Secured implementations for cryptography (people.irisa.fr/Benoit.Gerard/data/SIMP_cours4_en.pdf)
Part 4 : Remote security
Benoît Gérard, 1 December 2020
Classes schedule
Step 1
System requirements and architecture.
Step 2
Product interface definition : API exposed to the terminal.
Step 3
Securing implementation against non-cryptographic attacks.
Step 4
Securing cryptographic implementations against remote attacks.
Step 5
Securing cryptographic implementations against local attacks.
B. Gerard Part 4 : Remote security 2 / 42
Session outline
Format/Padding oracle attacks : CBC mode malleability ; Padding Oracle : IPSEC in ESP mode ; Padding Oracle on PKCS#1 RSA padding
Attacks leveraging bias in the random generation : RC4 ; Taiwanese Citizen Digital Certificate ; Biased nonce generation in ECDSA ; Uniform random generation mod n
Timing attacks : Constant-time comparison ; Cryptography and processing time ; Micro-architecture and security
CBC mode malleability : Principle
[Figure : CBC decryption chain. Each ciphertext block Ci goes through DK and the result is XORed with the previous ciphertext block (the IV for C1) to give Mi. Because of that XOR, flipping a bit of the IV flips the same bit of M1 and nothing else ; flipping a bit of Ci−1 flips the same bit of Mi (and scrambles Mi−1).]
CBC mode malleability : ESP and IPsec
Cryptography in IPsec
- AH (authentication and integrity),
- ESP (encryption + integrity),
- IKE (key exchange).
Integrity :
- MAC-then-Encrypt,
- Encrypt-then-MAC.
Encryption using ESP
- CBC mode
- padding
CBC mode malleability : Attacking ESP
The attacker can change the IV ⇒ header modification
- change the sender address,
- change the protocol field (to an invalid value).
The gateway processes the packet (decrypts the header)
- invalid protocol → ICMP message sent,
- ICMP sent to the sender address (that is the attacker's one now),
- the attacker receives the ICMP message only if a checksum is correct.
For debugging purposes, part of the plaintext is in the ICMP message ! ! !
Padding Oracle : IPSEC in ESP mode : ESP frame format
ESP frame in tunnel mode :
  | data to encrypt | 1 | 2 | . . . | length | 4 |
Padding rule :
- add bytes 1, 2, 3, . . . ,
- add a byte containing the number of previously added bytes,
- add a last byte (the next-header field, whose value is 4 in tunnel mode).
The last encrypted block will contain a valid padding, for instance :
- 0 | 4
- 1 | 1 | 4
- 1 | 2 | 2 | 4
- 1 | 2 | 3 | 3 | 4
- . . .
- 1 | 2 | . . . | 13 | 14 | 14 | 4
Padding Oracle : IPSEC in ESP mode : Attack 1/3
We received a packet we want to decrypt :
  header | C*_0 | C*_1 | C*_2 | . . . | C*_n
We obtain another packet encrypted using the same key :
  header | C_0 | C_1 | C_2 | . . . | C_n
To decrypt C*_i we send packets of the form :
  header | C_0 | C_1 | C_2 | . . . | C_n | R | C*_i
The attacker will play with R to decrypt C*_i.
Padding Oracle : IPSEC in ESP mode : Attack 2/3
[Figure : the tail of the forged packet, C_{n−1} | C_n | R | C*_i, going through DK. The block before last decrypts to DK(R) ⊕ C_n, a garbage block the attacker does not care about ; the last block decrypts to DK(C*_i) ⊕ R, and it is this block whose padding the gateway checks. Animation : a pair (r14, r15) is first found for which the padding 0 | 4 is accepted, which gives the last two bytes of DK(C*_i) ; byte 14 is then set to 1 and r13 is searched until the padding 1 | 1 | 4 is accepted ; bytes 13 and 14 are set to 2 and r12 is searched for the padding 1 | 2 | 2 | 4 ; and so on down to byte 0.]
Padding Oracle : IPSEC in ESP mode : Attack 3/3
At the end we get R = (r0, r1, . . . , r15) such that :
  DK(C*_i) ⊕ R = (1, 2, 3, 4, . . . , 14, 14, 4).
And thus,
  P*_i = C*_{i−1} ⊕ DK(C*_i) = C*_{i−1} ⊕ (r0 ⊕ 1, r1 ⊕ 2, . . . , r13 ⊕ 14, r14 ⊕ 14, r15 ⊕ 4).
Attack complexity
The mean number of requests is :
- 2^15 for the first step (two bytes, r14 and r15, must be right at the same time),
- 2^7 for each of the 14 following ones (one byte at a time).
Finally one needs 2^15 + 14 × 2^7 = 34560 ≈ 2^15.08 decryption requests to decrypt a block.
Padding Oracle : IPSEC in ESP mode : Oracle instantiation for IPsec
Unfortunately . . . the oracle exists :
- valid padding : answer to the packet,
- invalid padding : no answer.
Many technical difficulties, but solved. For instance :
- authentication before encapsulation,
- bypassed using IP fragmentation.
Solution
Use Encrypt-then-MAC : the MAC of a forged packet is invalid, so no decryption (hence no padding check) is performed.
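The program below is an added worked example, not code from the slides, tying this section together in Python : the CBC chain of the Principle figure (malleate_iv), the ESP trailer of the frame-format slide (esp_pad, esp_padding_valid), a gateway that answers only when the trailer is valid, and the R-tuning attack of slides 1/3 to 3/3 (recover_block). It assumes a toy 128-bit block cipher, a SHA-256 Feistel network, in place of AES (invertible but not secure, enough to make CBC behave as on the slides) and uses constructed keys and packets. The query counts match the slides : about 2^15 for the first step, 2^7 for each following byte.

```python
import hashlib
import os

BLOCK = 16
NEXT_HEADER = 4  # ESP trailer's next-header byte: 4 (IP-in-IP) in tunnel mode

def _xor(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

# Toy 128-bit block cipher: a 4-round SHA-256 Feistel network stands in for AES
# (an assumption of this example: invertible, but NOT a secure cipher).
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

# CBC malleability: XORing a mask into the IV XORs the same mask into M1 (and nothing
# else), which is how the attacker of the slides rewrites sender address / protocol.
def malleate_iv(iv: bytes, mask: bytes) -> bytes:
    return _xor(iv, mask.ljust(BLOCK, b"\x00"))

# ESP trailer: pad bytes 1, 2, 3, ..., then the pad length, then the next-header byte.
def esp_pad(payload: bytes) -> bytes:
    padlen = (-(len(payload) + 2)) % BLOCK
    return payload + bytes(range(1, padlen + 1)) + bytes([padlen, NEXT_HEADER])

def esp_padding_valid(pt: bytes) -> bool:
    if len(pt) < 2 or pt[-1] != NEXT_HEADER:
        return False
    padlen = pt[-2]
    return padlen + 2 <= len(pt) and pt[-2 - padlen:-2] == bytes(range(1, padlen + 1))

class Gateway:
    """Models the IPsec gateway of the slides: it answers only when the trailer is valid."""
    def __init__(self, key: bytes):
        self.key, self.queries = key, 0
    def answers(self, iv: bytes, ct: bytes) -> bool:
        self.queries += 1
        return esp_padding_valid(cbc_decrypt(self.key, iv, ct))

def recover_block(gw: Gateway, iv: bytes, ct: bytes, prev: bytes, target: bytes) -> bytes:
    """Decrypt block `target` (preceded by `prev` in the captured packet) by sending
    (iv, ct || R || target), with ct another packet under the same key, and tuning R."""
    d = bytearray(BLOCK)                       # will hold D_K(target)
    r = bytearray(os.urandom(BLOCK))
    for v in range(1 << 16):                   # step 1: trailer "0 | 4" (~2^15 queries)
        r[14], r[15] = v >> 8, v & 0xFF
        if gw.answers(iv, ct + bytes(r) + target):
            r[13] ^= 0xFF                      # rule out a longer padding accepted by luck
            still_ok = gw.answers(iv, ct + bytes(r) + target)
            r[13] ^= 0xFF
            if still_ok:
                break
    else:
        raise RuntimeError("gateway never answered")
    d[14], d[15] = r[14], r[15] ^ NEXT_HEADER
    for k in range(1, 15):                     # steps 2..15: "1 | 2 | .. | k | k | 4" (~2^7 each)
        pos = 14 - k                           # the byte that must now decrypt to 1
        r[14], r[15] = d[14] ^ k, d[15] ^ NEXT_HEADER
        for j in range(2, k + 1):              # already recovered bytes are set to 2 .. k
            r[pos + j - 1] = d[pos + j - 1] ^ j
        for v in range(256):
            r[pos] = v
            if gw.answers(iv, ct + bytes(r) + target):
                d[pos] = v ^ 1
                break
        else:
            raise RuntimeError("no valid byte found")
    return _xor(prev, bytes(d))                # P*_i = C*_{i-1} xor D_K(C*_i)

def demo():
    """Constructed sample: two packets under one key; recover block 1 of the second."""
    key, iv_a, iv_b = b"constructed-key!", bytes(range(16)), bytes(range(16, 32))
    ct_a = cbc_encrypt(key, iv_a, esp_pad(b"packet the attacker may replay"))
    pt_b = esp_pad(b"inner IP header and secret payload")
    ct_b = cbc_encrypt(key, iv_b, pt_b)
    gw = Gateway(key)
    recovered = recover_block(gw, iv_a, ct_a, iv_b, ct_b[:BLOCK])
    return recovered == pt_b[:BLOCK], gw.queries
```

After the first accepted (r14, r15) pair, recover_block perturbs byte 13 and asks again : an accepted trailer 1 | 1 | 4 met by chance would otherwise be mistaken for 0 | 4 and poison every later step. demo() needs a few seconds in CPython because of the 2^15 queries of the first step, which is also the practical cost of the real attack per block.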
Padding Oracle on PKCS#1 RSA padding : RSA raw and chosen-ciphertext security
RSA Encryption
  c = m^e mod N
RSA Decryption
  m = c^d mod N
Attack : recover m from c (without submitting c itself to the decryption oracle)
1. pick s at random → c′ = c s^e mod N,
2. send c′ to the decryption oracle,
3. m′ = (c′)^d = c^d s^{ed} = m s mod N,
4. compute m = m′ s^{−1} mod N.
Padding Oracle on PKCS#1 RSA padding : Principle
  | 0x00 | 0x02 | non-zero bytes | 0x00 | data |
Table – Padding defined in PKCS#1 (v1.5 encryption).
Attacker model
- No decryption oracle.
- Oracle on the padding validity.
Obtained information
If m′ = m s mod N has a correct padding (it starts with the bytes 0x00 0x02) then
  2B ≤ m s mod N < 3B,
with B = 2^{len(N)−16}, len(N) being the length of N in bytes times 8.
Padding Oracle on PKCS#1 RSA padding : Attack
Goal
Recover m = c^d mod N.
Principle
Find messages c_i = c s_i^e mod N corresponding to valid-padding messages.
- Use the information 2B ≤ m s_i mod N < 3B to reduce the set of possible values for m.
- s_0 = 1 because c is obviously valid.
- From s_i, find a new s_{i+1} (it becomes simpler and simpler as the set shrinks).
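Added example (Python, not code from the slides) for the two previous slides : the blinding trick of "RSA raw and chosen cipher security", and the padding-oracle attack sketched under "Attack" carried out in full, i.e. Bleichenbacher's interval narrowing (CRYPTO 1998) driven by exactly the oracle of the "Principle" slide, 2B ≤ m s mod N < 3B. The key is a constructed toy key built from two Mersenne primes, chosen only so that the example needs no prime generation ; its size (234 bits) only makes the attack faster than on a real 2048-bit modulus.

```python
import os
import random
from math import gcd

# Constructed toy key: two Mersenne primes, chosen only so that the example needs no prime
# generation (an assumption of this example; such a key is of course unusable in practice).
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # length of N in bytes
B = 1 << (8 * (K - 2))                 # the slides' B = 2^(len(N) - 16)

def pkcs1_v15_encode(data: bytes) -> int:
    """0x00 0x02 || non-zero random bytes || 0x00 || data, read as an integer < N."""
    ps_len = K - 3 - len(data)
    assert ps_len >= 8, "message too long"
    ps = bytes(x or 1 for x in os.urandom(ps_len))        # padding bytes must be non-zero
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + data, "big")

def padding_oracle(c: int) -> bool:
    """What the target leaks (slide 'Principle'): does c^d mod N start with 0x00 0x02 ?"""
    return 2 * B <= pow(c, D, N) < 3 * B

def decrypt_through_blinding(decrypt, c: int) -> int:
    """Slide 'RSA raw and chosen cipher security': the oracle never sees c itself."""
    s = random.randrange(2, N)
    while gcd(s, N) != 1:
        s = random.randrange(2, N)
    m_blinded = decrypt(c * pow(s, E, N) % N)              # = (c s^e)^d = m s mod N
    return m_blinded * pow(s, -1, N) % N

def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def bleichenbacher(oracle, c: int) -> int:
    """Recover m = c^d mod N from the padding oracle only (Bleichenbacher, CRYPTO 1998)."""
    conforming = lambda s: oracle(c * pow(s, E, N) % N)   # is m s mod N in [2B, 3B) ?
    intervals = [(2 * B, 3 * B - 1)]                      # s_0 = 1 : c itself is valid
    s = _ceil_div(N, 3 * B)                               # step 2.a : first conforming s
    while not conforming(s):
        s += 1
    while True:
        # step 3 : keep, in each interval, the m's for which some r gives 2B <= m s - rN < 3B
        new = set()
        for a, b in intervals:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.add((lo, hi))
        intervals = sorted(new)
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0]
        if len(intervals) > 1:                            # step 2.b : linear search again
            s += 1
            while not conforming(s):
                s += 1
        else:                                             # step 2.c : search near 2B/b, 3B/a
            a, b = intervals[0]
            r, s = _ceil_div(2 * (b * s - 2 * B), N), None
            while s is None:
                for cand in range(_ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1):
                    if conforming(cand):
                        s = cand
                        break
                r += 1

def demo():
    """Constructed message: the attack and the blinding both return the padded m."""
    m = pkcs1_v15_encode(b"constructed secret")
    c = pow(m, E, N)
    return bleichenbacher(padding_oracle, c) == m, decrypt_through_blinding(lambda x: pow(x, D, N), c) == m
```

The step names in the comments follow Bleichenbacher's paper : 2.a finds the first s ≥ N/3B, 2.b and 2.c find the next one, 3 narrows the interval(s) ; the slide's remark that the search "becomes simpler and simpler" is visible in the shrinking range of candidates tested in step 2.c. On this toy modulus the oracle answers a few thousand times ; with a 2048-bit modulus the first step alone costs around 2^16 queries, which is why the real attack is only practical against automated, unthrottled oracles.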
RC4 : Weaknesses
Stream cipher from Ron Rivest :
- easy to implement,
- fast,
- biased ! ! !
RC4 : Attack on SSL
"Broadcast" attack (USENIX 2013)
- fixed plaintext,
- encrypted with many keys.
Attack principle
Observing many c_i's corresponding to the same p :
  c_i = p ⊕ s_i
Since s_i is biased (here it often takes the value 0x00), then
  p = argmax_{x ∈ [[0,255]]} #{i : c_i = x}
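Added example (Python, not the slides' code) of the broadcast attack above : a plain RC4 implementation, the same constructed plaintext encrypted under 2^15 constructed keys, and the argmax rule of the slide applied to the second ciphertext byte, where the keystream byte is 0x00 with probability about 1/128 instead of 1/256 (the Mantin-Shamir bias). keystream_zero_rate measures that bias directly.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA), returning the first `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                                    # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                                 # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key: bytes, pt: bytes) -> bytes:
    return bytes(p ^ z for p, z in zip(pt, rc4_keystream(key, len(pt))))

def constructed_key(i: int) -> bytes:
    """Constructed, distinct 128-bit keys standing in for the many sessions of the attack."""
    return hashlib.sha256(b"constructed-key-%d" % i).digest()[:16]

def keystream_zero_rate(num_keys: int, position: int) -> float:
    """Measure the bias directly: fraction of keys whose keystream byte `position` is 0.
    For position 1 (the second byte) this is about 1/128 instead of 1/256."""
    zeros = sum(rc4_keystream(constructed_key(i), position + 1)[position] == 0
                for i in range(num_keys))
    return zeros / num_keys

def broadcast_attack(ciphertexts, position: int) -> int:
    """The slide's rule p = argmax_x #{i : c_i[position] = x}: where the keystream byte is
    most often 0x00, the most frequent ciphertext byte is the plaintext byte itself."""
    counts = [0] * 256
    for c in ciphertexts:
        counts[c[position]] += 1
    return max(range(256), key=counts.__getitem__)

def demo(num_keys: int = 1 << 15):
    """Same fixed plaintext (think of an HTTP cookie) encrypted under num_keys keys."""
    plaintext = b"Cookie: id=constructed"
    cts = [rc4_encrypt(constructed_key(i), plaintext) for i in range(num_keys)]
    return broadcast_attack(cts, 1), plaintext[1]
```

The second byte is the easiest case ; the attack of the slide uses the much smaller biases of the other keystream positions and therefore needs far more ciphertexts, which is why the same cookie had to be re-encrypted millions of times.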
RC4 : But also
RC4 weaknesses involved in the attacks on
- WEP,
- WPA,
- HIVE (proven secure).
Stream cipher without authentication ⇒ malleability
- attacks on SSH,
- attacks on BitTorrent.
Bonus : same keystream used multiple times (Microsoft Office).
Taiwanese Citizen Digital Certificate : Introduction
Personal smartcard with certificate,
- issued by the state administration,
- allows some administrative tasks,
- certificates using RSA (with a modulus of 1024/2048 bits).
RSA modulus
N = p × q with
- p large prime (secret),
- q large prime (secret),
- N large composite number (public).
Taiwanese Citizen Digital Certificate : Rump session of CRYPTO 2013
Remark
  N = p × q and N′ = p × q′  ⇒  gcd(N, N′) = p
- 3 million certificates obtained through the official website :
  - 2.3 million 1024-bit RSA moduli,
  - 0.7 million 2048-bit RSA moduli.
- gcd between all pairs of keys :
  103 moduli get factored !
Example of found factors
  c000 0000 0000 0000 0000 0000 0000 [. . .] 0000 0000 0000 02f9
  c924 2492 2492 9249 9249 4924 4924 [. . .] 9924 9492 4492 424e5
Taiwanese Citizen Digital Certificate : Rump session of CRYPTO 2013 (continued)
Testing with factors presenting similar patterns :
  22 new keys !
- the new factors are sparse (cf. previous example).
Use of LLL :
  39 new keys !
- again very sparse factors.
Remark
A college student can abuse the identity of more than 100 Taiwanese citizens . . .
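Added example (Python, not from the slides) of the gcd scan of the previous two slides : a naive all-pairs gcd as described on the slide, and the product/remainder-tree batch gcd (Bernstein's method, the way millions of moduli are actually scanned) giving the same result in quasi-linear time. The moduli are constructed from Mersenne primes, with shared factors planted to mimic the faulty cards ; a modulus that shares both its primes with other keys comes out of the batch step as gcd = N and is finished off pairwise.

```python
from math import gcd

# Constructed moduli from Mersenne primes (an assumption of this example, chosen so that
# no prime generation is needed); shared factors are planted to mimic the faulty cards.
M = {e: (1 << e) - 1 for e in (19, 31, 61, 89, 107, 127, 521)}
MODULI = [
    M[89] * M[107],      # N0: shares M107 with N1
    M[107] * M[127],     # N1: shares M107 with N0 and M127 with N3
    M[61] * M[521],      # N2: shares M521 with N3
    M[127] * M[521],     # N3: both primes shared
    M[19] * M[31],       # N4: healthy (tiny, only to keep the example fast)
]

def pairwise_gcd(moduli):
    """The slides' approach: a gcd for every pair of moduli, O(n^2) gcds."""
    shared = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g != 1:
                shared.setdefault(i, set()).add(g)
                shared.setdefault(j, set()).add(g)
    return shared

def batch_gcd(moduli):
    """Product tree then remainder tree (Bernstein): returns gcd(N_i, prod_{j != i} N_j)
    for every i with quasi-linear big-number work, which is how millions of keys are scanned."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    rems = tree[-1]                                   # the full product P
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]   # P mod N_i^2
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]   # gcd(N_i, P / N_i)

def factor_shared(moduli):
    """Index -> (p, q) for every modulus that shares a prime with another one. A gcd equal
    to N itself means both primes are shared; that case is finished off pairwise."""
    out = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        if g == n:
            g = next(gcd(n, m) for j, m in enumerate(moduli) if j != i and 1 < gcd(n, m) < n)
        out[i] = (min(g, n // g), max(g, n // g))
    return out
```

batch_gcd only says which moduli share something ; on a real corpus the pairwise fallback is run on the few hundred flagged keys only, never on the whole set. The sparse-pattern and LLL steps of the slides are not reproduced here.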
Biased nonce generation in ECDSA : ECDSA presentation
Parameters :
- elliptic curve E of order n,
- generating point G,
- hash function H,
- message to sign m,
- private key s ∈ [[1; n − 1]],
- public key Q = [s]G.
Signature :
1. uniformly pick k in [[1; n − 1]],
2. (x, ·) = [k]G,
3. if x = 0 go back to 1,
4. y = k^{−1}(H(m) + s · x) mod n,
5. if y = 0 go back to 1,
6. return (x, y).
k is named nonce or ephemeral key and is sensitive ! Knowing k for one signature gives the private key :
  s = x^{−1}(y · k − H(m)) mod n
Biased nonce generation in ECDSA : Impact of a biased nonce
One bias definition
  B_n = (1/L) Σ_{j=1}^{L} e^{2πi k_j / n}
(|B_n| stays close to 0 for uniformly distributed k_j's and grows with the bias.)
Recall that
  k = y^{−1}(H(m) + s · x) mod n.
Attack
If the k_j's generation is biased :
1. obtain L "biased" signatures,
2. for each possible s compute the bias (of the k_j's implied by that s),
3. take the s that maximises the bias.
Biased nonce generation in ECDSA : A few precisions on the attack
Testing each value for s ⇐⇒ exhaustive search !
Solution
Try to spread the peak and use a sieve, then refine.
Uniform random generation mod n : Using formulas
Issues
- Need : uniformly generating k in [[0; n − 1]].
- But we only can : generate random bits.
Let ℓ = ⌈log2(n)⌉ (i.e. the number of bits of n). We can
1. uniformly generate k in [[0; 2^{ℓ−1} − 1]],
2. uniformly generate k in [[0; 2^ℓ − 1]] and
  2.1 if k ≥ n restart,
  2.2 if k ≥ n then return k − n,
3. uniformly generate k in [[0; 2^{ℓ+λ} − 1]] and return k mod n.
One must use 2.1 or 3 !
Uniform random generation mod n : Using pictures
[Figure : the target interval [0, n−1] drawn against the range actually produced by each method. 1. [0, 2^{ℓ−1} − 1] : the values from 2^{ℓ−1} to n − 1 are never produced. 2.1 [0, 2^ℓ − 1] with k ≥ n rejected : uniform on [0, n−1]. 2.2 [0, 2^ℓ − 1] with k − n returned when k ≥ n : the values of [0, 2^ℓ − n − 1] are produced twice as often as the others. 3. [0, 2^{ℓ+λ} − 1] reduced mod n : uniform up to a relative bias of about 2^{−λ}, negligible for λ large enough.]
Processing time exploitation : Basics
Rule
Processing time must not depend on the manipulated sensitive data.
- Sometimes very hard to implement,
- in software : language dependent,
- easier if the implementation is a hardware one.
Dependency sources
Essentially (but not only) :
- conditional branching,
- cached memory accesses.
Processing time exploitation : PIN code example
4-digit PIN code ⇒ 5000 attempts on average.
If badly implemented ⇒ 37 attempts at most !

    bool testPIN(int code[4]) {
        for (int i = 0; i < 4; i++) {
            if (code[i] != code_ref[i])
                return false;       // early exit: the time reveals how many digits matched
        }
        return true;
    }

[Figure : animation of the attack on the code above, reference PIN 1789. Measured response times : 0000 → 0.3 ms, 1000 → 0.6 ms, 2000 → 0.4 ms ; 1000 takes longer because the loop ran one more iteration, so the first digit is 1. The attacker then tries 1?00 and keeps 7, 17?0 and keeps 8, 178? and keeps 9. At most 9 measurements per digit for the first three digits (the tenth value is deduced) and 10 for the last one, hence 37 attempts.]
Processing time exploitation : Corrected PIN example
- Process the loop until the end.
- No branching on sensitive variables.

    bool testPIN(int code[4]) {
        uint32_t diff = 0;
        for (int i = 0; i < 4; i++) {
            diff |= code[i] ^ code_ref[i];     // accumulate differences, never branch on them
        }
        return (diff == 0);
    }

But what about comparing two big numbers ?
Processing time exploitation : Big integers comparison (1/4)

    typedef enum { INF = -1, EQU = 0, SUP = 1 } num_order_t;

    num_order_t compareBIGINT(int a[256], int b[256]) {
        bool a_inf_b = false;
        bool a_sup_b = false;
        for (int i = 255; i >= 0; i -= 1) {        // most significant limb first
            if (a_inf_b || a_sup_b)
                ; // do nothing: the order is already known, but keep looping
            else {
                if (a[i] < b[i])
                    a_inf_b = true;
                if (a[i] > b[i])
                    a_sup_b = true;
            }
        }
        if (a_inf_b) return INF;
        if (a_sup_b) return SUP;
        return EQU;
    }
Processing time exploitation : Big integers comparison (2/4)
Original loop body :

    if (a_inf_b || a_sup_b)
        ; // do nothing
    else {
        if (a[i] < b[i])
            a_inf_b = true;
        if (a[i] > b[i])
            a_sup_b = true;
    }

First rewriting (no branch on the limb comparisons) :

    if (a_inf_b || a_sup_b)
        ; // do nothing
    else {
        a_inf_b = (a[i] < b[i]);
        a_sup_b = (a[i] > b[i]);
    }

Second rewriting (no branch at all in the source) :

    a_inf_b = (a_inf_b || (a[i] < b[i])) & !a_sup_b;
    a_sup_b = (a_sup_b || (a[i] > b[i])) & !a_inf_b;
Processing time exploitation : Big integers comparison (3/4)

    typedef enum { INF = -1, EQU = 0, SUP = 1 } num_order_t;

    num_order_t compareBIGINT(int a[256], int b[256]) {
        bool a_inf_b = false;
        bool a_sup_b = false;
        int res;
        for (int i = 255; i >= 0; i -= 1) {
            a_inf_b = (a_inf_b || (a[i] < b[i])) & !a_sup_b;
            a_sup_b = (a_sup_b || (a[i] > b[i])) & !a_inf_b;
        }
        res  = EQU * (!a_inf_b & !a_sup_b);
        res += INF * a_inf_b;
        res += SUP * a_sup_b;
        return (num_order_t) res;
    }
Processing time exploitation : Big integers comparison (4/4)

        ...
        movl    (%rax), %eax
        cmpl    %eax, %edx
        jge     .L4
    .L3:
        movl    $1, %eax
        jmp     .L5
    .L4:
        movl    $0, %eax
    .L5:
        andl    $1, %eax
        cmpl    $0, -12(%rbp)
        sete    %dl
        andl    %edx, %eax
        ...

Compiled code extract : even though the C source of (3/4) contains no if, the compiler turned the comparison a[i] < b[i] back into a conditional jump (jge, then two paths joined by jmp), while it used a branch-free sete for the other test. Constant-time behaviour has to be checked on the generated machine code, not on the source.
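Added example (Python, not the slides' code) covering the two points of this section. PinDevice models the badly implemented testPIN : the early return is turned into a leaked iteration count standing in for the measured time, and timing_attack recovers the PIN digit by digit within the 37 attempts of the slide. compare_bigint_branchless is the data flow of compareBIGINT (3/4) ; Python cannot promise constant time, so that function is there to check that the branch-free formula is correct for every ordering, the property that must then be verified on the compiled code as slide (4/4) shows. All inputs are constructed.

```python
import random

class PinDevice:
    """Constructed model of the slides' badly implemented testPIN: the comparison stops
    at the first wrong digit, so the elapsed time is proportional to the number of loop
    iterations. That count is exposed in place of a wall-clock measurement."""
    def __init__(self, pin: str):
        self._ref = [int(c) for c in pin]
        self.attempts = 0

    def test_pin(self, guess: str):
        self.attempts += 1
        iterations = 0
        for mine, theirs in zip(self._ref, (int(c) for c in guess)):
            iterations += 1
            if mine != theirs:
                return False, iterations            # early exit: leaks how far we got
        return True, iterations

def timing_attack(device: PinDevice, digits: int = 4) -> str:
    """Digit by digit: the guess whose check runs one iteration longer holds the right
    digit. Nine tries suffice for each of the first digits (the tenth value is deduced);
    the last digit must actually be accepted, hence at most 9 + 9 + 9 + 10 = 37 attempts."""
    known = ""
    for pos in range(digits):
        for d in "0123456789":
            ok, t = device.test_pin((known + d).ljust(digits, "0"))
            if ok or t > pos + 1:
                known += d
                break
            if d == "8" and pos < digits - 1:       # nine misses: it can only be 9
                known += "9"
                break
    return known

def constant_time_equal(a: bytes, b: bytes) -> bool:
    """The corrected testPIN generalised to byte strings: OR together the XOR of every
    pair and decide once at the end, so the loop length never depends on the secret."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0

def compare_bigint_branchless(a, b) -> int:
    """Data flow of compareBIGINT (3/4): limbs least-significant first, scanned from the
    top; returns -1, 0, 1. Only the logic is checked here, Python itself is not constant-time."""
    a_inf_b = a_sup_b = 0
    for x, y in zip(reversed(a), reversed(b)):
        a_inf_b = (a_inf_b | (x < y)) & (1 - a_sup_b)
        a_sup_b = (a_sup_b | (x > y)) & (1 - a_inf_b)
    return a_sup_b - a_inf_b

def branchless_compare_is_correct(trials: int = 3000, limbs: int = 8, seed: int = 1) -> bool:
    """Cross-check the branch-free formula against Python's integer comparison on random
    limb arrays, including equal inputs and inputs differing in a single limb."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.getrandbits(32) for _ in range(limbs)]
        b = list(a)
        if rng.random() < 0.7:
            b[rng.randrange(limbs)] = rng.getrandbits(32)     # differ in one limb
        if rng.random() < 0.3:
            b = [rng.getrandbits(32) for _ in range(limbs)]    # fully independent
        ia = int.from_bytes(b"".join(x.to_bytes(4, "little") for x in a), "little")
        ib = int.from_bytes(b"".join(x.to_bytes(4, "little") for x in b), "little")
        if compare_bigint_branchless(a, b) != (ia > ib) - (ia < ib):
            return False
    return True
```

For equality of secrets in real code, use the primitive written for that purpose (hmac.compare_digest in Python, CRYPTO_memcmp in OpenSSL) rather than a hand-rolled loop, and for ordered comparison of big integers use the constant-time routines of the bignum library ; the value of writing the loop yourself is in seeing, as on slide (4/4), how little of the source-level discipline survives the compiler.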
RSA processing time : Square & Multiply
RSA
Decryption/signature : c^d mod N with secret d.
Square & Multiply : scan the bits of d from the most significant one ; a 0 bit costs a squaring (t ← t^2), a 1 bit costs a squaring and a multiplication (t ← t^2 × c).
Computing c^37, with 37 = 100101_2 :
  t = c^(1_2)      = c               = c^1
  t = c^(10_2)     = c^2             = c^2
  t = c^(100_2)    = (c^2)^2         = c^4
  t = c^(1001_2)   = (c^4)^2 × c     = c^9
  t = c^(10010_2)  = (c^9)^2         = c^18
  t = c^(100101_2) = (c^18)^2 × c    = c^37
Branch prediction : On RSA

    BIGINT modExp(BIGINT m, bool d[]) {
        BIGINT t = 1;                 // accumulator (the slide starts from t = m and omits the mod N)
        for (int i = l; i >= 0; i--) {
            t = t * t;                // square
            if (d[i] == 1)
                t = t * m;            // multiply, only when the secret bit is 1
        }
        return t;
    }

- weak attacker : spying process and processing-time analysis,
- strong attacker : use of pfmon (hardware performance counters, here on the branch predictor).
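Added example (Python, not the slides' code) of what the spying process of this slide sees : square_and_multiply records the sequence of squarings and multiplications, i.e. the outcome of the if (d[i] == 1) branch at each iteration, and exponent_from_trace reads the secret exponent straight back from it. square_and_multiply_always is the regular variant whose trace does not depend on d. Exponent and modulus are small constructed values ; recording the trace stands in for timing, branch-predictor or cache observations.

```python
def square_and_multiply(c: int, d: int, n: int, trace=None) -> int:
    """Left-to-right binary exponentiation as on the slides. When `trace` is a list, the
    operations are appended to it ('S' square, 'M' multiply): this is the control flow a
    spying process recovers from timing, branch prediction or the cache."""
    t = 1
    for bit in bin(d)[2:]:
        t = t * t % n
        if trace is not None:
            trace.append("S")
        if bit == "1":                        # the secret-dependent branch
            t = t * c % n
            if trace is not None:
                trace.append("M")
    return t

def exponent_from_trace(trace) -> int:
    """Read the exponent back: each 'S' opens a new bit (0), an 'M' turns it into a 1."""
    bits = ""
    for op in trace:
        bits = bits + "0" if op == "S" else bits[:-1] + "1"
    return int(bits, 2) if bits else 0

def square_and_multiply_always(c: int, d: int, n: int, nbits: int, trace=None) -> int:
    """Regular variant: one squaring and one multiplication per bit whatever the bit, the
    useful result being selected by arithmetic on the bit value instead of a branch. The
    trace (and so the timing / branch pattern) is the same for every nbits-bit exponent."""
    t = 1
    for i in range(nbits - 1, -1, -1):
        bit = (d >> i) & 1
        t = t * t % n
        u = t * c % n                         # always computed
        t = bit * u + (1 - bit) * t           # keep u iff bit == 1
        if trace is not None:
            trace.extend("SM")
    return t

def demo():
    """Constructed values: a toy modulus and the exponent 37 = 100101_2 of the slides."""
    n, c, d = 1000003, 7, 37
    leaky, regular = [], []
    assert square_and_multiply(c, d, n, leaky) == pow(c, d, n)
    assert square_and_multiply_always(c, d, n, 6, regular) == pow(c, d, n)
    return "".join(leaky), exponent_from_trace(leaky), "".join(regular)
```

The regular variant only removes the branch ; the multiplication by c it always performs still touches memory and takes time that depends on the operands, which is what the cache attacks of the "Micro-architecture and security" section exploit "even on some regular" exponentiations.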
ECDSA processing time : Optimizing induces variable timings
OpenSSL
- Point multiplication using the Montgomery ladder.
- To go faster, the leading 0 bits are skipped.
Execution time depends on the number of leading bits of the nonce equal to 0 . . .
By filtering the fastest signatures,
- we obtain a bias on nonces (they are small),
- we can attack as if the nonces had been generated from a biased source.
DEMO using LLL
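Added example (Python, not the slides' code) that serves the slides "Impact of a biased nonce", "Uniform random generation mod n" and this one. It implements ECDSA on a constructed 12-bit prime-order curve (found at run time, so that the exhaustive search over s the slides warn about is affordable), the four nonce generators of the "Using formulas" slide, the bias statistic B_n, and two attacks : one on signatures whose nonces come from generator 1 (top bit always 0), and one on uniformly generated nonces where the attacker keeps only the fastest signatures, the Montgomery-ladder cost being modelled as the number of significant bits of k. Curve, messages and seed are constructed ; a real attack replaces the exhaustive search by the sieve of the slides or by lattice reduction (the LLL demo).

```python
import cmath
import hashlib
import math
import random

P_FIELD = 3907        # constructed prime field (p = 3 mod 4 for easy square roots)
def _is_prime(n: int) -> bool:
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def find_curve(p: int = P_FIELD):
    """First curve y^2 = x^3 + x + b over F_p with prime order n: returns (p, b, G, n)."""
    assert _is_prime(p) and p % 4 == 3
    for b in range(1, p):
        if (4 + 27 * b * b) % p == 0:
            continue
        n = 1                                              # point at infinity
        for x in range(p):
            leg = pow((x * x * x + x + b) % p, (p - 1) // 2, p)
            n += 1 + (1 if leg == 1 else -1 if leg == p - 1 else 0)
        if _is_prime(n):
            for x in range(p):                             # any point generates the group
                rhs = (x * x * x + x + b) % p
                if pow(rhs, (p - 1) // 2, p) == 1:
                    return p, b, (x, pow(rhs, (p + 1) // 4, p)), n
    raise RuntimeError("no prime-order curve found")

def ec_add(P, Q, p):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + 1) * pow(2 * y1, -1, p) if P == Q
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, p):
    R = None
    while k:
        if k & 1: R = ec_add(R, P, p)
        P, k = ec_add(P, P, p), k >> 1
    return R

# The four ways of drawing k listed on the slide "Uniform random generation mod n".
def nonce_truncated(n, rng):                  # 1: l-1 bits, top bit always 0 (biased)
    return rng.getrandbits(n.bit_length() - 1)
def nonce_rejection(n, rng):                  # 2.1: restart when k >= n (uniform)
    while True:
        k = rng.getrandbits(n.bit_length())
        if k < n: return k
def nonce_subtract(n, rng):                   # 2.2: fold k >= n back (small k twice as likely)
    k = rng.getrandbits(n.bit_length())
    return k - n if k >= n else k
def nonce_extra_bits(n, rng, lam=64):         # 3: l + lam bits then reduce (bias ~ 2^-lam)
    return rng.getrandbits(n.bit_length() + lam) % n

def H(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def ecdsa_sign(curve, priv, msg, gen_nonce, rng):
    """Slide notation: private key s (here `priv`), nonce k, signature (x, y)."""
    p, _, G, n = curve
    while True:
        k = gen_nonce(n, rng)
        if not 1 <= k < n: continue
        x = ec_mul(k, G, p)[0] % n
        y = pow(k, -1, n) * (H(msg, n) + priv * x) % n
        if x and y:
            return k, (x, y)

def bias_function(sigs, hashes, n):
    """cand -> |B_n| = |1/L sum_j e^{2 pi i k_j / n}| with k_j = y_j^{-1}(H_j + cand x_j) mod n."""
    table = [cmath.exp(2j * math.pi * k / n) for k in range(n)]
    pre = [(pow(y, -1, n) * h % n, pow(y, -1, n) * x % n) for (x, y), h in zip(sigs, hashes)]
    return lambda cand: abs(sum(table[(u + cand * v) % n] for u, v in pre)) / len(pre)

def recover_private_key(sigs, hashes, n):
    """Exhaustive search over s (feasible only because n is tiny; see the sieve slide)."""
    return max(range(1, n), key=bias_function(sigs, hashes, n))

def demo(seed: int = 2020):
    rng = random.Random(seed)
    curve = find_curve(); n = curve[3]
    priv = rng.randrange(1, n)
    msgs = [b"constructed message %d" % i for i in range(200)]
    hashes = [H(m, n) for m in msgs]
    # (a) nonces from generator 1: biased, the key falls out of the exhaustive search
    sigs = [ecdsa_sign(curve, priv, m, nonce_truncated, rng)[1] for m in msgs[:120]]
    key_a = recover_private_key(sigs, hashes[:120], n)
    # (b) uniform nonces, but the attacker keeps the 50 fastest signatures: the OpenSSL
    #     ladder of the slide skips leading zeros, so "time" is modelled as k.bit_length()
    signed = [ecdsa_sign(curve, priv, m, nonce_rejection, rng) for m in msgs]
    fast = sorted(range(200), key=lambda i: signed[i][0].bit_length())[:50]
    key_b = recover_private_key([signed[i][1] for i in fast], [hashes[i] for i in fast], n)
    # (c) all 200 uniform signatures: the true key shows no bias any more
    unbiased = bias_function([s for _, s in signed], hashes, n)(priv)
    return priv, key_a, key_b, unbiased
```

With 120 signatures from generator 1 the true key has |B_n| around 0.6 while every wrong candidate stays below about 0.3 ; with uniform nonces the true key's |B_n| drops to the noise level 1/√L, which is what generator 2.1 (or 3) buys you. Generators 2.2 and 3 are included for completeness and are not used by demo().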
Timing attack on table-based AES : Table-based AES implementation
Core of AES :
  AK SB SR MC
- AK acts on bytes (linear),
- SB acts on bytes,
- SR acts on bytes (linear),
- MC acts on 32-bit words (linear).
Tables T0, T1, T2, T3 indexed by a byte (state ⊕ key) and containing 32-bit words. The index depends on the key, so which cache lines of the tables get touched, and hence the lookup time, depends on the key.
T-table AES processing time : A few results
On a Galaxy S2 : training (top) then attacking (bottom).
[Figure not reproduced in the transcript.]
Micro-architecture and security : Cache : the Intel example
[Figure : four cores (core 0 to core 3), each with its private L1 and L2 caches, all sharing the LLC (last-level cache) in front of the RAM.]
A mapping computes, from the memory address of a data item and the cache state, the location where it will be stored in the cache. If the location is not free, a previously stored item is evicted.
Micro-architecture and security : Cache : Flush+Reload
Flush and Reload attack
1. the spying process flushes the monitored memory lines out of the cache,
2. the target process regains control and executes some instructions,
3. the spying process regains control,
4. the spying process accesses the monitored lines again,
5. the spying process leverages the access times (fast = the target touched the line) to deduce the memory accesses performed by the target.
- The attack is based on the inclusive property of the cache.
- The attack needs some shared memory content (e.g. a shared library).
Micro-architecture and security : Cache : Prime+Probe
Prime and Probe attack
1. the spying process fills the cache (the sets of interest) with its own data,
2. the target process regains control and executes some instructions,
3. the spying process regains control,
4. the spying process accesses its own data again,
5. the spying process leverages the access times (slow = the target evicted the line) to deduce the memory accesses performed by the target.
- The attack is based on the inclusive property of the cache.
- The attack needs to know the address of the targeted code (but no shared memory).
Micro-architecture and security : Cache : some applications
- The cache contains data but also code. Thus we can find out which instructions have been executed.
- Exponentiation algorithms can be attacked (even some regular ones).
- We can also detect that two processes are colocated in the cloud. This violates the partitioning property.
- Even better : we can mount an SSH connection between them (covert channel).
SPECTRE/MELTDOWN
Thanks to a race condition (between the access check and the speculative use of the data) and the cache mechanism, one can read the content of memory that should be forbidden (CVE-2017-5754).
Micro-architecture and security : Variable-time instruction
Figure – Intel divide instruction execution time (figure not reproduced in the transcript).
Takeaway
Messages
- The attacker will try to exploit all the available information.
- A small implementation detail can totally break the security.
Good practices
- Limit the number of auxiliary information sources provided to the user (and thus to the attacker).
- Do not minimise the weaknesses of cryptographic primitives.
- Avoid basing security on the presumption that some leakage cannot be exploited.