Abstract image of a woman sitting on books and studying on a laptop

nabdullin_brcrdu_dark

Nikita Abdullin, profile picture
Nikita Abdullin

This document provides an agenda for a talk on breaking modern cryptography. It discusses various side channel and fault injection attacks that can be used to break cryptographic implementations running on untrusted hardware. It covers side channel basics like power analysis and EM analysis techniques. It also discusses fault injection basics and how errors can be injected and propagated in cryptosystems. Finally, it summarizes countermeasures for side channel and fault injection attacks and discusses how the same techniques can be applied beyond attacking cryptography.

1 of 72
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
Breaking Crypto For Dummies Nikita Abdullin @
• @0xABD Abdullin@riscure.com • Background: fintech, payment security • Security analyst @ Riscure, evaluating payment tech • Who is Riscure? • Security lab in the Netherlands & USA • 80 hackers working on: • Security test tools • Security test services • We host the #RHme & #RHme2 hardware CTFs! • rhme.riscure.com • 500 players from 49 countries this year About me
Cryptography Crash Course Attacks on (Software) Crypto Side Channel Attacks Fault Injection Attacks DEMO Conclusions Agenda
Agenda
• Some history: how did people use and break cryptography? • Black room == Mallory peeks in the room== broken • “Cabinet noir” • Black box == Mallory peeks in the box == broken • Commercial encryption machines • Kerckhoffs's principle == Mallory has the key == broken • … • The present day: • All of the above • Internal state == Key • ??? Cryptography Crash Course
• Black box Cryptography Crash Course Observe Alter Encrypt Decrypt
• Grey box Cryptography Crash Course Observe Alter Encrypt Decrypt
Encrypt Decrypt • White box Cryptography Crash Course Observe Alter
• Black box == Attacker cannot look inside • Grey box == Attacker can see something* inside and/or influence it • White box == Attacker has full control Cryptography Crash Course
• What is cryptography, when implemented in hardware and software? • Start with a Black box • Inputs • Data • Key • Output Cryptography Crash Course Input Key Output
• Crypto is executed by a machine • Sometimes, a “weird machine” (Sergey Bratus et al., 2011) • http://langsec.org/papers/Bratus.pdf Cryptography Crash Course Unintended functionality Normal, intended functionality Unintended states Normal, intended states
• What is cryptography, when implemented in hardware and software? • Symmetric crypto • Done in (simple) steps – rounds • Key schedule • Use a new key every round • Linear operations (aka affine transformations) • Matrix operations • Register arithmetic: SHIFT XOR ADD OR AND NOT … • Non-linear operations • Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …) Cryptography Crash Course
• What is cryptography, when implemented in hardware and software? • Asymmetric crypto • Arithmetic on looooong numbers (> 4x wider than our CPU regs) • Modular arithmetic • Various optimizations to make it fit into register width • Various hacks to make it faster Cryptography Crash Course
Breaking Modern Cryptography Images (c) by Vasya Lozhkin http://vasya-lozhkin.ru/
Breaking Modern Cryptography The hipster way: • Classic Cryptanalysis • Linear Cryptanalysis • Differential Cryptanalysis • Formal verification of protocols • … • “3-AES will probably never be cryptanalyzed”
Breaking Modern Cryptography • Symmetric crypto: • Current view on computational complexity (Joan Daemen, 2016): • 80 bits: lightweight • 96 bits: solid • 128 bits: secure for the foreseeable future • 256 bits: for the clueless
Breaking Modern Cryptography The brutal way: 1. Make assumptions on the internal state of the cipher 2. Guess the state / edit the state 3. Guessed/new state depends on key (and data) 4. Measure & Calculate the key • Adjust your assumptions Grey box model – the attacker can see through the box and touch it
Breaking Modern Cryptography The brutal way: • Side Channel Analysis (SCA) • Timing analysis • Power analysis • Simple power analysis (SPA) • Differential power analysis (DPA) • Correlation power analysis (CPA) • … • Fault Injection (FI) • Differential fault analysis • …
Side-channel Basics Image source: www.wikihow.com
Side-channel Basics ???? 8??? 82?? 827? PIN 8275 Example: PIN Verification and power measurements (traces)
• Observe the whole cryptosystem • Find what is leaking (and, preferably, where) • Time • Power consumption • Electromagnetic field • Light / Sound / Temperature / … • … • Make an assumption on the dependencies between secret state and observable state • Leakage model • Process the observation data & Get the key Side-channel Basics
• Why it leaks? A hardware circuit is more complex than its schematics • Each switch (=bit) draws power when flipped (clocked) • A power consumption of a register is a function of its data (state) • Same for EM / temperature / other energy emissions Side-channel Basics
• Every wire is an antenna • Every loop is a coil • Works both ways (see later) • Noise is (usually) random/uniform, correctly modeled leakage is not • Acquire more measurements (traces) • Noise cancels itself, but data dependencies are amplified • If leakage model is correct, otherwise == becomes noise too Side-channel Basics
• For pure software, every shared hardware resource leaks • CPU caches • CPU branch predictor • Any resource of the memory controller • … • https://scholar.google.com/scholar?q=cross+vm+side+channel+attack • Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Last- level cache attacks on mobile devices. arXiv preprint arXiv:1511.04897. • https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How- Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf • https://github.com/IAIK/armageddon Side-channel Basics
