the long and winding path to secure implementation of
play

The Long and Winding Path to Secure Implementation of GlobalPlatform - PowerPoint PPT Presentation

Oct 01, 2022 •189 likes •658 views

Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga

  1. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga Pierre-Alain Fouque Mohamed Sabt April, 9 th 2020 April, 9th 2020 SCP10 Pitfalls 1 / 26

  2. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion 1 Context 2 Notation & Reminders 3 Deterministic RSA Padding 4 Padding Oracle on Key Transport 5 Key Reuse 6 Secure Implementation 7 Conclusion April, 9th 2020 SCP10 Pitfalls 2 / 26

  3. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Context April, 9th 2020 SCP10 Pitfalls 3 / 26

  4. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion The smart card world April, 9th 2020 SCP10 Pitfalls 4 / 26

  5. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion The smart card world April, 9th 2020 SCP10 Pitfalls 4 / 26

  6. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion SCP (Secure Communication Protocol) April, 9th 2020 SCP10 Pitfalls 5 / 26

  7. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion SCP (Secure Communication Protocol) April, 9th 2020 SCP10 Pitfalls 5 / 26

  8. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion SCP (Secure Communication Protocol) April, 9th 2020 SCP10 Pitfalls 5 / 26

  9. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion SCP (Secure Communication Protocol) Establish a secure session between a card and an Off-Card Entity 2-steps protocol: Key Exchange + Communication April, 9th 2020 SCP10 Pitfalls 5 / 26

  10. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion SCP (Secure Communication Protocol) Establish a secure session between a card and an Off-Card Entity 2-steps protocol: Key Exchange + Communication SCP10 relies on a Public Key Infrastructure: Both the card and off-card entity have a key pair They use each other public key to encrypt/verify messages April, 9th 2020 SCP10 Pitfalls 5 / 26

  11. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Key Exchange Modes (a) Key Transport mode April, 9th 2020 SCP10 Pitfalls 6 / 26

  12. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Key Exchange Modes (a) Key Transport mode (b) Key Agreement mode April, 9th 2020 SCP10 Pitfalls 6 / 26

  13. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Our contributions Our contributions: 1 Abuse blurs and flaws in the RSA encryption in Key Transport 2 Recovered session keys by two independent means In less than a second with the first attack In an average of 2h30 for the second 3 Exploit a design flaw in the specification to forge a valid certificate, signed by the card (allowing impersonation) 4 Implement a (semi-)compliant version of SCP10 as an applet 5 Propose a secure implementation, with an estimation of the corresponding overhead April, 9th 2020 SCP10 Pitfalls 7 / 26

  14. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Our contributions Our contributions: 1 Abuse blurs and flaws in the RSA encryption in Key Transport 2 Recovered session keys by two independent means In less than a second with the first attack In an average of 2h30 for the second 3 Exploit a design flaw in the specification to forge a valid certificate, signed by the card (allowing impersonation) 4 Implement a (semi-)compliant version of SCP10 as an applet 5 Propose a secure implementation, with an estimation of the corresponding overhead However, we did not : × Attack real cards (no implementation in the wild) × Try to exploit weakness in the symmetric encryption April, 9th 2020 SCP10 Pitfalls 7 / 26

  15. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Our Threat Model Our attacker can: � Initiate an SCP10 session with a card � Intercept, read and modify plaintext message transmitted between a legitimate Off-Card Entity and the card � Measure the time needed by the card to respond She cannot: × Have physical access to the card × Break the cryptographic primitives April, 9th 2020 SCP10 Pitfalls 8 / 26

  16. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Notation & Reminders April, 9th 2020 SCP10 Pitfalls 9 / 26

  17. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Acronyms APDU: Application Protocol Data Unit Message format of request send to the card TLV: Tag Length Value Data structure used to ease parsing CRT: Control Reference Template Data structure defining a symmetric key and its usage IV: Initialization Vector Initialisation vector used to initialize symmetric encryption April, 9th 2020 SCP10 Pitfalls 10 / 26

  18. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion RSA and padding RSA: pub = ( n , e ) priv = ( n , d ) Encryption: c = m e mod n , Signature: s = RSA sign ( m , priv ) , Decryption: m = c d Verification: m == RSA ver ( m , pub ) ? mod n . April, 9th 2020 SCP10 Pitfalls 11 / 26

