 Thanks very much, right, so now for something completely different So we for some time I and my Poor collaborators have been looking at the security of device interfaces of cryptographic hardware Okay, so all kinds of cryptographic hardware things like smart cards little USB Authentication tokens and big things like HSM's and this kind of stuff And in a paper at CCS in 2010 We showed how to find a whole bunch of different attacks, which were logical attacks Okay, so they were mistakes in the ways that keys were managed and the ways that roles were assigned to keys That allows you to get hold of a key in the clear outside the device, which is what these devices are meant not to do, okay? And so the outcome of this paper was that we were able to show how with very careful Configuration of these devices you can prevent these kind of things from occurring. Okay, that's good So we have these proofs of security, but they're all in the abstract model of cryptography the sort of dole of yowl style high-level model of crypto And so we would like to transfer these results to the standard model of cryptography. Okay, but we've got a big problem which is Pretty much all the devices we look at use PKCS one version 1.5 padding to encrypt Keys for for import. Okay, so these keys are supposed to remain secure And of course we all know that PKCS one one point five padding doesn't enjoy CCA security, so this prevents us from getting the kind of security proofs that we would like to have So why is it that that these devices are still using this old padding mode? So perhaps it's because they consider that the the best known attack on this on this scheme Which is blacking back as million message attack is not a practical threat because okay, so a smart card for example does about 100 private key RSA operations decryptions per second So if you're going to execute the million message attack, it's going to take you about a month right by which point We assume the user of the smart card gets a bit suspicious. Okay, so So the contribution of this paper is To show a way to execute the million message attack in slightly under 15,000 messages And so the hope of this is this will help people to remove PKCS one one point five from the standards and we can have something else and then we can get our security proofs to go through Okay All right So just if I could ask for a little bit of cooperation So can you raise your hand if you already know what PKCS one one point five padding looks like? Okay, that's pretty good. So Matthew Green told me on Twitter would be about 40% and I can see he was He was just about right and can you put your hand up again if you are familiar with how the Bliken backer attack works? Okay, okay, pretty good. Okay, so I can go through that quite fast All right, so we've got a public key pair a private key and a public key and Following Bliken back as presentation. We're going to talk about the bite length of the modulus n And we're going to call it k and we've got some plain text. We would like to encrypt okay, which it has to be less than K minus 11 It's a plain text p of length l. So how does this work in pges is one one point five So we're going to generate k minus l minus three pseudo random non-zero padding bites I'm going to put them in a string called ps and then the block that we're going to encrypt it's going to look like this It's going to start with a zero then it's going to have a two then it's going to have all these non zero padding bites And then a zero that marks the beginning of the plain text and then the plain text is is the last part on the right Okay, that's that's how it works Okay, so now we go back to 1998 Bill Clinton is the president a company called Google is just being founded and Little knowing that he would be working for Google 14 years later. Daniel Blikenbacker is presenting this attack So we want to attack some cipher text C and discover what the plain text m is that's inside the cipher text Okay, so we know m is equal to C raised to the decryption exponent d modulo n and we assume we have access to a padding oracle Okay, so we know what a padding oracle is we even have songs about them It's an oracle which is going to decrypt a cipher text and return true just when the result is a correctly padded plain text Okay, so it's not going to tell us what the plain text is it's just going to say yes that thing is a correctly padded plain text So the way Blikenbacker's beautiful attack works is we're going to find some integers s So we've worked out how we're going to find them later We're going to send a new cipher text, which is going to be equal to C multiplied by s raised to the Encryption exponent e modulo n to the padding oracle and the oracle is then going to decrypt that and it's going to Work out m prime and m prime of course by the properties of this operation It's going to be equal to m times s Okay, so if the oracle tells us that the result m prime is a correctly padded plain text Then we have the following thing we know that the first two bytes of m times s must be equal to zero zero zero two Okay, so then if we set B to be this constant value We now have this little inequality for the value of m times s We know m times s is bigger than or equal to 2b and less than 3b All right, that's that's just from the fact that it starts with zero zero zero two. All right, that's that's the only place That's coming from Okay, so intuitively we can see that we've learned something about m from from this fact Okay, we know we can find this s and it's going to satisfy this So what exactly have we learned about m? Well, if we look in Blikenbacker's paper it gives us nice formula So we found some si we're going to take the interval that we had previously and we're going to apply this this formula to it And if you stare at this for long enough you could this makes perfect sense It's just it's just of elementary calculation of what the what what it is that we've learned But we haven't got time to look at this for long enough So let's just look at the intuition the intuition is that well We're solving r and s and we're saying look we've multiplied m by some s We've taken away r times n for some value of r Okay, we don't know what the value of r is but but we've done modulo n right So we know we've taken away a certain integer number of n's and what we were left with was t where t is between 2b and 3b okay, so worry about that later But this is the intuition okay, this this r and this s are going to come up again later on So we're multiplying by s and we're taking away r lots of n to leave something that's in the in the right range So help is a huge slide for things, but this is the original attack algorithm So but I only want you to look at a couple of things on here So first of all don't look at the fact there's no step one that's I'll come back to that in a moment What's going on here is a loop? Okay, and