Practical Attacks on Real World Crypto Implementations
Juraj Somorovsky, Ruhr University Bochum, HGI
3curity
@jurajsomorovsky
Recent years revealed many crypto attacks…
• ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack
• Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding—Applications to SSL, IPSEC, WTLS
• Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
Standards updated
• Countermeasures defined
• What could go wrong in RWC implementations?
Overview
1. Bleichenbacher’s Attack
• XML Encryption
• TLS
2. Invalid Curve Attack
• TLS
• Hardware Security Modules
RSA-PKCS#1 v1.5
• Used to encrypt symmetric keys
• Vulnerable to an adaptive chosen-ciphertext attack
Diagram: XML Encryption ciphertext C = Enc(M). The client sends modified ciphertexts C1, C2, … to the server, which decrypts each one (M = Dec(C)) and answers valid/invalid; this is repeated several times.
RSA-PKCS#1 v1.5: Countermeasures
1. Use RSA-OAEP (PKCS#1 v2)
2. Apply specific countermeasure:
    generate random
    decrypt ciphertext: m = dec(c)
    if (padding correct)
        proceed with m
    else
        proceed with random
RSA PKCS#1 v1.5 in XML Encryption
• Hybrid encryption: ciphertext = (C1, C2)
    k = Dec_pkcs(priv, C1)
    m = Dec_aes128(k, C2)
Attack Countermeasure
• Hybrid encryption: ciphertext = (C1, C2)
    k = Dec_pkcs(priv, C1)
    m = Dec_aes128(k, C2)
• Random k on padding failure: 128 b (bits)
Case Apache WSS4J
• Hybrid encryption: ciphertext = (C1, C2)
    k = Dec_pkcs(priv, C1)
    m = Dec_aes128(k, C2)
• Random k on padding failure: 128 B (bytes)
Case Apache WSS4J
• Original bug much more complicated
• CVE-2015-0226
• Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky: How to Break XML Encryption – Automatically (WOOT '15)
• Found automatically using WS-Attacker
• https://github.com/RUB-NDS/WS-Attacker
How About TLS?
• Christopher Meyer, Juraj Somorovsky, Jörg Schwenk, Eugen Weiss, Sebastian Schinzel, Erik Tews: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. USENIX Security 2014
• Practical attacks on JSSE, Bouncy Castle, Cavium Accelerator
• Bug in OpenSSL
Case JSSE
• No direct TLS error messages
• Uses PKCS#1 unpadding function:
    private byte[] unpadV15(byte[] padded) {
        if (PKCS valid) {
            return unpadded text;
        } else {
            throw new BadPaddingException();
        }
    }
• Exception caught, random generated… what’s wrong?
Case JSSE (CVE-2014-0411)
• Exception consumes about 20 microseconds!
Figure: response-time distributions for "PKCS#1 valid, no exception" vs. "PKCS#1 invalid, exception".
Bleichenbacher’s attack over LAN!
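A hardened decoder for the PKCS#1 v1.5 session-key case that combines the lesson of the WSS4J slides and the JSSE slides, added here as an example and not code from WSS4J, JSSE or the paper: it never raises on bad padding (the JSSE exception was the side channel) and on failure substitutes a random key of exactly the expected length (WSS4J generated 128 bytes where 128 bits were expected). Function names are mine; the block layout is the PKCS#1 v1.5 type-2 format.

```python
import os

def unpad_pkcs1_v15(em: bytes, key_len: int):
    """Decode a PKCS#1 v1.5 type-2 block (the raw RSA decryption result) into
    (valid, payload) with no exception and no early return, so a padding error
    takes the same code path as a success. Python gives no timing guarantees;
    the lesson is the structure, not the microseconds.
    Expected layout: 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || key."""
    k = len(em)
    bad = int(k < 11)
    bad |= int(k < 2 or em[0] != 0x00 or em[1] != 0x02)
    sep = -1
    for i in range(2, k):
        # remember the first 0x00 after the header, but keep scanning to the end
        sep = i if (em[i] == 0x00 and sep == -1) else sep
    bad |= int(sep == -1)                              # no separator at all
    bad |= int(sep != -1 and sep < 10)                 # PS shorter than 8 bytes
    bad |= int(sep != -1 and k - sep - 1 != key_len)   # payload is not a key of the expected size
    payload = em[sep + 1:] if sep != -1 else b""
    return bad == 0, payload

def decrypt_session_key(em: bytes, key_len: int = 16) -> bytes:
    """Countermeasure from the slides: always continue with *some* key. On failure
    it is random and exactly key_len bytes (16 for AES-128). A random value of the
    wrong size (128 bytes instead of 128 bits, the WSS4J case) would fail later in
    AES key setup with a different, observable error and bring the oracle back."""
    fallback = os.urandom(key_len)      # generated before the check, as on the slide
    valid, payload = unpad_pkcs1_v15(em, key_len)
    return payload if valid else fallback
```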
Elliptic Curve
• Set of points over a finite field
• Used e.g. for key exchange
Diagram: the client sends a point P to the server; the server holds secret s and derives Key: sP.
Invalid Curve Attack
• Crypto 2000: Biehl, Meyer, Müller
• Attacker sends an invalid point of small order (e.g. 5)
• Attacker computes: s1 = s mod 5
Diagram: the attacker sends the invalid point Q to the server, which holds secret s.
Invalid Curve Attack
• Choose points of small co-prime order (5, 7, 11, …)
• Send to the server
• Compute: s1 = s mod 5, s2 = s mod 7, s3 = s mod 11, s4 = s mod 13
• Compute s with CRT
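The point-validation check the conclusions call for ("check point is on curve"), with a toy curve to show what it blocks; an added example, not code from the paper or from any of the analyzed libraries. The curve (p = 97, a = 2, b = 3) is constructed and not a real TLS curve, and the function names are mine.

```python
# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over GF(P), constructed for illustration
# (not a standard curve). G is on it: 3^3 + 2*3 + 3 = 36 = 6^2 (mod 97).
P, A, B = 97, 2, 3
G = (3, 6)

def is_on_curve(pt):
    """The check the conclusions call for: the peer's point must satisfy the curve equation."""
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    """Affine addition. B never appears here, so an off-curve point is silently handled as a
    point on y^2 = x^3 + A*x + b' for whatever b' it satisfies; that curve may have tiny subgroups."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # point at infinity (also covers doubling when y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add; with an unvalidated pt this is the vulnerable server computation."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def order(pt):
    """Order of pt under the group law above (brute force is fine on a toy curve)."""
    n, r = 1, pt
    while r is not None:
        r, n = add(r, pt), n + 1
    return n

def ecdh_shared(secret, peer):
    """Hardened server side: validate first, so an invalid point never meets the secret."""
    return mul(secret, peer) if is_on_curve(peer) else None

def small_order_point(max_order):
    """Find an off-curve point of order 3..max_order, the kind of input the slides describe;
    used only to show that ecdh_shared refuses it while bare mul leaks secret mod order."""
    for x in range(P):
        for y in range(1, P):
            if not is_on_curve((x, y)) and 3 <= order((x, y)) <= max_order:
                return (x, y)
    return None
```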
Practical Attacks?
• Tibor Jager, Jörg Schwenk, Juraj Somorovsky: Practical Invalid Curve Attacks on TLS-ECDH. ESORICS 2015
• Analyzed 8 libraries
• 2 vulnerable
– Bouncy Castle: 3300 TLS queries
– Oracle JSSE: 17000 TLS queries
Impact
• Attacks extract server private keys
• Java servers using EC certificates vulnerable
– For example Apache Tomcat
Demo
Attacker Model in HSM Scenarios
• Storage of crypto keys
• Keys never leave HSMs
Diagram: the application sends dec(C) to the HSM and receives m; the keys (RSA, EC, AES …) stay inside the HSM.
Attacker Model in HSM Scenarios
• Storage of crypto keys
• Keys never leave HSMs
Diagram: getKey on the HSM's stored keys (RSA, EC, AES …).
How about Invalid Curve Attacks?
• CVE-2015-6924 (with Dennis Felsch)
• Utimaco HSMs vulnerable
• < 100 queries to get a key… Heartbleed effect
• Thanks to cooperation of Utimaco
– Provided sample code, fast fix
• Utimaco HSM is FIPS certified
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Conclusions
• Old attacks relevant for RWC implementations
• Old algorithms in the newest standards
– RSA PKCS#1 v1.5 (attack: 1998), still in:
    2008: TLS 1.2
    2013: XML Encryption 1.1
    2015: JSON Web Encryption
– Positive example: TLS 1.3
Conclusions
• For standard designers:
– Remove old crypto
• For developers:
– Analyze possible side-channels, best practices
• Check point is on curve
• For pentesters:
– More tools / analyses of crypto applications needed