• How to perform actual SCA attacks? 1. Acquisition of many traces – extracting leakage out of the box 2. Signal processing – leaving the good things 3. Statistical analysis of the trace set Side-channel Basics
Side-channel Basics (1) arm (6) response (3) trigger (4) measurement (5) acquisition (2) command Embedded System Current Probe (7) attack
• Acquisition of many traces • Proper equipment • Proper setup • Or, “Garbage in – Garbage Out” Side-channel Basics
• Signal processing • Filtering • Alignment • Resampling • Cut/paste • Bucket Side-channel Basics
• Statistical analysis of the trace set • First-order analysis – single point on a trace vs. model • Differential • Correlation • Higher-order analysis – multiple points on a trace vs. model • Works against protected implementations • Other attacks Side-channel Basics
• Statistical analysis of the trace set – How? • FOSS tools: https://github.com/SideChannelMarvels • Entry-level hardware: ChipWhisperer • Commercial tools: Riscure Inspector Side-channel Basics
• Further reading • ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via power consumption” • http://2014.zeronights.org/assets/files/slides/korkikyan.pdf Side-channel Basics
• Hardware is FRAGILE • Introduce glitches in power supply • Introduce glitches in CLK • Directly supply energy to parts of the chip • Laser • EM field • Invasive techniques • Edit & Probe the silicon Fault injection Basics
• Cryptography is FRAGILE • Errors propagate • State depends on the key (and data) • (Error+State) propagates too • Output is now more a function of a key than before • Sometimes, a single-bit flip = key extracted • Most of the time = solve a system of (linear) equations Fault injection Basics
• Why symmetric crypto fails under FI? • Magic does not happen at once • Symmetric crypto is done in rounds • Data (fault) propagation per round is limited • Faults in state remove data dependencies • Key is linearly combined with the faulty state Fault injection Basics
• Why asymmetric crypto fails under FI? • All assumptions fail • Prime numbers become composite with a single bit flip • Points on a strong ECC curve become points on weaker curves • … Fault injection Basics
• Side Channel and Fault Injection  the gray box scenario • A hardware black box does not protect the state (the key) • Even gray boxes no longer sufficient to secure the current ecosystem • Hardware is not free and cannot be delivered over the wire • Can we make cryptography secure on an untrusted hardware? • Mobile (Payments/Banking/HCE) • Content Protection (DRM) • … • How to hide the key in plain sight of the attacker? White-box Cryptography Basics
• Assumptions: • Even the hardware is now untrusted • The attacker can read the code AND the key • Can it still be secure? • Let’s mix the key in the algorithm. Code == Key • Tables • Dark magic • Tables & dark magic • And obfuscate the code, make the white-box self-aware • To avoid key extraction and arbitrary code reuse (lifting) White-box Cryptography Basics
White-box Cryptography Basics Images (c) Brecht Wyseur http://www.whiteboxcrypto.com/
• White-boxed algorithms • DES • AES • RSA • ECC • SHA256, SHA256-HMAC • … • Fight magic with magic? Breaking White-box Cryptography
• Fight magic with magic… Breaking White-box Cryptography
• Fight magic with magic… • Or apply brutal hardware attacks • Naïve white-box implementations do not solve the gray-box problems • If crypto happens, the state is there • If crypto happens, the fragile parts are there, too Breaking White-box Cryptography
• Eloi Sanfelix, Cristofaro Mune, Job de Haas, “Unboxing the White-Box” BH EU 2015 • https://www.blackhat.com/docs/eu- 15/materials/eu-15-Sanfelix-Unboxing-The- White-Box-Practical-Attacks-Against- Obfuscated-Ciphers-wp.pdf • Joppe W Bos, Charles Hubain, Wil Michiels, Philippe Teuwen “Differential Computation Analysis: Hiding your White-Box Designs is Not Enough” • https://eprint.iacr.org/2015/753 Breaking White-box Cryptography
• Side-channel attacks on WBC • Run on “hardware” • attack as if it was a pure hardware cipher • – What is leaking? – Everything! • Memory • Values in registers • “Trace” is now data dump over time Breaking White-box Cryptography
• Why (some) WBC fails under side channel? • Linearity = leakage • Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box Cryptography in the Gray Box.“ • http://eprint.iacr.org/2016/203.pdf Breaking White-box Cryptography
• Fault injection attacks on WBC • Run on “hardware” • attack as if it was a pure hardware cipher • – What can we glitch? – Anything! • Memory • Values in registers Breaking White-box Cryptography
• Need to tap into the code flow and data. How? • Manual code manipulation at run time (hook/inject/debug) • Decompile & recompile with probes • Dynamic Binary Instrumentation • Emulation (with probes) • Absolute worst case: run on real hardware and bring the big guns Software Crypto Instrumentation
• Manual code manipulation at run time (hook/inject/debug) • + Easy to start from a software RE/expl. background • – Lower speed (esp. when debugging, need to tap into everything) • – Need to bypass anti-debug countermeasures • – Scripting debuggers is ugly Software Crypto Instrumentation
• Decompile & recompile with probes • + Easy to start from a software RE/expl. background • + Speed • – lots of manual corrections • – some RE & understanding of the target needed Software Crypto Instrumentation
• Dynamic Binary Instrumentation • Intel PIN • Valgrind • DynamoRIO • (Frida) http://www.frida.re/ • https://github.com/SideChannelMarvels already has one Software Crypto Instrumentation
• Dynamic Binary Instrumentation • + Flexibility • + Stealth • – architecture-specific issues Software Crypto Instrumentation