I'm trying to find more and more of these s values and each time I'm going to find an s in one of these Three different ways okay, once I've got an s I narrow the solutions just just using the formula that I showed before and when I've only got one left I get I give that as the output that's the that's the real value of it Otherwise I go back and look for more s. Okay, so there's three different ways of looking for an s value There's step 2a. This is where I just sequentially look for that So I'm looking for the very first value of s I'm looking for s one I'm going to start with some lower bound Don't worry where I got that from I can I can tell you later And I just increase s 1 1 1 1 1 until eventually I find the first value of s There's going to be s1. Okay, we call that a hit when we find a correct value of s Then I either have several intervals to look at afterwards or only have one interval to look at So why do I have several intervals? Well, this comes from the fact that there may be several possible values of r that give me a solution for a possible value of s Okay, so when that's the case in the next step I'm going to have several different disjoint intervals that that may contain the correct plain text m So if that's the case then I go to step 2b and here I just keep increasing my s So I start with s1 now I try s1 plus 1 s1 plus 2 s1 plus 3 till eventually I find the value of s2 Okay, the second hit so that's step 2b and when I've only got one interval left Not in the first case, but when I for the second time I find myself with only one interval left I've got this clever formula. So again, don't look at the detail of this too much But the point is what I'm doing here is I'm deciding what r is first and then I'm looking for an s That could suit this r. Okay, so I'm saying okay I'm going to multiply the modulus by this big number r and then I'm looking for an s that might Multiply the plain text to fit this So how long does it take to do this attack? Well, black and back are estimating his paper 2 to the 20 steps For arbitrary plain text. Okay, so that's important arbitrary plain text That means the thing I'm trying to attack may not have been originally a pkcs 1 1.5 plain text and that would mean I had to do step one which I didn't put on the previous slide Which would take a whole bunch of steps. Okay, but anyway He estimated 2 to the 20 using a variety of sort of heuristic upper and lower bounds And this is where the name of the attack comes from because 2 to the 20 is about a million, right? In the case where M is a valid plain text already so we just implemented black and back as algorithm just as it's written in the paper and We tried with a thousand different 1024 bit modulus values We obtained a mean of two hundred and fifteen thousand oracle calls And a median of a hundred and sixty three So you can see that the mean is sort of dragged upwards by some sort of outlying very large values But the median that means half of the possible plain text can be can be cracked in a hundred and sixty three thousand Okay, so that's that's where we're starting from for our case We observe that finding hits in the step to see case So that's the one where we set the value of r and then we look for a value of s that might see that value of r That's really fast right really fast. I mean you only have to do a few trials for each hit But looking for the s values in step B or step 2a is very slow. I mean essentially you're just getting As far as you know uniformly distributed different plain text And so it's just the probability that one of those happens to start 0002 and have no zeros in the first eight bytes and have a zero somewhere else all that kind of stuff So you can work out how long you would expect that to take and indeed that's what that's what you find So so this part is already fast and these these bits are slow There's an existing optimization that appears in a paper at chairs in 2003 where these guys said well in Step to be so this is the step where you've got lots of different intervals left instead of just naively looking for the next Yes, why don't you use the clever formula from step to see where you set the r value and then look for the s and use it I in parallel on each of the intervals Okay, so I'm step wise going to try that formula on each of my remaining intervals until I get a hit and indeed that speeds Things up quite a lot almost a factor of two So our work was to try to speed up step to a right because this is the last remaining really slow step And the idea was we were trying to use this this clever reasoning where we where we set the value of r in Advance and then look for the s on step to a but of course it doesn't work I mean otherwise I assume like and back I would have done that in the first place It doesn't work because the range of possible values for m is too large So so all your intervals overlap you end up with a just doing exactly the same naive search that you would have done before So what can we do about this? Well, we're going to use this proposition So we propose if I can find two co-prime integers u and t that satisfy this Inequality and this one and if I can find m and m times u times t to the minus one Modulo n such that these are both pkcs 1 1.5 conforming then m is divisible by t. Okay, magic So why is this true? Well the proof is elementary essentially So it just relies on the on the on the use of these particular inequalities So I have to go through it very fast So we know m times u is less than m times 3 times t because of that one We know that's less than 3b 3t by the fact that m is conforming and we know that's less than n because of that inequality there Thus we have m u modulo n is just equal to m u without the modulo Then we have if we set x to be m times u t to the minus 1 mod n We know x is less than 3b because it's a conforming plain text So we know x times t is less than 3b times t which is less than n by this formula here So x t mod n is equal to x t so x t equals x t mod m which is equal to m u mod n So I'm just using the fact that t has to be the inverse of t minus 1 in the z n star group Which is equal to m u outside the modulus which implies that t divides m right because t can't divide u because they're co-prime So what's the use of this little proposition? Well, what this means is if I can find u and t that satisfy this Property so m u t to the minus 1 is conforming then I can trim the range for m Okay, because the consequences of the of this of these two things both being conforming is that I know that m must be Greater than or equal to 2b times t over u and less than 3b times t over u Okay, so I can bring up the bottom bound by using a t bigger than you and I can lower the top bound by using a t smaller than you And note that I can test this just by Using ciphertext which are equal to c times u raised to the e times t raised to the minus e, okay