automated analysis of the security of xor based key
play

Automated Analysis of the Security of XOR-Based Key Management - PowerPoint PPT Presentation

Jan 28, 2023 •275 likes •736 views

Automated Analysis of the Security of XOR-Based Key Management Schemes V eronique Cortier, Gavin Keighren, Graham Steel I V N E U R S E I H T Y T O H F G R E U D B I N 1 Automated Teller Machines Graham Steel

  1. Automated Analysis of the Security of XOR-Based Key Management Schemes V´ eronique Cortier, Gavin Keighren, Graham Steel I V N E U R S E I H T Y T O H F G R E U D B I N

  2. 1 Automated Teller Machines Graham Steel Security API Analysis March 2007

  3. 2 Graham Steel Security API Analysis March 2007

  4. 3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA Graham Steel Security API Analysis March 2007

  5. 3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA 3DES encrypt under a PDK (PIN Derivation Key) Decimalise first 4 digits of result Graham Steel Security API Analysis March 2007

  6. 3 Criticality of Key Management PIN derived by: Write account number (PAN) as 0000AAAAAAAAAAAA 3DES encrypt under a PDK (PIN Derivation Key) Decimalise first 4 digits of result PIN = IPIN + Offset (modulo 10 each digit) Offset NOT secure! Graham Steel Security API Analysis March 2007

  7. 4 Graham Steel Security API Analysis March 2007

  8. 4 data, pin, imp,... Graham Steel Security API Analysis March 2007

  9. 4 data, pin, imp,... { | d1 } | km ⊕ data { | pdk1 } | km ⊕ pin Graham Steel Security API Analysis March 2007

  10. 5 CCA API - Examples Encrypt Data: → { | D1 } | km ⊕ data , Message Host HSM : → { | Message } | D1 HSM Host : Graham Steel Security API Analysis March 2007

  11. 5 CCA API - Examples Encrypt Data: → { | D1 } | km ⊕ data , Message Host HSM : → { | Message } | D1 HSM Host : Verify PIN: → { | PINBlock } | p1 , PAN, { | pdk1 } | km ⊕ pin , Host HSM : OFFSET, { | p1 } | km ⊕ ipinenc → HSM Host : yes/no Graham Steel Security API Analysis March 2007

  12. 6 Importing Key Parts ‘Separation of duty’ Key k = k1 ⊕ k2 → Host HSM : k1, TYPE → { | k1 } | km ⊕ kp ⊕ TYPE HSM Host : Graham Steel Security API Analysis March 2007

  13. 6 Importing Key Parts ‘Separation of duty’ Key k = k1 ⊕ k2 → Host HSM : k1, TYPE → { | k1 } | km ⊕ kp ⊕ TYPE HSM Host : → { | k1 } | km ⊕ kp ⊕ TYPE , k2, TYPE Host HSM : → { | k1 ⊕ k2 } | km ⊕ TYPE HSM Host : Usually used to import a ‘key encrypting key’ ( { | KEK } | km ⊕ imp ) Graham Steel Security API Analysis March 2007

  14. 7 Importing Encrypted Keys Exported from another 4758 encrypted under KEK ⊕ TYPE Key Import: → { | KEY1 } | KEK ⊕ TYPE , TYPE, { | KEK } | km ⊕ imp Host HSM : → { | KEY1 } | km ⊕ TYPE HSM Host : Graham Steel Security API Analysis March 2007

  15. 8 Attack (Bond, 2001) (part 1) PIN derivation key: { | pdk } | kek ⊕ pin Have key part { | kek ⊕ k2 } | km ⊕ imp ⊕ kp for known k2 Graham Steel Security API Analysis March 2007

  16. 8 Attack (Bond, 2001) (part 1) PIN derivation key: { | pdk } | kek ⊕ pin Have key part { | kek ⊕ k2 } | km ⊕ imp ⊕ kp for known k2 → { | kek ⊕ k2 } | km ⊕ kp ⊕ imp , k2 ⊕ pin ⊕ data , imp Host HSM : → { | kek ⊕ pin ⊕ data } | km ⊕ imp HSM Host : Graham Steel Security API Analysis March 2007

  17. 9 Attack (Bond, 2001) (part 2) Key Import → { | pdk } | kek ⊕ pin , data, { | kek ⊕ pin ⊕ data } | km ⊕ imp Host HSM : → { | pdk } | km ⊕ data HSM Host : Graham Steel Security API Analysis March 2007

  18. 9 Attack (Bond, 2001) (part 2) Key Import → { | pdk } | kek ⊕ pin , data, { | kek ⊕ pin ⊕ data } | km ⊕ imp Host HSM : → { | pdk } | km ⊕ data HSM Host : Encrypt data → { | pdk } | km ⊕ data , pan Host HSM : → { | pan } | pdk (= PIN!) HSM Host : Graham Steel Security API Analysis March 2007

