TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk - - PowerPoint PPT Presentation

tpm fail
SMART_READER_LITE
LIVE PREVIEW

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk - - PowerPoint PPT Presentation

Jun 05, 2023 47 likes •438 views

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth Nadia Heninger 01/08/2020 Real World Crypto TPM 2 Trusted Platform Module (TPM) Software is Hackers? insecure. Bad Guys? Heartbleed? Rootkits?

slide-1
SLIDE 1

TPM-Fail

TPM meets Timing and Lattice Attacks

Daniel Moghimi

Berk Sunar Thomas Eisenbarth Nadia Heninger

01/08/2020 Real World Crypto

slide-2
SLIDE 2

TPM

2

slide-3
SLIDE 3

Trusted Platform Module (TPM)

Software is insecure. Heartbleed? Computers are just Evil?! Hackers? Bad Guys?

3

Rootkits? Ransomware?

slide-4
SLIDE 4

Trusted Platform Module (TPM)

Software is insecure. Heartbleed? Computers are just Evil?! Hackers? Bad Guys? Hardware-based Root of Trust?!

4

Rootkits? Ransomware?

slide-5
SLIDE 5

Trusted Platform Module (TPM)

  • Security Chip for Computers?
  • Tamper Resistant
  • Side-Channel Resistant
  • Crypto Co-processor

5

slide-6
SLIDE 6

Trusted Platform Module (TPM)

  • Security Chip for Computers?
  • Tamper Resistant
  • Side-Channel Resistant
  • Crypto Co-processor

Trusted Computing Base

6

slide-7
SLIDE 7

Trusted Platform Module (TPM)

  • Cryptographic Co-processor, specified by Trusted Computing Group
  • Secure Storage
  • Integrity Measurement
  • TRNG
  • Hash Functions
  • Encryption
  • Digital Signatures

7

slide-8
SLIDE 8

Trusted Computing Group

  • https://trustedcomputinggroup

.org/membership/certification/

  • https://trustedcomputinggroup

.org/membership/certification/ tpm-certified-products/

8

slide-9
SLIDE 9

TPM – Digital Signatures

  • Applications
  • Trusted Execution of Signing Operations
  • Remote Attestation
  • TPM 2.0 supports Elliptic-Curve Digital Signature
  • ECDSA
  • ECSchnorr
  • ECDAA (Anonymous Remote Attestation)

9

slide-10
SLIDE 10

Are TPMs really side-channel resistant?

10

slide-11
SLIDE 11

High-resolution Timing Test

  • TPM frequency ~= 32-120 MHz
  • CPU Frequency is more than 2 GHz

11

slide-12
SLIDE 12

High-resolution Timing Test – Intel PTT (fTPM)

  • Intel Platform Trust Technology (PTT)
  • Integrated firmware-TPM inside the CPU package
  • Runs on top of Converged Security and

Management Engine (CSME)

  • Standalone low power processor
  • Has been around since Haswell
  • Linux TPM Command Response Buffer (CRB)

driver

12 CPU PCH CSME

slide-13
SLIDE 13

High-resolution Timing Test – Intel PTT (fTPM)

  • Intel Platform Trust Technology (PTT)
  • Integrated firmware-TPM inside the CPU package
  • Runs on top of Converged Security and

Management Engine (CSME)

13 CPU PCH CSME

Histogram

slide-14
SLIDE 14

High-resolution Timing Test – Intel PTT (fTPM)

14 CPU PCH CSME

  • Kernel Driver to increase the Resolution
slide-15
SLIDE 15

High-resolution Timing Test - Analysis

  • RSA and ECDSA timing test on 3 dedicated TPM and Intel fTPM
  • Various non-constant behaviour for both RSA and ECDSA

15

slide-16
SLIDE 16

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

16

slide-17
SLIDE 17

17

slide-18
SLIDE 18

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce Length Leakage
  • ECDSA
  • ECSchnorr
  • BN-256(ECDAA)
  • STMicro TPM: Bit-by-Bit Nonce Length Leakage

18

slide-19
SLIDE 19

TPM-Fail – Recovering Private ECDSA Key

  • TPM is programmed with an unknown key
  • We already have a template for 𝑢𝑗.
  • 1. Collect list of signatures (𝑠

𝑗, 𝑡𝑗) and timing samples 𝑢𝑗.

  • 2. Filter signatures based on 𝑢𝑗 and keeps (𝑠

𝑗, 𝑡𝑗) with a known bias.

  • 3. Lattice-based attack to recover private key 𝑒, from signatures

with biased nonce 𝑙𝑗.

