Breaking Crypto For Dummies
nabdullin_brcrdu_dark
nabdullin_brcrdu_dark
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Breaking</strong> <strong>Crypto</strong><br />
<strong>For</strong> <strong>Dummies</strong><br />
Nikita Abdullin @
About me<br />
• @0xABD<br />
Abdullin@riscure.com<br />
• Background: fintech, payment security<br />
• Security analyst @ Riscure, evaluating payment tech<br />
• Who is Riscure?<br />
• Security lab in the Netherlands & USA<br />
• 80 hackers working on:<br />
• Security test tools<br />
• Security test services<br />
• We host the #RHme & #RHme2 hardware CTFs!<br />
• rhme.riscure.com<br />
• 500 players from 49 countries this year
Agenda<br />
<strong>Crypto</strong>graphy Crash Course<br />
Attacks on (Software) <strong>Crypto</strong><br />
Side Channel Attacks<br />
Fault Injection Attacks<br />
DEMO<br />
Conclusions
Agenda
<strong>Crypto</strong>graphy Crash Course<br />
• Some history: how did people use and break cryptography?<br />
• Black room<br />
• “Cabinet noir”<br />
== Mallory peeks in the room == broken<br />
• Black box<br />
== Mallory peeks in the box == broken<br />
• Commercial encryption machines<br />
• Kerckhoffs's principle == Mallory has the key == broken<br />
• …<br />
• The present day:<br />
• All of the above<br />
• Internal state == Key<br />
• ???
<strong>Crypto</strong>graphy Crash Course<br />
• Black box<br />
Encrypt<br />
Decrypt<br />
Observe<br />
Alter
<strong>Crypto</strong>graphy Crash Course<br />
• Grey box<br />
Encrypt<br />
Decrypt<br />
Observe<br />
Alter
<strong>Crypto</strong>graphy Crash Course<br />
• White box<br />
Encrypt<br />
Decrypt<br />
Observe<br />
Alter
<strong>Crypto</strong>graphy Crash Course<br />
• Black box == Attacker cannot look inside<br />
• Grey box == Attacker can see something* inside and/or influence it<br />
• White box == Attacker has full control
<strong>Crypto</strong>graphy Crash Course<br />
• What is cryptography, when implemented in hardware and software?<br />
• Start with a Black box<br />
• Inputs<br />
• Data<br />
• Key<br />
• Output<br />
Input<br />
Key<br />
Output
Unintended<br />
functionality<br />
Unintended<br />
states<br />
<strong>Crypto</strong>graphy Crash Course<br />
• <strong>Crypto</strong> is executed by a machine<br />
• Sometimes, a “weird machine” (Sergey Bratus et al., 2011)<br />
• http://langsec.org/papers/Bratus.pdf<br />
Normal,<br />
intended<br />
functionality<br />
Normal,<br />
intended<br />
states
<strong>Crypto</strong>graphy Crash Course<br />
• What is cryptography, when implemented in hardware and software?<br />
• Symmetric crypto<br />
• Done in (simple) steps – rounds<br />
• Key schedule<br />
• Use a new key every round<br />
• Linear operations (aka affine transformations)<br />
• Matrix operations<br />
• Register arithmetic: SHIFT XOR ADD OR AND NOT …<br />
• Non-linear operations<br />
• Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …)
<strong>Crypto</strong>graphy Crash Course<br />
• What is cryptography, when implemented in hardware and software?<br />
• Asymmetric crypto<br />
• Arithmetic on looooong numbers (> 4x wider than our CPU regs)<br />
• Modular arithmetic<br />
• Various optimizations to make it fit into register width<br />
• Various hacks to make it faster
<strong>Breaking</strong> Modern <strong>Crypto</strong>graphy<br />
Images (c) by Vasya Lozhkin http://vasya-lozhkin.ru/
<strong>Breaking</strong> Modern <strong>Crypto</strong>graphy<br />
The hipster way:<br />
• Classic Cryptanalysis<br />
• Linear Cryptanalysis<br />
• Differential Cryptanalysis<br />
• <strong>For</strong>mal verification of protocols<br />
• …<br />
• “3-AES will probably never be<br />
cryptanalyzed”
<strong>Breaking</strong> Modern <strong>Crypto</strong>graphy<br />
• Symmetric crypto:<br />
• Current view on computational<br />
complexity (Joan Daemen, 2016):<br />
• 80 bits:<br />
