This document provides an agenda for a talk on breaking modern cryptography. It discusses various side channel and fault injection attacks that can be used to break cryptographic implementations running on untrusted hardware. It covers side channel basics like power analysis and EM analysis techniques. It also discusses fault injection basics and how errors can be injected and propagated in cryptosystems. Finally, it summarizes countermeasures for side channel and fault injection attacks and discusses how the same techniques can be applied beyond attacking cryptography.
2. • @0xABD Abdullin@riscure.com
• Background: fintech, payment security
• Security analyst @ Riscure, evaluating payment tech
• Who is Riscure?
• Security lab in the Netherlands & USA
• 80 hackers working on:
• Security test tools
• Security test services
• We host the #RHme & #RHme2 hardware CTFs!
• rhme.riscure.com
• 500 players from 49 countries this year
About me
5. • Some history: how did people use and break cryptography?
• Black room == Mallory peeks in the room== broken
• “Cabinet noir”
• Black box == Mallory peeks in the box == broken
• Commercial encryption machines
• Kerckhoffs's principle == Mallory has the key == broken
• …
• The present day:
• All of the above
• Internal state == Key
• ???
Cryptography Crash Course
9. • Black box == Attacker cannot look inside
• Grey box == Attacker can see something* inside and/or influence it
• White box == Attacker has full control
Cryptography Crash Course
10. • What is cryptography, when implemented in hardware and software?
• Start with a Black box
• Inputs
• Data
• Key
• Output
Cryptography Crash Course
Input
Key
Output
11. • Crypto is executed by a machine
• Sometimes, a “weird machine” (Sergey Bratus et al., 2011)
• http://langsec.org/papers/Bratus.pdf
Cryptography Crash Course
Unintended
functionality
Normal,
intended
functionality
Unintended
states
Normal,
intended
states
12. • What is cryptography, when implemented in hardware and software?
• Symmetric crypto
• Done in (simple) steps – rounds
• Key schedule
• Use a new key every round
• Linear operations (aka affine transformations)
• Matrix operations
• Register arithmetic: SHIFT XOR ADD OR AND NOT …
• Non-linear operations
• Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …)
Cryptography Crash Course
13. • What is cryptography, when implemented in hardware and software?
• Asymmetric crypto
• Arithmetic on looooong numbers (> 4x wider than our CPU regs)
• Modular arithmetic
• Various optimizations to make it fit into register width
• Various hacks to make it faster
Cryptography Crash Course
15. Breaking Modern Cryptography
The hipster way:
• Classic Cryptanalysis
• Linear Cryptanalysis
• Differential Cryptanalysis
• Formal verification of protocols
• …
• “3-AES will probably never be
cryptanalyzed”
16. Breaking Modern Cryptography
• Symmetric crypto:
• Current view on computational
complexity (Joan Daemen, 2016):
• 80 bits: lightweight
• 96 bits: solid
• 128 bits: secure for the
foreseeable future
• 256 bits: for the clueless
17. Breaking Modern Cryptography
The brutal way:
1. Make assumptions on the
internal state of the cipher
2. Guess the state / edit the state
3. Guessed/new state depends on
key (and data)
4. Measure & Calculate the key
• Adjust your assumptions
Grey box model – the attacker can
see through the box and touch it
18. Breaking Modern Cryptography
The brutal way:
• Side Channel Analysis (SCA)
• Timing analysis
• Power analysis
• Simple power analysis (SPA)
• Differential power analysis (DPA)
• Correlation power analysis (CPA)
• …
• Fault Injection (FI)
• Differential fault analysis
• …
21. • Observe the whole cryptosystem
• Find what is leaking (and, preferably, where)
• Time
• Power consumption
• Electromagnetic field
• Light / Sound / Temperature / …
• …
• Make an assumption on the dependencies between secret state and
observable state
• Leakage model
• Process the observation data & Get the key
Side-channel Basics
22. • Why it leaks? A hardware circuit is more complex than its schematics
• Each switch (=bit) draws power when flipped (clocked)
• A power consumption of a register is a function of its data (state)
• Same for EM / temperature / other energy emissions
Side-channel Basics
23. • Every wire is an antenna
• Every loop is a coil
• Works both ways (see later)
• Noise is (usually) random/uniform, correctly modeled leakage is not
• Acquire more measurements (traces)
• Noise cancels itself, but data dependencies are amplified
• If leakage model is correct, otherwise == becomes noise too
Side-channel Basics
24. • For pure software, every shared hardware resource leaks
• CPU caches
• CPU branch predictor
• Any resource of the memory controller
• …
• https://scholar.google.com/scholar?q=cross+vm+side+channel+attack
• Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Last-
level cache attacks on mobile devices. arXiv preprint arXiv:1511.04897.
• https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How-
Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf
• https://github.com/IAIK/armageddon
Side-channel Basics
25. • How to perform actual SCA attacks?
