Random Data and Key Generation Evaluation of Some Commercial Tokens and Smart Cards Ahmad Boorghany, Siavash Bayat Sarmadi, Parnian Yousefi, Pouneh Gorji, Rasool Jalili Data & Network Security Lab


SLIDE 1

Random and Key Generation Evaluation of Tokens and Smart Cards, Boorghany et al., ISCISC 2014

In the name of God, the Most Gracious, the Most Merciful

Random Data and Key Generation Evaluation of Some Commercial Tokens and Smart Cards

Ahmad Boorghany, Siavash Bayat Sarmadi, Parnian Yousefi, Pouneh Gorji, Rasool Jalili

Data & Network Security Lab (DNSL), Computer Engineering Dept., Sharif Univ. of Technology

ISCISC’14, September 3, 2014

SLIDE 2

Outline

• Background
  • Randomness Failures in Cryptography
  • Common Prime Attack on RSA Keys
• Our Experiments
  • Idea
  • Methodology and Tools
• Evaluation Results
  • Randomness Evaluation
  • RSA Key Evaluation
• Conclusion and Future Works

SLIDE 3

Background

SLIDE 4

Randomness in Cryptography

• Crucial for CPA security [GM84]
  • CPA is a weak security notion (compared with CCA or CCA2)
• Some stories:
  • Debian’s OpenSSL Bug [YRS+09]
    • RNG output domain < 65536
    • For two years: 2006~2008
    • 2012: still 57000 vulnerable HTTPS/SSH servers on the Internet [HDWH12]
  • Android’s RNG Bug [MMS13]
    • Successful thefts from Bitcoin users [But13]

SLIDE 5

Common Prime Attack on RSA Keys

• RSA cryptosystem:
  • Depends on the factoring problem
  • $O = q \times r$
  • $q$ and $r$ are large random primes
  • 512 bits each in RSA-1024
• Common prime factor?
  • If the RNG is good, probability $< 2^{-500}$
  • If $O_1 = q \times r_1$ and $O_2 = q \times r_2$:
    • $q = \mathrm{GCD}(O_1, O_2)$ → done efficiently
    • $r_1 = O_1 / q$, $r_2 = O_2 / q$

[Diagram: GCD takes $O_1$ and $O_2$ as input and outputs $q$]

SLIDE 6

Common Prime Attack on RSA Keys

• Heninger et al. [HDWH12] in USENIX Sec 2012
• Crawled the Internet looking for common factors
  • Live hosts: 23,044,976
  • Vulnerable ones: 66,540 (≅ 3 in 1000)
• Almost all failures: on embedded/constrained devices
  • Lack of good entropy sources

SLIDE 7

Common Prime Attack on RSA Keys

• Bernstein et al. [BCC+13] in Asiacrypt 2013
• Tested Taiwanese DB of certificates
  • Personal smart cards
  • More than 3,000,000 RSA public keys

SLIDE 8

Common Prime Attack on RSA Keys

• 105 moduli factored easily by pair-wise GCD
• The most popular modulus (46 occurrences):
  c0000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000002f9
• Why? Maybe randomness failures.

SLIDE 9

Our Experiments

SLIDE 10

The Idea

• Evaluate hardware security modules in the market
  • Tokens
  • Smart Cards
• So, what to do?
  • Generate RSA keys, and compute pair-wise GCDs
  • Generate random streams, and evaluate them in advance

SLIDE 11

How to talk to these devices?

• PKCS#11:
  • C_GenerateRandom
  • C_GenerateKeyPair
• Java Card:
  • [Code figure: Command 1; Import JavaCard. … public class TestCard { …]

SLIDE 12

Methodology

• Targeted Tokens and Smart Cards:
  • Token 1 : PKCS#11
  • Token 2 : PKCS#11
  • Token 3 : PKCS#11
  • Token 4 : PKCS#11
  • Token 5 : PKCS#11
  • Smart Card 1 : PKCS#11
  • Smart Card 2 : Java Card
  • Smart Card 3 : Java Card
• Sorry, but no names

SLIDE 13

Methodology

• For each hardware:
  • 10,000,000-bit stream generated
  • Its randomness evaluated using NIST’s Statistical Test Suite (STS)
  • 161 instances from 15 distinct tests
    • Frequency Test
    • Runs Test
    • Serial Test
    • Overlapping/Non-overlapping Template Test
    • etc.
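The first two tests named on this slide, as an added example that is not part of the original presentation: a minimal Python version of the frequency (monobit) and runs tests following NIST SP 800-22, with the 0.01 significance level that document uses. The function names and the constructed sample stream are assumptions made for illustration; a real evaluation would feed in the bytes returned by the device and run the full suite.

```python
import math

ALPHA = 0.01  # significance level used in NIST SP 800-22


def bits_from_bytes(data):
    """Expand raw RNG output (e.g. bytes read from a token) into bits, MSB first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def frequency_test(bits):
    """SP 800-22 section 2.1: P-value of the frequency (monobit) test."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)        # map 0/1 to -1/+1 and sum
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """SP 800-22 section 2.3: P-value of the runs test."""
    n = len(bits)
    pi = sum(bits) / n                        # proportion of ones
    # Prerequisite: the stream must first be roughly balanced.
    if pi in (0.0, 1.0) or abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def evaluate(bits):
    """Return {test name: (P-value, passed)} for both tests."""
    results = {"frequency": frequency_test(bits), "runs": runs_test(bits)}
    return {name: (p, p >= ALPHA) for name, p in results.items()}


# Constructed sample: a perfectly alternating 1000-bit stream (1010...).
ALTERNATING = bits_from_bytes(b"\xaa" * 125)

if __name__ == "__main__":
    for name, (p, ok) in evaluate(ALTERNATING).items():
        print(f"{name:9s} P-value={p:.6f} {'pass' if ok else 'FAIL'}")
```

The alternating stream is perfectly balanced, so it passes the frequency test and is only caught by the runs test, which is why the suite applies many tests to the same stream.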

SLIDE 14

Methodology

• For each hardware:
  • 200 RSA key-pairs generated
    • 1024-bit and 2048-bit
  • Pair-wise GCDs computed:
    • With each other
    • With the database of MOCCA
      • 25000 certificates
    • With the database of Heninger et al.’s crawling
      • Using factorable.net

SLIDE 15

Evaluation Results

SLIDE 16

Randomness Evaluation

• Simple frequency diagram

SLIDE 17

Randomness Evaluation – STS Results

SLIDE 18

RSA Key Evaluation

• Token 5: very small prime factors: 3, 5, 7, … .
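The two key checks used in the methodology and results slides (pair-wise GCD between generated moduli, and the very small prime factors reported for Token 5), as an added example that is not code from the presentation. The function names, the trial-division bound and the toy moduli built from Mersenne primes are assumptions for illustration; real input would be the public moduli exported from the devices under test.

```python
from itertools import combinations
from math import gcd


def small_factor(n, bound=10_000):
    """Return the smallest factor of n below bound (necessarily prime), or None."""
    for d in range(2, bound):
        if d != n and n % d == 0:
            return d
    return None


def shared_factors(moduli):
    """Pair-wise GCD over {label: modulus}; returns {(label_a, label_b): factor}."""
    hits = {}
    for (a, n_a), (b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g > 1:                      # a common prime (or an identical modulus)
            hits[(a, b)] = g
    return hits


def audit(moduli):
    """Map each weak key's label to the sorted factors exposed by either check."""
    exposed = {label: set() for label in moduli}
    for label, n in moduli.items():
        f = small_factor(n)
        if f is not None:
            exposed[label].add(f)
    for (a, b), g in shared_factors(moduli).items():
        exposed[a].add(g)
        exposed[b].add(g)
    return {label: sorted(fs) for label, fs in exposed.items() if fs}


def mersenne(k):
    """2**k - 1; prime for the exponents used below."""
    return 2**k - 1


# Constructed toy moduli, far smaller than real RSA keys.
SAMPLE = {
    "key-a": mersenne(61) * mersenne(89),
    "key-b": mersenne(61) * mersenne(107),     # shares a prime with key-a
    "key-c": mersenne(127) * mersenne(31),     # no weakness found
    "key-d": 3 * mersenne(17) * mersenne(19),  # small prime factor
}

if __name__ == "__main__":
    for label, factors in audit(SAMPLE).items():
        cofactors = [SAMPLE[label] // f for f in factors]
        print(label, "factors:", factors, "cofactors:", cofactors)
```

Plain pair-wise GCD is quadratic in the number of keys, which is fine for 200 keys per device; internet-scale scans such as Heninger et al.'s use a batch GCD built on product and remainder trees instead.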

SLIDE 19

Conclusion and Future Works

• Evaluation is a must!
• Better evaluation methods required
• Note: only simple vulnerabilities can be found by statistical testing
• Other schemes: ECDSA, etc.

SLIDE 20

Thanks for your attention

Questions?

SLIDE 21

References

[GM84] S. Goldwasser, S. Micali, “Probabilistic encryption,” J. Computer and System Sciences, vol. 28, no. 2, pp. 270-299, 1984.

[YRS+09] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public: results from the 2008 Debian OpenSSL vulnerability,” In Proc. 9th ACM SIGCOMM Conf., 2009, pp. 15-27.

[HDWH12] N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman, “Mining your Ps and Qs: Detection of widespread weak keys in network devices,” In Proc. 21st USENIX Security Symp., 2012, pp. 205-220.

[MMS13] K. Michaelis, C. Meyer, and J. Schwenk, “Randomly failed! The state of randomness in current Java implementations,” In Proc. Topics in Cryptology–CT-RSA, 2013, pp. 129-144.

SLIDE 22

References

[But13] V. Buterin. (2013, August 11). Critical Vulnerability Found In Android Wallets [Online]. Available: http://bitcoinmagazine.com/6251/critical-vulnerability-found-in-android-wallets/

[BCC+13] D. J. Bernstein et al., “Factoring RSA keys from certified smart cards: Coppersmith in the wild,” In Proc. 19th Advances in Cryptology-ASIACRYPT, 2013, pp. 341-360.