• 96 bits:<br />
• 128 bits:<br />
• 256 bits:<br />
lightweight<br />
solid<br />
secure for the<br />
foreseeable future<br />
for the clueless
The brutal way:<br />
1. Make assumptions on the<br />
internal state of the cipher<br />
2. Guess the state / edit the state<br />
3. Guessed/new state depends on<br />
key (and data)<br />
4. Measure & Calculate the key<br />
• Adjust your assumptions<br />
Grey box model – the attacker can<br />
see through the box and touch it<br />
<strong>Breaking</strong> Modern <strong>Crypto</strong>graphy
The brutal way:<br />
• Side Channel Analysis (SCA)<br />
• Timing analysis<br />
• Power analysis<br />
• Simple power analysis (SPA)<br />
• Differential power analysis (DPA)<br />
• Correlation power analysis (CPA)<br />
• …<br />
• Fault Injection (FI)<br />
• Differential fault analysis<br />
• …<br />
<strong>Breaking</strong> Modern <strong>Crypto</strong>graphy
Image source: www.wikihow.com<br />
Side-channel Basics
Side-channel Basics<br />
Example: PIN Verification and power measurements (traces)<br />
PIN<br />
????<br />
8???<br />
82??<br />
827?<br />
8275
Side-channel Basics<br />
• Observe the whole cryptosystem<br />
• Find what is leaking (and, preferably, where)<br />
• Time<br />
• Power consumption<br />
• Electromagnetic field<br />
• Light / Sound / Temperature / …<br />
• …<br />
• Make an assumption on the dependencies between secret state and<br />
observable state<br />
• Leakage model<br />
• Process the observation data & Get the key
Side-channel Basics<br />
• Why it leaks? A hardware circuit is more complex than its schematics<br />
• Each switch (=bit) draws power when flipped (clocked)<br />
• A power consumption of a register is a function of its data (state)<br />
• Same for EM / temperature / other energy emissions
Side-channel Basics<br />
• Every wire is an antenna<br />
• Every loop is a coil<br />
• Works both ways (see later)<br />
• Noise is (usually) random/uniform, correctly modeled leakage is not<br />
• Acquire more measurements (traces)<br />
• Noise cancels itself, but data dependencies are amplified<br />
• If leakage model is correct, otherwise == becomes noise too
Side-channel Basics<br />
• <strong>For</strong> pure software, every shared hardware resource leaks<br />
• CPU caches<br />
• CPU branch predictor<br />
• Any resource of the memory controller<br />
• …<br />
• https://scholar.google.com/scholar?q=cross+vm+side+channel+attack<br />
• Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Lastlevel<br />
cache attacks on mobile devices. arXiv preprint arXiv:1511.04897.<br />
• https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How-<br />
Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf<br />
• https://github.com/IAIK/armageddon
Side-channel Basics<br />
• How to perform actual SCA attacks?<br />
1. Acquisition of many traces – extracting leakage out of the box<br />
2. Signal processing – leaving the good things<br />
3. Statistical analysis of the trace set
Side-channel Basics<br />
(1) arm<br />
(5) acquisition<br />
(7) attack<br />
(6) response<br />
(2) command<br />
(3) trigger<br />
(4) measurement<br />
Embedded<br />
System<br />
Current Probe
Side-channel Basics<br />
• Acquisition of many traces<br />
• Proper equipment<br />
• Proper setup<br />
• Or, “Garbage in – Garbage Out”
Side-channel Basics<br />
• Signal processing<br />
• Filtering<br />
• Alignment<br />
• Resampling<br />
• Cut/paste<br />
• Bucket
Side-channel Basics<br />
• Statistical analysis of the trace set<br />
• First-order analysis – single point on a trace vs. model<br />
• Differential<br />
• Correlation<br />
• Higher-order analysis – multiple points on a trace vs. model<br />
• Works against protected implementations<br />
• Other attacks
Side-channel Basics<br />
• Statistical analysis of the trace set – How?<br />
• FOSS tools: https://github.com/SideChannelMarvels<br />