19

slide-20
SLIDE 20

Lattice and Hidden Number Problem

  • 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜

20

slide-21
SLIDE 21

Lattice and Hidden Number Problem

  • 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙−1 − 𝑡𝑗

−1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

21

slide-22
SLIDE 22

Lattice and Hidden Number Problem

  • 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙−1 − 𝑡𝑗

−1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

  • 𝐵𝑗 = −𝑡𝑗

−1𝑠 𝑗, 𝐶𝑗 = −𝑡𝑗 −1𝑨 → ki + Aid + Bi = 0

22

slide-23
SLIDE 23

Lattice and Hidden Number Problem

  • 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙−1 − 𝑡𝑗

−1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

  • 𝐵𝑗 = −𝑡𝑗

−1𝑠 𝑗, 𝐶𝑗 = −𝑡𝑗 −1𝑨 → ki + Aid + Bi = 0

  • Let 𝑌 be the upper bound on ki and (d, k0, k1 … , 𝑙𝑜) is unknown

23

[8] Dan Boneh and Ramarathnam Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

slide-24
SLIDE 24

Lattice and Hidden Number Problem

  • 𝑡 = 𝑙−1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙−1 − 𝑡𝑗

−1𝑠 𝑗𝑒 − 𝑡𝑗 −1𝑨 ≡ 0 𝑛𝑝𝑒 𝑜

  • 𝐵𝑗 = −𝑡𝑗

−1𝑠 𝑗, 𝐶𝑗 = −𝑡𝑗 −1𝑨 → ki + Aid + Bi = 0

  • Let 𝑌 be the upper bound on ki and (d, k0, k1 … , 𝑙𝑜) is unknown
  • Lattice Construction:

𝑜 𝑜 ⋱ 𝑜 𝐵1 𝐵2 … 𝐵𝑢

𝑌 𝑜

𝐶1 𝐶2 … 𝐶𝑢 𝑌

LLL/BKZ 24

slide-25
SLIDE 25

TPM-Fail – Key Recovery Results

  • Intel fTPM
  • ECDSA, ECSchnorr and BN-256 (ECDAA)
  • Three different threat model System, User, Network
  • STMicroelectronics TPM
  • CC EAL4+ Certified
  • Give you the key in 80 minutes

25

slide-26
SLIDE 26

26

slide-27
SLIDE 27

TPM-Fail Case Study: StrongSwan VPN

VPN Client VPN Server TPM Device

27

slide-28
SLIDE 28

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

28

slide-29
SLIDE 29

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 29

slide-30
SLIDE 30

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 30

slide-31
SLIDE 31

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑇𝑗𝑕𝑜𝑡𝑙𝑆, (𝑜𝑆, … ) ] 31

slide-32
SLIDE 32

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 32

slide-33
SLIDE 33

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝐽, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_𝐽𝑂𝐽𝑈

𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕𝑦, 𝑜𝑆, … ]

𝑡𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺ℎ(𝑕𝑦𝑧) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜𝑡𝑙𝐽, (𝑜𝑆, … ) ] 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓[ 𝑇𝑗𝑕𝑜𝑡𝑙𝑆, (𝑜𝑆, … ) ] 33

slide-34
SLIDE 34

TPM-Fail Case Study: StrongSwan VPN Key Recovery

  • Remote Key Recovery after about 44,000 handshake ~= 5 hours

34

slide-35
SLIDE 35

35

System Adversary User Adversary Remote Synthetical Remote StrongSwan VPN

slide-36
SLIDE 36

Coordinated Disclosure - Intel

  • Intel (CVE-2019-11090)
  • 02/01/2019: Reported to IPSIRT
  • 02/12/2019: Acknowledged (Outdated Intel IPP Crypto library)
  • 11/12/2019: Firmware Update for Intel Management Engine

36

slide-37
SLIDE 37

Coordinated Disclosure - STMicroelectronics

  • STMicroelectronics (CVE-2019-16863)
  • 05/15/2019: Reported to ST
  • 05/17/2019: Acknowledged
  • Lots of calls/emails to clarify the disclosure process
  • 09/12/2019: Verified new version of STM TPM firmware
  • After 11/12/2019:
  • HP and Lenovo have issued firmware updates.
  • ST released a list of affected devices.

37

slide-38
SLIDE 38

Challenge?

  • Infineon TPM ECDSA Timing Histogram

38

slide-39
SLIDE 39

Questions?!

https://tpm.fail/ https://www.usenix.org/conference/us enixsecurity20/presentation/moghimi

TPM-FAIL

39 https://github.com/ VernamLab/TPM-Fail