Breaking Crypto For Dummies

Nikita Abdullin @

• @0xABD Abdullin@riscure.com

• Background: fintech, payment security

• Security analyst @ Riscure, evaluating payment tech

• Who is Riscure? • Security lab in the Netherlands & USA • 80 hackers working on:

• Security test tools • Security test services

• We host the #RHme & #RHme2 hardware CTFs! • rhme.riscure.com • 500 players from 49 countries this year

About me

Cryptography Crash Course

Attacks on (Software) Crypto

Side Channel Attacks

Fault Injection Attacks

DEMO

Conclusions

Agenda

Agenda

• Some history: how did people use and break cryptography? • Black room == Mallory peeks in the room == broken

• “Cabinet noir”

• Black box == Mallory peeks in the box == broken • Commercial encryption machines

• Kerckhoffs's principle == Mallory has the key == broken

• …

• The present day: • All of the above

• Internal state == Key

• ???

Cryptography Crash Course

• Black box

Cryptography Crash Course

Observe

Alter

Encrypt Decrypt

• Grey box

Cryptography Crash Course

Observe

Alter

Encrypt Decrypt

Encrypt Decrypt

• White box

Cryptography Crash Course

Observe

Alter

• Black box == Attacker cannot look inside

• Grey box == Attacker can see something* inside and/or influence it

• White box == Attacker has full control

Cryptography Crash Course

• What is cryptography, when implemented in hardware and software?

• Start with a Black box • Inputs

• Data

• Key

• Output

Cryptography Crash Course

Input

Key

Output

• Crypto is executed by a machine

• Sometimes, a “weird machine” (Sergey Bratus et al., 2011) • http://langsec.org/papers/Bratus.pdf

Cryptography Crash Course

Un

inte

nd

ed

fu

nct

ion

alit

y

Normal, intended

functionality

Un

inte

nd

ed

stat

es Normal,

intended states

• What is cryptography, when implemented in hardware and software?

• Symmetric crypto • Done in (simple) steps – rounds

• Key schedule • Use a new key every round

• Linear operations (aka affine transformations) • Matrix operations

• Register arithmetic: SHIFT XOR ADD OR AND NOT …

• Non-linear operations • Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …)

Cryptography Crash Course

• What is cryptography, when implemented in hardware and software?

• Asymmetric crypto • Arithmetic on looooong numbers (> 4x wider than our CPU regs)

• Modular arithmetic

• Various optimizations to make it fit into register width

• Various hacks to make it faster

Cryptography Crash Course

Breaking Modern Cryptography

Images (c) by Vasya Lozhkin http://vasya-lozhkin.ru/

Breaking Modern Cryptography

The hipster way:

• Classic Cryptanalysis

• Linear Cryptanalysis

• Differential Cryptanalysis

• Formal verification of protocols

• …

• “3-AES will probably never be cryptanalyzed”

Breaking Modern Cryptography

• Symmetric crypto: • Current view on computational

complexity (Joan Daemen, 2016): • 80 bits: lightweight

• 96 bits: solid

• 128 bits: secure for the foreseeable future

• 256 bits: for the clueless

Breaking Modern Cryptography

The brutal way:

1. Make assumptions on the internal state of the cipher

2. Guess the state / edit the state

3. Guessed/new state depends on key (and data)

4. Measure & Calculate the key • Adjust your assumptions

Grey box model – the attacker can see through the box and touch it

Breaking Modern Cryptography

The brutal way:

• Side Channel Analysis (SCA) • Timing analysis • Power analysis

• Simple power analysis (SPA) • Differential power analysis (DPA) • Correlation power analysis (CPA)

• …

• Fault Injection (FI) • Differential fault analysis • …

Side-channel Basics

Image source: www.wikihow.com

Side-channel Basics

????

8???

82??

827?