• Emulation (with probes) • Platform-level emulation = The mighty QEMU • Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/ • Standalone • IDA plugin • Awesome • PANDA (a full platform) https://github.com/moyix/panda • Record traces and replay • Plugin framework • Awesome (but slow) Software Crypto Instrumentation
• Emulation (with probes) • + Flexibility • + Stealth • + Speed • – Platform-level emulation is slow Software Crypto Instrumentation
• What to do? Side-channel: • Log all memory accesses • Address • Value & Size • Log all registers • What to do? Fault injection: • Flip bits in memory values and memory addresses • Flip bits in registers • KEEP TRACK OF THE PROGRAM COUNTER == TIME Software Crypto Instrumentation
• Narrow down the addresses and PC range • Compare execution traces, identifying data and key dependencies • Side-channel – easy optimizations • Memory writes are more useful than reads • Most registers are redundant (sometimes LSB is enough) • Data can be compressed/discarded on the fly • Fault injection – easy optimizations • Keep track of what you glitch Software Crypto Instrumentation
• White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto • Fault injection attack in 9th round • Using https://github.com/SideChannelMarvels/JeanGrey to extract the key DEMO 1
• Huge traces for SCA • ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes per instruction = a lot of data  Compress and discard more aggressively Software Crypto Instrumentation Challenges
• Misalignment • Leakage location depends on input  Do aggressive signal processing  Smart emulation (CFG?) Software Crypto Instrumentation Challenges
• Glitching runs wild • Unwanted glitching of return addresses • Unwanted glitching of instruction loading addresses  Simple heuristics when glitching, better focus Software Crypto Instrumentation Challenges
• Why? • Directly applicable on regular software crypto • Defeat obfuscation without deobfuscating • What is executable will be executed and WILL leak / WILL be glitchable • Minimum reverse engineering • Ideally, locate the target function in time domain only • Can be tailored into a point-and-click solution if needed Bonus: Attacking Regular Software Crypto
• But… hardware acceleration? AES-NI, etc.? • Only for symmetric crypto. • Maybe forbidden by obfuscator/protector • Often not applicable due to platform diversity • E.g. standard crypto extensions for ARM are not there yet, etc. • Or, emulate & get the key from emulator’s implementation • Or, emulate & apply DCA on the whole emulator • Worst case, debug & get the key from registers, as usual Bonus: Attacking Regular Software Crypto
• OLLVM-Obfuscated standard AES encryption • Side-channel leakage is memory accesses • Using Riscure Inspector to extract the key DEMO 2
• Any state can be leaked via SCA • Any data dependency • PIN/Key/Password lengths • Hamming weights/distances of values • Code structure / CFG leaks too • Basic blocks in CFG may be recognizable SCA & FI: Beyond Attacking Crypto
• Any state can be affected via FI • Most critical – bypass security mechanisms • MAC/Signature/PIN/Password checks • Secure Boot • … Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016 https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using- Fault-Injection.pdf SCA & FI: Beyond Attacking Crypto
• Countermeasures exist • SCA countermeasures • FI countermeasures SCA & FI: Beyond Attacking Crypto
• SCA countermeasures • Most are patented, bad news for silicon and crypto vendors • Reduce leakages (double rail logic, shields, …) • Introduce noise and jitter • Shuffle the state in time domain • Masking • Encodings between rounds SCA & FI: Beyond Attacking Crypto
• FI countermeasures • Most are patented, bad news for silicon and crypto vendors • Best idea: verify everything • Transform the algorithms • To allow verification on side effects of the calculations • To propagate errors DRAMATICALLY, diffusing the key dependencies • Hardware: • Awareness – sensors: glitch, light, EM, … SCA & FI: Beyond Attacking Crypto
• State-of-the-art white-box crypto, as seen in highly competitive markets like content protection, is tough: • All of the above • SCA countermeasures • FI countermeasures • State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI • Attacking == Defusing an explosive black box with a hammer • If possible, uses encodings • Internal encoding: • 𝐿𝑈𝑇 = 𝑔 ∘ 𝐿𝑈𝑇 ∘ 𝑓−1 • External encoding: • 𝐴𝐸𝑆 𝑘 ′ = 𝐺 ∘ 𝐴𝐸𝑆 𝑘 ∘ 𝐹−1 • 𝐴𝐸𝑆 𝑘 ′ (𝑚) is unusable by anyone, except the vendor who can decode SCA & FI: Beyond Attacking Crypto
• More countermeasures for white-box crypto: • Remember, state = key. Diffuse the state so it is too large to easily extract or compress • Bogdanov, A., & Isobe, T.. (2015). White-Box Cryptography Revisited: Space-Hard Ciphers. ACM Conference on Computer and Communications Security. 10.1145/2810103.2813699 SCA & FI: Beyond Attacking Crypto
• It is still possible to break crypto without being a cryptographer • Academy is busy constructing funny whiteboxes • Thinking out of the box helps • Best hacks happen on an edge • Proper tools • Continuously evaluate your product before it hits the market • The fight goes on… Conclusions
Questions?
• http://langsec.org/papers/Bratus.pdf • http://2014.zeronights.org/assets/files/slides/korkikyan.pdf • https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The- White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf • https://eprint.iacr.org/2015/753 • http://eprint.iacr.org/2016/203.pdf • https://github.com/SideChannelMarvels • http://www.frida.re • http://www.unicorn-engine.org • https://github.com/moyix/panda • https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing- Secure-Boot-Using-Fault-Injection.pdf References
Challenge your security Riscure North America 550 Kearny St. Suite 330 San Francisco, CA 94108 +1 (650) 646 9979 inforequest@riscure.com Riscure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com We are hiring! www.riscure.com/careers

