using low cost cryptographic hardware to rob a bank
play

UsingLow-CostCryptographic HardwaretoRobaBank RichardClayton - PowerPoint PPT Presentation

Apr 25, 2023 •301 likes •648 views

UsingLow-CostCryptographic HardwaretoRobaBank RichardClayton &MichaelBond

  1. Using�Low-Cost�Cryptographic� Hardware�to�“Rob�a�Bank” Richard�Clayton &�Michael�Bond ��������������������������� � �� �������������

  2. Summary • Keys�and�Ciphers • The�IBM�4758�Cryptoprocessor • How�PIN�values�work • The�low-cost�hardware�“DES�cracker” • How�to�extract�3DES�keys�from�a�IBM�4758 • Mike�Bond’s�“API�attacks”

  3. Keys�and�Ciphers • Kerckhoff’s�doctrine�(1883) – the�security�of�a�system�should�depend�upon�its� key�and�not�upon�its�design�remaining�obscure • If�there�is�no�shortcut�then�the�security�of�a� system�depends�upon�its�key�length – trying�all�possibilities�@�33�million�keys/sec • 2 40 =�9�hours • 2 56 =�69�years • 2 80 =�1.1�billion�years

  4. A�History�of�Tamper�Resistance Problem :�another�program�on�the�same machine�can�access�your�sensitive�data • Put�keys�into�separate�microprocessor • Put�microprocessor�into�a�tin�box • Photocells�and�tilt�detection • Epoxy�“potting” • Tamper�detecting�barriers

  5. The�IBM�4758 • Protective�barrier�with�wires�of�chemically� similar�compound • Detectors�for�temperature�&�X-Rays • “Tempest”�shielding�for�RF�emission • Low�pass�filters�on�power�supply�rails • Multi-stage�“ratchet”�boot�sequence =�STATE�OF�THE�ART�PROTECTION!

  7. CCA�and�PIN�values • Common�Cryptographic�Architecture – runs�on�many�IBM�platforms – available�for�free�to�run�on�a�4758 • A�PIN�value�(in�the�CCA�world)�is�the� account�number�encrypted�with�(112�bit)� 3DES�key�and�last�few�bytes�made�decimal • Changing�a�PIN�=>�changing�an�offset

  8. Key�Entry�under�CCA • Each�key�is�loaded�in�two�parts,�which�are� then�XORed together – XOR�means�that�knowing�one�part�tells�you� NOTHING�about�the�final�key�value • Two�security�officers,�“trusted”�not�to� collude,�are�given�one�part�of�the�key�each. – They�authenticate�themselves�and�then� separately�load�these�into�the�4758. • This�makes�the�key�entirely�secure...

  9. The�Meet�in�the�Middle�Attack • A�thief�walks�into�a�car�park�and�tries�to� steal�a�car...� • How�many�keys�must�he�try?

  10. The�Meet�in�the�Middle�Attack

  11. The�Meet-in-the-Middle�Attack Idea:� Attack�multiple�keys�in�parallel� • Encrypt�the�same�plaintext�under�each�of� the�multiple�keys�to�get�a�“test�vector” • Attack�by�trying�all�keys�in�sequence�but� check�for�a�match�against�any�test�vector� value� (check�is�faster�than�encrypt) • Typical�case:�A�2 56 search�for�one�key� becomes�a�2 42 search�for�2 14 keys

  12. Attacking�the�CCA�:�Part�1 • Create�unknown�DES�key�part • XOR�in�“...001”,�“...002”,�“...003”�etc • Encrypt�zero�value�under�each�key • Repeat�to�get�16384�(2 14 )�results • Some�complexity�because�of�parity�issues,� but�essentially�simple�&�takes�10�minutes. • Use�“brute-force”�attack�to�get�the�DES�key

  13. zero X 001 X�xor�001 V1 002 X xor 002 V2 003 X xor 003 V3 004 X xor 004 V4 005 X xor 005 V5 006 X xor 006 V6 007 X xor 007 V7 008 X xor 008 V8 4,5,6,7,8,9,10... 3 1 2 $995� Value�3 Value�1 Value�2 Etc�etc DES� zero Cracker

  14. Low-cost�DES�Cracker • $995�Excalibur�kit�(Altera�20K200�FPGA) – chip�cost�is�~$5�(in�volume;�$178�one-off) • 33MHz�pipeline�(&�60MHz�possible) • 2 25 keys/second – 56�bit�DES�=�69�years • However...�look�for�16384�keys�in�parallel – with�average�luck�find�first�key�in�25.4�hours

  16. Attacking�the�CCA�:�Part�2 • Recall�we�had�16K�related�DES�keys • We�can�crack�one�of�these�in�~1�day • Now�create�16K�related�3DES�keys�with� “replicate”�halves�and�“exporter”�capability – 3DES�=�EncryptA;�DecryptB;�EncryptA • Export�the�DES�key�under�the�3DES�keys • Since�replicate�can�also�crack�in�~1�day

  17. Attacking�the�CCA�:�Part�3 • Create�non-replicate�3DES�key�by�combining� two�unequal�halves�with�the�replicate�halves� that�we’ve�now�determined • Export�all�the�CCA�keys�under�this�key • Download�list�of�PIN�offsets • Use�magnetic�stripe�writer�to�create�cards • Use�any�ATM�to�extract�money�from�accounts • Go�to�Bermuda!

