میحرلانمحرلاللهامسبce.sharif.edu/~boorghany/pubdown/tokenrand-slides.pdf · o...
TRANSCRIPT
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
بسم اهلل الرحمن الرحیم
Random Data and Key Generation Evaluation of Some Commercial Tokens and Smart Cards
Ahmad Boorghany, Siavash Bayat Sarmadi, Parnian Yousefi, Pouneh Gorji, Rasool Jalili
Data & Network Security Lab (DNSL)
Computer Engineering Dept., Sharif Univ. of Technology
ISCISC’14
September 3, 2014
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Background
o Randomness Failures in Cryptography
o Common Prime Attack on RSA Keys
Our Experiments
o Idea
o Methodology and Tools
Evaluation Results
o Randomness Evaluation
o RSA Key Evaluation
Conclusion and Future Works
Outline
2 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Background
Eval. ResultsOur ExperimentsBackground
3 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Crucial for CPA security [GM84]
o CPA is a weak security notion (respecting CCA or CCA2)
Some stories:
Debian’s Openssl Bug [YRS+09]
RNG output domain < 65536
For two years: 2006~2008
2012: still 57000 vulnerable HTTPS/SSH servers on the Internet [HDWH12]
Android’s RNG Bug [MMS13]
Successful thefts from Bitcoin users [But13]
Randomness in Cryptography
Background
4 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
RSA Cryptosystem:
Depends on the factoring problem
𝑝 and 𝑞 are large random primes
512 bits each in RSA-1024
Common Prime Factor?
If the RNG is good, probability < 2−500
If 𝑁1 = 𝑝 × 𝑞1 and 𝑁2 = 𝑝 × 𝑞2:
𝑝 = GCD 𝑁1, 𝑁2 → Done efficiently
𝑞1 = 𝑁1/𝑝 , 𝑞2 = 𝑁2/𝑝
Common Prime Attack on RSA Keys
𝑁 = 𝑝 × 𝑞
GCD
𝑁1 𝑁2
𝑝
Background
5 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Heninger et al. [HDWH12] in USENIX Sec 2012
Crawled the Internet looking for common factors
o Live hosts: 23,044,976
o Vulnerable ones: 66,540 (≅ 3 in 1000)
Almost all failures: on embedded/constraineddevices
o Lack of good entropy sources
Common Prime Attack on RSA Keys
Background
6 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Bernstein et al. [BCC+13] in Asiacrypt 2013
Tested Taiwanese DB of certificates
Personal smart cards
More than 3,000,000 RSA public keys
Common Prime Attack on RSA Keys
Background
7 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
105 moduli factored easily by pair-wise GCD
The most popular modulus (46 occurrences):
Why? Maybe randomness failures.
Common Prime Attack on RSA Keys
c0000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000002f9
Background
8 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Our Experiments
Our Experiments
9 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Evaluate hardware security modules in the market
o Tokens
o Smart Cards
So, what to do?
o Generate RSA Keys, andcompute pair-wise GCDs
o Generate random streams, andevaluate them in advance
The Idea
Our Experiments
10 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
PKCS#11
Java Card:
How to talk to these devices?
C_GenerateRandom
C_GenerateKeyPair
Command 1 Import JavaCard. …
public class TestCard{…
Our Experiments
11 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Targeted Tokens and Smart Cards:
o Token 1 : PKCS#11
o Token 2 : PKCS#11
o Token 3 : PKCS#11
o Token 4 : PKCS#11
o Token 5 : PKCS#11
o Smart Card 1 : PKCS#11
o Smart Card 2 : Java Card
o Smart Card 3 : Java Card
Sorry, but no names
Methodology
Our Experiments
12 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
For each hardware:
10.000.000-bit stream generated
Its randomness evaluated usingNIST’s Statistical Test Suit (STS)
161 instances from 15 distinct tests
o Frequency Test
o Runs Test
o Serial Test
o Overlapping/Non-overlapping Template Test
o etc.
Methodology
Our Experiments
13 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
For each hardware:
200 RSA key-pairs generated
o 1024-bit and 2048-bit
Pair-wise GCDs computed:
o With each other
o With the database of MOCCA- 25000 certificates
o With the database of Heninger et al.’s crawling- Using factorable.net
Methodology
Our Experiments
14 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Evaluation Results
Eval. Results
15 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Simple frequency diagram
Randomness Evaluation
Eval. Results
16 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Randomness Evaluation – STS Results
Eval. Results
17 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Token 5: very small prime factors: 3, 5, 7, … .
RSA Key Evaluation
Eval. Results
18 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Evaluation is a must!
Better evaluation methods required
Note: only simple vulnerabilities can be foundby statistical testing
Other schemes: ECDSA, etc.
Conclusion and Future Works
19 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
Thanks for your attention
Questions?
20 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
[GM84] S. Goldwasser, S. Micali, “Probabilistic encryption,” J. Computer and System Sciences, vol. 28, no. 2, pp. 270-299, 1984.
[YRS+09] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public: results from the 2008 Debian OpenSSL vulnerability," In Proc. 9th ACM SIGCOMM Conf., 2009, pp. 15-27.
[HDWH12] N. Heninger, Z. Durumeric., E. Wustrow, and J. A. Halderman, “Mining your Ps and Qs: Detection of widespread weak keys in network devices,” In Proc. 21st USENIX Security Symp., 2012, pp. 205-220.
[MMS13] K. Michaelis, C. Meyer, and J. Schwenk, “Randomly failed! The state of randomness in current Java implementations.” In Proc. Topics in Cryptology–CT-RSA, 2013, pp. 129-144.
References
21 / 20
Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014
Eval. ResultsOur ExperimentsBackground
[But13] V. Buterin. (2013, August 11). Critical Vulnerability Found In Android Wallets [Online]. Available: http://bitcoinmagazine.com/6251/critical-vulnerability-found-in-android-wallets/
[BCC+13] D. J. Bernstein et al., “Factoring RSA keys from certified smart cards: Coppersmith in the wild,” In Proc. 19th Advances in Cryptology-ASIACRYPT, 2013, pp. 341-360.
References
22 / 20