pseudorandom black swans
play

Pseudorandom Black Swans Cache Attacks on CTR DRBG Shaanan Cohney 1 - PowerPoint PPT Presentation

Jan 15, 2023 •190 likes •727 views

Pseudorandom Black Swans Cache Attacks on CTR DRBG Shaanan Cohney 1 , Andrew Kwong 2 , Shahar Paz 3 , Daniel Genkin 2 , Nadia Heninger 4 , Eyal Ronen 5 , Yuval Yarom 6 1 University of Pennsylvania 2 University of Michigan 3 Tel Aviv University 4

  1. Pseudorandom Black Swans Cache Attacks on CTR DRBG Shaanan Cohney 1 , Andrew Kwong 2 , Shahar Paz 3 , Daniel Genkin 2 , Nadia Heninger 4 , Eyal Ronen 5 , Yuval Yarom 6 1 University of Pennsylvania 2 University of Michigan 3 Tel Aviv University 4 University of California, San Diego , 5 Tel Aviv University and COSIC (KU Leuven) 6 University of Adelaide and Data61

  2. Lesson Learned (the hard way) Plenty of real-world, random number generation disasters: 1 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  3. Lesson Learned (the hard way) Plenty of real-world, random number generation disasters: ◮ Dual EC Backdoor 1 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  4. Lesson Learned (the hard way) Plenty of real-world, random number generation disasters: ◮ Dual EC Backdoor ◮ Juniper Dual EC Incident (RWC 2016) 1 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  5. Lesson Learned (the hard way) Plenty of real-world, random number generation disasters: ◮ Dual EC Backdoor ◮ Juniper Dual EC Incident (RWC 2016) ◮ DUHK Attack on ANSI X9.31 1 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  6. Standardized Designs NIST SP 800-90 series lists approved designs: 2 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  7. Standardized Designs NIST SP 800-90 series lists approved designs: ◮ Dual EC (deprecated in disgrace) ◮ HMAC DRBG ◮ HASH DRBG ◮ CTR DRBG 2 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  8. Standardized Designs NIST SP 800-90 series lists approved designs: ◮ Dual EC (deprecated in disgrace) ◮ HMAC DRBG ◮ HASH DRBG ◮ CTR DRBG Limited formal analysis until Woodage and Shumow (RWC 2018) 2 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  9. CTR DRBG ◮ Highly popular (67.8% of FIPS certifications), integrated into libraries, OSes, CPUs 3 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  10. CTR DRBG ◮ Highly popular (67.8% of FIPS certifications), integrated into libraries, OSes, CPUs ◮ Design: • State consists of key K and counter V 3 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  11. CTR DRBG ◮ Highly popular (67.8% of FIPS certifications), integrated into libraries, OSes, CPUs ◮ Design: • State consists of key K and counter V • Encrypts incrementing counter to generate output 3 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  12. CTR DRBG ◮ Highly popular (67.8% of FIPS certifications), integrated into libraries, OSes, CPUs ◮ Design: • State consists of key K and counter V • Encrypts incrementing counter to generate output • Optional user-provided additional entropy 3 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  13. CTR DRBG: Generate Function K , counter + 1, addin Three Stage Process: 1. Advance State & Add Entropy AES K , counter 4 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  14. CTR DRBG: Generate Function K , counter + 1 Three Stage Process: 1. Advance State & Add Entropy AES 2. Produce Output output 4 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  15. CTR DRBG: Generate Function K , counter + 1, addin Three Stage Process: 1. Advance State & Add Entropy AES 2. Produce Output 3. Advance State & Add Entropy K , counter 4 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  16. Key Rotation Flaw [WS19][CWPG+19] Problem 1: Key is not rotated until after encryptions are done–not safe against key compromise! Problem 2: Additional entropy is optional and implementer chosen. 