Attacks & Analysis of Openssl AES Crypto Material From

Attacks & Analysis of Openssl AES Crypto Material From

MASARYK UNIVERSITY FACULTY OF INFORMATICS Attacks & Analysis of OpenSSL AES crypto material from memory dumps MASTER'S THESIS Surya Prakash Mishra Delhi, Spring 2017 Replace this page with a copy of the official signed thesis assignment and a copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Surya Prakash Mishra Advisor: Chester Reibero,Petr. Svenda i Acknowledgement I would like to express my sincere thanks and gratitude to my thesis supervisor Prof. Chester Reibero for his valuable guidance, support and feedback. I owe my sincere thanks to RNDr. Petr Svenda, Ph. D for his motivation and insight because of which only I could explore the details. My thanks and gratitude to prof. RNDr. Vaclav Matyas, MSc, Ph.D who has remained source of inspiration for carrying out this work. ii Abstract In recent years, side-channel attacks[l] have seen significant progress. Among the different types of side-channel attacks, cold boot attack[2] has been considered as a very powerful attack and has created con• siderable interest among researchers. The attack was discovered by a group of researchers from Princeton University[2] in 2008 and ex• ploits memory remanence property of random access memory. This attack can be used to beat hard disk encryption system, protecting sensitive information of IT products. Success of the attack depends upon detection and correction of sensitive information in the distorted data obtained during execution of the attack. In this thesis, an at• tempt has been made to improvise key recovery methods so that the attack can be made feasible, even when more errors have been intro• duced during the execution of attack. Experiments have also been carried out to study and improve the efficacy of these techniques for mounting the attack on realistic hard disk encryption systems like Truecrypt/VeraCrypt[3]. iii Keywords clock glitching, cold boot attack, DIMM, EM attack, fault attack, light weight OS, memory remanance, power attack, side channel attack, SIMM, timing attack, voltage glitching. iv Contents 1 Introduction 1 2 Side Channel Attacks 3 3 Different types of memories and data remanence 4 4 Usage of different types of RAMs 8 5 OpenSSL[15] and AES[16] 9 5.1 OpenSSL[15] 9 5.2 AES[16] 9 5.2.1 Substitute Byte 13 5.2.2 Shift Row Transformation 15 5.2.3 Mix Column Transformation 16 5.2.4 Add Round Key Transformation 16 5.2.5 Round Key Generation 16 6 Truecrypt/Veracrypt[3] and its detailed description 19 6.1 Using Veracryptl3] for creation ofvolume or container ... 19 6.2 Technical details of creation of encrypted volume 21 6.3 XTS Mode of Operation 22 6.4 Veracrypt[3] Volume Format 22 6.5 Header Key Derivation 25 6.5.1 Random Number Generator 26 7 Steps required to mount cold boot attack 28 8 Experiments carried out and results obtained 29 8.1 Imaging Tool 29 8.1.1 Experiments of memory remanence 30 8.1.2 Study of Statistical patterns 31 8.1.3 AES Key Detection^] 34 8.1.4 AES key detection results 35 8.1.5 Reconstruction of Correct Keys 37 8.1.6 Experiments with Veracrypt/Truecrypt[3] ... 44 v 9 Conclusion Bibliography List of Tables 5.1 AES Round Transformation 10 5.2 AES S-Box[16] 14 5.3 AES Inverse S-Box[16] 15 6.1 Veracrypt[3] Volume Format 24 8.1 Statistics of distortion pattern after 2 seconds 33 8.2 Statistics of distortion pattern after 5 seconds 33 8.3 Statistics of distortion with respect to time 33 8.4 Byte wise hamming distances of distorted key from original round keys : 38 8.5 Round Key byte determination during Key Correction for 128-bit key 41 8.6 Success Rate for 128-bit AES 44 8.7 Round Key byte determination during Key Correction for 256-bit key 46 8.8 Success Rate for 256-bit AES 47 vii List of Figures 3.1 SRAM and DRAM Cell[14] 7 5.1 AES Block Diagram[16] 11 5.2 AES Round Transformation[16] 12 5.3 AES Column Transformation and Round Key Generation[16]. 17 1 Introduction Remanence effect of different types of memory has been known since long. In the case of non-volatile memory like a magnetic disk, it used to be considered as a security threat and adequate countermeasures like the use of secure erasure was already in practice. In the case of volatile memory, like SRAM and DRAM memory remanence was not taken seriously. In 2008, researchers from Prince• ton University[2], demonstrated memory remanence of RAM, as a potential security threat and named it as cold boot attack. Their re• search has established, that volatility of computer memory, should not be taken as granted because it can also be exploited to get sensi• tive information of the