• Entry-level hardware: ChipWhisperer<br />
• Commercial tools: Riscure Inspector
Side-channel Basics<br />
• Further reading<br />
• ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via<br />
power consumption”<br />
• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf
Fault injection Basics<br />
• Hardware is FRAGILE<br />
• Introduce glitches in power supply<br />
• Introduce glitches in CLK<br />
• Directly supply energy to parts of the chip<br />
• Laser<br />
• EM field<br />
• Invasive techniques<br />
• Edit & Probe the silicon
Fault injection Basics<br />
• <strong>Crypto</strong>graphy is FRAGILE<br />
• Errors propagate<br />
• State depends on the key (and data)<br />
• (Error+State) propagates too<br />
• Output is now more a function of a key than before<br />
• Sometimes, a single-bit flip = key extracted<br />
• Most of the time = solve a system of (linear) equations
Fault injection Basics<br />
• Why symmetric crypto fails under FI?<br />
• Magic does not happen at once<br />
• Symmetric crypto is done in rounds<br />
• Data (fault) propagation per round is limited<br />
• Faults in state remove data dependencies<br />
• Key is linearly combined with the faulty state
Fault injection Basics<br />
• Why asymmetric crypto fails under FI?<br />
• All assumptions fail<br />
• Prime numbers become composite with a single bit flip<br />
• Points on a strong ECC curve become points on weaker curves<br />
• …
White-box <strong>Crypto</strong>graphy Basics<br />
• Side Channel and Fault Injection the gray box scenario<br />
• A hardware black box does not protect the state (the key)<br />
• Even gray boxes no longer sufficient to secure the current ecosystem<br />
• Hardware is not free and cannot be delivered over the wire<br />
• Can we make cryptography secure on an untrusted hardware?<br />
• Mobile (Payments/Banking/HCE)<br />
• Content Protection (DRM)<br />
• …<br />
• How to hide the key in plain sight of the attacker?
White-box <strong>Crypto</strong>graphy Basics<br />
• Assumptions:<br />
• Even the hardware is now untrusted<br />
• The attacker can read the code AND the key<br />
• Can it still be secure?<br />
• Let’s mix the key in the algorithm. Code == Key<br />
• Tables<br />
• Dark magic<br />
• Tables & dark magic<br />
• And obfuscate the code, make the white-box self-aware<br />
• To avoid key extraction and arbitrary code reuse (lifting)
White-box <strong>Crypto</strong>graphy Basics<br />
Images (c) Brecht Wyseur http://www.whiteboxcrypto.com/
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy<br />
• White-boxed algorithms<br />
• DES<br />
• AES<br />
• RSA<br />
• ECC<br />
• SHA256, SHA256-HMAC<br />
• …<br />
• Fight magic with magic?
• Fight magic with magic…<br />
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy<br />
• Fight magic with magic…<br />
• Or apply brutal hardware attacks<br />
• Naïve white-box implementations do<br />
not solve the gray-box problems<br />
• If crypto happens, the state is there<br />
• If crypto happens, the fragile parts are<br />
there, too
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy<br />
• Eloi Sanfelix, Cristofaro Mune, Job de<br />
Haas, “Unboxing the White-Box” BH EU<br />
2015<br />
• https://www.blackhat.com/docs/eu-<br />
15/materials/eu-15-Sanfelix-Unboxing-The-<br />
White-Box-Practical-Attacks-Against-<br />
Obfuscated-Ciphers-wp.pdf<br />
• Joppe W Bos, Charles Hubain, Wil<br />
Michiels, Philippe Teuwen “Differential<br />
Computation Analysis: Hiding your<br />
White-Box Designs is Not Enough”<br />
• https://eprint.iacr.org/2015/753
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy<br />
• Side-channel attacks on WBC<br />
• Run on “hardware”<br />
• attack as if it was a pure hardware cipher<br />
• – What is leaking? – Everything!<br />
• Memory<br />
• Values in registers<br />
• “Trace” is now data dump over time