1. Acquisition of many traces – extracting leakage out of the box
2. Signal processing – leaving the good things
3. Statistical analysis of the trace set
Side-channel Basics
26. Side-channel Basics
(1) arm
(6) response
(3) trigger
(4) measurement
(5) acquisition
(2) command
Embedded
System Current Probe
(7) attack
27. • Acquisition of many traces
• Proper equipment
• Proper setup
• Or, “Garbage in – Garbage Out”
Side-channel Basics
29. • Statistical analysis of the trace set
• First-order analysis – single point on a trace vs. model
• Differential
• Correlation
• Higher-order analysis – multiple points on a trace vs. model
• Works against protected implementations
• Other attacks
Side-channel Basics
30. • Statistical analysis of the trace set – How?
• FOSS tools: https://github.com/SideChannelMarvels
• Entry-level hardware: ChipWhisperer
• Commercial tools: Riscure Inspector
Side-channel Basics
31. • Further reading
• ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via
power consumption”
• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf
Side-channel Basics
32. • Hardware is FRAGILE
• Introduce glitches in power supply
• Introduce glitches in CLK
• Directly supply energy to parts of the chip
• Laser
• EM field
• Invasive techniques
• Edit & Probe the silicon
Fault injection Basics
33. • Cryptography is FRAGILE
• Errors propagate
• State depends on the key (and data)
• (Error+State) propagates too
• Output is now more a function of a key than before
• Sometimes, a single-bit flip = key extracted
• Most of the time = solve a system of (linear) equations
Fault injection Basics
34. • Why symmetric crypto fails under FI?
• Magic does not happen at once
• Symmetric crypto is done in rounds
• Data (fault) propagation per round is limited
• Faults in state remove data dependencies
• Key is linearly combined with the faulty state
Fault injection Basics
35. • Why asymmetric crypto fails under FI?
• All assumptions fail
• Prime numbers become composite with a single bit flip
• Points on a strong ECC curve become points on weaker curves
• …
Fault injection Basics
36. • Side Channel and Fault Injection the gray box scenario
• A hardware black box does not protect the state (the key)
• Even gray boxes no longer sufficient to secure the current ecosystem
• Hardware is not free and cannot be delivered over the wire
• Can we make cryptography secure on an untrusted hardware?
• Mobile (Payments/Banking/HCE)
• Content Protection (DRM)
• …
• How to hide the key in plain sight of the attacker?
White-box Cryptography Basics
37. • Assumptions:
• Even the hardware is now untrusted
• The attacker can read the code AND the key
• Can it still be secure?
• Let’s mix the key in the algorithm. Code == Key
• Tables
• Dark magic
• Tables & dark magic
• And obfuscate the code, make the white-box self-aware
• To avoid key extraction and arbitrary code reuse (lifting)
White-box Cryptography Basics
40. • Fight magic with magic…
Breaking White-box Cryptography
41. • Fight magic with magic…
• Or apply brutal hardware attacks
• Naïve white-box implementations do
not solve the gray-box problems
• If crypto happens, the state is there
• If crypto happens, the fragile parts are
there, too
Breaking White-box Cryptography
42. • Eloi Sanfelix, Cristofaro Mune, Job de
Haas, “Unboxing the White-Box” BH EU
2015
• https://www.blackhat.com/docs/eu-
15/materials/eu-15-Sanfelix-Unboxing-The-
White-Box-Practical-Attacks-Against-
Obfuscated-Ciphers-wp.pdf
• Joppe W Bos, Charles Hubain, Wil
Michiels, Philippe Teuwen “Differential
Computation Analysis: Hiding your
White-Box Designs is Not Enough”
• https://eprint.iacr.org/2015/753
Breaking White-box Cryptography
43. • Side-channel attacks on WBC
• Run on “hardware”
• attack as if it was a pure hardware cipher
• – What is leaking? – Everything!
• Memory
• Values in registers
• “Trace” is now data dump over time
Breaking White-box Cryptography
44. • Why (some) WBC fails under side channel?
• Linearity = leakage
• Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box Cryptography in
the Gray Box.“
• http://eprint.iacr.org/2016/203.pdf
Breaking White-box Cryptography
45. • Fault injection attacks on WBC
• Run on “hardware”
• attack as if it was a pure hardware cipher
• – What can we glitch? – Anything!
• Memory
• Values in registers
Breaking White-box Cryptography
46. • Need to tap into the code flow and data. How?
