The Failures Of Proprietary Cryptography

Transcript

The Failures of Proprietary Cryptography
Roel Verdult - Radboud University Nijmegen

DES
• Introduced in 1977
• Key size = 2^56
• Cipher properties
  – Block cipher, using blocks of 64 bit
  – Optimized for hardware
• Weak keys (00…0 and 11…1)
• Attacks
  – Linear cryptanalysis requiring 2^43 known plaintexts
  – Brute-force

3DES
• Introduced in 1981
• Key size = 2^112
• Cipher properties
  – Block cipher, using blocks of 64 bit
  – Optimized for hardware
• Weak keys (00…0 and 11…1)
• Attacks
  – Best attack requires 2^84 encryptions
  – Brute-force

AES
• Introduced in 2001
• Key size = 2^128
• Cipher properties
  – Block cipher, using blocks of 128 bit
  – Optimized for hardware
• Attacks
  – Best attack requires 2^126 encryptions

LEGIC Prime Applications

LEGIC Prime
• Introduced in 1992
  – Access control
• Key size = 2^0
• Weaknesses
  – No encryption / hashing
  – Relies only on obfuscation
• Attacks
  – Instant replay of recorded transaction
  – Abuse trust-delegation and create “Uber” token

MIFARE Classic Applications

MIFARE Classic
• Introduced in 1994
  – Public transport
  – Access control
• Key size = 2^48
• Sold billion+ times
• Weaknesses
  – Weak random nonces
  – Only odd filter-inputs
  – Encrypts parity bits
• Attacks
  – Eavesdrop (1 trace)
  – Reader-only (2 traces)
  – Card-only (300 traces)

CryptoMemory Applications
• ID and access cards
• healthcare
• loyalty cards
• e-purses
• energy meters
• e-government
• printers and print cartridges
• Digital-TV
• subassembly authentication
• counterfeit protection
• Vegas!

SecureMemory & CryptoMemory
• Introduced in 1999
  – Casino and e-cash
  – Anti-counterfeit
  – Access control
• Key size = 2^64
• Weaknesses
  – No tag nonce
  – Register correlation
  – Rollback of cipherstate
• Attacks
  – SecureMem (1 trace / month)
  – CryptoMem (24 traces / days)
  – DPA attack (card-only seconds)

DST Applications

Digital Signature Transponder (DST)
• Introduced in 1995
  – Immobilizers
• Key size = 2^40
• Weaknesses
  – No tag nonce
  – Low complexity
  – Unbalanced cipher
• Attacks:
  – Brute-force

Hitag2 Applications

Hitag2
• Introduced in 1996
  – Immobilizers
• Key size = 2^48
• 34+ makes, 200+ models
• Weaknesses
  – No tag nonce
  – Weak filter function
  – Session dependencies
  – Key stream recovery
• Attacks
  – Eavesdrop (2 traces)
  – 6 Hours computation

KeeLoq Applications

KeeLoq
• Introduced in 1996
  – Remote keyless entry
• Key size = 2^64
• 11+ makes, 30+ models
• Weaknesses
  – Jamming of code hopping
• Attacks
  – Small internal state
  – Side-channel (DPA)
  – Linear relation over cipher bits
  – Eavesdrop (2 traces)
  – Missing hardware protection

Other Proprietary Cryptography

Proprietary VS Standardized crypto
• Proprietary crypto relies on secret algorithms
• Product secrets stimulate vendor lock-in
• When secret leaks out, all products are vulnerable
  – The more it is sold/used, the more likely victim
• “Security by obscurity” – obscurity = no security
• All reverse-engineered proprietary algorithms are so badly broken that they can be abused in practice
• Peer-review seems to be inevitable, so why not start with this anyway, like DES, 3DES and AES did.

iClass and PicoPass

iClass (HID Global)
• ISO 15693 and ISO 14443-B compatible smartcard
• Introduced in 2002, replacement of HID Prox (125kHz)
• Over 300 million cards sold (according to HID)
• Marketed as migration option for MIFARE Classic

Applications

Key-length comparison

Cipher                      Key-length
Crypto1 (MIFARE Classic)    48
DES                         56
Secure/CryptoMemory         64
iClass                      64
AES                         128

HID boosts
• Extremely high security
• Migration option for MIFARE Classic
  – “improved security, performance and data integrity”

iClass Standard
• One master key for every system (worldwide)
• spoiler alert: we have it!
• Built-in Key Diversification

iClass Elite (aka High Security)
• Allows customized master key
• Built-in Key Diversification
• More expensive

iClass Memory Layout
[Figure labels: Key, Slot 00, 01, 02, .., Value]

Eavesdropping
Proxmark 3 (www.proxmark.org)
Supports several HF/LF protocols (ISO 14443a/b)
Added eavesdropping for iClass (ISO 15693)

PIC Microcontroller

Bypassing PIC’s firmware protection

Authentication Protocol
Card Identity
Reader Nonce
Card Challenge
Reader MAC
Card MAC

iClass Cipher
looks interesting

Key Diversification (concept)
Master key K
id
Auth(K_id)
K_id = Enc(K, id)
id, K_id

Key Diversification (iClass)
[Diagram labels: (single) DES, Identifier, hash0( ) = Key (Card), Master Key]

Key Diversification (iClass Elite)
[Diagram labels: hash1( ), Identifier, Master Key, 16 x (single) DES, 8 lookup indices]

hash0( )  hash1( )
• Not one-way
• Not collision resistant
• In fact, it is invertible
• Easy to find pre-image
• Many collision

Key Diversification (iClass Elite)
Hash2(key) returns 128 bytes “matrix”
6 8 1 4 2 7 3 5
byte selection (hash1): “based on the card serial number and a complex algorithm”
temp = DES( 1 2 3 4 5 6 7 8 , id)
cardkey = hash0(temp)

Recover Master Key (iClass Elite)
…
Not needed
= DES(key,~key) = temp
= DES(temp,~key)
key = ~DES(temp, )

Key Diversification (iClass Elite)
7 1 3 8 2 4 6
Choose identifiers (id), so that hash1(id) returns as many lookup indices as possible from the first matrix row

Malicious card identities

Attack times iClass

Product                       Auth at.   MACs       Time
iClass Standard               2^22       O(2^40)    < one day on a laptop    Under submission
iClass Elite (reader only)    15         O(2^25)    5’’ on a laptop          Under submission

Wrapping up iClass
• Security by obscurity often covers for negligent designs.
• It is hard to patch a cipher
• More is not always better
  – 3DES better than 16 ad-hoc DES
• Implementation of security products need formal verification e.g. model checking
• Plenty of room for improvement!

Consequences
• HID asked their manufacturing party (Inside Secure) to put legal pressure by claiming we might incur indirect patent infringement.
• We (and our lawyers) do not agree, so went ahead and published it.
• HID press release, 2 weeks after publication (coincidence?):
  "HID’s iCLASS SE readers will be powered by NXP’s new CLRC663 reader ICs and fully support 13.56 MHz smart cards that are ISO14443 compliant, including MIFARE DESFIRE EV1."
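
The "Key Diversification (concept)" and "Authentication Protocol" slides, worked through as an added example that is not code from the talk or from any vendor: a reader re-derives K_id from the card identity and both sides prove knowledge of it with MACs over the card challenge and reader nonce. Assumptions: HMAC-SHA-256 stands in for Enc and for the MAC (a one-way choice, unlike the hash0/hash1 functions the slides criticise), and the class names, field sizes and role labels are hypothetical.

```python
import hashlib
import hmac
import os

def diversify(master_key: bytes, card_id: bytes) -> bytes:
    # K_id = Enc(K, id); HMAC-SHA-256 is a stand-in for Enc (assumption).
    return hmac.new(master_key, b"div" + card_id, hashlib.sha256).digest()

def mac(key: bytes, role: bytes, challenge: bytes, nonce: bytes) -> bytes:
    # The role label stops a reader MAC from being echoed back as a card MAC.
    return hmac.new(key, role + challenge + nonce, hashlib.sha256).digest()

class Card:
    """Holds only its own K_id, never the master key (hypothetical model)."""
    def __init__(self, card_id: bytes, card_key: bytes):
        self.card_id, self.key = card_id, card_key

    def start(self):
        self.challenge = os.urandom(8)           # fresh card challenge per run
        return self.card_id, self.challenge      # card identity + card challenge

    def respond(self, nonce: bytes, reader_mac: bytes):
        expected = mac(self.key, b"reader", self.challenge, nonce)
        if not hmac.compare_digest(expected, reader_mac):
            return None                          # reader failed to prove K_id
        return mac(self.key, b"card", self.challenge, nonce)

class Reader:
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def authenticate(self, card: Card) -> bool:
        card_id, challenge = card.start()
        key = diversify(self.master_key, card_id)    # re-derive K_id from id
        nonce = os.urandom(8)                        # reader nonce
        card_mac = card.respond(nonce, mac(key, b"reader", challenge, nonce))
        if card_mac is None:
            return False
        return hmac.compare_digest(card_mac, mac(key, b"card", challenge, nonce))

def demo():
    master = bytes(range(32))                        # constructed sample key
    id_a, id_b = b"\x01" * 8, b"\x02" * 8            # constructed identifiers
    genuine = Card(id_a, diversify(master, id_a))
    wrong_id = Card(id_b, diversify(master, id_a))   # K_id bound to another id
    site, other_site = Reader(master), Reader(os.urandom(32))
    return (site.authenticate(genuine), site.authenticate(wrong_id),
            other_site.authenticate(genuine))

if __name__ == "__main__":
    print(demo())
```

A key copied onto a card with a different identity fails, and a reader holding a different master key is rejected by the card before the card releases its own MAC.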