  19. 10 IBM Recommendations Published in response to attacks Graham Steel Security API Analysis March 2007

  20. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command Graham Steel Security API Analysis March 2007

  21. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command 2. More access control – security officers access fewer commands Graham Steel Security API Analysis March 2007

  22. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command 2. More access control – security officers access fewer commands 3. Procedural controls to check entered key parts Graham Steel Security API Analysis March 2007

  23. 10 IBM Recommendations Published in response to attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA S YMMETRIC K EY I MPORT command 2. More access control – security officers access fewer commands 3. Procedural controls to check entered key parts Not to be confused with Bond’s own recommendations Graham Steel Security API Analysis March 2007

  24. 11 Formal Modelling Following the classical ‘Dolev-Yao’ style: Bitstrings modelled as terms Cryptography modelled as function on terms Graham Steel Security API Analysis March 2007

  25. 11 Formal Modelling Following the classical ‘Dolev-Yao’ style: Bitstrings modelled as terms Cryptography modelled as function on terms API rules modelled as Horn clauses Graham Steel Security API Analysis March 2007

  26. 11 Formal Modelling Following the classical ‘Dolev-Yao’ style: Bitstrings modelled as terms Cryptography modelled as function on terms API rules modelled as Horn clauses Security problem modelled as derivability of a secret term Graham Steel Security API Analysis March 2007

  27. 12 Examples Encrypt data: x , { | xd1 } | km ⊕ data → { | x } | xd1 Graham Steel Security API Analysis March 2007

  28. 12 Examples Encrypt data: x , { | xd1 } | km ⊕ data → { | x } | xd1 Intruder rules: → { | x } | y x , y { | x } | y , y → x → x ⊕ y x , y Graham Steel Security API Analysis March 2007

  29. 12 Examples Encrypt data: x , { | xd1 } | km ⊕ data → { | x } | xd1 Intruder rules: → { | x } | y x , y { | x } | y , y → x → x ⊕ y x , y Secrecy problem undecidable in general Graham Steel Security API Analysis March 2007

  30. 13 Characterisation of Class Finite set of atoms (km, imp, data, pin, ... ) XOR term ::= atom atom ⊕ XOR term { | XOR term } | XOR term Encryption term ::= Well Formed Term ::= Encryption term XOR term WFT, ... , WFT → WFT Well Formed Rule ::= Graham Steel Security API Analysis March 2007

  31. 14 Theorem If: R finite set of well-formed rules S finite set of well-formed ground terms u some ground well-formed term Then: S ⊢ R u ⇐ ⇒ S ⊢ R u using only well-formed terms. Graham Steel Security API Analysis March 2007

  32. 14 Theorem If: R finite set of well-formed rules S finite set of well-formed ground terms u some ground well-formed term Then: S ⊢ R u ⇐ ⇒ S ⊢ R u using only well-formed terms. Corollary: The question of whether S ⊢ R u is decidable Graham Steel Security API Analysis March 2007

  33. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Graham Steel Security API Analysis March 2007

  34. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Encode terms as integers kek ⊕ pin ⊕ data → km kp kek imp exp data pin ← 19 0 0 1 0 0 1 1 Graham Steel Security API Analysis March 2007

  35. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Encode terms as integers kek ⊕ pin ⊕ data → km kp kek imp exp data pin ← 19 0 0 1 0 0 1 1 Each rule is a partial function f : N k → N for k inputs e.g. f 1 : x 1 , x 2 → x 1 ⊕ x 2 x 1 , x 2 → x 1 ⊕ x 2 ≡ Graham Steel Security API Analysis March 2007

  36. 15 Decision Procedure 2 12 possible unencrypted terms 2 24 possible encrypted terms ( { | . } | . ) Encode terms as integers kek ⊕ pin ⊕ data → km kp kek imp exp data pin ← 19 0 0 1 0 0 1 1 Each rule is a partial function f : N k → N for k inputs e.g. f 1 : x 1 , x 2 → x 1 ⊕ x 2 x 1 , x 2 → x 1 ⊕ x 2 ≡ f 2 : [ xky | x ] , xtype , [ xkek | km ⊕ imp ] → [ xky | km ⊕ xtype ] IF x = xkek ⊕ xtype Graham Steel Security API Analysis March 2007

  37. 16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Graham Steel Security API Analysis March 2007

  38. 16 Decision Procedure 1. Allocate sufficient memory for all possible terms 2. Set to 1 locations corresponding to initial knowledge, rest to 0 3. Exhaustively apply each rule, setting newly discovered terms to 1 4. Repeat 3 until no new terms are discovered Some optimisations used Graham Steel Security API Analysis March 2007

