the long and winding path to secure implementation of
play

The Long and Winding Path to Secure Implementation of GlobalPlatform - PowerPoint PPT Presentation

Mar 20, 2023 •208 likes •681 views

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga Pierre-Alain Fouque Mohamed Sabt TCHES 2020 1 Overview Context Deterministic RSA Padding Padding Oracle Key Reuse Secure

  1. The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga Pierre-Alain Fouque Mohamed Sabt TCHES 2020 1

  2. Overview • Context • Deterministic RSA Padding • Padding Oracle • Key Reuse • Secure Implementation • Conclusion 2

  3. Context

  4. The smart card world 3

  5. The smart card world 3

  6. SCP (Secure Communication Protocol) APDU req APDU resp 4

  7. SCP (Secure Communication Protocol) APDU req APDU req APDU resp APDU resp 4

  8. SCP (Secure Communication Protocol) TLS SCP SCP SCP SCP TLS 4

  9. SCP (Secure Communication Protocol) TLS SCP SCP SCP SCP TLS • Establish a secure session between a card and an Off-Card Entity • 2-steps protocol: Key Exchange + Communication 4

  10. SCP (Secure Communication Protocol) TLS SCP SCP SCP SCP TLS • Establish a secure session between a card and an Off-Card Entity • 2-steps protocol: Key Exchange + Communication • SCP10 relies on a Public Key Infrastructure: • Both the card and off-card entity have a key pair • They use each other public key to encrypt/verify messages 4

  11. Key Exchange Modes OCE Card Applet Selection Manage Security Environment (a) Key Transport mode 5

  12. Key Exchange Modes OCE Card Applet Selection Manage Security Environment Certificate exchange (a) Key Transport mode 5

  13. Key Exchange Modes OCE Card Applet Selection Manage Security Environment Certificate exchange Perform Security Operation (dec) (a) Key Transport mode 5

  14. Key Exchange Modes OCE Card Applet Selection Manage Security Environment Certificate exchange Perform Security Operation (dec) Get challenge External authentication (a) Key Transport mode 5

  15. Key Exchange Modes OCE Card Applet Selection Manage Security Environment Certificate exchange Perform Security Operation (dec) Get challenge External authentication Internal authentication (a) Key Transport mode 5

  16. Key Exchange Modes OCE Card Card OCE Applet Selection Applet Selection Manage Security Environment Manage Security Environment Certificate exchange Certificate exchange Perform Security Operation (dec) Perform Security Operation (dec) Get challenge Get challenge External authentication External authentication Internal authentication Internal authentication Key derivation Key derivation (a) Key Transport mode (b) Key Agreement mode 5

  17. Our contributions Our contributions: 1. Abuse blurs and flaws in the RSA encryption in Key Transport 2. Recovered session keys by two independent means • In less than a second with the first attack • In an average of 2h30 for the second 3. Exploit a design flaw to forge a certificate, signed by the card 4. Implement a (semi-)compliant version of SCP10 as an applet 5. Propose a secure implementation, with an estimation of the corresponding overhead 6

  18. Our contributions Our contributions: 1. Abuse blurs and flaws in the RSA encryption in Key Transport 2. Recovered session keys by two independent means • In less than a second with the first attack • In an average of 2h30 for the second 3. Exploit a design flaw to forge a certificate, signed by the card 4. Implement a (semi-)compliant version of SCP10 as an applet 5. Propose a secure implementation, with an estimation of the corresponding overhead However, we did not : × Attack real cards (no implementation in the wild) × Try to exploit weakness in the symmetric encryption 6

  19. Our Threat Model Our attackers can: � Initiate an SCP10 session with a card � Intercept, read and modify plaintext message transmitted between a legitimate Off-Card Entity and the card � Measure the time needed by the card to respond They cannot: × Have physical access to the card × Break the cryptographic primitives 7

  20. Deterministic RSA Padding

  21. Perform Security Operation Perform Security Operation APDU: M: params || CRT [|| CRT ...] ���� � �� � [22,42] bytes 3 bytes 8

