TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk - PowerPoint PPT Presentation

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth Nadia Heninger 01/08/2020 Real World Crypto

TPM 2

Trusted Platform Module (TPM) Software is Hackers? insecure. Bad Guys? Heartbleed? Rootkits? Computers Ransomware? are just Evil?! 3

Trusted Platform Module (TPM) Software is Hackers? insecure. Bad Guys? Heartbleed? Rootkits? Computers Ransomware? are just Evil?! Hardware-based Root of Trust?! 4

Trusted Platform Module (TPM) • Security Chip for Computers? • Tamper Resistant • Side-Channel Resistant • Crypto Co-processor 5

Trusted Platform Module (TPM) • Security Chip for Computers? • Tamper Resistant • Side-Channel Resistant • Crypto Co-processor Trusted Computing Base 6

Trusted Platform Module (TPM) • Cryptographic Co-processor, specified by Trusted Computing Group • Secure Storage • Integrity Measurement • TRNG • Hash Functions • Encryption • Digital Signatures 7

Trusted Computing Group • https://trustedcomputinggroup .org/membership/certification/ • https://trustedcomputinggroup .org/membership/certification/ tpm-certified-products/ 8

TPM – Digital Signatures • Applications • Trusted Execution of Signing Operations • Remote Attestation • TPM 2.0 supports Elliptic-Curve Digital Signature • ECDSA • ECSchnorr • ECDAA (Anonymous Remote Attestation) 9

Are TPMs really side-channel resistant? 10

High-resolution Timing Test • TPM frequency ~= 32-120 MHz • CPU Frequency is more than 2 GHz 11

High-resolution Timing Test – Intel PTT (fTPM) • Intel Platform Trust Technology (PTT) • Integrated firmware-TPM inside the CPU package • Runs on top of Converged Security and Management Engine (CSME) • Standalone low power processor CPU PCH • Has been around since Haswell CSME • Linux TPM Command Response Buffer (CRB) driver 12

High-resolution Timing Test – Intel PTT (fTPM) • Intel Platform Trust Technology (PTT) • Integrated firmware-TPM inside the CPU package • Runs on top of Converged Security and Management Engine (CSME) CPU PCH CSME Histogram 13

High-resolution Timing Test – Intel PTT (fTPM) • Kernel Driver to increase the Resolution CPU PCH CSME 14

High-resolution Timing Test - Analysis • RSA and ECDSA timing test on 3 dedicated TPM and Intel fTPM • Various non-constant behaviour for both RSA and ECDSA 15

High-resolution Timing Test – ECDSA Nonce • Intel fTPM: 4-bit Window Nonce Length Leakage • ECDSA • ECSChnorr • BN-256 (ECDAA) 16

17

High-resolution Timing Test – ECDSA Nonce • Intel fTPM: 4-bit Window Nonce Length Leakage • ECDSA • ECSchnorr • BN-256(ECDAA) • STMicro TPM: Bit-by-Bit Nonce Length Leakage 18

TPM-Fail – Recovering Private ECDSA Key • TPM is programmed with an unknown key • We already have a template for 𝑢 𝑗 . 1. Collect list of signatures (𝑠 𝑗 , 𝑡 𝑗 ) and timing samples 𝑢 𝑗 . 2. Filter signatures based on 𝑢 𝑗 and keeps (𝑠 𝑗 , 𝑡 𝑗 ) with a known bias. 3. Lattice-based attack to recover private key 𝑒 , from signatures with biased nonce 𝑙 𝑗 . 19

Lattice and Hidden Number Problem • 𝑡 = 𝑙 −1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 20

Lattice and Hidden Number Problem • 𝑡 = 𝑙 −1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙 −1 − 𝑡 𝑗 −1 𝑠 −1 𝑨 ≡ 0 𝑛𝑝𝑒 𝑜 𝑗 𝑒 − 𝑡 𝑗 21

Lattice and Hidden Number Problem • 𝑡 = 𝑙 −1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙 −1 − 𝑡 𝑗 −1 𝑠 −1 𝑨 ≡ 0 𝑛𝑝𝑒 𝑜 𝑗 𝑒 − 𝑡 𝑗 −1 𝑠 −1 𝑨 → k i + A i d + B i = 0 • 𝐵 𝑗 = −𝑡 𝑗 𝑗 , 𝐶 𝑗 = −𝑡 𝑗 22

