mining your p s and q s detection of widespread weak keys
play

Mining Your P s and Q s Detection of Widespread Weak Keys in - PowerPoint PPT Presentation

Oct 28, 2022 •30 likes •490 views

Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC San Diego Microsoft Research New England Zakir Durumeric Eric Wustrow Alex Halderman University of Michigan January 10, 2012 or

  1. Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC San Diego ↓ Microsoft Research New England Zakir Durumeric Eric Wustrow Alex Halderman University of Michigan January 10, 2012

  2. —or— Requirements for random number generators II

  3. —or— Requirements for random number generators II: Seed them.

  4. Mining your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman Usenix Security 2012 factorable.net

  5. Cryptography and randomness Randomness is required for cryptography. Long list of failures in practice: 1996 Goldberg and Wagner Netscape SSL vulnerability 2008 Bello Debian OpenSSL entropy disaster

  6. Cryptography and randomness Randomness is required for cryptography. Long list of failures in practice: 1996 Goldberg and Wagner Netscape SSL vulnerability 2008 Bello Debian OpenSSL entropy disaster Our research plan: 1. Acquire cryptographic keys. 2. Look for obvious key generation problems.

  7. Step 1: Acquire cryptographic keys. 1. Scan IPv4 space on port 443 (https) and 22 (ssh). ◮ nmap from 25 hosts on Amazon ec2, < 24 hours. 2. For each host with port open, initiate handshake. ◮ 3 hosts, < 48 hours 3. Store certificate/key.

  8. Step 1: Acquire cryptographic keys. 1. Scan IPv4 space on port 443 (https) and 22 (ssh). ◮ nmap from 25 hosts on Amazon ec2, < 24 hours. 2. For each host with port open, initiate handshake. ◮ 3 hosts, < 48 hours 3. Store certificate/key. Our SSH Scans Our SSL Scan EFF Observatory (02-04/2012) (10/2011) (10/2010) Open Port 23,237,081 28,923,800 16,000,000 Handshake 10,216,369 12,828,612 7,704,837 Distinct Certs - 5,847,957 4,021,766 Browser-Trusted - 1,956,267 1,455,391

  9. Step 2: Look for problems. Repeated keys. ◮ Two hosts share same public key: → both know private key of the other.

  10. Step 2: Look for problems. Repeated keys. ◮ Two hosts share same public key: → both know private key of the other. SSH SSL Handshake 10,216,369 12,828,612 Distinct Certs - 5,847,957 Browser-Trusted - 1,956,267 Distinct RSA keys 3,821,639 5,656,519 Distinct DSA keys 2,789,662 6,241

  11. Looking for problems. Repeated public keys Many valid (and common) reasons to share keys: ◮ Shared hosting situations. Virtual hosting. ◮ A single organization registers many domain names with the same key.

  12. Looking for problems. Repeated public keys Common (and unwise) reasons to share keys: ◮ Device default certificates/keys. ◮ Apparent entropy problems in key generation.

  13. Looking for problems. Repeated public keys Common (and unwise) reasons to share keys: ◮ Device default certificates/keys. ◮ Apparent entropy problems in key generation. TLS: SSH: default certificates/keys: default or low-entropy keys: 670,000 hosts (5%) 1,000,000 hosts (10%) low-entropy repeated keys: 40,000 hosts (0.3%)

  14. Looking for problems. Repeated keys Devices Number of repeats 10 5 Hosting providers Unknown/other 10 4 50 most repeated RSA SSH keys

  15. Step 2: Look for problems. Factoring RSA moduli N 1 = pq 1 N 2 = pq 2 gcd( N 1 , N 2 ) = p ◮ Two hosts share RSA moduli with a prime factor in common → outside observer can factor both keys by calculating the GCD of public moduli. Time to factor 768-bit RSA Time to calculate GCD for modulus: 1024-bit RSA moduli: two years [Kleinjung et al. 2010] 15 µ s

  16. Looking for problems: Factoring RSA keys Implemented efficient algorithm due to [Bernstein 2004]. N 1 N 2 N 3 N 4 product × × ◮ 350 lines of C using GMP tree N 1 N 2 N 3 N 4 N 1 N 2 N 3 N 4 Ran on 11,170,883 distinct remainder mod N 2 1 N 2 mod N 2 3 N 2 moduli in SSL, SSH, and EFF 2 4 tree datasets mod N 2 mod N 2 mod N 2 mod N 2 3 1 2 4 ◮ 1.5 hours on 16 cores. / N 1 / N 2 / N 3 / N 4 ◮ $ 5 of Amazon ec2 time. gcd ( , N 1 ) gcd ( , N 2 ) gcd ( , N 3 ) gcd ( , N 4 ) · · · ·

