Secured implementations for cryptography (people.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf)

Part 4 : Remote security

Benoît Gérard, 1 December 2020

Classes schedule

Step 1 : System requirements and architecture.
Step 2 : Product interface definition : API exposed to the terminal.
Step 3 : Securing implementation against non-cryptographic attacks.
Step 4 : Securing cryptographic implementations against remote attacks.
Step 5 : Securing cryptographic implementations against local attacks.

B. Gerard Part 4 : Remote security 2 / 42

Session outline

Format/Padding oracle attacks
  CBC mode malleability
  Padding Oracle : IPSEC in ESP mode
  Padding Oracle on PKCS#1 RSA padding

Attacks leveraging bias in the random generation
  RC4
  Taiwanese Citizen Digital Certificate
  Biased nonce generation in ECDSA
  Uniform random generation mod n

Timing attacks
  Constant-time comparison
  Cryptography and processing time
  Micro-architecture and security

CBC mode malleability / Principle

[Figure (animated over three slides): the CBC decryption chain. Each ciphertext block C_i goes through D_K and the result is XORed with the previous ciphertext block (the IV for C_1) to give M_i. The animation highlights M_1: whoever controls the IV (or C_{i-1}) chooses which bits of M_1 (or M_i) get flipped.]

CBC mode malleability / ESP and IPsec

Cryptography in IPsec :
- AH (authentication and integrity),
- ESP (encryption + integrity),
- IKE (key exchange).

Integrity :
- MAC-then-Encrypt,
- Encrypt-then-MAC.

Encryption using ESP :
- CBC mode,
- padding.

CBC mode malleability / Attacking ESP

The attacker can change the IV ⇒ header modification :
- change the sender address,
- change the protocol field (to an invalid value).

The gateway processes the packet (decrypts the header) :
- invalid protocol → ICMP message sent,
- ICMP sent to the sender address (which is now the attacker's),
- the attacker receives the ICMP message only if a checksum is correct.

For debugging purposes, part of the plaintext is included in the ICMP message!!!


Padding Oracle : IPSEC in ESP mode / ESP frame format

ESP frame in tunnel mode :

| data to encrypt | 1 | 2 | . . . | length | 4 |

Padding rule :
- add bytes 1, 2, 3, . . .,
- add a byte containing the number of previously added bytes,
- add a last byte (whose value is 4 in tunnel mode).

The last encrypted block will contain a valid padding :
- 0 | 4
- 1 | 1 | 4
- 1 | 2 | 2 | 4
- 1 | 2 | 3 | 3 | 4
- . . .
- 1 | 2 | . . . | 13 | 14 | 14 | 4

Padding Oracle : IPSEC in ESP mode / Attack 1/3

We received a packet we want to decrypt :

header | C*_0 | C*_1 | C*_2 | . . . | C*_n

We obtain another packet encrypted using the same key :

header | C_0 | C_1 | C_2 | . . . | C_n

To decrypt C*_i we send packets of the form :

header | C_0 | C_1 | C_2 | . . . | C_n | R | C*_i

The attacker will play with R to decrypt C*_i.

Padding Oracle : IPSEC in ESP mode / Attack 2/3

[Figure (animated over six slides): the tail of the sent packet, C_{n-1} | C_n | R | C*_i, is decrypted block by block with D_K. The last plaintext block is D_K(C*_i) ⊕ R, and the gateway accepts the packet only when its last bytes form a valid padding. The animation searches the last bytes of R until the padding 0 | 4 is accepted, then one more byte of R until 1 | 1 | 4 is accepted, then 1 | 2 | 2 | 4, and so on, one byte of R at a time.]

Padding Oracle : IPSEC in ESP mode / Attack 3/3

At the end we get $R = (r_0, r_1, \dots, r_{15})$ such that :

$$D_K(C^*_i) \oplus R = (1, 2, 3, 4, \dots, 14, 14, 4).$$

And thus,

$$P^*_i = C^*_{i-1} \oplus D_K(C^*_i) = C^*_{i-1} \oplus (r_0 \oplus 1,\ r_1 \oplus 2,\ \dots,\ r_{15} \oplus 4).$$

Attack complexity

The mean number of requests is :
- $2^{15}$ for the first step,
- $2^7$ for the 14 following ones.

Finally one needs $34560 = 2^{15.08}$ decryption requests to decrypt a block.

Padding Oracle : IPSEC in ESP mode / Oracle instantiation for IPsec

Unfortunately . . . the oracle exists :
- valid padding : answer to the packet,
- invalid padding : no answer.

Many technical difficulties, but solved. For instance :
- authentication before encapsulation,
- bypassed using IP fragmentation.

Solution

Use Encrypt-then-MAC so that the MAC will be invalid and no decryption (hence no padding check) will be performed.
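The two receiver orders that the slides contrast, as an added example that is not part of the original lecture: a minimal ESP-style CBC receiver using the padding rule of the frame-format slide, once in MAC-then-Encrypt form and once in Encrypt-then-MAC form. The block cipher is a constructed Feistel stand-in (not AES), the keys, IV and payload are fixed constructed values, and the HMAC-SHA256 tag length is an assumption. What it shows is the property the solution slide relies on: the MtE receiver has two distinguishable failure answers, while the EtM receiver never reaches the padding check on a modified packet.

```python
import hashlib
import hmac

BLOCK = 16
NEXT_HEADER = 4       # ESP next-header byte for IP-in-IP: the trailing "4" of the slides
TAG_LEN = 32          # HMAC-SHA256 (assumption)
PAD_CHECKS = [0]      # instrumentation: how many times the padding check ran


class PaddingError(Exception):
    pass


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for the block cipher (NOT AES, not secure): a 4-round Feistel
# network on two 8-byte halves with HMAC-SHA256 as round function. Only a keyed,
# invertible 16-byte permutation is needed to exercise CBC, padding and MAC ordering.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

# ESP trailer as on the frame-format slide: 1, 2, 3, ..., then the pad length, then next header.
def esp_pad(payload):
    padlen = (-(len(payload) + 2)) % BLOCK
    return payload + bytes(range(1, padlen + 1)) + bytes([padlen, NEXT_HEADER])

def esp_unpad(pt):
    PAD_CHECKS[0] += 1
    if len(pt) < 2 or pt[-1] != NEXT_HEADER:
        raise PaddingError("bad next-header byte")
    padlen = pt[-2]
    if padlen + 2 > len(pt) or pt[-2 - padlen:-2] != bytes(range(1, padlen + 1)):
        raise PaddingError("pad bytes are not 1, 2, 3, ...")
    return pt[:-2 - padlen]

def _tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()

# MAC-then-Encrypt: the MAC sits inside the plaintext, so the receiver has to decrypt and
# unpad before it can check it. "padding error" and "mac error" are two visible outcomes.
def mte_send(enc_key, mac_key, iv, payload):
    return iv + cbc_encrypt(enc_key, iv, esp_pad(payload + _tag(mac_key, payload)))

def mte_receive(enc_key, mac_key, packet):
    try:
        inner = esp_unpad(cbc_decrypt(enc_key, packet[:BLOCK], packet[BLOCK:]))
    except PaddingError:
        return "padding error", None
    payload, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, payload)):
        return "mac error", None
    return "ok", payload

# Encrypt-then-MAC (the slide's solution): the MAC covers IV and ciphertext and is checked
# first, so a modified packet is dropped before any decryption or padding check.
def etm_send(enc_key, mac_key, iv, payload):
    body = iv + cbc_encrypt(enc_key, iv, esp_pad(payload))
    return body + _tag(mac_key, body)

def etm_receive(enc_key, mac_key, packet):
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, body)):
        return "reject", None
    try:
        return "ok", esp_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except PaddingError:      # unreachable for an authentic packet; never a distinct answer anyway
        return "reject", None

def _flip(packet, offset):
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)

def compare_receivers():
    """Flip one bit in the block before the last ciphertext block, once in its last byte
    (lands on the next-header byte) and once in its first byte (lands on a MAC byte for the
    MtE packet), and report each receiver's answers plus the padding checks EtM ran."""
    enc_key, mac_key = b"K" * 16, b"M" * 16                      # constructed keys
    iv, payload = bytes(range(BLOCK)), b"GET /secret HTTP/1.1"  # constructed IV and payload
    mte = mte_send(enc_key, mac_key, iv, payload)
    etm = etm_send(enc_key, mac_key, iv, payload)
    assert mte_receive(enc_key, mac_key, mte) == ("ok", payload)
    assert etm_receive(enc_key, mac_key, etm) == ("ok", payload)
    mte_end, etm_end = len(mte), len(etm) - TAG_LEN               # end of ciphertext in each
    mte_verdicts = (mte_receive(enc_key, mac_key, _flip(mte, mte_end - BLOCK - 1))[0],
                    mte_receive(enc_key, mac_key, _flip(mte, mte_end - 2 * BLOCK))[0])
    before = PAD_CHECKS[0]
    etm_verdicts = (etm_receive(enc_key, mac_key, _flip(etm, etm_end - BLOCK - 1))[0],
                    etm_receive(enc_key, mac_key, _flip(etm, etm_end - 2 * BLOCK))[0])
    return {"mte": mte_verdicts, "etm": etm_verdicts, "etm_pad_checks": PAD_CHECKS[0] - before}
```

`compare_receivers()` returns `("padding error", "mac error")` for the MtE receiver and `("reject", "reject")` with zero padding checks for the EtM receiver. In a real stack the same single-outcome property has to hold for timing and for error reporting (ICMP, logs), not only for the return value.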


Padding Oracle on PKCS#1 RSA padding / RSA raw and chosen cipher security

RSA Encryption

$c = m^e \bmod N$

RSA Decryption

$m = c^d \bmod N$

Attack : recover m from c (without decrypting c)

1. s random → $c' = c\, s^e \bmod N$,
2. send c′ to the decryption oracle,
3. $m' = (c')^d = c^d s^{ed} = m\, s \bmod N$,
4. compute $m = m' s^{-1} \bmod N$.

Padding Oracle on PKCS#1 RSA padding / Principle

| 0x00 | 0x02 | non-zero bytes | 0x00 | data |

Table – Padding defined in PKCS#1.

Attacker model
- No decryption oracle.
- Oracle on the padding validity.

Obtained information

If m′ has a correct padding then

$$2B \le m\, s \bmod N \le 3B,$$

with $B = 2^{\mathrm{len}(N) - 16}$.
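An added worked example, not code from the lecture: textbook RSA on a constructed key built from two Mersenne primes (toy sizes, chosen only because their primality is known), the raw-RSA blinding trick of the previous slide, and a PKCS#1 v1.5 conformance check that makes the interval claim concrete: a conforming $m s \bmod N$ lies in $[2B, 3B)$. The fixed padding string PS is an assumption (a real encoder draws random non-zero bytes).

```python
# Constructed textbook-RSA key: two Mersenne primes, 2^107 - 1 and 2^127 - 1.
# Far too small for real use; convenient because no prime generation is needed.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (30 here)
B = 1 << (8 * (K - 2))            # the slide's B = 2^(len(N) - 16), len(N) in bits

def rsa_encrypt(m):
    return pow(m, E, N)

def rsa_decrypt(c):
    return pow(c, D, N)

def blinded_decrypt(c, s, decryption_oracle):
    """The previous slide's chosen-ciphertext trick against raw RSA: ask the oracle for
    c * s^e, receive m * s, unblind with s^-1. Nothing here ever submits c itself."""
    m_prime = decryption_oracle(c * pow(s, E, N) % N)
    return m_prime * pow(s, -1, N) % N

def pkcs1_v15_pad(data):
    """EM = 0x00 || 0x02 || PS || 0x00 || data, as an integer. PS must be at least 8
    non-zero bytes; here it is a fixed constructed pattern (a real encoder uses random bytes)."""
    ps_len = K - 3 - len(data)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes((i % 255) + 1 for i in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + data, "big")

def pkcs1_v15_conforming(x):
    """The padding oracle's question: does x decode as a PKCS#1 v1.5 encoded message?"""
    em = x.to_bytes(K, "big")
    if em[0] != 0x00 or em[1] != 0x02:
        return False
    if 0x00 in em[2:10]:          # PS must contain at least 8 non-zero bytes
        return False
    return 0x00 in em[10:]        # the separator before the data must exist

def in_slide_interval(x):
    """The information a 'conforming' answer gives about x = m*s mod N: 2B <= x < 3B,
    because the two leading bytes 0x00 0x02 fix the value to that range."""
    return 2 * B <= x < 3 * B

def demo():
    m = pkcs1_v15_pad(b"session key bytes")
    c = rsa_encrypt(m)
    return {
        # raw RSA plus a decryption oracle: m is recovered from a blinded ciphertext
        "blinding_recovers_m": blinded_decrypt(c, 123456789, rsa_decrypt) == m,
        # s_0 = 1: c itself is conforming, so m already lies in [2B, 3B)
        "s0_conforming": pkcs1_v15_conforming(m * 1 % N),
        "s0_in_interval": in_slide_interval(m * 1 % N),
        # s = 2: 2m lands in [4B, 6B), second byte 0x04 or 0x05, so the oracle answers "no"
        "s2_conforming": pkcs1_v15_conforming(m * 2 % N),
        "s2_in_interval": in_slide_interval(m * 2 % N),
    }
```

Each "conforming" answer hands out one interval for m, which is why the conformance check must not be observable at all (same error, same timing, same log line for every failure) and why the encryption scheme recommended by PKCS#1 v2 is OAEP rather than the v1.5 padding.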

Padding Oracle on PKCS#1 RSA padding / Attack

Goal

Recover $m = c^d \bmod N$.

Principle

Find messages $c_i = c\, s_i^e \bmod N$ corresponding to validly padded messages.
- Use the information from $m s_i \bmod N$ to reduce the set of possible values for m.
- $s_0 = 1$ because c is obviously valid.
- From $s_i$, find a new $s_{i+1}$ (becomes simpler and simpler).


RC4 / Weaknesses

Stream cipher from Ron Rivest :
- easy to implement,
- fast,
- biased!!!

RC4 / Attack on SSL

"Broadcast" attack (Usenix 2013)
- fixed plaintext,
- encrypted with many keys.

Attack principle

Observing many $c_i$'s corresponding to the same p :

$$c_i = p \oplus s_i$$

Since $s_i$ is biased (here often leads to 0x00) then

$$p = \operatorname{argmax}_{x \in [[0, 255]]} \#\{i,\ c_i = x\}.$$
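The broadcast estimator of this slide, as an added example that is not from the lecture: a plain RC4 implementation, a constructed fixed plaintext encrypted under 20 000 random 16-byte keys (keys, plaintext and seed are all constructed), and the argmax over the second ciphertext byte, where RC4's second keystream byte is 0x00 about twice as often as a uniform byte would be (Mantin and Shamir's bias). The example recovers one plaintext byte; the point for a defender is how few ciphertexts suffice once the same secret is encrypted under many keys.

```python
import random

def rc4_keystream(key, nbytes):
    """Plain RC4 (KSA then PRGA), written out because the bias lives in its internals."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = [], 0, 0
    for _ in range(nbytes):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key, plaintext):
    return bytes(p ^ z for p, z in zip(plaintext, rc4_keystream(key, len(plaintext))))

def broadcast_guess(ciphertexts, position):
    """The slide's estimator: the most frequent ciphertext byte at `position` is taken to
    be the plaintext byte, which is right wherever the keystream byte is most often 0x00.
    Returns (guess, histogram)."""
    counts = [0] * 256
    for c in ciphertexts:
        counts[c[position]] += 1
    return max(range(256), key=counts.__getitem__), counts

def simulate_broadcast(num_keys=20000, seed=1):
    """Same plaintext under `num_keys` independent keys, like a cookie resent in many
    sessions. Returns (recovered byte, true byte) for position 1, where RC4's second
    keystream byte is 0x00 with probability about 2/256 instead of 1/256."""
    rng = random.Random(seed)
    plaintext = b"SID=7f3a"                       # constructed fixed plaintext
    ciphertexts = []
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ciphertexts.append(rc4_encrypt(key, plaintext[:2]))   # only two bytes are needed
    guess, _ = broadcast_guess(ciphertexts, 1)
    return guess, plaintext[1]
```

With the seed above the histogram at position 1 has the plaintext byte at roughly twice the count of every other value, which is what makes the argmax reliable at this sample size. The operational consequence is the one the slide draws for SSL: RC4 has to be removed from the offered cipher suites (RFC 7465 prohibits it in TLS), not "used carefully".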

RC4 / But also

RC4 weaknesses involved in the attacks on
- WEP,
- WPA,
- HIVE (proven secure).

Stream cipher without authentication ⇒ malleability
- attacks on SSH,
- attacks on BitTorrent.

Bonus : same encryption stream used multiple times (Microsoft Office).


Taiwanese Citizen Digital Certificate / Introduction

Personal smartcard with certificate,
- issued by the state administration,
- allows some administrative tasks,
- certificates using RSA (with a modulus of 1024/2048 bits).

RSA modulus

$N = p \times q$ with
- p large prime (secret),
- q large prime (secret),
- N large composite number (public).

Taiwanese Citizen Digital Certificate / Rump session of CRYPTO 2013

Remark

$N = p \times q$ and $N' = p \times q'$ ⟹ $\gcd(N, N') = p$

- 3 million certificates obtained through the official website :
  - 2.3 million 1024-bit RSA moduli,
  - 0.7 million 2048-bit RSA moduli,
- gcd between all key pairs,
- 103 moduli get factored!

Example of found factors

c000 0000 0000 0000 0000 0000 0000 [. . .] 0000 0000 0000 02f9
c924 2492 2492 9249 9249 4924 4924 [. . .] 9924 9492 4492 424e5

Taiwanese Citizen Digital Certificate / Rump session of CRYPTO 2013 (continued)

Testing with factors presenting similar patterns :
- 22 new keys!
- new factors are sparse (cf. previous example).

Use of LLL :
- 39 new keys!
- again very sparse factors.

Remark

A college student can abuse the identity of more than 100 Taiwanese . . .
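The gcd step of the rump-session slides, as an added example that is not code from the presentation: a batch gcd over a list of moduli built from primes whose primality is known (Mersenne and Fermat primes; the inventory is a constructed toy, the method is the real one). It reports, for every modulus, the factor it shares with the rest of the set. A defender runs exactly this over a certificate inventory; any modulus with a non-trivial result is compromised and must be revoked.

```python
from math import gcd, prod

# Constructed primes of known primality: Mersenne primes 2^p - 1 for p in
# {19, 31, 61, 89, 107, 127} and the Fermat prime 65537. Toy sizes.
M19, M31, M61 = (1 << 19) - 1, (1 << 31) - 1, (1 << 61) - 1
M89, M107, M127, F4 = (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1, 65537

# Constructed "inventory" of moduli, some of which share a prime, as the slides describe.
MODULI = [
    M61 * M89,     # shares M61 with the next one
    M61 * M107,    # shares M61 and M107
    M31 * M127,    # shares M31 with the last one
    F4 * M19,      # healthy: no factor in common with anyone
    M31 * M107,    # both of its primes appear elsewhere
]

def shared_factors(moduli):
    """For every N_i return gcd(N_i, product of all the other N_j) without computing
    n^2 pairwise gcds: with P the product of everything, (P mod N_i^2) // N_i equals
    (P / N_i) mod N_i, so one big product and one gcd per modulus are enough
    (Bernstein's batch-gcd idea; the remainder tree that makes it scale is left out)."""
    P = prod(moduli)
    out = []
    for i, n in enumerate(moduli):
        g = gcd(n, (P % (n * n)) // n)
        if g == n:    # both primes of n occur elsewhere: fall back to pairwise gcds for it
            g = next((gcd(n, m) for j, m in enumerate(moduli)
                      if j != i and 1 < gcd(n, m) < n), 1)
        out.append(g)
    return out

def factor_report(moduli):
    """Pair each modulus with its (p, q) when a shared factor broke it, else None."""
    return [(n // g, g) if 1 < g < n else None
            for n, g in zip(moduli, shared_factors(moduli))]
```

The fallback branch matters in practice: a modulus whose two primes both recur elsewhere gives gcd equal to the modulus itself, which the naive version would report as "not factored".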


Biased nonce generation in ECDSA / ECDSA presentation

Parameters :
- elliptic curve E of order n,
- generating point G,
- hash function H,
- message to sign m,
- private key $s \in [[1; n-1]]$,
- public key $Q = [s]G$.

Signature :
1. uniformly pick k in $[[1; n-1]]$,
2. $(x, \cdot) = [k]G$,
3. if $x = 0$ go back to 1,
4. $y = k^{-1}(H(m) + s \cdot x) \bmod n$,
5. if $y = 0$ go back to 1,
6. return $(x, y)$.

k is named nonce or ephemeral key and is sensitive!

$$x^{-1}\big(y \cdot k - H(m)\big) = s$$

Biased nonce generation in ECDSA / Impact of a biased nonce

One bias definition

$$B_n = \frac{1}{L} \sum_{j=1}^{L} e^{2\pi i k_j / n}$$

Recall that $k = y^{-1}(H(m) + s \cdot x) \bmod n$.

Attack

If the $k_j$'s generation is biased :
1. obtain L "biased" signatures,
2. for each possible s compute the bias,
3. take the s that maximises the bias.
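The bias statistic of this slide, as an added example that is not from the lecture: $B_n$ evaluated on nonces recomputed from signatures with the recall formula, for a candidate s. The group order is a constructed small prime, and x and H(m) are drawn at random instead of coming from a curve and a hash (assumption: the statistic only uses the modular relation between h, x, y, s and k). A key owner, who knows s, can use the same score as a self-test of a signer's nonce generation; an attacker cannot evaluate it for every s, which is the exhaustive-search point of the next slide.

```python
import cmath
import random

ORDER = (1 << 31) - 1   # constructed stand-in for the curve order n (2^31 - 1 is prime)

def nonce_bias(ks, n):
    """|B_n| for the slide's B_n = (1/L) * sum_j exp(2 pi i k_j / n): close to 1 when the
    k_j sit in a narrow band of [0, n), around 1/sqrt(L) when they are uniform."""
    return abs(sum(cmath.exp(2j * cmath.pi * k / n) for k in ks) / len(ks))

def nonce_from_signature(h, x, y, s, n):
    """The slide's recall formula k = y^-1 (H(m) + s x) mod n, for a candidate s."""
    return pow(y, -1, n) * (h + s * x) % n

def make_signatures(s, n, count, zero_top_bits, rng):
    """Signatures (h, x, y) whose nonces have their `zero_top_bits` most significant bits
    forced to zero (0 = healthy generator). x stands in for the x-coordinate of [k]G and
    h for H(m); both are random here (assumption, see lead-in)."""
    sigs = []
    while len(sigs) < count:
        k = rng.randrange(1, n >> zero_top_bits)
        x, h = rng.randrange(1, n), rng.randrange(0, n)
        y = pow(k, -1, n) * (h + s * x) % n
        if y:                                   # step 5 of the slide: y = 0 means retry
            sigs.append((h, x, y))
    return sigs

def score_candidates(sigs, candidates, n):
    """Step 2 of the slide's attack, restricted to the candidates given."""
    return {s: nonce_bias([nonce_from_signature(h, x, y, s, n) for h, x, y in sigs], n)
            for s in candidates}

def demo(seed=7):
    rng = random.Random(seed)
    n = ORDER
    s_true = rng.randrange(1, n)
    wrong = [rng.randrange(1, n) for _ in range(5)]
    biased = make_signatures(s_true, n, 200, 8, rng)    # top 8 bits of every k are zero
    healthy = make_signatures(s_true, n, 200, 0, rng)   # uniform k
    return {
        "true_key_score": score_candidates(biased, [s_true], n)[s_true],
        "wrong_key_scores": list(score_candidates(biased, wrong, n).values()),
        "healthy_self_test": score_candidates(healthy, [s_true], n)[s_true],
    }
```

With 200 signatures and 8 zeroed top bits, the true key scores close to 1 while wrong candidates, and the true key on a healthy signer, score around $1/\sqrt{200} \approx 0.07$. A self-test that scores the owner's key on recent signatures and alarms above a threshold catches the failure mode of this slide before anyone else does.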

Biased nonce generation in ECDSA / A few precisions on the attack

Testing each value for s ⟺ exhaustive search!

Solution

Try to spread the peak, use a sieve, then refine.


Uniform random generation mod n / Using formulas

Issues
- Need : uniformly generate k in $[[0; n-1]]$.
- But we can only : generate random bits.

Let $\ell = \lceil \log_2(n) \rceil$ (i.e. the number of bits of n). We can

1. uniformly generate k in $[[0; 2^{\ell-1} - 1]]$,
2. uniformly generate k in $[[0; 2^{\ell} - 1]]$ and
   2.1 if $k \ge n$ restart,
   2.2 if $k \ge n$ then return $k - n$,
3. uniformly generate k in $[[0; 2^{\ell+\lambda} - 1]]$ and return $k \bmod n$.

One must use 2.1 or 3!
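The four reductions of this slide, as an added example that is not from the lecture: each method is applied to every possible draw of its random bits, so the output distribution is exact rather than sampled, and the largest deviation from 1/n is reported. n = 5 and λ = 8 are constructed toy parameters (FIPS 186-4 uses 64 extra bits in its "extra random bits" method); the code works for any n.

```python
from fractions import Fraction

def methods(n, lam):
    """The slide's four ways of turning `bits` uniform random bits into a value mod n.
    Each returns the value, or None when the draw is rejected (method 2.1)."""
    l = (n - 1).bit_length()                              # ceil(log2(n)) for n >= 2
    return {
        "1":   (l - 1,   lambda k: k),                      # too few bits: high values never occur
        "2.1": (l,       lambda k: None if k >= n else k),  # rejection sampling
        "2.2": (l,       lambda k: k - n if k >= n else k), # fold-back: low values get doubled up
        "3":   (l + lam, lambda k: k % n),                  # oversample by lam bits, then reduce
    }

def exact_distribution(bits, reduce_fn):
    """Enumerate all 2^bits equally likely draws, drop the rejected ones and renormalise.
    Exact by construction, so tiny n can be judged without sampling noise."""
    counts, kept = {}, 0
    for k in range(1 << bits):
        v = reduce_fn(k)
        if v is not None:
            counts[v] = counts.get(v, 0) + 1
            kept += 1
    return {v: Fraction(c, kept) for v, c in counts.items()}

def max_deviation(dist, n):
    """Largest |P(v) - 1/n| over v in [0, n-1]; a value never produced counts as P = 0."""
    return max(abs(dist.get(v, Fraction(0)) - Fraction(1, n)) for v in range(n))

def compare(n=5, lam=8):
    """Worst-case deviation from uniform for each method of the slide."""
    return {name: max_deviation(exact_distribution(bits, fn), n)
            for name, (bits, fn) in methods(n, lam).items()}
```

For n = 5 (so ℓ = 3) the deviations are 1/5 for method 1 (the value 4 is never produced), 0 for 2.1, 3/40 for 2.2 (values 0, 1, 2 come out twice as often as 3 and 4) and 3/10240 for method 3 with λ = 8, which shrinks by a factor of two for every extra bit of λ. A bias of the 2.2 kind in an ECDSA nonce is exactly what the previous slides exploit.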

Uniform random generation mod n / Using pictures

[Figure (animated over eight slides): a number line from 0 to n-1 for each method. "But" : the target range is [0; n-1]. 1. : the draw covers only [0; 2^{ℓ-1} - 1], which stops short of n-1. 2.1 : the draw covers [0; 2^ℓ - 1] and the part above n-1 is discarded. 2.2 : the part above n-1 is folded back onto the start of [0; n-1]. 3. : the draw covers [0; 2^{ℓ+λ} - 1] and wraps around [0; n-1] many times.]

Processing time exploitation / Basics

Rule

Processing time must not depend on the manipulated sensitive data.
- Sometimes very hard to implement,
- in software : language dependent,
- easier if the implementation is a hardware one.

Dependency sources

Essentially (but not only) :
- conditional branching,
- cached memory accesses.


Processing time exploitation / PIN code example

4-digit PIN code ⇒ 5000 attempts on average.

If badly implemented ⇒ 37 attempts at most!

    bool testPIN(int code[4]) {
        for (int i = 0; i < 4; i++) {
            if (code[i] != code_ref[i])   /* returns as soon as one digit differs: the running */
                return false;             /* time reveals how many leading digits matched     */
        }
        return true;
    }

[Figure (animated over twelve slides): timings observed by the attacker. Guessing the first digit: 0000 takes 0.3 ms, 1000 takes 0.6 ms, 2000 takes 0.4 ms, ..., so the first digit is 1 (the longest time). Keeping it and varying the second digit, 1700 stands out; then 1780; then 1789 is accepted.]
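The PIN comparison of this slide, as an added example that is not code from the lecture: the early-exit comparison next to a comparison that always does the same amount of work, both instrumented to return how many digits they inspected (the quantity a timing attacker observes as elapsed time), and the digit-by-digit search of the animation driven by that count. The PIN 1789 and the one-digit-at-a-time strategy are assumptions taken from the figure.

```python
def early_exit_compare(code, ref):
    """Same logic as the slide's testPIN: stop at the first mismatching digit.
    Returns (verdict, digits inspected); the second value is what leaks as time."""
    inspected = 0
    for a, b in zip(code, ref):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected

def constant_work_compare(code, ref):
    """Same verdict, but every digit is always inspected and no branch depends on the
    data: differences are OR-ed into an accumulator that is tested once, at the end."""
    diff, inspected = 0, 0
    for a, b in zip(code, ref):
        inspected += 1
        diff |= a ^ b
    return diff == 0, inspected

def recover_with_work_leak(compare, ref):
    """Drive `compare` the way the slide's animation does: keep the digits found so far,
    try values for the next position, and treat a guess that makes the comparison inspect
    more digits than before as a hit. At most 9 tries per digit (the tenth value is
    inferred) plus one confirming attempt: 4 * 9 + 1 = 37. Returns (guess, attempts, ok)."""
    found, attempts = [], 0
    for pos in range(len(ref)):
        digit = 9
        for d in range(9):
            guess = found + [d] + [0] * (len(ref) - pos - 1)
            ok, inspected = compare(guess, ref)
            attempts += 1
            if ok or inspected > pos + 1:      # comparison went past this position
                digit = d
                break
        found.append(digit)
    attempts += 1                               # final attempt with the reconstructed PIN
    return found, attempts, compare(found, ref)[0]
```

With the leaky comparison the search recovers 1789 in 29 attempts and never needs more than 37 for any PIN; with the constant-work comparison every guess costs the same, so the same search ends on a wrong PIN and the attacker is back to the 5000 average attempts of the slide. For byte strings in Python use `hmac.compare_digest`; in C the XOR-accumulate loop is the pattern, and the generated code should be checked, since a compiler may turn an accumulator loop back into an early exit.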

Page 53: Secured implementations for cryptographypeople.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf · Format/Padding oracle attacks CBC mode malleability Padding Oracle : IPSEC in ESP

Processing time exploitationPIN code example

4-digit PIN code =⇒ 5000 attempts on average.

If badly implemented =⇒ 37 attempts at most !

b o o l t e s t P I N ( i n t code [ 4 ] ){

f o r ( i n t i =0 ; i<4 ; i ++){

i f ( code [ i ] != c o d e r e f [ i ] )r e t u r n f a l s e ;

}r e t u r n t r u e ;

}

?000

0000

0.3 ms

0

1000

0.6 ms

11

2000

0.4 ms

2 3 4 5 6 7 8 9

1 ?001700

770 1

23 4 5 6 8 9

17 ?01780

880 1 2 3 4 5 6 7 9

178 ?1789

990 1 2 3 4 5 6 7

8

B. Gerard Part 4 : Remote security 26 / 42

Page 54: Secured implementations for cryptographypeople.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf · Format/Padding oracle attacks CBC mode malleability Padding Oracle : IPSEC in ESP

Processing time exploitationPIN code example

4-digit PIN code =⇒ 5000 attempts on average.

If badly implemented =⇒ 37 attempts at most !

b o o l t e s t P I N ( i n t code [ 4 ] ){

f o r ( i n t i =0 ; i<4 ; i ++){

i f ( code [ i ] != c o d e r e f [ i ] )r e t u r n f a l s e ;

}r e t u r n t r u e ;

}

?0000000

0.3 ms

0

1000

0.6 ms

1

1

2000

0.4 ms

2 3 4 5 6 7 8 9

1 ?001700

770 1

23 4 5 6 8 9

17 ?01780

880 1 2 3 4 5 6 7 9

178 ?1789

990 1 2 3 4 5 6 7

8

B. Gerard Part 4 : Remote security 26 / 42

Page 55: Secured implementations for cryptographypeople.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf · Format/Padding oracle attacks CBC mode malleability Padding Oracle : IPSEC in ESP

Processing time exploitationPIN code example

4-digit PIN code =⇒ 5000 attempts on average.

If badly implemented =⇒ 37 attempts at most !

b o o l t e s t P I N ( i n t code [ 4 ] ){

f o r ( i n t i =0 ; i<4 ; i ++){

i f ( code [ i ] != c o d e r e f [ i ] )r e t u r n f a l s e ;

}r e t u r n t r u e ;

}

?0000000

0.3 ms

0

1000

0.6 ms

1

1

2000

0.4 ms

2

3 4 5 6 7 8 9

1 ?001700

770 1

23 4 5 6 8 9

17 ?01780

880 1 2 3 4 5 6 7 9

178 ?1789

990 1 2 3 4 5 6 7

8

B. Gerard Part 4 : Remote security 26 / 42

Page 56: Secured implementations for cryptographypeople.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf · Format/Padding oracle attacks CBC mode malleability Padding Oracle : IPSEC in ESP

Processing time exploitationPIN code example

4-digit PIN code =⇒ 5000 attempts on average.

If badly implemented =⇒ 37 attempts at most !

b o o l t e s t P I N ( i n t code [ 4 ] ){

f o r ( i n t i =0 ; i<4 ; i ++){

i f ( code [ i ] != c o d e r e f [ i ] )r e t u r n f a l s e ;

}r e t u r n t r u e ;

}

?0000000

0.3 ms

0

1000

0.6 ms

1

1

2000

0.4 ms

2 3 4 5 6 7 8 9

1 ?001700

770 1

23 4 5 6 8 9

17 ?01780

880 1 2 3 4 5 6 7 9

178 ?1789

990 1 2 3 4 5 6 7

8

B. Gerard Part 4 : Remote security 26 / 42

Page 57: Secured implementations for cryptographypeople.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf · Format/Padding oracle attacks CBC mode malleability Padding Oracle : IPSEC in ESP

Processing time exploitationPIN code example

4-digit PIN code =⇒ 5000 attempts on average.

If badly implemented =⇒ 37 attempts at most !

b o o l t e s t P I N ( i n t code [ 4 ] ){

f o r ( i n t i =0 ; i<4 ; i ++){

i f ( code [ i ] != c o d e r e f [ i ] )r e t u r n f a l s e ;

}r e t u r n t r u e ;

}

?0000000

0.3 ms

0

1000

0.6 ms

1

1

2000

0.4 ms

2 3 4 5 6 7 8 9

1 ?001700

770 1

23 4 5 6 8 9

17 ?01780

880 1 2 3 4 5 6 7 9

178 ?1789

990 1 2 3 4 5 6 7

8

B. Gerard Part 4 : Remote security 26 / 42

Page 58: Secured implementations for cryptographypeople.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf · Format/Padding oracle attacks CBC mode malleability Padding Oracle : IPSEC in ESP

Processing time exploitationPIN code example

4-digit PIN code =⇒ 5000 attempts on average.

If badly implemented =⇒ 37 attempts at most !

b o o l t e s t P I N ( i n t code [ 4 ] ){

f o r ( i n t i =0 ; i<4 ; i ++){

i f ( code [ i ] != c o d e r e f [ i ] )r e t u r n f a l s e ;

}r e t u r n t r u e ;

}

?0000000

0.3 ms

0

1000

0.6 ms

11

2000

0.4 ms

2 3 4 5 6 7 8 9

1 ?00

1700

770 1

23 4 5 6 8 9

17 ?01780

880 1 2 3 4 5 6 7 9

178 ?1789

990 1 2 3 4 5 6 7

8

B. Gerard Part 4 : Remote security 26 / 42


Page 67:

Processing time exploitation: Corrected PIN example

- Process the loop until the end.
- No branching on sensitive variables.

bool testPIN(int code[4]) {
    uint32_t diff = 0;
    for (int i = 0; i < 4; i++) {
        diff |= code[i] ^ code_ref[i];   // accumulate every difference, never stop early
    }
    return (diff == 0);
}

But what about comparing two big numbers ?

B. Gerard Part 4 : Remote security 27 / 42


Page 69:

Processing time exploitation: Big integers comparison (1/4)

typedef enum { INF = -1, EQU = 0, SUP = 1 } num_order_t;

num_order_t compareBIGINT(int a[256], int b[256]) {
    bool a_inf_b = false;
    bool a_sup_b = false;
    for (int i = 255; i >= 0; i -= 1) {      // most significant limb first
        if (a_inf_b || a_sup_b)
            ; // do nothing: the order is already decided
        else {
            if (a[i] < b[i])
                a_inf_b = true;
            if (a[i] > b[i])
                a_sup_b = true;
        }
    }
    if (a_inf_b) return INF;
    if (a_sup_b) return SUP;
    return EQU;
}

B. Gerard Part 4 : Remote security 28 / 42

Page 70:

Processing time exploitation: Big integers comparison (2/4)

Loop body, first version (branches on the sensitive flags):

    if (a_inf_b || a_sup_b)
        ; // do nothing
    else {
        if (a[i] < b[i])
            a_inf_b = true;
        if (a[i] > b[i])
            a_sup_b = true;
    }

Second version (the inner branches become assignments):

    if (a_inf_b || a_sup_b)
        ; // do nothing
    else {
        a_inf_b = (a[i] < b[i]);
        a_sup_b = (a[i] > b[i]);
    }

Third version (no if at all; the flags are carried by boolean arithmetic):

    a_inf_b = (a_inf_b || (a[i] < b[i])) & !a_sup_b;
    a_sup_b = (a_sup_b || (a[i] > b[i])) & !a_inf_b;

B. Gerard Part 4 : Remote security 29 / 42

Page 71:

Processing time exploitation: Big integers comparison (3/4)

typedef enum { INF = -1, EQU = 0, SUP = 1 } num_order_t;

num_order_t compareBIGINT(int a[256], int b[256]) {
    bool a_inf_b = false;
    bool a_sup_b = false;
    int res;
    for (int i = 255; i >= 0; i -= 1) {
        a_inf_b = (a_inf_b || (a[i] < b[i])) & !a_sup_b;
        a_sup_b = (a_sup_b || (a[i] > b[i])) & !a_inf_b;
    }
    res  = EQU * (!a_inf_b & !a_sup_b);     // select the result without branching
    res += INF * a_inf_b;
    res += SUP * a_sup_b;
    return (num_order_t) res;
}

B. Gerard Part 4 : Remote security 30 / 42

Page 72:

Processing time exploitation: Big integers comparison (4/4)

    ...
    movl    (%rax), %eax
    cmpl    %eax, %edx
    jge     .L4
.L3:
    movl    $1, %eax
    jmp     .L5
.L4:
    movl    $0, %eax
.L5:
    andl    $1, %eax
    cmpl    $0, -12(%rbp)
    sete    %dl
    andl    %edx, %eax
    ...

Extract of the compiled code: the comparison a[i] < b[i], although written without an if, is still compiled to a conditional jump (cmpl followed by jge .L4), so a branch-free C source does not guarantee a branch-free binary.

B. Gerard Part 4 : Remote security 31 / 42
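Added example (not the slides' code) of a comparison whose C source contains no `<`, `>` or `||` at all, covering both the PIN check and the big-integer comparison above: every decision is carried by integer masks, which leaves the compiler nothing to turn into a jump. The names ct_lt_mask, ct_equal, ct_compare and the sample arrays are assumptions.

```c
/* Added example, not the slides' code: branchless comparison primitives.
 * Limb arrays are little-endian: a[n-1] is the most significant limb. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* 0xFFFFFFFF if a < b, else 0. The borrow of a - b is the top bit of the
 * 64-bit difference; negating that bit spreads it into a full mask. */
static uint32_t ct_lt_mask(uint32_t a, uint32_t b)
{
    uint64_t d = (uint64_t)a - (uint64_t)b;
    return 0u - (uint32_t)(d >> 63);
}

/* Constant-time equality for short secrets such as a PIN: OR all byte
 * differences together, then map "diff == 0" to 1 without a comparison. */
bool ct_equal(const uint8_t *x, const uint8_t *y, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(x[i] ^ y[i]);
    /* diff - 1 wraps to 0xFFFFFFFF exactly when diff == 0 */
    return (bool)((diff - 1u) >> 31);
}

/* Constant-time big-integer comparison, most significant limb first.
 * Returns -1 (a < b), 0 (a == b) or 1 (a > b), mirroring INF/EQU/SUP.
 * lt and gt become all-ones once the order is decided; later limbs are
 * masked out by `undecided`, which replaces the slides' short-circuit ||. */
int ct_compare(const uint32_t *a, const uint32_t *b, size_t n)
{
    uint32_t lt = 0, gt = 0;
    for (size_t i = n; i-- > 0; ) {
        uint32_t undecided = ~(lt | gt);
        lt |= undecided & ct_lt_mask(a[i], b[i]);
        gt |= undecided & ct_lt_mask(b[i], a[i]);
    }
    return (int)(gt & 1u) - (int)(lt & 1u);
}

/* Constructed sample inputs (hypothetical values) for the checks. */
static const uint8_t  PIN_REF[4]   = {1, 7, 8, 9};
static const uint8_t  PIN_GUESS[4] = {1, 7, 8, 0};
static const uint32_t BIG_A[4] = {0x00000001u, 0u, 0u, 0x80000000u};
static const uint32_t BIG_B[4] = {0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0x7FFFFFFFu};
```

As the slide's extract shows, the only proof is the generated assembly: re-inspect it after every compiler or optimisation-flag change.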


Page 74:

RSA processing time: Square & Multiply

RSA

Decryption/signature: c^d mod N with secret d.

Square & Multiply:

Computation of c^37, scanning the bits of the exponent from the most significant one:
    bit 0 -> t = t^2
    bit 1 -> t = t^2 × c

37 = 100101_2

    t = c^(1_2)      = c             = c^1
    t = c^(10_2)     = c^2           = c^2
    t = c^(100_2)    = (c^2)^2       = c^4
    t = c^(1001_2)   = (c^4)^2 × c   = c^9
    t = c^(10010_2)  = (c^9)^2       = c^18
    t = c^(100101_2) = (c^18)^2 × c  = c^37

B. Gerard Part 4 : Remote security 32 / 42


Page 81:

Branch prediction: On RSA

BIGINT modExp(BIGINT m, bool d[]) {
    BIGINT t = m;                      // the leading 1 bit of d is absorbed here
    for (int i = l; i >= 0; i--) {     // l: index of the highest bit of d still to process
        t = t * t;                     // reductions mod N omitted on the slide
        if (d[i] == 1)                 // branch taken only for the 1 bits of the secret d
            t = t * m;
    }
    return t;
}

- weak attacker: a spying process and processing-time analysis,
- strong attacker: use of pfmon.

B. Gerard Part 4 : Remote security 33 / 42

Page 82:

ECDSA processing time: Optimizing induces variable timings

OpenSSL

- Point multiplication using the Montgomery ladder.
- To speed things up, the leading 0 bits are skipped.

The execution time depends on the number of most significant bits of the nonce that are equal to 0...

By filtering the fastest signatures,

- we obtain a bias on the nonces (they are small),
- we can attack as if the nonces had been generated from a biased source.

DEMO using LLL

B. Gerard Part 4 : Remote security 34 / 42
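Added example (not the slides' or OpenSSL's code) serving the RSA slide and the ECDSA slide above: the slide's square-and-multiply next to a Montgomery ladder that always processes a fixed number of bits, on 32-bit toy operands so it runs without a bignum library. Each routine counts its modular multiplications, which makes the dependence on the secret exponent visible without a stopwatch; the function names and the sample parameters (base 3, modulus 101) are assumptions.

```c
/* Added example, not the slides' code. nbits must be at most 32. */
#include <stdint.h>
#include <stddef.h>

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n)
{
    return (uint32_t)(((uint64_t)a * b) % n);
}

/* Left-to-right square-and-multiply as on the RSA slide: leading zero bits
 * are skipped, then one squaring per remaining bit plus one multiplication
 * for every 1 bit (the `if (d[i] == 1)` branch). The work, and therefore
 * the time, depends on both the length and the Hamming weight of d. */
uint32_t modexp_sqmul(uint32_t c, uint32_t d, uint32_t n, unsigned *mults)
{
    unsigned count = 0;
    int l = 31;
    while (l >= 0 && !((d >> l) & 1)) l--;          /* position of the leading 1 */
    uint32_t t = (l < 0) ? 1 % n : c % n;            /* the leading 1 gives t = c */
    for (int i = l - 1; i >= 0; i--) {
        t = mulmod(t, t, n); count++;                /* every bit: square */
        if ((d >> i) & 1) { t = mulmod(t, c, n); count++; }   /* 1 bit: multiply */
    }
    if (mults) *mults = count;
    return t;
}

/* Montgomery ladder over exactly nbits bits: every iteration performs one
 * multiplication and one squaring, and the bit only selects operands through
 * a masked swap. Skipping leading zeros here (what the ECDSA slide describes
 * in OpenSSL) would make the loop count, hence the time, depend on the nonce. */
uint32_t modexp_ladder(uint32_t c, uint32_t d, uint32_t n, int nbits, unsigned *mults)
{
    uint32_t r0 = 1 % n, r1 = c % n;                 /* invariant: r1 == r0 * c */
    unsigned count = 0;
    for (int i = nbits - 1; i >= 0; i--) {
        uint32_t mask = 0u - ((d >> i) & 1u);        /* all-ones when the bit is 1 */
        uint32_t tmp = mask & (r0 ^ r1);             /* conditional swap, branch-free */
        r0 ^= tmp; r1 ^= tmp;
        r1 = mulmod(r0, r1, n); count++;
        r0 = mulmod(r0, r0, n); count++;
        tmp = mask & (r0 ^ r1);                      /* swap back */
        r0 ^= tmp; r1 ^= tmp;
    }
    if (mults) *mults = count;
    return r0;
}

/* Operation counts for the constructed sample parameters: base 3, modulus 101. */
unsigned ops_sqmul(uint32_t d)             { unsigned m; modexp_sqmul(3, d, 101, &m); return m; }
unsigned ops_ladder(uint32_t d, int nbits) { unsigned m; modexp_ladder(3, d, 101, nbits, &m); return m; }
```

With d = 37 the square-and-multiply performs 7 multiplications and with d = 63 it performs 10, while the 6-bit ladder performs 12 for every exponent.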

Page 83:

Timing attack on T-table AES: Table-based implementation of AES

Core of AES:

AK SB SR MC

AK acts on bytes (linear),
SB acts on bytes,
SR acts on bytes (linear),
MC acts on 32-bit words (linear).

Tables T0, T1, T2, T3 are indexed by a byte (state ⊕ key) and contain 32-bit words.

B. Gerard Part 4 : Remote security 35 / 42

Page 84:

T-table AES processing time: A few results

Figure: on a Galaxy S2, training phase (top) then attack phase (bottom).

B. Gerard Part 4 : Remote security 36 / 42


Page 86:

Micro-architecture and security: Cache, the Intel example

Figure: four cores (core 0 to core 3), each with its private L1 and L2 caches, all sharing the last-level cache (LLC) in front of the RAM.

A mapping computes, from a data item's memory address and the current cache state, the location where that item will be stored in the cache. If that location is not free, a previously stored item is evicted.

B. Gerard Part 4 : Remote security 37 / 42

Page 87:

Micro-architecture and security: Cache, Flush+Reload

Flush and Reload attack

1. the spying process empties the cache,
2. the target process regains control and executes some instructions,
3. the spying process regains control,
4. the spying process performs memory accesses,
5. the spying process leverages the access times to deduce the memory accesses performed by the target.

- The attack relies on the inclusive property of the cache.
- The attack needs some shared memory content (e.g. a shared library).

B. Gerard Part 4 : Remote security 38 / 42

Page 88:

Micro-architecture and security: Cache, Prime+Probe

Prime and Probe attack

1. the spying process fills the cache,
2. the target process regains control and executes some instructions,
3. the spying process regains control,
4. the spying process performs memory accesses,
5. the spying process leverages the access times to deduce the memory accesses performed by the target.

- The attack relies on the inclusive property of the cache.
- The attack needs to know the address of the targeted code.

B. Gerard Part 4 : Remote security 39 / 42

Page 89:

Micro-architecture and security: Cache, some applications

- The cache contains data but also code.
- Thus we can find out which instructions have been executed.
- Exponentiation algorithms can be attacked (even some regular ones).
- We can also detect that two processes are co-located in the cloud.
- This violates the partitioning (isolation) property.
- Even better: an SSH connection can be mounted between them (covert channel).

SPECTRE/MELTDOWN

Thanks to a race condition and the cache mechanism, the content of forbidden memory can be read (CVE-2017-5754).

B. Gerard Part 4 : Remote security 40 / 42

Page 90:

Micro-architecture and security: Variable-time instruction

Figure: Intel divide instruction execution time.

B. Gerard Part 4 : Remote security 41 / 42

Page 91:

Takeaway

Messages

- The attacker will try to exploit all the available information.
- A small implementation detail can totally break the security.

Good practices

- Limit the number of auxiliary information sources provided to the user (and thus to the attacker).
- Do not minimise the weaknesses of cryptographic primitives.
- Avoid basing security on the presumption that some leakage cannot be exploited.

B. Gerard Part 4 : Remote security 42 / 42