mind your keys a security evaluation of java keystores
play

Mind Your Keys? A Security Evaluation of Java Keystores Marco - PowerPoint PPT Presentation

Mind Your Keys? A Security Evaluation of Java Keystores Marco Squarcina (Universit Ca Foscari & Cryptosense) Riccardo Focardi Francesco Palmarini Graham Steel Mauro Tempesta Universit Ca Foscari Universit Ca Foscari


  1. Mind Your Keys? A Security Evaluation of Java Keystores Marco Squarcina (Università Ca’ Foscari & Cryptosense) Riccardo Focardi Francesco Palmarini Graham Steel Mauro Tempesta Università Ca’ Foscari Università Ca’ Foscari Cryptosense Università Ca’ Foscari Cryptosense Yarix

  2. BACKGROUND MOTIVATIONS

  3. Key Storage HW Solutions HSM ● Smartcards ● PKCS#11

  4. Key Storage Keystore File containing crypto keys ● and certificates Content is secured by a ● password ******

  5. Key Storage Keystore File containing crypto keys ● and certificates Key Confidentiality Content is secured by a ● Key Integrity password S y s t e m I n t e g r i t y ******

  6. Password-based Key Derivation Ciphers require a key of a specific length ● Produce a key which can be used as a cryptographic key for a given ● cipher (e.g. 3DES) 160b 10K Password: 192b 3DES key KDF (pwd,salt,ic) ********** SHA1

  7. Password-based Key Derivation Ciphers require a key of a specific length ● Produce a key which can be used as a cryptographic key for a given ● cipher (e.g. 3DES) AVOID PREVENT PRECOMPUTATION BRUTEFORCE 160b 10K Password: 192b 3DES key KDF (pwd,salt,ic) ********** SHA1

  8. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  9. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  10. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  11. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  12. Keystore Types Oracle JRE/JDK Bouncy Castle JKS BKS ● ● JCEKS UBER ● ● PKCS#12 BCPKCS#12 ● ● BCFKS ●

  13. ATTACKS FLAWS

  14. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS W = Keystream W 0 = Salt W i = SHA1(pw||W i-1 ) K i = E i ⊕ W i CK = SHA1(pw||K)

  15. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS ~100X speedup W = Keystream W 0 = Salt W i = SHA1(pw||W i-1 ) K i = E i ⊕ W i CK = SHA1(pw||K) DER / ASN . 1

  16. Oracle JKS Password Cracking E = Encrypted Key Key Decryption in JKS ~100X speedup W = Keystream 8 billions pw/s with one NVIDIA W 0 = Salt W i = SHA1(pw||W i-1 ) GTX 1080 K i = E i ⊕ W i CK = SHA1(pw||K) DER / ASN . 1

  17. Oracle JKS/JCEKS Integrity Password Cracking SHA1(...)

  18. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...)

  19. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...) Efficient integrity-password bruteforce ( better w. rainbow-tables � ) ● Length extension attacks? ● Watch out when integrity password = confidentiality password! ●

  20. Oracle JKS/JCEKS Integrity Password Cracking Integrity Keystore password content “Mighty Aphrodite” SHA1( ***** || || ) SHA1(...) Efficient integrity-password bruteforce ( better w. rainbow-tables � ) ● Length extension attacks? ● Watch out when integrity password = confidentiality password! ●

  21. DoS by Integrity Parameters Abuse Oracle PKCS12 ● Bouncy Castle BKS ● Bouncy Castle PKCS12 ● KDF+HMAC

  22. DoS by Integrity Parameters Abuse Oracle PKCS12 ● Bouncy Castle BKS ● Bouncy Castle PKCS12 ● ASN.1 Structure … SEQUENCE (3 elem) SEQUENCE (2 elem) SEQUENCE (2 elem) KDF+HMAC OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW) NULL OCTET STRING (20 byte) C9C2AF5A... OCTET STRING (20 byte) 7B223BBC... Parameters INTEGER 1024