  22. Perform Security Operation Perform Security Operation APDU: M: params || CRT [|| CRT ...] ���� � �� � [22,42] bytes 3 bytes CRT: header || key [|| 91 08 iv ] � �� � ���� ���� 8 bytes [6,8] fixed bytes [16,24] bytes 8

  23. Perform Security Operation Perform Security Operation APDU: M: params || CRT [|| CRT ...] ���� � �� � [22,42] bytes 3 bytes CRT: header || key [|| 91 08 iv ] � �� � ���� ���� 8 bytes [6,8] fixed bytes [16,24] bytes EM: 0002 || FF..FF || 00 || M � �� � 128 − len ( M ) − 3 bytes → Hybrid padding (mixing EME and EMSA ) 8

  24. Perform Security Operation Perform Security Operation APDU: M: params || CRT [|| CRT ...] ���� � �� � [22,42] bytes 3 bytes CRT: header || key [|| 91 08 iv ] � �� � ���� ���� 8 bytes [6,8] fixed bytes [16,24] bytes EM: 0002 || FF..FF || 00 || M � �� � 128 − len ( M ) − 3 bytes → Hybrid padding (mixing EME and EMSA ) ⇒ Only few unknown bytes (compared to the modulus size) 8

  25. Coppersmith’s Low Exponent Attack 1 Recover the message if the unknown part is small enough: we need x ≤ n e 1 9

  26. Coppersmith’s Low Exponent Attack 1 Recover the message if the unknown part is small enough: we need x ≤ n e Assuming the card is using: • A 1024 bits modulus • A small public exponent 1 ( e = 3) 1 European Payments Council. Guidelines on cryptographic algorithms usage and key management. epc342-08, 2018 9

  27. Coppersmith’s Low Exponent Attack 1 Recover the message if the unknown part is small enough: we need x ≤ n e Assuming the card is using: • A 1024 bits modulus • A small public exponent 1 ( e = 3) � � 1 3 ) We can recover up to log 2 ( n = 341 bits ( ≈ 42 bytes) • An encryption key: 16-24 unknown bytes • An integrity key (with IV): 26-34 unknown bytes 1 European Payments Council. Guidelines on cryptographic algorithms usage and key management. epc342-08, 2018 9

  28. In practice... • Recover the message in 0.35s on average for a 128 bits key ⇒ on-the-fly attack possible • Passive interception only • Only works for Key Transport 10

  29. In practice... • Recover the message in 0.35s on average for a 128 bits key ⇒ on-the-fly attack possible • Passive interception only • Only works for Key Transport ⇒ Need a big enough public exponent, or random padding 10

  30. In practice... • Recover the message in 0.35s on average for a 128 bits key ⇒ on-the-fly attack possible • Passive interception only • Only works for Key Transport ⇒ Need a big enough public exponent, or random padding � Bigger RSA modulus makes the attack easier � ”Classic” PKCS#1v1.5 padding may not be a valid solution... 10

  31. Padding Oracle

  32. Bleichenbacher’s attack Abusing Perform Security Operation : • Anybody can send this APDU (no authentication before) Manage session / certificate verification Key Transport Perform Security Operation E x p l o i t f o r m a t o r a c l e Response Authentication via challenge 11

  33. Bleichenbacher’s attack Abusing Perform Security Operation : • Anybody can send this APDU (no authentication before) • 3 steps on card: decryption → verification → TLV parsing Manage session / certificate verification Key Transport Perform Security Operation E x p l o i t f o r m a t o r a c l e Response Authentication via challenge 11

  34. Bleichenbacher’s attack Abusing Perform Security Operation : • Anybody can send this APDU (no authentication before) • 3 steps on card: decryption → verification → TLV parsing • Unique error code but no mention of constant time Manage session / certificate verification Key Transport Perform Security Operation E x p l o i t f o r m a t o r a c l e Response Authentication via challenge 11

  35. Bleichenbacher’s attack Abusing Perform Security Operation : • Anybody can send this APDU (no authentication before) • 3 steps on card: decryption → verification → TLV parsing • Unique error code but no mention of constant time • Constant time verification is hard, even harder with TLV parsing Manage session / certificate verification Key Transport Perform Security Operation E x p l o i t f o r m a t o r a c l e Response Authentication via challenge 11