system. They observed that content of RAM remains intact up to few minutes at normal temperature (after power has been removed) and its duration can be increased by cooling it. In the attack, an attacker with physical access to memory tries to retrieve secret parameters like key, password and other sensitive information related to the system. To mount the attack system needs to be cold booted. In cold boot• ing, the system is reset or powered off in a way, that operating system does not get the opportunity to shutdown cleanly. The system is re• booted immediately using a lightweight operating system, which will also be used to dump the content of RAM in the disk. Other way of mounting the attack is removing memory module and putting it into a compatible system or cooling of memory modules and using it at some other point of time to retrieve sensitive information. Among these possible three approaches, the first approach seems to be more practical and less cumbersome. Although attack itself is simpler to carry out, the acquisition of memory is a volatile process and results in corrupted memory acquisition. In this approach issues related to cor• rection of distorted data and its impact on the feasibility of mounting attack is an interesting problem. In this thesis, an attempt has been made to study the distortion pattern of data with respect to time. Analysis of distortion pattern and its use for correction of keys from dumped content of RAM is also attempted. To carry out this study OpenSSL implementation of AES, as well as other implementations available over the internet has been 1 i. INTRODUCTION taken. Extensive experimentation has been carried out to see the ap• plicability of improved key correction technique for recovering the two 256-bit key used in hard disk encryption system Truecrypt/Veracrypt. 2 2 Side Channel Attacks Side channel attacks are attacks in which focus of analyst is not on the theoretical aspects of the crypto algorithm, instead it tries to exploit information gained from physical implementation of it. Some of the side channel attacks which have been effectively utilized for analysis of different cryptosystems are timing attack[4], power attack[5], elec• tromagnetic attack[6], acoustic attack[7], fault attack[8] and memory remanence attack[2]. Timing attack exploits timing variations during the execution of a cryptographic algorithm. These variations may be due to branching operations, cache memory or other micro-architectural features of the processor. Such attacks have been proved effective for the public as well as private key cryptosystems. In the case of power attack, correlation between power consumed by the device and data being manipulated is used for extraction of se• cret parameters (like the key). Simple power attack, differential power attack[5],correlation power attack[9] and template attack[10] are the different variations of this type of attacks. These attacks are more effective for embedded systems. Attack philosophy for electromagnetic attack is same as that of power attack except that the side channel exploited is electromagnetic emanations of the device. Being non-invasive in nature, this type of at• tack is easier to mount but quite often it requires extra post processing of signals before mounting the attack. In fault attack, an attempt is made to introduce the fault during execution of the algorithm and by using correct ciphertext and faulty ciphertext an attempt is made to find the key. Initially this attack was published for RSA[8] but later on, it was extended for block ciphers like DES[11] and AES[12] also. To introduce the fault during execution of algorithm clock glitching[13], voltage glitching and focused ion beam can be used. In memory remanence attack memory remanence effect of volatile and nonvolatile memory is used. Cold boot attack is memory rema• nence attack and it can be used for extraction of the key for public as well as private key cryptosystems. 3 3 Different types of memories and data rema• nence Data Remanence is a property of a storage media by which it retains the residue of data even after it has been erased in some way. This property of magnetic storage was known as early as the 1960s. In theory, there is always some possibility of recovering data using the techniques like magnetic force microscopy, if data has been sparsely written. Data encryption, overwriting, degaussing and destruction of original media were commonly used methods to safeguard against accidental disclosure of data from such devices.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    61 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us