Xianhui Lu,Jiang Zhang

DOI: https://doi.org/10.1093/nsr/nwab090

IF: 20.6

2021-05-24

National Science Review

Abstract:The invention of public-key cryptography (PKC) by Diffie and Hellman in 1976 is one of two milestones marking the beginning of modern cryptography. The security of a PKC system requires that it should be infeasible to compute the private key from a given public key, which in turn is typically guaranteed by the difficulty in solving some cryptographic-friendly mathematical problems. Among those problems, the integer factorization and discrete logarithm problems play pivotal roles in the development of public-key cryptography. In particular, the assumption that there is no polynomial time (classical) algorithm that solves the above two problems constitutes the basis for the security of almost all currently used public-key cryptosystems, such as RSA and ElGamal. However, Shor [1] found an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would destroy the security basis for most real deployed PKC systems if large-scale quantum computers become available. The rapid development of quantum technology in recent years suggests that we are getting closer to the quantum crisis of current PKC systems.

multidisciplinary sciences

Huafeng CHEN,Haibin SHEN,Xiaolang YAN

2008-01-01

Abstract:The design-for-testability structure based on scan-chain often compromises the security of crypto chips.A method to attack certain hardware implementation of elliptic curve cryptography was presented.And an easy but effective secure scan method against the attack was proposed,which would not compromise the security of the chip,while maintaining high fault coverage.By controlling operational mode of the chip,the disability mechanism of scan enable signal was applied.The scan function was disabled when there existed security information in the chip.It solved the problem of secure information disclosure caused by scan chain design.

Ruoxu Zhao,Dawu Gu,Juanru Li,Ran Yu

DOI: https://doi.org/10.1007/978-3-642-24861-0_13

2011-01-01

Abstract:Cryptographic algorithms are widely used inside software for data security and integrity. The search of cryptographic data (include algorithms, input-output data and intermediated states of operation) is important to security analysis. However, various implementations of cryptographic algorithms lead the automatic detection and analysis to be very hard. This paper proposes a novel automatic cryptographic data detection and analysis approach. This approach is based on execution tracing and data pattern extraction techniques, searching the data pattern of cryptographic algorithms, and automatically extracting detected Cryptographic algorithms and input-output data. We implement and evaluate our approach, and the result shows our approach can detect and extract common symmetric ciphers and hash functions in most kinds of programs with accuracy, effectiveness and universality.

Florian Sieck,Sebastian Berndt,Jan Wichelmann,Thomas Eisenbarth

DOI: https://doi.org/10.1145/3460120.3484783

2021-08-10

Abstract:Implementations of cryptographic libraries have been scrutinized for secret-dependent execution behavior exploitable by microarchitectural side-channel attacks. To prevent unintended leakages, most libraries moved to constant-time implementations of cryptographic primitives. There have also been efforts to certify libraries for use in sensitive areas, like Microsoft CNG and Botan, with specific attention to leakage behavior. In this work, we show that a common oversight in these libraries is the existence of \emph{utility functions}, which handle and thus possibly leak confidential information. We analyze the exploitability of base64 decoding functions across several widely used cryptographic libraries. Base64 decoding is used when loading keys stored in PEM format. We show that these functions by themselves leak sufficient information even if libraries are executed in trusted execution environments. In fact, we show that recent countermeasures to transient execution attacks such as LVI \emph{ease} the exploitability of the observed faint leakages, allowing us to robustly infer sufficient information about RSA private keys \emph{with a single trace}. We present a complete attack, including a broad library analysis, a high-resolution last level cache attack on SGX enclaves, and a fully parallelized implementation of the extend-and-prune approach that allows a complete key recovery at medium costs.

Cryptography and Security

Christofer Fellicious,Stewart Sentanoe,Michael Granitzer,Hans P. Reiser

DOI: https://doi.org/10.48550/arXiv.2209.05243

2022-09-13

Abstract:Digital forensics is the process of extracting, preserving, and documenting evidence in digital devices. A commonly used method in digital forensics is to extract data from the main memory of a digital device. However, the main challenge is identifying the important data to be extracted. Several pieces of crucial information reside in the main memory, like usernames, passwords, and cryptographic keys such as SSH session keys. In this paper, we propose SmartKex, a machine-learning assisted method to extract session keys from heap memory snapshots of an OpenSSH process. In addition, we release an openly available dataset and the corresponding toolchain for creating additional data. Finally, we compare SmartKex with naive brute-force methods and empirically show that SmartKex can extract the session keys with high accuracy and high throughput. With the provided resources, we intend to strengthen the research on the intersection between digital forensics, cybersecurity, and machine learning.

