why you shouldn t write cryptographic algorithms yourself
play

Why you shouldn't write cryptographic algorithms yourself - PowerPoint PPT Presentation

Jan 25, 2023 •48 likes •348 views

Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto is harder than it seems at frst. Simo Sorce Sr. Principal Sw. Engineer RHEL Crypto Team 2019-01-26 Everyone tells you that you shouldnt

  1. Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto is harder than it seems at frst. Simo Sorce Sr. Principal Sw. Engineer – RHEL Crypto Team 2019-01-26

  2. Everyone tells you that you shouldn’t write your own crypto, but they don’t tell you why. 2

  4. Instead let’s see what it takes to write software to handle a cryptographic function like RSA* *I chose RSA only because I had to deal with it recently, could have used any Symmetric or asymmetric cryptographic primitive 4

  6. Clear text Public exponent C = M e mod N Encrypted message 6

  7. Private exponent Encrypted message M = C d mod N Clear text 7

  9. No really, no tricks! RSA is really simple 9

  11. Let’s look at those “useless” details the cryptographers talk about from time to time! 11

  12. Attacks based on poor practices Easy stuff :-) These attacks are based on the math, not the implementation. ● Common Modulus - (Simmons) ● Yeah, please never reuse p, q ● Low Private Exponent (d) - (Wiener) ● Breaks cryptosystem – hey but decryption is real fast! ● Low Public Exponent (e) - (Coppersmith, Hastad, Franklin-Reiter) ● Not a total break, but still please use e > 2 16 -1 ● Also use randomized padding ● … for more details, search for: ● Twenty Years of Attacks on the RSA Cryptosystem (Dan Boneh) 12

  13. WE LOOKED AT THE MATH!!!

  14. Basic tools needed to implement RSA Usually beyond what standard languages provide ● Infnite precision math library ● You really need to deal with BIG numbers, as in several thousands bits large numbers, so they won’t ft in your processor registers as normal integers, or long integers or even long long integers, and you can’t use foats. ● Fast, prime number generation tools to fnd good large primes ● For key generation ● A good CSPRNG ● Also for key generation and other things 14

  15. RSA decryption using GMP * Simplest code / * compute root (raise to private exponent) * / / * compute root (raise to private exponent) * / 1 mpz_powm(message, ciphertext, key->d, key->n); mpz_powm(message, ciphertext, key->d, key->n); This is a bit slow ... *GNU Multiple Precision Arithmetic Library 15

  17. Faster RSA decryption A bit faster using CRT dp = d mod (P – 1) dq = d mod (Q - 1) M = C d mod N Mp = C dp mod P Mq = C dq mod Q Find: M = Mp mod P == Mq mod Q x10 / * compute root (derived from CRT) * / / * compute root (derived from CRT) * / mpz_fdiv_r(m_mod_p, C, key->p); mpz_fdiv_r(m_mod_p, C, key->p); mpz_powm(Mp, m_mod_p, key->a, key->p); mpz_powm(Mp, m_mod_p, key->a, key->p); mpz_fdiv_r(m_mod_q, ciphertext, key->q); mpz_fdiv_r(m_mod_q, ciphertext, key->q); mpz_powm(Mq, m_mod_q, key->b, key->q); mpz_powm(Mq, m_mod_q, key->b, key->q); mpz_sub(tmp1, Mp, Mq); mpz_sub(tmp1, Mp, Mq); mpz_mul(tmp2, tmp1, key->c); mpz_mul(tmp2, tmp1, key->c); mpz_fdiv_r(Xp, tmp2, key->p); mpz_fdiv_r(Xp, tmp2, key->p); mpz_mul(tmp1, key->q, Xp); mpz_mul(tmp1, key->q, Xp); mpz_add(M, tmp1, Mq); mpz_add(M, tmp1, Mq); 17

  18. Attacks on implementations Where *everyone* gets it wrong the frst 42 times! These attacks use math to defeat implementation issues. They all need an Oracle , conveniently any TLS server is one. ● Timing attacks (Kocher) ● Use blinding to defeat this (Rivest) ● Random Faults (Boneh, DeMillo, and Lipton) ● Check signature before sending out ● Bleichenbacher's Attack on PKCS 1 (Bleichenbacher) ● In TLS defeated by using a random session key instead of returning error 18

  19. Blinding Prevents using the server as a signing Oracle Cr = C * r e mod N M = C d mod N M * r = Cr d mod N M = Cr d / r mod N random_func(R); /* generate random R * / random_func(R); /* generate random R * / x2 mpz_invert(Ri, R, key->n); /* ..and its inverse Ri * / mpz_invert(Ri, R, key->n); /* ..and its inverse Ri * / / * blinding * / / * blinding * / mpz_powm(tmp1, R, key->e, key->n); mpz_powm(tmp1, R, key->e, key->n); mpz_mul(tmp2, tmp1, C); mpz_mul(tmp2, tmp1, C); mpz_fdiv_r(Cr, tmp2, key->n); mpz_fdiv_r(Cr, tmp2, key->n); rsa_compute_root(Mr, Cr); rsa_compute_root(Mr, Cr); /* unblinding * / /* unblinding * / mpz_mul(tmp1, Mr, Ri); mpz_mul(tmp1, Mr, Ri); mpz_fdiv_r(M, tmp1, key->n); mpz_fdiv_r(M, tmp1, key->n); 19

