Crypto 2020

August 17-21 2020


WAC Workshop

Cryptography is often thought of as the bright spot of practical security, a mathematical paradise where security can be rigorously proven and issues like buffer overflows are in someone else’s department. However, there is a growing community of researchers who regularly find serious flaws in widely deployed cryptographic implementations and protocols. In recent years, this type of research has mostly been published in systems security conferences. This workshop will bring together researchers who work on cryptographic attacks and provide a showcase of their work for the Crypto community. This is the third edition of the WAC workshop, which has been established by Nadia Heninger.


Sunday August 16 2020


(A link to the stream will appear here later.)


The program will be online and consist of several invited speakers. A few days before the conference (the exact date will be announced soon), we will publish online the full version of all our talks (except for the keynote talk). During the workshop, each speaker will give a shorter 15-minute version of the talk, followed by a Q&A session.

Tentative Schedule (all times are in EDT)

10:00 - 10:45
Session I: Lattice and Side Channel Attacks
  • TPM-FAIL: TPM meets Timing and Lattice Attacks

    Daniel Moghimi

    The Trusted Platform Module (TPM) serves as a root of trust for the operating system. The TPM is supposed to protect our security keys from malicious adversaries like malware and rootkits. Most laptop and desktop computers nowadays come with a dedicated TPM chip, or they use the Intel firmware-based TPM (fTPM), which runs on a separate microprocessor inside the CPU. Intel CPUs have supported fTPM since the Haswell generation (2013). TPM chips are also used in other computing devices such as cellphones and embedded devices.

    We discovered timing leakage in the Intel firmware-based TPM (fTPM) as well as in STMicroelectronics' TPM chip. The dedicated STMicroelectronics TPM chip is certified at Common Criteria (CC) EAL 4+, a level that claims resistance against side-channel and timing attacks. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves. We further highlight the impact of these vulnerabilities by presenting a remote attack against a StrongSwan IPsec VPN that uses a TPM to generate the digital signatures for authentication. In this attack, the remote client recovers the server's private authentication key by timing only authentication handshakes.

    The vulnerabilities we have uncovered emphasize the difficulty of correctly implementing known constant-time techniques and show the importance of evolutionary testing and transparent evaluation of cryptographic implementations. Even certified devices that claim resistance against attacks require additional scrutiny by the community and industry as we learn more about these attacks.

    Daniel Moghimi is a PhD candidate in the Department of Electrical and Computer Engineering at Worcester Polytechnic Institute (WPI). He received his Master of Science degree from the Department of Computer Science at WPI in 2017. His research interests are in the area of computer security, with a special focus on side channels and microarchitectural attacks. He has published in top-tier academic conferences, including USENIX Security, ACM CCS and IEEE S&P. Some of his notable publications, including Spoiler, ZombieLoad and TPM-Fail, have been featured in news articles by Forbes, Wired and The Register. In his free time, he enjoys reverse engineering, finding vulnerabilities, and being involved with various sports and outdoor activities.

  • LadderLeak

    Diego F. Aranha and Akira Takahashi

    Although it is one of the most popular signature schemes today, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated as part of the signing algorithm. It is known that any small amount of nonce exposure or nonce bias can in principle lead to a full key recovery: the key recovery is then a particular instance of Boneh and Venkatesan's hidden number problem (HNP). That observation has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities in various concrete ECDSA implementations. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures).

    In this talk, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but only with probability less than 1. Exploiting such a mild leakage would be intractable using the techniques present in the literature so far. However, we present a number of theoretical improvements to the Fourier analysis approach to solving the HNP (an approach originally due to Bleichenbacher), and this lets us practically break LadderLeak-vulnerable ECDSA implementations instantiated over the sect163r1 and NIST P-192 elliptic curves. In so doing, we achieve several significant computational records in practical attacks against the HNP.

    This is a joint work with Felipe Rodrigues Novaes, Mehdi Tibouchi and Yuval Yarom.

    Diego F. Aranha is an Associate Professor of Computer Science at Aarhus University, Denmark. His professional experience is in Cryptography and Computer Security, with a special interest in the efficient implementation of cryptographic algorithms and security analysis of real-world systems. He received the Google Latin America Research Award for research on privacy twice, and the MIT TechReview's Innovators Under 35 Brazil Award for his work in electronic voting.

    Akira Takahashi is currently a PhD student in the Cryptography and Security Group, Aarhus University, Denmark. He received his M.Sc. and B.Eng. from Kyoto University, Japan. He worked as an intern at NTT Corporation in 2018. His research interests cover implementation attacks on public key cryptographic algorithms and the construction of efficient two-/multi-party computation protocols.