More Related Content

PPTX
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Andrew Morris
 
PPTX
The Background Noise of the Internet
Andrew Morris
 
PPTX
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
PDF
DEFCON 23 - Fernando Arnaboldi - abusing xslt for practical
Felipe Prado
 
PDF
Hta t17
SelectedPresentations
 
PDF
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...
balDYxan
 
PPTX
Side Channel Analysis: Practice and a Bit of Theory
Positive Hack Days
 
PDF
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Andrew Morris
 
The Background Noise of the Internet
Andrew Morris
 
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
DEFCON 23 - Fernando Arnaboldi - abusing xslt for practical
Felipe Prado
 
Hta t17
SelectedPresentations
 
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...
balDYxan
 
Side Channel Analysis: Practice and a Bit of Theory
Positive Hack Days
 
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World
 

Similar to nabdullin_brcrdu_dark (20)

PPTX
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
RootedCON
 
PDF
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 
PPTX
White box crytography in an insecure enviroment
Iqra khalil
 
PDF
Why are we still vulnerable to Side Channel Attacks?
Riscure
 
PPTX
Lecture 02 - 05 Oct 21.pptx
HammadRao5
 
PDF
MIT Bitcoin Expo 2018 - Hardware Wallets Security
Charles Guillemet
 
PPTX
cyber security attacks cyber security attacks
NiharikaGuptas
 
PPTX
FPGA-Based Security Solutions & Specific security goals of cryptography
VINOTHRAJR1
 
PDF
Sullivan white boxcrypto-baythreat-2013
Cloudflare
 
PDF
36_Cryptography.pdf
ssuserfb92ae
 
PDF
3. Cryptographic Security
Sam Bowne
 
PDF
Three things that rowhammer taught me by Halvar Flake
n|u - The Open Security Community
 
PDF
Secure Integrated Circuits And Systems 1st Edition Tim Gneysu
bunispinolml
 
PDF
Unboxing the White-Box: Practical Attacks Against Obfuscated Ciphers
Cristofaro Mune
 