• Manual code manipulation at run time (hook/inject/debug)
• Decompile & recompile with probes
• Dynamic Binary Instrumentation
• Emulation (with probes)
• Absolute worst case: run on real hardware and bring the big guns
Software Crypto Instrumentation
47. • Manual code manipulation at run time (hook/inject/debug)
• + Easy to start from a software RE/expl. background
• – Lower speed (esp. when debugging, need to tap into everything)
• – Need to bypass anti-debug countermeasures
• – Scripting debuggers is ugly
Software Crypto Instrumentation
48. • Decompile & recompile with probes
• + Easy to start from a software RE/expl. background
• + Speed
• – lots of manual corrections
• – some RE & understanding of the target needed
Software Crypto Instrumentation
51. • Emulation (with probes)
• Platform-level emulation = The mighty QEMU
• Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/
• Standalone
• IDA plugin
• Awesome
• PANDA (a full platform) https://github.com/moyix/panda
• Record traces and replay
• Plugin framework
• Awesome (but slow)
Software Crypto Instrumentation
53. • What to do? Side-channel:
• Log all memory accesses
• Address
• Value & Size
• Log all registers
• What to do? Fault injection:
• Flip bits in memory values and memory addresses
• Flip bits in registers
• KEEP TRACK OF THE PROGRAM COUNTER == TIME
Software Crypto Instrumentation
54. • Narrow down the addresses and PC range
• Compare execution traces, identifying data and key dependencies
• Side-channel – easy optimizations
• Memory writes are more useful than reads
• Most registers are redundant (sometimes LSB is enough)
• Data can be compressed/discarded on the fly
• Fault injection – easy optimizations
• Keep track of what you glitch
Software Crypto Instrumentation
55. • White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto
• Fault injection attack in 9th round
• Using https://github.com/SideChannelMarvels/JeanGrey to extract
the key
DEMO 1
56. • Huge traces for SCA
• ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes
per instruction = a lot of data
Compress and discard more aggressively
Software Crypto Instrumentation Challenges
57. • Misalignment
• Leakage location depends on input
Do aggressive signal processing
Smart emulation (CFG?)
Software Crypto Instrumentation Challenges
58. • Glitching runs wild
• Unwanted glitching of return addresses
• Unwanted glitching of instruction loading addresses
Simple heuristics when glitching, better focus
Software Crypto Instrumentation Challenges
59. • Why?
• Directly applicable on regular software crypto
• Defeat obfuscation without deobfuscating
• What is executable will be executed and WILL leak / WILL be glitchable
• Minimum reverse engineering
• Ideally, locate the target function in time domain only
• Can be tailored into a point-and-click solution if needed
Bonus: Attacking Regular Software Crypto
60. • But… hardware acceleration? AES-NI, etc.?
• Only for symmetric crypto.
• Maybe forbidden by obfuscator/protector
• Often not applicable due to platform diversity
• E.g. standard crypto extensions for ARM are not there yet, etc.
• Or, emulate & get the key from emulator’s implementation
• Or, emulate & apply DCA on the whole emulator
• Worst case, debug & get the key from registers, as usual
Bonus: Attacking Regular Software Crypto
61. • OLLVM-Obfuscated standard AES encryption
• Side-channel leakage is memory accesses
• Using Riscure Inspector to extract the key
DEMO 2
62. • Any state can be leaked via SCA
• Any data dependency
• PIN/Key/Password lengths
• Hamming weights/distances of values
• Code structure / CFG leaks too
• Basic blocks in CFG may be recognizable
SCA & FI: Beyond Attacking Crypto
63. • Any state can be affected via FI
• Most critical – bypass security mechanisms
• MAC/Signature/PIN/Password checks
• Secure Boot
• …
Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016
https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-
Fault-Injection.pdf
SCA & FI: Beyond Attacking Crypto
65. • SCA countermeasures
• Most are patented, bad news for silicon and crypto vendors
• Reduce leakages (double rail logic, shields, …)
• Introduce noise and jitter
• Shuffle the state in time domain
• Masking
• Encodings between rounds
SCA & FI: Beyond Attacking Crypto
66. • FI countermeasures
• Most are patented, bad news for silicon and crypto vendors
• Best idea: verify everything
• Transform the algorithms
• To allow verification on side effects of the calculations
• To propagate errors DRAMATICALLY, diffusing the key dependencies
• Hardware:
• Awareness – sensors: glitch, light, EM, …
SCA & FI: Beyond Attacking Crypto
67. • State-of-the-art white-box crypto, as seen in highly competitive
markets like content protection, is tough:
• All of the above
• SCA countermeasures
• FI countermeasures
• State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI
• Attacking == Defusing an explosive black box with a hammer
• If possible, uses encodings
• Internal encoding:
• 𝐿𝑈𝑇 = 𝑔 ∘ 𝐿𝑈𝑇 ∘ 𝑓−1
• External encoding:
• 𝐴𝐸𝑆 𝑘
′
= 𝐺 ∘ 𝐴𝐸𝑆 𝑘 ∘ 𝐹−1
• 𝐴𝐸𝑆 𝑘
′
(𝑚) is unusable by anyone, except the vendor who can decode
SCA & FI: Beyond Attacking Crypto
68. • More countermeasures for white-box crypto:
• Remember, state = key. Diffuse the state so it is too large to easily extract or
compress
• Bogdanov, A., & Isobe, T.. (2015). White-Box Cryptography Revisited: Space-Hard
Ciphers. ACM Conference on Computer and Communications Security.
10.1145/2810103.2813699
SCA & FI: Beyond Attacking Crypto
69. • It is still possible to break crypto without being a cryptographer
• Academy is busy constructing funny whiteboxes
• Thinking out of the box helps
• Best hacks happen on an edge
• Proper tools
• Continuously evaluate your product before it hits the market
• The fight goes on…
Conclusions
72. Challenge your security
Riscure North America
550 Kearny St.
Suite 330
San Francisco, CA 94108
+1 (650) 646 9979
inforequest@riscure.com
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
We are hiring!
www.riscure.com/careers