  19. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion RSA and padding RSA: pub = ( n , e ) priv = ( n , d ) Encryption: c = m e mod n , Signature: s = RSA sign ( m , priv ) , Decryption: m = c d Verification: m == RSA ver ( m , pub ) ? mod n . PKCS#1v1.5 padding: Enc: EME-PKCS1-v1_5(m) = 0x00 || 0x02 || PS || 0x00 || m ���� random bytes Sig: EMSA-PKCS1-v1_5(m) = 0x00 || 0x01 || 0xFF..FF || 0x00 || m April, 9th 2020 SCP10 Pitfalls 11 / 26

  20. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Deterministic RSA Padding April, 9th 2020 SCP10 Pitfalls 12 / 26

  21. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Perform Security Operation Perform Security Operation APDU: M: params || CRT [|| CRT] April, 9th 2020 SCP10 Pitfalls 13 / 26

  22. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Perform Security Operation Perform Security Operation APDU: padding M: params || CRT [|| CRT] → EM − − − − EM: 0002 || FF..FF || 00 || params || CRT [|| CRT ...] ���� � �� � � �� � [22,42] bytes 128 − len ( CRTs ) − 3 bytes 3 bytes → Hybrid between EME and EMSA April, 9th 2020 SCP10 Pitfalls 13 / 26

  23. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Perform Security Operation Perform Security Operation APDU: padding M: params || CRT [|| CRT] → EM − − − − EM: 0002 || FF..FF || 00 || params || CRT [|| CRT ...] ���� � �� � � �� � [22,42] bytes 128 − len ( CRTs ) − 3 bytes 3 bytes → Hybrid between EME and EMSA CRT: header || key [|| 91 08 iv ] � �� � ���� ���� [6,8] fixed bytes 8 bytes [16,24] bytes April, 9th 2020 SCP10 Pitfalls 13 / 26

  24. Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion Perform Security Operation Perform Security Operation APDU: padding M: params || CRT [|| CRT] → EM − − − − EM: 0002 || FF..FF || 00 || params || CRT [|| CRT ...] ���� � �� � � �� � [22,42] bytes 128 − len ( CRTs ) − 3 bytes 3 bytes → Hybrid between EME and EMSA CRT: header || key [|| 91 08 iv ] � �� � ���� ���� [6,8] fixed bytes 8 bytes [16,24] bytes ⇒ Only few unknown bytes (compared to the modulus size) April, 9th 2020 SCP10 Pitfalls 13 / 26

Recommend

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga Pierre-Alain Fouque Mohamed Sabt TCHES 2020 1 Overview Context Deterministic RSA Padding Padding Oracle Key Reuse Secure

681 views • 46 slides
The Long and Winding Road of Unique Device Identifier (UDI) Implementation: A Small Company

The Long and Winding Road of Unique Device Identifier (UDI) Implementation: A Small Company

The Long and Winding Road of Unique Device Identifier (UDI) Implementation: A Small Company Perspective Daniel Simpson, RAC (US,CAN), ASQ CBA Sr. Director of Quality and Regulatory Affairs Corgenix, Inc Rocky Mountain Regulatory Affairs

459 views • 25 slides
The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the

The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the

The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the Old Testament: Martin Luther on the Old Testament: Martin Luther on the Old Testament: Simple and lowly are these swaddling cloths, but dear is

638 views • 30 slides
Knowledge Mobilisation Translation collaboration researchers & decision-makers.

Knowledge Mobilisation Translation collaboration researchers & decision-makers.

A long and winding road: Can you predict successful knowledge mobilisation and implementation in advance? Learning from the development and roll out of a social network intervention designed to support long term condition management Anne Rogers

337 views • 16 slides
Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Introduction & background Path-key-enabled attacks Secure path-key revocation Conclusions Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler Moore and Jolyon Clulow University of Cambridge

505 views • 22 slides
A Series of Serendipitous Events: The Winding Path Toward Digital Literacy Richard E. Snow Award

A Series of Serendipitous Events: The Winding Path Toward Digital Literacy Richard E. Snow Award

A Series of Serendipitous Events: The Winding Path Toward Digital Literacy Richard E. Snow Award for Early Contributions Jeffrey A. Greene Past Richard E. Snow Award Recipients 2015 George Georgiou 2007 Carol Connor 2006 Mimi Bong 2014

504 views • 36 slides
The Long and Winding Road Designing and Creating a Social Science Research

The Long and Winding Road Designing and Creating a Social Science Research

The Long and Winding Road Designing and Creating a Social Science Research Infrastructure in Switzerland Peter Farago FORS Director 2008-2016 Presentation at the symposium 10 Years FORS Lausanne, September 12, 2018 1 !

