nonce disrespecting adversaries practical forgery attacks
play

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in - PowerPoint PPT Presentation

Nov 04, 2022 •664 likes •956 views

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

  1. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1

  2. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption 2

  3. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 3

  4. CBC / HMAC • Arbitrary padding in SSLv3 • Implicit IVs in TLS 1.0 2002 Padding • MAC-then-Pad-then-Encrypt Oracles 5

  5. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 7

  6. RC4 • Generates a key stream – Some bytes more likely to occur 2013: AlFardan et al. • https://www.rc4nomore.com/ • RFC 7465: Prohibiting RC4 Cipher Suites 8

  7. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 9

  8. TLS Encryption 1. Asymmetric key exchange – RSA, DHE, ECDHE 2. Symmetric encryption – CBC/HMAC – RC4 (stream cipher) – (new: ChaCha20/Poly1305) – AES-GCM 10

  9. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

  10. AES Counter Mode Nonce || Counter J 1 J 2 AES-Enc AES-Enc P 1 P 2 C 1 C 2 13

  11. Bit Flipping in AES Counter Mode J 1 J 2 AES-Enc AES-Enc C 1 C 2 P 1 P 2 Attacker can modify messages 14

  12. AES-GCM • GCM – Galois Counter Mode • AEAD (Authenticated Encryption with Additional Data) • Only in TLS 1.2 • Combination of Counter Mode and GHASH authentication – Computed over Galois field 15

  13. AES-GCM J 1 J 2 J 0 AES-Enc AES-Enc AES-Enc P 1 P 2 C 1 C 2 Gmul H Gmul H Gmul H Hash key H A len(A)||len(C) Encryption of 128 Gmul H zero bits: H=Enc(0) Output: C || T T 16

  14. GCM: Opinions of Cryptographers • "Do not use GCM. Consider using one of the other authenticated encryption modes, such as CWC, OCB, or CCM." (Niels Ferguson) • "We conclude that common implementations of GCM are potentially vulnerable to authentication key recovery via cache timing attacks." (Emilia Käsper, Peter Schwabe, 2009) • "AES-GCM so easily leads to timing side-channels that I'd like to put it into Room 101." (Adam Langley, 2013) • "The fragility of AES-GCM authentication algorithm" (Shay Gueron, Vlad Krasnov, 2013) • "GCM is extremely fragile" (Kenny Paterson, 2015) 17

  15. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

  16. The Forbidden Attack • Nonce: – Number used once – TLS: 8 Byte / 64 Bit nonce • Joux (2006): Nonce reuse allows an attacker to recover the authentication key • Attacker can modify messages 19

  17. Consider one block J 0 J 1 H = AES (0) AES-Enc AES-Enc P 1 T = ( C 1 * H + L) * H + AES (J 0 ) C 1 T = C 1 * H 2 + L * H + AES (J 0 ) Gmul H len(A)||len(C) Unknown values: • H Gmul H • AES (J 0 ) T 21

  18. Duplicate nonce J 0 J 1 H = AES (0) AES-Enc AES-Enc P 1 T 1 = C 1,1 * H 2 + L 1 * H + AES (J 0 ) C 1 T 2 = C 2,1 * H 2 + L 2 * H + AES (J 0 ) Gmul H T 1 - T 2 = (C 1,1 – C 2,1 ) * H 2 len(A)||len(C) + (L 1 – L 2 ) * H Gmul H T 22

  19. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

  20. TLS 1.2 / RFC 5288 "Each value of the nonce_explicit must be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security. The nonce_explicit may be the 64-bit sequence number .“ Two problems: • Random nonces: Collision probability • Repeating nonces 24

  21. Internet-wide Scan • 184 hosts with repeating nonces – Radware (Cavium chip) – Several pages from VISA Europe • 72445 hosts with random looking nonces – A10, IBM Lotus Domino (both published updates) – Sangfor (no response) • More devices that we were unable to identify 26

  22. 0100000003001741 Example: Radware 0100000003001741 f118cd0fa6ff5a15 f118cd0fa6ff5a16 f118cd0fa6ff5a74 OpenSSL 1.0.1j e_aes.c (EVP_CIPHER_CTX_ctrl/aes_gcm_ctrl): if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) return 0; t1_enc.c: if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); } 27

  23. Open Source Libraries • Botan, BouncyCastle, MatrixSSL, SunJCE, OpenSSL • No real problems • Counter overflows in Botan and MatrixSSL 28

  24. Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario 29

  25. Attacking Vulnerable Websites GET visa.dk/index.html HTTP 1.1 200 OK HTTP 1.1 200 OK … … <html> <html> <script> … </script> <h1>Hello Visa</h1> </html> </html> 30

  26. Demo 32

  27. Attacking mi5.gov.uk 33

  28. Conclusions • TLS 1.2: no guidance how to use nonces correctly – Some people get it wrong • Implicit nonces needed: – Chacha20/Poly1305 and TLS 1.3 based on record number • Better test tools for TLS implementation flaws 34

Recommend

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

566 views • 38 slides
Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1

Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1

Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1 , O guzhan Ersoy 2 , Ferhat Karako c 1 1 T 2 Bo UB ITAK-B ILGEM-UEKAE gazi ci University ASIACRYPT 2016, Hanoi, VIETNAM 1/27

860 views • 28 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos Cid Information Security Group, Royal Holloway, University of London Our Contributions 1 Study the underlying algebraic structure of

409 views • 24 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Introduction and Adversaries Attack

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Introduction and Adversaries Attack

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Introduction and Adversaries Attack Setups Attacks in Theory Example: Square and Multiply Combined Attacks Conclusion, Outlook Fault Type Transient Permanent

439 views • 22 slides
Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon

Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon

Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon University of Connecticut, Storrs CT USA walter.krawec@gmail.com walterkrawec.org Quantum Key Distribution (QKD) Allows two users Alice (A) and

1.03k views • 55 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science &amp; Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov

Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov

Measuring and Mitigating AS-level Adversaries Against Tor Oleksii Adva Phillipa Michael Starov Zair Gill Schapira Rishab Nithyanand Network-level Traffic Correlation Attacks Internet rou,ng is asymmetric. Source -&gt; Entry != Entry

591 views • 11 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years &amp; proven

1.17k views • 68 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years &amp; proven

679 views • 63 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

406 views • 29 slides
Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh

Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh

Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh Govindan, Madanlal Musuvathi Manipulation Attacks Adversaries induce victim into undesirable behavior by lying in their messages Exploit partial

216 views • 19 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides

More recommend