mind your keys a security evaluation of java keystores
play

Mind Your Keys? A Security Evaluation of Java Keystores Marco - PowerPoint PPT Presentation

Aug 16, 2022 •167 likes •582 views

Mind Your Keys? A Security Evaluation of Java Keystores Marco Squarcina (Universit Ca Foscari & Cryptosense) Riccardo Focardi Francesco Palmarini Graham Steel Mauro Tempesta Universit Ca Foscari Universit Ca Foscari

  1. Mind Your Keys? A Security Evaluation of Java Keystores Marco Squarcina (Università Ca’ Foscari & Cryptosense) Riccardo Focardi Francesco Palmarini Graham Steel Mauro Tempesta Università Ca’ Foscari Università Ca’ Foscari Cryptosense Università Ca’ Foscari Cryptosense Yarix

  2. BACKGROUND MOTIVATIONS

  3. Key Storage HW Solutions HSM ● Smartcards ● PKCS#11

  4. Key Storage Keystore File containing crypto keys ● and certificates Content is secured by a ● password ******

  5. Key Storage Keystore File containing crypto keys ● and certificates Key Confidentiality Content is secured by a ● Key Integrity password S y s t e m I n t e g r i t y ******

  6. Password-based Key Derivation Ciphers require a key of a specific length ● Produce a key which can be used as a cryptographic key for a given ● cipher (e.g. 3DES) 160b 10K Password: 192b 3DES key KDF (pwd,salt,ic) ********** SHA1

  7. Password-based Key Derivation Ciphers require a key of a specific length ● Produce a key which can be used as a cryptographic key for a given ● cipher (e.g. 3DES) AVOID PREVENT PRECOMPUTATION BRUTEFORCE 160b 10K Password: 192b 3DES key KDF (pwd,salt,ic) ********** SHA1

  8. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  9. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  10. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  11. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  12. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  13. ATTACKS FLAWS

  14. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS W = Keystream W 0 = Salt W i = SHA1(pw||W i-1 ) K i = E i ⊕ W i CK = SHA1(pw||K)

  15. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS ~100X speedup W = Keystream W 0 = Salt W i = SHA1(pw||W i-1 ) K i = E i ⊕ W i CK = SHA1(pw||K) DER / ASN . 1

  16. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS ~100X speedup W = Keystream 8 billions pw/s with one NVIDIA W 0 = Salt W i = SHA1(pw||W i-1 ) GTX 1080 K i = E i ⊕ W i CK = SHA1(pw||K) DER / ASN . 1

  17. Oracle JKS/JCEKS Integrity Password Cracking SHA1(...)

  18. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...)

  19. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...) Efficient integrity-password bruteforce ( better w. rainbow-tables � ) ● Length extension attacks? ● Watch out when integrity password = confidentiality password! ●

  20. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...) Efficient integrity-password bruteforce ( better w. rainbow-tables � ) ● Length extension attacks? ● Watch out when integrity password = confidentiality password! ●

  21. DoS by Integrity Parameters Abuse Oracle PKCS12 ● Bouncy Castle BKS ● Bouncy Castle PKCS12 ● KDF+HMAC

  22. DoS by Integrity Parameters Abuse Oracle PKCS12 ● Bouncy Castle BKS ● Bouncy Castle PKCS12 ● ASN.1 Structure … SEQUENCE (3 elem) SEQUENCE (2 elem) SEQUENCE (2 elem) KDF+HMAC OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW) NULL OCTET STRING (20 byte) C9C2AF5A... OCTET STRING (20 byte) 7B223BBC... Parameters INTEGER 1024

  23. DoS by Integrity Parameters Abuse Iteration Count = 2 31 –1 Oracle PKCS12 ● DoS the application Bouncy Castle BKS ● loading the keystore! Bouncy Castle PKCS12 ● ASN.1 Structure … SEQUENCE (3 elem) SEQUENCE (2 elem) SEQUENCE (2 elem) KDF+HMAC OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW) NULL OCTET STRING (20 byte) C9C2AF5A... OCTET STRING (20 byte) 7B223BBC... Parameters INTEGER 1024

  24. JCEKS Secret Keys Code Exec

  25. JCEKS Secret Keys Code Exec SecretKey

  26. JCEKS Secret Keys Code Exec SealedObject SecretKey

  27. JCEKS Secret Keys Code Exec SealedObject SecretKey

  28. JCEKS Secret Keys Code Exec SealedObject SecretKey KeyStore Load Mechanism deserialize each SealedObject ● then perform Integrity Check ●