PDF
Cryptography Unchained - BeeBryte (White Paper)
BeeBryte | Energy Intelligence & Automation
 
PDF
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
PDF
CNIT 141: 3. Cryptographic Security
Sam Bowne
 
PDF
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
 
PPTX
Safe and secure programming practices for embedded devices
Soumitra Bhattacharyya
 
PDF
Tower defense for hackers: Layered (in-)security for microcontrollers
Milosch Meriac
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
RootedCON
 
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
Area41
 
White box crytography in an insecure enviroment
Iqra khalil
 
Why are we still vulnerable to Side Channel Attacks?
Riscure
 
Lecture 02 - 05 Oct 21.pptx
HammadRao5
 
MIT Bitcoin Expo 2018 - Hardware Wallets Security
Charles Guillemet
 
cyber security attacks cyber security attacks
NiharikaGuptas
 
FPGA-Based Security Solutions & Specific security goals of cryptography
VINOTHRAJR1
 
Sullivan white boxcrypto-baythreat-2013
Cloudflare
 
36_Cryptography.pdf
ssuserfb92ae
 
3. Cryptographic Security
Sam Bowne
 
Three things that rowhammer taught me by Halvar Flake
n|u - The Open Security Community
 
Secure Integrated Circuits And Systems 1st Edition Tim Gneysu
bunispinolml
 
Unboxing the White-Box: Practical Attacks Against Obfuscated Ciphers
Cristofaro Mune
 
Cryptography Unchained - BeeBryte (White Paper)
BeeBryte | Energy Intelligence & Automation
 
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
CNIT 141: 3. Cryptographic Security
Sam Bowne
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
 
Safe and secure programming practices for embedded devices
Soumitra Bhattacharyya
 
Tower defense for hackers: Layered (in-)security for microcontrollers
Milosch Meriac
 
