practical attacks on
play

Practical Attacks on Implementations Juraj Somorovsky Ruhr - PowerPoint PPT Presentation

Jan 14, 2023 •114 likes •406 views

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

  1. Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1

  2. Recent years revealed many crypto attacks… • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 2 2

  3. Standards updated • Countermeasures defined • What could go wrong in RWC implementations? Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 3 3

  4. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 4

  5. RSA-PKCS#1 v1.5 • Used to encrypt symmetric keys • Vulnerable to an adaptive chosen-ciphertext attack XML Encryption ciphertext C = Enc(M) Ciphertext C = Enc(M) C 1 valid/invalid C 2 Server Client valid/invalid … M = Dec(C) (repeated several times) Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 5 5

  6. RSA-PKCS#1 v1.5: Countermeasures 1. Use RSA-OAEP (PKCS#1 v2) 2. Apply specific countermeasure generate random decrypt ciphertext: m = dec(c) if ( padding correct ) proceed with m else proceed with random Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 6 6

  7. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 7

  8. RSA PKCS#1 v1.5 in XML Encryption • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 k Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 9 9

  9. Attack Countermeasure • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 Random: k 128 b Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 10 10

  10. Case Apache WSS4J • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 Random: k 128 B Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 11 11

  11. Case Apache WSS4J • Hybrid encryption: k = Dec_pkcs(priv,C1) m = Dec_aes128(k,C2) Dec_pkcs 1 Random: k 128 B Dec_aes128 2 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 12 12

  12. Case Apache WSS4J • Original bug much more complicated • CVE-2015-0226 • Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky: How to Break XML Encryption – Automatically (WOOT‘15 ) • Found automatically using WS-Attacker • https://github.com/RUB-NDS/WS-Attacker Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 17 17

  13. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 18

  14. How About TLS? • Christopher Meyer, Juraj Somorovsky, Jörg Schwenk, Eugen Weiss, Sebastian Schinzel, Erik Tews: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks . USENIX Security 2014 • Practical attacks on JSSE, Bouncy Castle, Cavium Accelerator • Bug in OpenSSL Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 19 19

  15. Case JSSE • No direct TLS error messages • Uses PKCS#1 unpadding function: private byte [] unpadV15 (byte[] padded) { if (PKCS valid) { return unpadded text; } else { throw new BadPaddingException(); } } • Caught, random generated…what’s wrong? Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 20 20

  16. Case JSSE (CVE-2014-411) • Exception consumes about 20 microseconds! PKCS#1 valid, no exception PKCS#1 invalid, exception Bleichenbacher’s Attack over LAN! Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 21 21

  17. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 22

  18. Elliptic Curve • Set of points over a finite field • Used e.g. for key exchange Client Server P Secret s P Key: sP Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 23 23

  19. Invalid Curve Attack • Crypto 2000: Biehl, Meyer, Müller • Attacker sends an invalid point of small order (e.g. 5) Server Secret s Q Q • Attacker computes: 𝒕 𝟐 = 𝒕 𝒏𝒑𝒆 𝟔 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 24 24

  20. Invalid Curve Attack • Choose points of small co- prime order (5, 7, 11, …) • Send to the server • Compute: 𝑡 1 = 𝑡 𝑛𝑝𝑒 5 𝑡 2 = 𝑡 𝑛𝑝𝑒 7 𝑡 3 = 𝑡 𝑛𝑝𝑒 11 𝑡 4 = 𝑡 𝑛𝑝𝑒 13 • Compute s with CRT Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 25 25

  21. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 26

  22. Practical Attacks? • Tibor Jager, Jörg Schwenk, Juraj Somorovsky: Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015 • Analyzed 8 libraries • 2 vulnerable – Bouncy Castle: 3300 TLS queries – Oracle JSSE: 17000 TLS queries Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 27 27

  23. Impact • Attacks extract server private keys • Java servers using EC certificates vulnerable – For example Apache Tomcat Demo Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 28 28