Cryptography and Security,Machine Learning

NI Jianbing,YU Yong,Qi XIA,Lei NIU

2012-01-01

Journal of Information and Computational Science

Abstract:Public key encryption with keyword search (PEKS) is a novel cryptographic primitive enabling one to search encrypted data while keeping the security of the original data. Recently, Hu et al. found that the PEKS with a designated tester (dPEKS) due to Rhee et al. suffers from keyword guessing attack and proposed two enhanced schemes. These schemes were claimed as being provably secure against chosen keyword attack and off-line keyword guessing (KG) attack. However, in this paper, we demonstrate that Hu’s dPEKS is still insecure by demonstrating keyword guessing attack where a malicious server can guess the keyword with the trapdoor. We also discuss the impossibility to construct secure dPEKS schemes against a malicious server’s KG attack, when the candidate keywords are from some polynomial size of dictionary.

Yong Li,Yuanyuan Zhang,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-11698-3_27

2014-01-01

Abstract:Cryptography is the common means to achieve strong data protection in mobile applications. However, cryptographic misuse is becoming one of the most common issues in development. Attackers usually make use of those flaws in implementation such as non-random key/IV to forge exploits and recover the valuable secrets. For the application developers who may lack knowledge of cryptography, it is urgent to provide an efficient and effective approach to assess whether the application can fulfill the security goal by the use of cryptographic functions. In this work, we design a cryptography diagnosis system iCryptoTracer. Combined with static and dynamic analyses, it traces the iOS application's usage of cryptographic APIs, extracts the trace log and judges whether the application complies with the generic cryptographic rules along with real-world implementation concerns. We test iCryptoTracer using real devices with various version of iOS. We diagnose 98 applications from Apple App Store and find that 64 of which contain various degrees of security flaws caused by cryptographic misuse. To provide the proof-of-concept, we launch ethical attacks on two applications respectively. The encrypted secret information can be easily revealed and the encryption keys can also be restored.

Yuanyuan Yuan,Zhibo Liu,Shuai Wang

DOI: https://doi.org/10.48550/arXiv.2209.14952

2022-09-29

Cryptography and Security

Abstract:Cache side-channel attacks extract secrets by examining how victim software accesses cache. To date, practical attacks on cryptosystems and media libraries are demonstrated under different scenarios, inferring secret keys and reconstructing private media data such as images. This work first presents eight criteria for designing a full-fledged detector for cache side-channel vulnerabilities. Then, we propose CacheQL, a novel detector that meets all of these criteria. CacheQL precisely quantifies information leaks of binary code, by characterizing the distinguishability of logged side channel traces. Moreover, CacheQL models leakage as a cooperative game, allowing information leakage to be precisely distributed to program points vulnerable to cache side channels. CacheQL is meticulously optimized to analyze whole side channel traces logged from production software (where each trace can have millions of records), and it alleviates randomness introduced by cryptographic blinding, ORAM, or real-world noises. Our evaluation quantifies side-channel leaks of production cryptographic and media software. We further localize vulnerabilities reported by previous detectors and also identify a few hundred new leakage sites in recent OpenSSL (ver. 3.0.0), MbedTLS (ver. 3.0.0), Libgcrypt (ver. 1.9.4). Many of our localized program points are within the pre-processing modules of cryptosystems, which are not analyzed by existing works due to scalability. We also localize vulnerabilities in Libjpeg (ver. 2.1.2) that leak privacy about input images.

