format oracles on openpgp
play

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. - PowerPoint PPT Presentation

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We


  1. Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19

  2. Format Oracles on OpenPGP | Introduction Contribution We identify new format oracles on OpenPGP implementations of symmetrically (authenticated and) encrypted data We study the number of oracle requests necessary to recover a plaintext Format oracle Requests per byte Affected implementation Invalid packet tag 2 GnuPG 2 6 Double literal GnuPG 2 8 MDC packet header GnuPG, End-to-End Maury et al. | ANSSI | CT-RSA 2015 2 / 19

  3. Format Oracles on OpenPGP | Introduction Padding Oracles An encryption scheme is modeled by two (inverse processes) E : P , K → C D : → P (or ⊥ , in authenticated encryption) C , K Issue: Before encryption, the plaintext is usually prepared following a specific format, e.g., a padding is applied After decryption, this format has to be removed. This process may raise errors if the format is not followed The presence/absence of error P E M format C leaks information on the result of decryption ˜ P ˜ ˜ D unformat M C Using malleability of D , this leakage can be aggregated to error decipher a target ciphertext Maury et al. | ANSSI | CT-RSA 2015 3 / 19

  4. Format Oracles on OpenPGP | Introduction Padding/Format Oracles Attacks This principle can be used to mount chosen ciphertext attacks enabling to decipher a target ciphertext adversary C ∗ = E K ( P ∗ ) decryption process for D K purpose: recover P ∗ C i chosen variants of C ∗ computes P i = D K ( C i ) OK or KO information about P i is leaked derives P ∗ (error message, timing info) Previous results Bleichenbacher on RSA-PKCS#1v1.5, in SSL/TLS [Bl98] Vaudenay on CBC mode used with specific padding schemes, in SSL or IPsec [Va02] Kl´ ıma and Rosa noted that the format has not to be restricted to cryptographic padding, but may be applicative [KR03] Maury et al. | ANSSI | CT-RSA 2015 4 / 19

  5. Format Oracles on OpenPGP | OpenPGP OpenPGP Maury et al. | ANSSI | CT-RSA 2015 5 / 19

  6. Format Oracles on OpenPGP | OpenPGP OpenPGP Pretty Good Privacy: published by P. Zimmermann in 1991 Application enabling to protect Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature Standardized by IETF from 1997: OpenPGP message format RFC 2440, november 1998 Updated by RFC 4880, november 2007 Main free implementation of the standard: GnuPG Renewed interest following the Snowden revelations Increase in the number of monthly registered public keys Multiple promotional campaigns Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  7. Format Oracles on OpenPGP | OpenPGP OpenPGP Number of keys registered (by month) Pretty Good Privacy: published by P. Zimmermann in 1991 45 , 000 Snowden 40 , 000 Application enabling to protect 35 , 000 Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature 30 , 000 Standardized by IETF from 1997: OpenPGP message format 25 , 000 GnuPG RFC 2440, november 1998 20 , 000 Updated by RFC 4880, november 2007 15 , 000 Main free implementation of the standard: GnuPG 10 , 000 Renewed interest following the Snowden revelations 5 , 000 Increase in the number of monthly registered public keys 0 Multiple promotional campaigns 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  8. Format Oracles on OpenPGP | OpenPGP OpenPGP Pretty Good Privacy: published by P. Zimmermann in 1991 Application enabling to protect Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature Standardized by IETF from 1997: OpenPGP message format RFC 2440, november 1998 Updated by RFC 4880, november 2007 Main free implementation of the standard: GnuPG Renewed interest following the Snowden revelations Increase in the number of monthly registered public keys Multiple promotional campaigns Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  9. Format Oracles on OpenPGP | OpenPGP OpenPGP Promotion of GnuPG by FSF Europe Pretty Good Privacy: published by P. Zimmermann in 1991 Application enabling to protect Confidentiality e.g. of emails, through hybrid encryption Authenticity, through signature Standardized by IETF from 1997: OpenPGP message format RFC 2440, november 1998 Updated by RFC 4880, november 2007 Main free implementation of the standard: GnuPG Renewed interest following the Snowden revelations Increase in the number of monthly registered public keys Multiple promotional campaigns Maury et al. | ANSSI | CT-RSA 2015 6 / 19