Ad

nabdullin_brcrdu_dark

  • 2. • @0xABD Abdullin@riscure.com • Background: fintech, payment security • Security analyst @ Riscure, evaluating payment tech • Who is Riscure? • Security lab in the Netherlands & USA • 80 hackers working on: • Security test tools • Security test services • We host the #RHme & #RHme2 hardware CTFs! • rhme.riscure.com • 500 players from 49 countries this year About me
  • 3. Cryptography Crash Course Attacks on (Software) Crypto Side Channel Attacks Fault Injection Attacks DEMO Conclusions Agenda
  • 5. • Some history: how did people use and break cryptography? • Black room == Mallory peeks in the room== broken • “Cabinet noir” • Black box == Mallory peeks in the box == broken • Commercial encryption machines • Kerckhoffs's principle == Mallory has the key == broken • … • The present day: • All of the above • Internal state == Key • ??? Cryptography Crash Course
  • 6. • Black box Cryptography Crash Course Observe Alter Encrypt Decrypt
  • 7. • Grey box Cryptography Crash Course Observe Alter Encrypt Decrypt
  • 8. Encrypt Decrypt • White box Cryptography Crash Course Observe Alter
  • 9. • Black box == Attacker cannot look inside • Grey box == Attacker can see something* inside and/or influence it • White box == Attacker has full control Cryptography Crash Course
  • 10. • What is cryptography, when implemented in hardware and software? • Start with a Black box • Inputs • Data • Key • Output Cryptography Crash Course Input Key Output
  • 11. • Crypto is executed by a machine • Sometimes, a “weird machine” (Sergey Bratus et al., 2011) • http://langsec.org/papers/Bratus.pdf Cryptography Crash Course Unintended functionality Normal, intended functionality Unintended states Normal, intended states
  • 12. • What is cryptography, when implemented in hardware and software? • Symmetric crypto • Done in (simple) steps – rounds • Key schedule • Use a new key every round • Linear operations (aka affine transformations) • Matrix operations • Register arithmetic: SHIFT XOR ADD OR AND NOT … • Non-linear operations • Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …) Cryptography Crash Course
  • 13. • What is cryptography, when implemented in hardware and software? • Asymmetric crypto • Arithmetic on looooong numbers (> 4x wider than our CPU regs) • Modular arithmetic • Various optimizations to make it fit into register width • Various hacks to make it faster Cryptography Crash Course
  • 14. Breaking Modern Cryptography Images (c) by Vasya Lozhkin http://vasya-lozhkin.ru/
  • 15. Breaking Modern Cryptography The hipster way: • Classic Cryptanalysis • Linear Cryptanalysis • Differential Cryptanalysis • Formal verification of protocols • … • “3-AES will probably never be cryptanalyzed”
  • 16. Breaking Modern Cryptography • Symmetric crypto: • Current view on computational complexity (Joan Daemen, 2016): • 80 bits: lightweight • 96 bits: solid • 128 bits: secure for the foreseeable future • 256 bits: for the clueless
  • 17. Breaking Modern Cryptography The brutal way: 1. Make assumptions on the internal state of the cipher 2. Guess the state / edit the state 3. Guessed/new state depends on key (and data) 4. Measure & Calculate the key • Adjust your assumptions Grey box model – the attacker can see through the box and touch it
  • 18. Breaking Modern Cryptography The brutal way: • Side Channel Analysis (SCA) • Timing analysis • Power analysis • Simple power analysis (SPA) • Differential power analysis (DPA) • Correlation power analysis (CPA) • … • Fault Injection (FI) • Differential fault analysis • …
  • 20. Side-channel Basics ???? 8??? 82?? 827? PIN 8275 Example: PIN Verification and power measurements (traces)
  • 21. • Observe the whole cryptosystem • Find what is leaking (and, preferably, where) • Time • Power consumption • Electromagnetic field • Light / Sound / Temperature / … • … • Make an assumption on the dependencies between secret state and observable state • Leakage model • Process the observation data & Get the key Side-channel Basics
  • 22. • Why it leaks? A hardware circuit is more complex than its schematics • Each switch (=bit) draws power when flipped (clocked) • A power consumption of a register is a function of its data (state) • Same for EM / temperature / other energy emissions Side-channel Basics
  • 23. • Every wire is an antenna • Every loop is a coil • Works both ways (see later) • Noise is (usually) random/uniform, correctly modeled leakage is not • Acquire more measurements (traces) • Noise cancels itself, but data dependencies are amplified • If leakage model is correct, otherwise == becomes noise too Side-channel Basics
  • 24. • For pure software, every shared hardware resource leaks • CPU caches • CPU branch predictor • Any resource of the memory controller • … • https://scholar.google.com/scholar?q=cross+vm+side+channel+attack • Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Last- level cache attacks on mobile devices. arXiv preprint arXiv:1511.04897. • https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How- Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf • https://github.com/IAIK/armageddon Side-channel Basics
  • 25. • How to perform actual SCA attacks? 1. Acquisition of many traces – extracting leakage out of the box 2. Signal processing – leaving the good things 3. Statistical analysis of the trace set Side-channel Basics
  • 26. Side-channel Basics (1) arm (6) response (3) trigger (4) measurement (5) acquisition (2) command Embedded System Current Probe (7) attack
  • 27. • Acquisition of many traces • Proper equipment • Proper setup • Or, “Garbage in – Garbage Out” Side-channel Basics
  • 28. • Signal processing • Filtering • Alignment • Resampling • Cut/paste • Bucket Side-channel Basics
