میحرلانمحرلاللهامسبce.sharif.edu/~boorghany/pubdown/tokenrand-slides.pdf · o Randomness Failures in Cryptography ... Java Card: How to talk to these ... “Randomly

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

بسم اهلل الرحمن الرحیم

Random Data and Key Generation Evaluation of Some Commercial Tokens and Smart Cards

Ahmad Boorghany, Siavash Bayat Sarmadi, Parnian Yousefi, Pouneh Gorji, Rasool Jalili

Data & Network Security Lab (DNSL)

Computer Engineering Dept., Sharif Univ. of Technology

ISCISC’14

September 3, 2014

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Background

o Randomness Failures in Cryptography

o Common Prime Attack on RSA Keys

Our Experiments

o Idea

o Methodology and Tools

Evaluation Results

o Randomness Evaluation

o RSA Key Evaluation

Conclusion and Future Works

Outline

2 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Background

Eval. ResultsOur ExperimentsBackground

3 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Crucial for CPA security [GM84]

o CPA is a weak security notion (respecting CCA or CCA2)

Some stories:

Debian’s Openssl Bug [YRS+09]

RNG output domain < 65536

For two years: 2006~2008

2012: still 57000 vulnerable HTTPS/SSH servers on the Internet [HDWH12]

Android’s RNG Bug [MMS13]

Successful thefts from Bitcoin users [But13]

Randomness in Cryptography

Background

4 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

RSA Cryptosystem:

Depends on the factoring problem

𝑝 and 𝑞 are large random primes

512 bits each in RSA-1024

Common Prime Factor?

If the RNG is good, probability < 2−500

If 𝑁1 = 𝑝 × 𝑞1 and 𝑁2 = 𝑝 × 𝑞2:

𝑝 = GCD 𝑁1, 𝑁2 → Done efficiently

𝑞1 = 𝑁1/𝑝 , 𝑞2 = 𝑁2/𝑝

Common Prime Attack on RSA Keys

𝑁 = 𝑝 × 𝑞

GCD

𝑁1 𝑁2

𝑝

Background

5 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Heninger et al. [HDWH12] in USENIX Sec 2012

Crawled the Internet looking for common factors

o Live hosts: 23,044,976

o Vulnerable ones: 66,540 (≅ 3 in 1000)

Almost all failures: on embedded/constraineddevices

o Lack of good entropy sources

Common Prime Attack on RSA Keys

Background

6 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Bernstein et al. [BCC+13] in Asiacrypt 2013

Tested Taiwanese DB of certificates

Personal smart cards

More than 3,000,000 RSA public keys

Common Prime Attack on RSA Keys

Background

7 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

105 moduli factored easily by pair-wise GCD

The most popular modulus (46 occurrences):

Why? Maybe randomness failures.

Common Prime Attack on RSA Keys

c0000000000000000000000000000000

00000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000002f9

Background

8 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Our Experiments

Our Experiments

9 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Evaluate hardware security modules in the market

o Tokens

o Smart Cards

So, what to do?

o Generate RSA Keys, andcompute pair-wise GCDs

o Generate random streams, andevaluate them in advance

The Idea

Our Experiments

10 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

PKCS#11

Java Card:

How to talk to these devices?

C_GenerateRandom

C_GenerateKeyPair

Command 1 Import JavaCard. …

public class TestCard{…

Our Experiments

11 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Targeted Tokens and Smart Cards:

o Token 1 : PKCS#11

o Token 2 : PKCS#11

o Token 3 : PKCS#11

o Token 4 : PKCS#11

o Token 5 : PKCS#11

o Smart Card 1 : PKCS#11

o Smart Card 2 : Java Card

o Smart Card 3 : Java Card

Sorry, but no names

Methodology

Our Experiments

12 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

For each hardware:

10.000.000-bit stream generated

Its randomness evaluated usingNIST’s Statistical Test Suit (STS)

161 instances from 15 distinct tests

o Frequency Test

o Runs Test

o Serial Test

o Overlapping/Non-overlapping Template Test

o etc.

Methodology

Our Experiments

13 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

For each hardware:

200 RSA key-pairs generated

o 1024-bit and 2048-bit

Pair-wise GCDs computed:

o With each other

o With the database of MOCCA- 25000 certificates

o With the database of Heninger et al.’s crawling- Using factorable.net

Methodology

Our Experiments

14 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Evaluation Results

Eval. Results

15 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Simple frequency diagram

Randomness Evaluation

Eval. Results

16 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Randomness Evaluation – STS Results

Eval. Results

17 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Token 5: very small prime factors: 3, 5, 7, … .

RSA Key Evaluation

Eval. Results

18 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Evaluation is a must!

Better evaluation methods required

Note: only simple vulnerabilities can be foundby statistical testing

Other schemes: ECDSA, etc.

Conclusion and Future Works

19 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

Thanks for your attention

Questions?

20 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

[GM84] S. Goldwasser, S. Micali, “Probabilistic encryption,” J. Computer and System Sciences, vol. 28, no. 2, pp. 270-299, 1984.

[YRS+09] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public: results from the 2008 Debian OpenSSL vulnerability," In Proc. 9th ACM SIGCOMM Conf., 2009, pp. 15-27.

[HDWH12] N. Heninger, Z. Durumeric., E. Wustrow, and J. A. Halderman, “Mining your Ps and Qs: Detection of widespread weak keys in network devices,” In Proc. 21st USENIX Security Symp., 2012, pp. 205-220.

[MMS13] K. Michaelis, C. Meyer, and J. Schwenk, “Randomly failed! The state of randomness in current Java implementations.” In Proc. Topics in Cryptology–CT-RSA, 2013, pp. 129-144.

References

21 / 20

Random and Key Generation Evaluation of Tokens and Smart CardsBoorghany et al. ISCISC 2014

Eval. ResultsOur ExperimentsBackground

[But13] V. Buterin. (2013, August 11). Critical Vulnerability Found In Android Wallets [Online]. Available: http://bitcoinmagazine.com/6251/critical-vulnerability-found-in-android-wallets/

[BCC+13] D. J. Bernstein et al., “Factoring RSA keys from certified smart cards: Coppersmith in the wild,” In Proc. 19th Advances in Cryptology-ASIACRYPT, 2013, pp. 341-360.

References

22 / 20