  36. In practice... • Attack possible with some additional analysis • Large number of query needed • Average: 28000 queries ≈ 2h30 • Can be reduced by increasing brute force • No on-the-fly attack: message collection for future decryption 12

  37. In practice... • Attack possible with some additional analysis • Large number of query needed • Average: 28000 queries ≈ 2h30 • Can be reduced by increasing brute force • No on-the-fly attack: message collection for future decryption ⇒ Need robust RSA padding (OAEP would solve both problems) 12

  38. Key Reuse

  39. RSA Key Reuse Design flaw: • Same RSA key for Key Transport and Key Agreement • Same RSA key for confidentiality and authentication ⇒ Less storage, processing and complexity but no key isolation 13

Recommend

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

Context Notation & Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga

658 views • 46 slides
The Long and Winding Road of Unique Device Identifier (UDI) Implementation: A Small Company

The Long and Winding Road of Unique Device Identifier (UDI) Implementation: A Small Company

The Long and Winding Road of Unique Device Identifier (UDI) Implementation: A Small Company Perspective Daniel Simpson, RAC (US,CAN), ASQ CBA Sr. Director of Quality and Regulatory Affairs Corgenix, Inc Rocky Mountain Regulatory Affairs

459 views • 25 slides
The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the

The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the

The Long and Winding Road The Long and Winding Road Christmas Edition Martin Luther on the Old Testament: Martin Luther on the Old Testament: Martin Luther on the Old Testament: Simple and lowly are these swaddling cloths, but dear is

638 views • 30 slides
Knowledge Mobilisation Translation collaboration researchers & decision-makers.

Knowledge Mobilisation Translation collaboration researchers & decision-makers.

A long and winding road: Can you predict successful knowledge mobilisation and implementation in advance? Learning from the development and roll out of a social network intervention designed to support long term condition management Anne Rogers

337 views • 16 slides
Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Introduction & background Path-key-enabled attacks Secure path-key revocation Conclusions Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler Moore and Jolyon Clulow University of Cambridge

505 views • 22 slides
A Series of Serendipitous Events: The Winding Path Toward Digital Literacy Richard E. Snow Award

A Series of Serendipitous Events: The Winding Path Toward Digital Literacy Richard E. Snow Award

A Series of Serendipitous Events: The Winding Path Toward Digital Literacy Richard E. Snow Award for Early Contributions Jeffrey A. Greene Past Richard E. Snow Award Recipients 2015 George Georgiou 2007 Carol Connor 2006 Mimi Bong 2014

504 views • 36 slides
The Long and Winding Road Designing and Creating a Social Science Research

The Long and Winding Road Designing and Creating a Social Science Research

The Long and Winding Road Designing and Creating a Social Science Research Infrastructure in Switzerland Peter Farago FORS Director 2008-2016 Presentation at the symposium 10 Years FORS Lausanne, September 12, 2018 1 !

570 views • 12 slides
The Long and Winding Road to My Dream Job David Pooley Trinity University dpooley@trinity.edu

The Long and Winding Road to My Dream Job David Pooley Trinity University dpooley@trinity.edu

The Long and Winding Road to My Dream Job David Pooley Trinity University dpooley@trinity.edu 2008 Embry-Riddle 2006 Aug 2008 U Michigan move to Austin Postdoc 20042007 2010 2007 U Alberta UC Santa Cruz UT San Antonio Tufts U

507 views • 15 slides
Advancing equity and justice in protected areas (and a story of the long and winding road from

Advancing equity and justice in protected areas (and a story of the long and winding road from

Advancing equity and justice in protected areas (and a story of the long and winding road from science to impact) Kate Schreckenberg k.schreckenberg@soton.ac.uk ESPA Annual Science Conference, Nairobi, 17 Nov 2016 "For me this is an

262 views • 22 slides
100% in main it's a long and winding road but worth it Holger Levsen, August 12 th 2008