5 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  17. Problem 1: Key Not Rotated Often Enough K , counter + 1 Attacker may be able to compromise K using a side channel attack An attacker then decrypts PRG output to AES learn state: D K ( output ) = counter + 1 output 6 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  18. Problem 2: Lack of Entropy K , counter + 1, addin Once attacker has ( K , counter ), guesses AES addin and calculates updated state K , counter 7 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  19. Problem 2: Lack of Entropy K , counter + 1, addin Once attacker has ( K , counter ), guesses addin and calculates updated state AES If addin is used at all! K , counter 7 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  20. Is a side-channel attack on CTR DRBG realistic? Condition #1: Are CTR DRBG implementations vulnerable to side-channel attacks? “T-table” AES has been a canonical target for cache attacks for 15 years. Most crypto libraries now use AES-NI by default. 8 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  21. Is a side-channel attack on CTR DRBG realistic? Condition #1: Are CTR DRBG implementations vulnerable to side-channel attacks? “T-table” AES has been a canonical target for cache attacks for 15 years. Most crypto libraries now use AES-NI by default. ... but not for AES when used in CTR DRBG. 8 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  22. Is a side-channel attack on CTR DRBG realistic? Condition #1: Are CTR DRBG implementations vulnerable to side-channel attacks? “T-table” AES has been a canonical target for cache attacks for 15 years. Most crypto libraries now use AES-NI by default. ... but not for AES when used in CTR DRBG. Vulnerable T-table AES CTR DRBG implementations: ◮ OpenSSL 1.0.2 FIPS module ◮ NetBSD kernel systemwide PRG ◮ FortiOSv5 ◮ mbedTLS-SGX ◮ nist rng library 8 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  23. FIPS Requirements “Cryptographic modules may be susceptible to other attacks for which testable security requirements were not available at the time this version of the standard was issued (e.g., power analysis, timing analysis, and/or fault induction) or the attacks were outside of the scope of the standard (e.g., TEMPEST)” – Mitigation of Other Attacks (FIPS 140-2) 9 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  24. Is a side-channel attack on CTR DRBG realistic? Condition #2: Discover an attack scenario that produces enough output. Is this a problem in real world protocols like TLS? Scenario: Attacker compromises PRG state during protocol execution, uses it to compromise cryptographic secrets 10 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  25. Is a side-channel attack on CTR DRBG realistic? Condition #2: Discover an attack scenario that produces enough output. Is this a problem in real world protocols like TLS? Scenario: Attacker compromises PRG state during protocol execution, uses it to compromise cryptographic secrets Empirically, cache attacks require around 2000 bytes of AES output to recover key. 10 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  26. Is a side-channel attack on CTR DRBG realistic? Condition #2: Discover an attack scenario that produces enough output. Is this a problem in real world protocols like TLS? Scenario: Attacker compromises PRG state during protocol execution, uses it to compromise cryptographic secrets Empirically, cache attacks require around 2000 bytes of AES output to recover key. Juniper and DUHK used nonces for state compromise, but these are too short for a cache attack. 10 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  27. Finding long PRG outputs in TLS handshake Brainstorming sources of additional PRG output in TLS handshake: 11 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  28. Finding long PRG outputs in TLS handshake Brainstorming sources of additional PRG output in TLS handshake: ◮ RSA-PSS padding? 11 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  29. Finding long PRG outputs in TLS handshake Brainstorming sources of additional PRG output in TLS handshake: ◮ RSA-PSS padding? ✗ • Randomized signature padding • RFC 8446 restricts PSS salt length for TLS 1.2, so not enough output 11 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  30. Finding long PRG outputs in TLS handshake Brainstorming sources of additional PRG output in TLS handshake: ◮ RSA-PSS padding? ✗ • Randomized signature padding • RFC 8446 restricts PSS salt length for TLS 1.2, so not enough output ◮ ExtendedRandom? 11 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

