Pseudorandom Black Swans: Cache Attacks on CTR DRBG (PowerPoint slide deck)

SLIDE 1

Pseudorandom Black Swans

Cache Attacks on CTR DRBG

Shaanan Cohney [1], Andrew Kwong [2], Shahar Paz [3], Daniel Genkin [2], Nadia Heninger [4], Eyal Ronen [5], Yuval Yarom [6]

[1] University of Pennsylvania, [2] University of Michigan, [3] Tel Aviv University, [4] University of California, San Diego, [5] Tel Aviv University and COSIC (KU Leuven), [6] University of Adelaide and Data61

SLIDE 2-5

Lesson Learned (the hard way)

Plenty of real-world random number generation disasters:
◮ Dual EC backdoor
◮ Juniper Dual EC incident (RWC 2016)
◮ DUHK attack on ANSI X9.31

Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

SLIDE 6-8

Standardized Designs

NIST SP 800-90 series lists approved designs:
◮ Dual EC (deprecated in disgrace)
◮ HMAC DRBG
◮ Hash DRBG
◮ CTR DRBG

Limited formal analysis until Woodage and Shumow (RWC 2018).

SLIDE 9-12

CTR DRBG
◮ Highly popular (67.8% of FIPS certifications); integrated into libraries, OSes, CPUs
◮ Design:
  • State consists of key K and counter V
  • Encrypts incrementing counter to generate output
  • Optional user-provided additional entropy ("addin")

SLIDE 13-15

CTR DRBG: Generate Function

Three-stage process (data flow of the slide figure shown as arrows):
  1. Advance state & add entropy:  (K, counter + 1, addin) → AES → (K, counter)
  2. Produce output:               (K, counter + 1) → AES → output
  3. Advance state & add entropy:  (K, counter + 1, addin) → AES → (K, counter)

SLIDE 16

Key Rotation Flaw [WS19][CWPG+19]

Problem 1: The key is not rotated until after the output encryptions are done, so the design is not safe against key compromise.
Problem 2: Additional entropy is optional and implementer-chosen.

SLIDE 17

Problem 1: Key Not Rotated Often Enough

An attacker may be able to compromise K using a side-channel attack. The attacker then decrypts PRG output to learn the state: D_K(output) = counter + 1.

Figure: (K, counter + 1) → AES → output

SLIDE 18-19

Problem 2: Lack of Entropy

Once the attacker has (K, counter), they guess addin and calculate the updated state. If addin is used at all!

Figure: (K, counter + 1, addin) → AES → (K, counter)
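To make the two problems concrete, here is an added Go example; it is not code from the paper, the slides, or any of the libraries they name. It implements the slides' three-stage Generate function with AES-128 from Go's standard library and no derivation function, then plays the attacker. Three things are modelling assumptions: the leaked K is obtained by having Generate hand back the key it used in stage 2 (standing in for the cache attack), the additional input is a coarse timestamp plus a per-call counter in the first 8 bytes of the seed-length block (loosely the time/PID/counter source from the results table, with the timestamp assumed constant across the observed calls), and the attacker is assumed to know that the timestamp lies in a 2^17 window. The seed and the timestamp are constructed constants.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const keyLen, blockLen, seedLen = 16, 16, 32 // AES-128: seedlen = keylen + blocklen

// ctrState is the CTR_DRBG working state from the slides: AES key K and counter V.
type ctrState struct {
	K [keyLen]byte
	V [blockLen]byte
}

// incV sets V = (V + 1) mod 2^128, big-endian, as in SP 800-90A.
func incV(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// ctrUpdate is CTR_DRBG_Update: keystream AES_K(V+1) || AES_K(V+2), XORed with
// providedData, becomes the new (K, V).
func ctrUpdate(st *ctrState, providedData [seedLen]byte) {
	blk, _ := aes.NewCipher(st.K[:])
	var temp [seedLen]byte
	for off := 0; off < seedLen; off += blockLen {
		incV(&st.V)
		blk.Encrypt(temp[off:], st.V[:])
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	copy(st.K[:], temp[:keyLen])
	copy(st.V[:], temp[keyLen:])
}

// ctrGenerate is the slides' three-stage Generate (no derivation function: addin
// goes straight into Update). The stage-2 key is also returned, purely to model
// what the cache attack on T-table AES leaks (modelling assumption).
func ctrGenerate(st *ctrState, addin [seedLen]byte, nBlocks int) ([]byte, [keyLen]byte) {
	ctrUpdate(st, addin) // stage 1: advance state, mix in addin
	keyUsed := st.K
	blk, _ := aes.NewCipher(st.K[:])
	out := make([]byte, nBlocks*blockLen)
	for i := 0; i < nBlocks; i++ { // stage 2: every block is AES_K(counter+1)
		incV(&st.V)
		blk.Encrypt(out[i*blockLen:], st.V[:])
	}
	ctrUpdate(st, addin) // stage 3: K is rotated only now, after the output exists
	return out, keyUsed
}

// mkAddin models a low-entropy additional input in the style of the results
// table: coarse timestamp plus per-call counter (PID omitted; an assumption).
func mkAddin(ts, counter uint32) (a [seedLen]byte) {
	binary.BigEndian.PutUint32(a[0:4], ts)
	binary.BigEndian.PutUint32(a[4:8], counter)
	return a
}

// recoverCounter is Problem 1: with K leaked, D_K(last output block) = counter.
func recoverCounter(leakedK [keyLen]byte, output []byte) (v [blockLen]byte) {
	blk, _ := aes.NewCipher(leakedK[:])
	blk.Decrypt(v[:], output[len(output)-blockLen:])
	return v
}

// bruteForceAddin is Problem 2: from (K, counter) replay stage 3 for every
// timestamp guess, predict the victim's next Generate call, and keep the guess
// that reproduces the observed next output.
func bruteForceAddin(K [keyLen]byte, V [blockLen]byte, call uint32, nextOut []byte, window uint32) (uint32, *ctrState, bool) {
	for g := uint32(0); g < window; g++ {
		cand := ctrState{K: K, V: V}
		ctrUpdate(&cand, mkAddin(g, call)) // stage 3 of the observed call
		pred, _ := ctrGenerate(&cand, mkAddin(g, call+1), 1)
		if bytes.Equal(pred, nextOut) {
			return g, &cand, true // cand now equals the victim's state
		}
	}
	return 0, nil, false
}

// demo runs victim and attacker. Seed and timestamp are constructed constants;
// the 2^17 window models the attacker's coarse knowledge of the time. Returns
// the recovered timestamp and whether the victim's third output (standing in
// for the ECDSA nonce) was predicted correctly.
func demo() (uint32, bool) {
	victim := &ctrState{}
	copy(victim.K[:], "constructed seed") // 16 bytes
	copy(victim.V[:], "constructed ctrV") // 16 bytes
	const secretTS = 74565                 // unknown to the attacker
	out1, leakedK := ctrGenerate(victim, mkAddin(secretTS, 1), 2) // e.g. PKCS#1 padding
	out2, _ := ctrGenerate(victim, mkAddin(secretTS, 2), 1)       // observed later
	out3, _ := ctrGenerate(victim, mkAddin(secretTS, 3), 1)       // e.g. ECDSA nonce

	V := recoverCounter(leakedK, out1)
	ts, attacker, ok := bruteForceAddin(leakedK, V, 1, out2, 1<<17)
	if !ok {
		return 0, false
	}
	pred, _ := ctrGenerate(attacker, mkAddin(ts, 3), 1)
	return ts, bytes.Equal(pred, out3)
}

func main() {
	ts, hit := demo()
	fmt.Printf("recovered timestamp %d, next output predicted: %v\n", ts, hit)
}
```

Run it with go run; the brute force finishes in well under a second, and the attacker ends with a copy of the victim's state that predicts every later output for as long as the additional input stays guessable. With 2^21 to 2^32 candidates, as in the results table, the loop is the same, only longer; with no additional input at all it is unnecessary.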

SLIDE 20-22

Is a side-channel attack on CTR DRBG realistic?

Condition #1: Are CTR DRBG implementations vulnerable to side-channel attacks?

"T-table" AES has been a canonical target for cache attacks for 15 years. Most crypto libraries now use AES-NI by default... but not for AES when used in CTR DRBG.

Vulnerable T-table AES CTR DRBG implementations:
◮ OpenSSL 1.0.2 FIPS module
◮ NetBSD kernel systemwide PRG
◮ FortiOS v5
◮ mbedTLS-SGX
◮ nist rng library

SLIDE 23

FIPS Requirements

"Cryptographic modules may be susceptible to other attacks for which testable security requirements were not available at the time this version of the standard was issued (e.g., power analysis, timing analysis, and/or fault induction) or the attacks were outside of the scope of the standard (e.g., TEMPEST)"
– Mitigation of Other Attacks (FIPS 140-2)

SLIDE 24-26

Is a side-channel attack on CTR DRBG realistic?

Condition #2: Discover an attack scenario that produces enough output.

Is this a problem in real-world protocols like TLS?
Scenario: Attacker compromises the PRG state during protocol execution, then uses it to compromise cryptographic secrets.
Empirically, cache attacks require around 2000 bytes of AES output to recover the key.
Juniper and DUHK used nonces for state compromise, but these are too short for a cache attack.

SLIDE 27-33

Finding long PRG outputs in the TLS handshake

Brainstorming sources of additional PRG output in the TLS handshake:
◮ RSA-PSS padding? ✗
  • Randomized signature padding
  • RFC 8446 restricts the PSS salt length for TLS 1.2, so not enough output
◮ ExtendedRandom? ✗
  • Non-standard IETF proposal to permit clients to request up to 2^16 bytes of randomness from the server
  • No known functional implementations
◮ PKCS#1 v1.5 in RSA key exchange? Maybe.
  • Target the client key exchange using RSA cipher suites
  • If a malicious server uses a 16534-bit RSA modulus, the client generates 1996 padding bytes.

SLIDE 34-38

Attack Scenario
◮ Attacker co-located with a victim TLS client using CTR DRBG
◮ Client connects to a malicious TLS server with an ≈ 16K-bit RSA modulus
◮ Server requires an RSA cipher suite and mutual authentication
◮ Client authenticates with an ECDSA signature

Obscure attack scenario, but it instantiates the theoretical weakness.

SLIDE 39

Attacking TLS 1.2 RSA key exchange with client auth

◮ Attacker recovers the PRG state from the RSA encryption padding.
◮ Attacker then derives the ECDSA nonce (and long-term key) from the PRG state.

Handshake shown on the slide (client on the left, malicious server on the right):
  client → server : client hello: client random, [supported cipher suites]
  server → client : server hello: server random, [RSA]; server cert = RSA pubkey k_16534
  client → server : client key exchange: RSAenc_k16534(pms)
  both sides      : KDF(pms, random) → k_mc, k_ms, k_e
  client → server : client cert: ECDSA pubkey, Sign(handshake)
  client → server : client finished: Auth_kmc(dialog)
  server → client : server finished: Auth_kms(dialog)
  client → server : Enc_ke(request)

SLIDE 40-42

Results: State Recovery
◮ Used a Flush+Reload attack on T-table AES
◮ Brute-forced the additional entropy
◮ From the ECDSA signature nonce, computed the victim's ECDSA private key.
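The last step of the attack, as an added Go example that is not the paper's code: once the ECDSA nonce k is predicted from the recovered PRG state, the signer's long-term key follows from a single signature. The signing routine is textbook ECDSA on P-256 with a caller-supplied nonce (Go's crypto/ecdsa chooses its own nonce, so it cannot show this); how the client maps PRG bytes to k is modelled as a plain reduction mod n, which is an assumption about the victim implementation, not what any particular library does. Key, message and PRG output are constructed constants, and crypto/ecdsa's own verifier is used to confirm that the textbook signature is well formed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var curve = elliptic.P256()

// hashToInt reduces SHA-256(msg) into Z_n, the scalar field of P-256.
func hashToInt(msg []byte) *big.Int {
	sum := sha256.Sum256(msg)
	return new(big.Int).Mod(new(big.Int).SetBytes(sum[:]), curve.Params().N)
}

// ecdsaSign is textbook ECDSA with a caller-chosen nonce k (deliberately not
// crypto/ecdsa's API, which picks k itself):
//   r = (k*G).x mod n,  s = k^-1 * (h + r*d) mod n
func ecdsaSign(d, k *big.Int, msg []byte) (r, s *big.Int) {
	n := curve.Params().N
	x, _ := curve.ScalarBaseMult(k.Bytes())
	r = new(big.Int).Mod(x, n)
	s = new(big.Int).Mul(r, d)
	s.Add(s, hashToInt(msg))
	s.Mul(s, new(big.Int).ModInverse(k, n))
	return r, s.Mod(s, n)
}

// recoverPrivateKey inverts the signing equation once k is known:
//   d = r^-1 * (s*k - h) mod n
// This is the slides' "from ECDSA signature nonce, computed private key" step.
func recoverPrivateKey(r, s, k *big.Int, msg []byte) *big.Int {
	n := curve.Params().N
	d := new(big.Int).Mul(s, k)
	d.Sub(d, hashToInt(msg))
	d.Mul(d, new(big.Int).ModInverse(r, n))
	return d.Mod(d, n)
}

// nonceFromPRG models the client turning (attacker-predicted) CTR DRBG output
// into the ECDSA nonce by reducing it mod n. Assumption: real clients differ in
// detail, but any deterministic mapping from PRG bytes to k has the same effect.
func nonceFromPRG(prgOut []byte) *big.Int {
	return new(big.Int).Mod(new(big.Int).SetBytes(prgOut), curve.Params().N)
}

// demo signs a constructed message under a constructed long-term key with a
// nonce derived from constructed PRG output, then checks two things: the
// signature verifies under crypto/ecdsa, and knowing k recovers d exactly.
func demo() (sigValid, keyRecovered bool) {
	n := curve.Params().N
	d := new(big.Int).Mod(new(big.Int).SetBytes([]byte("constructed long-term ECDSA key")), n)
	prg := sha256.Sum256([]byte("constructed: attacker-predicted CTR DRBG output"))
	k := nonceFromPRG(prg[:])
	msg := []byte("constructed TLS 1.2 CertificateVerify transcript")

	r, s := ecdsaSign(d, k, msg)
	px, py := curve.ScalarBaseMult(d.Bytes())
	pub := &ecdsa.PublicKey{Curve: curve, X: px, Y: py}
	h := sha256.Sum256(msg)
	sigValid = ecdsa.Verify(pub, h[:], r, s)
	keyRecovered = recoverPrivateKey(r, s, k, msg).Cmp(d) == 0
	return sigValid, keyRecovered
}

func main() {
	v, rec := demo()
	fmt.Printf("signature valid: %v, private key recovered from nonce: %v\n", v, rec)
}
```

The recovery needs only r, s, the message hash and k; nothing about the curve point arithmetic is secret, which is why a predictable PRG output that feeds the nonce is equivalent to a leak of the long-term signing key.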

SLIDE 43-44

Attack Complexity

  Target        Entropy source       Theory   Actual   Time
  OpenSSL FIPS  time, PID, counter   2^24     2^21     30 min
  NetBSD        rdtsc                2^32     2^21     30 min
  FortiOS       none                 N/A

Bonus attack: Victim runs inside SGX. A malicious OS can single-step the victim and perform a high-resolution cache attack.
◮ Requires only two encryption blocks for state recovery
◮ Attack performed blind. No output needed!

SLIDE 45-51

Lessons
◮ Random number generators can be side-channeled too.
◮ We don't always learn the lessons we think we've learned
  • Don't use T-table AES anywhere
  • Entropy, entropy, entropy
◮ CTR DRBG is not provably secure.
◮ FIPS 140-3 updates the threat model (effective Sept 2019)
◮ Use Hash DRBG (HMAC DRBG also has problems! See Woodage and Shumow.)

SLIDE 52

Pseudorandom Black Swans

Cache Attacks on CTR DRBG