  20. Checking Prevents sending faulty signatures + M = C d mod N C = M e mod N +2 /* blinding * / /* blinding * / rsa_blind(Cr, Ri, C); rsa_blind(Cr, Ri, C); rsa_compute_root(Mr, Cr); rsa_compute_root(Mr, Cr); /* check * / /* check * / mpz_powm(Cr2, Mr, key->e, key→n); mpz_powm(Cr2, Mr, key->e, key→n); if(Cr2 != Cr) goto error; if(Cr2 != Cr) goto error; /* unblinding * / /* unblinding * / rsa_unblind(M, Ri, Mr); rsa_unblind(M, Ri, Mr); 20

  21. One defense from Bleichenbacher +2 if (error) { if (error) { random_func(M); random_func(M); return M; return M; } } 21

  24. Attacks based on CPU architecture Here is were people give up! :-) These attacks use timing and caching issues to retrieve your keys. They all need a LOCAL Oracle , conveniently any TLS server on a SHARED host is one. ● The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations (Ronen, Gillham, Genkin, Shamir, Wong, Yarom) ● Attacks the RSA implementation by timing how much time computations take ● Attacks the RSA implementation by checking which memory area is accessed and when via CPU cache inspection and manipulation ● Funny note: OpenSSL did not raise a CVE because their threat model does not involve protecting from “local” attacks … ● Do you run Virtual Machines or Containers ? 24

  25. Attacks based on CPU architecture Here is were people give up! :-) These attacks are use timing and caching issues to retrieve your keys. They all need a LOCAL Oracle , conveniently any TLS server on a SHARED host is one. ● The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations (Ronen, Gillham, Genkin, Shamir, Wong, Yarom) ● Attacks the RSA implementation by timing how much time computations take ● Attacks the RSA implementation by checking which memory area is accessed and when via CPU cache inspection and manipulation ● Funny note: OpenSSL did not raise a CVE because their threat model does not involve protecting from “local” attacks … ● Do you run Virtual Machines or Containers ? 25

  26. Defeating Cache/Timing attacks Or at least we tried to … Luckily some of this work was already done to solve other timing issues ● GMP needs “security” functions that compute in constant time and constant space ● mpz_powm mpn_sec_powm → ● … ● Change rsa_compute_root() to be side-channel silent ● Remove all input dependent conditional operations ● 1 function of about 10 lines 8 functions for a total of about 100 lines → ● Obviously slower, also a lot more complicated ● Change pkcs1 (de)padding function to be side-channel silent ● 1 function of about 20 lines 2 functions for a total of about 40 lines → ● All considered about 40 commits upstream 26

  27. Example memcpy(message, terminator + 1, message_length); memcpy(message, terminator + 1, message_length); *length = message_length; *length = message_length; /* fill destination buffer fully regardless of outcome. Copies the message /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ * be clobbered past the message length. */ x3 - x5 shift = padded_message_length - buflen; shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { { /* 'ok' is both a least significant bit mask and a condition */ /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } } /* update length only if we succeeded, otherwise leave unchanged */ /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); 27

  28. From naive to reasonably secure implementation Two orders of magnitude more code (… and bugs ?) 28

  29. Chose Two One Compromises are necessary FAST SECURE SIMPLE 29

  30. THANK YOU plus.google.com/+RedHat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/RedHat youtube.com/user/RedHatVideos

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

outline development of cryptographic algorithms for a real life application introduction

outline development of cryptographic algorithms for a real life application introduction

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems Henri Gilbert Orange Labs {firstname.lastname@orange-ftgroup.com} research &amp; development outline development of cryptographic algorithms for a real life

486 views • 12 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC &amp; SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
Detection of cryptographic algorithms with grap Lonard Benedetti a , Aurlien Thierry a and

Detection of cryptographic algorithms with grap Lonard Benedetti a , Aurlien Thierry a and

Detection of cryptographic algorithms with grap Lonard Benedetti a , Aurlien Thierry a and Julien Francq a a Airbus CyberSecurity MetaPole, 1 bd Jean Moulin, CS 40001, 78996 lancourt Cedex, France benedetti@mlpo.fr

250 views • 14 slides
Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve Encrypt-then MAC: encrypt message, then compute MAC of Privacy: use encryption ciphertext. Integrity: use MAC MAC-then-encrypt: First compute MAC, and then

203 views • 3 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Let It Crash... Except When You Shouldn't Steve Vinoski Verivue, Inc. Westford, MA USA

Let It Crash... Except When You Shouldn't Steve Vinoski Verivue, Inc. Westford, MA USA

Let It Crash... Except When You Shouldn't Steve Vinoski Verivue, Inc. Westford, MA USA vinoski@ieee.org QCon London 10 March 2011 1 About This Talk Explore Erlangs Let It Crash approach to failure handling I dont assume you