  • 29. • Statistical analysis of the trace set • First-order analysis – single point on a trace vs. model • Differential • Correlation • Higher-order analysis – multiple points on a trace vs. model • Works against protected implementations • Other attacks Side-channel Basics
  • 30. • Statistical analysis of the trace set – How? • FOSS tools: https://github.com/SideChannelMarvels • Entry-level hardware: ChipWhisperer • Commercial tools: Riscure Inspector Side-channel Basics
  • 31. • Further reading • ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via power consumption” • http://2014.zeronights.org/assets/files/slides/korkikyan.pdf Side-channel Basics
  • 32. • Hardware is FRAGILE • Introduce glitches in power supply • Introduce glitches in CLK • Directly supply energy to parts of the chip • Laser • EM field • Invasive techniques • Edit & Probe the silicon Fault injection Basics
  • 33. • Cryptography is FRAGILE • Errors propagate • State depends on the key (and data) • (Error+State) propagates too • Output is now more a function of a key than before • Sometimes, a single-bit flip = key extracted • Most of the time = solve a system of (linear) equations Fault injection Basics
  • 34. • Why symmetric crypto fails under FI? • Magic does not happen at once • Symmetric crypto is done in rounds • Data (fault) propagation per round is limited • Faults in state remove data dependencies • Key is linearly combined with the faulty state Fault injection Basics
  • 35. • Why asymmetric crypto fails under FI? • All assumptions fail • Prime numbers become composite with a single bit flip • Points on a strong ECC curve become points on weaker curves • … Fault injection Basics
  • 36. • Side Channel and Fault Injection  the gray box scenario • A hardware black box does not protect the state (the key) • Even gray boxes no longer sufficient to secure the current ecosystem • Hardware is not free and cannot be delivered over the wire • Can we make cryptography secure on an untrusted hardware? • Mobile (Payments/Banking/HCE) • Content Protection (DRM) • … • How to hide the key in plain sight of the attacker? White-box Cryptography Basics
  • 37. • Assumptions: • Even the hardware is now untrusted • The attacker can read the code AND the key • Can it still be secure? • Let’s mix the key in the algorithm. Code == Key • Tables • Dark magic • Tables & dark magic • And obfuscate the code, make the white-box self-aware • To avoid key extraction and arbitrary code reuse (lifting) White-box Cryptography Basics
  • 38. White-box Cryptography Basics Images (c) Brecht Wyseur http://www.whiteboxcrypto.com/
  • 39. • White-boxed algorithms • DES • AES • RSA • ECC • SHA256, SHA256-HMAC • … • Fight magic with magic? Breaking White-box Cryptography
  • 40. • Fight magic with magic… Breaking White-box Cryptography
  • 41. • Fight magic with magic… • Or apply brutal hardware attacks • Naïve white-box implementations do not solve the gray-box problems • If crypto happens, the state is there • If crypto happens, the fragile parts are there, too Breaking White-box Cryptography
  • 42. • Eloi Sanfelix, Cristofaro Mune, Job de Haas, “Unboxing the White-Box” BH EU 2015 • https://www.blackhat.com/docs/eu- 15/materials/eu-15-Sanfelix-Unboxing-The- White-Box-Practical-Attacks-Against- Obfuscated-Ciphers-wp.pdf • Joppe W Bos, Charles Hubain, Wil Michiels, Philippe Teuwen “Differential Computation Analysis: Hiding your White-Box Designs is Not Enough” • https://eprint.iacr.org/2015/753 Breaking White-box Cryptography
  • 43. • Side-channel attacks on WBC • Run on “hardware” • attack as if it was a pure hardware cipher • – What is leaking? – Everything! • Memory • Values in registers • “Trace” is now data dump over time Breaking White-box Cryptography
  • 44. • Why (some) WBC fails under side channel? • Linearity = leakage • Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box Cryptography in the Gray Box.“ • http://eprint.iacr.org/2016/203.pdf Breaking White-box Cryptography
  • 45. • Fault injection attacks on WBC • Run on “hardware” • attack as if it was a pure hardware cipher • – What can we glitch? – Anything! • Memory • Values in registers Breaking White-box Cryptography
  • 46. • Need to tap into the code flow and data. How? • Manual code manipulation at run time (hook/inject/debug) • Decompile & recompile with probes • Dynamic Binary Instrumentation • Emulation (with probes) • Absolute worst case: run on real hardware and bring the big guns Software Crypto Instrumentation
  • 47. • Manual code manipulation at run time (hook/inject/debug) • + Easy to start from a software RE/expl. background • – Lower speed (esp. when debugging, need to tap into everything) • – Need to bypass anti-debug countermeasures • – Scripting debuggers is ugly Software Crypto Instrumentation
  • 48. • Decompile & recompile with probes • + Easy to start from a software RE/expl. background • + Speed • – lots of manual corrections • – some RE & understanding of the target needed Software Crypto Instrumentation
  • 49. • Dynamic Binary Instrumentation • Intel PIN • Valgrind • DynamoRIO • (Frida) http://www.frida.re/ • https://github.com/SideChannelMarvels already has one Software Crypto Instrumentation
  • 50. • Dynamic Binary Instrumentation • + Flexibility • + Stealth • – architecture-specific issues Software Crypto Instrumentation
  • 51. • Emulation (with probes) • Platform-level emulation = The mighty QEMU • Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/ • Standalone • IDA plugin • Awesome • PANDA (a full platform) https://github.com/moyix/panda • Record traces and replay • Plugin framework • Awesome (but slow) Software Crypto Instrumentation