PIN

8275

Example: PIN Verification and power measurements (traces)

• Observe the whole cryptosystem • Find what is leaking (and, preferably, where)

• Time

• Power consumption

• Electromagnetic field

• Light / Sound / Temperature / …

• …

• Make an assumption on the dependencies between secret state and observable state • Leakage model

• Process the observation data & Get the key

Side-channel Basics

• Why it leaks? A hardware circuit is more complex than its schematics

• Each switch (=bit) draws power when flipped (clocked)

• A power consumption of a register is a function of its data (state) • Same for EM / temperature / other energy emissions

Side-channel Basics

• Every wire is an antenna

• Every loop is a coil

• Works both ways (see later)

• Noise is (usually) random/uniform, correctly modeled leakage is not • Acquire more measurements (traces)

• Noise cancels itself, but data dependencies are amplified • If leakage model is correct, otherwise == becomes noise too

Side-channel Basics

• For pure software, every shared hardware resource leaks • CPU caches

• CPU branch predictor

• Any resource of the memory controller

• …

• https://scholar.google.com/scholar?q=cross+vm+side+channel+attack

• Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Last-level cache attacks on mobile devices. arXiv preprint arXiv:1511.04897. • https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How-

Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf

• https://github.com/IAIK/armageddon

Side-channel Basics

• How to perform actual SCA attacks?

1. Acquisition of many traces – extracting leakage out of the box

2. Signal processing – leaving the good things

3. Statistical analysis of the trace set

Side-channel Basics

Side-channel Basics

(1) arm

(6) response

(3) trigger

(4) measurement

(5) acquisition

(2) command

Embedded System Current Probe

(7) attack

• Acquisition of many traces

• Proper equipment

• Proper setup

• Or, “Garbage in – Garbage Out”

Side-channel Basics

• Signal processing

• Filtering

• Alignment

• Resampling

• Cut/paste

• Bucket

Side-channel Basics

• Statistical analysis of the trace set

• First-order analysis – single point on a trace vs. model • Differential

• Correlation

• Higher-order analysis – multiple points on a trace vs. model • Works against protected implementations

• Other attacks

Side-channel Basics

• Statistical analysis of the trace set – How?

• FOSS tools: https://github.com/SideChannelMarvels

• Entry-level hardware: ChipWhisperer

• Commercial tools: Riscure Inspector

Side-channel Basics

• Further reading

• ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via power consumption” • http://2014.zeronights.org/assets/files/slides/korkikyan.pdf

Side-channel Basics

• Hardware is FRAGILE

• Introduce glitches in power supply

• Introduce glitches in CLK

• Directly supply energy to parts of the chip • Laser

• EM field

• Invasive techniques • Edit & Probe the silicon

Fault injection Basics

• Cryptography is FRAGILE

• Errors propagate

• State depends on the key (and data)

• (Error+State) propagates too

• Output is now more a function of a key than before • Sometimes, a single-bit flip = key extracted

• Most of the time = solve a system of (linear) equations

Fault injection Basics

• Why symmetric crypto fails under FI?

• Magic does not happen at once • Symmetric crypto is done in rounds

• Data (fault) propagation per round is limited

• Faults in state remove data dependencies

• Key is linearly combined with the faulty state

Fault injection Basics

• Why asymmetric crypto fails under FI?

• All assumptions fail • Prime numbers become composite with a single bit flip

• Points on a strong ECC curve become points on weaker curves

• …

Fault injection Basics

• Side Channel and Fault Injection the gray box scenario • A hardware black box does not protect the state (the key)

• Even gray boxes no longer sufficient to secure the current ecosystem • Hardware is not free and cannot be delivered over the wire

• Can we make cryptography secure on an untrusted hardware? • Mobile (Payments/Banking/HCE)

• Content Protection (DRM)

• …

• How to hide the key in plain sight of the attacker?

White-box Cryptography Basics

• Assumptions: • Even the hardware is now untrusted

• The attacker can read the code AND the key

• Can it still be secure?

• Let’s mix the key in the algorithm. Code == Key • Tables

• Dark magic

• Tables & dark magic

• And obfuscate the code, make the white-box self-aware • To avoid key extraction and arbitrary code reuse (lifting)

White-box Cryptography Basics

White-box Cryptography Basics

Images (c) Brecht Wyseur http://www.whiteboxcrypto.com/

• White-boxed algorithms • DES

• AES

• RSA

• ECC

• SHA256, SHA256-HMAC

• …

• Fight magic with magic?