793 views • 56 slides
7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published encryption functions E, D; {M} K is the ciphertext (another sequence of bits) Symmetric (secret key) cryptography E(K, M) = {M} K D(K, E(K, M)) = M

571 views • 30 slides
Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash Functions Bart Preneel KU Leuven - COS IC firstname.lastname@ esat.kuleuven.be Design and S ecurity of Cryptographic Functions, Algorithms and Devices

982 views • 67 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption Algorithms Symmetric Algorithms: DES and AES Asymmetric Algorithm: RSA Pretty Good Privacy (PGP) Chapter 5 Symmetric vs. Asymmetric

363 views • 8 slides
So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want both privacy and integrity Achieve this by combining encryption and MAC in appropriate way Eike Ritter Cryptography 2014/15 39 Several

1.18k views • 12 slides
Managing Localizations: What you should and shouldn't do Park Shinjo 2010. 7. 4. | T ampere,

Managing Localizations: What you should and shouldn't do Park Shinjo 2010. 7. 4. | T ampere,

Managing Localizations: What you should and shouldn't do Park Shinjo 2010. 7. 4. | T ampere, Finland | Akademy 2010 Contents 5W1H About localization Who When Where What Why How Who Musa is using KDE; he wants to

357 views • 33 slides
Quality Thinking in other Industries Dominic Parry Inspired Pharma Training WEB

Quality Thinking in other Industries Dominic Parry Inspired Pharma Training WEB

Quality Thinking in other Industries Dominic Parry Inspired Pharma Training WEB www.inspiredpharma.com GMP BLOG inspiredpharmablog.com Welcome The traditional focus on quality Quality in the eyes of GMP What does

978 views • 42 slides
Soft Threshold Weight Reparameterization for Learnable Sparsity Aditya Kusupati Vivek Ramanujan *

Soft Threshold Weight Reparameterization for Learnable Sparsity Aditya Kusupati Vivek Ramanujan *

Soft Threshold Weight Reparameterization for Learnable Sparsity Aditya Kusupati Vivek Ramanujan * , Raghav Somani * , Mitchell Wortsman * Prateek Jain, Sham Kakade and Ali Farhadi 1 Motivation Deep Neural Networks Highly accurate

353 views • 21 slides
Energy Storage for Rural Affordable Housing: The McKnight Lane Redevelopment Project September

Energy Storage for Rural Affordable Housing: The McKnight Lane Redevelopment Project September

Energy Storage for Rural Affordable Housing: The McKnight Lane Redevelopment Project September 27, 2017 Housekeeping Use the red arrow to open and close your control panel Join audio: Choose Mic &amp; Speakers to use VoIP Choose

633 views • 38 slides
Auto ma te d DR Sc re e ning a nd So la r Ma p b y: Ob je c tive a nd Go a ls T ra nspa re

Auto ma te d DR Sc re e ning a nd So la r Ma p b y: Ob je c tive a nd Go a ls T ra nspa re

Auto ma te d DR Sc re e ning a nd So la r Ma p b y: Ob je c tive a nd Go a ls T ra nspa re nt DR I nte rc o nne c tio n in GMP s e le c tric a l distrib utio n syste m b y ma king the te c hnic a l g rid info rma tio n a va ila b le

332 views • 6 slides
Almost Gorenstein rings of higher dimension . Naoki Taniguchi Meiji University Joint work with

Almost Gorenstein rings of higher dimension . Naoki Taniguchi Meiji University Joint work with

History Almost Gorenstein local rings Semi-Gorenstein local rings Almost Gorenstein graded rings References . Almost Gorenstein rings of higher dimension . Naoki Taniguchi Meiji University Joint work with Shiro Goto and Ryo Takahashi AMS

632 views • 29 slides
GRAVITATIONAL LENSING LESSON 1 - DEFLECTION OF LIGHT Massimo Meneghetti AA 2016-2017 TEACHER

GRAVITATIONAL LENSING LESSON 1 - DEFLECTION OF LIGHT Massimo Meneghetti AA 2016-2017 TEACHER

GRAVITATIONAL LENSING LESSON 1 - DEFLECTION OF LIGHT Massimo Meneghetti AA 2016-2017 TEACHER Massimo Meneghetti Researcher INAF - Osservatorio Astronomico di Bologna Ufficio: 2S5 (Via Ranzani) - 4W3 (navile) e-mail:

864 views • 63 slides
Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research -

Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research -

Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research - Comsecuris &lt;ralf@comsecuris.com&gt; PGP fingerprint : D244D6F2E79B529BF5548F39B27967D58C07C5B7 twitter: @esizkur 1 PARENTAL ADVISORY Sparse

419 views • 28 slides
Two types of GMs Directed edges give causality relationships ( Bayesian Network or Directed

Two types of GMs Directed edges give causality relationships ( Bayesian Network or Directed

School of Computer Science Undirected Graphical Models Probabilistic Graphical Models (10- Probabilistic Graphical Models (10 -708) 708) Lecture 2, Sep 17, 2007 Receptor A Receptor A X 1 X 1 X 1 Receptor B Receptor B X 2 X 2 X 2 Eric

692 views • 20 slides

More recommend