J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Davide Galli,Giuseppe Chiari,Davide Zoni

2024-09-16

Abstract:Side-channel attacks allow to extract sensitive information from cryptographic primitives by correlating the partially known computed data and the measured side-channel signal. Starting from the raw side-channel trace, the preprocessing of the side-channel trace to pinpoint the time at which each cryptographic primitive is executed, and, then, to re-align all the collected data to this specific time represent a critical step to setup a successful side-channel attack. The use of hiding techniques has been widely adopted as a low-cost solution to hinder the preprocessing of side-channel traces thus limiting side-channel attacks in real scenarios. This work introduces Hound, a novel deep learning-based pipeline to locate the execution of cryptographic primitives within the side-channel trace even in the presence of trace deformations introduced by the use of dynamic frequency scaling actuators. Hound has been validated through successful attacks on various cryptographic primitives executed on an FPGA-based system-on-chip incorporating a RISC-V CPU, while dynamic frequency scaling is active. Experimental results demonstrate the possibility of identifying the cryptographic primitives in DFS-deformed side-channel traces.

Cryptography and Security

Xuancheng Jin,Xuangan Xiao,Songlin Jia,Wang Gao,Dawu Gu,Hang Zhang,Siqi Ma,Zhiyun Qian,Juanru Li

DOI: https://doi.org/10.1109/sp46214.2022.9833650

2022-01-01

Abstract:Protecting confidential data against memory disclosure attacks is crucial to many critical applications, especially those involve cryptographic operations. However, it is neither easy to identify involved cryptographic confidential data in a program nor to implement a fine-grained and yet efficient protection. Existing defensive techniques face many shortcomings such as coarse-grained protection or exorbitant overhead. As a result, real world crypto applications seldom applied this kind of protection in practice.To make the protection of cryptographic confidential data practical, we design and implement CRYPTOMPK, a source code analysis and transformation system to implement a domain-based memory isolation. CRYPTOMPK first automatically tracks and labels all sensitive memory buffers and operations in source code with a context-sensitive, crypto-aware information flow analysis. Then it partitions the source code into crypto and non-crypto domains with a context-dependent privilege switch instrumentation. By further utilizing Intel Memory Protection Keys (MPK), CRYPTOMPK generates executables with efficient domain switching, protecting them against typical memory disclosure vulnerabilities such as arbitrary memory read. In particular, by using CRYPTOMPK, a large number of intermediate memory buffers that have been previously ignored before are well protected, and thus the security risks are reduced significantly. We leveraged CRYPTOMPK to protect prevalent applications such as Apache and Nginx with widely used crypto libraries (e.g., OpenSSL, LibSodium). CRYPTOMPK only needs several minutes to analyze each of these complex cryptographic programs and incurs at most 9.53% performance overhead for the protected programs.

Wei Yang,Anmin Fu,Hailong Zhang,Chanying Huang

DOI: https://doi.org/10.1109/TrustCom50675.2020.00021

2020-01-01

Abstract:Side-channel analysis (SCA) is usually used for analyzing the side-channel resistance of a crypto device. However, it does not mean "practical secure" when a SCA attack fails since SCA only provides a success or failure conclusion. On the basis of the SCA data about scores and ranks of all candidates for each subkey, it is still possible to apply key enumeration (KE) algorithms to search the correct master key at an affordable overhead. Nevertheless, the efficiency of KE is limited by the SCA data in essence. To address the issue, we proposed two methods to exploit the SCA data and Riemann integral of the rank curves of all subkey candidates to update each correct subkey rank before carrying out KE. We applied the proposed methods for different crypto implementations running on different devices to verify their performance. Experimental studies for both mono-channel and multi-channel leakages verified that the proposed methods were effective in improving the efficiency of KE to recover the correct key. The proposed methods are designed for processing the SCA data and can be deemed as a preliminary before executing KE. The work of this paper bridges the gap between SCA and KE.

Hongyuan Chen,Zhenfu Cao,Xiaolei Dong,Jiachen Shen

DOI: https://doi.org/10.1007/978-3-030-33716-2_13

2019-01-01

Abstract:A number of searchable encryption schemes have been widely proposed to solve the search problem in ciphertext domain. However, most existing searchable encryption schemes are vulnerable to keyword guessing attacks. During keyword guessing attacks, with the help of the cloud, an adversary will learn what keyword a given trapdoor is searching for, which leads to the disclosure of users’ privacy information. To address this issue, we propose SDKSE-KGA: a secure dynamic keyword searchable encryption scheme which resists keyword guessing attacks. SDKSE-KGA has constant-size indexes and trapdoors and supports functionalities such as dynamic updating of keywords and files. Formal proofs show that it is Trapdoor-IND-CKA and Index-IND-CKA secure in the standard model.