  • Q&A
10:45 - 11:30
Session II: Real World PRNGs
  • Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

    Shaanan Cohney

    Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side-channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). This talk addresses this gap, empirically evaluating the side channel resistance of a common PRG design. We show that hard-learned lessons about side channel leakage from encryption primitives have not been applied to PRGs, at all levels of abstraction.

    We present two attacks we implemented targeting real implementations of CTR_DRBG, a NIST recommended design. We develop the attacks to permit an attacker in a realistic scenario to recover secret keys from TLS connections.

    The first scenario we present demonstrates an asynchronous cache attack that recovers the private state from vulnerable CTR_DRBG implementations under realistic conditions, and uses it to recover long-term authentication keys when the attacker acts as a server in a TLS connection.

    In the second scenario, we show that an attacker can leverage the high temporal resolution in cache traces obtainable when the victim uses Intel SGX to conduct a blind attack to passively decrypt collected TLS connections from the victim.

    Shaanan is a Postdoctoral Research Associate at the Center for IT Policy at Princeton University and incoming Lecturer at the University of Melbourne. He also retains a secondary affiliation with Penn Law as a Visiting Fellow at the Center for Technology, Innovation & Competition. His research centers on the interplay between networking protocols and the law, with particular focus on applications of cryptography.

    His methodology mixes reverse engineering and systems analysis with approaches from legal scholarship. Shaanan has also worked in government, first as a Cryptography Fellow in the office of U.S. Senator Ron Wyden, and then in the Office of Policy Planning at the FTC.

    Shaanan completed his Ph.D. at the University of Pennsylvania in Computer & Information Science and concurrently obtained a Master in Law from the same institution.

    His research has received recognition in the form of the Best Paper Award at ACM CCS and a 'Pwnie' Award for best Cryptographic Attack. He is also the recipient of the Excellence in Tutoring Award from the University of Melbourne.

  • Firmware Insider: Bluetooth Randomness is Mostly Random

    Jiska Classen

    According to the Bluetooth specification, the chip is required to contain a proper RNG. This RNG is used for key generation within the chip, but also exposed to the operating system. This is a great feature for embedded devices, which otherwise might not have access to a good RNG.

    When analyzing the source code of Broadcom's RNG, we found that it accesses a Hardware Random Number Generator (HRNG) but has a Pseudo Random Number Generator (PRNG) fallback.

    The HRNG looked good, at least at first sight; since it is a black box whose output comes from some memory-mapped hardware registers, it is hard to analyze.

    However, the RNG function has a PRNG fallback in case the HRNG is not available. This PRNG takes a couple of values which are not random at all. The most random value is the chip's clock. In most contexts within the code that require randomness, the PRNG is called multiple times in a row, so the clock is essentially constant apart from the initial value. Similar issues apply to the other registers and values the PRNG takes as input. The PRNG code was changed multiple times over the years of firmware dumps that we have (an additional caching behavior, different input values, etc.), and it was dropped in the most recent version.

    We found that the weak PRNG fallback is indeed used on the Samsung Galaxy S8 series (also S8+ and Note 8) as well as one iPhone model. This makes these devices vulnerable to attacks on pairing and encryption.

    Jiska breaks things.

  • Q&A
11:30 - 12:00
12:00 - 12:25
Session III: Election Security
  • Weaknesses in the Moscow Internet voting system

    Pierrick Gaudry

    In September 2019, voters for the election at the Parliament of the city of Moscow were allowed to use an Internet voting system. The source code of it had been made available for public testing. In this talk, which is joint work with Alexander Golovnev, I will relate the story of two successful attacks on the encryption scheme implemented in the voting system. Both attacks were sent to the developers, and both issues have been fixed hastily just before the election. I will also explain the general design and how it fails to fulfill many security notions usually expected from a modern e-voting platform.

    Since his PhD obtained in 2000, Pierrick Gaudry has worked on algorithmic number theory applied to public key cryptography. His main research interests include elliptic and hyperelliptic curve cryptography, integer factorization, and the discrete logarithm problem. Around 2013, he got interested in electronic voting and is involved in the development of the Belenios internet voting system.

