the goal of the research (roca) - … · @crocs_muni rsa is more than a description of basic...

https://crocs.fi.muni.cz @CRoCS_MUNI

Petr Švenda [email protected] @rngsec

Centre for Research on Cryptography and Security, Masaryk University

Joint work with: Matúš Nemec, Marek Sýs, Dušan Klinec, Peter Sekan, Rudolf

Kvašnovský, David Formánek, David Komárek and Vashek Matyáš

The goal of the research (ROCA)

From small bias in RSA public keys to practical

factorization of widely used RSA moduli


RSA primer – what does it mean and why should I care?

• RSA is widely used public-key cryptosystem (1977)

• Used for digital signatures (mail, software distribution, contracts…)

• Used for key exchange (HTTPS/TLS, PGP…)

• Private part: random primes P and Q, private exponent d

• Public part: public exponent e (often 65,537), modulus N

• Factorization attack: compute primes P and Q from the knowledge of N

2 The Lessons We Learned, Tallin, 2018.05.09

P x Q = N

https://roca.crocs.fi.muni.cz


RSA is more than a description of basic algorithm

• Proper key lengths, key management, secure and optimized

implementation, certifications, adaptation to changes…

• RSA security over time:

– 512 bits originally assumed secure, now 2048 to be phased out in 2022 (BSI)

– Faster factorization algorithms (NFS) with faster machines, quantum computers

– Design and coding flaws, faulty TRNG, side-channel attacks, padding oracles…

• BTW: Banks are still using very short RSA key lengths

– 768 & 896 bits (7 out of 11 tested EMV cards issued by EU banks)

– No security margin for problems



Why we targeted Estonian eIDs? (we haven’t)

• Long relationship with smartcards, JavaCards and FOSS

– Analysis for Czech National Security Authority (2002-2009)

– JCAlgTest.org, JCMathLib, CesTa, JCProfiler, curated list of JC apps…

• Cryptographic smartcards are pervasive (SIM, EMV, eID, tokens…)

• Yet smartcard industry is very closed

– NDA just to see detailed specifications, proprietary APIs, no design details…

• Security certifications performed by testing labs (FIPS, CC)

– But details are not public

• Idea in 2014: Infer details using keys similarity to open-source libraries



• Various implementation choices to generate large primes P & Q

• Small bias, but enough to attribute public key to particular library

– Best paper award at USENIX Security 2016

The Lessons We Learned, Tallin, 2018.05.09

Distribution of primes (MSB) Large factors of p-1 / p+1 Number of factors

and more…

Bit stream statistics

60+ million fresh RSA keypairs (P, Q, N)

)

22 sw. libraries

16 smartcards

5


But we were unaware on far bigger issue that time


Primeexpected = random

PrimeInfineon = k * M + 65537a mod M



Algorithmic flaw in Infineon’s RSALib (CVE-2017-15361)

• All keys generated by vulnerable Infineon library are affected

• Practical factorization of common lengths 512/1024/2048b (+ others)

• All public keys have unique “fingerprint” (easy to scan for)

– Tool for detection, https://github.com/crocs-muni/roca/

• Tool for factorization (made public by Lange&Bernstein, 5th Nov)

– Our implementation of factorization tool provided to Infineon in February 2017

– Random 2048b key: 6442450944000000 vCPU years

– Infineon 2048b key: 140 vCPU years



Attack is perfectly parallelizable

1000 cores => 1000x speedup

https://github.com/crocs-muni/roca/

https://crocs.fi.muni.cz @CRoCS_MUNI8 The Lessons We Learned, Tallin, 2018.05.09


Austria, Estonia,

Slovakia, Spain…

25-30% TPMs worldwide,

BitLocker, ChromeOS…

Firmware update available

Commit signing,

Application signing

GitHub, Maven…

Gemalto .NET

Yubikey 4…Yubikey 4…

Very few keys, but all tied

to SCADA management

https://crocs.fi.muni.cz @CRoCS_MUNI9 The Lessons We Learned, Tallin, 2018.05.09

3936b

3072b

512b, ~¢11024b, ~$2

2048b, ~$1000

4096b


Estimated energy-only cost


What were the necessary components for this attack?

1. Knowledge of primes format as generated by vulnerable library [2002?]

– Certified, but publicly unknown and proprietary

– Strange distribution of N % small primes (USENIXSec paper + tech report) [Summer 2016]

– About three weeks to recover structure of primes [January 2017]

• Probably faster if we knew method of M. Joye, P. Paillier, S. Vaudenay [2000, 2006]

2. Coppersmith factorization method as black-box solver [1996]

– Given half of bits of one prime and N, primes P and Q can be computed (SageMath script)

3. Primes format transformation trick [January 2017]

– Idea of attack and working prototype one week after the knowledge of primes recovered


Prime = k * M + 65537a mod M

Strange distribution tester enough to:

1. Recover structure and

2. Propose faster attack within three days

(T. Lange & D. Bernstein, October 2017)


This particular flaw on Infineon side, but wider problem

• “We will make it secure, just trust us” mentality

• Why such a strong secrecy around the whole smartcard industry?

– I cannot buy newer cards (lucky if ICFabDate is 2015)

– Security best practices checklist for JC development available only after NDA…

– I cannot use more secure version of crypto functions (not exposed via public API)

– Research prototypes using ECPoint cannot be published (NDA)

• Smartcards not secure enough if more complete information published?

– What is the attacker model here?

– (not calling for open-source hardware, but more openness beneficial)



Why we haven’t notified Estonia earlier?



• (NIST responsible disclosure guidelines followed)

• End of January 2017: Proof of Concept attack (1024b keys factorized)

• Feb 1st: Infineon notified (email to contact at crypto group)

• Mid May: First Infineon’s customers contact us back for verification

– Change of some PGP keys in second half of April

• Jun 20th: Incident report ID 163484, Austria eHealth certs revoked

– Countries around Europe should have been notified

– BUT: unspecific third party failure, concrete vendor named (but not Infineon)


Responsible disclosure (cont.)



• Begin of Aug: CCS reviewer suggests to test EE LDAP

• Last week Aug: fresh vulnerable EE certs detected (LDAP scan)

• Aug 30th: EE CERT formally contacted by us

• Sept 5th: Estonia publicly announced eID issue

• Oct 10th: Microsoft Patch Tuesday (TPMs, BitLocker)

• Oct 16th: Public disclosure: vulnerability, detection tool released

• Oct 23rd: Lange& Bernstein announced faster attack

• Vulnerable devices from year 2007 found (Gemalto IDPrime .NET)

• Oct 30th: Full paper with details published (ACM CCS’17)


Systematic removal of single point of failure


ACM CCS’17, BlackHat/Devcon’17

• Secure multi-party computation

• Suite of ECC-based multi-party protocols proposed

– Distributed key generation, ElGamal decryption, Schnorr signing

• Efficient implementation on JavaCards

120 cards => 30 quorums

=> 230+ decrypts / second

=> 60+ signatures / second


Conclusions

• Secret design => delayed flaw discovery => higher impact

• Prevent a single point of failure

– Secure multi-party computation (Smart-ID, Schnorr signatures…)

• Be prepared to revoke, patch and update everything

• Personal connections matter


Questions


+ => Aug 30th

[email protected]

the goal of the research (roca) - … · @crocs_muni rsa is more than a description of basic...

Documents