570 views • 12 slides
The Long and Winding Road to My Dream Job David Pooley Trinity University dpooley@trinity.edu

The Long and Winding Road to My Dream Job David Pooley Trinity University dpooley@trinity.edu

The Long and Winding Road to My Dream Job David Pooley Trinity University dpooley@trinity.edu 2008 Embry-Riddle 2006 Aug 2008 U Michigan move to Austin Postdoc 20042007 2010 2007 U Alberta UC Santa Cruz UT San Antonio Tufts U

507 views • 15 slides
Advancing equity and justice in protected areas (and a story of the long and winding road from

Advancing equity and justice in protected areas (and a story of the long and winding road from

Advancing equity and justice in protected areas (and a story of the long and winding road from science to impact) Kate Schreckenberg k.schreckenberg@soton.ac.uk ESPA Annual Science Conference, Nairobi, 17 Nov 2016 "For me this is an

262 views • 22 slides
100% in main it's a long and winding road but worth it Holger Levsen, August 12 th 2008

100% in main it's a long and winding road but worth it Holger Levsen, August 12 th 2008

aka Debian Edu 100% in main it's a long and winding road but worth it Holger Levsen, August 12 th 2008 About the two names... nowadays Debian Edu and Skolelinux are used as synonyms it's the same project Skolelinux was started

547 views • 44 slides
Private law children reform: A long and winding road Professor Rosemary Hunter Kent Law School

Private law children reform: A long and winding road Professor Rosemary Hunter Kent Law School

Private law children reform: A long and winding road Professor Rosemary Hunter Kent Law School Private law children cases - ideologies 1. Childrens welfare is best served by having ongoing, regular contact with both of their biological

75 views • 6 slides
Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash

285 views • 13 slides
Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential

Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential

Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential Management in a Secure VANET) Supervisor: MSc Thesis: Prof. Panos Papadimitratos Mohammad Khodaei LCN KTH October, 2012 1 / 38 Outline

519 views • 48 slides
RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS? Why RSA-PSS? Comparing original and standardized PSS Status of Protocols, Standards and Imple- mentations RSA-PSS in X.509

718 views • 19 slides
Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM Implementation of for Mobile Devices for Mobile Devices Sang- -bum bum Suh Suh Sang sbuk.suh@samsung.com sbuk.suh@samsung.com SW Laboratories SW

598 views • 48 slides
Principles for secure implementation Some of the slides and content are from Mike Hicks

Principles for secure implementation Some of the slides and content are from Mike Hicks

Principles for secure implementation Some of the slides and content are from Mike Hicks Coursera course Trusted computing bases Every system has a TCB Your reference monitor Compiler OS CPU Memory Keyboard..

1.61k views • 143 slides
Introduction to the West Midlands Combined Authority Aims Secure long term investment rather

Introduction to the West Midlands Combined Authority Aims Secure long term investment rather

Introduction to the West Midlands Combined Authority Aims Secure long term investment rather than short term budget allocations to stimulate economic growth for the region Tackle the long term challenges faced by all local authorities and

498 views • 17 slides
verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at ETH Security and Correctness Protocol-level properties - Path validity : Constructed paths are valid and reflect the routing decisions by on-path

294 views • 8 slides
Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a

Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a

Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a specialist UK REIT, selectively investing in key operating real estate assets in defensive sectors that provide long term rental income with inflation

822 views • 60 slides
Off-Path BoF Problem/Solution Overview Paul Francis Cornell University Research Goal

Off-Path BoF Problem/Solution Overview Paul Francis Cornell University Research Goal

Off-Path BoF Problem/Solution Overview Paul Francis Cornell University Research Goal Robust, secure, connection establishment Robust: always works Even if behind NATs, firewalls, different network layers Secure: In a

640 views • 17 slides
Access to the English Coast The England Coast Path Gosport to Portsmouth (GPM) What will the

Access to the English Coast The England Coast Path Gosport to Portsmouth (GPM) What will the

Access to the English Coast The England Coast Path Gosport to Portsmouth (GPM) What will the coast path bring Secure, continuous, clearly way-marked, well managed route National Trail brand and funding Tourists with spending money,

367 views • 14 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois

The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois

The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois at Urbana-Champaign www.tcipg.org whs@illinois.edu | 1 Power Grid Trust Dynamics Span Two Interdependent Infrastructures Cyber Infrastructure

337 views • 15 slides
1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

Presentation Outline E- -Business Implementation Business Implementation E Part 1 The Singapore Experience The Singapore Experience How Singapore Government Agency created a secure and trusted infrastructure for e-business By Tan Jin

790 views • 25 slides

More recommend