Carlo Meijer,Veelasha Moonsamy,Jos Wetzels

DOI: https://doi.org/10.48550/arXiv.2009.04274

2020-09-09

Cryptography and Security

Abstract:The continuing use of proprietary cryptography in embedded systems across many industry verticals, from physical access control systems and telecommunications to machine-to-machine authentication, presents a significant obstacle to black-box security-evaluation efforts. In-depth security analysis requires locating and classifying the algorithm in often very large binary images, thus rendering manual inspection, even when aided by heuristics, time consuming. In this paper, we present a novel approach to automate the identification and classification of (proprietary) cryptographic primitives within binary code. Our approach is based on Data Flow Graph (DFG) isomorphism, previously proposed by Lestringant et al. Unfortunately, their DFG isomorphism approach is limited to known primitives only, and relies on heuristics for selecting code fragments for analysis. By combining the said approach with symbolic execution, we overcome all limitations of their work, and are able to extend the analysis into the domain of unknown, proprietary cryptographic primitives. To demonstrate that our proposal is practical, we develop various signatures, each targeted at a distinct class of cryptographic primitives, and present experimental evaluations for each of them on a set of binaries, both publicly available (and thus providing reproducible results), and proprietary ones. Lastly, we provide a free and open-source implementation of our approach, called Where's Crypto?, in the form of a plug-in for the popular IDA disassembler.

Shuai Wang,Yuyan Bao,Xiao Liu,Pei Wang,Danfeng Zhang,Dinghao Wu

DOI: https://doi.org/10.48550/arXiv.1905.13332

2019-05-31

Abstract:Cache-based side channels enable a dedicated attacker to reveal program secrets by measuring the cache access patterns. Practical attacks have been shown against real-world crypto algorithm implementations such as RSA, AES, and ElGamal. By far, identifying information leaks due to cache-based side channels, either in a static or dynamic manner, remains a challenge: the existing approaches fail to offer high precision, full coverage, and good scalability simultaneously, thus impeding their practical use in real-world scenarios. In this paper, we propose a novel static analysis method on binaries to detect cache-based side channels. We use abstract interpretation to reason on program states with respect to abstract values at each program point. To make such abstract interpretation scalable to real-world cryptosystems while offering high precision and full coverage, we propose a novel abstract domain called the Secret-Augmented Symbolic domain (SAS). SAS tracks program secrets and dependencies on them for precision, while it tracks only coarse-grained public information for scalability. We have implemented the proposed technique into a practical tool named CacheS and evaluated it on the implementations of widely-used cryptographic algorithms in real-world crypto libraries, including Libgcrypt, OpenSSL, and mbedTLS. CacheS successfully confirmed a total of 154 information leaks reported by previous research and 54 leaks that were previously unknown. We have reported our findings to the developers. And they confirmed that many of those unknown information leaks do lead to potential side channels.

Cryptography and Security

Baolei Mao,Wei Hu,Alric Althoff,Janarbek Matai,Jason Oberg,Dejun Mu,Timothy Sherwood,Ryan Kastner

DOI: https://doi.org/10.1109/iccad.2015.7372618

2015-01-01

Abstract:Cryptographic function implementations are known to leak information about private keys through timing information. By using statistical analysis of the variations in runtime required to encrypt different messages, an attacker can relatively easily determine the key with high probability. There are many mitigation techniques to combat these side channels; however, there are limited metrics available to quantify the effectiveness of these mitigation attacks. In this work, we employ information theoretic ideas to quantify the amount of leakage that can be extracted from runtime measurements and reveal the influence of individual key bits on the timing observations across a variety of hardware implementations. By studying different RSA hardware architectures (each with different performance optimizations and mitigation techniques), we determine the effectiveness of these information theoretic techniques against the success of attacks. Our experimental results show that mutual information is a promising metric to quantify timing-based information leakage and it also correlates to the attack-ability of a cryptographic implementation.

