میحرلا نمحرلا للوا مسب Random Data and Key Generation Evaluation of Some Commercial Tokens and Smart Cards Ahmad Boorghany, Siavash Bayat Sarmadi, Parnian Yousefi, Pouneh Gorji, Rasool Jalili Data & Network Security Lab (DNSL) Computer Engineering Dept., Sharif Univ. of Technology ISCISC’ 14 September 3, 2014 Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014
Background Our Experiments Eval. Results Outline Background o Randomness Failures in Cryptography o Common Prime Attack on RSA Keys Our Experiments o Idea o Methodology and Tools Evaluation Results o Randomness Evaluation o RSA Key Evaluation Conclusion and Future Works Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 2 / 20
Background Background Our Experiments Our Experiments Eval. Results Eval. Results Background Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 3 / 20
Background Background Our Experiments Eval. Results Randomness in Cryptography Crucial for CPA security [GM84] o CPA is a weak security notion (respecting CCA or CCA2) Some stories: Debian’s Openssl Bug [YRS+09] RNG output domain < 65536 For two years: 2006~2008 2012: still 57000 vulnerable HTTPS/SSH servers on the Internet [HDWH12] Android’s RNG Bug [MMS 13] Successful thefts from Bitcoin users [But13] Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 4 / 20
Background Background Our Experiments Eval. Results Common Prime Attack on RSA Keys RSA Cryptosystem: Depends on the factoring problem 𝑂 = 𝑞 × 𝑟 𝑞 and 𝑟 are large random primes 512 bits each in RSA-1024 Common Prime Factor? 𝑂 1 𝑂 2 If the RNG is good, probability < 2 −500 If 𝑂 1 = 𝑞 × 𝑟 1 and 𝑂 2 = 𝑞 × 𝑟 2 : GCD 𝑞 = GCD 𝑂 1 , 𝑂 2 → Done efficiently 𝑟 1 = 𝑂 1 /𝑞 , 𝑟 2 = 𝑂 2 /𝑞 𝑞 Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 5 / 20
Background Background Our Experiments Eval. Results Common Prime Attack on RSA Keys Heninger et al. [HDWH12] in USENIX Sec 2012 Crawled the Internet looking for common factors o Live hosts: 23,044,976 o Vulnerable ones: 66,540 ( ≅ 3 in 1000) Almost all failures: on embedded/constrained devices o Lack of good entropy sources Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 6 / 20
Background Background Our Experiments Eval. Results Common Prime Attack on RSA Keys Bernstein et al. [BCC+13] in Asiacrypt 2013 Tested Taiwanese DB of certificates Personal smart cards More than 3,000,000 RSA public keys Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 7 / 20
Background Background Our Experiments Eval. Results Common Prime Attack on RSA Keys 105 moduli factored easily by pair-wise GCD The most popular modulus (46 occurrences): c0000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000002f9 Why? Maybe randomness failures. Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 8 / 20
Background Our Experiments Our Experiments Eval. Results Our Experiments Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 9 / 20
Background Our Experiments Our Experiments Eval. Results The Idea Evaluate hardware security modules in the market o Tokens o Smart Cards So, what to do? o Generate RSA Keys, and compute pair-wise GCDs o Generate random streams, and evaluate them in advance Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 10 / 20
Background Our Experiments Our Experiments Eval. Results How to talk to these devices? PKCS#11 C_GenerateRandom C_GenerateKeyPair Java Card: Command 1 Import JavaCard . … public class TestCard { … Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 11 / 20
Background Our Experiments Our Experiments Eval. Results Methodology Targeted Tokens and Smart Cards: o Token 1 : PKCS#11 o Token 2 : PKCS#11 o Token 3 : PKCS#11 o Token 4 : PKCS#11 o Token 5 : PKCS#11 o Smart Card 1 : PKCS#11 o Smart Card 2 : Java Card o Smart Card 3 : Java Card Sorry, but no names Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 12 / 20
Background Our Experiments Our Experiments Eval. Results Methodology For each hardware: 10.000.000-bit stream generated Its randomness evaluated using NIST’s Statistical Test Suit (STS) 161 instances from 15 distinct tests o Frequency Test o Runs Test o Serial Test o Overlapping/Non-overlapping Template Test o etc. Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 13 / 20
Background Our Experiments Our Experiments Eval. Results Methodology For each hardware: 200 RSA key-pairs generated o 1024-bit and 2048-bit Pair-wise GCDs computed: o With each other o With the database of MOCCA - 25000 certificates o With the database of Heninger et al.’s crawling - Using factorable.net Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 14 / 20
Background Our Experiments Eval. Results Eval. Results Evaluation Results Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 15 / 20
Background Our Experiments Eval. Results Eval. Results Randomness Evaluation Simple frequency diagram Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 16 / 20
Background Our Experiments Eval. Results Eval. Results Randomness Evaluation – STS Results Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 17 / 20
Background Our Experiments Eval. Results Eval. Results RSA Key Evaluation Token 5: very small prime factors: 3, 5, 7 , … . Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 18 / 20
Background Our Experiments Eval. Results Conclusion and Future Works Evaluation is a must! Better evaluation methods required Note: only simple vulnerabilities can be found by statistical testing Other schemes: ECDSA, etc. Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 19 / 20
Background Our Experiments Eval. Results Thanks for your attention Questions? Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 20 / 20
Background Our Experiments Eval. Results References [GM84] S. Goldwasser, S. Micali , “Probabilistic encryption,” J. Computer and System Sciences , vol. 28, no. 2, pp. 270-299, 1984. [YRS+09] S. Yilek, E. Rescorla, H. Shacham , B. Enright, and S. Savage, “When private keys are public: results from the 2008 Debian OpenSSL vulnerability," In Proc. 9th ACM SIGCOMM Conf. , 2009, pp. 15-27. [HDWH12] N. Heninger, Z. Durumeric., E. Wustrow, and J. A. Halderman, “ Mining your Ps and Qs: Detection of widespread weak keys in network devices,” In Proc. 21st USENIX Security Symp. , 2012, pp. 205-220. [MMS13] K. Michaelis, C. Meyer, and J. Schwenk , “Randomly failed! The state of randomness in current Java implementations.” In Proc. Topics in Cryptology – CT-RSA , 2013, pp. 129-144. Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 21 / 20
Background Our Experiments Eval. Results References [But13] V. Buterin. (2013, August 11). Critical Vulnerability Found In Android Wallets [Online]. Available: http://bitcoinmagazine.com/6251/critical-vulnerability-found-in- android-wallets/ [BCC+13] D. J. Bernstein et al., “Factoring RSA keys from certified smart cards: Coppersmith in the wild,” In Proc. 19th Advances in Cryptology- ASIACRYPT , 2013, pp. 341-360. Boorghany et al. Random and Key Generation Evaluation of Tokens and Smart Cards ISCISC 2014 22 / 20
Recommend
More recommend
