Hardware Security Modules: Attacks and Secure Configuration Graham Steel Graham Steel April 2014 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 2/ 56 Secure Hardware History Military: WW2 Enigma machines - captured machines used to help break codes NSA devices with explosive tamper resistance - http://www.nsa.gov/about/cryptologic_heritage/museum/ Commercial: IBM: Cryptoprocessors for mainframes - tamper-resistant switches on case ATMs (cash machines) - Encrypted PIN Pads (EPPs) and Hardware Security Modules (HSMs) Graham Steel - HSM Attacks and Secure Configuration April 2014 - 3/ 56 Secure Hardware History - 2 Cryptographic Smartcards - chip contains cryptoprocessor and keys in memory - used in SIM cards, credit cards, ID cards, transport::: Authentication tokens - generate One-Time Passwords, sometimes USB connection Trusted Platform Module (TPM) - now standard (but unused) in most PC laptops The future.. - Secure Elements in mobile phones, cars,::: Graham Steel - HSM Attacks and Secure Configuration April 2014 - 4/ 56 Example - Cash Machine Network I Introduced in the UK in the late 1960s I First modern machines (with DES) in the 70s and 80s I More than 2 million ATMs worldwide I Network is now global and ubiquitous (at least in cities) Graham Steel - HSM Attacks and Secure Configuration April 2014 - 5/ 56 Simplified Network Schematic ATM Maestro UK SocGen HSBC Graham Steel - HSM Attacks and Secure Configuration April 2014 - 6/ 56 HSMs I Manufacturers include IBM, nCipher, Thales, Utimaco, HP I Cost around $20 000 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 7/ 56 A Word About Your PIN IBM 3624 method: 1. Write account number (PAN) as 0000AAAAAAAAAAAA 2. 3DES encrypt under a PDK (PIN Derivation Key), decimalise first digits 3. PIN = IPIN + Offset (modulo 10 each digit) NB: Offset NOT secure! Graham Steel - HSM Attacks and Secure Configuration April 2014 - 8/ 56 API attack example: VSM (Bond, 2001) Graham Steel - HSM Attacks and Secure Configuration April 2014 - 9/ 56 Example: Print Customer PIN {PDK1} KM PAN KM {PAN} PDK1 Secure Printer Host ! HSM : PAN, f PDK1 g Km HSM ! Printer : f PAN g PDK1 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 10/ 56 Example: Send PDK to Terminal {PDK1} KM {TMK1} KM KM {PDK1} TMK1 Host ! HSM : f PDK1 g Km; f TMK1 g Km HSM ! Host : f PDK1 g TMK1 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 11/ 56 Terminal Comms Key {MSG} TC KM TMK1 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 12/ 56 Managing Key Types Graham Steel - HSM Attacks and Secure Configuration April 2014 - 13/ 56 Example: Enter TC key Host ! HSM : TC HSM ! Host : f TC g Km2 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 14/ 56 Example: Send TC to Terminal Host ! HSM : f TC g Km2, f TMK1 g Km HSM ! Host : f TC g TMK1 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 15/ 56 Attack - Step 1 Spy ! HSM : PAN HSM ! Spy : f PAN g Km2 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 16/ 56 Attack - Step 2 Spy ! HSM : f PAN g Km2, f PDK1 g Km HSM ! Host : f PAN g PDK1 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 17/ 56 IBM 4758 CCA API Graham Steel - HSM Attacks and Secure Configuration April 2014 - 18/ 56 CCA Types - 1 The Common Cryptographic Architecture (CCA) API uses the same ‘master key’ architecture as the VSM However, the (patented) type system is much richer Before encrypting a working key, the master key is XORed against a ‘control vector’ indicating the type of the key The control vectors are public values (they can be found in the programmers’ manual), but the master key is secret Control vectors can be composite, i.e. they may consist of a number of values XORed together Graham Steel - HSM Attacks and Secure Configuration April 2014 - 19/ 56 CCA Types - 2 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 20/ 56 CCA API - Examples Encrypt Data: Host ! HSM : f d1 g km⊕data, message HSM ! Host : f message g d1 Verify PIN: Host ! HSM : f PINBlock g p1, PAN, f pdk1 g km⊕pin, OFFSET, f p1 g km⊕ipinenc HSM ! Host : yes/no Graham Steel - HSM Attacks and Secure Configuration April 2014 - 21/ 56 Bootstrapping A common problem in the use of secure hardware How to get the initial secrets onto the device (or encrypted by the device’s master key) in a secure way? A common solution is ‘separation of duty’: several members of staff are given individual parts of a secret. Each individual part is worthless, so only collusion between several staff members can expose the secret. Graham Steel - HSM Attacks and Secure Configuration April 2014 - 22/ 56 Importing Key Parts Separation of duty between e.g. 2 security officers Key k = k1 ⊕ k2 Host ! HSM : k1, TYPE HSM ! Host : f