  18. Michael�Bond’s�“API�attacks” • New�type�of�attack:�use�standard�API�in� non-standard�way�to�cause�dumb�things – Overloaded�key�types – Unauthorised�type�casting – 3DES�binding�attack – Related�keys Mike’s�PhD�topic�targets�formal�methods�that will�detect�(and�avoid)�these�problems

  19. Who�am�I? • 2 nd Year�PhD�student�at�the�Computer� Laboratory,�University�of�Cambridge,�Age:22 • Studied�“Computer�Science”�as�an� undergraduate�at�Cambridge,�before�that�KSB • Studied�Maths,�Physics,�Chemistry,�DT,�IT� etc…�at�A-Level • Currently�live�in�Cambridge,�a�mile�or�so�from� town�centre�&�computer�lab

  20. What�is�a�PhD? • In�theory:�“an�original�and�significant�contribution� to�the�general�body�of�knowledge�in�the�chosen� subject”�– a�thesis�of�40,000-100,000�words • In�practice:�three�years�of�supervised�research�into� a�particular�topic�as�a�member�of�a�research�group� studying�similar�topics. • Year�1�– Explore • Year�2�– Understand • Year�3�– Write�Up

  21. My�PhD • “Understanding�Security�APIs” • Security�API�=�Software�interface�to�a� processor�performing�security�functions,� usually�tamper-resistant�hardware • Year�1�:�Analysed�6�different�cryptoprocessors,� published�academic�papers�explaining�attacks • Year�2�:�Producing�design�rules,�and�building� analysis�tools

  22. The�PRISM�Security�Module

  23. The�Visa�Security�Module

  24. VSM�Type�Diagram

  25. Example�Security�API�Commands U->C�:�{�A�} KM ,�{�B�} KM C->U�:�{�A+B�} KM U->C�:�GUESS�,�{�ANS�} KM C->U�:�YES��(if�GUESS=ANS�else�NO) U->C�:�{�X�} K1 ,�{�K1�} KM ,�{�K2�} KM C->U�:�{�X�} K2

  26. Computer�Security • Cryptography,�Anonymity,�Protocols,�Tamper- Resistance,�Operating�Systems,�Copy-Protection • Nowadays:�Economics,�Law,�Politics • Deals�with�fundamental�conflicts�of�interest: – Good�guys�vs.�bad�guys – Competing�corporations – International�warfare – Personal�privacy�concerns

  27. • 30�academic�staff�=�teaching/research 40�research�assistants�=�research�on�lab�money 80�research�students�=�research�on�grant�money (+300�undergraduate�students) • Groups:�Security,�Graphics&Hardware,� Systems�Research,�Theory,�Natural� Languages…

  29. In�My�Office

  30. What�is�Computer�Science? • Practical�and�theoretical�study�of�the�details� and�principles�of�software,�hardware�and� communications�technology • Cambridge�course�aims�to�be�technology� independent,�split�50/50�between�practice� and�theory • Includes�a�60�man/h�group�project,�and�500� man/h�individual�project

  31. Computer�Science�Career�Paths Academia Industry Lobbyist Funded Lecturer Research Theorist EPSRC Civil� Industrial Research Research Service R&D�Lab Assistant Think�Tank Freelance Consultancy Consultant Firm Security CESG Freelance Officer Consultant O/S GCHQ Security MI5 Security DERA Product�Group Defence Contractor Industry Government MI6

  32. Computer�Hacking • Not�on�the�career�path�diagram? • You�can� really hack�hypothetical�systems,�and� really hack�real�systems • You�need�permission�for�the�latter • “Black�Hats”�and�“White�Hats”�can�both�hack� legally�– difference�is�ethics�of�disclosure • Real�hackers�are�just�common�criminals

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptographic Protocols Bank executes (valid) transactions. What is a Valid Transaction

Cryptographic Protocols Bank executes (valid) transactions. What is a Valid Transaction

Repetition: A Virtual Bank (1/4) 2 Alice $7535 Specification Bob $73227 Clara $8317 Bank keeps track of all balances. . . . Users send transactions to bank. transfer(Alice,Clara,$200) Cryptographic Protocols Bank

278 views • 5 slides
Cryptographic Protocols bank executes (valid) transactions What is a Valid Transaction Spring

Cryptographic Protocols bank executes (valid) transactions What is a Valid Transaction Spring

