Laboratory of security and applied cryptography
Lab head: Vashek Matyáš • Petr Švenda • {matyas,svenda}@fi.muni.cz • Masaryk University, Brno, Czech Rep.
Masaryk U. – related research, interest
The team
• 4 faculty members full-time and 2 postdocs
• 4 PhD students, 15+ MSc
• 2-4 faculty members in relevant areas
• Dedicated lab with basic biometric, smartcard, mobile, wired and WiFi (security) equipment, HSMs, sensor nodes, oscilloscopes…
Ongoing/past projects
• Department of Home Affairs
  • cryptographic protocols, privacy, intrusion detection in wireless sensor networks – applied research project
• National Security Authority
  • long-term cooperation in the areas of secure H/W, smartcards and related applications, including crypto protocols
• Czech Science Agency and industry projects
  • mobile devices, tokens, biometrics, code audits…
• EU PICOS (Privacy and Identity Management for Community Services) (STREP)
  • mobile privacy-preserving services for communities
  • requirements (gaming community), architecture, eval. & assurance
• EU FIDIS Network of Excellence (EC)
  • identity, identification, privacy
  • authentication – PKI, biometrics, tokens, protocols
Main topics of interest
• Cryptographic hardware
  • mainly smart cards
• Wireless Sensor Networks
  • design and practical implementation of a network-wide protection layer (privacy, IDS, key distribution)
• Random number generators
  • practical testing: mobile phones, smart cards
• Evolutionary algorithms + BOINC
  • utilization of distributed computation for other areas
Main topics of interest – secure hardware
• Laboratory equipment capable of
  • power analysis of smart cards
  • fault induction attacks (power & data glitch)
  • bytecode-level reverse engineering
• Source code analysis & software-level protections
  • automatic source code transformation (CesTa)
• Design & implementation of smart card protocols
  • advanced schemes utilizing smart cards
  • (micro-)payment schemes
Cryptographic Hardware Security
• Projects mainly for the Czech NSA
  • How to select the most suitable smart card?
  • How to test a large batch for the same hardware?
  • How to detect a potential backdoor?
  • How to fix problems with hardware in software?
• Projects with the Czech provider of ePassports and citizen ID cards
  • How to let the user confirm the transaction amount?
  • Source code audits
Basic setup for power analysis
(diagram) Components: smart card reader, oscilloscope, smart card, inverse card connector, probe, resistor 20-80 ohm
More advanced setup for power analysis
(diagram) Components: external power supply, tested smartcard, SCSAT04 measurement board, Ethernet
Database of common operations
• Power traces of DES, AES, EEPROM write, RAM write, RSA, MD5/SHA1/SHA256 …
• GlobalPlatform SCP’0x, PIN verification…
Bytecode – situation with current SCs
• Tested 10 different families from 4 manufacturers
  • 3 with clearly visible bytecode and separators
  • 3 with visible bytecode, but no separators
  • 1 with partially visible bytecode
  • 3 without visible bytecode
• Caused by the type of main processor used
Reverse engineering of Java Card bytecode
• Goal: obtain the code back from the smart card
• JavaCard defines around 140 bytecode instructions
• The JVM fetches an instruction and executes it
(diagram) source code: m_ram1[0] = (byte) (m_ram1[0] % 1); → compiler → bytecode: getfield_a_this 0; sconst_0; baload; sconst_1; srem; bastore; → JVM → power trace on the oscilloscope
(diagram) Target card bytecode: sadd; sstore 4; sload 4; sconst_1; aload_1; sload 4; … Reverse engineered from the power trace: sadd; unknown; sload; sconst; sload; sadd; sconst; …
Conditional jumps may reveal sensitive info
• keys, internal branches, …
(diagram) source code: if (key == 0) m_ram1[0] = 1; else m_ram1[0] = 0; → compiler → bytecode: sload_1; ifeq_w L2; L1: getfield_a_this 0; sconst_0; sconst_0; bastore; goto L3; L2: getfield_a_this 0; sconst_0; sconst_1; bastore; goto L3; L3: … → power trace (k != 0) vs. power trace (k == 0) on the oscilloscope
(figure) Power traces of External Authenticate: incorrect MAC vs. incorrect checksum
FITKit logger and manipulator
Automated code transformation – CesTa project
http://cesta.sourceforge.net
CesTa – main design goals
• Enhanced security on real applets
  • fix what is wrong, add preventive defenses
• Source code level & auditability
  • trust, but verify
• Complexity is hidden
  • clarity of original code
• Flexibility & extensibility
  • protect against new threats
  • protect only what HW does not
CesTa – basic scheme
• Write code once, apply only what is needed
CesTa project – current state
• JavaCard transformations; SC.NET in development
• Several non-trivial transformations implemented
  • low level: IfSwitchReplacement (replacement rule)
  • generic: ShadowVariables (replacement rule)
  • generic: ValidateStateTransitions (replacement rule)
  • generic: CheckTransactions (analysis rule)
• Tested on real (bigger) applets
  • JOpenPGPCard, CardCrypt/TrueCrypt, crypto software impl…
• Transformations can be provided by independent labs
  • modular design, open source
  • http://CesTa.sourceforge.net
Summary
• Obtain some info from the power trace
  • JC RE, OpenPlatform operation power trace
• Make additional testing
  • APDUPlay/FITKit logger packet manipulation
• Power glitch fault induction
  • combined with power trace
• Inspection of interface and protocols used
  • SACC, APDUPlay
  • often combined with power trace (hidden code detection)
• Fix problems found with automatic source code transformations
  • CesTa project
Backup slides
IF_SWITCH transformation
• Conditional jump (IF THEN ELSE) leaks its argument
  • IP++ or IP = IP + branch_offset
• SWITCH also leaks, but has multiple branches
  • attacker can still distinguish first and second branch
  • but not between second and third branch
    • jump executed in both cases
    • IP = IP + branch2_offset or IP = IP + branch3_offset
• Basic idea
  • replace IF THEN ELSE -> SWITCH
IF_SWITCH transformation – robust version
• Assumption: comparison and assignment are not leaking
• IF THEN ELSE still present, but randomized
  • attacker can distinguish then and else branch
  • but not case 0: and case 1: branch
• Random branch will be taken
IF_SWITCH template
• unique ID for expression variable (e.g., expr_res13)
• logical expression to jump on (e.g., key == 0)
• content of THEN branch (e.g., m_ram[0] = 5;)
• content of ELSE branch (e.g., m_ram[0] = 7;)
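As an added, hand-written illustration (not CesTa's generated output), the leaky if/else from the earlier slide next to the basic and robust IF_SWITCH forms. `key`, `m_ram1` and the random byte `rnd` are assumed applet state, and evaluating the condition into `expr_res13` relies on the slide's assumption that comparison and assignment do not leak:

```java
public class IfSwitchDemo {

    // Original form from the slides: the target of ifeq depends on key,
    // so IP++ versus IP = IP + branch_offset shows in the power trace.
    static void leaky(byte key, byte[] m_ram1) {
        if (key == 0) m_ram1[0] = 1; else m_ram1[0] = 0;
    }

    // Basic IF_SWITCH: the condition is first evaluated into a uniquely
    // named variable (slide assumption: comparison and assignment do not
    // leak), then a switch dispatches through a jump table, so a jump
    // "IP = IP + caseN_offset" is executed on either path. The never-
    // selected case 0 keeps THEN and ELSE in the second and third slots,
    // which the slides describe as indistinguishable.
    static void ifSwitchBasic(byte key, byte[] m_ram1) {
        short expr_res13 = (key == 0) ? (short) 1 : (short) 2;
        switch (expr_res13) {
            case 0: break;                  // padding slot, never selected
            case 1: m_ram1[0] = 1; break;   // THEN content
            case 2: m_ram1[0] = 0; break;   // ELSE content
        }
    }

    // Robust IF_SWITCH: an if/else on a fresh random bit is still present.
    // Telling its then and else apart only reveals rnd; which of case 0 /
    // case 1 carries THEN is swapped per execution, and those two cases
    // are the ones the attacker cannot separate.
    static void ifSwitchRobust(byte key, byte[] m_ram1, byte rnd) {
        short expr_res13 = (key == 0) ? (short) 1 : (short) 0;
        short r = (short) (rnd & 1);        // assumed: fresh random bit per call
        if (r == 0) {
            switch (expr_res13) {
                case 1: m_ram1[0] = 1; break;   // THEN
                case 0: m_ram1[0] = 0; break;   // ELSE
            }
        } else {
            switch ((short) (expr_res13 ^ 1)) {
                case 1: m_ram1[0] = 0; break;   // ELSE now in case 1
                case 0: m_ram1[0] = 1; break;   // THEN now in case 0
            }
        }
    }
}
```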
Another attack – fault induction
• Attacker can induce bit faults in memory locations
  • power glitch, flash light, radiation...
  • harder to induce a targeted fault than a random one
• Protection with shadow variable
  • every variable has a shadow counterpart
  • shadow variable contains the inverse value
  • consistency is checked on every read/write to memory
• Robust protection, but cumbersome for the developer
(diagram) a / a_inv byte pairs: 01011010 / 10100101 and, after a = 0x55; a_inv = ~0x55;, 01010101 / 10101010; a modified a = 01010000 no longer matches ~a_inv. Checks: if (a != ~a_inv) Exception(); a = 0x13; if (a != ~a_inv) Exception(); a = 0x55; a_inv = ~0x55;
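An added, hand-written version of the shadow-variable protection for a single byte field (mine, not CesTa's generated code), written against the JavaCard API; the names `a`, `a_inv`, `readA`, `writeA`, `simulateFault` and the status word are illustrative:

```java
import javacard.framework.ISO7816;
import javacard.framework.ISOException;

public class ShadowVariableDemo {
    // Protected value and its shadow, which always holds the bitwise inverse.
    private byte a = 0x13;
    private byte a_inv = (byte) ~0x13;

    // The slide's "if (a != ~a_inv) Exception();". A bit fault in either
    // copy breaks a == ~a_inv, so a corrupted value is never used.
    private void checkA() {
        if (a != (byte) ~a_inv) {
            ISOException.throwIt(ISO7816.SW_UNKNOWN);   // illustrative status word
        }
    }

    // Every read goes through the consistency check.
    byte readA() {
        checkA();
        return a;
    }

    // Every write checks the old pair first, then updates both copies
    // (the slide's "a = 0x55; a_inv = ~0x55;").
    void writeA(byte v) {
        checkA();
        a = v;
        a_inv = (byte) ~v;
    }

    // Hypothetical stand-in for a glitch: the pair is written consistently,
    // then a alone is overwritten the way a fault would change it. The next
    // readA() raises the exception instead of returning 0x50.
    void simulateFault() {
        a = 0x5A;              // 01011010
        a_inv = (byte) ~0x5A;  // 10100101
        a = 0x50;              // 01010000: two bits changed, shadow untouched
    }
}
```

In a real applet the two writes in `writeA` would be wrapped in a JCSystem transaction, so that a card tear between them cannot leave a pair that fails every later check.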
Applet state transition enforcement
• Applet security states are usually controlled ad hoc
  • if (adminPIN.isValidated() && bSecureChannelExists) …
  • unwanted (unprotected) paths may exist
• Possible solution
  • model state transitions in an inspectable format (DOT (GraphViz))
  • automatically generate code for state transitions
  • check appropriate states in sensitive methods
Applet state transition – example
(diagram)
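An added example (mine, not code generated by CesTa) of what the "generate code from a DOT model" step could produce for a small session state machine, written against the JavaCard API; the states, the DOT graph in the comment and the method names are hypothetical:

```java
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;

public class StateEnforcementDemo {
    /* Hypothetical model the table below is derived from:
       digraph applet {
         IDLE -> ADMIN_AUTH [label="VERIFY admin PIN"];
         ADMIN_AUTH -> SC   [label="EXTERNAL AUTHENTICATE"];
         ADMIN_AUTH -> IDLE [label="logout"];
         SC -> IDLE         [label="channel closed"];
       } */
    static final byte ST_IDLE = 0, ST_ADMIN_AUTH = 1, ST_SC = 2;
    static final byte NUM_STATES = 3;
    // ALLOWED[from * NUM_STATES + to] == 1 iff the edge exists in the graph.
    // Flat array because JavaCard has no multidimensional arrays.
    static final byte[] ALLOWED = {
        /* from IDLE       */ 0, 1, 0,
        /* from ADMIN_AUTH */ 1, 0, 1,
        /* from SC         */ 1, 0, 0,
    };
    // Session state in transient memory: cleared on deselect, so every
    // new session starts in ST_IDLE (== 0).
    private final byte[] state;

    StateEnforcementDemo() {
        state = JCSystem.makeTransientByteArray((short) 1, JCSystem.CLEAR_ON_DESELECT);
    }

    // Single choke point for every state change: anything not in the model
    // is refused, which closes the "unwanted paths" ad-hoc checks miss.
    void transition(byte to) {
        if (to < 0 || to >= NUM_STATES
                || ALLOWED[(short) (state[0] * NUM_STATES + to)] == 0) {
            ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        state[0] = to;
    }

    // Generated guard for the top of each sensitive method, replacing
    // "if (adminPIN.isValidated() && bSecureChannelExists)".
    void requireState(byte expected) {
        if (state[0] != expected) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    }

    // Example sensitive method: only reachable over the secure channel.
    void updateKey(byte[] buf, short off, short len) {
        requireState(ST_SC);
        // ... key update body ...
    }
}
```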
Check transactions
• Transactions can breach applet security
  • e.g., a decreased PIN counter value is rolled back
• CesTa can detect possible problems in code
  • a warning is generated
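An added illustration (mine, not from CesTa or the slides) of the pattern the CheckTransactions rule is meant to flag, written against the JavaCard API: a hand-rolled try counter whose decrement sits inside a transaction that the wrong-PIN exception makes the JCRE roll back, next to the order that keeps the decrement. Field names and status words are illustrative; a production applet would rather use OwnerPIN, which manages the counter itself.

```java
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

public class PinCounterDemo {
    static final byte MAX_TRIES = 3;
    private byte tries = MAX_TRIES;   // persistent try counter
    private byte[] pin;               // reference PIN set at personalisation

    // Pattern to warn about: tries-- is inside an open transaction. On a wrong
    // PIN the exception leaves process() with the transaction still open, the
    // JCRE aborts it, and tries is restored, so the guess was free and can be
    // repeated without limit.
    void verifyRollbackBug(byte[] buf, short off, short len) {
        if (tries == 0) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        JCSystem.beginTransaction();
        tries--;
        if (Util.arrayCompare(buf, off, pin, (short) 0, len) != 0) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED); // rolls back tries--
        }
        tries = MAX_TRIES;
        JCSystem.commitTransaction();
    }

    // Correct order: the counter is decremented and durable before the
    // comparison (a single field write is atomic in JavaCard, so it needs no
    // transaction), and only a successful comparison restores it. A wrong
    // guess, or a card tear during the compare, costs a try.
    void verifyFixed(byte[] buf, short off, short len) {
        if (tries == 0) ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        tries--;
        if (len != (short) pin.length
                || Util.arrayCompare(buf, off, pin, (short) 0, len) != 0) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        tries = MAX_TRIES;
    }
}
```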