UsingLow-CostCryptographic HardwaretoRobaBank RichardClayton - - PowerPoint PPT Presentation

using low cost cryptographic hardware to rob a bank
SMART_READER_LITE
LIVE PREVIEW

UsingLow-CostCryptographic HardwaretoRobaBank RichardClayton - - PowerPoint PPT Presentation

Apr 25, 2023 301 likes •650 views

UsingLow-CostCryptographic HardwaretoRobaBank RichardClayton &MichaelBond

slide-1
SLIDE 1

UsingLow-CostCryptographic Hardwareto“RobaBank”

RichardClayton &MichaelBond

slide-2
SLIDE 2

Summary

  • KeysandCiphers
  • TheIBM4758Cryptoprocessor
  • HowPINvalueswork
  • Thelow-costhardware“DEScracker”
  • Howtoextract3DESkeysfromaIBM4758
  • MikeBond’s“APIattacks”
slide-3
SLIDE 3

KeysandCiphers

  • Kerckhoff’sdoctrine(1883)

– thesecurityofasystemshoulddependuponits keyandnotuponitsdesignremainingobscure

  • Ifthereisnoshortcutthenthesecurityofa

systemdependsuponitskeylength

– tryingallpossibilities@33millionkeys/sec

  • 240 =9hours
  • 256 =69years
  • 280 =1.1billionyears
slide-4
SLIDE 4

AHistoryofTamperResistance

Problem:anotherprogramonthesame machinecanaccessyoursensitivedata

  • Putkeysintoseparatemicroprocessor
  • Putmicroprocessorintoatinbox
  • Photocellsandtiltdetection
  • Epoxy“potting”
  • Tamperdetectingbarriers
slide-5
SLIDE 5

TheIBM4758

  • Protectivebarrierwithwiresofchemically

similarcompound

  • Detectorsfortemperature&X-Rays
  • “Tempest”shieldingforRFemission
  • Lowpassfiltersonpowersupplyrails
  • Multi-stage“ratchet”bootsequence

=STATEOFTHEARTPROTECTION!

slide-6
SLIDE 6
slide-7
SLIDE 7

CCAandPINvalues

  • CommonCryptographicArchitecture

– runsonmanyIBMplatforms – availableforfreetorunona4758

  • APINvalue(intheCCAworld)isthe

accountnumberencryptedwith(112bit) 3DESkeyandlastfewbytesmadedecimal

  • ChangingaPIN=>changinganoffset
slide-8
SLIDE 8

KeyEntryunderCCA

  • Eachkeyisloadedintwoparts,whichare

thenXORed together

– XORmeansthatknowingoneparttellsyou NOTHINGaboutthefinalkeyvalue

  • Twosecurityofficers,“trusted”notto

collude,aregivenonepartofthekeyeach.

– Theyauthenticatethemselvesandthen separatelyloadtheseintothe4758.

  • Thismakesthekeyentirelysecure...
slide-9
SLIDE 9
  • Athiefwalksintoacarparkandtriesto

stealacar...

  • Howmanykeysmusthetry?

TheMeetintheMiddleAttack

slide-10
SLIDE 10

TheMeetintheMiddleAttack

slide-11
SLIDE 11

TheMeet-in-the-MiddleAttack

Idea:Attackmultiplekeysinparallel

  • Encryptthesameplaintextundereachof

themultiplekeystogeta“testvector”

  • Attackbytryingallkeysinsequencebut

checkforamatchagainstanytestvector value(checkisfasterthanencrypt)

  • Typicalcase:A256 searchforonekey

becomesa242 searchfor214 keys

slide-12
SLIDE 12

AttackingtheCCA:Part1

  • CreateunknownDESkeypart
  • XORin“...001”,“...002”,“...003”etc
  • Encryptzerovalueundereachkey
  • Repeattoget16384(214)results
  • Somecomplexitybecauseofparityissues,

butessentiallysimple&takes10minutes.

  • Use“brute-force”attacktogettheDESkey
slide-13
SLIDE 13

X 001 002 003 004 005 006 007 008 zero V1 V2 V3 V4 V5 V6 V7 V8 Xxor001 X xor 002 X xor 003 X xor 004 X xor 005 X xor 006 X xor 007 X xor 008 zero

$995 DES Cracker

Value1 1 2 Value2 3 Value3 4,5,6,7,8,9,10... Etcetc

slide-14
SLIDE 14

Low-costDESCracker

  • $995Excaliburkit(Altera20K200FPGA)

– chipcostis~$5(involume;$178one-off)

  • 33MHzpipeline(&60MHzpossible)
  • 225 keys/second

– 56bitDES=69years

  • However...lookfor16384keysinparallel

– withaverageluckfindfirstkeyin25.4hours

slide-15
SLIDE 15
slide-16
SLIDE 16

AttackingtheCCA:Part2

  • Recallwehad16KrelatedDESkeys
  • Wecancrackoneofthesein~1day
  • Nowcreate16Krelated3DESkeyswith