Lattice and Hidden Number Problem • 𝑡 = 𝑙 −1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙 −1 − 𝑡 𝑗 −1 𝑠 −1 𝑨 ≡ 0 𝑛𝑝𝑒 𝑜 𝑗 𝑒 − 𝑡 𝑗 −1 𝑠 −1 𝑨 → k i + A i d + B i = 0 • 𝐵 𝑗 = −𝑡 𝑗 𝑗 , 𝐶 𝑗 = −𝑡 𝑗 • Let 𝑌 be the upper bound on k i and (d, k 0, k 1 … , 𝑙 𝑜 ) is unknown 23 [8] Dan Boneh and Ramarathnam Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

Lattice and Hidden Number Problem • 𝑡 = 𝑙 −1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 𝑜 → 𝑙 −1 − 𝑡 𝑗 −1 𝑠 −1 𝑨 ≡ 0 𝑛𝑝𝑒 𝑜 𝑗 𝑒 − 𝑡 𝑗 −1 𝑠 −1 𝑨 → k i + A i d + B i = 0 • 𝐵 𝑗 = −𝑡 𝑗 𝑗 , 𝐶 𝑗 = −𝑡 𝑗 • Let 𝑌 be the upper bound on k i and (d, k 0, k 1 … , 𝑙 𝑜 ) is unknown • Lattice Construction: 𝑜 𝑜 ⋱ LLL/BKZ 𝑜 𝑌 𝐵 1 𝐵 2 … 𝐵 𝑢 𝑜 𝐶 1 𝐶 2 … 𝐶 𝑢 𝑌 24

TPM-Fail – Key Recovery Results • Intel fTPM • ECDSA, ECSchnorr and BN-256 (ECDAA) • Three different threat model System, User, Network • STMicroelectronics TPM • CC EAL4+ Certified • Give you the key in 80 minutes 25

26

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 27

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝐽 , … ] 28

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝐽 , … ] 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝑆 , … ] 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈 𝑡 𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺 ℎ (𝑕 𝑦𝑧 ) 29

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝐽 , … ] 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝑆 , … ] 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈 𝑡 𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺 ℎ (𝑕 𝑦𝑧 ) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜 𝑡𝑙𝐽 , (𝑜 𝑆 , … ) ] 30

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝐽 , … ] 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝑆 , … ] 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈 𝑡 𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺 ℎ (𝑕 𝑦𝑧 ) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜 𝑡𝑙𝐽 , (𝑜 𝑆 , … ) ] 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑇𝑗𝑕𝑜 𝑡𝑙𝑆 , (𝑜 𝑆 , … ) ] 31

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝐽 , … ] 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝑆 , … ] 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈 𝑡 𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺 ℎ (𝑕 𝑦𝑧 ) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜 𝑡𝑙𝐽 , (𝑜 𝑆 , … ) ] 32

TPM-Fail Case Study: StrongSwan VPN VPN Client VPN Server TPM Device 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈[ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝐽 , … ] 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑞𝑠𝑝𝑞𝑝𝑡𝑏𝑚, 𝑕 𝑦 , 𝑜 𝑆 , … ] 𝐽𝐿𝐹_𝐽𝑂𝐽𝑈 𝑡 𝑡ℎ𝑏𝑠𝑓𝑒−𝑡𝑓𝑑𝑠𝑓𝑢 = 𝑄𝑆𝐺 ℎ (𝑕 𝑦𝑧 ) 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ[ 𝑇𝑗𝑕𝑜 𝑡𝑙𝐽 , (𝑜 𝑆 , … ) ] 𝐽𝐿𝐹_𝐵𝑣𝑢ℎ 𝑠𝑓𝑡𝑞𝑝𝑜𝑡𝑓 [ 𝑇𝑗𝑕𝑜 𝑡𝑙𝑆 , (𝑜 𝑆 , … ) ] 33

TPM-Fail Case Study: StrongSwan VPN Key Recovery • Remote Key Recovery after about 44,000 handshake ~= 5 hours 34

Remote StrongSwan VPN User Adversary Remote Synthetical System Adversary 35

Coordinated Disclosure - Intel • Intel (CVE-2019-11090) • 02/01/2019: Reported to IPSIRT • 02/12/2019: Acknowledged (Outdated Intel IPP Crypto library) • 11/12/2019: Firmware Update for Intel Management Engine 36

Coordinated Disclosure - STMicroelectronics • STMicroelectronics (CVE-2019-16863) • 05/15/2019: Reported to ST • 05/17/2019: Acknowledged • Lots of calls/emails to clarify the disclosure process • 09/12/2019: Verified new version of STM TPM firmware • After 11/12/2019: • HP and Lenovo have issued firmware updates. • ST released a list of affected devices. 37

Challenge? • Infineon TPM ECDSA Timing Histogram 38

Questions?! https://github.com/ VernamLab/TPM-Fail TPM-FAIL https://tpm.fail/ https://www.usenix.org/conference/us 39 enixsecurity20/presentation/moghimi