  17. Looking for problems: Factoring RSA keys Implemented efficient algorithm due to [Bernstein 2004]. N 1 N 2 N 3 N 4 product × × ◮ 350 lines of C using GMP tree N 1 N 2 N 3 N 4 N 1 N 2 N 3 N 4 Ran on 11,170,883 distinct remainder mod N 2 1 N 2 mod N 2 3 N 2 moduli in SSL, SSH, and EFF 2 4 tree datasets mod N 2 mod N 2 mod N 2 mod N 2 3 1 2 4 ◮ 1.5 hours on 16 cores. / N 1 / N 2 / N 3 / N 4 ◮ $ 5 of Amazon ec2 time. gcd ( , N 1 ) gcd ( , N 2 ) gcd ( , N 3 ) gcd ( , N 4 ) · · · · Results: ◮ 2,314 distinct prime factors factored 16,717 moduli ◮ Private keys for 64,081 TLS (0.50%) and 2,459 SSH (0.03%) hosts in our scan

  18. Step 2: Looking for problems. Weak DSA signature nonce DSA signatures require a random nonce. ◮ If the nonce is predictable → can easily compute long-term private key. ◮ Two distinct signatures use same nonce and private key → can easily compute nonce → can easily compute long-term private key.

  19. Step 2: Looking for problems. Weak DSA signature nonce DSA signatures require a random nonce. ◮ If the nonce is predictable → can easily compute long-term private key. ◮ Two distinct signatures use same nonce and private key → can easily compute nonce → can easily compute long-term private key. ◮ Collected 9,114,925 signatures from two scans. ◮ 4,365 contained the same nonce as another signature. ◮ Computed 281 distinct private DSA keys. ◮ Keys were served by 105,728 (1.03%) of SSH DSA hosts.

  20. ... only two of the factored certificates were signed by a CA, and both are expired. The web pages aren’t active.

  21. ... only two of the factored certificates were signed by a CA, and both are expired. The web pages aren’t active. Look at subject information for certificates: CN=self-signed, CN=system generated, CN=0168122008000024 CN=self-signed, CN=system generated, CN=0162092009003221 CN=self-signed, CN=system generated, CN=0162122008001051 C=CN, ST=Guangdong, O=TP-LINK Technologies CO., LTD., OU=TP-LINK SOFT, CN=TL-R478+1145D5C30089/emailAddress=service C=CN, ST=Guangdong, O=TP-LINK Technologies CO., LTD., OU=TP-LINK SOFT, CN=TL-R478+139819C30089/emailAddress=service CN=self-signed, CN=system generated, CN=0162072011000074 CN=self-signed, CN=system generated, CN=0162122009008149 CN=self-signed, CN=system generated, CN=0162122009000432 CN=self-signed, CN=system generated, CN=0162052010005821 CN=self-signed, CN=system generated, CN=0162072008005267 C=US, O=2Wire, OU=Gateway Device/serialNumber=360617088769, CN=Gateway Authentication CN=self-signed, CN=system generated, CN=0162082009008123 CN=self-signed, CN=system generated, CN=0162072008005385 CN=self-signed, CN=system generated, CN=0162082008000317 C=CN, ST=Guangdong, O=TP-LINK Technologies CO., LTD., OU=TP-LINK SOFT, CN=TL-R478+3F5878C30089/emailAddress=service CN=self-signed, CN=system generated, CN=0162072008005597 CN=self-signed, CN=system generated, CN=0162072010002630 CN=self-signed, CN=system generated, CN=0162032010008958 CN=109.235.129.114 CN=self-signed, CN=system generated, CN=0162072011004982 CN=217.92.30.85 CN=self-signed, CN=system generated, CN=0162112011000190 CN=self-signed, CN=system generated, CN=0162062008001934 CN=self-signed, CN=system generated, CN=0162112011004312 CN=self-signed, CN=system generated, CN=0162072011000946 C=US, ST=Oregon, L=Wilsonville, CN=141.213.19.107, O=Xerox Corporation, OU=Xerox Office Business Group, CN=XRX0000AAD53FB7.eecs.umich.edu, CN=(141.213.19.107|XRX0000AAD53FB7.eecs.umich.edu) CN=self-signed, CN=system generated, CN=0162102011001174 CN=self-signed, CN=system generated, CN=0168112011001015 CN=self-signed, CN=system generated, CN=0162012011000446 CN=self-signed, CN=system generated, CN=0162112011004041

  22. Attributing vulnerabilities to implementations ◮ Used information in certificate subjects, version strings, served over https or http, etc. to cluster hosts by implementation. Vast majority of compromised keys generated by headless or embedded network devices. ◮ Routers, firewalls, switches, server management cards, cable modems, VOIP devices, printers, projectors... Identified compromised devices from > 50 manufacturers.

