Analisi automatica di sistemi crittografici - ISACA · Analisi . automatica . di sistemi...
Transcript of Analisi automatica di sistemi crittografici - ISACA · Analisi . automatica . di sistemi...
27.9.2013 - Venezia - ISACA VENICE Chapter 1
CRITTOGRAFIA - R. FOCARDI
Analisi automatica
di sistemi crittografici
Riccardo Focardi
Venezia, 27 settembre 2013
Soluzioni e sicurezza per applicazioni mobile e payments
27.9.2013 - Venezia - ISACA VENICE Chapter 2
CRITTOGRAFIA - R. FOCARDI
Analisi automatica
di sistemi crittografici
27.9.2013 - Venezia - ISACA VENICE Chapter 3
CRITTOGRAFIA - R. FOCARDI
Soluzioni e sicurezza per applicazioni mobile e payments
Consorzio Triveneto, azienda leader nei sistemi di pagamento a livello italiano da sempre all’avanguardia nello studio e nella speri-mentazione di nuove tecnologie nell’ambito dei pagamenti, è una realtà del Gruppo Bassilichi che opera prevalentemente nei campi della Monetica – con la gestione dei servizi POS e di Commercio Elettronico – e del Corporate Banking a supporto delle imprese.
SPONSOR DELL’EVENTO
Sponsor e sostenitori di ISACA VENICE Chapter
Con il patrocinio di
Analisi automatica di sistemi crittografici
Riccardo Focardi
www.dsi.unive.it/~focardi
www.cryptosense.com
27 settembre 2013
The untrusted world ...
Analysis of Cryptographic Systems 2/ 20
The untrusted world ...
Analysis of Cryptographic Systems 2/ 20
The untrusted world ...
Analysis of Cryptographic Systems 2/ 20
The untrusted world ...
Analysis of Cryptographic Systems 2/ 20
The untrusted world ...
Analysis of Cryptographic Systems 2/ 20
The untrusted world ...
Analysis of Cryptographic Systems 2/ 20
Cryptographic devices
Analysis of Cryptographic Systems 3/ 20
Cryptographic devices
Analysis of Cryptographic Systems 3/ 20
Cryptographic devices
Analysis of Cryptographic Systems 3/ 20
Cryptographic security today
February 20 2013: group of hackers steal35Me in cash from ATM network in<10 hours.
Total payment card fraud in Europe (2012):1.5B e
Supposed to be protected bycryptographic infrastructure
But cryptographic systems are hard toconfigure securely
One mistake enough to create avulnerability.
Analysis of Cryptographic Systems 4/ 20
Security APIs
Analysis of Cryptographic Systems 5/ 20
Example 1: Hardware Security Module (HSM)
Used in the ATM Bank network
Tamper resistant
Security API for
Managing cryptographic keysDecrypting/re-encrypting the PINChecking the validity of the PIN
... but still, attacks are possible
Analysis of Cryptographic Systems 6/ 20
Example 1: Hardware Security Module (HSM)
Used in the ATM Bank network
Tamper resistant
Security API for
Managing cryptographic keysDecrypting/re-encrypting the PINChecking the validity of the PIN
... but still, attacks are possible
Analysis of Cryptographic Systems 6/ 20
Example 2: PKCS#11 API for tokens/smarcards
Analysis of Cryptographic Systems 7/ 20
PKCS#11, an overview
the PIN is a ‘second-layer’ protection to unlock the token⇒ it should never give access to sensitive key values
Analysis of Cryptographic Systems 8/ 20
PKCS#11, an overview
the PIN is a ‘second-layer’ protection to unlock the token⇒ it should never give access to sensitive key values
Analysis of Cryptographic Systems 8/ 20
PKCS#11, an overview
the PIN is a ‘second-layer’ protection to unlock the token⇒ it should never give access to sensitive key values
Analysis of Cryptographic Systems 8/ 20
PKCS#11 keys and cryptographic operations
Keys have attributes and are referenced via handles
APIs for cryptographic operations
Analysis of Cryptographic Systems 9/ 20
PKCS#11 keys and cryptographic operations
Keys have attributes and are referenced via handles
APIs for cryptographic operations
Analysis of Cryptographic Systems 9/ 20
PKCS#11 keys and cryptographic operations
Keys have attributes and are referenced via handles
APIs for cryptographic operations
Analysis of Cryptographic Systems 9/ 20
Security of keys
Confidentiality of sensitive keys