Recommend

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis Powered by RIPS Technologies High-tech company based in Bochum, Germany Supports the full feature stack of the PHP language Detects

1.06k views • 47 slides
Automated Aspect Recommendation through Clustering-Based Fan-in Analysis Danfeng Zhang , Yao Guo,

Automated Aspect Recommendation through Clustering-Based Fan-in Analysis Danfeng Zhang , Yao Guo,

Automated Aspect Recommendation through Clustering-Based Fan-in Analysis Danfeng Zhang , Yao Guo, Xiangqun Chen Institute of Software, Peking University Talk Outline Background Motivation Clustering-Based Fan-in Analysis (CBFA)

485 views • 30 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University

Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University

Software Security Program Analysis with PREfast & SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

499 views • 36 slides
Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View Paul Hankes Drielsma and Sebastian M odersheim Information Security, ETH Zurich ARSPA Paul Hankes Drielsma 1 Introduction ASW: an

508 views • 14 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Chalmers Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning for Rigorous Systems Engineering In a vague sense, automated reasoning involves: 1. Representing a problem as a mathematical/logical

696 views • 53 slides
An Approach to Automated Thesaurus Construction Using Clusterization-Based Dictionary Analysis

An Approach to Automated Thesaurus Construction Using Clusterization-Based Dictionary Analysis

An Approach to Automated Thesaurus Construction Using Clusterization-Based Dictionary Analysis Nadezhda Lagutina P.G. Demidov Yaroslavl State University Yaroslavl, Russia Thesaurus definition Thesaurus is a vocabulary of controlled

379 views • 14 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule

Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule

Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule Animation (APBSA) Gokhan Gelisen, PhD Cand, PE Cost Manager Polytechnic Institute of NYU / Skanska USA Civil Inc. How to Improve Productivity?

395 views • 35 slides
Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE

Secure Web Application Development METHODOLOGIES AND AUTOMATED TOOLS MURAT KAYA SOFTWARE SECURITY SPECIALIST Agenda Software Security Overview Software Security Methodologies Security Test Methods Analysis Tools Tools

497 views • 25 slides
Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng , Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, Limin Sun USENIX Security 2019 Internet-of-Things (IoT) Devices IoT

422 views • 23 slides
Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond, Jolyon.Clulow}@cl.cam.ac.uk Workshop on Automated Reasoning for Security Protocols Analysis (ARSPA 2004) 4 th July 2004 Outline An introduction to

764 views • 31 slides
Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai system is a fully automated loan management system. This solution extends the productivity of Your loan business to the maximum. Easily integrates

541 views • 27 slides
my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA COLLECTION AND ANALYTICS There is a high demand for reliable Traffic Data but Static data single-purpose data Invasive costly deployment &

404 views • 18 slides
Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise Artificial Intelligence Laboratory (AI-Lab) Security & Trust Research Unit DIST, University of Genova FBK-IRST Genova Trento A. Armando (U.

879 views • 77 slides
Using Strategy Objectives for Network Security Analysis Elie Bursztein Stanford University /

Using Strategy Objectives for Network Security Analysis Elie Bursztein Stanford University /

Network Security Game Strategy Automated Analysis Conclusion Using Strategy Objectives for Network Security Analysis Elie Bursztein Stanford University / LSV, Ens-Cachan Inscrypt 2009 Elie Bursztein Using Strategy Objectives for Network

909 views • 78 slides
Automated Geospatial Watershed Assessment (AGWA) Tool: A GIS-based Hydrologic Modeling Tool for

Automated Geospatial Watershed Assessment (AGWA) Tool: A GIS-based Hydrologic Modeling Tool for

Automated Geospatial Watershed Assessment (AGWA) Tool: A GIS-based Hydrologic Modeling Tool for Watershed Assessment and Futures Analysis Phil Guertin, Shea Burns, Jane Barlow, Carl Unkrich, Yoga Korgaonkar, Ben Olimpio, and David Goodrich

795 views • 39 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS Spectrum Monitoring Explore real-world signals Easy access for beginners Live demodulation Batch processing of signals TASKS OF RECEIVING UNKNOWN

626 views • 16 slides
Towards Automated Computationally Faithful Specify protocol participants as processes following

Towards Automated Computationally Faithful Specify protocol participants as processes following

2 Security Analysis a la Dolev-Yao Towards Automated Computationally Faithful Specify protocol participants as processes following Dolev, Yao 1982: In addition to Verification of Cryptoprotocols expected participants, model attacker who: Jan

146 views • 4 slides

More recommend