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy<br />
• Why (some) WBC fails under side channel?<br />
• Linearity = leakage<br />
• Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box <strong>Crypto</strong>graphy in<br />
the Gray Box.“<br />
• http://eprint.iacr.org/2016/203.pdf
<strong>Breaking</strong> White-box <strong>Crypto</strong>graphy<br />
• Fault injection attacks on WBC<br />
• Run on “hardware”<br />
• attack as if it was a pure hardware cipher<br />
• – What can we glitch? – Anything!<br />
• Memory<br />
• Values in registers
Software <strong>Crypto</strong> Instrumentation<br />
• Need to tap into the code flow and data. How?<br />
• Manual code manipulation at run time (hook/inject/debug)<br />
• Decompile & recompile with probes<br />
• Dynamic Binary Instrumentation<br />
• Emulation (with probes)<br />
• Absolute worst case: run on real hardware and bring the big guns
Software <strong>Crypto</strong> Instrumentation<br />
• Manual code manipulation at run time (hook/inject/debug)<br />
• + Easy to start from a software RE/expl. background<br />
• – Lower speed (esp. when debugging, need to tap into everything)<br />
• – Need to bypass anti-debug countermeasures<br />
• – Scripting debuggers is ugly
Software <strong>Crypto</strong> Instrumentation<br />
• Decompile & recompile with probes<br />
• + Easy to start from a software RE/expl. background<br />
• + Speed<br />
• – lots of manual corrections<br />
• – some RE & understanding of the target needed
Software <strong>Crypto</strong> Instrumentation<br />
• Dynamic Binary Instrumentation<br />
• Intel PIN<br />
• Valgrind<br />
• DynamoRIO<br />
• (Frida) http://www.frida.re/<br />
• https://github.com/SideChannelMarvels already has one
Software <strong>Crypto</strong> Instrumentation<br />
• Dynamic Binary Instrumentation<br />
• + Flexibility<br />
• + Stealth<br />
• – architecture-specific issues
Software <strong>Crypto</strong> Instrumentation<br />
• Emulation (with probes)<br />
• Platform-level emulation = The mighty QEMU<br />
• Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/<br />
• Standalone<br />
• IDA plugin<br />
• Awesome<br />
• PANDA (a full platform) https://github.com/moyix/panda<br />
• Record traces and replay<br />
• Plugin framework<br />
• Awesome (but slow)
Software <strong>Crypto</strong> Instrumentation<br />
• Emulation (with probes)<br />
• + Flexibility<br />
• + Stealth<br />
• + Speed<br />
• – Platform-level emulation is slow
Software <strong>Crypto</strong> Instrumentation<br />
• What to do? Side-channel:<br />
• Log all memory accesses<br />
• Address<br />
• Value & Size<br />
• Log all registers<br />
• What to do? Fault injection:<br />
• Flip bits in memory values and memory addresses<br />
• Flip bits in registers<br />
• KEEP TRACK OF THE PROGRAM COUNTER == TIME
Software <strong>Crypto</strong> Instrumentation<br />
• Narrow down the addresses and PC range<br />
• Compare execution traces, identifying data and key dependencies<br />
• Side-channel – easy optimizations<br />
• Memory writes are more useful than reads<br />
• Most registers are redundant (sometimes LSB is enough)<br />
• Data can be compressed/discarded on the fly<br />
• Fault injection – easy optimizations<br />
• Keep track of what you glitch
DEMO 1<br />
• White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto<br />
• Fault injection attack in 9 th round<br />
• Using https://github.com/SideChannelMarvels/JeanGrey to extract<br />
the key
Software <strong>Crypto</strong> Instrumentation Challenges<br />
• Huge traces for SCA<br />
• ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes<br />
per instruction = a lot of data<br />
Compress and discard more aggressively
Software <strong>Crypto</strong> Instrumentation Challenges<br />
• Misalignment<br />
• Leakage location depends on input<br />
Do aggressive signal processing<br />
Smart emulation (CFG?)