  10. Format Oracles on OpenPGP | OpenPGP OpenPGP Encryption Mode Symmetric encryption is done in OpenPGP with CFB mode CFB is used with an all zero IV, and is made non-deterministic by prepending a random block to the plaintext The first 2 bytes of the initial random block are repeated This provides a quick consistency check at the beginning of decryption, useful for password based encryption This check has been used by [MZ05] to decipher 2 bytes per block with an oracle attack No padding, truncation of the keystream Authenticated encryption uses an ad-hoc mode Security? Maury et al. | ANSSI | CT-RSA 2015 7 / 19

  11. Format Oracles on OpenPGP | OpenPGP OpenPGP Message Format Packet Structure T L V Encrypted Packet (with Integrity Protection) SHA-1 plaintext packet(s) Digest MDC packet $ $ 0xD3 0x14 Encryption K encrypted data C T L Maury et al. | ANSSI | CT-RSA 2015 8 / 19

  12. Format Oracles on OpenPGP | Oracles Oracles Maury et al. | ANSSI | CT-RSA 2015 9 / 19

  13. Format Oracles on OpenPGP | Oracles Format Oracles in OpenPGP Implementations We investigated implementations that are (or can be seen) as libraries, to use to develop higher-level applications relying on OpenPGP Application OpenPGP library We expect these implementations to act as cryptographic back ends for the front end applications: Perform all cryptographic operations As a consequence, be the only part where keys are manipulated Issue: The interaction between application and library often goes beyond the ideal model of encryption schemes Error messages are output (or logged) The API of the library does not state whether these errors are sensitive There is a risk that the front end may leak them Result: Identification of 3 types of leakage, potential oracles (over 50 distinct oracles) Maury et al. | ANSSI | CT-RSA 2015 10 / 19

  14. Format Oracles on OpenPGP | Oracles Format Oracles in OpenPGP Implementations We investigated implementations that are (or can be seen) as libraries, to use to develop higher-level applications relying on OpenPGP Application OpenPGP library Investigated implementations GnuPG, originally an application, but can be used as a We expect these implementations to act as cryptographic back ends library through scripting, even produces status messages for for the front end applications: the calling application for such cases. Perform all cryptographic operations As a consequence, be the only part where keys are manipulated End-to-End, Google OpenPGP implementation in JavaScript Issue: The interaction between application and library often goes OpenPGP.js, another library developed in JavaScript beyond the ideal model of encryption schemes Error messages are output (or logged) The API of the library does not state whether these errors are sensitive There is a risk that the front end may leak them Result: Identification of 3 types of leakage, potential oracles (over 50 distinct oracles) Maury et al. | ANSSI | CT-RSA 2015 10 / 19

  15. Format Oracles on OpenPGP | Oracles Format Oracles in OpenPGP Implementations We investigated implementations that are (or can be seen) as libraries, to use to develop higher-level applications relying on OpenPGP Application OpenPGP library We expect these implementations to act as cryptographic back ends for the front end applications: Perform all cryptographic operations As a consequence, be the only part where keys are manipulated Issue: The interaction between application and library often goes beyond the ideal model of encryption schemes Error messages are output (or logged) The API of the library does not state whether these errors are sensitive There is a risk that the front end may leak them Result: Identification of 3 types of leakage, potential oracles (over 50 distinct oracles) Maury et al. | ANSSI | CT-RSA 2015 10 / 19

  16. Format Oracles on OpenPGP | Oracles MDC Packet Header Oracle For integrity-protected encrypted packets, the last 22 bytes of the decrypted ciphertext form a Modification Detection Code packet 20-byte SHA-1 Digest 0xD3 0x14 GnuPG and End-to-End enforced this format by specifically checking for the two byte values 0xD314 at position 22 and 21 from the end of the decrypted ciphertext, and returning specific error messages in case of mismatch Using this leakage and CFB malleability, it is possible to recover any two bytes of plaintext by performing 2 16 oracle queries Maury et al. | ANSSI | CT-RSA 2015 11 / 19

Recommend


More recommend