PV204 Security technologies
Trust, trusted element, usage scenarios, side-channel attacks
Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security (CRoCS), Masaryk University
www.crcs.cz/rsa, @CRoCS_MUNI
2.3.2020

Outline
• What is untrusted, trusted and trustworthy
• Trusted Element (TE)
• Modes of usage of a TE
• Attacks against a trusted element
  – Timing side-channels
  – Logical attacks
  – Power analysis
• Protections and testing

TRUSTED ELEMENT

What is a "trusted" system (plain language)
• Many different notions:
  1. A system trusted by someone
  2. A system that you cannot verify and therefore must trust not to betray you
     – If a trusted component fails, security can be violated
  3. A system built according to rigorous criteria, so you are willing to trust it
  4. …
• Why Trust is Bad for Security, D. Gollmann, 2006
  – http://www.sciencedirect.com/science/journal/15710661/157/3
• We need a more precise specification of trust

UNTRUSTED VS. TRUSTED VS. TRUSTWORTHY

Untrusted system
• The system itself is explicitly unable to fulfil the specified security policy
• An additional layer of protection must be employed
  – E.g., encryption of data before storage
  – E.g., digital signature of an email before it is sent over the network
  – E.g., end-to-end encryption in instant messaging

Trusted system
• "…system that is relied upon to a specified extent to enforce a specified security policy. As such, a trusted system is one whose failure may break a specified security policy." (TCSEC, Orange Book)
• Trusted subjects are those exempted from mandatory security policies (Bell-LaPadula model)
• The user must trust it (if they want to use the system)
  – E.g., you and your bank

Trustworthy system (computer)
• "Computer system where software, hardware, and procedures are secure, available and functional and adhere to security practices" (Black's Law Dictionary)
• The user has reasons to trust it, reasonably
• Trustworthiness is subjective
  – A limited interface and hardware protections can increase trustworthiness (e.g., an append-only log server)
• Example: payment card. Trusted? Trustworthy?
• Trusted does not automatically mean trustworthy

Trusted computing base (TCB)
• The set of all hardware, firmware and/or software components that are critical to the system's security
• Vulnerabilities inside the TCB may breach the security properties of the entire system
  – E.g., server hardware + virtualization (VM) software
• The boundary of the TCB depends on the usage scenario
  – The TCB for a datacentre admin is around HW + VM (to protect against compromise of the underlying hardware and services)
  – The TCB for a web server client also contains the Apache web server
• A very important factor is the size and attack surface of the TCB
  – A bigger size implies more space for bugs and vulnerabilities
• https://en.wikipedia.org/wiki/Trusted_computing_base

Cryptography on client
(figure: key held directly on the client computer)
• Which parts are trusted? What are the threats? What are the attacker models? What is the trusted computing base?
On client, but with secure hardware
(figure: key held inside a smart card attached to the client computer)
• Which parts are trusted? What are the threats? What are the attacker models? What is the trusted computing base?
• Problem: how to get the key where it is necessary?
  – Generate it on the device
  – Import it into the device (securely)

Group activity: Make trusted trustworthy
• Write 2 different examples of trusted systems you regularly use
• Write down why exactly each needs to be trusted and with what operations
• (5 minutes)
• Pick one system and propose 3 changes to make it more trustworthy
• (5 minutes)
• Combine the results found by the groups
(Speaker notes: took almost 20 minutes. Moderately interesting, but a good opportunity to discuss nuances while collecting the answers.)

Cryptography in cloud
(figure: client computer; key held on a cloud server accessed through a web service API (JSON))
• Which parts are trusted? What are the threats? What are the attacker models? What is the trusted computing base?

TRUSTED ELEMENT

What exactly can be a trusted element (TE)?
• Recall: anything the user entity of the TE is willing to trust :-)
  – Depends on the definition of "trust" and the definition of "element"
  – We will use a narrower definition
• A trusted element is an element (hardware, software or both) in the system intended to increase the security level with respect to the situation without the presence of such an element:
  1. By storage of sensitive information (keys, measured values)
  2. By enforcing integrity of execution of an operation (firmware update)
  3. By performing computation with confidential data (DRM)
  4. By providing unforgeable reporting from an untrusted environment (TPM)
  5. …

Typical examples – for whom is the TE trusted?
• Payment smart card – TE for the issuing bank
• SIM card – TE for the phone carrier
• Trusted Platform Module (TPM) – TE for the user as storage of BitLocker keys; TE for the remote entity during attestation
• Trusted Execution Environment in a mobile phone / set-top box – TE for the issuer, for confidentiality and integrity of code
• Hardware Security Module for TLS keys – TE for the web admin
• Energy meter – TE for the utility company
• Server under the control of a service provider – TE for the user (private data); TE for the provider (business operation)

Risk management
• No system is completely secure (→ risk is present)
• Risk management allows us to evaluate the risk and eventually take additional protection measures
• Example: payment transaction limit
  – "My account/card will never be compromised" vs. "Even if compromised, the loss is bounded"
• Example: medical database
  – Central governmental DB vs. doctor's local DB
• Good design practice is to allow for risk management

TRUSTED ELEMENT MODES OF USAGE

Trusted (hardware) element – modes of usage
1. Element carries fixed information
2. Element as a secure carrier
3. Element as encryption/signing device
4. Element as programmable device
5. Element as root of trust (TPM)

Element carries fixed information
(figure: ID token read by a laptop; a card cloner)
• Fixed information (an ID) is transmitted, no secure channel
• Low-cost solution (nothing "smart" needed)
• Problem: an attacker can eavesdrop and clone the chip
• The element is trusted with carrying the ID, but is it trustworthy?
Element as a secure carrier
• Key(s) stored on a card, loaded to a PC before encryption/signing/authentication, then erased
• High-speed usage of the key is possible (>> MB/s)
• An attacker with access to the PC during the operation will obtain the key
  – The key is protected for transport, but not during usage
• The element is trusted as confidential key storage, but cannot perform (or is not trusted with) the operation

Element as root of trust (TPM)
(figure: TPM module on a motherboard)
• Secure boot process, remote attestation
• The element provides robust storage with integrity
• An application can verify before passing control (measured boot)
• The computer can authenticate to a remote entity…
• The element is trusted with the integrity of the stored values

Element as encryption/signing device
• The PC just sends data for encryption/signing…
• The key never leaves the element
  – Personalized in a secure environment
  – Protected during transport and usage
• The attacker must attack the element
  – Or wait until the card is inserted and the PIN entered!
• Potentially low-speed encryption (~kB/s)
  – Low communication speed / limited element performance

Element as computational device
(figure: laptop relays encrypted data between the smart card application and a remote server; the keys reside only on the card and the server)
• The PC just sends input to the application on the smart card
• Application code & keys never leave the element
  – The element can do complicated programmable actions
  – It can open secure channels to other entities
    • Secure server, trusted time service…
• The PC acts as a transparent relay only (no access to the data)
• The attacker must attack the element or the input

Is a secure hardware trusted element a silver bullet?
1. The trusted element shall be small (TCB) => not the whole system => how to extend the desirable security properties from the TE to the whole system?
2. The trusted element itself can still be directly attacked

ATTACKS AGAINST TRUSTED ELEMENT

Trusted hardware (TE) is not a panacea!
1. It can be physically attacked
  – Christopher Tarnovsky, Black Hat 2010
  – Infineon SLE 66 CL PE TPM chip, bus read by tiny probes
  – 9 months to carry out the attack, $200k
  – https://youtu.be/w7PT0nrK2BE (great video with details)
2. It can be attacked via a vulnerable API implementation
  – IBM 4758 HSM (export of a long key under a short DES one)
3. It provides a trusted anchor != trustworthy system
  – A weakness can be introduced later
  – E.g., a bug in newly updated firmware

Motivation: Bell's Model 131-B2 / Sigaba
• Encryption device intended for the US Army, 1943
  – Oscilloscope patterns detected during usage
  – 75% of plaintexts intercepted from 80 feet
  – Protection devised (security perimeter), but forgotten after the war
• CIA in 1951 – recovery over ¼ mile of power lines
• Other countries also discovered the issue
  – Russia, Japan…
• More research in the use of (eavesdropping) and defense against (shielding) → TEMPEST

Common and realizable attacks on a Trusted Element
1. Non-invasive attacks
  – API-level attacks
    • Incorrectly designed and implemented application
    • Malfunctioning application (code bug, faulty generator)
  – Communication-level attacks
    • Observation and manipulation of the communication channel
  – Side-channel attacks
    • Timing/power/EM/acoustic/cache-usage/error… analysis attacks
2. Semi-invasive attacks
  – Fault induction attacks (power/light/clock glitches…)
3. Invasive attacks
  – Dismantle the chip, microprobes…
How to reason about attacks and countermeasures?
1. Where does an attack come from (principle)?
  – Understand the principles
2. Different hypotheses for the attack to be practical
  – More ways to exploit the same weakness
3. Attack countermeasures by cancelling a hypothesis
  – For every way you are aware of
4. Costs and benefits of the countermeasures
  – Cost of the assets protected
  – Cost for an attacker to perform the attack
  – Cost of a countermeasure
• Important: consider Break Once, Run Everywhere (BORE)

Where are the frequent problems with crypto algorithms nowadays?
• Security of the mathematical algorithms
  – OK, we have very strong ones (AES, SHA-3, RSA…) (but quantum computers)
• Implementation of the algorithm
  – Problems → implementation attacks
• Randomness for keys
  – Problems → achievable brute-force attacks
• Key distribution
  – Problems → old keys, untrusted keys, key leakage
• Operational security
  – Problems → where we are using crypto, key leakage

NON-INVASIVE LOGICAL ATTACKS

What if the Truly Random Number Generator (TRNG) is faulty?
• A good source of randomness is critical
  – The TRNG can be weak or malfunctioning
• How to inspect TRNG correctness?
  1. Analysis of the TRNG implementation (but usually black-box)
  2. Output data can be statistically tested (100 MB – 8 GB stream; NIST STS, Dieharder, TestU01 batteries)
     – http://www.phy.duke.edu/~rgb/General/dieharder.php
  3. Behaviour in extreme conditions (+70/−50 °C, radiation…)
     • Analyse the data stream gathered during the extreme conditions
  4. Simple power analysis of the TRNG generation
     • Is a hidden/unknown operation present?

Serial test: histogram of 16-bit patterns
(figure: histogram of 16-bit pattern counts; the expected distribution vs. a biased distribution with lower entropy)

Algorithmic flaw in Infineon's RSALib (CVE-2017-15361)
• All keys generated by the Infineon library are affected
• Practical factorization of common lengths: 512/1024/2048 b
• All public keys have a unique "fingerprint" (easy to scan for)
  – Tool for detection (public since 16th October, try it!)
  – https://keychest.net/roca, https://github.com/crocs-muni/roca/
• Tool for factorization (made public by Lange & Bernstein)
  – Our implementation of the factorization tool was provided to Infineon in February 2017
  – Random 2048 b key: 6442450944000000 vCPU years
  – Infineon 2048 b key: 140 vCPU years
• The attack is perfectly parallelizable: 1000 cores => 1000x speedup
• https://roca.crocs.fi.muni.cz

Algorithmic flaw in Infineon's RSALib (CVE-2017-15361) – impact
(chart of affected domains: eID cards in Austria, Estonia, Slovakia, Spain…; 25–30% of TPMs worldwide, BitLocker, ChromeOS… with a firmware update available; commit signing and application signing on GitHub, Maven…; Gemalto .NET, Yubikey 4… tokens; very few keys, but all tied to SCADA management)
• https://roca.crocs.fi.muni.cz

Flawed use of random data to make primes
• Special structure of the primes to facilitate their faster generation
• ~310 bits of entropy for a 1024-bit prime
• Factorization difficulty
  – Random 2048 b key: 6442450944000000 vCPU years
  – Infineon 2048 b key: 140 vCPU years

Transformation of the prime to make the attack practical
(figure)

POWER ANALYSIS
• Non-invasive side-channel attacks

Basic setup for power analysis
(figure: smart card in a smart card reader via an inverse card connector; a 20–80 ohm resistor in the supply line with an oscilloscope probe across it)

More advanced setup for power analysis
(figure: SCSAT04 measurement board with the tested smart card, an external power supply and an Ethernet connection)

Simple vs. differential power analysis
1. Simple power analysis
  – Direct observation of a single / a few power traces
  – Visible operations => reverse engineering
  – Visible patterns => data dependency
2. Differential power analysis
  – Statistical processing of many power traces
  – More subtle data dependencies found

Reverse engineering of JavaCard bytecode
• Goal: obtain the code back from the smart card
  – JavaCard defines around 140 bytecode instructions
  – The JVM fetches an instruction and executes it
• (source code)  m_ram1[0] = (byte) (m_ram1[0] % 1);
• (bytecode, produced by the compiler)  getfield_a_this 0; sconst_0; baload; sconst_1; srem; bastore;
• (power trace of this sequence, captured with the oscilloscope)
Conditional jumps
• May reveal sensitive info
  – Keys, internal branches, …
• (source code)
  if (key == 0) m_ram1[0] = 1; else m_ram1[0] = 0;
• (bytecode, produced by the compiler)
  sload_1; ifeq_w L2;
  L1: getfield_a_this 0; sconst_0; sconst_0; bastore; goto L3;
  L2: getfield_a_this 0; sconst_0; sconst_1; bastore; goto L3;
  L3: …
• (power traces captured with the oscilloscope for k != 0 and for k == 0 differ)
• Can you use a timing attack?

Simple power analysis – data leakage
• Data revealed directly when processed
  – E.g., the Hamming weight of the instruction argument
    • Hamming weight of the separate bytes of the key (key space 2^56 → 2^38)

Differential power analysis (DPA)
• A DPA attack recovers the secret key (e.g., AES)
• Requires a large number of power traces (10^2 – 10^6)
  – Every trace measured on an AES key invocation with different input data
• The key is recovered iteratively
  – One byte recovered at a time (KEY_i ⊕ INPUT_DATA_i)
  – Guess a possible key byte value (0–255), group the measurements, compute averages, determine the match

Differential power analysis
• Very powerful attack on secret values (keys)
  – E.g., KEY ⊕ INPUT_DATA
1. Obtain multiple power traces with (fixed) key usage and variable data
  – 10^3 – 10^5 traces with known I/O data => S(n)
  – KEY ⊕ KNOWN_DATA
2. Guess the key byte-per-byte
  – All possible values of a single byte tried (256)
  – D = HammingWeight(KEY ⊕ KNOWN_DATA) > 4
  – A correct guess reveals a correlation with the traces
  – An incorrect guess does not
3. Divide-and-test approach
  – Traces divided into 2 groups (by D)
  – Groups are averaged, A0 and A1 (noise reduced)
  – Subtract the groups' averaged signals: T(n)
  – Significant peaks if the guess was correct
• No need for knowledge of the exact implementation
  – Big advantage

Tool: DPA simulator
• Generates simulated DPA traces
• Performs DPA
• Can be used to inspect the influence of noise, number of traces…
• https://github.com/crocs-muni/PowerTraceSimulator

Timing attack: principle
(figure: the same key operation on a smart card takes 57 ms for one input and 49 ms for another; the difference is observable by the attacker)

Timing attacks
• Execution of a crypto algorithm takes a different time to process input data, with some dependence on a secret value (secret/private key, secret operations…)
  1. Due to performance optimizations (developer, compiler)
  2. Due to conditional statements (branching)
  3. Due to cache misses
  4. Due to operations taking a different number of CPU cycles
• Measurement techniques
  1. Start/stop time (aggregated time; local/remote measurement)
  2. Power/EM trace (very precise if the operation can be located)

Naïve modular exponentiation (modexp) (RSA/DH…)
• M = C^d mod N
• M = C * C * C * … * C mod N (d times)
• Easy, but extremely slow for large d (e.g., >1000 bits for RSA)
  – Faster algorithms exist
• Is there any dependency of the time on the secret value?

Faster modexp: square-and-multiply algorithm
(Gilbert Goodwill, http://www.embedded.com/print/4408435)

  // M = C^d mod N
  // Square and multiply algorithm
  x = C                      // start with the ciphertext
  for j = 1 to n {           // process all bits of the private exponent
      x = x*x mod N          // square: executed always (shift to the next bit)
      if (d_j == 1) {        // j-th bit of the private exponent d
          x = x*C mod N      // if 1 then multiply by the ciphertext
      }
  }
  return x                   // plaintext M

• How to measure?
  – Exact detection from a simple power trace
  – Extraction from the overall time of multiple measurements
• How to attack:
  – What if you have a debugger?
  – What if you have just a breakpoint inside the d_j condition?
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Faster and more secure modexp: Montgomery ladder •Computes xd mod N •Create binary expansion of d as d = (dk-1...d0) with dk-1=1 • • • • • • •Be aware: timing leakage still possible via cache side channel, non-constant time CPU instructions, variable k-1… 53 | PV204 Trusted element 2.3.2020 x1=x; x2=x2 for j=k-2 to 0 { if dj=0 x2=x1*x2; x1=x12 else x1=x1*x2; x2=x22 x2=x2 mod N x1=x1 mod N } return x1 Both branches with the same number and type of operations (unlike square and multiply on previous slide) P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Gather data ® Analyse ® Bias found ® Impact Run ECC operations ® MSB/time ® Bias found in ECDSA ® CVE-2019-15809 | PV204 Trusted element 2.3.2020 54 A picture containing computer Description automatically generated A picture containing computer Description automatically generated Nonce MSB value Gather data, Analysis, Bias, Impact P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI 55 | PV204 Trusted element 2.3.2020 vulnerability CVE-2019-15809 (10/2019) •Discovered by ECTester (https://github.com/crocs-muni/ECTester) •Athena IDProtect smartcard (CC EAL 4+) –FIPS140-2 #1711, ANSSI-CC-2012/23 –Inside Secure AT90SC28872 Microcontroller –(possibly also SafeNet eToken 4300…) •Libgcrypt, wolfSSL, MatrixSSL, Crypto++ •SunEC/OpenJDK/Oracle JDK •Small time difference leaking few top bits of nonce •Enough to extract whole ECC private key in 20-30 min –~thousands of signatures + lattice-based attack • A picture containing drawing Description automatically 
generated A picture containing computer Description automatically generated https://minerva.crocs.fi.muni.cz/ P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Example: Botan library, ECC, CVE-2018-20187 (Jan Jančár) 56 | PV204 Trusted element 2.3.2020 Heatmap of private key MSBs to keygen time • Montgomery ladder used, but leakage of exponent size via k for j=k-2 to 0 do P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg www.crcs.cz/rsa @CRoCS_MUNI Example: Remote extraction OpenSSL RSA •Brumley, Boneh, Remote timing attacks are practical –https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf •Scenario: OpenSSL-based TLS with RSA on remote server –Local network, but multiple routers –Attacker submits multiple ciphertexts and observe processing time (client) •OpenSSL’s RSA CRT implementation –Square and multiply with sliding windows exponentiation –Modular multiplication in every step: x*y mod q (Montgomery alg.) 
  –From the timing one can tell whether normal or Karatsuba multiplication was used
    •If x and y have unequal size (in words), normal multiplication is used (slower)
    •If x and y have equal size, Karatsuba multiplication is used (faster)
•Attacker learns bits of the prime q from adaptively chosen ciphertexts
  –About 300k queries needed

Defense introduced by OpenSSL
•RSA blinding: RSA_blinding_on()
  –https://www.openssl.org/news/secadv_20030317.txt (blinding enabled by default since OpenSSL 0.9.7b)
•Decryption without protection: M = c^d mod N
•Blinding of the ciphertext c before decryption
  1.Generate a random value r (invertible mod N) and compute r^e mod N
  2.Compute the blinded ciphertext b = c * r^e mod N
  3.Decrypt b: b^d = c^d * r^(ed) = M * r mod N, then multiply the result by r^(-1) mod N
•r is removed and only the decrypted plaintext remains; the value actually exponentiated with d is random, so the timing no longer depends on the attacker's ciphertext

Example: Practical TEMPEST for $3000
•ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
  –https://eprint.iacr.org/2016/129.pdf
•EM trace captured (across a wall)
(figure: measurement setup and the captured EM trace)

Example: Practical TEMPEST for $3000
•ECDH as implemented in the latest GnuPG's Libgcrypt (at the time)
•Single chosen ciphertext: the operands used in the computation are directly visible in the trace

Example: How to evaluate attack severity?
•What was the cost?
  –Not particularly high: $3000
•What was the targeted implementation?
  –Widely used implementation: the latest GnuPG's Libgcrypt
•What were the preconditions?
  –Local physical presence, but behind a wall
•Is it possible to mitigate the attack?
  –Yes: fix in the library, physical shielding of the device, perimeter…
  –What is the cost of the mitigation?

Example: Acoustic side channel in GnuPG
•RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
  –Insecure RSA computation in GnuPG
  –https://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
•Acoustic emanation used as the side channel
  –4096-bit key extracted in one hour
  –Acoustic signal picked up by a plain mobile phone placed next to the laptop, or by a sensitive microphone from up to 4 meters away

Example: Cache-timing attack on AES
•Attacks are not limited to asymmetric cryptography
  –Daniel J. Bernstein, http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
•Scenario: operation with a secret AES key on a remote server
  –Key retrieved from response-time variations caused by cache hits/misses of the table lookups
  –2^25 random packets of 600 B + 2^27 packets of 400 B + a one-minute brute-force search
•Very difficult to write high-speed but constant-time AES
  –Problem: table lookups (S-box/T-tables indexed by key-dependent data) are not constant-time
  –Not recognized / required by NIST during the AES competition
•Cache-timing attacks are now more relevant due to co-location of processes (cloud)

Other types of side-channel attacks
•Acoustic emanation
  –Keyboard clicks, capacitor noise
  –Speech eavesdropping based on a high-speed camera (vibration of nearby objects)
•Cache-occupation side channel
  –A cache miss changes the duration of an operation
  –Another process can measure its own cache hits/misses if the cache is shared
  –https://github.com/defuse/flush-reload-attacks
  –http://software.imdea.org/projects/cacheaudit/
•Speculative-execution / branch-prediction side channels (Meltdown, Spectre)
  –(2 lectures later in the semester)

MITIGATIONS

Side-channel mitigation
•Don't use your own implementation
  –Very hard to prevent side channels
•Don't do data-dependent computation
  –Fixed or completely randomized timings
•Be very careful with optimizations
  –Data-dependent pre-computed tables
  –Data-dependent conditional branches (a naïve Montgomery ladder with an if on the key bit)
•Lower-layer leakage can be prevented on a higher level
  –Blinding/masking…
  –Don't use vulnerable constructions (e.g., an ifeq instruction on a secret value)
  –But an implementation secure on a higher level can still be compromised on a lower level

Generic protection techniques
1.Do not leak
  –Constant-time crypto, bitslicing…
2.Shielding - preventing leakage outside
  –Acoustic shielding, noisy environment
3.Creating additional "noise"
  –Parallel software load, noisy power-consumption circuits
4.Compensating for leakage
  –Perform the inverse computation/storage in parallel so that the combined leakage is constant
5.Preventing exploitability of the leakage
  –Ciphertext blinding, key regeneration…

Example: NaCl ("salt") library
•Relatively new cryptographic library (2012)
  –Designed for usable security and side-channel resistance
  –D. Bernstein, T. Lange, P. Schwabe
  –https://cr.yp.to/highspeed/coolnacl-20120725.pdf
  –Actively developed fork is libsodium https://github.com/jedisct1/libsodium
•Designed for usable security (hard to misuse)
  –Fixed selection of good algorithms (AE: XSalsa20-Poly1305 with Curve25519 key agreement in crypto_box, Sign: Ed25519)
  –c = crypto_box(m,n,pk,sk), m = crypto_box_open(c,n,pk,sk)
•Implemented to have constant-time execution
  –No data flow from secrets to load addresses
  –No data flow from secrets to branch conditions
  –No padding oracles (recall the CBC padding oracle in PA193)
  –Centralizing randomness and avoiding unnecessary randomness

How to test a real implementation?
1.Be aware of the various side channels
2.Obtain measurements for a given side channel
  –Many times (10^3 - 10^7), compute statistics
  –Same input data and key
  –Same key and different data
  –Different keys and same data…
3.Compare the groups of measured data
  –Is a difference visible? => potential leakage
  –Is the distribution uniform? Is the distribution normal?
4.Try to measure again with better precision :-)

Activity: Side-channels (10 minutes)
1.Power consumption of a memory write instruction depends on the Hamming weight of the stored byte
2.Time required to execute an inc instruction (a++) is shorter than for an add instruction (a+b)
3.Temperature of the CPU increases with every instruction executed (and the CPU is cooled by a fan)
•For every listed side channel, argue within the group (Google if necessary):
  –Propose attack(s) based on the particular side channel
  –What is the cost of the required equipment?
  –What are possible options to mitigate the attack?
•Order the given side channels by
  –Seriousness with respect to security impact
  –Difficulty to systematically mitigate the side-channel leakage

CONCLUSIONS

Morale
1.Preventing implementation attacks is extra difficult
  –Naïve code is often vulnerable
    •Not aware of existing problems/attacks
  –Optimized code is often vulnerable
    •Time/power/acoustic… dependency on secret data
    •Dangerous optimizations (Infineon primes, ROCA)
2.Use well-known libraries instead of your own code
  –And follow security advisories and patch quickly
3.Security / mitigations are complex issues
  –The underlying hardware can leak information as well
  –Try to prevent a large number of queries

Mandatory reading
•Constant-time crypto: https://bearssl.org/constanttime.html
•Focus on:
  –What can cause a cryptographic implementation to be non-constant-time?
  –Is there any impact by the compiler?
  –How does the bitslicing technique improve the situation?
  –What particular techniques are used by BearSSL?

Optional reading
•G. Goodwill, Defending against side-channel attacks
  –http://www.embedded.com/print/4408435
  –http://www.embedded.com/print/4409695
•Focus on:
  –What side channels are inspected?
  –What step of the executed operation is misused for the attack?
  –What are the proposed defenses?

Optional reading
•Why Trust is Bad for Security, D. Gollman, 2006
  –http://www.sciencedirect.com/science/journal/15710661/157/3
•Focus on:
  –Which definition of Trust does Gollman use?
  –Why does Gollman claim that Trust is bad for security?

Conclusions
•A trusted element is a secure anchor in a system
  –Understand why it is trusted and for whom
•A trusted element can be attacked
  –Non-invasive, semi-invasive, invasive methods
•Side-channel attacks are very powerful techniques
  –Attacks against a particular implementation of an algorithm
  –Attack possible even when the algorithm is secure (e.g., AES)
•Use well-known libraries instead of your own implementation

SEMI-INVASIVE ATTACKS
Semi-invasive attacks
•"Physical" manipulation (but the card still works)
•Micro-probes placed on the bus
  –After removing the epoxy layer
•Fault induction
  –Liquid nitrogen, power glitches, light flashes…
  –Modify memory (RAM, EEPROM), e.g., the PIN retry counter
  –Modify an instruction, e.g., a conditional jump

PIN verification procedure (figures PINverif_1 and PINverif_2)
•PINverif_1: [decrease counter, verify, increase] - correct
  –The counter is already decreased when the comparison runs, so an attacker who resets the card right after the comparison cannot avoid the decrement
•PINverif_2: [verify, decrease/increase] - vulnerable
  –An attacker who learns the comparison result (e.g., from timing or power) and cuts power before the counter is written gets unlimited PIN attempts

Fault induction
•Attacker can induce bit faults in memory locations
  –Power glitch, flash of light, radiation...
  –Harder to induce a targeted fault than a random one
•Protection with a shadow variable
  –Every variable has a shadow counterpart
  –The shadow variable contains the inverted (bitwise complement) value
  –Consistency is checked on every read/write of the memory
  (memory diagram: a = 01011010, a_inv = 10100101 before the write)
  a = 0x55; a_inv = ~0x55;                   // a = 01010101, a_inv = 10101010
  if (a != (uint8_t)~a_inv) Exception();     // check before every use; the cast keeps the comparison byte-wise
  // a fault flipping one bit of a (a = 01010000) is caught by the next check
  a = 0x13; a_inv = ~0x13;                   // every write updates both copies
•Robust protection, but cumbersome for the developer
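The two PIN-verification orderings and the shadow-variable check above, simulated as an added Python example (not code from the slides or from any card). The card model, the attacker's two fault capabilities (a power cut after a chosen step, and a single flipped bit in a memory byte) and the sample PIN are constructed assumptions; the comparison outcome is assumed to be observable through a side channel so the attacker knows when to cut power.

```python
# Added example (not card code from the slides): PINverif_1 vs PINverif_2
# under a power-cut fault, and the shadow-variable check under a bit fault.
# Card model, fault capabilities and the sample PIN are constructed.
MAX_TRIES = 3
CORRECT_PIN = "1234"        # constructed sample PIN


class Abort(Exception):
    """Power cut / reset induced by the attacker: nothing after it executes."""


class FaultDetected(Exception):
    """Raised when a shadow variable and its primary copy disagree."""


class PlainByte:
    """Unprotected persistent byte (an EEPROM cell holding the try counter)."""
    def __init__(self, v):
        self.a = v & 0xFF

    def read(self):
        return self.a

    def write(self, v):
        self.a = v & 0xFF

    def flip_bit(self, i):          # attacker's induced memory fault
        self.a ^= 1 << i


class ShadowByte(PlainByte):
    """Byte stored with its bitwise complement; every read and write checks
    that the two copies agree (the slide's `if (a != ~a_inv) Exception()`)."""
    def __init__(self, v):
        self.write(v)

    def _check(self):
        if self.a != (~self.a_inv & 0xFF):
            raise FaultDetected(f"a={self.a:08b} a_inv={self.a_inv:08b}")

    def read(self):
        self._check()
        return self.a

    def write(self, v):
        self.a = v & 0xFF
        self.a_inv = ~v & 0xFF
        self._check()


def _step(name, abort_at):
    """Marks the end of an instruction; the attacker cuts power here."""
    if name == abort_at:
        raise Abort(name)


def verify_pin_safe(counter, pin, abort_at=None):
    """PINverif_1: decrease the counter, verify, restore it on success."""
    tries = counter.read()
    if tries == 0:
        return False                # card blocked
    counter.write(tries - 1)
    _step("decrement", abort_at)
    ok = (pin == CORRECT_PIN)
    _step("verify", abort_at)
    if ok:
        counter.write(MAX_TRIES)
    return ok


def verify_pin_unsafe(counter, pin, abort_at=None):
    """PINverif_2: verify first, decrease the counter only after a failure."""
    tries = counter.read()
    if tries == 0:
        return False
    ok = (pin == CORRECT_PIN)
    _step("verify", abort_at)
    counter.write(MAX_TRIES if ok else tries - 1)
    _step("decrement", abort_at)
    return ok


def guess_with_power_cuts(verify, counter, guesses, abort_at="verify"):
    """Attacker tries wrong PINs, cutting power right after `abort_at`
    each time. Returns the tries the card has left afterwards."""
    for pin in guesses:
        try:
            verify(counter, pin, abort_at=abort_at)
        except Abort:
            pass
    return counter.read()


def bit_fault_attack(counter):
    """Blocked card (0 tries left); the attacker flips bit 1 of the counter
    hoping for 2 tries. Returns what the card now believes the counter is,
    or None when the fault is detected."""
    counter.write(0)
    counter.flip_bit(1)
    try:
        return counter.read()
    except FaultDetected:
        return None


if __name__ == "__main__":
    wrong = ["0000"] * 10           # constructed wrong guesses
    print(guess_with_power_cuts(verify_pin_unsafe, PlainByte(MAX_TRIES), wrong))  # 3
    print(guess_with_power_cuts(verify_pin_safe, PlainByte(MAX_TRIES), wrong))    # 0
    print(bit_fault_attack(PlainByte(0)), bit_fault_attack(ShadowByte(0)))        # 2 None
```

With PINverif_2 the counter never changes no matter how many guesses the attacker makes, because the write is always after the point where power is cut; with PINverif_1 the same attacker burns one try per guess and the card blocks after three. The shadow copy catches the single-bit fault only because every read re-checks both copies; a protected write followed by an unchecked read would be as weak as the plain byte.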