PKCS12 ● KDF+HMAC

  22. DoS by Integrity Parameters Abuse Oracle PKCS12 ● Bouncy Castle BKS ● Bouncy Castle PKCS12 ● ASN.1 Structure … SEQUENCE (3 elem) SEQUENCE (2 elem) SEQUENCE (2 elem) KDF+HMAC OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW) NULL OCTET STRING (20 byte) C9C2AF5A... OCTET STRING (20 byte) 7B223BBC... Parameters INTEGER 1024

  23. DoS by Integrity Parameters Abuse Iteration Count = 2 31 –1 Oracle PKCS12 ● DoS the application Bouncy Castle BKS ● loading the keystore! Bouncy Castle PKCS12 ● ASN.1 Structure … SEQUENCE (3 elem) SEQUENCE (2 elem) SEQUENCE (2 elem) KDF+HMAC OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW) NULL OCTET STRING (20 byte) C9C2AF5A... OCTET STRING (20 byte) 7B223BBC... Parameters INTEGER 1024

  24. JCEKS Secret Keys Code Exec

  25. JCEKS Secret Keys Code Exec SecretKey

  26. JCEKS Secret Keys Code Exec SealedObject SecretKey

  27. JCEKS Secret Keys Code Exec SealedObject SecretKey

  28. JCEKS Secret Keys Code Exec SealedObject SecretKey KeyStore Load Mechanism deserialize each SealedObject ● then perform Integrity Check ●

  29. JCEKS Secret Keys Code Exec SealedObject SecretKey KeyStore Load Mechanism deserialize each SealedObject ● then perform Integrity Check ●

  30. JCEKS Secret Keys Code Exec SealedObject SecretKey Command execution ● JDK≤1.7.21 & JDK≤1.8.20 DoS JDK>1.8.20 ● KeyStore Load Mechanism Fixed Oct 2017 CPU ● deserialize each SealedObject ● then perform Integrity Check ●

  31. JCEKS Secret Keys Code Exec after Decrypt SealedObject SecretKey

  32. JCEKS Secret Keys Code Exec after Decrypt SealedObject Deserialize of SecretKey Extended classpath ● Use gadgets from any 3rd-party library ●

  33. JCEKS Secret Keys Code Exec after Decrypt SealedObject Command execution on Deserialize of SecretKey latest JDK if integrity & key password are known! Extended classpath ● Use gadgets from any 3rd-party library ●

  34. JCEKS Secret Keys Code Exec after Decrypt JCEKS SealedObject SecretKey Rebrand ---------------------------- J ava C ode E xecution K ey S tore Command execution on Deserialize of SecretKey latest JDK if integrity & key password are known! Extended classpath ● Use gadgets from any 3rd-party library ●

  35. DISCLOSURE CONTRIBUTIONS

  36. Disclosure Timeline … 2017 May 2017 Aug 2017 Nov 2017 Keystore Report to Oracle BC1.58 released JCEKS code exec, Analysis and BC fixing some issues again... Apr 2017 Jul 2017 Oct 2017 TODAY Discovered code Issues fixed by Oracle CPU Full disclosure execution Oracle CVE-2017-10345, @NDSS18 at RuCTF finals CVE-2017-10356

  37. Responses Oracle Keytool, warning on JKS/JCEKS ● ○ The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format [...] Oracle JCEKS KDF params for PBE ● from 20 to 200K iterations (max 5M) ○ Oracle PKCS12 ● from 1024 to 50K iterations for PBE (max 5M) ○ from 1024 to 100K iterations for HMAC (max 5M) ○ Partial fix to the Oracle JCEKS code execution ● Similar improvements in Bouncy Castle ●

  38. Responses CVE-2017-10356 CVSS 6.2 Oracle Keytool, warning on JKS/JCEKS ● ○ The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format [...] Oracle JCEKS KDF params for PBE ● from 20 to 200K iterations (max 5M) ○ Oracle PKCS12 ● from 1024 to 50K iterations for PBE (max 5M) ○ from 1024 to 100K iterations for HMAC (max 5M) ○ Partial fix to the Oracle JCEKS code execution ● CVE-2017-10345 CVSS 3.1 Similar improvements in Bouncy Castle ●

  39. Contributions Threat model for password-protected keystores, design rules for ● secure keystores Analysis of 7 keystores ● Cryptographic implementation ○ Weaknesses & Attacks ○ Brute force time comparison for key confidentiality and integrity ● passwords Concrete improvements to the security of Oracle JDK and Bouncy ● Castle keystores

  40. THANK YOU! (´ ▽ ` ) ノ

  41. ??? Q ?????????? U ???????????? E ????? ?????? S ??? T ??????????????? I ?????? ? O ??????????????? N ??????????? S ??? squarcina @ unive.it @ blueminimal https://www.linkedin.com/in/squarcina/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

702 views • 33 slides
STARTING WITH THE END IN MIND How evaluation can support you in achieving program goals October

STARTING WITH THE END IN MIND How evaluation can support you in achieving program goals October

STARTING WITH THE END IN MIND How evaluation can support you in achieving program goals October 23, 2017 Sophia Mansori Sheila Rodriguez Gabriela Garcia Todays agenda Introduce our evaluation team 1 Review evaluation activities and

357 views • 16 slides
T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP Kaufman et al: Ch 17, 11.2 SSL/TLS 18, 19 11.3 IPSEC Stallings: Ch 16,17 1 Pretty Good Privacy Email encryption program

566 views • 8 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
You still use the password after all Exploring FIDO2 Security Keys in a Small Company

You still use the password after all Exploring FIDO2 Security Keys in a Small Company