  29. JCEKS Secret Keys Code Exec SealedObject SecretKey KeyStore Load Mechanism deserialize each SealedObject ● then perform Integrity Check ●

  30. JCEKS Secret Keys Code Exec SealedObject SecretKey Command execution ● JDK≤1.7.21 & JDK≤1.8.20 DoS JDK>1.8.20 ● KeyStore Load Mechanism Fixed Oct 2017 CPU ● deserialize each SealedObject ● then perform Integrity Check ●

  31. JCEKS Secret Keys Code Exec after Decrypt SealedObject SecretKey

  32. JCEKS Secret Keys Code Exec after Decrypt SealedObject Deserialize of SecretKey Extended classpath ● Use gadgets from any 3rd-party library ●

  33. JCEKS Secret Keys Code Exec after Decrypt SealedObject Command execution on Deserialize of SecretKey latest JDK if integrity & key password are known! Extended classpath ● Use gadgets from any 3rd-party library ●

  34. JCEKS Secret Keys Code Exec after Decrypt JCEKS SealedObject SecretKey Rebrand ---------------------------- J ava C ode E xecution K ey S tore Command execution on Deserialize of SecretKey latest JDK if integrity & key password are known! Extended classpath ● Use gadgets from any 3rd-party library ●

  35. DISCLOSURE CONTRIBUTIONS

  36. Disclosure Timeline … 2017 May 2017 Aug 2017 Nov 2017 Keystore Report to Oracle BC1.58 released JCEKS code exec, Analysis and BC fixing some issues again... Apr 2017 Jul 2017 Oct 2017 TODAY Discovered code Issues fixed by Oracle CPU Full disclosure execution Oracle CVE-2017-10345, @NDSS18 at RuCTF finals CVE-2017-10356

  37. Responses Oracle Keytool, warning on JKS/JCEKS ● ○ The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format [...] Oracle JCEKS KDF params for PBE ● from 20 to 200K iterations (max 5M) ○ Oracle PKCS12 ● from 1024 to 50K iterations for PBE (max 5M) ○ from 1024 to 100K iterations for HMAC (max 5M) ○ Partial fix to the Oracle JCEKS code execution ● Similar improvements in Bouncy Castle ●

  38. Responses CVE-2017-10356 CVSS 6.2 Oracle Keytool, warning on JKS/JCEKS ● ○ The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format [...] Oracle JCEKS KDF params for PBE ● from 20 to 200K iterations (max 5M) ○ Oracle PKCS12 ● from 1024 to 50K iterations for PBE (max 5M) ○ from 1024 to 100K iterations for HMAC (max 5M) ○ Partial fix to the Oracle JCEKS code execution ● CVE-2017-10345 CVSS 3.1 Similar improvements in Bouncy Castle ●

  39. Contributions Threat model for password-protected keystores, design rules for ● secure keystores Analysis of 7 keystores ● Cryptographic implementation ○ Weaknesses & Attacks ○ Brute force time comparison for key confidentiality and integrity ● passwords Concrete improvements to the security of Oracle JDK and Bouncy ● Castle keystores

  40. THANK YOU! (´ ▽ ` ) ノ

  41. ??? Q ?????????? U ???????????? E ????? ?????? S ??? T ??????????????? I ?????? ? O ??????????????? N ??????????? S ??? squarcina @ unive.it @ blueminimal https://www.linkedin.com/in/squarcina/

Recommend

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

702 views • 33 slides
STARTING WITH THE END IN MIND How evaluation can support you in achieving program goals October

STARTING WITH THE END IN MIND How evaluation can support you in achieving program goals October

STARTING WITH THE END IN MIND How evaluation can support you in achieving program goals October 23, 2017 Sophia Mansori Sheila Rodriguez Gabriela Garcia Todays agenda Introduce our evaluation team 1 Review evaluation activities and

357 views • 16 slides
T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP Kaufman et al: Ch 17, 11.2 SSL/TLS 18, 19 11.3 IPSEC Stallings: Ch 16,17 1 Pretty Good Privacy Email encryption program

566 views • 8 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
You still use the password after all Exploring FIDO2 Security Keys in a Small Company

You still use the password after all Exploring FIDO2 Security Keys in a Small Company

You still use the password after all Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, and Markus Drmuth Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)

571 views • 11 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats Key Management KDC Policy Symmetric keys Specification Asymmetric keys PKI Design Security Protocols Kerberos

