
CS2107 Introduction to Information and System Security

(Slide set 8)

Hugh Anderson

National University of Singapore, School of Computing

October, 2016

Hardware...

[Figure: hardware in 1959 and in 2009]

Outline

1 Secrets
    NSA and PRNGs and large primes
    Data and Algorithms
    Hiding secrets

2 Security hardware
    Smart/SIM cards
    More attack vectors


Resources

For this lecture, from SEv2.pdf: Chapter 16, sections 16.1, 16.2, and have a quick look at sections 16.6, 16.7.

http://www.cl.cam.ac.uk/users/mgk25/tamper.pdf


It seems we cannot trust the gummint

Who knew?
In 2013, newly released US documents described a US $250 million/year program designed to “make [systems] exploitable” by inserting vulnerabilities, collecting target network data, and influencing policies, standards and specifications for commercial public key technologies. The targets included protocols for “TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP.”

This explained the background behind well known weaknesses in various NIST and ISO standards used for TLS.

What was NSA’s role?
Through an association with RSA, NSA engineered at least one backdoor in security standards, in particular in a pseudo random number generator (PRNG). The exploit allowed someone (presumably NSA) to predict the future stream of bits from a PRNG, given some of the past bits.

Pseudo Random Number Generators

Three main applications:
There are three main applications of a PRNG in cryptography.

1 Generating an IV (an initial vector). We saw the use of IVs in foils4, where an initial vector is used in CBC and CFB modes for encryption engines.

2 Generating a large random number, for finding a large prime number (i.e. an algorithm might generate the number and then check if it is prime). Why would we want large prime numbers? Answer: They are used in asymmetric schemes - see next slides.

3 Generating an apparently random stream of bits for use in a stream cipher.

Why large primes? DH key agreement

The discrete logarithm problem (one-way function):

    easy to calculate $n = g^k \bmod p$ given $g$, $k$ and $p$ ($p$ is a prime);
    hard to calculate $k$ in the same equation, given $g$, $n$ and $p$.

Two separated users create and share a secret key. A third party is not realistically able to calculate the shared key.

[Figure: Alice holds $p, g, a$ and sends $g^a \bmod p$ to Bob; Bob holds $p, g, b$ and sends $g^b \bmod p$ to Alice; Ted, the third party, knows $p, g$.]

After exchange, knowledge is different

Only Alice knows $a$, only Bob knows $b$...

[Figure: after the exchange, Alice knows $a$, $g$, $p$, $g^a \bmod p$ and $g^b \bmod p$; Bob knows $b$, $g$, $p$, $g^a \bmod p$ and $g^b \bmod p$; Ted knows $g$, $p$, $g^a \bmod p$ and $g^b \bmod p$.]

Diffie-Hellman key agreement

So what does each party do?
Both Alice and Bob can now calculate the value $g^{ab} \bmod p$.

1 Alice calculates $(g^b \bmod p)^a \bmod p = (g^b)^a \bmod p$.
2 Bob calculates $(g^a \bmod p)^b \bmod p = (g^a)^b \bmod p$.

Shared key is $(g^b)^a \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p$.

Ted has a much more difficult problem.
It is difficult to calculate $g^{ab} \bmod p$ without knowing either $a$ or $b$. The algorithmic run-time of the (so-far best) algorithm is exponential.


Secrets come in lots of flavours

Not just secret keys...
We have seen how secrets can be useful, particularly for keeping keys for cryptography.

Secrets may also be algorithmic...

    An encryption algorithm.
    A particular protocol (sequence of communications).
    A hashing algorithm.

These secrets are programs, not data. How do we keep these sorts of secrets?

Applications running on PCs, phones, ...

Consider the compilation process...

[Figure: Source Code -> Compile... -> Executable code]

Often, the executable is distributed, not the source. RMS points out many reasons why this is most likely a bad idea.

But, in a security scenario, you may think that by only distributing your executable code, you can hide your source code secrets.

This is a silly idea. You should keep no secrets in source code.

    You should not have source code secrets (remember the notion of open design), and
    you cannot hide things by using compilation.

Why?

Decompilation is the reverse of compilation...

Note that really good decompilation may take user input, but it is possible.

Java...

Java decompilation is particularly easy...

Applications...

...are, essentially, an open book...
If the platform is sufficiently complex (e.g. Windows, GNU+Linux, Android, Symbian), then it is likely that sources for any application could be generated easily, so if you intend to distribute your application to other users, and it relies on some secret in the code, that secret is unsafe.

Of course - you can still have secrets. They must be kept separately. (Do I detect an example of Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users?)

Possible locations for secrets

Disk (file), program, OS, brain...

[Figure: secret locations - program, OS, disk]

Disk: Data secrets can be kept on disk, but algorithmic secrets need some sort of processing.

    An example of secrets kept on disk: .ssh permissions.
    Note that when a data secret is kept on disk, then the disk becomes a target for attack. A non-encrypted disk can be duplicated. An encrypted disk can be duplicated and attacked later. A hacked OS could be used to steal the secret.

Program: As we just saw, programs are vulnerable if they are shared.

OS: The OS itself could be used to keep an algorithmic or data secret, but since the OS is also shared, such secrets would not last long.

Brain: Unfortunately we are not too good at remembering lots of data, or complex algorithms.

Other locations for secrets

Dongles, smart cards, 2-factor devices...

[Figure: secret locations - program, OS, and an external device attached through a contact/contactless reader]

Even more locations for secrets

Think other smart devices...
There are plenty of other systems that contain computers, and have security issues.

Consider the following examples, where the systems are complex (contain computers), the systems are mass produced, and there is a desire for algorithmic and data secrets:

    The card in a set-top box.
    Satellite decoder cards (well - maybe not in Singapore).
    The SIM card in a phone.

Summary...

There is no such thing as a safe PC...
Secrets may be data, or algorithmic.

Complex platforms are unsuitable for hiding secrets - they are open to attacks:

    physical (someone breaks open a box and steals a disk containing secrets), or
    software based (someone manages to install or otherwise hack either an application or a whole OS).

A strategy for getting around this is to somehow install the secret on a portable computer system that is harder to attack (more resistant to tampering), and possibly, resistant to theft.

    Examples of this approach are found everywhere (smart cards, SIM cards...).
    Such external devices typically contain small computers with small amounts of memory.

Classes of attackers for security hardware

For tamper-resistant portable devices...
Anderson outlines this classification:

    Class 1 attackers: Clever outsiders, who may not have detailed knowledge of the inner workings of the system.
    Class 2 attackers: Insiders, with detailed system knowledge.
    Class 3 attackers: Governments, the Mafia - who may have money and time to burn. May also have strong motivation.

Anderson points out that persistence and cunning are some of the hallmarks of an effective attacker, and that sometimes the class 1 attacker can do things that the class 3 attacker failed to do.

We have both invasive and non-invasive attacks:

    Invasive: the semiconductor chip is decapsulated, and direct attacks made on the circuitry. Some of these attacks require expensive equipment.
    Non-invasive: we manipulate the device without decapsulation. May need only inexpensive equipment.

Types of attacks on security hardware

Subject to change ...
Types of attacks:

    Side-channel: Use some other property of the device (current consumption, time, radiation).
    Microprobing: Access the chip surface directly, to manipulate the device.
    Software: Use the normal device IO to exploit (software) vulnerabilities in the device.
    Fault generation: Generate errors to get access.
    Reverse engineering: Deduce, or re-create the electronic circuit of the device.

Typical hardware on a Smart/SIM card

A high-security Smart/SIM card controller

[Figure: a Smart/SIM card controller. Contacts: PWR (+3V), CLK, Data IN, Data OUT, GND. Inside the chip: CPU, RAM, ROM and IO, joined by busses. The serialized bits 1010011 are shown on the data line.]

CPU, memory and IO are under the (gold) connector. They are all in one chip, and the components are connected by (internal) busses.

Reader must supply power and a clock to operate the CPU.

Only external signaling is a single line IN and a single line OUT.

Data bits are serialized. 1010011 above might correspond to the byte (hex) 0x53, perhaps corresponding to the ASCII letter S.

Typical hardware on a Smart/SIM card

A high-security Smart/SIM card controller
Processor is something like an 8/16 bit Hitachi H8 CPU.

    Connector has only power, a clock, and serial I/O data.
    Memory: 32 kbytes EEPROM, 512 bytes Extra EEPROM, 48 kbytes ROM and 3 kbytes RAM.
    Operates at a maximum of 1-10 MHz external clock rate.

Note the important properties of this sort of processor:

    Opening the container (card) for the device normally destroys it.
    Very limited access to the device (normally via a serial port).
    Slow (typically run at 1-10 MHz, do instructions at about 100,000 per second).
    Limited RAM (3KB... compared with 4GB on my PC). Memory and variables not protected in any way.
    Limited program size (typically 48KB - a minimum OS normally takes 10MB).

Fuses: a peculiar security-specific feature

For devices like these...

[Figure: a blown fuse]

The chips come from the factory all the same, and need to be programmed. To help do this:

    When the devices are manufactured, the memory (PROM) can be read and written from outside using the serial port.
    Once the device has been uniquely programmed, a fuse is blown. This fuse is just a thinner part of track in the IC, and is blown by providing too much current.

A blown fuse means no more (external) reading and writing.

Fuses: Class 3 attacker hack 1: Imaging

Assuming you happen to have some fancy equipment
Recipe: Take a common household IR microscope. And then...

    Expose chip using chemical and/or laser cutting (decapsulation).
    Use chemical etch to expose the ROM mask layout ... and hence infer the bits stored in the ROM.

[Figure: decapsulation; chemical etch, and then just view bits.]

Note that as chips get smaller, light gets less useful, leading to electron microscopes.

Fuses: Class 3 attacker hack 2: rewiring

Assuming you happen to have some fancy equipment
Recipe: Take a common household electron microscope, a focused ion beam tool, and various other items. And then...

    Expose chip using chemical and/or laser cutting (decapsulation).
    Re-connect the fuse using deposition or tiny probes.
    Read the memory using the serial port.

[Figure: decapsulation (nitric acid...); discover blown fuse (may need FIB to expose layer); deposit new material over fuse.]

Fuses: Class 3 attacker hack 3: probing

If you have microprobes...
Recipe: Take a common household electron microscope, a focused ion beam tool, and various other items. And then...

    Expose chip using chemical and/or laser cutting (decapsulation).
    Expose internal wiring (FIB), and construct landing pads for probes.
    Observe internal busses and hence anything about the system.

[Figure: decapsulation; expose critical circuitry (use FIB to do surgery on chip, constructing landing pads for probes); connect probes.]

Fuses: Class 1 attacker (the outsider) hack 1

Only a little equipment needed...
The outsider does not have electron microscopes or FIB units, or even nitric acid! Life is tough sometimes.

The outsider notices that when power is first applied, the smart card outputs an identification string on the serial OUT line:

    Vsn 0.97

The outsider knows that the software is very small, and probably stores strings like "Vsn 0.97" in 9 bytes of memory, the 8 bytes of the string, terminated by a null (a byte with all zeroes in its bits).

The outsider surmises that the code is probably like this:

    void printit( char buf[] ) {
        int i=0;
        while ( buf[i]!=0 ) {       /* stop at the terminating null */
            serialtx( buf[i] );     /* send one character on serial OUT */
            i=i+1;
        }
    }
    ...
    printit( "Vsn 0.97" );

Fuses: Class 1 attacker hack 1

Timing diagram for the printit() while loop...

[Figure: timing diagram. Serial data OUT carries buf[1] and then buf[2], with a constant delay after each character. Between the characters the CPU executes: (inside serialtx), inc i (i=i+1), bra loop, ld buf[i], beq end (while (buf[i]!=0)), and then the same sequence again.]

The instructions executed by the CPU are predictable. After transmitting the serial character for buf[1]:

    The i variable is incremented (inc i).
    The CPU branches to the beginning of the while loop (bra loop).
    The value in buf[i] is loaded (ld buf[i]).
    If it is equal to 0, then branch to the end of the loop (beq end).
    Otherwise transmit the next character...

There is a constant delay between the character and these instructions.

Fuses: Class 1 attacker hack 1: glitch

A "glitch" attack...

[Figure: the card's contacts (PWR (+3V), CLK, Data IN, Data OUT, GND) and internals (CPU, ROM, RAM, IO, busses), with an impulse/glitch generator connected to the card.]

By timing a pulse/glitch to occur exactly when the software checks the test at the beginning of the while loop (it is always a fixed time after the previous character), the attacker can make the test always succeed.

i.e. buf[i]!=0 will always be TRUE.

A glitch may be a spark, a variation of the power supply, or some other activity. Hardware to do this is cheaply available (e.g. in most EE labs).

Fuses: Class 1 attacker hack 1: glitch

A "glitch" attack...
If buf[i]!=0 is always TRUE...

The code acts like this:

    void printit( char buf[] ) {
        int i=0;
        while ( 1 ) {               /* the glitched test: always TRUE */
            serialtx( buf[i] );
            i=i+1;
        }
    }
    ...

As a result, the serial data line continues to output serial data corresponding to the entire memory of the processor (program and data).

Note that in small systems like this, memory is not protected, and buf[0]...buf[65536] is ALL of memory.

Protecting from this attack?

Consider this crazy code...

    void printit( char buf[] ) {
        int i=0;
        while ( buf[i]!=0 && buf[i]!=0 ) {   /* the same test, made twice */
            serialtx( buf[i] );
            i=i+1;
        }
    }
    ...
    printit( "Vsn 0.97" );

Can you see why this code may be better than the previous code?

Can you understand why a compiler might undermine this solution?
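A software simulation of the single-glitch case, added here as an illustration (it is not code from the slides): one loop test is forced TRUE, and the single-test loop is compared with the doubled test. The memory image, the secret placed after the version string, the fault model and all helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define MEM_SIZE 32

/* Constructed memory image: the version string, its NUL terminator, then
 * a made-up secret that happens to sit right behind it. */
static const char mem[MEM_SIZE] = "Vsn 0.97\0KEY=1234";

static char out[MEM_SIZE];   /* bytes seen on the serial OUT line */
static size_t out_len;
static int tests_done;       /* loop tests evaluated so far */
static int glitch_test;      /* index of the test the glitch corrupts, -1 = none */

static void serialtx(char c) {
    if (out_len < MEM_SIZE)
        out[out_len++] = c;
}

/* One evaluation of "byte != 0". The simulated glitch forces exactly one
 * evaluation to come out TRUE. The volatile read matters on real firmware:
 * without it an optimizing compiler may fold "x != 0 && x != 0" into a
 * single test and silently remove the redundancy. */
static int nonzero(const volatile char *p) {
    int faulted = (tests_done++ == glitch_test);
    return faulted || *p != 0;
}

/* The loop from the slides (the i < MEM_SIZE bound exists only to keep
 * the simulation inside its array). */
static void printit_single(const char *buf) {
    size_t i = 0;
    while (i < MEM_SIZE && nonzero(&buf[i])) {
        serialtx(buf[i]);
        i++;
    }
}

/* The doubled test: a single glitch can corrupt only one of the two. */
static void printit_double(const char *buf) {
    size_t i = 0;
    while (i < MEM_SIZE && nonzero(&buf[i]) && nonzero(&buf[i])) {
        serialtx(buf[i]);
        i++;
    }
}

/* Bytes transmitted when test number `glitch` is corrupted. */
size_t bytes_sent(int hardened, int glitch) {
    out_len = 0;
    tests_done = 0;
    glitch_test = glitch;
    if (hardened)
        printit_double(mem);
    else
        printit_single(mem);
    return out_len;
}

/* Try every possible position for the one glitch; report the longest output. */
size_t worst_case(int hardened) {
    size_t worst = 0;
    for (int g = 0; g < 4 * MEM_SIZE; g++) {
        size_t n = bytes_sent(hardened, g);
        if (n > worst)
            worst = n;
    }
    return worst;
}

int main(void) {
    printf("single test, worst case: %zu bytes sent\n", worst_case(0));
    printf("double test, worst case: %zu bytes sent\n", worst_case(1));
    return 0;
}
```

The doubled test only defeats a single fault; a second glitch timed on the second test is outside what this model covers.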


PK space attack

Smart cards are slow...
Sometimes people implement PK encryption or authentication on smartcards, but the processors are really slow, and...

An exponentiation operation required takes time proportional to the number of bits that are 1 in a large (1024) bit random prime number.

A 1024 bit random number should on average have ..... bits set to a 1.

However, this might make the smartcard unacceptably slow. So instead...

    Developers select large (1024) bit prime numbers that only have a small number (3-5) of bits set to a 1.
    Smartcard is now fast, but open to attack.

What is the attack?
Consider how few large (1024) bit primes there are, if only 5 bits are set to a 1!
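An added example (not from the original slides) of the square-and-multiply exponentiation behind both the Diffie-Hellman slides and this one: it runs the key agreement with toy parameters, counts the extra multiplications caused by 1 bits in the exponent, and bounds how many 1024-bit odd values have only 5 bits set. All function names and the parameters p = 23, g = 5, a = 6, b = 15 are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiplications caused by 1 bits during the last modexp() call. */
static unsigned extra_muls;

/* Left-to-right square-and-multiply: returns g^k mod p.
 * Requires p < 2^32 so that the 64-bit products cannot overflow.
 * Every exponent bit costs a squaring; every 1 bit costs one more
 * multiplication, so run time grows with the number of 1 bits. */
uint64_t modexp(uint64_t g, uint64_t k, uint64_t p) {
    uint64_t r = 1 % p;
    g %= p;
    extra_muls = 0;
    for (int bit = 63; bit >= 0; bit--) {
        r = (r * r) % p;
        if ((k >> bit) & 1) {
            r = (r * g) % p;
            extra_muls++;
        }
    }
    return r;
}

/* Both sides of the exchange. Returns the shared key, or 0 if the two
 * parties disagree (which must never happen). */
uint64_t dh_shared(uint64_t p, uint64_t g, uint64_t a, uint64_t b) {
    uint64_t A = modexp(g, a, p);     /* Alice sends g^a mod p */
    uint64_t B = modexp(g, b, p);     /* Bob sends g^b mod p */
    uint64_t ka = modexp(B, a, p);    /* Alice: (g^b)^a mod p */
    uint64_t kb = modexp(A, b, p);    /* Bob:   (g^a)^b mod p */
    return ka == kb ? ka : 0;
}

/* Extra multiplications needed for exponent k (toy base and modulus). */
unsigned muls_for_exponent(uint64_t k) {
    (void)modexp(5, k, 23);
    return extra_muls;
}

/* Number of n-bit odd values with exactly k bits set. The top bit and the
 * low bit are fixed, so the other k-2 ones are chosen from n-2 positions.
 * This is an upper bound on the primes of that shape. */
uint64_t sparse_candidates(unsigned n, unsigned k) {
    if (k < 2 || k > n)
        return 0;
    uint64_t c = 1;
    unsigned m = n - 2, r = k - 2;
    for (unsigned i = 0; i < r; i++)
        c = c * (m - i) / (i + 1);    /* exact at every step */
    return c;
}

int main(void) {
    printf("shared key (p=23, g=5, a=6, b=15): %llu\n",
           (unsigned long long)dh_shared(23, 5, 6, 15));
    printf("extra multiplies, exponent 0xFFFF: %u\n", muls_for_exponent(0xFFFF));
    printf("extra multiplies, exponent 0x8001: %u\n", muls_for_exponent(0x8001));
    printf("1024-bit odd values with 5 bits set: %llu\n",
           (unsigned long long)sparse_candidates(1024, 5));
    return 0;
}
```

A candidate count that fits comfortably in a 64-bit integer is the weakness: the speed gained from a sparse value is paid for with a key space small enough to enumerate.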

Timing attacks

Observe behaviour externally by measuring current...

[Figure: current consumed by the device over time, from the beginning of the computation to the end of the computation.]

Current trace gives evidence about computation - type and timing.

What is the attack?
Accurate measure of time of computation leads to an attack.

The tutorial has an example of a timing attack.

Tutorial timing attack...

Just a reminder...
The case of a function to test an 8-digit PIN number:

    int testPIN( char buf[] ) {
        int i=0;
        while ( i<9 ) {
            if ( buf[i]!=password[i] ) {
                return NOMATCH;     /* early exit: run time depends on the first wrong position */
            }
            i=i+1;
        }
        return MATCH;
    }

Instead of requiring $10^8 = 100,000,000$ attempts at the password, our attack algorithm only required 80.

The attack involved precise measurement of the time for the function while trying out PINs.

Tutorial timing attack...

Possible solution...
A constant-time function to test an 8-digit PIN number:

    #include <stdbool.h>

    bool testPIN( char buf[] ) {
        int i=0;
        bool match=true;
        while ( i<9 ) {
            if ( buf[i]!=password[i] ) {
                match=false;
            } else {
                match=match;        /* dummy assignment to balance the two branches */
            }
            i=i+1;
        }
        return match;
    }

No timing attack possible.

Routine always takes a fixed amount of time.
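A branch-free variant, together with a check that the work done does not depend on the guess, added here as an illustration (it is not code from the slides or the tutorial). The stored PIN is constructed and a loop-step counter stands in for measured time; the `volatile` accumulator is there because a compiler may otherwise simplify the loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 8

static const char password[PIN_LEN + 1] = "31415926";  /* constructed PIN */
static unsigned steps;       /* loop iterations: a stand-in for elapsed time */

/* Early-exit comparison, as in the tutorial: stops at the first mismatch. */
int testPIN_early(const char *buf) {
    steps = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        steps++;
        if (buf[i] != password[i])
            return 0;
    }
    return 1;
}

/* Branch-free comparison: always touches all PIN_LEN digits and folds the
 * differences into one accumulator with XOR and OR, so there is no
 * data-dependent branch for the timing to reveal. */
int testPIN_ct(const char *buf) {
    volatile uint8_t diff = 0;
    steps = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        steps++;
        diff |= (uint8_t)(buf[i] ^ password[i]);
    }
    return diff == 0;
}

typedef int (*pin_check)(const char *);

/* Regression check for a PIN routine: feed guesses whose first 0..PIN_LEN
 * digits are correct and report whether the amount of work changes. */
int work_depends_on_input(pin_check fn) {
    char guess[PIN_LEN + 1];
    unsigned first = 0;
    for (size_t match = 0; match <= PIN_LEN; match++) {
        for (size_t i = 0; i < PIN_LEN; i++)
            guess[i] = (i < match) ? password[i] : 'x';
        guess[PIN_LEN] = '\0';
        fn(guess);
        if (match == 0)
            first = steps;
        else if (steps != first)
            return 1;        /* work varies with the guess: timing leak */
    }
    return 0;
}

int main(void) {
    printf("early-exit routine leaks: %d\n", work_depends_on_input(testPIN_early));
    printf("branch-free routine leaks: %d\n", work_depends_on_input(testPIN_ct));
    return 0;
}
```

On real hardware the same check would be made with cycle counts or a current trace rather than a software counter.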

Summary...

Only a brief outline here...
Invasive and non-invasive attacks possible on security hardware.

It is an arms race, and I have not even begun to cover techniques like encryption of memory, light sensitive fusing and so on.

Invasive attacks may include

    Decapsulation followed by imaging, reconnecting blown fuses, or probing.
    Introducing faults, rewiring.

Non-invasive attacks may include

    Introducing glitches, or uncovering protocol/software flaws.
    Timing attacks.

Software based techniques to reduce these effects include

    Constant time loops.
    Reducing the likelihood of a single-glitch attack, by making code reliant on two independent tests.