You still use the password after all Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, and Markus Drmuth Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)

571 views • 11 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats Key Management KDC Policy Symmetric keys Specification Asymmetric keys PKI Design Security Protocols Kerberos

617 views • 39 slides
Run-time Evaluation of Opportunities for Object Inlining in Java Ond rej Lhot ak and

Run-time Evaluation of Opportunities for Object Inlining in Java Ond rej Lhot ak and

Run-time Evaluation of Opportunities for Object Inlining in Java Ond rej Lhot ak and Laurie Hendren Sable Research Group McGill University November 5th, 2002 p. 1/30 Motivation Java allows only references to objects as fields,

318 views • 30 slides
The need for a formal model of Java Safety guarantees of Java definedness type safety

The need for a formal model of Java Safety guarantees of Java definedness type safety

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

595 views • 44 slides
5 things to keep in mind as you design your evaluation strategy Using the example of Plans

5 things to keep in mind as you design your evaluation strategy Using the example of Plans

Presentation prepared for the Innovation for Education Program 5 things to keep in mind as you design your evaluation strategy Using the example of Plans Teachers Self- Learning Academy June 6th, 2013 www.laterite-africa.com What

987 views • 19 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens, iMinds-DistriNet, KU Leuven USENIX Security 2016 Security of Wi-Fi group keys? Protect broadcast and multicast Wi-Fi frames: All clients share a

564 views • 29 slides
Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The Motivation Teaching / Learning Bibliography Evaluation Lab: problems, personal projects, essays easy Exam: written test /

711 views • 22 slides
2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe

Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe

Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe Internet Programming Group Princeton University The Java Model Web server Web browser Java program URL lookup applet code byte code Verifier

458 views • 14 slides
RECSM Summer School: Machine Learning for Social Sciences Session 3.3: K -Means Clustering Reto

RECSM Summer School: Machine Learning for Social Sciences Session 3.3: K -Means Clustering Reto

RECSM Summer School: Machine Learning for Social Sciences Session 3.3: K -Means Clustering Reto West Department of Political Science and International Relations University of Geneva 1 Clustering Clustering Clustering refers to a set of

352 views • 17 slides
INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from

INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from

INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from http://informationretrieval.org/ IR 13: Query Expansion and Probabilistic Retrieval Paul Ginsparg Cornell University, Ithaca, NY 8 Oct 2009 1 /

557 views • 34 slides
Generating asymptotics for factorially divergent sequences Michael Borinsky 1 Humboldt-University

Generating asymptotics for factorially divergent sequences Michael Borinsky 1 Humboldt-University

Generating asymptotics for factorially divergent sequences Michael Borinsky 1 Humboldt-University Berlin Departments of Physics and Mathematics ALEA in Europe, Vienna 2017 1 borinsky@physik.hu-berlin.de M. Borinsky (HU Berlin) Generating

543 views • 18 slides
Asset Pricing Chapter VIII. Arrow-Debreu Pricing June 22, 2006 Asset Pricing 8.1 Setting: An

Asset Pricing Chapter VIII. Arrow-Debreu Pricing June 22, 2006 Asset Pricing 8.1 Setting: An

8.1 Setting: An Arrow Debreu Economy 8.2 Competitive Equilibrium and Pareto Optimality Illustrated 8.3 Pareto Optimality and risk Sharing 8.4 Implementing Pareto Optimal Allocations: On the Possibility of Market failure 8.5 Arrow-Debreu pricing:

655 views • 19 slides
Model-Switching: Dealing with Fluctuating Workloads in MLaaS * Systems Jeff Zhang 1 , Sameh

Model-Switching: Dealing with Fluctuating Workloads in MLaaS * Systems Jeff Zhang 1 , Sameh

Model-Switching: Dealing with Fluctuating Workloads in MLaaS * Systems Jeff Zhang 1 , Sameh Elnikety 2 , Shuayb Zarar 2 , Atul Gupta 2 , Siddharth Garg 1 1 New York University, 2 Microsoft jeffjunzhang@nyu.edu [*] Machine Learning-as-a-Service

193 views • 17 slides
Alaska Native Womens Resource Center 101 Training Series FVPSA Webinar 2018-2020 Tami Truett

Alaska Native Womens Resource Center 101 Training Series FVPSA Webinar 2018-2020 Tami Truett

Alaska Native Womens Resource Center 101 Training Series FVPSA Webinar 2018-2020 Tami Truett Jerue Executive Director Michelle Demmert Law & Policy Consultant ALASKA NATIVE TRIBAL RESOURCE CENTER ON DOMESTIC VIOLENCE (ANTRC) Funded

452 views • 34 slides
Faster convex optimization Simulated annealing & Interior point Elad Hazan Joint work with

Faster convex optimization Simulated annealing & Interior point Elad Hazan Joint work with

Faster convex optimization Simulated annealing & Interior point Elad Hazan Joint work with Jacob Abernethy U MICH Convex optimization fundamental problem of optimization: minimize a convex (linear) function over a convex set min x

589 views • 54 slides
Unix and Undergraduate Teaching Carlo Kopp, BE(Hons), MSc, PhD, PEng Monash University,

Unix and Undergraduate Teaching Carlo Kopp, BE(Hons), MSc, PhD, PEng Monash University,

1/16 Computer Science & Software Engineering http://www.csse.monash.edu.au/ Unix and Undergraduate Teaching Carlo Kopp, BE(Hons), MSc, PhD, PEng Monash University, Clayton, Australia email: carlo@mail.csse.monash.edu.au

691 views • 16 slides

More recommend