617 views • 39 slides
Run-time Evaluation of Opportunities for Object Inlining in Java Ond rej Lhot ak and

Run-time Evaluation of Opportunities for Object Inlining in Java Ond rej Lhot ak and

Run-time Evaluation of Opportunities for Object Inlining in Java Ond rej Lhot ak and Laurie Hendren Sable Research Group McGill University November 5th, 2002 p. 1/30 Motivation Java allows only references to objects as fields,

318 views • 30 slides
The need for a formal model of Java Safety guarantees of Java definedness type safety

The need for a formal model of Java Safety guarantees of Java definedness type safety

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

595 views • 44 slides
5 things to keep in mind as you design your evaluation strategy Using the example of Plans

5 things to keep in mind as you design your evaluation strategy Using the example of Plans

Presentation prepared for the Innovation for Education Program 5 things to keep in mind as you design your evaluation strategy Using the example of Plans Teachers Self- Learning Academy June 6th, 2013 www.laterite-africa.com What

987 views • 19 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens,

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys Mathy Vanhoef and Frank Piessens, iMinds-DistriNet, KU Leuven USENIX Security 2016 Security of Wi-Fi group keys? Protect broadcast and multicast Wi-Fi frames: All clients share a

564 views • 29 slides
Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The

Java Technologies Java EE - Introduction First of All Course Information The Goal The Motivation Teaching / Learning Bibliography Evaluation Lab: problems, personal projects, essays easy Exam: written test /

711 views • 22 slides
2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe

Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe

Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe Internet Programming Group Princeton University The Java Model Web server Web browser Java program URL lookup applet code byte code Verifier

458 views • 14 slides
Know the mind. Shape the mind. Free the mind. 1 The Neurology of Awakening: Using the New Brain

Know the mind. Shape the mind. Free the mind. 1 The Neurology of Awakening: Using the New Brain

Know the mind. Shape the mind. Free the mind. 1 The Neurology of Awakening: Using the New Brain Research to Steady Your Mind Spirit Rock Meditation Center February 17, 2019 Rick Hanson, Ph.D. The Wellspring Institute For Neuroscience and

959 views • 58 slides
Private Keys And Security In A World Of Blockchain Mat Cybula Co-Founder & CEO

Private Keys And Security In A World Of Blockchain Mat Cybula Co-Founder & CEO

Private Keys And Security In A World Of Blockchain Mat Cybula Co-Founder & CEO mat@cryptiv.com State of the blockchain 2016 - A big year for blockchain Public Ledgers Evolve Wall Street Places Bets Digital Assets Have Arrived Why this

217 views • 21 slides
SAR-SSI 2012 1 Introduction Java Card security model Off-card security model Java class Byte

SAR-SSI 2012 1 Introduction Java Card security model Off-card security model Java class Byte

Samiya Hamadouche, Guillaume Bouffard , Jean-Louis Lanet, Bruno Dorsemaine , Bastien Nouhant, Alexandre Magloire, Arnaud Reygnaud guillaume.bouffard@xlim.fr bruno.dorsemaine@etu.unilim.fr SAR-SSI 2012 1 Introduction Java Card security model

227 views • 19 slides
Seismic Response and Seismic Response and Capacity Evaluation of Exterior Capacity Evaluation of

Seismic Response and Seismic Response and Capacity Evaluation of Exterior Capacity Evaluation of

2009 Caltrans-PEER Seismic Seminar Series Seismic Response and Seismic Response and Capacity Evaluation of Exterior Capacity Evaluation of Exterior Sacrificial Shear Keys of Bridge Sacrificial Shear Keys of Bridge Abutments Abutments Scott

178 views • 17 slides
Mind your Language(s)! A discussion about languages and security Eric Jaeger & Olivier

Mind your Language(s)! A discussion about languages and security Eric Jaeger & Olivier

Mind your Language(s)! A discussion about languages and security Eric Jaeger & Olivier Levillain LangSec Workshop @ IEEE SSP, 2014-05-18 ANSSI ANSSI (French Network and Information Security Agency) has InfoSec (and no Intelligence)

697 views • 46 slides
Xpanda security products The gate way to peace of mind Retail security gate solutions

Xpanda security products The gate way to peace of mind Retail security gate solutions

Xpanda Security Products Presentation Xpanda security products The gate way to peace of mind Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate

491 views • 13 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1 CS 136, Fall 2014 Outline Properties of keys Key management Key servers Certificates Lecture 5 Page 2 CS 136, Fall 2014

1.02k views • 68 slides

More recommend