sensitive keys never accessible as plaintext outside the device... even if we know the PIN
Attack scenario
1 token used on compromised host
2 attacker sniffs PIN and extracts sensitive keys
3 attacker clones the token
“... the PIN may be passed through the operating system. Thiscan make it easy for a rogue application on the operating systemto obtain the PIN ... ” [RSA Security]
Analysis of Cryptographic Systems 10/ 20
PKCS#11 key management
Analysis of Cryptographic Systems 11/ 20
PKCS#11 key management
Analysis of Cryptographic Systems 11/ 20
PKCS#11 key management
Analysis of Cryptographic Systems 11/ 20
PKCS#11 key management
Analysis of Cryptographic Systems 11/ 20
PKCS#11 key management
Analysis of Cryptographic Systems 11/ 20
A simple API-level attack [Clulow CHES’03]
Analysis of Cryptographic Systems 12/ 20
A simple API-level attack [Clulow CHES’03]
Analysis of Cryptographic Systems 12/ 20
A simple API-level attack [Clulow CHES’03]
Analysis of Cryptographic Systems 12/ 20
A simple API-level attack [Clulow CHES’03]
Analysis of Cryptographic Systems 12/ 20
Key separation: forbid wrap and decrypt on the same key
Analysis of Cryptographic Systems 13/ 20
Key separation: forbid wrap and decrypt on the same key
Analysis of Cryptographic Systems 13/ 20
Key separation: forbid wrap and decrypt on the same key
Analysis of Cryptographic Systems 13/ 20
Key separation: forbid wrap and decrypt on the same key
Analysis of Cryptographic Systems 13/ 20
Key separation: forbid wrap and decrypt on the same key
Analysis of Cryptographic Systems 13/ 20
Well ... make attributes ‘sticky on’
Analysis of Cryptographic Systems 14/ 20
Well ... make attributes ‘sticky on’
Analysis of Cryptographic Systems 14/ 20
Well ... make attributes ‘sticky on’
Analysis of Cryptographic Systems 14/ 20
But still ...
Analysis of Cryptographic Systems 15/ 20
But still ...
Analysis of Cryptographic Systems 15/ 20
But still ...
Analysis of Cryptographic Systems 15/ 20
But still ...
Analysis of Cryptographic Systems 15/ 20
But still ...
Analysis of Cryptographic Systems 15/ 20
Crytpsense Analyzer
Analysis of Cryptographic Systems 16/ 20
Device Supported Functionality Attacks foundBrand Model s as cobj chan w ws wd rs ru su Tk
Aladdin eToken PRO X X X X X X X wdAthena ASEKey X X XBull Trustway RCI X X X X X X X wdEutron Crypto Id. ITSEC X XFeitian StorePass2000 X X X X X X X X X rsFeitian ePass2000 X X X X X X X X X rsFeitian ePass3003Auto X X X X X X X X X rsGemalto SEG X XMXI Stealth MXP Bio X X XRSA SecurID 800 X X X X X X X rsSafeNet iKey 2032 X X X XSata DKey X X X X X X X X X X rsACS ACOS5 X X X XAthena ASE Smartcard X X XGemalto Cyberflex V2 X X X X X X wdGemalto SafeSite V1 X XGemalto SafeSite V2 X X X X X X X X X X rsSiemens CardOS V4.3 B X X X X X ru
Analysis of Cryptographic Systems 17/ 20
The future of Cryptosense
Analyzer has been deployed in testing PKCS#11-compatible HSMs,which have a more sophisticated attribute policy, and support manyconfiguration options
In use at an aircraft manufacturer, two major European banks andtwo national security agencies
The spin-off company was created in September 2013 with 250ke offunding (French Ministry of Research Prize)
Aim of development programme: generalise architecture to produceversions of the analyzer for custom APIs
Analysis of Cryptographic Systems 18/ 20
Cryptosense Generator
Device under test
Reverse engineering
Device model
Model checker
Compiled header
Annotated interface header
Cryptosense Generator
…
Analysis of Cryptographic Systems 19/ 20
Summary
RSA PKCS#11: Many attacks, many approaches to securing
Cryptosense Analyzer: an automated audit tool
Cryptosense Generator: make a version of the Analyzer from APIspecifications
www.cryptosense.com
Analysis of Cryptographic Systems 20/ 20
27.9.2013 - Venezia - ISACA VENICE Chapter 4
CRITTOGRAFIA - R. FOCARDI
Grazie per l’attenzione!
•www.dsi.unive.it/~focardi •www.cryptosense.com