k1 g km⊕kp⊕TYPE Host ! HSM : f k1 g km⊕kp⊕TYPE, k2, TYPE HSM ! Host : f k1 ⊕ k2 g km⊕TYPE This is a tedious and expensive process, so usually used to import a ‘key encrypting key’ (f KEK g km⊕imp) Graham Steel - HSM Attacks and Secure Configuration April 2014 - 23/ 56 Importing Encrypted Keys Exported from another 4758 encrypted under KEK ⊕ TYPE Key Import: Host ! HSM : f KEY1 g KEK⊕TYPE, TYPE, f KEK g km⊕imp HSM ! Host : f KEY1 g km⊕TYPE Graham Steel - HSM Attacks and Secure Configuration April 2014 - 24/ 56 Attack (Bond, 2001) (part 1) PIN derivation key: f pdk g kek⊕pin Have key part f kek ⊕ k2 g km⊕imp⊕kp for known k2 Host ! HSM : f kek ⊕ k2 g km⊕kp⊕imp, k2 ⊕ pin ⊕ data, imp HSM ! Host : fkek ⊕ pin ⊕ datag km⊕imp Graham Steel - HSM Attacks and Secure Configuration April 2014 - 25/ 56 Attack (Bond, 2001) (part 2) Key Import Host ! HSM : f pdk g kek⊕pin, data, f kek ⊕ pin ⊕ data g km⊕imp HSM ! Host : f pdk g km⊕data Encrypt data Host ! HSM : f pdk g km⊕data, pan HSM ! Host : f pan g pdk (= PIN!) Graham Steel - HSM Attacks and Secure Configuration April 2014 - 26/ 56 IBM Recommendations Published in response to Bond’s attacks 1. Use asymmetric key crypto for key import – 2 officer protocol to generate key pair at destination, transfer public key to source – PKA Symmetric Key Import command 2. More access control – security officers access fewer commands 3. Procedural controls to check entered key parts 2 and 3 verified in a few seconds, but 1 has a simple attack.. Graham Steel - HSM Attacks and Secure Configuration April 2014 - 27/ 56 Attack on 1 (Cortier, Keighren & S. ’07) fkek.IMPgPK ! fkekgKM⊕IMP PKA Symmetric Key Import fk.EXPgPK ! fkgKM⊕EXP PKA Symmetric Key Import fpdkgkek⊕PIN , PIN , fkekgKM⊕IMP ! fpdkgKM⊕PIN Key Import fpdkgKM⊕PIN , PIN , fkgKM⊕EXP ! fpdkgk⊕PIN Key Export Graham Steel - HSM Attacks and Secure Configuration April 2014 - 28/ 56 Summary of First half I Secure hardware is more and more prevalent I The API of the hardware is a security critical part of design I Have seen attacks on VSM, CCA I In the next half we’ll look at specific attacks on PIN processing Graham Steel - HSM Attacks and Secure Configuration April 2014 - 29/ 56 Further reading R. Anderson, Security Engineering, Wiley (2nd Ed.) M. Bond and R. Anderson, API Level Attacks on Embedded Systems, IEEE Computer Magazine, 2001 D. Longley and S. Rigby, An Automatic Search for Security Flaws in Key Management Schemes, Computers and Security, 1992, V. Cortier, G. Keighren and G. Steel, Automatic Analysis of the Security of XOR-based Key Management Schemes, TACAS ’07 The Analysis of Security APIs Workshop, http://www.lsv.ens-cachan.fr/~steel/asa/ Graham Steel - HSM Attacks and Secure Configuration April 2014 - 30/ 56 Photo: redspotted/Flickr Graham Steel - HSM Attacks and Secure Configuration April 2014 - 31/ 56 Introduction to PIN Processing Processing of PINs in the international cash machine network is one of the oldest and most widespread uses of cryptographic hardware International standards (ISO 9564, ANSI X9.8) and de-facto standards (e.g. Visa’s requirements documents) regulate the network According to ANSI X9.8 secure hardware must be configured so that “The system shall not be capable of being used or misused to determine a PIN by exhaustive trial and error”. Graham Steel - HSM Attacks and Secure Configuration April 2014 - 32/ 56 Graham Steel - HSM Attacks and Secure Configuration April 2014 - 33/ 56 Verizon Breach Report 2008 Released April 2009 “While statistically not a large percentage of our overall caseload in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.” “We’re seeing entirely new attacks that a year ago were thought to be only academically possible,” “What we see now is people going right to the source [..] and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.” (Quotes from Wired Magazine interview with report author, Bryan Sartin) Graham Steel - HSM Attacks and Secure Configuration April 2014 - 34/ 56 Known Major Breaches 2008 Feb Citibank $3.6M 2008 Nov RBS worldpay $9.4M 2011 May FIS $13M 2012 December RAKBANK $11M 2013 February Bank of Muscat $45M Symatec report: ”tens of millions” lost to ATM heists in 2012 just in Europe: http://www.bloomberg.com/news/2013-05-07/ banks-say-fed-should-lead-in-cybersecurity -for-industry.html Graham Steel - HSM Attacks and Secure Configuration April 2014 - 35/ 56 Simplified Network Schematic ATM Maestro UK SocGen HSBC Graham Steel - HSM Attacks and Secure Configuration April 2014 - 36/ 56 PIN Processing API We can see that the PIN processing API of the HSM will have to (at least): I Translate PINs I Verify PINs I Generate PINs We’ll look at these APIs (and attacks on them).