
Remote Timing Attacks on TPMs, AKA TPM-Fail (Daniel Moghimi)



  1. Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi

  2. About Me • Daniel Moghimi • @danielmgmi • https://moghimi.org • Security Researcher • PhD Candidate @ WPI • Microarchitectural Attacks • Side Channels • Breaking Crypto Implementations • Trusted Execution Environment (Intel SGX) 2 #BHUSA @BLACKHATEVENTS @DANIELMGMI

  3. Thanks! • Berk Sunar @ WPI • Nadia Heninger @ UCSD • Thomas Eisenbarth @ UzL • Jan Wichelmann @ UzL

  4. Cryptanalysis • Cryptosystem with an input m, output c, and secret k • Attacker tries to learn k by looking at (m, c) [Diagram: Encrypt / Decrypt / Sign box with input m, secret k, output c]

  5. Cryptanalysis • Cryptosystem with an input m, output c, and secret k • Attacker tries to learn k by looking at (m, c) • ECDSA Sign: $(x_1, y_1) = k_i \times G$, $r_i = x_1 \bmod n$, $s_i = k_i^{-1}(z + r_i d) \bmod n$ • $s_1 = k_1^{-1}(z + r_1 d) \bmod n$ • $s_2 = k_2^{-1}(z + r_2 d) \bmod n$ [Diagram: Encrypt / Decrypt / Sign box with input m, secret k, output c]

  6. Cryptanalysis • Cryptosystem with an input m, output c, and secret k • Attacker tries to learn k by looking at (m, c) • ECDSA Sign: $(x_1, y_1) = k_i \times G$, $r_i = x_1 \bmod n$, $s_i = k_i^{-1}(z + r_i d) \bmod n$ • $k_1 = k_2 = k$ • $s_1 = k^{-1}(z + r_1 d) \bmod n$ • $s_2 = k^{-1}(z + r_2 d) \bmod n$ [Diagram: Encrypt / Decrypt / Sign box with input m, secret k, output c]

  7. Cryptanalysis • Cryptosystem with an input m, output c, and secret k • Attacker tries to learn k by looking at (m, c) • ECDSA Sign: $(x_1, y_1) = k_i \times G$, $r_i = x_1 \bmod n$, $s_i = k_i^{-1}(z + r_i d) \bmod n$ • $k_1 = k_2 = k$ • $s_1 = k^{-1}(z + r_1 d) \bmod n$ • $s_2 = k^{-1}(z + r_2 d) \bmod n$ • $s_2 - s_1 = (r_2 - r_1)\, d \bmod n$ [Diagram: Encrypt / Decrypt / Sign box with input m, secret k, output c]

  8. Side-Channel Cryptanalysis • Cryptosystem with an input m, output c, and secret k • Attacker tries to learn k by looking at (m, c) and signal s [Diagram: Encrypt / Decrypt / Sign box with input m, secret k, output c, signal s]

  9. Side-Channel Attacks • Channels • Power Analysis • EM Analysis • … • Timing Analysis • CPU Side Channels • Threat Models: • Physical Access • Local Access (Co-location) • Remote

  10. Secure Elements • Software is insecure. Heartbleed? Rootkits? Ransomware? • Untrusted/Bad Org.? • Computers are just Evil?!

  11. Secure Elements • Software is insecure. Heartbleed? Rootkits? Ransomware? • Untrusted/Bad Org.? • Computers are just Evil?! • Hardware-based Root of Trust?!

  12. Trusted Platform Module (TPM) • Security Chip for Computers? • Tamper Resistant • Side-Channel Resistant • Crypto Co-processor

  13. Trusted Platform Module (TPM) • Security Chip for Computers? • Tamper Resistant • Side-Channel Resistant • Crypto Co-processor • Trusted Computing Base

  14. Trusted Platform Module (TPM) • Cryptographic Co-processor, specified by Trusted Computing Group • Secure Storage • Integrity Measurement • TRNG • Hash Functions • Encryption • Digital Signatures

  15. TPM – Digital Signatures • Applications • Trusted Execution of Signing Operations • Remote Attestation • TPM 2.0 supports Elliptic-Curve Digital Signature • ECDSA • ECSchnorr • ECDAA (Anonymous Remote Attestation)

  16. Trusted Computing Group • https://trustedcomputinggroup.org/membership/certification/ • https://trustedcomputinggroup.org/membership/certification/tpm-certified-products/

  17. STMicroelectronics ST33TPHF2ESPI • ST33TPHF2ESPI Data Brief • https://www.st.com/resource/en/data_brief/st33tphf2espi.pdf • ST33TPHF2ESPI CC Evaluation • https://www.ssi.gouv.fr/uploads/2018/10/anssi-cible-cc-2018_41en.pdf

  19. Are TPMs really side-channel resistant?

  20. High-resolution Timing Test • TPM frequency ~= 32-120 MHz • CPU Frequency is more than 2 GHz

  21. High-resolution Timing Test – Intel PTT (fTPM) • Intel Platform Trust Technology (PTT) • Integrated firmware-TPM inside the CPU package • Runs on top of Converged Security and Management Engine (CSME) • Standalone low power processor • Has been around since Haswell [Diagram labels: PCH, CPU, CSME, fTPM]

  22. High-resolution Timing Test – Intel PTT (fTPM) • Intel Platform Trust Technology (PTT) • Integrated firmware-TPM inside the CPU package • Runs on top of Converged Security and Management Engine (CSME) [Diagram labels: PCH, CPU, CSME, fTPM] [Figure: Histogram]

  23. High-resolution Timing Test – Intel PTT (fTPM) • Linux TPM Command Response Buffer (CRB) driver • Kernel Driver to increase the Resolution [Diagram labels: PCH, CPU, CSME, fTPM]

  24. High-resolution Timing Test – ECDSA Nonce • Intel fTPM: 4-bit Window Nonce Length Leakage • ECDSA • ECSchnorr • BN-256 (ECDAA) [Figure: example nonces 0101000100111111...111, 0000100100111111...111, 1101000100111111...111, 0000000000111111...111, 0000000000001111...111 against time t]

  29. High-resolution Timing Test – ECDSA Nonce • Intel fTPM: 4-bit Window Nonce Length Leakage • ECDSA • ECSchnorr • BN-256 (ECDAA) [Figure: example nonces 0101000100111111...111, 0000100100111111...111, 1101000100111111...111, 0000000000111111...111, 0000000000001111...111 against time t; annotation: 3.33 ms]

  30. DEMO, TIMING

  31. High-resolution Timing Test - Analysis • RSA and ECDSA timing test on 3 dedicated TPM and Intel fTPM • Various non-constant behaviour for both RSA and ECDSA

  33. High-resolution Timing Test – ECDSA Nonce • STMicro TPM: Bit-by-Bit Nonce Length Leakage

  34. TPM-Fail – Recovering Private ECDSA Key • TPM is programmed with an unknown key • We already have a template for $t_i$. 1. Collect list of signatures $(r_i, s_i)$ and timing samples $t_i$. 2. Filter signatures based on $t_i$ and keep $(r_i, s_i)$ with a known bias. 3. Lattice-based attack to recover private key $d$, from signatures with biased nonce $k_i$.

  35. Lattice and Hidden Number Problem • $s = k^{-1}(z + dr) \bmod n$

  36. Lattice and Hidden Number Problem • $s = k^{-1}(z + dr) \bmod n$ → $k_i - s_i^{-1} r_i d - s_i^{-1} z \equiv 0 \bmod n$

  37. Lattice and Hidden Number Problem • $s = k^{-1}(z + dr) \bmod n$ → $k_i - s_i^{-1} r_i d - s_i^{-1} z \equiv 0 \bmod n$ → $k_i + A_i d + B_i = 0$ • $A_i = -s_i^{-1} r_i$, $B_i = -s_i^{-1} z$
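
Added example, not from the talk or its authors: a work-count model of the 4-bit window nonce-length leakage on slides 24 to 29, next to a loop that always processes every window. The 256-bit nonce width, the function names and the sample nonces are assumptions made here, and loop iterations stand in for measured time.

```python
import random

SCALAR_BITS = 256  # assumed nonce width (256-bit curve)
WINDOW = 4         # window size named on the slides

def windows(k):
    """Split k into 4-bit windows, most significant first."""
    count = SCALAR_BITS // WINDOW
    return [(k >> (WINDOW * (count - 1 - i))) & 0xF for i in range(count)]

def leaky_work(k):
    """Loop iterations when leading all-zero windows are skipped."""
    w = windows(k)
    skipped = 0
    while skipped < len(w) and w[skipped] == 0:
        skipped += 1
    return len(w) - skipped

def fixed_work(k):
    """Loop iterations when every window is processed, zero or not."""
    return len(windows(k))

def leak_table(work_fn, nonces):
    """Map each work count to the (min, max) leading-zero bits that produce it."""
    table = {}
    for k in nonces:
        zeros = SCALAR_BITS - k.bit_length()
        lo, hi = table.get(work_fn(k), (zeros, zeros))
        table[work_fn(k)] = (min(lo, zeros), max(hi, zeros))
    return table

def constructed_nonces(seed=1):
    """Constructed sample (not real nonces): chosen leading-zero bit counts."""
    rng = random.Random(seed)  # seeded for repeatability, never for real nonces
    out = []
    for zeros in (0, 3, 4, 7, 8, 12):
        top = SCALAR_BITS - 1 - zeros  # index of the highest set bit
        out += [(1 << top) | rng.getrandbits(top) for _ in range(20)]
    return out

if __name__ == "__main__":
    sample = constructed_nonces()
    print("leaky:", leak_table(leaky_work, sample))
    print("fixed:", leak_table(fixed_work, sample))
```

In the leaky loop each work count corresponds to one band of four leading-zero bits, which is the information the timing histogram exposes; in the fixed loop all nonces fall into a single class.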
