Crypto 2021

Diffie-Hellman key exchange (DHKE) is a widely adopted method for exchanging cryptographic key material in real-world protocols like TLS-DH(E). Past attacks on TLS-DH(E) focused on weak parameter choices or missing parameter validation. The confidentiality of the computed DH share, the premaster secret, was never questioned; DHKE is used as a generic method to avoid the security pitfalls of TLS-RSA.

We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary. Our main result is a novel side-channel attack, named Raccoon attack, which exploits a timing vulnerability in TLS-DH(E), leaking the most significant bits of the shared Diffie-Hellman secret. The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem. The Raccoon attack takes advantage of uncommon DH modulus sizes, which depend on the properties of the used hash functions. We describe a fully feasible remote attack against an otherwise-secure TLS configuration: OpenSSL with a 1032-bit DH modulus. Fortunately, such moduli are not commonly used on the Internet.

Furthermore, with our large-scale scans we have identified implementation-level issues in production-grade TLS implementations that allow for executing the same attack by directly observing the contents of server responses, without resorting to timing measurements.

Protocols for Password-based Authenticated Key Exchange (PAKE) allow two users sharing only a short, low-entropy, password to establish a secure session with a cryptographically strong key. The challenge in designing such protocols is that they must resist offline dictionary attacks in which an attacker exhaustively enumerates the dictionary of likely passwords in an attempt to match the used password.

Recently, with the wide adoption of Dragonfly in WPA3 and the CFRG standardization competition, PAKEs protocols have been brought to light again by both academics and industrials. With this recent shift and adoption of new schemes came some practical considerations which may have been overlooked during the design and implementation of the first protocols. In particular, any leakage on a password related value may completely break the offline dictionary resistance.

In this talk, we study the resilience of one particular PAKE against these attacks. Indeed, we focus on the Secure Remote Password (SRP) protocol that was designed by T. Wu in 1998. Despite its lack of formal security proof, SRP has become a de-facto standard for more than 20 years, thanks to the availability of open-source implementations with no restrictive licenses.

We identified and exploited a timing leakage in the SRP implementation inside the OpenSSL library, allowing an attacker to perform an offline dictionary attack. This leakage stem from the use of an unusual, not constant-time, modular exponentiation, that can be exploited with a Flush+Reload timing attack.

Then, we show that our attack is practical, since it only requires one single trace to retrieve the password in some common dictionaries, at negligible cost. We also prove that the scope of our vulnerability is not only limited to OpenSSL since many other projects (including Stanford's, ProtonMail and Apple Homekit) and langages (such as Python, Erlang, JavaScript and Ruby) rely on OpenSSL, which makes them vulnerable.

This presentation covers three security-related design flaws in Wi-Fi and various widespread implementation flaws. An adversary can abuse these to inject packets or exfiltrate selected frames. The first design flaw is present in Wi-Fi's frame aggregation feature where a flag in the Wi-Fi header is not properly protected. The other two design flaws are present in Wi-Fi's frame fragmentation feature where the receiver improperly verifies and manages fragments. These design flaws affect all protected Wi-Fi networks, including the ancient WEP protocol, meaning these flaws have been part of Wi-Fi since its inception.

Regarding the implementation flaws, we found that some devices accept plaintext frames in a protected Wi-Fi network and others accept plaintext aggregated frames that resemble handshake messages. The resulting attacks will be demonstrated, such as turning an IoT power socket on and off, remotely exploiting an outdated Windows 7 machine, and a tool will be released that can be used to test Wi-Fi products against all the discovered vulnerabilities.

In this talk I will introduce partitioning oracles, a new class of decryption error oracles which, conceptually, take a ciphertext as input and output whether the decryption key belongs to some known subset of keys. We introduce the first partitioning oracles which arise when encryption schemes are not committing with respect to their keys. The talk will detail novel adaptive chosen ciphertext attacks that exploit partitioning oracles to efficiently recover passwords and deanonymize anonymous communications. The attacks utilize efficient key multi-collision algorithms — a cryptanalytic goal that we define — against widely used authenticated encryption with associated data (AEAD) schemes, including AES-GCM, XSalsa20/Poly1305, and ChaCha20/Poly1305. I will describe how we build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. The talk will also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available committing AEAD to avoid such vulnerabilities.