Now remember that for a successful s we have to have some solution to this equation So we have m times s minus some r times n is in the 2b 3b range So given that we've trimmed the first interval to some range a b This gives us a series of possible bounds for the value s Okay, so given some particular r. It must be some somewhere in between these two values Note further that if there's a gap between the upper bound for r and the lower bound for r plus 1 Then this when we have a whole of values where they can't possibly be an s Okay, so that means when we're searching for s we can just jump over that that range and not bother looking for the s value there And that's it it turns out that makes a massive difference to the efficiency of the of the attack So how much difference does it make? well, so first of all we Found that in practice the implementations of pkcs 1 1.5 padding are quite different And they often reveal more information about the plain text than than the original paper would suggest if you just look at the Perfect implementation of the of the padding check. So We're going to characterize these different implementations not we're not characterizing all implementations But just the ones that we found so we assume that they all allow a correct plain text where p is of the correct length for the operation Okay, so often we know what length of plain text should be for example, we're importing a 128 bit a s key It should be an 128 bit plain text that we get so all of our oracles that we found admit these correctly padded plain text Then we're interested in ones which also allow us to have a zero somewhere in the first Eight bytes so you're not supposed to have a zero in the first eight bytes But we found some oracles that either give you a different error message Which of course is already enough for you to know that that you've passed the first part of the panic or in fact Let it go through then we have a second flag for whether the Implementation allows you to have a plain text of length zero right so there's no zero at all anywhere in the Anywhere in that's an undefined length of the plain text. There's no zero at all anywhere in the block here and we found implementations which allow you to have Any length you like for p Okay, so any correctly padded block with any length of plain text Okay, so under that setting the original black and back oracle is an FFT oracle So it disallows ones where there's a zero in the in the panning it disallows plain text with undefined length But it does allow you to have a plain text of any given length Okay, so under the original attack we had a mean and median like this 215,000 162,000 with our algorithm. We have a mean of 49,000 and a median of 14,500 okay So what's going on here? So Here we have an implementation where anything is allowed that starts zero zero zero two okay So ones which have got zeros in the wrong place ones which have no zeros at all and ones which have any length Okay, so this is a really bad implementation of pks is one one point five panning because it means that you find loads of hits When you when you go looking with a black and back or algorithm and the median look is only 3768 so remember this is a one bit leak and we're trying to attack a thousand bit plain text And we're only taking you know essentially less than four Operations to find each bit of the plain text. So this is really very efficient. So where do these? Things occur well here are some devices that we tested So here we're just so just on the right here I'm not gonna have time to talk about this today But we did also look for for the Vodemay cbc padding attack and we found this on a couple of devices Here we should these are different kinds of keys So a token keys is pkcs 11 language for a long-term key and a session key is an ephemeral key So not at any means they don't allow you to have this kind of key these x's here are to show that these devices actually Don't implement any padding check They just take whatever turns out to be the right most bits of the result of the pk of the RSA private key operation And turn that into the key no matter what it is. So I mean that's a bit bizarre But but it doesn't allow the attack so that's that's kind of interesting But these other ones allowed the attack But they implement different kinds of Oracle. So here are the different kinds of Oracle. So for example The Siemens Cato S implementation and the RSA secure ID 800 Implementation are perfect zero zero zero two prefix oracles So they admit the most efficient version of the attack And so these timings are taken from the real devices doing the private key operations on the devices So this is where this bizarre headline figure that came out of the New York Times about cracking your RSA ID in Less than 15 minutes came from so that does indeed take 13 minutes to do this This padding Oracle attack, but you know just to be very clear This does only give you the symmetric key from inside the plain text It doesn't give you the private key. It doesn't give you the seed for your secure ID six-digit number or any of this stuff Okay, so I've got a little bit of time not very much I'll just say there is an Estonian ID card. It has a chip on the back It also implements RSA 1.5 padding it has a key which you can use for signature and encryption decryption Which means that you can use it to fake signatures Very quickly about countermeasures. So of course OAP has been pkcs1 since 1998 It's been recommended for all new applications since 2002 only one device in our list supports it But it insists that all keys also allow pkcs1 1.5 padding as well, right? So what's the consequence of that? It means that whatever you encrypt under OAP I can still use Bleichenbacker's padding Oracle attack to crack it and find out with the plain text What so there's not much point doing it that way I don't have time to talk about that so much Pkcs1 1.5 is still being used in current standards for XML encryption TLS and our results of course also apply there, right? And you will see in the coming months results on XML encryption and PLS appearing in various places Manufacturing reaction has been varied some positive some less so we can talk about that offline Pro tip so this isn't the optimal attack I'm sure this can be improved further if you want to improve it further Please observe you don't really need to implement encryption and decryption right because if you're just testing the attack You know what the plain text is you can just multiply it and and divide it yourself So I'm not gonna say at what point during our experiments this occurred to us that It could have been earlier And read very carefully by come back as paper words like the smallest integer greater than x divided by y Think about very carefully about what that means because that actually makes a big difference to the efficiency of the attack Thank you very much