Understanding Security APIs - CrySyS Lab
in the attack against 2DES proposed by Diffie and Hellman [19], neither is the idea of parallel search for multiple keys new (Desmedt describes a parallel key search machine in [18]). However, it seems the author was the first to apply the technique to HSMs. It was extremely successful, and compromised almost every HSM analysed – sections 7.2.2, 7.3.3 and 7.3.7 have more details.
3.3.2 3DES Key Binding Attack

In the nineties, financial API manufacturers began to upgrade their APIs to use triple-DES (3DES) as advancing computing power undermined the security of single DES. IBM's CCA supported two-key 3DES keys, but stored each half separately, encrypted under the master key in ECB mode. A different variant of the master key was used for the left and right halves – achieved by XORing constants representing the types left and right with the master key Km.

Host -> HSM : { KL }Km⊕left , { KR }Km⊕right , data (Encrypt)
HSM -> Host : { data }KL|KR
The CCA also had support for single DES in a special legacy mode: a 'replicate' 3DES key could be generated, with both halves the same. Two-key 3DES is encryption with K1, followed by decryption with K2, then encryption with K1, so if K1 = K2 then E(K1, D(K1, E(K1, data))) = E(K1, data), and a replicate key performs exactly as a single DES key.

Host -> HSM : (Generate Replicate)
HSM -> Host : { X }Km⊕left , { X }Km⊕right
The flaw was that the two halves of a 3DES key were not bound to each other; they were only distinguished as left and right. There was a CRC of the key token, but it was computed in clear over the token fields and so was easily circumvented by recomputing it over a forged token. A large set of replicate keys could be generated and cracked with a single pass of the meet-in-the-middle (parallel) key search of the previous section, since each replicate key is effectively a single DES key. A 3DES key with both halves known could then be assembled by swapping the halves of two cracked replicate keys. This known key could then be used as a key-encrypting key to export other, more valuable keys, which the attacker decrypts offline.

Host -> HSM : (Generate Replicate)
HSM -> Host : { X }Km⊕left , { X }Km⊕right
Host -> HSM : (Generate Replicate)
HSM -> Host : { Y }Km⊕left , { Y }Km⊕right
Known key : { X }Km⊕left , { Y }Km⊕right
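The whole chain described above (parallel key search over replicate keys from the previous section, then the half-swap) as an added worked example; this is model code written for this page, not code from the thesis or from IBM's CCA. A toy 64-bit Feistel cipher stands in for DES so the example runs offline, the key space is shrunk to 16 bits so the key search finishes in seconds, and the `LEFT`/`RIGHT` variant constants, the token layout with its clear CRC, the `ToyCCA` class and its `export_key` command are simplifying assumptions rather than CCA's real encoding.

```python
import hashlib
import random
import zlib

ROUNDS = 8
LEFT = bytes(7) + b"\x01"    # assumed 'left half' variant constant
RIGHT = bytes(7) + b"\x02"   # assumed 'right half' variant constant
KEY_BYTES = 2                # random key bytes per key: toy 16-bit key space
TEST_PATTERN = b"\x00" * 8   # attacker's fixed plaintext for the key search


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def E(key: bytes, block: bytes) -> bytes:
    """Toy single 'DES': 8-round Feistel on a 64-bit block (NOT real DES)."""
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(r, key, i))
    return r + l


def D(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(l, key, i)), l
    return l + r


def tdes(kl: bytes, kr: bytes, block: bytes) -> bytes:
    """Two-key triple encryption E(KL, D(KR, E(KL, .)))."""
    return E(kl, D(kr, E(kl, block)))


def tdes_dec(kl: bytes, kr: bytes, block: bytes) -> bytes:
    return D(kl, E(kr, D(kl, block)))


def make_token(left: bytes, right: bytes) -> tuple:
    """Key token = wrapped halves + CLEAR CRC (unkeyed: anyone can recompute it)."""
    return left, right, zlib.crc32(left + right)


class ToyCCA:
    """Model HSM: halves wrapped separately under Km^LEFT and Km^RIGHT in ECB."""

    def __init__(self, km: bytes, seed: int = 1):
        self._km = km
        self._rng = random.Random(seed)   # toy RNG; a real HSM uses hardware entropy

    def _rand_key(self) -> bytes:
        return bytes(8 - KEY_BYTES) + self._rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")

    def _unwrap(self, token):
        left, right, crc = token
        if zlib.crc32(left + right) != crc:
            raise ValueError("bad token CRC")
        return D(xor(self._km, LEFT), left), D(xor(self._km, RIGHT), right)

    def generate_replicate(self):
        x = self._rand_key()
        return make_token(E(xor(self._km, LEFT), x), E(xor(self._km, RIGHT), x))

    def generate_3des(self):
        return make_token(E(xor(self._km, LEFT), self._rand_key()),
                          E(xor(self._km, RIGHT), self._rand_key()))

    def encrypt(self, token, data: bytes) -> bytes:
        kl, kr = self._unwrap(token)
        return tdes(kl, kr, data)

    def export_key(self, kek_token, target_token):
        """Re-wrap the target key's halves under the KEK (simplified Key Export)."""
        kl, kr = self._unwrap(kek_token)
        tl, tr = self._unwrap(target_token)
        return tdes(kl, kr, tl), tdes(kl, kr, tr)


def parallel_key_search(targets: dict) -> dict:
    """One pass over the key space recovers every key in targets
    (ciphertext of TEST_PATTERN -> label): the 'meet-in-the-middle' search."""
    found = {}
    for k in range(1 << (8 * KEY_BYTES)):
        key = bytes(8 - KEY_BYTES) + k.to_bytes(KEY_BYTES, "big")
        c = E(key, TEST_PATTERN)
        if c in targets:
            found[targets[c]] = key
            if len(found) == len(targets):
                break
    return found


def run_attack(hsm: ToyCCA, valuable: tuple) -> dict:
    # 1. Replicate keys behave as single DES, so Encrypt gives E(X, TEST_PATTERN).
    rep = [hsm.generate_replicate() for _ in range(4)]
    targets = {hsm.encrypt(t, TEST_PATTERN): i for i, t in enumerate(rep)}
    # 2. Crack all of them in one pass of the key space.
    keys = parallel_key_search(targets)
    x, y = keys[0], keys[1]
    # 3. Forge {X}Km^left , {Y}Km^right; the CRC is in clear, so just recompute it.
    known = make_token(rep[0][0], rep[1][1])
    # 4. Use the now-known 3DES key as a KEK to export the valuable key, unwrap offline.
    el, er = hsm.export_key(known, valuable)
    return {"x": x, "y": y, "valuable": (tdes_dec(x, y, el), tdes_dec(x, y, er))}


if __name__ == "__main__":
    hsm = ToyCCA(km=b"\x13\x37" * 4, seed=42)
    victim = hsm.generate_3des()
    print(run_attack(hsm, victim)["valuable"] == hsm._unwrap(victim))
```

The token CRC stops accidental corruption but not a forger, because it is unkeyed; the fix that matters is binding the two halves cryptographically (for example, wrapping them together under one variant, or authenticating the whole token with a key the host does not hold), so that a left half from one key and a right half from another no longer form a valid token.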