WhoamI. Attacking WBC Implementations No con Name 2017

Transcription

1 Attacking WBC Implementations No con Name

2 WHO I AM EDUCATION: Computer Science MSc in IT security COMPANY & ROLES: HCE Security Evaluator R&D Engineer WBC project Responsible of Android security training program for new employees CONTACT: jordi.ventayol@applus.com 2

3 INDEX 1. White Box Cryptography 2. AES Classic 3. AES WBC 4. Attacks on White Box Crypto 5. Importing HW attacks on White Box Crypto 6. DFA on WBC-AES 7. Conclusions 3

4 1 White Box Cryptography 4

5 How to protect a cryptographic key? Image source: 5

6 Where? Image source:

7 White Box Cryptography? The challenge is implement a cryptographic algorithm in software in such a way that cryptographic assets remain secure even when subjected to a white-box attack context. The white-box attack context: An attacker is assumed to be expert in analysis tools such as IDA Pro, debuggers, emulators, hooking tools, etc. Cryptography executed on open devices (e.g. PCs, tablets or smartphones). An attacker has complete control over the execution platform and the SW implementation 7

8 The white-box attack context: An attacker can easily: Analyze the binary code of the application (or reverse engineer it) Read memory pages or CPU internal register values Intercept system calls Tamper with the binary and its execution 8

9 Golden Rule: Never use the key in the algorithm, embed it / hard-code it! Perfect way: The best way to completely protect a WBC algorithm would be to code a lookup table with the output of the algorithm per each possible input value. Problem is this requires too much memory resources to store such table (e.g. 2 million TB for a simple DES or 5 * TB for AES 128). Alternative: The strategy, however, can be applied in those parts of the algorithm where the key is used independently in smaller slices. Common strategy for WBC: 1. Embed the key, e.g. using look-up tables 2. Add randomization to those tables, i.e. T = f T g 1 3. Add classic countermeasures, e.g. masking 4. Obfuscate 9

10 2 AES Classic 10

11 AES - Advanced Encryption Standard AKA Rijndael 3 key configurations 128, 192, 256 bits length 1 st subkey indeed the master key Decryption implies inverted transformations: InvShiftRows, InvSubBytes, InvMixColumns AES works with a single S-Box per all bytes, one for encryption and its inverted for decryption this should change in WB context! 11

12 AES State Matrix 12

13 AddRoundKey 13

14 SubBytes 14

15 ShiftRows 15

16 MixColumns 16

17 Key schedule Master Key K 0 = [.. [ K 0 K 1 K n 1 K n SubKeys 17

18 3 AES WBC 18

19 AddRoundKey(ki) ShiftRows SubBytes MixColumns AddRoundKey(k9) ShiftRows SubBytes AddRoundKey(k10) ShiftRows AddRoundKey( ki ) SubBytes MixColumns ShiftRows AddRoundKey( k9 ) SubBytes AddRoundKey(k10) 19

20 ShiftRows T-Boxes(k) MixColumns ShiftRows T-Boxes(9,10) 20

21 ShiftRows T-Boxes(k) Ty-Boxes XOR-Boxes ShiftRows T-Boxes(9,10) 21

22 Code obfuscation WBC is linked with code obfuscation as used to protect SW implementations, however there are function that cannot be obfuscated. So there is some scepticism as obfuscators don t change the functionality of the code. However, breaking WBC in practice is a particular and time consuming work depending not only on the WBC implementation so obfuscation techniques may play their role. Data obfuscation Flow obfuscation Obfuscation tools 22

23 4 Attacks on White Box Crypto 23

24 Attacks overview Debugging Hooking Reverse engineering Code lifting Specific BGE attack <

25 5 Importing HW attacks on White Box Crypto 25

26 A Side Channel is an unintended communication channel that leaks some information from a device through a physical media. A Side Channel Analysis is a passive attack. Monitoring the TOE when it is processing sensitive information. Side Channel Sources: power consumption, electromagnetic radiation, timing of operation and the photonic emission. 26

27 RSA Encrypt 27

28 Simple Power/Electromagnetic Analysis 28

29 The Tracer In WBC, traces are built by monitoring not the power consumption or the EM radiation of a HW device but monitoring the values that are written in the internal registers of the CPU during the execution of the binary. For this purpose we can use different tools: Debuggers Virtual Machines: Qemu, Unicorn, Panda Radare 29

30 On the data generated, the Program Counter of the execution will be traced. If we plot its sequence of values, we can have an idea about the execution given by. gemplus 30 30

31 We can establish a threshold to distinguish system calls from local binary calls. 31

32 Fault Injection To introduce a malfunction (a fault) that induces to an unexpected behavior. First historical references Gamma particles Alpha particles 32

33 War and space electronics are secured against accidental fault injection (electronics in sealed anti-radiation boxes, parallel computation, etc ) But! Errors due to fault injection are used by attackers to perturb user electronics. Fault injection evolved so new sources were found: Gamma X-ray UV light Laser pulses EM pulses Power/clock glitches 33

34 sload_3; // Perturb sload 4; // Perturb if_scmpne L5; // Perturb L4: sspush 27011; invokestatic 9; // javacard/framework/isoexception.throwit(s)v //Avoid this goto L6; // and this L5: aload_2; // Desired flow invokestatic 10;// javacard/framework/util.arraycopynonatomic([bs[bss)s pop; sspush 26368; 34

35 6 DFA on WBC AES 35

36 Differential Fault Attack at Round 9 In red the error detected at the output: Out ok Out faulty = ε out In yellow the initial error: ε in In orange, MixColumns ε in = 2ε in, ε in, ε in, 3ε in for the 1 st column Hence, SubBytes x MixCol ε in = SubBytes x ε out 36

37 Differential Fault Attack DFA on AES applies by changing the value of a single byte at round 8 or round 9. Many-bytes faulted bring complexity (doesn t work) due to the diffusion and byte combination in the MixColumns transformation. How to detect the fault? Is it an exploitable fault? 37

38 38

39 39

40 40

41 Output Round 9 41

42 42

43 1. 5A6D C6A5722CFAAE0CFB32D1 2. 5AE C6A5722CFA750CFB74D1 3. 5AEE C6A5722CFAA60CFB11D1 4. 5A6D C6A5722CFAAE0CFB32D1 5. 5A6D099F2896CEA57249FAAE6AFB32D1 6. AC6D C67D722C5CAE0C0432D1 7. 5A6D09F22896F5A5729FFAAE5AFB32D D C613722C76AE0C3F32D1 9. A86D C6C7722C10AE0CEB32D A6D C6A54A2CFAAE0CFB C6D C6F2722C9BAE0CA632D A6D09DE289671A572A4FAAE44FB32D E6D C638722C9CAE0CE132D1 43

44 44

45 7 Conclusions 45

46 Effective defense? Double-checks on encryption process Less-Improvement: Time and energy cost Bypassed if detected Obfuscation Data obfuscation Control-flow obfuscation Security Measures Detect debbugger/emulator Detect hooks and modifications Device bindings 46

47 47