Breaking White-box Cryptography

• Fight magic with magic…

Breaking White-box Cryptography

• Fight magic with magic…

• Or apply brutal hardware attacks • Naïve white-box implementations do

not solve the gray-box problems

• If crypto happens, the state is there

• If crypto happens, the fragile parts are there, too

Breaking White-box Cryptography

• Eloi Sanfelix, Cristofaro Mune, Job de Haas, “Unboxing the White-Box” BH EU 2015 • https://www.blackhat.com/docs/eu-

15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf

• Joppe W Bos, Charles Hubain, Wil Michiels, Philippe Teuwen “Differential Computation Analysis: Hiding your White-Box Designs is Not Enough” • https://eprint.iacr.org/2015/753

Breaking White-box Cryptography

• Side-channel attacks on WBC

• Run on “hardware” • attack as if it was a pure hardware cipher

• – What is leaking? – Everything! • Memory

• Values in registers

• “Trace” is now data dump over time

Breaking White-box Cryptography

• Why (some) WBC fails under side channel? • Linearity = leakage

• Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box Cryptography in the Gray Box.“ • http://eprint.iacr.org/2016/203.pdf

Breaking White-box Cryptography

• Fault injection attacks on WBC

• Run on “hardware” • attack as if it was a pure hardware cipher

• – What can we glitch? – Anything! • Memory

• Values in registers

Breaking White-box Cryptography

• Need to tap into the code flow and data. How?

• Manual code manipulation at run time (hook/inject/debug)

• Decompile & recompile with probes

• Dynamic Binary Instrumentation

• Emulation (with probes)

• Absolute worst case: run on real hardware and bring the big guns

Software Crypto Instrumentation

• Manual code manipulation at run time (hook/inject/debug)

• + Easy to start from a software RE/expl. background

• – Lower speed (esp. when debugging, need to tap into everything)

• – Need to bypass anti-debug countermeasures

• – Scripting debuggers is ugly

Software Crypto Instrumentation

• Decompile & recompile with probes

• + Easy to start from a software RE/expl. background

• + Speed

• – lots of manual corrections

• – some RE & understanding of the target needed

Software Crypto Instrumentation

• Dynamic Binary Instrumentation

• Intel PIN

• Valgrind

• DynamoRIO

• (Frida) http://www.frida.re/

• https://github.com/SideChannelMarvels already has one

Software Crypto Instrumentation

• Dynamic Binary Instrumentation

• + Flexibility

• + Stealth

• – architecture-specific issues

Software Crypto Instrumentation

• Emulation (with probes)

• Platform-level emulation = The mighty QEMU • Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/

• Standalone

• IDA plugin

• Awesome

• PANDA (a full platform) https://github.com/moyix/panda • Record traces and replay

• Plugin framework

• Awesome (but slow)

Software Crypto Instrumentation

• Emulation (with probes)

• + Flexibility

• + Stealth

• + Speed

• – Platform-level emulation is slow

Software Crypto Instrumentation

• What to do? Side-channel: • Log all memory accesses

• Address

• Value & Size

• Log all registers

• What to do? Fault injection: • Flip bits in memory values and memory addresses

• Flip bits in registers

• KEEP TRACK OF THE PROGRAM COUNTER == TIME

Software Crypto Instrumentation

• Narrow down the addresses and PC range

• Compare execution traces, identifying data and key dependencies

• Side-channel – easy optimizations • Memory writes are more useful than reads

• Most registers are redundant (sometimes LSB is enough)

• Data can be compressed/discarded on the fly

• Fault injection – easy optimizations • Keep track of what you glitch

Software Crypto Instrumentation

• White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto

• Fault injection attack in 9th round

• Using https://github.com/SideChannelMarvels/JeanGrey to extract the key

DEMO 1

• Huge traces for SCA • ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes

per instruction = a lot of data

Compress and discard more aggressively

Software Crypto Instrumentation Challenges

• Misalignment • Leakage location depends on input

Do aggressive signal processing

Smart emulation (CFG?)

Software Crypto Instrumentation Challenges

• Glitching runs wild • Unwanted glitching of return addresses

• Unwanted glitching of instruction loading addresses

Simple heuristics when glitching, better focus

Software Crypto Instrumentation Challenges

• Why?

