Advanced Security for Systems Engineering VO 09: Applied Cryptography

Transcription

1 Advanced Security for Systems Engineering VO 09: Applied Cryptography Clemens Hlauschek Lukas Brandstetter Christian Schanes INSO Industrial Software Institute of Computer Aided Automation Faculty of Informatics TU Wien

2 Agenda Attack Model Basic Primitives Simple Timing Attack Quantum Threat Recap 2 / 43

3 Attack Model 3 / 43

4 Attack Model 4 / 43

5 Adversaries Capabilities Depend on exact model Passive: Eavesdropping Active: Tampering with, blocking, delaying, reordering messages Advanced Active: Sometimes even corrupting peers Mostly Probabilistic Polynomial Time Adversary 5 / 43

6 Basic Primitives 6 / 43

7 Encryption Symmetric, Secret-key: m = D(k,E(k,m)) 3DES, AES, (X)Salsa20, ChaCha Fast but needs Key Distribution Asymmetric, Public-key: m = D(sk,E(pk,m)) RSA, ElGamal, Elliptic Curves Key Distribution easy Hybrid: Encrypt random key k asymmetrically Encrypt message symmetrically with k 7 / 43

8 RSA N = p q with p,q P Operations are computed mod N sk : d pk : e with e d = 1 mod φ(n) E : m e D : m d Hardness based on Integer Factorization Never use plain, use OAEP or at least PKCSv1.5 8 / 43

9 ElGamal p P, g is generator of Z p Operations are computed mod P sk : x pk : g x with x uniform random sampled in Z p E : (c 0 = g y,c 1 = pk y m) with y uniform random sampled in Z p D : c 1 (c 0 ) x Hardness based on Discrete Logarithm Never use plain, use Cramer-Shoup 9 / 43

10 ECB 10 / 43

11 CBC 11 / 43

12 Simple Timing Attack We discuss an example of a cryptographic side channel attack (SCA) Variations of this attack in many different implementations / cryptographic primitives We use Message Authentication Code (MAC) verification for illustration purpose 12 / 43

13 MAC Verification What is the problem? 1 int verify (char key, char msg, char atag) { 2 3 char atag computed [32]; 4 5 atag computed = HMAC SHA2(key, msg) ; 6 7 return memcmp(atag computed, atag, 32) 8 9 } 13 / 43

14 MAC Verification Problem: memcmp implements a byte-by-byte comparison. As soon as the first inequality is found, while-loop in memcmp stops. Remember how we brute-forced the stack canary? 14 / 43

15 MAC Verification: Timing Attack Timing Attack: compute the valid authentication tag for a target message 1. Send queries msg, atag with all possible first bytes for atag. When the first byte is correct, response time is slightly longer. 2. Fix the first byte, repeat to find all other bytes. 15 / 43

16 MAC Verification: Timing Attack Same problem with compare functions in many other languages: Java, Python, etc. Avoid vulnerability by either implementing constant-time comparison. (Beware of compile-time optimizations) comparing MACs of the MACs instead. Attacker cannot guess values being compared. MAC(key, atag)==mac(key, atag_computed)) Same attack sometimes applicable for RSA Signature verification, / 43

17 Padding Oracle Attack Device answers whether padding is correct or not: Error Message Timing side channel We can use this Padding Oracle to decrypt any ciphertext without knowledge of the secret key. 17 / 43

18 Padding Oracle Attack Common Padding schemes: PKCS# Zero Byte Padding / 43

19 Padding Oracle Attack Recap: Property of bitwise XOR Bitwise addition (mod 2) Cancel component by XORing twice: x y x = y x = y = x y = / 43

20 Padding Oracle Attack We have ciphertext c = (c[0],c[1],c[2],c[3]) and want to decrypt m[1]. 20 / 43

21 Padding Oracle Attack Fist, make a guess m [1] 15 for the last byte of m[1] 21 / 43

22 Padding Oracle Attack 1. Calculate c [0] := c[0] m [1] 15 0x01 with guess m [1] 15 for last plaintext byte m[1] Send (IV,c [0],c[1]) to device 3. If oracle response was invalid padding, iterate with another guess, but if oracle says valid padding, our guess m [1] 15 was correct. 22 / 43

23 Padding Oracle Attack Next, fix the last byte m[1] 15 and make a guess for m[1] / 43

24 Padding Oracle Attack Proceed until the whole block m[1] is recovered. This way, any ciphertext block can be decrypted. 24 / 43

25 Padding Oracle Attack The Attack was introduced in 2002 [Vaudenay 02]. In the following years many applications were attacked Smartcards, Hardware Security Module (HSM),... TLS was vulnerable too Many attacks work in a similiar fashion 25 / 43