  31. Finding long PRG outputs in TLS handshake Brainstorming sources of additional PRG output in TLS handshake: ◮ RSA-PSS padding? ✗ • Randomized signature padding • RFC 8446 restricts PSS salt length for TLS 1.2, so not enough output ◮ ExtendedRandom? ✗ • Non-standard IETF proposal to permit clients to request up to 216 bytes of randomness from server • No known functional implementations 11 Pseudorandom Black Swans Cohney, Kwong, Paz, Genkin, Heninger, Ronen, Yarom

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A taxonomy of black swans What is a Black Swan? Outlier event Hard to predict

A taxonomy of black swans What is a Black Swan? Outlier event Hard to predict

What breaks our systems: A taxonomy of black swans What is a Black Swan? Outlier event Hard to predict Severe in impact Every black swan is unique But there are patterns, and sometimes we can use those to create defences

802 views • 53 slides
VR-6: Reserve Risk Models, White, Grey and Black Swans

VR-6: Reserve Risk Models, White, Grey and Black Swans

VR-6: Reserve Risk Models, White, Grey and Black Swans Antitrust Notice The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the antitrust laws. Seminars

551 views • 28 slides
Longevity black swans: Looking beyond past trends to what potential disruptive developments in

Longevity black swans: Looking beyond past trends to what potential disruptive developments in

LONGEVITY 13 Taipei, Taiwan Taipei, Taiwan September 2017 Longevity black swans: Looking beyond past trends to what potential disruptive developments in medicine, healthcare, technology and lifestyle may mean for life expectancy Guy Coughlan

1.04k views • 44 slides
Longevity Black Swans 112 188 31 148 205 87 183 Guy Coughlan , Chief Risk Officer,

Longevity Black Swans 112 188 31 148 205 87 183 Guy Coughlan , Chief Risk Officer,

60 0 141 109 64 170 157 127 198 206 Welcome! 191 226 23 131 @ClubVita 189 81 162 #longevityblackswans 206 139 193 222 197 224 238 Longevity Black Swans 112 188 31 148 205 87 183 Guy Coughlan , Chief Risk Officer,

766 views • 42 slides
Hunting Black Swans Dr Luke Kemp Centre for the Study of Existential Risk We suck at prediction.

Hunting Black Swans Dr Luke Kemp Centre for the Study of Existential Risk We suck at prediction.

Hunting Black Swans Dr Luke Kemp Centre for the Study of Existential Risk We suck at prediction. We suck at thinking systemically. We can suck less in the future. Predicting Doomsday is Hard Statistical Methods Expertise is not a Panacea

562 views • 8 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Dawes Reunion 2014 Healdsburg CA 1 Dawes Coat of Arms Silver: three gold swans on a blue

Dawes Reunion 2014 Healdsburg CA 1 Dawes Coat of Arms Silver: three gold swans on a blue

Dawes Reunion 2014 Healdsburg CA 1 Dawes Coat of Arms Silver: three gold swans on a blue diagonal bend between two narrow red diagonal bends, accompanied by six black battle axes. Above the shield and helmet is the crest which is

643 views • 61 slides
Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
Pseudorandom Algorithms Derek Soeder Christopher Abad Gabriel Acevedo

Pseudorandom Algorithms Derek Soeder Christopher Abad Gabriel Acevedo

Black-Box Assessment of Pseudorandom Algorithms Derek Soeder Christopher Abad Gabriel Acevedo dsoeder@cylance.com cabad@cylance.com gacevedo@cylance.com Agenda About PRNGs PRNGs by Example Attack Methodology

574 views • 29 slides
On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien Dupin - Pierrick Maux - Mlissa Rossi - Yann Rotella ASIACRYPT 2018/12/04 1 1 Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

795 views • 64 slides
Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money Theorems and Quantum Money Zhengfeng Ji (UTS:QSI) QCrypt 2018, Shanghai 1 . 1 A Joint Work With A Joint Work With Yi-Kai Liu Fang Song (NIST and

257 views • 24 slides
An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelgue Pseudorandom functions [GGM86] - efficiently computable function : -

1.01k views • 56 slides
1 2 3 4 5 6 7 Why do we anticipate? a lot of ideas and prejudice that have been accumulated

