low-cost protection against cold boot attacks for an authentication token
TRANSCRIPT
Low-cost Protection against Cold Boot Attacks for an Authentication Token
Applied Cryptography and Network Security 2016
Ian Goldberg (1), Graeme Jenkinson (2) @gcjenkinson, Frank Stajano (2)
(1) University of Waterloo (Canada), (2) University of Cambridge (United Kingdom)
ACNS 2016-06-20
Pico: A usable and secure memory prosthesis (Stajano2011)
MEMORYLESS, SCALABLE and SECURE
www.mypico.org
2 of 21
Pico’s benefits (Stajano 2011)
Usability: WORKS-FOR-ALL, FROM-ANYWHERE, NO-SEARCH, NO-TYPING, CONTINUOUS
Security: NO-WEAK, NO-REUSE, NO-PHISHING, NO-EAVESDROPPING, NO-KEYLOGGING, NO-SURFING, NO-LINKAGE, LOSS/THEFT-RESISTANCE
Loss/theft resistance
Picosiblings
1. Small devices you carry with you
2. Pico unlocks only in presence of k-out-of-n Picosiblings
3. Picosibling shares construct full disk encryption (FDE) key
Picosibling protocol requirements
1. The Pico can ascertain the presence of any of its Picosiblings in the vicinity
2. The Picosibling responds to its master Pico but to no other
3. When challenged, the Picosibling sends its k-out-of-n share to the Pico, but in a way that doesn't reveal it to an eavesdropper
4. An eavesdropper can detect the comms between the Pico and its Picosiblings but not infer long-term pseudonyms
5. The Pico can detect and ignore old replayed messages
6. The Pico can detect and ignore relay attacks
Attacker model
1. Attacker can listen to the comms between Pico and Picosiblings
2. Attacker can send messages to Pico and Picosiblings
3. Attacker can capture and read out the contents of a Pico and fewer than k Picosiblings
Concessions
▶ Secure at first use
▶ Defender has some low-cost tamper proofing facilities such as those used in smartcards and phone SIMs in order to provide a small amount of memory that the attacker can't read
Cold boot attack (Halderman et al 2008)
Attacker model: Attacker wins if they can extract all the credentials in plaintext, or use a captured Pico to authenticate as its owner.
Memory readout attack whilst single FDE key is in memory
A new secret sharing scheme for authentication tokens
Partition Pico's encrypted storage into many small bins, each holding a few (ideally one) credential(s).

Hash of service's identifier | Bin identifier | Encrypted credential                    | User id
H(ID_Google)                 | 0x1e           | {cred_Google, jane.doe}_K(0x1e)         | jane.doe
H(ID_Amazon)                 | 0x75           | {cred_Amazon, jane257}_K(0x75)          | jane257
H(ID_Twitter)                | 0x57           | {cred_Twitter, @jane}_K(0x57)           | @jane
...                          | ...            | ...                                     | ...
H(ID_Expedia)                | 0x1e           | {cred_Expedia, jane257}_K(0x1e)         | jane257
H(ID_Twitter)                | 0x32           | {cred_Twitter, @tattoophile}_K(0x32)    | @tattoophile
Details...
Keying polynomial: The secret to be shared across the Picosiblings is an r-degree keying polynomial:
$K(y) = \sum_{j=0}^{r} k_j y^j$
Encryption key: The encryption key for bin $\beta$ is $K(\beta)$
Note: r = 0 corresponds to Pico's original design, where every credential is encrypted using a single key
Bivariate secret sharing
Bivariate polynomial: In order to share an entire keying polynomial $K(y)$, rather than a single encryption key, we now have the Pico create a bivariate polynomial $F(x, y)$ of degree $(k-1, r)$, that is, of degree $k-1$ in $x$ and of degree $r$ in $y$:
$F(x, y) = \sum_{i=0}^{k-1} \sum_{j=0}^{r} a_{ij} x^i y^j$
More details...
Let $\mathbb{F}$ be a finite field; $V$ be a vector space over $\mathbb{F}$; $k$, $r$, and $n$ be non-negative integers with $1 \le k \le n$; and $\alpha_1, \ldots, \alpha_n$ be arbitrary distinct non-zero elements of $\mathbb{F}$.
1. For $0 \le j \le r$, set $a_{0j} = k_j$, and for $1 \le i \le k-1$ and $0 \le j \le r$, select $a_{ij}$ uniformly at random from $V$. Then construct the bivariate polynomial $F(x, y) \in V[x, y]$ as above.
2. For each $1 \le i \le n$, compute the degree-$r$ polynomial $f_i(y) = F(\alpha_i, y) \in V[y]$, and send $f_i(y)$ (the share) to participant $i$. (Note that the amount of storage this requires at each participant is $r + 1$ elements of $V$.)
Enrollment
1. The Pico selects an arbitrary unused non-zero $\alpha_i \in \mathbb{F}$ to serve as that Picosibling's Picosibling identifier.
2. The Pico and Picosibling are paired, establishing a shared symmetric communication key $CK_i$ (P → PS : $CK_i$).
3. The Pico stores $CK_i$ in its tamper-proof memory.
4. The Pico creates the keying polynomial $K(y)$ (as above), and uses it to encrypt the credential database.
5. The Pico sends to the Picosibling the coefficients $f_{i0}, f_{i1} \in V$ of its share of the keying polynomial (P → PS : $\{f_{i0}, f_{i1}\}_{CK_i}$).
Query share/presence
For bin identifier $\beta$, we wish to reconstruct just the single value $K(\beta) \in V$, and not the whole polynomial $K(y)$. To accomplish this:
1. Send the value $\beta$ to $k$ Picosiblings (P → PS : $\{\beta\}_{CK_i}$)
2. Each Picosibling $i$ will compute $v_{\beta i} = f_i(\beta) = F(\alpha_i, \beta)$, a single value in $V$.
3. Each Picosibling $i$ will reply with $v_{\beta i}$ (PS → P : $\{v_{\beta i}\}_{CK_i}$).
4. The Pico performs Lagrange interpolation on the $(\alpha_i, v_{\beta i})$ pairs in the usual way to recover $F(0, \beta) = K(\beta)$.
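The share-generation steps above and this per-bin query, worked through as an added example (this is not the paper's or the Pico project's code). It assumes V = F = GF(p) for a constructed Mersenne prime p, Picosibling identifiers alpha_i = 1..n, and constructed keying-polynomial coefficients; the Picosiblings' replies are simulated locally, so the CK_i encryption of the messages is left out.

```python
# Added example: bivariate secret sharing of a keying polynomial K(y), with
# per-bin reconstruction of K(beta) only. Field and identifiers are assumptions.
import secrets

P = (1 << 127) - 1  # constructed choice: V = F = GF(P), P a Mersenne prime


def make_bivariate(keying_poly, k):
    """Step 1: a_{0j} = k_j, a_{ij} uniformly random for 1 <= i <= k-1.
    Returns the coefficient matrix a[i][j] of F(x, y) = sum a_ij x^i y^j."""
    r = len(keying_poly) - 1
    a = [list(keying_poly)]
    for _ in range(1, k):
        a.append([secrets.randbelow(P) for _ in range(r + 1)])
    return a


def share_for(a, alpha):
    """Step 2: the share f_i(y) = F(alpha_i, y), stored as r+1 coefficients
    (coefficient j is sum_i a_ij * alpha^i)."""
    r = len(a[0]) - 1
    return [sum(a[i][j] * pow(alpha, i, P) for i in range(len(a))) % P
            for j in range(r + 1)]


def eval_poly(coeffs, y):
    """Horner evaluation of a univariate polynomial over GF(P); a Picosibling
    runs this on its share to answer a query for bin y = beta."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % P
    return acc


def reconstruct_bin_key(points):
    """Lagrange interpolation at x = 0 over (alpha_i, v_beta_i) pairs,
    giving F(0, beta) = K(beta) without revealing any other K(y)."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P
    return result


def demo(keying_poly, k=3, n=5, beta=0x1e):
    """Enrol n Picosiblings, query k of them for bin beta, and return the
    reconstructed value next to K(beta) computed directly for comparison."""
    a = make_bivariate(keying_poly, k)
    shares = {alpha: share_for(a, alpha) for alpha in range(1, n + 1)}
    present = list(shares)[:k]  # any k Picosiblings that happen to be nearby
    replies = [(alpha, eval_poly(shares[alpha], beta)) for alpha in present]
    return reconstruct_bin_key(replies), eval_poly(keying_poly, beta)
```

Fewer than k replies do not yield K(beta): the random a_ij for i >= 1 mask every point on F except the x = 0 column, which is exactly the attacker-model guarantee the scheme relies on.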
But why didn’t you just...
Ring 0 encryption (TRESOR): The prototype Pico is based on a non-Intel CPU, so the registers TRESOR relies on (SSE, debug, AES-NI) are not available
Cache-as-RAM (FrozenCache): Negative impact on performance
Trusted Execution Environment (Secure enclave/Crypto processor): Goal was a low-cost approach suitable for prototyping
Requirements
1. Be small enough to be attached (unobtrusively) to a range of items that users already frequently carry (such as wallets, phones and keys).
2. Be able to be integrated into items that users carry or wear.
3. Operate for many months without charging or replacing batteries.
4. Be cheap to purchase and replace.
Bluetooth Low Energy
1. Low power
▶ Designed around button cell batteries
▶ Designed to exploit asymmetry
▶ Optimizations include: high data rate, small packet sizes, connectionless...
2. Small size and cost
3. Compatible with large installed base of mobile phones and tablets
Security (not so much): BLE pairing broken (Ryan 2013)
COTS BLE platform
▶ High-performance low-power 8-bit 8051 processor
▶ 256 KB flash and 8 KB RAM (retained across all power states)
▶ Peripherals including watchdog, general purpose timers, 2x USART, I2C and AES coprocessor
▶ 6mm x 6mm QFN40 package
Results
▶ Prototype gives 165-220 days use on CR2032 battery
▶ Introduces 2-3 second latency
▶ Optimizations may offer 50% longer battery life
Conclusions
▶ Original Pico design vulnerable to memory readout attacks
▶ Bivariate secret sharing can protect all long-term credentials except the one currently being accessed
▶ Key storage costs O(1): 256 bits
▶ Prototype implementation predicted to operate for many months without charging or replacing batteries