  23. How could this happen?

  24. http://xkcd.com/221/

  25. Linux: A tale of two RNGs /dev/random /dev/urandom “high-quality” randomness pseudorandomness blocks if insufficient entropy never blocks available As a general rule, /dev/urandom should be used for everything except long-lived GPG/SSL/SSH keys. — man random

  26. Linux: A tale of two RNGs /dev/random /dev/urandom “high-quality” randomness pseudorandomness blocks if insufficient entropy never blocks available As a general rule, /dev/urandom should be used for everything except long-lived GPG/SSL/SSH keys. — man random

  27. /* We’ll use /dev/urandom by default, since /dev/random is too much hassle. If system developers aren’t keeping seeds between boots nor getting any entropy from somewhere it’s their own fault. */ #define DROPBEAR RANDOM DEV "/dev/urandom"

  31. Linux boot-time entropy hole 25 , 000 250 Bytes read from nonblocking pool Input pool entropy (bits) 20 , 000 200 15 , 000 150 10 , 000 100 Input pool entropy estimate Input threshold to update entropy pool Bytes read from nonblocking pool 5 , 000 50 SSH process seeds from /dev/urandom 0 0 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 Time since boot (s)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, Nadia Heninger

Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, Nadia Heninger

Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, Nadia Heninger University of Pennsylvania Motivation [Mining Your Ps &amp; Qs: Detection of Widespread Weak Keys in Network Devices: Heninger Durumeric Wustrow

358 views • 22 slides
H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning Vulnerability Mitigation with Internet wide Scanning J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir

640 views • 53 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Overview Weak entity sets and keys Design principles CS 235: Examples Introduction to

Overview Weak entity sets and keys Design principles CS 235: Examples Introduction to

Overview Weak entity sets and keys Design principles CS 235: Examples Introduction to Databases Svetlozar Nestorov Lecture Notes #3 CS 235: Intro to DB; S. Nestorov 12 Example: Email Addresses Weak Entity Sets Sometimes an

522 views • 3 slides
Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection

Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection

Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection Horizontal Techniques Specification-checking Techniques Mining-based Techniques Mining Repositories Mining Traces Mining Source Code Mining

683 views • 44 slides
On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos Cid Information Security Group, Royal Holloway, University of London Our Contributions 1 Study the underlying algebraic structure of

409 views • 24 slides
Widespread concern about undergraduate academic

Widespread concern about undergraduate academic

Widespread concern about undergraduate academic English writing skills. Pleasures and pitfalls: Early detection + support = better outcomes developing faculty-specific online

170 views • 4 slides
Mining Data Streams (Part 2) Determine which elements of stream have keys in S Obvious

Mining Data Streams (Part 2) Determine which elements of stream have keys in S Obvious

2/19/2010 Each element of data stream is a tuple Given a list of keys S Mining Data Streams (Part 2) Determine which elements of stream have keys in S Obvious solution: hash table But suppose we dont have enough memory to

284 views • 6 slides
A New Class Of Weak Keys for Blowfish Orhun KARA and Cevat MANAP T UB ITAK - UEKAE

A New Class Of Weak Keys for Blowfish Orhun KARA and Cevat MANAP T UB ITAK - UEKAE

A New Class Of Weak Keys for Blowfish Orhun KARA and Cevat MANAP T UB ITAK - UEKAE (National Research Institute of Electronics and Cryptology) 1 Redefining Blowfish Key XORs in Blowfish can be moved around to generate two building blocks

286 views • 12 slides
Data Mining Based Detection Methods Data Mining in Intrusion detection Feng Pan Outline

Data Mining Based Detection Methods Data Mining in Intrusion detection Feng Pan Outline

Outline Related Data Mining Background Data Mining Based Detection Methods Data Mining in Intrusion detection Feng Pan Outline Typical Dataset in Data Mining Related Data Mining Background Dataset consists of records.

