Breaking Deployed Crypto: The Side Channel Analyst's Way
Daniel Moghimi (@danielmgmi), Hardwear.io, 04/30/2020
About Me • Daniel Moghimi @danielmgmi • Security Researcher • PhD Student @ WPI • Microarchitectural Security • Side Channels • Breaking Crypto Implementations • Trusted Execution Environment (Intel SGX)
Cryptanalysis
• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c)
(figure: m → Encrypt / Decrypt / Sign under key k → c)
• Example, ECDSA signing with nonce $k_i$ and private key $d$: $(x_1, y_1) = k_i \times G$, $r_i = x_1 \bmod n$, $s_i = k_i^{-1}(z_i + r_i d) \bmod n$, where $z_i$ is the hash of message $i$
• Two signatures: $s_1 = k_1^{-1}(z_1 + r_1 d) \bmod n$, $s_2 = k_2^{-1}(z_2 + r_2 d) \bmod n$
• Nonce reuse, $k_1 = k_2 = k$ (so also $r_1 = r_2 = r$): $s_2 - s_1 = k^{-1}(z_2 - z_1) \bmod n$
• The nonce and then the private key follow from the two signatures alone: $k = (z_2 - z_1)(s_2 - s_1)^{-1} \bmod n$, $d = r^{-1}(s_1 k - z_1) \bmod n$
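The nonce-reuse case above, carried through in code. This is an added example, not code from the talk: a minimal pure-Python ECDSA over secp256k1 (curve constants as published in SEC 2), a signer that deliberately reuses k for two messages, and the two-line recovery of k and then d from the resulting pair of signatures. The function names (hash_msg, recover_from_reuse, demo_nonce_reuse), the messages and the seed are constructed for the demo.

```python
"""ECDSA nonce reuse on secp256k1 (added example, not code from the talk)."""
import hashlib
import random

# secp256k1 domain parameters (SEC 2)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for a demo)."""
    res = None
    while k:
        if k & 1:
            res = ec_add(res, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return res


def hash_msg(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(d, m, k):
    """ECDSA: r = x(kG) mod n, s = k^-1 (z + r d) mod n, with the caller choosing k."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_msg(m) + r * d) % N
    return r, s


def verify(Q, m, sig):
    r, s = sig
    w = pow(s, -1, N)
    z = hash_msg(m)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def recover_from_reuse(m1, sig1, m2, sig2):
    """Same k => same r, and s2 - s1 = k^-1 (z2 - z1): solve for k, then for d."""
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "nonce reuse shows up as an identical r"
    z1, z2 = hash_msg(m1), hash_msg(m2)
    k = (z2 - z1) * pow(s2 - s1, -1, N) % N
    d = (s1 * k - z1) * pow(r1, -1, N) % N
    return k, d


def demo_nonce_reuse(seed=2020):
    """Returns (true d, recovered d, both signatures verify)."""
    rng = random.Random(seed)                     # constructed demo inputs
    d = rng.randrange(1, N)
    Q = ec_mul(d, G)
    k = rng.randrange(1, N)                       # the bug: one k for two messages
    m1, m2 = b"pay 10 to alice", b"pay 1000 to mallory"
    sig1, sig2 = sign(d, m1, k), sign(d, m2, k)
    _, d_rec = recover_from_reuse(m1, sig1, m2, sig2)
    return d, d_rec, verify(Q, m1, sig1) and verify(Q, m2, sig2)


if __name__ == "__main__":
    d, d_rec, ok = demo_nonce_reuse()
    print(f"signatures valid: {ok}, key recovered: {d == d_rec}")
```

The recovery works purely from the public (r, s) pairs and the two message hashes; nothing about the curve beyond the group order n is needed, which is why a biased rather than fully repeated nonce is still fatal once enough signatures are available.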
Side-Channel Cryptanalysis
• Cryptosystem with an input m, output c, and secret k
• Attacker tries to learn k by looking at (m, c) and a physical signal s
(figure: m → Encrypt / Decrypt / Sign under key k → c, with the side-channel signal s leaking out)
Side-Channel Attacks
• Channels: Power Analysis, EM Analysis, …, Timing Analysis, CPU Side Channels
• Threat Models: Physical Access, Local Access (Co-location), Remote
Secure Elements
• Software is insecure: Heartbleed? Rootkits? Ransomware? Untrusted / bad org.? Computers are just evil?!
• Hardware-based Root of Trust?!
Trusted Platform Module (TPM)
• Security chip for computers?
• Tamper resistant
• Side-channel resistant
• Crypto co-processor
• Becomes part of the Trusted Computing Base
Trusted Platform Module (TPM) • Cryptographic co-processor, specified by the Trusted Computing Group • Secure Storage • Integrity Measurement • TRNG • Hash Functions • Encryption • Digital Signatures
TPM – Digital Signatures • Applications: Trusted Execution of Signing Operations, Remote Attestation • TPM 2.0 supports elliptic-curve digital signatures: ECDSA, ECSchnorr, ECDAA (Anonymous Remote Attestation)
Trusted Computing Group • https://trustedcomputinggroup.org/membership/certification/ • https://trustedcomputinggroup.org/membership/certification/tpm-certified-products/
Are TPMs really side-channel resistant?
High-resolution Timing Test • TPM frequency ≈ 32-120 MHz • CPU frequency is more than 2 GHz, so the host's cycle counter resolves differences of a few TPM clock cycles
High-resolution Timing Test – Intel PTT (fTPM)
• Intel Platform Trust Technology (PTT): integrated firmware TPM inside the CPU package
• Runs on top of the Converged Security and Management Engine (CSME), a standalone low-power processor in the PCH
• Has been around since Haswell
• Linux TPM Command Response Buffer (CRB) driver; a modified kernel driver increases the timing resolution
(figure: CPU and PCH, with the fTPM running on the CSME; timing histogram)
High-resolution Timing Test – Analysis • RSA and ECDSA timing test on three dedicated TPMs and the Intel fTPM • Various non-constant-time behaviour for both RSA and ECDSA
High-resolution Timing Test – ECDSA Nonce
• Intel fTPM: 4-bit window nonce length leakage, for ECDSA, ECSchnorr and BN-256 (ECDAA)
• Example nonces and their number of leading zero 4-bit windows: 0101000100111111...111 (0), 0000100100111111...111 (1), 1101000100111111...111 (0), 0000000000111111...111 (2), 0000000000001111...111 (3)
(figure: histogram of signing time t per nonce group, axis ticks 4.67, 4.72, 4.76, 4.8, 4.84)
• STMicro TPM: bit-by-bit nonce length leakage
TPM-Fail – Recovering Private ECDSA Key
• TPM is programmed with an unknown key
• We already have a template for $t_i$, the signing time as a function of nonce length
1. Collect a list of signatures $(r_i, s_i)$ and timing samples $t_i$.
2. Filter signatures based on $t_i$ and keep the $(r_i, s_i)$ with a known bias.
3. Lattice-based attack to recover the private key $d$ from signatures with biased nonces $k_i$.
Lattice and Hidden Number Problem
• $s = k^{-1}(z + dr) \bmod n$ → $k_i - s_i^{-1} r_i\, d - s_i^{-1} z_i \equiv 0 \pmod n$
• → $k_i + A_i d + B_i \equiv 0 \pmod n$ with $A_i = -s_i^{-1} r_i$, $B_i = -s_i^{-1} z_i$
• Let $X$ be the upper bound on $k_i$; $(d, k_1, \dots, k_t)$ is unknown
• Lattice construction (rows are basis vectors), reduced with LLL/BKZ:
$$\begin{pmatrix} n & 0 & \cdots & 0 & 0 & 0 \\ 0 & n & \cdots & 0 & 0 & 0 \\ \vdots & & \ddots & & \vdots & \vdots \\ 0 & 0 & \cdots & n & 0 & 0 \\ A_1 & A_2 & \cdots & A_t & X/n & 0 \\ B_1 & B_2 & \cdots & B_t & 0 & X \end{pmatrix}$$
• $(-k_1, \dots, -k_t, dX/n, X)$ is a lattice vector (the combination $d \cdot$ A-row $+$ B-row minus multiples of the $n$ rows) and is short because every $|k_i| < X$, so lattice reduction finds it and $d$ can be read off
[1] Dan Boneh and Ramarathnam Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes
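The three-step recovery from the TPM-Fail slide (collect, filter by timing template, lattice) and the hidden number problem lattice above, carried through in code. This is an added example, not the talk's tooling: the signer is a modular-arithmetic stand-in for a leaky TPM with group order n = 2^31 - 1 instead of a real curve (r_i is drawn at random rather than being the x-coordinate of k_i G, which leaves the relation s_i = k_i^-1 (z_i + r_i d) mod n, the only thing the lattice uses, unchanged); the timing template (BASE, STEP, SIGMA: one STEP per 4-bit window of the nonce plus Gaussian noise) is constructed; MAX_WINDOWS, X, the seed and the function names are all assumptions for the demo; and lattice reduction is a textbook LLL over exact rationals instead of fpylll/BKZ. The basis is the slide's matrix scaled by n so that every entry is an integer.

```python
"""TPM-Fail style ECDSA key recovery: timing filter + HNP lattice (added example).
The 'TPM' below is a modular-arithmetic stand-in; r_i is random instead of x(k_i G)."""
import random
from fractions import Fraction

N = 2**31 - 1                           # stand-in group order (prime); real curves use ~256-bit n
BASE, STEP, SIGMA = 4.00, 0.05, 0.005   # constructed timing template: BASE + STEP per 4-bit window + noise
MAX_WINDOWS = 4                         # keep signatures whose nonce fits in 4 windows, i.e. k_i < 2^16
X = 2 ** (4 * MAX_WINDOWS)              # upper bound on the nonces that survive the filter


def leaky_sign(rng, d, z):
    """ECDSA-shaped signature whose duration grows with the nonce's 4-bit window count."""
    k = rng.randrange(1, N)
    windows = (k.bit_length() + 3) // 4             # windowed scalar mult skips leading zero windows
    t = BASE + STEP * windows + rng.gauss(0, SIGMA)
    r = rng.randrange(1, N)                         # stand-in for x(kG) mod n
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s, t


def collect_biased(rng, d, want):
    """Steps 1 and 2 of the slide: sign many messages, keep the (r_i, s_i, z_i) whose timing
    matches the template entry for at most MAX_WINDOWS windows."""
    kept = []
    while len(kept) < want:
        z = rng.randrange(1, N)                     # hash of the i-th message
        r, s, t = leaky_sign(rng, d, z)
        if round((t - BASE) / STEP) <= MAX_WINDOWS:  # nearest template entry
            kept.append((r, s, z))
    return kept


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals (fine for ~10 dimensions; use fpylll for real attacks)."""
    b = [list(row) for row in basis]
    m = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * m for _ in range(m)]
        for i in range(m):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            mu[i][i] = Fraction(1)
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < m:
        for j in range(k - 1, -1, -1):              # size reduction (b* unchanged, mu updated in place)
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * mu[j][l]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                  # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]         # swap and recompute the orthogonalisation
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def hnp_recover(sigs):
    """Step 3: the slide's lattice scaled by n (integer entries), reduced; the target row is
    (-n k_1, ..., -n k_t, d X, n X) or its negation, so d is read off the row ending in +-nX."""
    t = len(sigs)
    A = [(-pow(s, -1, N) * r) % N for r, s, z in sigs]
    B = [(-pow(s, -1, N) * z) % N for r, s, z in sigs]
    basis = [[N * N if i == j else 0 for j in range(t + 2)] for i in range(t)]
    basis.append([N * a for a in A] + [X, 0])
    basis.append([N * b for b in B] + [0, N * X])
    for row in lll_reduce(basis):
        if abs(row[-1]) == N * X:
            d = (row[-2] if row[-1] > 0 else -row[-2]) // X
            if all((-a * d - b) % N < X for a, b in zip(A, B)):  # every implied nonce respects the bound
                return d % N
    return None


def demo_tpm_fail(seed=2020, signatures=7):
    """Returns (true d, recovered d) for a freshly drawn key."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)                         # the TPM's unknown private key
    return d, hnp_recover(collect_biased(rng, d, signatures))


if __name__ == "__main__":
    d, recovered = demo_tpm_fail()
    print(f"private key {d:#x}, recovered {recovered:#x}")
```

With these toy parameters seven filtered signatures (each with 16 known-zero leading bits of a 31-bit nonce) are more than enough; at real sizes the same construction needs on the order of n's bit length divided by the leaked bits per signature, plus a margin, and a proper BKZ implementation such as fpylll, which is what makes the signature filtering step (keeping only samples whose timing implies the strongest bias) the practical lever.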
TPM-Fail – Key Recovery Results
• Intel fTPM: ECDSA, ECSchnorr and BN-256 (ECDAA), under three different threat models: System, User, Network
• STMicroelectronics TPM: CC EAL4+ certified; gives you the key in 80 minutes
TPM-Fail Case Study: StrongSwan VPN (figure: VPN Client, VPN Server, TPM Device)