  • Q&A
12:25 - 13:30
  • Towards A Reliable Methodology for Creating Leakage Resilient Software Implementations

    Elisabeth Oswald

    Over 20 years after the initial introduction of timing, power, and EM as sources of additional information that create formidable adversaries, there is still a considerable gap between theoretical leakage resilience and practical side channel security. In my talk I will examine this gap by considering a number of questions/angles: what is the difference between (various) theoretical models for leakage and the actual leakage observed from a complex microprocessor; how can we capture and express complex leakage as observed in practice; and how can we realistically validate a piece of software with respect to its security?

    Elisabeth Oswald works as Professor of Cybersecurity at AAU Klagenfurt. Prior to that she established Bristol Cryptography’s side channel research activity. She previously was an EPSRC Leadership Fellow, and currently holds an ERC consolidator award. She was program chair of CHES and Eurocrypt, and is associate editor of the Journal of Cryptology and the Journal of Cryptographic Engineering. Her research interests are in the general area of applied cryptography and range from statistical and machine learning methods for leakage analysis, through implementation techniques, to leakage resilient cryptography.

  • Q&A
13:20 - 14:00
14:00 - 14:45
Session IV: Attacks on Standards
  • BIAS + KNOB attack against Bluetooth

    Daniele Antonioli

    Bluetooth is a ubiquitous technology for low power wireless communications. Bluetooth runs on billions of devices including mobile, wearables, home automation, smart speakers, headsets, industrial and medical appliances, and vehicles. As a result, Bluetooth's attack surface is huge and includes significant threats such as identity thefts, privacy violations, and malicious device control.

    Bluetooth is a complex technology specified in an open standard. The standard defines two wireless stacks: Bluetooth Classic for high throughput services (e.g., audio and voice) and Bluetooth Low Energy (BLE) for very low power services (e.g., localization and monitoring). The standard defines security mechanisms to protect the confidentiality, integrity, and authenticity of Bluetooth communications. Those mechanisms include pairing, to share a long term key between two devices, and secure session establishment, to let two paired devices negotiate session keys to protect their communication. A single vulnerability in a standard-compliant security mechanism translates into billions of exploitable devices.

    This talk reviews several standard-compliant vulnerabilities that we recently uncovered in the key negotiation and authentication mechanisms of Bluetooth Classic and BLE. We also describe how to exploit such vulnerabilities to perform key negotiation attacks on Bluetooth Classic and BLE (KNOB attacks, CVE-2019-9506) and impersonation attacks on Bluetooth Classic (BIAS attacks, CVE-2020-10135). The attacks are presented together with a detailed description of the Bluetooth threat model and the affected security mechanisms. We also explain how we implemented such attacks using low-cost hardware and open-source software and how we evaluated them on actual devices from the major vendors, including Apple, Broadcom, Cypress, CSR, Google, Intel, Microsoft, and Qualcomm. Finally, we describe how the Bluetooth standard was amended after the disclosure of our attacks, our proposed countermeasures, and why most Bluetooth devices are still vulnerable to our attacks.

    For more details about the KNOB and BIAS attacks, have a look at the related research papers:

    1. The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation of Bluetooth BR/EDR, USENIX Security 2019.
    2. Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy, ACM TOPS 2020.
    3. BIAS: Bluetooth Impersonation AttackS, IEEE S&P 2020.

    Daniele Antonioli is a Postdoctoral researcher working in the HexHive group led by Mathias Payer at EPFL in Switzerland. Daniele is interested in wireless systems security (e.g., Bluetooth, Wi-Fi, Nearby Connections), cyber-physical systems security (e.g., ICS, MiniCPS, SCADA) and applied cryptography (e.g., secure protocol analysis and reverse engineering).

    Daniele holds a PhD in Computer Science from SUTD (Singapore), and an MS and BS in Electronics and Telecommunications Engineering from UniBO (Italy). As part of his PhD, Daniele visited Kasper Rasmussen at the University of Oxford (UK) and Nils Ole Tippenhauer at CISPA, the Helmholtz Center for Information Security (DE). Daniele has a personal website with more information about his works at

  • Practical Decryption exFiltration: Breaking PDF Encryption

    Jens Müller

    The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and thereby exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is a single block of known plaintext, and we show that this is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels which are based on standard-compliant PDF properties. We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors in fixing the issues.

    Jens Müller is a PhD candidate at the Chair for Network and Data Security, Ruhr University Bochum, Germany. His research interests are legacy protocols and data formats, for which he loves to investigate what could possibly go wrong in a modern world. He has experience as a speaker at international security conferences (Black Hat, DEF CON, USENIX, OWASP, IEEE S&P) and as a freelancer in network penetration testing and security auditing. In his spare time, he develops free open source software, for example, tools related to network printer exploitation.

  • Q&A