
Wombat: one more Bleichenbacher attack toolkit Olivier Levillain - PowerPoint PPT Presentation



  1. Wombat: one more Bleichenbacher attack toolkit. Olivier Levillain, Aina Toky Rasoamanana, Télécom SudParis. GreHack 2019, 15 November 2019. Levillain & Rasoamanana, Wombat, 1/27

  2. Plan (2/27)
     RSA and PKCS#1 v1.5 in a nutshell
     Bleichenbacher: the million-message attack
     Wombat: one more Bleichenbacher toolkit
     Current results and future work
     Conclusion

  3. Section 1: RSA and PKCS#1 v1.5 in a nutshell (3/27)


  6. RSA and PKCS#1 v1.5 in a nutshell / RSA 101 (4/27)
     RSA
     ◮ a pervasive cryptosystem
     ◮ asymmetric encryption and signature
     Details
     ◮ public key: $n = p \cdot q$, $e$
     ◮ private key: $d$
     ◮ raw encryption: $C = M^e \ [n]$
     ◮ raw decryption: $C^d = M^{ed} = M \ [n]$
     Problems with raw RSA operations
     ◮ if $e$ and $M$ are small
     ◮ malleability w.r.t. the multiplication


  8. RSA and PKCS#1 v1.5 in a nutshell / The need for a padding scheme (5/27)
     We thus need to format the message before encrypting (or signing) it
     ◮ PKCS#1 standardizes how to use RSA
     ◮ in particular, the document defines different padding schemes
     In this talk, we are most interested in padding type 2, described in version 1.5 of the standard, and used for encryption:
     [diagram, n bytes in total] 00 02 | non-zero random bytes (8+ bytes) | 00 | encapsulated data

  9. RSA and PKCS#1 v1.5 in a nutshell / Other padding schemes (6/27)
     PKCS#1 v1.5 also describes two other schemes, which are deterministic
     ◮ padding type 0 (zero bytes, rarely used)
     ◮ padding type 1 (ff bytes, used for signature)
     PKCS#1 v2.1
     ◮ OAEP (Optimal Asymmetric Encryption Padding) for encryption
     ◮ PSS (Probabilistic Signature Scheme) for signature
     ◮ these schemes have better security properties...
     ◮ ... but are not always used in standards

  10. Section 2: Bleichenbacher: the million-message attack (7/27)


  12. Bleichenbacher: the million-message attack / An observation about padding type 2 (8/27)
     [diagram, n bytes in total] 00 02 | non-zero random bytes (8+ bytes) | 00 | encapsulated data
     With a correctly formatted message to be encrypted
     ◮ the raw plaintext $M$ starts with 00 02
     ◮ interpreted as an integer, this means that $M$ is an integer between $2B$ and $3B$
     ◮ with $B = 2^{|n| - 16}$
     ◮ where $|n|$ is the size of the modulus $n$ in bits


  14. Bleichenbacher: the million-message attack / Attack principle (CRYPTO 1998) (9/27)
     We assume there exists an oracle which
     ◮ accepts to decrypt messages
     ◮ returns true when the padding was correct, false otherwise
     ◮ (the decrypted message will be kept secret)
     An attacker wishing to recover $m = c^d$ can then
     ◮ send altered messages $c \cdot s^e$ (with $s$ known)
     ◮ let the server handle $(c \cdot s^e)^d = c^d \cdot s^{ed} = m s$
     ◮ infer that $2B \le m s < 3B$ in case the oracle returns true
     ◮ repeat the operations, and recover $m$ with these equations
     ◮ (this is an adaptive chosen ciphertext attack)


  16. Bleichenbacher: the million-message attack / Different oracle types (1/2) (10/27)
     In practice, the attacker wants to find messages starting with 00 02
     [diagram, n bytes in total] 00 02 | non-zero random bytes (8+ bytes) | 00 | encapsulated data
     However, some oracles also make additional checks
     ◮ the padding contains at least 8 bytes
     ◮ the padding ends with a null byte
     ◮ the message obtained has the expected length


  18. Bleichenbacher: the million-message attack / Different oracle types (2/2) (11/27)
     If we assume an oracle returning true only for messages
     ◮ starting with 00 02
     ◮ where the padding contains at least 8 bytes
     ◮ and where the padding ends with a null byte
     The attacker thus loses good messages (starting with 00 02) which would have led to interesting equations
     Bardou et al. proposed a classification where each oracle type depends on the messages an attacker can distinguish

  19. Bleichenbacher: the million-message attack / Results from Bardou et al. (12/27)
     The article, published at CRYPTO 2012, improved the original algorithms (CRYPTO 1998)
     Average number of requests per oracle type:
     Oracle type   Original algo   Improved algo
     FFF           -               18 040 221
     FFT           215 982         49 001
     FTT           159 334         39 649
     TFT           39 536          10 295
     TTT           38 625          9 374

  20. Section 3: Wombat: one more Bleichenbacher toolkit (13/27)


  22. Wombat: one more Bleichenbacher toolkit / A modular way to implement the attack (1/2) (14/27)
     To test an implementation, we write a stub, which allows
     ◮ to get the RSA public key
     ◮ to get a challenge (an encrypted message)
     ◮ to submit messages to be decrypted
     The attacker can submit messages for which the plaintext is known, and assess the oracle type
     ◮ well formed messages
     ◮ messages not starting with 00 02
     ◮ messages with a short padding
     ◮ messages with an unending padding
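As an added example (not code from the Wombat toolkit or the authors), the observation of slide 12 and the four probe messages of slide 22 in Python: a lenient padding check that only looks at the 00 02 prefix is set beside a strict one that also verifies the 8-byte minimum, the null separator and the expected length, and the responses to the probes show which checks an oracle performs. The modulus size, sample data and probe byte values are constructed for the example.

```python
import secrets

def pkcs1_v15_type2_pad(data: bytes, k: int) -> bytes:
    """Build a k-byte type 2 block: 00 02 | >= 8 non-zero random bytes | 00 | data."""
    if len(data) > k - 11:
        raise ValueError("data too long for a %d-byte modulus" % k)
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(data)))
    return b"\x00\x02" + ps + b"\x00" + data

def padding_ok(block: bytes, strict: bool, expected_len: int = None) -> bool:
    """Padding check on a decrypted k-byte block, as an oracle would run it.
    Lenient: only the 00 02 prefix is checked (every 'good message' is accepted).
    Strict: 8+ padding bytes, a 00 separator and the expected data length are also required."""
    if block[:2] != b"\x00\x02":
        return False
    if not strict:
        return True
    sep = block.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:          # unending padding, or fewer than 8 padding bytes
        return False
    return expected_len is None or len(block) - sep - 1 == expected_len

def in_bleichenbacher_interval(block: bytes, nbits: int) -> bool:
    """Slide 12: a block starting with 00 02, read as an integer, lies in [2B, 3B), B = 2^(|n|-16)."""
    B = 1 << (nbits - 16)
    m = int.from_bytes(block, "big")
    return 2 * B <= m < 3 * B

def probes(k: int, data: bytes) -> dict:
    """The four probe kinds of slide 22, with plaintexts known to the tester (constructed values)."""
    good = pkcs1_v15_type2_pad(data, k)
    return {
        "well formed": good,
        "bad prefix": b"\x00\x03" + good[2:],
        "short padding": b"\x00\x02" + b"\x11\x22\x33" + b"\x00" + b"\x44" * (k - 7),
        "unending padding": b"\x00\x02" + b"\x55" * (k - 2),
    }

def classify(k: int, strict: bool) -> dict:
    """Response of one oracle flavour to each probe; the pattern identifies the oracle type."""
    data = b"constructed sample"
    return {name: padding_ok(blk, strict, len(data)) for name, blk in probes(k, data).items()}
```

A lenient oracle answers true to the short and unending probes as well, which is exactly what makes it the cheapest type to attack in the Bardou et al. table.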

  23. Wombat: one more Bleichenbacher toolkit / A modular way to implement the attack (2/2) (15/27)
     If the attacker can identify good messages by observing the implementation behaviour, an oracle has been identified
     The attacker can then
     ◮ evaluate more precisely the cost of the attack
     ◮ attack the implementation to recover the plaintext corresponding to the challenge
     ◮ use the oracle to forge a signature