  • 52. • Emulation (with probes) • + Flexibility • + Stealth • + Speed • – Platform-level emulation is slow Software Crypto Instrumentation
  • 53. • What to do? Side-channel: • Log all memory accesses • Address • Value & Size • Log all registers • What to do? Fault injection: • Flip bits in memory values and memory addresses • Flip bits in registers • KEEP TRACK OF THE PROGRAM COUNTER == TIME Software Crypto Instrumentation
  • 54. • Narrow down the addresses and PC range • Compare execution traces, identifying data and key dependencies • Side-channel – easy optimizations • Memory writes are more useful than reads • Most registers are redundant (sometimes LSB is enough) • Data can be compressed/discarded on the fly • Fault injection – easy optimizations • Keep track of what you glitch Software Crypto Instrumentation
  • 55. • White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto • Fault injection attack in 9th round • Using https://github.com/SideChannelMarvels/JeanGrey to extract the key DEMO 1
  • 56. • Huge traces for SCA • ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes per instruction = a lot of data  Compress and discard more aggressively Software Crypto Instrumentation Challenges
  • 57. • Misalignment • Leakage location depends on input  Do aggressive signal processing  Smart emulation (CFG?) Software Crypto Instrumentation Challenges
  • 58. • Glitching runs wild • Unwanted glitching of return addresses • Unwanted glitching of instruction loading addresses  Simple heuristics when glitching, better focus Software Crypto Instrumentation Challenges
  • 59. • Why? • Directly applicable on regular software crypto • Defeat obfuscation without deobfuscating • What is executable will be executed and WILL leak / WILL be glitchable • Minimum reverse engineering • Ideally, locate the target function in time domain only • Can be tailored into a point-and-click solution if needed Bonus: Attacking Regular Software Crypto
  • 60. • But… hardware acceleration? AES-NI, etc.? • Only for symmetric crypto. • Maybe forbidden by obfuscator/protector • Often not applicable due to platform diversity • E.g. standard crypto extensions for ARM are not there yet, etc. • Or, emulate & get the key from emulator’s implementation • Or, emulate & apply DCA on the whole emulator • Worst case, debug & get the key from registers, as usual Bonus: Attacking Regular Software Crypto
  • 61. • OLLVM-Obfuscated standard AES encryption • Side-channel leakage is memory accesses • Using Riscure Inspector to extract the key DEMO 2
  • 62. • Any state can be leaked via SCA • Any data dependency • PIN/Key/Password lengths • Hamming weights/distances of values • Code structure / CFG leaks too • Basic blocks in CFG may be recognizable SCA & FI: Beyond Attacking Crypto
  • 63. • Any state can be affected via FI • Most critical – bypass security mechanisms • MAC/Signature/PIN/Password checks • Secure Boot • … Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016 https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using- Fault-Injection.pdf SCA & FI: Beyond Attacking Crypto
  • 64. • Countermeasures exist • SCA countermeasures • FI countermeasures SCA & FI: Beyond Attacking Crypto
  • 65. • SCA countermeasures • Most are patented, bad news for silicon and crypto vendors • Reduce leakages (double rail logic, shields, …) • Introduce noise and jitter • Shuffle the state in time domain • Masking • Encodings between rounds SCA & FI: Beyond Attacking Crypto
  • 66. • FI countermeasures • Most are patented, bad news for silicon and crypto vendors • Best idea: verify everything • Transform the algorithms • To allow verification on side effects of the calculations • To propagate errors DRAMATICALLY, diffusing the key dependencies • Hardware: • Awareness – sensors: glitch, light, EM, … SCA & FI: Beyond Attacking Crypto
  • 67. • State-of-the-art white-box crypto, as seen in highly competitive markets like content protection, is tough: • All of the above • SCA countermeasures • FI countermeasures • State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI • Attacking == Defusing an explosive black box with a hammer • If possible, uses encodings • Internal encoding: • 𝐿𝑈𝑇 = 𝑔 ∘ 𝐿𝑈𝑇 ∘ 𝑓−1 • External encoding: • 𝐴𝐸𝑆 𝑘 ′ = 𝐺 ∘ 𝐴𝐸𝑆 𝑘 ∘ 𝐹−1 • 𝐴𝐸𝑆 𝑘 ′ (𝑚) is unusable by anyone, except the vendor who can decode SCA & FI: Beyond Attacking Crypto
  • 68. • More countermeasures for white-box crypto: • Remember, state = key. Diffuse the state so it is too large to easily extract or compress • Bogdanov, A., & Isobe, T.. (2015). White-Box Cryptography Revisited: Space-Hard Ciphers. ACM Conference on Computer and Communications Security. 10.1145/2810103.2813699 SCA & FI: Beyond Attacking Crypto
  • 69. • It is still possible to break crypto without being a cryptographer • Academy is busy constructing funny whiteboxes • Thinking out of the box helps • Best hacks happen on an edge • Proper tools • Continuously evaluate your product before it hits the market • The fight goes on… Conclusions
  • 71. • http://langsec.org/papers/Bratus.pdf • http://2014.zeronights.org/assets/files/slides/korkikyan.pdf • https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The- White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf • https://eprint.iacr.org/2015/753 • http://eprint.iacr.org/2016/203.pdf • https://github.com/SideChannelMarvels • http://www.frida.re • http://www.unicorn-engine.org • https://github.com/moyix/panda • https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing- Secure-Boot-Using-Fault-Injection.pdf References
  • 72. Challenge your security Riscure North America 550 Kearny St. Suite 330 San Francisco, CA 94108 +1 (650) 646 9979 inforequest@riscure.com Riscure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com We are hiring! www.riscure.com/careers