100% in main it's a long and winding road but worth it Holger Levsen, August 12 th 2008

aka Debian Edu 100% in main it's a long and winding road but worth it Holger Levsen, August 12 th 2008 About the two names... nowadays Debian Edu and Skolelinux are used as synonyms it's the same project Skolelinux was started

547 views • 44 slides
Private law children reform: A long and winding road Professor Rosemary Hunter Kent Law School

Private law children reform: A long and winding road Professor Rosemary Hunter Kent Law School

Private law children reform: A long and winding road Professor Rosemary Hunter Kent Law School Private law children cases - ideologies 1. Childrens welfare is best served by having ongoing, regular contact with both of their biological

75 views • 6 slides
Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89]

Long-term secure signatures for the IoT Andreas Hlsing Hash-based Signature Schemes [Mer89] Long-term secure Only needs secure hash function Post-quantum Possibility of hash combiners IoT compatible? Only needs secure hash

285 views • 13 slides
Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential

Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential

Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential Management in a Secure VANET) Supervisor: MSc Thesis: Prof. Panos Papadimitratos Mohammad Khodaei LCN KTH October, 2012 1 / 38 Outline

519 views • 48 slides
RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS? Why RSA-PSS? Comparing original and standardized PSS Status of Protocols, Standards and Imple- mentations RSA-PSS in X.509

718 views • 19 slides
Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM Implementation of for Mobile Devices for Mobile Devices Sang- -bum bum Suh Suh Sang sbuk.suh@samsung.com sbuk.suh@samsung.com SW Laboratories SW

598 views • 48 slides
Principles for secure implementation Some of the slides and content are from Mike Hicks

Principles for secure implementation Some of the slides and content are from Mike Hicks

Principles for secure implementation Some of the slides and content are from Mike Hicks Coursera course Trusted computing bases Every system has a TCB Your reference monitor Compiler OS CPU Memory Keyboard..

1.61k views • 143 slides
Introduction to the West Midlands Combined Authority Aims Secure long term investment rather

Introduction to the West Midlands Combined Authority Aims Secure long term investment rather

Introduction to the West Midlands Combined Authority Aims Secure long term investment rather than short term budget allocations to stimulate economic growth for the region Tackle the long term challenges faced by all local authorities and

498 views • 17 slides
verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at

verifiedSCION: Verified Secure Routing Peter Mller Joint work with the verifiedSCION Team at ETH Security and Correctness Protocol-level properties - Path validity : Constructed paths are valid and reflect the routing decisions by on-path

294 views • 8 slides
Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a

Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a

Secure Income REIT Plc 9 March 2018 www.SecureIncomeREIT.co.uk Secure Income REIT Plc is a specialist UK REIT, selectively investing in key operating real estate assets in defensive sectors that provide long term rental income with inflation

822 views • 60 slides
Off-Path BoF Problem/Solution Overview Paul Francis Cornell University Research Goal

Off-Path BoF Problem/Solution Overview Paul Francis Cornell University Research Goal

Off-Path BoF Problem/Solution Overview Paul Francis Cornell University Research Goal Robust, secure, connection establishment Robust: always works Even if behind NATs, firewalls, different network layers Secure: In a

640 views • 17 slides
Access to the English Coast The England Coast Path Gosport to Portsmouth (GPM) What will the

Access to the English Coast The England Coast Path Gosport to Portsmouth (GPM) What will the

Access to the English Coast The England Coast Path Gosport to Portsmouth (GPM) What will the coast path bring Secure, continuous, clearly way-marked, well managed route National Trail brand and funding Tourists with spending money,

367 views • 14 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois

The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois

The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois at Urbana-Champaign www.tcipg.org whs@illinois.edu | 1 Power Grid Trust Dynamics Span Two Interdependent Infrastructures Cyber Infrastructure

337 views • 15 slides
1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

Presentation Outline E- -Business Implementation Business Implementation E Part 1 The Singapore Experience The Singapore Experience How Singapore Government Agency created a secure and trusted infrastructure for e-business By Tan Jin

790 views • 25 slides

More recommend