“replicate”halvesand“exporter”capability

– 3DES=EncryptA;DecryptB;EncryptA

  • ExporttheDESkeyunderthe3DESkeys
  • Sincereplicatecanalsocrackin~1day
slide-17
SLIDE 17

AttackingtheCCA:Part3

  • Createnon-replicate3DESkeybycombining

twounequalhalveswiththereplicatehalves thatwe’venowdetermined

  • ExportalltheCCAkeysunderthiskey
  • DownloadlistofPINoffsets
  • Usemagneticstripewritertocreatecards
  • UseanyATMtoextractmoneyfromaccounts
  • GotoBermuda!
slide-18
SLIDE 18

MichaelBond’s“APIattacks”

  • Newtypeofattack:usestandardAPIin

non-standardwaytocausedumbthings

– Overloadedkeytypes – Unauthorisedtypecasting – 3DESbindingattack – Relatedkeys

Mike’sPhDtopictargetsformalmethodsthat willdetect(andavoid)theseproblems

slide-19
SLIDE 19

WhoamI?

  • 2nd YearPhDstudentattheComputer

Laboratory,UniversityofCambridge,Age:22

  • Studied“ComputerScience”asan

undergraduateatCambridge,beforethatKSB

  • StudiedMaths,Physics,Chemistry,DT,IT

etc…atA-Level

  • CurrentlyliveinCambridge,amileorsofrom

towncentre&computerlab

slide-20
SLIDE 20

WhatisaPhD?

  • Intheory:“anoriginalandsignificantcontribution

tothegeneralbodyofknowledgeinthechosen subject”– athesisof40,000-100,000words

  • Inpractice:threeyearsofsupervisedresearchinto

aparticulartopicasamemberofaresearchgroup studyingsimilartopics.

  • Year1– Explore
  • Year2– Understand
  • Year3– WriteUp
slide-21
SLIDE 21

MyPhD

  • “UnderstandingSecurityAPIs”
  • SecurityAPI=Softwareinterfacetoa

processorperformingsecurityfunctions, usuallytamper-resistanthardware

  • Year1:Analysed6differentcryptoprocessors,

publishedacademicpapersexplainingattacks

  • Year2:Producingdesignrules,andbuilding

analysistools

slide-22
SLIDE 22

ThePRISMSecurityModule

slide-23
SLIDE 23

TheVisaSecurityModule

slide-24
SLIDE 24

VSMTypeDiagram

slide-25
SLIDE 25

ExampleSecurityAPICommands

U->C:{A}KM ,{B}KM C->U:{A+B}KM U->C:GUESS,{ANS}KM C->U:YES(ifGUESS=ANSelseNO) U->C:{X}K1 ,{K1}KM ,{K2}KM C->U:{X}K2

slide-26
SLIDE 26

ComputerSecurity

  • Cryptography,Anonymity,Protocols,Tamper-

Resistance,OperatingSystems,Copy-Protection

  • Nowadays:Economics,Law,Politics
  • Dealswithfundamentalconflictsofinterest:

– Goodguysvs.badguys – Competingcorporations – Internationalwarfare – Personalprivacyconcerns

slide-27
SLIDE 27
  • 30academicstaff=teaching/research

40researchassistants=researchonlabmoney 80researchstudents=researchongrantmoney (+300undergraduatestudents)

  • Groups:Security,Graphics&Hardware,

SystemsResearch,Theory,Natural Languages…

slide-28
SLIDE 28
slide-29
SLIDE 29

InMyOffice

slide-30
SLIDE 30

WhatisComputerScience?

  • Practicalandtheoreticalstudyofthedetails

andprinciplesofsoftware,hardwareand communicationstechnology

  • Cambridgecourseaimstobetechnology

independent,split50/50betweenpractice andtheory

  • Includesa60man/hgroupproject,and500

man/hindividualproject

slide-31
SLIDE 31

ComputerScienceCareerPaths

Academia Industry Government

Freelance Consultant Freelance Consultant GCHQ CESG MI5 MI6 DERA Civil Service Defence Contractor Industrial R&DLab Security ProductGroup ThinkTank Consultancy Firm Theorist Industry Funded Research EPSRC Research Lecturer Research Assistant O/S Security Security Officer Lobbyist

slide-32
SLIDE 32

ComputerHacking

  • Notonthecareerpathdiagram?
  • Youcanreally hackhypotheticalsystems,and

really hackrealsystems

  • Youneedpermissionforthelatter
  • “BlackHats”and“WhiteHats”canbothhack

legally– differenceisethicsofdisclosure

  • Realhackersarejustcommoncriminals
slide-33
SLIDE 33

MoreInfo

  • Howtohackabank?

http://www.cl.cam.ac.uk/~rnc1/descrack/

  • HowtoapplytoCambridge?

http://www.cam.ac.uk/cambuniv/undergrad/

  • Howtobelikeme?

http://www.cl.cam.ac.uk/~mkb23/

  • Morequestions– emailus:

Mike.Bond@cl.cam.ac.uk ,Richard.Clayton@cl.cam.ac.uk