practical attacks on
play

Practical Attacks on Implementations Juraj Somorovsky Ruhr - PowerPoint PPT Presentation

Jan 14, 2023 •114 likes •406 views

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

  1. Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1

  2. Recent years revealed many crypto attacks… • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 2 2

  3. Standards updated • Countermeasures defined • What could go wrong in RWC implementations? Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 3 3

  4. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 4

  5. RSA-PKCS#1 v1.5 • Used to encrypt symmetric keys • Vulnerable to an adaptive chosen-ciphertext attack XML Encryption ciphertext C = Enc(M) Ciphertext C = Enc(M) C 1 valid/invalid C 2 Server Client valid/invalid … M = Dec(C) (repeated several times) Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 5 5

  6. RSA-PKCS#1 v1.5: Countermeasures 1. Use RSA-OAEP (PKCS#1 v2) 2. Apply specific countermeasure generate random decrypt ciphertext: m = dec(c) if ( padding correct ) proceed with m else proceed with random Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 6 6

  7. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 7

  8. RSA PKCS#1 v1.5 in XML Encryption • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 k Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 9 9

  9. Attack Countermeasure • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 Random: k 128 b Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 10 10

  10. Case Apache WSS4J • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 Random: k 128 B Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 11 11

  11. Case Apache WSS4J • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 Random: k 128 B Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 12 12

  12. Case Apache WSS4J • Original bug much more complicated • CVE-2015-0226 • Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky: How to Break XML Encryption – Automatically (WOOT‘15 ) • Found automatically using WS-Attacker • https://github.com/RUB-NDS/WS-Attacker Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 17 17

  13. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 18

  14. How About TLS? • Christopher Meyer, Juraj Somorovsky, Jörg Schwenk, Eugen Weiss, Sebastian Schinzel, Erik Tews: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks . USENIX Security 2014 • Practical attacks on JSSE, Bouncy Castle, Cavium Accelerator • Bug in OpenSSL Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 19 19

  15. Case JSSE • No direct TLS error messages • Uses PKCS#1 unpadding function: private byte [] unpadV15 (byte[] padded) { if (PKCS valid) { return unpadded text; } else { throw new BadPaddingException(); } } • Caught, random generated…what’s wrong? Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 20 20

  16. Case JSSE (CVE-2014-411) • Exception consumes about 20 microseconds! PKCS#1 valid, no exception PKCS#1 invalid, exception Bleichenbacher’s Attack over LAN! Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 21 21

  17. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 22

  18. Elliptic Curve • Set of points over a finite field • Used e.g. for key exchange Client Server P Secret s P Key: sP Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 23 23

  19. Invalid Curve Attack • Crypto 2000: Biehl, Meyer, Müller • Attacker sends an invalid point of small order (e.g. 5) Server Secret s Q Q • Attacker computes: 𝒕 𝟐 = 𝒕 𝒏𝒑𝒆 𝟔 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 24 24

  20. Invalid Curve Attack • Choose points of small co- prime order (5, 7, 11, …) • Send to the server • Compute: 𝑡 1 = 𝑡 𝑛𝑝𝑒 5 𝑡 2 = 𝑡 𝑛𝑝𝑒 7 𝑡 3 = 𝑡 𝑛𝑝𝑒 11 𝑡 4 = 𝑡 𝑛𝑝𝑒 13 • Compute s with CRT Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 25 25

  21. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 26

  22. Practical Attacks? • Tibor Jager, Jörg Schwenk, Juraj Somorovsky: Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015 • Analyzed 8 libraries • 2 vulnerable – Bouncy Castle: 3300 TLS queries – Oracle JSSE: 17000 TLS queries Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 27 27

  23. Impact • Attacks extract server private keys • Java servers using EC certificates vulnerable – For example Apache Tomcat Demo Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 28 28

  24. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 29

  25. Attacker Model in HSM Scenarios • Storage of crypto keys • Keys never leave HSMs dec (C) Keys (RSA, EC, AES …) m Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 30 30

  26. Attacker Model in HSM Scenarios • Storage of crypto keys • Keys never leave HSMs getKey Keys (RSA, EC, AES …) Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 31 31

  27. How about Invalid Curve Attacks? • CVE-2015-6924 (with Dennis Felsch) • Utimaco HSMs vulnerable • < 100 queries to get a key…Heartbleed effect • Thanks to cooperation of Utimaco – Provided sample code, fast fix "Catastrophic" is the right word. On the scale • Utimaco HSM is FIPS certified of 1 to 10, this is an 11. Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 32 32

  28. Conclusions • Old attacks relevant for RWC implementations • Old algorithms in the newest standards – RSA PKCS#1 v1.5 (attack: 1998) 2008: TLS 1.2 2013: XML Encryption 1.1 2015: JSON Web Encryption – Positive example: TLS 1.3 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 33 33

  29. Conclusions • For standard designers: – Remove old crypto • For developers: – Analyze possible side-channels, best practices • Check point is on curve • For pentesters: – More tools / analyses of crypto applications needed Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 34 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor, Electrical &amp; Computer Engineering + Computer Science Director, Cyber Autonomy Research Center Collaborators: Mahmood Sharif, Sruti Bhagavatula, Mike

754 views • 31 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg Schwenk 1 , Adam Czubak 2 , Marcin Szymanek 2 1 : Ruhr University Bochum, Germany 2 : University of Opole, Poland 27 TH USENIX SECURITY SYMPOSIUM

476 views • 25 slides
Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science &amp; Technology 1 Outline [Shokri+,S&amp;P11] [Gambs+,JCSS14]

370 views • 19 slides
Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila 1 and Ricardo J. Rodr Jos guez 2 1 DIIS, University of Zaragoza, Spain 2 Research Institute of Applied Sciences in Cybersecurity, University

337 views • 17 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias Schulz, Adrian Loch, Matthias Hollick Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias

607 views • 22 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in

MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1 Overview Notion of

396 views • 20 slides
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements

Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements

Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides two messages m0, m1

993 views • 43 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
Fast Prototyping Network Data Mining Applications Gianluca Iannaccone Intel Research Berkeley

Fast Prototyping Network Data Mining Applications Gianluca Iannaccone Intel Research Berkeley

Fast Prototyping Network Data Mining Applications Gianluca Iannaccone Intel Research Berkeley Motivation Developing new network monitoring apps is unnecessarily time-consuming Familiar development steps Need deep understanding of

874 views • 44 slides
Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

8.10.2019 Information Security Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak Can Network Security: Hacettepe University Ensure security of communication over insecure medium

267 views • 10 slides
Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II

Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II

Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II http://www.cl.cam.ac.uk/teaching/1213/SecurityII/ 1 Related textbooks Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Chapman &amp; Hall/CRC,

887 views • 39 slides
Fubswrjudskb Frxuvh qxpehu: 4003-482 / 4005-705 Lqvwuxfwru: Lyrqd Ehcdnryd Wrgdbv Wrslfv:

Fubswrjudskb Frxuvh qxpehu: 4003-482 / 4005-705 Lqvwuxfwru: Lyrqd Ehcdnryd Wrgdbv Wrslfv:

Fubswrjudskb Frxuvh qxpehu: 4003-482 / 4005-705 Lqvwuxfwru: Lyrqd Ehcdnryd Wrgdbv Wrslfv: 1. Orjlvwlfv: - Fodvv olvw - Vboodexv 2. Wkh Pdwk 3. Zkdw lv Fubswrjudskb 4. Vrph Fodvvlfdo Fubswrvbvwhpv Cryptography Course number: 4003-482

484 views • 21 slides
(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

738 views • 56 slides

More recommend