433 views • 8 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
To the weak I became weak, that I might win the weak. I have become all things to all people,

To the weak I became weak, that I might win the weak. I have become all things to all people,

To the weak I became weak, that I might win the weak. I have become all things to all people, that by all means I might save some. I do it all for the sake of the gosepl, that I might share with them in its blessing. Do you not know that in

652 views • 40 slides
Weak Detection of Signal in the Spiked Wigner Model Hye Won Chung and Ji Oon Lee Korea Advanced

Weak Detection of Signal in the Spiked Wigner Model Hye Won Chung and Ji Oon Lee Korea Advanced

Weak Detection of Signal in the Spiked Wigner Model Hye Won Chung and Ji Oon Lee Korea Advanced Institute of Science and Technology (KAIST) 2019 ICML H. W. Chung and J. O. Lee (KAIST) Weak detection in spiked Wigner model 2019 ICML 1 / 9

109 views • 9 slides
CSE 190 Lecture 6 Data Mining and Predictive Analytics Community Detection Community

CSE 190 Lecture 6 Data Mining and Predictive Analytics Community Detection Community

CSE 190 Lecture 6 Data Mining and Predictive Analytics Community Detection Community detection versus clustering So far we have seen methods to reduce the dimension of points based on their features Principal Component Analysis (Tuesday)

555 views • 37 slides
s r t q q q q

s r t q q q q

s r t q q q q s q s t q s r s r s q s

70 views • 5 slides
10-701 Fall 2017 Recitation 3 Agenda Q1 - Decision Tree to KNN A1 Q2.1 - KNN to Decision

10-701 Fall 2017 Recitation 3 Agenda Q1 - Decision Tree to KNN A1 Q2.1 - KNN to Decision

10-701 Fall 2017 Recitation 3 Agenda Q1 - Decision Tree to KNN A1 Q2.1 - KNN to Decision Trees Q 2.1 A 2.1 Q2.2 A 2.2 A 2.2 A 2.2 HW 1 doubts ?

261 views • 12 slides
Parent Seminar Elevate Education Who are we? Research: Why do the top students get the top

Parent Seminar Elevate Education Who are we? Research: Why do the top students get the top

Parent Seminar Elevate Education Who are we? Research: Why do the top students get the top results? Work with the top students around the world (2000+ schools, across 5 countries) 13 key study habits 13 key skills Belief Goals Stress

375 views • 15 slides
His tp ries of dark ma tu er his tp rical perspec tj ve Book, chap tf r 17 R 9 7 3 . . 9 5

His tp ries of dark ma tu er his tp rical perspec tj ve Book, chap tf r 17 R 9 7 3 . . 9 5

His tp ries of dark ma tu er his tp rical perspec tj ve Book, chap tf r 17 R 9 7 3 . . 9 5 1 . . . J p A 0 7 9 1 P H VSICAL l a m R E r o V n I E The W the : etters to percent. 84 percent, LETTERS TO THE EDITOR

1.42k views • 116 slides
Quick-Start for DCCP draft-fairhurst-tsvwg-dccp-qs-00 Gorry Fairhurst Arjuna Sathiaseelan

Quick-Start for DCCP draft-fairhurst-tsvwg-dccp-qs-00 Gorry Fairhurst Arjuna Sathiaseelan

Quick-Start for DCCP draft-fairhurst-tsvwg-dccp-qs-00 Gorry Fairhurst Arjuna Sathiaseelan ELECTRONICS RESEARCH GROUP IETF-68, March 19-23, 2007 DEPARTMENT OF ENGINEERING QS for DCCP 0.5 RTT 0.5 RTT 1 RTT QS-Req QS-Resp QS-Mode

202 views • 7 slides
PUBLIC KEY INFRASTRUCTURE Nina Bindel PQCrypto 2017 Udyani Herath Utrecht, The Nederlands

PUBLIC KEY INFRASTRUCTURE Nina Bindel PQCrypto 2017 Udyani Herath Utrecht, The Nederlands

TRANSITIONING TO A QUANTUM-RESISTENT PUBLIC KEY INFRASTRUCTURE Nina Bindel PQCrypto 2017 Udyani Herath Utrecht, The Nederlands Matthew McKague 06/26/2017 Douglas Stebila 1 7 chance of breaking RSA-2048 (Michele Mosca Nov 2015) 1 2

283 views • 15 slides
The Overall Procedure I Given P = ( Q , , , , q 0 , { q accept } ) Construct a CFG G var(

The Overall Procedure I Given P = ( Q , , , , q 0 , { q accept } ) Construct a CFG G var(

The Overall Procedure I Given P = ( Q , , , , q 0 , { q accept } ) Construct a CFG G var( G ) = { A pq | p , q Q } Start variable: A q 0 , q accept Rules: see earlier slides October 15, 2020 1 / 7 Needed modifications of PDA I

334 views • 7 slides
The eect of RF on p olarization in a m uon storage ring Ra jendran Ra ja F

The eect of RF on p olarization in a m uon storage ring Ra jendran Ra ja F

The eect of RF on p olarization in a m uon storage ring Ra jendran Ra ja F ermi National A c c eler ator L ab or atory PO Box Batavia IL Abstract W e in v estigate the

610 views • 29 slides

More recommend