  24. Overview 1. Bleichenbacher’s Attack • XML Encryption • TLS 2. Invalid Curve Attack • TLS • Hardware Security Modules Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 29

  25. Attacker Model in HSM Scenarios • Storage of crypto keys • Keys never leave HSMs dec (C) Keys (RSA, EC, AES …) m Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 30 30

  26. Attacker Model in HSM Scenarios • Storage of crypto keys • Keys never leave HSMs getKey Keys (RSA, EC, AES …) Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 31 31

  27. How about Invalid Curve Attacks? • CVE-2015-6924 (with Dennis Felsch) • Utimaco HSMs vulnerable • < 100 queries to get a key…Heartbleed effect • Thanks to cooperation of Utimaco – Provided sample code, fast fix "Catastrophic" is the right word. On the scale • Utimaco HSM is FIPS certified of 1 to 10, this is an 11. Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 32 32

  28. Conclusions • Old attacks relevant for RWC implementations • Old algorithms in the newest standards – RSA PKCS#1 v1.5 (attack: 1998) 2008: TLS 1.2 2013: XML Encryption 1.1 2015: JSON Web Encryption – Positive example: TLS 1.3 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 33 33

  29. Conclusions • For standard designers: – Remove old crypto • For developers: – Analyze possible side-channels, best practices • Check point is on curve • For pentesters: – More tools / analyses of crypto applications needed Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 34 34

Recommend

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

1.33k views • 108 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor,

On evasion attacks against machine learning in practical settings Lujo Bauer Professor, Electrical &amp; Computer Engineering + Computer Science Director, Cyber Autonomy Research Center Collaborators: Mahmood Sharif, Sruti Bhagavatula, Mike

754 views • 31 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE Dennis Felsch 1 , Martin Grothe 1 , Jrg Schwenk 1 , Adam Czubak 2 , Marcin Szymanek 2 1 : Ruhr University Bochum, Germany 2 : University of Opole, Poland 27 TH USENIX SECURITY SYMPOSIUM

476 views • 25 slides
Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao

Expectation-Maximization Tensor Factorization for Practical Location Privacy Attacks Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science &amp; Technology 1 Outline [Shokri+,S&amp;P11] [Gambs+,JCSS14]

370 views • 19 slides
Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila 1 and Ricardo J. Rodr Jos guez 2 1 DIIS, University of Zaragoza, Spain 2 Research Institute of Applied Sciences in Cybersecurity, University

337 views • 17 slides
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2

Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Universit Catholique de Louvain, Belgium Algebraic

995 views • 61 slides
Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias Schulz, Adrian Loch, Matthias Hollick Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias

607 views • 22 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst Grtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks

1.45k views • 32 slides
Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Synopsis New remote timing attack vulnerability in OpenSSLs implementation of Montgomerys

487 views • 25 slides
Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger

Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger

Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger DTU - Technical University of Denmark September 12, 2014 Cryptographic Hash Functions Today is the 12th of September... h 4981A99EDA782

1.01k views • 34 slides
KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on Attacks (WAC), Santa Barbara, 18 August 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 2

646 views • 51 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas

SCIENCE PASSION TECHNOLOGY More Practical Single-Trace Attacks on the Number Theoretic Transform Peter Pessl, Robert Primas Graz University of Technology LATINCRYPT 2019, October 02 &gt; www.iaik.tugraz.at www.iaik.tugraz.at

1.63k views • 60 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Adversarial examples are not mysterious, generalization is Angus Galloway University of Guelph

Adversarial examples are not mysterious, generalization is Angus Galloway University of Guelph

I NTRODUCTION Theory Trade-offs Practical Attacks DNNs Adversarial examples are not mysterious, generalization is Angus Galloway University of Guelph gallowaa@uoguelph.ca I NTRODUCTION Theory Trade-offs Practical Attacks DNNs T HE

669 views • 31 slides

More recommend