Software <strong>Crypto</strong> Instrumentation Challenges<br />
• Glitching runs wild<br />
• Unwanted glitching of return addresses<br />
• Unwanted glitching of instruction loading addresses<br />
Simple heuristics when glitching, better focus
Bonus: Attacking Regular Software <strong>Crypto</strong><br />
• Why?<br />
• Directly applicable on regular software crypto<br />
• Defeat obfuscation without deobfuscating<br />
• What is executable will be executed and WILL leak / WILL be glitchable<br />
• Minimum reverse engineering<br />
• Ideally, locate the target function in time domain only<br />
• Can be tailored into a point-and-click solution if needed
Bonus: Attacking Regular Software <strong>Crypto</strong><br />
• But… hardware acceleration? AES-NI, etc.?<br />
• Only for symmetric crypto.<br />
• Maybe forbidden by obfuscator/protector<br />
• Often not applicable due to platform diversity<br />
• E.g. standard crypto extensions for ARM are not there yet, etc.<br />
• Or, emulate & get the key from emulator’s implementation<br />
• Or, emulate & apply DCA on the whole emulator<br />
• Worst case, debug & get the key from registers, as usual
DEMO 2<br />
• OLLVM-Obfuscated standard AES encryption<br />
• Side-channel leakage is memory accesses<br />
• Using Riscure Inspector to extract the key
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• Any state can be leaked via SCA<br />
• Any data dependency<br />
• PIN/Key/Password lengths<br />
• Hamming weights/distances of values<br />
• Code structure / CFG leaks too<br />
• Basic blocks in CFG may be recognizable
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• Any state can be affected via FI<br />
• Most critical – bypass security mechanisms<br />
• MAC/Signature/PIN/Password checks<br />
• Secure Boot<br />
• …<br />
Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016<br />
https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-<br />
Fault-Injection.pdf
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• Countermeasures exist<br />
• SCA countermeasures<br />
• FI countermeasures
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• SCA countermeasures<br />
• Most are patented, bad news for silicon and crypto vendors<br />
• Reduce leakages (double rail logic, shields, …)<br />
• Introduce noise and jitter<br />
• Shuffle the state in time domain<br />
• Masking<br />
• Encodings between rounds
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• FI countermeasures<br />
• Most are patented, bad news for silicon and crypto vendors<br />
• Best idea: verify everything<br />
• Transform the algorithms<br />
• To allow verification on side effects of the calculations<br />
• To propagate errors DRAMATICALLY, diffusing the key dependencies<br />
• Hardware:<br />
• Awareness – sensors: glitch, light, EM, …
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• State-of-the-art white-box crypto, as seen in highly competitive<br />
markets like content protection, is tough:<br />
• All of the above<br />
• SCA countermeasures<br />
• FI countermeasures<br />
• State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI<br />
• Attacking == Defusing an explosive black box with a hammer<br />
• If possible, uses encodings<br />
• Internal encoding:<br />
• LUT = g ∘ LUT ∘ f −1<br />
• External encoding:<br />
• AES k ′ = G ∘ AES k ∘ F −1<br />
• AES k ′ (m) is unusable by anyone, except the vendor who can decode
SCA & FI: Beyond Attacking <strong>Crypto</strong><br />
• More countermeasures for white-box crypto:<br />
• Remember, state = key. Diffuse the state so it is too large to easily extract or<br />
compress<br />
• Bogdanov, A., & Isobe, T.. (2015). White-Box <strong>Crypto</strong>graphy Revisited: Space-Hard<br />
Ciphers. ACM Conference on Computer and Communications Security.<br />
10.1145/2810103.2813699
Conclusions<br />
• It is still possible to break crypto without being a cryptographer<br />
• Academy is busy constructing funny whiteboxes<br />
• Thinking out of the box helps<br />
• Best hacks happen on an edge<br />
• Proper tools<br />
• Continuously evaluate your product before it hits the market<br />
• The fight goes on…
Questions?
References<br />
• http://langsec.org/papers/Bratus.pdf<br />
• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf<br />
• https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-<br />
White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf<br />
• https://eprint.iacr.org/2015/753<br />
• http://eprint.iacr.org/2016/203.pdf<br />
• https://github.com/SideChannelMarvels<br />
• http://www.frida.re<br />
• http://www.unicorn-engine.org<br />
• https://github.com/moyix/panda<br />
• https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-<br />
Secure-Boot-Using-Fault-Injection.pdf
Challenge your security<br />
We are hiring!<br />
www.riscure.com/careers<br />
Riscure B.V.<br />
Frontier Building, Delftechpark 49<br />
2628 XJ Delft<br />
The Netherlands<br />
Phone: +31 15 251 40 90<br />
Riscure North America<br />
550 Kearny St.<br />
Suite 330<br />
San Francisco, CA 94108<br />
+1 (650) 646 9979<br />
www.riscure.com<br />
inforequest@riscure.com