• Directly applicable on regular software crypto

• Defeat obfuscation without deobfuscating • What is executable will be executed and WILL leak / WILL be glitchable

• Minimum reverse engineering • Ideally, locate the target function in time domain only

• Can be tailored into a point-and-click solution if needed

Bonus: Attacking Regular Software Crypto

• But… hardware acceleration? AES-NI, etc.? • Only for symmetric crypto.

• Maybe forbidden by obfuscator/protector

• Often not applicable due to platform diversity • E.g. standard crypto extensions for ARM are not there yet, etc.

• Or, emulate & get the key from emulator’s implementation

• Or, emulate & apply DCA on the whole emulator

• Worst case, debug & get the key from registers, as usual

Bonus: Attacking Regular Software Crypto

• OLLVM-Obfuscated standard AES encryption

• Side-channel leakage is memory accesses

• Using Riscure Inspector to extract the key

DEMO 2

• Any state can be leaked via SCA

• Any data dependency • PIN/Key/Password lengths

• Hamming weights/distances of values

• Code structure / CFG leaks too • Basic blocks in CFG may be recognizable

SCA & FI: Beyond Attacking Crypto

• Any state can be affected via FI

• Most critical – bypass security mechanisms • MAC/Signature/PIN/Password checks

• Secure Boot

• …

Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016

https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf

SCA & FI: Beyond Attacking Crypto

• Countermeasures exist

• SCA countermeasures

• FI countermeasures

SCA & FI: Beyond Attacking Crypto

• SCA countermeasures • Most are patented, bad news for silicon and crypto vendors

• Reduce leakages (double rail logic, shields, …)

• Introduce noise and jitter

• Shuffle the state in time domain

• Masking

• Encodings between rounds

SCA & FI: Beyond Attacking Crypto

• FI countermeasures • Most are patented, bad news for silicon and crypto vendors

• Best idea: verify everything

• Transform the algorithms • To allow verification on side effects of the calculations

• To propagate errors DRAMATICALLY, diffusing the key dependencies

• Hardware: • Awareness – sensors: glitch, light, EM, …

SCA & FI: Beyond Attacking Crypto

• State-of-the-art white-box crypto, as seen in highly competitive markets like content protection, is tough: • All of the above

• SCA countermeasures • FI countermeasures

• State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI • Attacking == Defusing an explosive black box with a hammer

• If possible, uses encodings • Internal encoding:

• 𝐿𝑈𝑇 = 𝑔 ∘ 𝐿𝑈𝑇 ∘ 𝑓−1

• External encoding: • 𝐴𝐸𝑆𝑘

′ = 𝐺 ∘ 𝐴𝐸𝑆𝑘 ∘ 𝐹−1

• 𝐴𝐸𝑆𝑘′ (𝑚) is unusable by anyone, except the vendor who can decode

SCA & FI: Beyond Attacking Crypto

• More countermeasures for white-box crypto: • Remember, state = key. Diffuse the state so it is too large to easily extract or

compress • Bogdanov, A., & Isobe, T.. (2015). White-Box Cryptography Revisited: Space-Hard

Ciphers. ACM Conference on Computer and Communications Security. 10.1145/2810103.2813699

SCA & FI: Beyond Attacking Crypto

• It is still possible to break crypto without being a cryptographer • Academy is busy constructing funny whiteboxes

• Thinking out of the box helps • Best hacks happen on an edge

• Proper tools • Continuously evaluate your product before it hits the market

• The fight goes on…

Conclusions

Questions?

• http://langsec.org/papers/Bratus.pdf

• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf

• https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf

• https://eprint.iacr.org/2015/753

• http://eprint.iacr.org/2016/203.pdf

• https://github.com/SideChannelMarvels

• http://www.frida.re

• http://www.unicorn-engine.org

• https://github.com/moyix/panda

• https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf

References

Challenge your security

Riscure North America

550 Kearny St.

Suite 330

San Francisco, CA 94108

+1 (650) 646 9979

inforequest@riscure.com

Riscure B.V.

Frontier Building, Delftechpark 49

2628 XJ Delft

The Netherlands

Phone: +31 15 251 40 90

www.riscure.com

We are hiring! www.riscure.com/careers