This is joint work with Paul Grubbs and Thomas Ristenpart.

The ongoing trend of moving data and computation to the cloud is met with concerns regarding privacy and protection of intellectual property. Cloud providers strive to address these concerns by offering execution in isolated and trusted environments, removing themselves from the trust base.

Trusted Execution Environments are built on two main pillars: attestation and isolation. The variety in the implementation of these two features is broad and ranges from pure hardware or software enforced access protection, to sophisticated schemes with complex cryptographic protection. However, the downside of stronger isolation and protection usually comes in terms of decreased performance.

In this talk, we explore two attacks on AMD SEV highlighting why integrity protection is paramount to secure TEEs in untrusted environments.

NIST's post-quantum standardization effort very recently entered its final round. This makes studying the implementation-security aspect of the remaining candidates an increasingly important task, as such analyses can aid in the final selection process and enable appropriately secure wider deployment after standardization. However, lattice-based key-encapsulation mechanisms (KEMs), which are prominently represented among the finalists, have thus far received little attention when it comes to fault attacks.

Interestingly, many of these KEMs exhibit structural similarities. They can be seen as variants of the encryption scheme of Lyubashevsky, Peikert, and Rosen, and employ the Fujisaki-Okamoto transform (FO) to achieve CCA2 security. The latter involves re-encrypting a decrypted plaintext and testing the ciphertexts for equivalence. This corresponds to the classic countermeasure of computing the inverse operation and hence prevents many fault attacks.

In this talk, we show that despite this inherent protection, practical fault attacks are still possible. We present an attack that requires a single instruction-skipping fault in the decoding process, which is run as part of the decapsulation. After observing if this fault actually changed the outcome (effective fault) or if the correct result is still returned (ineffective fault), we can set up a linear inequality involving the key coefficients. After gathering enough of these inequalities by faulting many decapsulations, we can solve for the key using a bespoke statistical solving approach. As our attack only requires distinguishing effective from ineffective faults, various detection-based countermeasures, including many forms of double execution, can be bypassed.

We apply this attack to Kyber and NewHope, both of which belong to the aforementioned class of schemes. Using fault simulations, we show that, e.g., 6,500 faulty decapsulations are required for full key recovery on Kyber512. To demonstrate practicality, we use clock glitches to attack Kyber running on a Cortex M4. As we argue that other schemes of this class, such as Saber, might also be susceptible, the presented attack clearly shows that one cannot rely on the FO transform's fault deterrence and that proper countermeasures are still needed.

Elliptic-curve cryptography is now a common choice by practicioners, implementing cryptographic primitives that require a group of large prime order. However, for some elliptic curves, the prime order group is a subgroup of a larger composite-order group. Two such examples are Curve25519 and the pairing friendly curve BLS12-381. Protocols that are implemented with these curves are susceptible to subgroup attacks where a point from the composite-order group is used instead of the prime-order group. Such attacks were previously demonstrated in the wild for Curve25519, e.g. CryptoNote double spend vulnerability.

In this talk we focus on subgroups attacks in distributed key generation (DKG) protocols implementations. Such protocols involve interaction between distrusting parties, usually with a requirement to communicate group elements. Due to the overhead in complexity, we notice that implementors occasionally forget to sanitise the received group elements. We look at DKGs that are part of threshold EdDSA and threshold BLS protocols and used in applications such as consensus, distributed randomness beacon and threshold validator. We show how injecting small order subgroup elements can bypass security for cryptographic primitives used in DKGs such as VSS, sigma protocols and digital signatures. We discuss the potential damage of our attacks on the mentioned applications.

The Google Titan Security Key is a FIDO U2F hardware device proposed by Google (available since July 2018) as a two-factor authentication token to sign in to applications such as your Google account. In this paper, we present a side-channel attack that targets the Google Titan Security Key ’s secure element (the NXP A700x chip) by the observation of its local electromagnetic radiations during ECDSA signatures. This work shows that an attacker can clone a legitimate Google Titan Security Key. As a side observation, we identified a novel correlation between the elliptic curve group order and the lattice-based attack success rate.