nonce disrespecting adversaries practical forgery attacks
play

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in - PowerPoint PPT Presentation

Nov 04, 2022 •664 likes •956 views

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

  1. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1

  2. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption 2

  3. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 3

  4. CBC / HMAC • Arbitrary padding in SSLv3 • Implicit IVs in TLS 1.0 2002 Padding • MAC-then-Pad-then-Encrypt Oracles 5

  5. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 7

  6. RC4 • Generates a key stream – Some bytes more likely to occur 2013: AlFardan et al. • https://www.rc4nomore.com/ • RFC 7465: Prohibiting RC4 Cipher Suites 8

  7. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 9

  8. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 10

  9. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

  10. AES Counter Mode Nonce || Counter J 1 J 2 AES-Enc AES-Enc P 1 P 2 C 1 C 2 13

  11. Bit Flipping in AES Counter Mode J 1 J 2 AES-Enc AES-Enc C 1 C 2 P 1 P 2 Attacker can modify messages 14

  12. AES-GCM • GCM – Galois Counter Mode • AEAD (Authenticated Encryption with Additional Data) • Only in TLS 1.2 • Combination of Counter Mode and GHASH authentication – Computed over Galois field 15

  13. AES-GCM J 1 J 2 J 0 AES-Enc AES-Enc AES-Enc P 1 P 2 C 1 C 2 Gmul H Gmul H Gmul H Hash key H A len(A)||len(C) Encryption of 128 Gmul H zero bits: H=Enc(0) Output: C || T T 16

  14. GCM: Opinions of Cryptographers • "Do not use GCM. Consider using one of the other authenticated encryption modes, such as CWC, OCB, or CCM." (Niels Ferguson) • "We conclude that common implementations of GCM are potentially vulnerable to authentication key recovery via cache timing attacks." (Emilia Käsper, Peter Schwabe, 2009) • "AES-GCM so easily leads to timing side-channels that I'd like to put it into Room 101." (Adam Langley, 2013) • "The fragility of AES-GCM authentication algorithm" (Shay Gueron, Vlad Krasnov, 2013) • "GCM is extremely fragile" (Kenny Paterson, 2015) 17

  15. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

  16. The Forbidden Attack • Nonce: – Number used once – TLS: 8 Byte / 64 Bit nonce • Joux (2006): Nonce reuse allows an attacker to recover the authentication key • Attacker can modify messages 19

  17. Consider one block J 0 J 1 H = AES (0) AES-Enc AES-Enc P 1 T = ( C 1 * H + L) * H + AES (J 0 ) C 1 T = C 1 * H 2 + L * H + AES (J 0 ) Gmul H len(A)||len(C) Unknown values: • H Gmul H • AES (J 0 ) T 21

  18. Duplicate nonce J 0 J 1 H = AES (0) AES-Enc AES-Enc P 1 T 1 = C 1,1 * H 2 + L 1 * H + AES (J 0 ) C 1 T 2 = C 2,1 * H 2 + L 2 * H + AES (J 0 ) Gmul H T 1 - T 2 = (C 1,1 – C 2,1 ) * H 2 len(A)||len(C) + (L 1 – L 2 ) * H Gmul H T 22

  19. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

  20. TLS 1.2 / RFC 5288 "Each value of the nonce_explicit must be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security. The nonce_explicit may be the 64-bit sequence number .“ Two problems: • Random nonces: Collision probability • Repeating nonces 24

  21. Internet-wide Scan • 184 hosts with repeating nonces – Radware (Cavium chip) – Several pages from VISA Europe • 72445 hosts with random looking nonces – A10, IBM Lotus Domino (both published updates) – Sangfor (no response) • More devices that we were unable to identify 26

  22. 0100000003001741 Example: Radware 0100000003001741 f118cd0fa6ff5a15 f118cd0fa6ff5a16 f118cd0fa6ff5a74 OpenSSL 1.0.1j e_aes.c (EVP_CIPHER_CTX_ctrl/aes_gcm_ctrl): if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) return 0; t1_enc.c: if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); } 27

  23. Open Source Libraries • Botan, BouncyCastle, MatrixSSL, SunJCE, OpenSSL • No real problems • Counter overflows in Botan and MatrixSSL 28

  24. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario 29

  25. Attacking Vulnerable Websites GET visa.dk/index.html HTTP 1.1 200 OK HTTP 1.1 200 OK … … <html> <html> <script> … </script> <h1>Hello Visa</h1> </html> </html> 30

  26. Demo 32

  27. Attacking mi5.gov.uk 33

  28. Conclusions • TLS 1.2: no guidance how to use nonces correctly – Some people get it wrong • Implicit nonces needed: – Chacha20/Poly1305 and TLS 1.3 based on record number • Better test tools for TLS implementation flaws 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1

Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1

Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1 , O guzhan Ersoy 2 , Ferhat Karako c 1 1 T 2 Bo UB ITAK-B ILGEM-UEKAE gazi ci University ASIACRYPT 2016, Hanoi, VIETNAM 1/27

860 views • 28 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos Cid Information Security Group, Royal Holloway, University of London Our Contributions 1 Study the underlying algebraic structure of

409 views • 24 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Introduction and Adversaries Attack

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Introduction and Adversaries Attack

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Introduction and Adversaries Attack Setups Attacks in Theory Example: Square and Multiply Combined Attacks Conclusion, Outlook Fault Type Transient Permanent

439 views • 22 slides
Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon

Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon

Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon University of Connecticut, Storrs CT USA walter.krawec@gmail.com walterkrawec.org Quantum Key Distribution (QKD) Allows two users Alice (A) and

1.03k views • 55 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science &amp; Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov

Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov

Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov Zair Gill Schapira Rishab Nithyanand Network-level Traffic Correlation Attacks Internet rou,ng is asymmetric. Source -&gt; Entry != Entry

591 views • 11 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years &amp; proven

1.17k views • 68 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years &amp; proven

679 views • 63 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Co-simulation Design towards Cyber-Physical Robotic Applications Leveraging on FMI Standard and

Co-simulation Design towards Cyber-Physical Robotic Applications Leveraging on FMI Standard and

Co-simulation Design towards Cyber-Physical Robotic Applications Leveraging on FMI Standard and CSP Semantics Zhou Lu and Jan Broenink Robotics and Mechatronics, University of Twente 22 Aug, 2017 Introduction - Context Cyber-Physical

784 views • 31 slides
http://help.arcgis.com/en/arcgisdesktop/10.0/pdf/whats_new_in_arcgis_10.pdf Cathy Cole NCDOT GIS

http://help.arcgis.com/en/arcgisdesktop/10.0/pdf/whats_new_in_arcgis_10.pdf Cathy Cole NCDOT GIS

http://help.arcgis.com/en/arcgisdesktop/10.0/pdf/whats_new_in_arcgis_10.pdf Cathy Cole NCDOT GIS Unit ccole@ncdot.gov Table of Contents I. Administration II. Data Management A. Geodatabases B. Topology rules C. Editing D. Rasters E.

724 views • 43 slides
LibreOffice Calc Spreadsheets on the GPU Michael Meeks &lt;michael.meeks@collabora.com&gt;

LibreOffice Calc Spreadsheets on the GPU Michael Meeks &lt;michael.meeks@collabora.com&gt;

LibreOffice Calc Spreadsheets on the GPU Michael Meeks &lt;michael.meeks@collabora.com&gt; mmeeks, #libreoffice-dev, irc.freenode.net Stand at the crossroads and look; ask for the ancient paths, ask where the good way is, and walk in it,

454 views • 41 slides
Design Document Overview Client: Jon Mathews Advisor: Dr. Suraj Kothari Team Members Chaz

Design Document Overview Client: Jon Mathews Advisor: Dr. Suraj Kothari Team Members Chaz

Design Document Overview Client: Jon Mathews Advisor: Dr. Suraj Kothari Team Members Chaz Beck Shaun Brockhoff Jason Lackore Marcus Rosenow State of the Project New problem/need statements How did we get here?

505 views • 37 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank

Attribute-based Access Control Architectures with the eIDAS Protocols 21. SSR 2016 Frank Morgner (Bundesdruckerei) Paul Bastian (Bundesdruckerei) Marc Fischlin (TU Darmstadt) 13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

404 views • 22 slides
Research Project I PROTECTING AGAINST RELAY ATTACKS FORGING INCREASED DISTANCE REPORTS Xavier

Research Project I PROTECTING AGAINST RELAY ATTACKS FORGING INCREASED DISTANCE REPORTS Xavier

SYSTEM AND NETWORK ENGINEERING MSc Research Project I PROTECTING AGAINST RELAY ATTACKS FORGING INCREASED DISTANCE REPORTS Xavier Torrent Gorjn xavier.torrentgorjon@os3.nl Supervisors: Paul van Iterson Jordi van

263 views • 23 slides
Analyzing BU Mining Protocol Ren Zhang &amp; Bart Preneel ren.zhang@esat.kuleuven.be

Analyzing BU Mining Protocol Ren Zhang &amp; Bart Preneel ren.zhang@esat.kuleuven.be

On the Necessity of a Prescribed Block Validity Consensus: Analyzing BU Mining Protocol Ren Zhang &amp; Bart Preneel ren.zhang@esat.kuleuven.be bart.preneel@esat.kuleuven.be What is A peer-to-peer network of public nodes Maintaining a

518 views • 32 slides

More recommend