  23. DoS by Integrity Parameters Abuse Iteration Count = 2 31 –1 Oracle PKCS12 ● DoS the application Bouncy Castle BKS ● loading the keystore! Bouncy Castle PKCS12 ● ASN.1 Structure … SEQUENCE (3 elem) SEQUENCE (2 elem) SEQUENCE (2 elem) KDF+HMAC OBJECT IDENTIFIER 1.3.14.3.2.26 sha1 (OIW) NULL OCTET STRING (20 byte) C9C2AF5A... OCTET STRING (20 byte) 7B223BBC... Parameters INTEGER 1024

  24. JCEKS Secret Keys Code Exec

  25. JCEKS Secret Keys Code Exec SecretKey

  26. JCEKS Secret Keys Code Exec SealedObject SecretKey

  27. JCEKS Secret Keys Code Exec SealedObject SecretKey

  28. JCEKS Secret Keys Code Exec SealedObject SecretKey KeyStore Load Mechanism deserialize each SealedObject ● then perform Integrity Check ●

  29. JCEKS Secret Keys Code Exec SealedObject SecretKey KeyStore Load Mechanism deserialize each SealedObject ● then perform Integrity Check ●

  30. JCEKS Secret Keys Code Exec SealedObject SecretKey Command execution ● JDK≤1.7.21 & JDK≤1.8.20 DoS JDK>1.8.20 ● KeyStore Load Mechanism Fixed Oct 2017 CPU ● deserialize each SealedObject ● then perform Integrity Check ●

  31. JCEKS Secret Keys Code Exec after Decrypt SealedObject SecretKey

  32. JCEKS Secret Keys Code Exec after Decrypt SealedObject Deserialize of SecretKey Extended classpath ● Use gadgets from any 3rd-party library ●

  33. JCEKS Secret Keys Code Exec after Decrypt SealedObject Command execution on Deserialize of SecretKey latest JDK if integrity & key password are known! Extended classpath ● Use gadgets from any 3rd-party library ●

  34. JCEKS Secret Keys Code Exec after Decrypt JCEKS SealedObject SecretKey Rebrand ---------------------------- J ava C ode E xecution K ey S tore Command execution on Deserialize of SecretKey latest JDK if integrity & key password are known! Extended classpath ● Use gadgets from any 3rd-party library ●

  35. DISCLOSURE CONTRIBUTIONS

  36. Disclosure Timeline … 2017 May 2017 Aug 2017 Nov 2017 Keystore Report to Oracle BC1.58 released JCEKS code exec, Analysis and BC fixing some issues again... Apr 2017 Jul 2017 Oct 2017 TODAY Discovered code Issues fixed by Oracle CPU Full disclosure execution Oracle CVE-2017-10345, @NDSS18 at RuCTF finals CVE-2017-10356

  37. Responses Oracle Keytool, warning on JKS/JCEKS ● ○ The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format [...] Oracle JCEKS KDF params for PBE ● from 20 to 200K iterations (max 5M) ○ Oracle PKCS12 ● from 1024 to 50K iterations for PBE (max 5M) ○ from 1024 to 100K iterations for HMAC (max 5M) ○ Partial fix to the Oracle JCEKS code execution ● Similar improvements in Bouncy Castle ●

  38. Responses CVE-2017-10356 CVSS 6.2 Oracle Keytool, warning on JKS/JCEKS ● ○ The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format [...] Oracle JCEKS KDF params for PBE ● from 20 to 200K iterations (max 5M) ○ Oracle PKCS12 ● from 1024 to 50K iterations for PBE (max 5M) ○ from 1024 to 100K iterations for HMAC (max 5M) ○ Partial fix to the Oracle JCEKS code execution ● CVE-2017-10345 CVSS 3.1 Similar improvements in Bouncy Castle ●

  39. Contributions Threat model for password-protected keystores, design rules for ● secure keystores Analysis of 7 keystores ● Cryptographic implementation ○ Weaknesses & Attacks ○ Brute force time comparison for key confidentiality and integrity ● passwords Concrete improvements to the security of Oracle JDK and Bouncy ● Castle keystores

  40. THANK YOU! (´ ▽ ` ) ノ

  41. ??? Q ?????????? U ???????????? E ????? ?????? S ??? T ??????????????? I ?????? ? O ??????????????? N ??????????? S ??? squarcina @ unive.it @ blueminimal https://www.linkedin.com/in/squarcina/

Recommend


More recommend