State Key Laboratory of Cryptology,Zhu Liehuang,Lyu Zeyuan,Wang Zongyue

DOI: https://doi.org/10.1007/s11704-020-0319-z

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:Despite Kerckhoff’s principle, there are secret ciphers with unknown components for diplomatic or military usages. The side-channel analysis of reverse engineering (SCARE) is developed for analyzing secret ciphers. Considering the side-channel leakage, SCARE attacks enable the recovery of some secret parts of a cryptosystem, e.g., the substitution box table. However, based on idealized leakage assumption, most of these attacks have a few limitations on prior knowledge or implementations. In this paper, we focus on AES-like block ciphers with a secret S-box and demonstrate an attack which recovers both the secret key and the secret S-box. On the one hand, the key is recovered under profiled circumstance by leakage analysis and collision attack. On the other hand, the SCARE attack is based on mathematical analysis. It relies on Hamming weight of MixColumns intermediate results in the first round, which can restore the secret S-box. Experiments are performed on real power traces from a software implementation of AES-like block cipher. Moreover, we evaluate the soundness and efficiency of our method by simulations and compare with previous approaches. Our method has more advantages in intermediate results location and the required number of traces. For simulated traces with gaussian noise, our method requires 100000 traces to fully restore the secret S-box, while the previous method requires nearly 300000 traces to restore S-box.

Pan Bian,Bin Liang,Jianjun Huang,Wenchang Shi,Xidong Wang,Jian Zhang

DOI: https://doi.org/10.1145/3368089.3409678

2020-01-01

Abstract:Mastering the knowledge about security-sensitive functions that can potentially result in bugs is valuable to detect them. However, identifying this kind of functions is not a trivial task. Introducing machine learning-based techniques to do the task is a natural choice. Unfortunately, the approach also requires considerable prior knowledge, e.g., sufficient labelled training samples. In practice, the requirement is often hard to meet. In this paper, to solve the problem, we propose a novel and practical method called SinkFinder to automatically discover function pairs that we are interested in, which only requires very limited prior knowledge. SinkFinder first takes just one pair of well-known interesting functions as the initial seed to infer enough positive and negative training samples by means of sub-word word embedding. By using these samples, a support vector machine classifier is trained to identify more interesting function pairs. Finally, checkers equipped with the obtained knowledge can be easily developed to detect bugs in target systems. The experiments demonstrate that SinkFinder can successfully discover hundreds of interesting functions and detect dozens of previously unknown bugs from large-scale systems, such as Linux, OpenSSL and PostgreSQL.

Guorui Xu,Fan Zhang,Xinjie Zhao,Yuan Chen,Shize Guo,Kui Ren

DOI: https://doi.org/10.1109/dac56929.2023.10247932

2023-01-01

Abstract:For embedded devices, the uncertainty of target physical environments is always a great challenge. With constrained resources and common overloaded uses, they can be more exposed to hardware faults. Other than stability and ordinary security issues, there exist some subtle phenomenons that lead to potential cryptanalysis or secret leakage. In this paper, we present STALKER, a framework to analyze the fragility of libraries under hardware fault models. Compared with existing tools, our framework targets faulty execution outputs, and can flexibly work on different libraries, architectures and support different search schemes. We find dozens of security-sensitive bits that may cause critical issues and provide detailed analysis.

Samira Briongos,Ida Bruhns,Pedro Malagón,Thomas Eisenbarth,José M. Moya

DOI: https://doi.org/10.48550/arXiv.2008.12188

2020-08-27

Cryptography and Security

Abstract:Microarchitectural side channel attacks have been very prominent in security research over the last few years. Caches have been an outstanding covert channel, as they provide high resolution and generic cross-core leakage even with simple user-mode code execution privileges. To prevent these generic cross-core attacks, all major cryptographic libraries now provide countermeasures to hinder key extraction via cross-core cache attacks, for instance avoiding secret dependent access patterns and prefetching data. In this paper, we show that implementations protected by 'good-enough' countermeasures aimed at preventing simple cache attacks are still vulnerable. We present a novel attack that uses a special timing technique to determine when an encryption has started and then evict the data precisely at the desired instant. This new attack does not require special privileges nor explicit synchronization between the attacker and the victim. One key improvement of our attack is a method to evict data from the cache with a single memory access and in absence of shared memory by leveraging the transient capabilities of TSX and relying on the recently reverse-engineered L3 replacement policy. We demonstrate the efficiency by performing an asynchronous last level cache attack to extract an RSA key from the latest wolfSSL library, which has been especially adapted to avoid leaky access patterns, and by extracting an AES key from the S-Box implementation included in OpenSSL bypassing the per round prefetch intended as a protection against cache attacks.