1 2 3 4 5 6 7 Why do we anticipate? a lot of ideas and prejudice that have been accumulated

1 2 3 4 5 6 7 Why do we anticipate? a lot of ideas and prejudice that have been accumulated over time: it is new, it is impossible, guess what we cannot predict the future, the unknown unknowns, there are black swans (i.e. unforeseeable

607 views • 25 slides
Mytholo logy of AI Chry rysta tal Ball lls, Genie ies and Deit itie ies Victor Alexiev

Mytholo logy of AI Chry rysta tal Ball lls, Genie ies and Deit itie ies Victor Alexiev

B e t t e r F u t u r e s , T o g e t h e r Mytholo logy of AI Chry rysta tal Ball lls, Genie ies and Deit itie ies Victor Alexiev Black Swans and Black Elephants +65 9815 1543 victor@innovator.sg iRAHSs, 18 July 2017 What is is AI

884 views • 73 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Lecture 1 Capacity of the Gaussian Channel Basic concepts in information theory: Appendix B

Lecture 1 Capacity of the Gaussian Channel Basic concepts in information theory: Appendix B

Lecture 1 Capacity of the Gaussian Channel Basic concepts in information theory: Appendix B Capacity of the Gaussian channel: Appendix B, Ch. 5.13 Mikael Skoglund, Theoretical Foundations of Wireless 1/23 Entropy and Mutual

307 views • 12 slides
The entanglement entropy and its universal behaviour in one dimension Benjamin Doyon Department

The entanglement entropy and its universal behaviour in one dimension Benjamin Doyon Department

The entanglement entropy and its universal behaviour in one dimension Benjamin Doyon Department of mathematical sciences, Durham University, UK Florence, September 2008 Entanglement in quantum mechanics Entanglement occurs when a

282 views • 26 slides
dra$-akiya-mpls-entropy-lsp-ping IETF 88, Vancouver,

dra$-akiya-mpls-entropy-lsp-ping IETF 88, Vancouver,

dra$-akiya-mpls-entropy-lsp-ping IETF 88, Vancouver, Canada Nobo Akiya George Swallow Carlos Pignataro Nagendra Kumar Background RFC4379

480 views • 10 slides
Noisy Channel Coding: Correlated Random Variables & Communication over a Noisy Channel Toni

Noisy Channel Coding: Correlated Random Variables & Communication over a Noisy Channel Toni

Noisy Channel Coding: Correlated Random Variables & Communication over a Noisy Channel Toni Hirvonen Helsinki University of Technology Laboratory of Acoustics and Audio Signal Processing Toni.Hirvonen@hut.fi T-61.182 Special Course in

242 views • 20 slides
Logistic Regression CMSC 678 UMBC Recap from last time Central Question: How Well Are We

Logistic Regression CMSC 678 UMBC Recap from last time Central Question: How Well Are We

Maximum Entropy Models/ Logistic Regression CMSC 678 UMBC Recap from last time Central Question: How Well Are We Doing? Precision, This does Recall, F1 Accuracy not have to Log-loss be the same Classification

930 views • 68 slides
Outline Morning program Preliminaries Text matching I Text matching II Afternoon program

Outline Morning program Preliminaries Text matching I Text matching II Afternoon program

Outline Morning program Preliminaries Text matching I Text matching II Afternoon program Learning to rank Modeling user behavior Generating responses Wrap up 116 Outline Morning program Preliminaries Text matching I Text matching II

572 views • 34 slides
Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

256 views • 23 slides
On the roles of energy and entropy in thermodynamics by Ingo Mller & Wolf Weiss TU Berlin

On the roles of energy and entropy in thermodynamics by Ingo Mller & Wolf Weiss TU Berlin

On the roles of energy and entropy in thermodynamics by Ingo Mller & Wolf Weiss TU Berlin T q J.B. Fourier i x i v v t 2 i l ij ij x x j l G.

325 views • 13 slides

More recommend