
Practical Attacks on Implementations - Juraj Somorovsky, Ruhr University Bochum - PowerPoint PPT Presentation



  1. Practical Attacks on Real World Crypto Implementations
  Juraj Somorovsky, Ruhr University Bochum, HGI, 3curity, @jurajsomorovsky

  2. Recent years revealed many crypto attacks…
  • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack
  • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS
  • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1

  3. Standards updated
  • Countermeasures defined
  • What could go wrong in RWC implementations?

  4. Overview
  1. Bleichenbacher’s Attack
     • XML Encryption
     • TLS
  2. Invalid Curve Attack
     • TLS
     • Hardware Security Modules

  5. RSA-PKCS#1 v1.5
  • Used to encrypt symmetric keys
  • Vulnerable to an adaptive chosen-ciphertext attack
  [Diagram: XML Encryption ciphertext C = Enc(M). The attacker (client side) sends modified ciphertexts C1, C2, … to the server, which answers valid/invalid for each; repeated several times until M = Dec(C) is recovered.]

  6. RSA-PKCS#1 v1.5: Countermeasures
  1. Use RSA-OAEP (PKCS#1 v2)
  2. Apply specific countermeasure (pseudocode):
     generate random
     decrypt ciphertext: m = dec(c)
     if (padding correct) proceed with m
     else proceed with random

  7. Overview (section divider; same outline as slide 4)

  8. RSA PKCS#1 v1.5 in XML Encryption
  • Hybrid encryption: k = Dec_pkcs(priv, C1); m = Dec_aes128(k, C2)
  [Diagram: step 1, Dec_pkcs yields k; step 2, Dec_aes128 with k]

  9. Attack Countermeasure
  • Hybrid encryption: k = Dec_pkcs(priv, C1); m = Dec_aes128(k, C2)
  [Diagram: step 1, Dec_pkcs; on a padding error a random k of 128 b (bits) is used instead; step 2, Dec_aes128 with k]

  10. Case Apache WSS4J
  • Hybrid encryption: k = Dec_pkcs(priv, C1); m = Dec_aes128(k, C2)
  [Diagram: step 1, Dec_pkcs; on a padding error the random k is 128 B (bytes), not 128 b (bits); step 2, Dec_aes128 with k]

  11. Case Apache WSS4J (same content as slide 10)

  12. Case Apache WSS4J
  • Original bug much more complicated
  • CVE-2015-0226
  • Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky: How to Break XML Encryption – Automatically (WOOT ’15)
  • Found automatically using WS-Attacker
  • https://github.com/RUB-NDS/WS-Attacker

  13. Overview (section divider; same outline as slide 4)

  14. How About TLS?
  • Christopher Meyer, Juraj Somorovsky, Jörg Schwenk, Eugen Weiss, Sebastian Schinzel, Erik Tews: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. USENIX Security 2014
  • Practical attacks on JSSE, Bouncy Castle, Cavium Accelerator
  • Bug in OpenSSL

  15. Case JSSE
  • No direct TLS error messages
  • Uses PKCS#1 unpadding function (schematic):
    private byte[] unpadV15(byte[] padded) {
        if (PKCS valid) {
            return unpadded text;
        } else {
            throw new BadPaddingException();
        }
    }
  • Caught, random generated… what’s wrong?

  16. Case JSSE (CVE-2014-411)
  • Exception consumes about 20 microseconds!
  • PKCS#1 valid: no exception. PKCS#1 invalid: exception.
  • Bleichenbacher’s Attack over LAN!
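Slides 6, 9 to 11 and 15 to 16 describe one countermeasure and two ways it was undermined: an exception on the failure path (JSSE, measurable timing) and a fallback key of the wrong length (WSS4J, a distinguishable error one stage later). The following Python is an added example, not code from the slides, from WSS4J or from JSSE. It models only the key-unwrap step on an already RSA-decrypted block (the RSA operation is omitted): a PKCS#1 v1.5 parser that reports failure with a flag instead of raising, a fallback key of exactly the expected length, and a constructed reproduction of the wrong-length fallback. All function names (`unpad_pkcs1_v15`, `unwrap_key`, `wss4j_style_unwrap`, `symmetric_stage`, `error_visible`, `pad_pkcs1_v15`) are my own, and `symmetric_stage` merely stands in for the key-length validation a real AES implementation performs.

```python
import secrets

AES128_KEY_LEN = 16  # 128 bits = 16 bytes


def unpad_pkcs1_v15(block):
    """Parse an RSA-decrypted block as PKCS#1 v1.5 (type 2) padding.

    Returns (ok, payload) instead of raising: in JSSE the BadPaddingException
    path cost roughly 20 microseconds more than the success path, which was
    enough to mount Bleichenbacher's attack over a LAN.  Every check runs on
    every input and nothing returns early.  (Plain Python still cannot give
    constant-time byte comparisons; a production implementation needs those too.)
    """
    ok = len(block) >= 11
    ok &= block[:2] == b"\x00\x02"
    sep = block.find(b"\x00", 2)            # 0x00 separator after the padding string
    ok &= sep != -1
    ok &= sep >= 10                         # at least 8 non-zero padding bytes
    payload = block[sep + 1:] if sep != -1 else b""
    return ok, payload


def unwrap_key(block, key_len=AES128_KEY_LEN):
    """Countermeasure from slide 6: proceed with a random key on bad padding.

    The fallback is drawn before the check and has exactly key_len bytes, so
    nothing downstream can tell the two paths apart by the key's length.
    A payload of the wrong length is treated like bad padding for the same reason.
    """
    fallback = secrets.token_bytes(key_len)
    ok, payload = unpad_pkcs1_v15(block)
    if ok and len(payload) == key_len:
        return payload
    return fallback


def wss4j_style_unwrap(block, key_len=AES128_KEY_LEN):
    """Constructed reproduction of the mistake on slides 10-11: the fallback
    key is 128 *bytes* long instead of 128 *bits*.  The unwrap itself still
    looks fine; the damage only shows one stage later."""
    fallback = secrets.token_bytes(128)
    ok, payload = unpad_pkcs1_v15(block)
    if ok and len(payload) == key_len:
        return payload
    return fallback


def symmetric_stage(key):
    """Stand-in for Dec_aes128 (assumption: only the key-length check is modelled).
    A real cipher rejects a key of the wrong size before touching the ciphertext,
    and that rejection is what an attacker can observe."""
    if len(key) != AES128_KEY_LEN:
        raise ValueError("invalid AES key length")
    return True


def error_visible(unwrap, block):
    """True when hybrid decryption raises (an oracle for the attacker), False when
    valid and invalid inputs both reach the AES stage the same way."""
    try:
        symmetric_stage(unwrap(block))
    except ValueError:
        return True
    return False


def pad_pkcs1_v15(payload, block_len=128):
    """Build a correctly padded block (constructed test data for this example)."""
    ps_len = block_len - 3 - len(payload)
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + payload


if __name__ == "__main__":
    key = bytes(range(AES128_KEY_LEN))
    good = pad_pkcs1_v15(key)
    bad = b"\x00\x01" + good[2:]
    print("correct fallback, invalid block raises:", error_visible(unwrap_key, bad))
    print("WSS4J-style fallback, invalid block raises:", error_visible(wss4j_style_unwrap, bad))
```

With the correct-length fallback, a valid and an invalid block are indistinguishable at the AES stage; with the 128-byte fallback, every invalid block produces an error that a valid one never produces, which is exactly the oracle the countermeasure was meant to remove.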

  17. Overview (section divider; same outline as slide 4)

  18. Elliptic Curve
  • Set of points over a finite field
  • Used e.g. for key exchange
  [Diagram: the client sends point P to the server; the server holds secret s; key: sP]

  19. Invalid Curve Attack
  • Crypto 2000: Biehl, Meyer, Müller
  • Attacker sends an invalid point of small order (e.g. 5)
  [Diagram: the attacker sends Q to the server, which holds secret s]
  • Attacker computes: s_1 = s mod 5

  20. Invalid Curve Attack
  • Choose points of small co-prime order (5, 7, 11, …)
  • Send to the server
  • Compute: s_1 = s mod 5, s_2 = s mod 7, s_3 = s mod 11, s_4 = s mod 13
  • Compute s with CRT
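The following Python is an added example, not code from the slides or from any of the libraries studied. It implements a toy short-Weierstrass curve and shows the property behind slides 19 and 20 together with the check slide 29 asks developers to add: the affine group law never reads the curve constant B, so a point taken from a curve with a different B is multiplied by the secret without complaint, and only an explicit on-curve check in front of the ECDH computation rejects it. The parameters P, A, B and the points are constructed for this example and far too small for any real use; the function names are my own.

```python
# Toy curve y^2 = x^3 + A*x + B over GF(P).  Constructed parameters, not a real curve.
P, A, B = 97, 2, 3
INF = None  # point at infinity


def is_on_curve(pt):
    """Public-key validation: accept only points satisfying the curve equation.
    This is the check the deck's conclusion (slide 29) recommends."""
    if pt is INF:
        return False                      # the identity is never a valid public key
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition and doubling.  Note that B appears nowhere here: the group
    law only uses A and P, which is why a point from a different curve with the
    same A but another B is processed exactly like a genuine one."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                        # P + (-P), including doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add without any validation, like the vulnerable ECDH code paths."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(secret, peer_point):
    """Hardened ECDH: validate the peer's point before it touches the secret scalar."""
    if not is_on_curve(peer_point):
        raise ValueError("peer point is not on the negotiated curve")
    return scalar_mult(secret, peer_point)


if __name__ == "__main__":
    G = (3, 6)          # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
    BOGUS = (3, 7)      # on y^2 = x^3 + 2x + 16 instead, i.e. a different B
    print("2G =", scalar_mult(2, G))
    print("unchecked 2*BOGUS =", scalar_mult(2, BOGUS))   # arithmetic does not notice
    try:
        ecdh_shared_secret(11, BOGUS)
    except ValueError as e:
        print("validated ECDH rejects it:", e)
```

The unchecked `scalar_mult` happily returns a result for `BOGUS`, which is the behaviour the attack relies on; `ecdh_shared_secret` refuses it before the secret is used. A real implementation should also reject the point at infinity and, for curves with a cofactor, check the point's order, neither of which the toy curve needs.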

  21. Overview (section divider; same outline as slide 4)

  22. Practical Attacks?
  • Tibor Jager, Jörg Schwenk, Juraj Somorovsky: Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015
  • Analyzed 8 libraries
  • 2 vulnerable
    – Bouncy Castle: 3300 TLS queries
    – Oracle JSSE: 17000 TLS queries

  23. Impact
  • Attacks extract server private keys
  • Java servers using EC certificates vulnerable
    – For example Apache Tomcat
  • Demo

  24. Overview (section divider; same outline as slide 4)

  25. Attacker Model in HSM Scenarios
  • Storage of crypto keys
  • Keys never leave HSMs
  [Diagram: the HSM holds keys (RSA, EC, AES …); the caller submits dec(C) and receives m]

  26. Attacker Model in HSM Scenarios
  • Storage of crypto keys
  • Keys never leave HSMs
  [Diagram: the attacker’s goal is effectively a getKey on the HSM’s stored keys (RSA, EC, AES …)]

  27. How about Invalid Curve Attacks?
  • CVE-2015-6924 (with Dennis Felsch)
  • Utimaco HSMs vulnerable
  • < 100 queries to get a key… Heartbleed effect
  • Thanks to cooperation of Utimaco
    – Provided sample code, fast fix
  • Utimaco HSM is FIPS certified
  • Quote: "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

  28. Conclusions
  • Old attacks relevant for RWC implementations
  • Old algorithms in the newest standards
    – RSA PKCS#1 v1.5 (attack: 1998) still in: 2008: TLS 1.2; 2013: XML Encryption 1.1; 2015: JSON Web Encryption
    – Positive example: TLS 1.3

  29. Conclusions
  • For standard designers:
    – Remove old crypto
  • For developers:
    – Analyze possible side-channels, best practices
    – Check point is on curve
  • For pentesters:
    – More tools / analyses of crypto applications needed