A Virtual Bank 2 Alice $7535 Specification Bob $73227 Clara $8317 bank keeps track of all balances . . . users send transactions to bank transfer(Alice,Clara,$200) Cryptographic Protocols bank executes (valid)

65 views • 3 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic

Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic

Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic primitives Shashank Raghuraman and Leyla Nazhandali Abstract Logical metrics such as gate count have been extensively used in estimating the hardware

401 views • 12 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

371 views • 21 slides
Summary Introduction & Cryptographic Background Hardware Support for Physical Security

Summary Introduction & Cryptographic Background Hardware Support for Physical Security

Summary Introduction & Cryptographic Background Hardware Support for Physical Security Side Channel Attacks Arnaud Tisserand Fault Injection Attacks CNRS, Lab-STICC laboratory CRiSIS 2017, Dinard, France Protections Examples

266 views • 15 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay CRYPTO August 2012 BLUF (Bottom Line Up

602 views • 19 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J. Kai-Tsay CRYPTO August 2012 BLUF (Bottom Line Up

584 views • 42 slides
White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to protect a cryptographic key? Well, put it in a smartcard of course! ... or any piece of secure hardware But... Secure hardware is expensive

1.6k views • 98 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve Weingart Senior Engineer (561) 392 6100 c1shw@us.ibm.com Secure Systems and Smart Cards IBM T.J. Watson Research Center Hawthorne, NY 4758 PCI

386 views • 11 slides
Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP

Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP

Good Practices for Designing Cryptographic Primitives in Hardware Miroslav Kne evi NXP Semiconductors miroslav.knezevic@nxp.com January 25, 2016 School on Design for a Secure IoT, Tenerife, 2016 THINGS Smart Plugs 3. January 28, 2016

1.09k views • 86 slides
Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive & Secure Computing Systems Lab Department of Electrical & Computer Engineering Boston

964 views • 48 slides
Ongoing Cyber Security Projects Salim Hariri, Director The University of Arizona

Ongoing Cyber Security Projects Salim Hariri, Director The University of Arizona

NSF Industry/University Cooperative Research (I/UCRC) Program Ongoing Cyber Security Projects Salim Hariri, Director The University of Arizona nsfcac.arizona.edu email: hariri@ece.arizona.edu (520) 977-7954 NSF IUCRC in US 2 75+ IUCRC

1.1k views • 65 slides
Online auhthentication methods Evaluate the strength of online authentication methods

Online auhthentication methods Evaluate the strength of online authentication methods

Online auhthentication methods Evaluate the strength of online authentication methods Introduction Cornel de Jong S ystem and Network Engineering Universiteit van Amsterdam S upervisors: S pui 21 UvA: 1012WX Amsterdam Cees de

481 views • 34 slides
Data and Financial Transactions Security - What You Need to Know, Now! Rick Diamond, VP, Agency

Data and Financial Transactions Security - What You Need to Know, Now! Rick Diamond, VP, Agency

Data and Financial Transactions Security - What You Need to Know, Now! Rick Diamond, VP, Agency I.T. Director, FNTG rick.diamond@fnf.com @rdiamondFNF Why are you doing this and why should you care? Not because the cfpb wants you to

730 views • 41 slides
Cybersecurity, Insurers, and the Department: What You Need to Know John J. Lacek IV, Esq.

Cybersecurity, Insurers, and the Department: What You Need to Know John J. Lacek IV, Esq.

Cybersecurity, Insurers, and the Department: What You Need to Know John J. Lacek IV, Esq. Department Counsel Chair Cybersecurity Incident Response Task Force Office of Chief Counsel | www.insurance.pa.gov A Growing Threat and Growing

531 views • 25 slides
Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com.

Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com.

Jetpack supercharges your self-hosted WordPress site with cool functionality from WordPress.com. WordPress.com Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that

395 views • 27 slides
and Devices in a Network AIMS CONFERENCE 13. 7. 2017 Martin Latovika lastovicka@ics.muni.cz

and Devices in a Network AIMS CONFERENCE 13. 7. 2017 Martin Latovika lastovicka@ics.muni.cz

Situational Awareness: Detecting Critical Dependencies and Devices in a Network AIMS CONFERENCE 13. 7. 2017 Martin Latovika lastovicka@ics.muni.cz 1 Situational Awareness The knowledge and understanding of the current situation. 2 3

441 views • 17 slides
Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis

Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis

Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis Artem Pavlenko , Alexander Semenov, Vladimir Ulyantsev {alpavlenko,ulyantsev}@corp.ifmo.ru ITMO University, St. Petersburg, Russia ISDCT SB RAS,

431 views • 25 slides
DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya Upgrading BIND Why

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya Upgrading BIND Why

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya Upgrading BIND Why Upgrade? Almost all software has bugs Although BIND 9 is much more conservative than previous versions, it is not immune to software defects

906 views • 21 slides

More recommend