26 CTR 26 / 43

27 CTR Attack Demo 27 / 43

28 Signatures and Message Authentication Codes Symmetric: V(k,S(k,m),m) = 1 HMAC, CBC-MAC Asymmetric: V(pk,S(sk,m),m) = 1 DSA, ECDSA S( ) is only efficient with k or sk V( ) is efficient with k or pk Ensure that message is from sender and not tampered with Signatures need verifiability for third parties, MACs require only direct peers 28 / 43

29 Fixing the above problems Authenticate the Ciphertext with MAC Block Modes that do exactly this exist GCM is the most popular Like CTR but with a message tag If you want to be even cooler: GCM-SIV If you don t care about patents: OCB Whatever you do, you want Authenticated Encryption 29 / 43

30 Established modern libraries There are libraries for most tasks Use the right primitive NaCl and libsodium are good examples High Level API Authenticated Encryption Hybrid Encryption Hard to use wrong Bindings in many languages nacl.cr.yp.to, libsodium.org 30 / 43

31 NaCl and Libsodium Secret-key crypto_secretbox_keygen(key); randombytes_buf(nonce, nonce_len); crypto_secretbox_easy(ct, pt, pt_len, nonce, key); crypto_secretbox_open_easy(pt, ct, ct_len, nonce, key); Encryption: XSalsa20 stream cipher Authentication: Poly1305 MAC Never reuse nonce 31 / 43

32 NaCl and Libsodium Public-key crypto_box_keypair(apk, ask); crypto_box_keypair(bpk, bsk); randombytes_buf(nonce, nonce_len); crypto_box_easy(ct, pt, pt_len, nonce, bpk, ask); crypto_box_open_easy(pt, ct, ct_len, nonce, apk, bsk); Key exchange: X25519 Encryption: XSalsa20 stream cipher Authentication: Poly1305 MAC Never reuse nonce 32 / 43

33 Quantum Threat 33 / 43

34 Quantum Computing Use quantum mechanics for more efficient computation Classical Computers can emulate all of Quantum Computing but slower Qubit in base state 0 or 1 or in a superposition between Qubits collapse to base state on measurement Each base state has different probability Quantum Computing is manipulating these probabilities s.t. states representing answers are more likely to be measured 34 / 43

35 When will it happen? I used to think it was 50. Now I m thinking like it s 15 or a little more. It s within reach. It s within our lifetime. It s going to happen. Mark Ketchen (IBM) 2012 The effort to build a cryptologically useful quantum computer [..] is part of a $79.7 million research program titled Penetrating Hard Targets.. Washington Post (2014) 1 about Snowden Leaks 1 a-description-of-the-penetrating-hard-targets-project/691/ 35 / 43

36 Shor s Algorithm [Shor 97] Efficient algorithm for period-finding Discrete Logarithm Problem reducable to period-finding Integer Factorization Problem reducable to period-finding Current asymmetric primitives rely on either Discrete Log or Factoring Best classical algorithm is subexponential Shor s algorithm is about quadratic yielding exponential speedup This breaks current asymmetric cryptography 36 / 43

37 Alternative hardness sources Lattice-based New problems Many applications Code-based Well established Encrypt and Sign Hash-based Just Hash functions Only Signatures Multi-variate No security proofs Many applications Most have large key sizes and performance isn t great 37 / 43

38 PQCrypto Project International association of researchers Funded by Horizon 2020 from 2015 to 2018 Conferences on Post-Quantum Cryptography Post-Quantum Crypto for small devices Post-Quantum Crypto for the internet Post-Quantum Crypto for the cloud pqcrypto.eu.org 38 / 43

39 PQCrypto Recommandations Initial Recommandations of PQCrypto 2 Double symmetric key sizes Public-key Encryption: McEliece (Code-based) Public-key Signatures: XMSS or SPHINCS-256 (Hash-based) Key exchange: Maybe try NewHope in addition to ECDH Google Experiment 3 NIST is in the process of standardizing 4 2 pqcrypto.eu.org/docs/initial-recommendations.pdf 3 security.googleblog.com/2016/07/experimenting-with-post-quantum. html 4 csrc.nist.gov/projects/post-quantum-cryptography 39 / 43

40 Recap 40 / 43

41 Rolling your own Crypto? Don t roll your own Crypto Well known rule You will make errors Crypto protects your most precious secretes, Mistakes are fatal A more realistic approach Avoid rolling your own as much as possible Use established modern libraries and protocols Respect that crypto is hard Be patient with your crypto(graphers), Rigor needs time 41 / 43

42 Literature/Links Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Daniel J. Bernstein, Johannes A. Buchmann, Erik Dahmen: Post-Quantum Cryptography PQCrypto Project, NaCl Library, nacl.cr.yp.to Libsodium Library, libsodium.org Slides and Videos of Summer School on Post-Quantum Cryptography 2017, Peter W. Shor: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer Serge Vaudenay: Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS / 43

43 Thank s for your attention! INSO Industrial Software Institute of Computer Aided Automation Faculty of Informatics TU Wien