Hackfest Cracking Crypto Rev 2

Copyright 2011 Trend Micro Inc.

Bryan Glancey • Global Encryption Subject Mater Expert

Cracking Crypto

Trend Micro Confidential 04/14/23 1


Agenda


Introduction

Background

Methodology

Applicability

Conclusion


Agenda


Introduction

Background

Methodology

Applicability

Conclusion


Agenda


Introduction

Background

Methodology

Applicability

Conclusion


Agenda


Introduction

Background

Methodology

Applicability

Conclusion


Agenda


Introduction

Background

Methodology

Applicability

Conclusion


INTRODUCTIONCracking Crypto



Introduction

• Throughout this presentation we will be following an exploit against Cryptographic Software – to give you background on why…

• Bryan E. Glancey, Jr.– One of the original US based team to form Pointsec

Mobile Technologies– Founded Mobile Armor in 2002 to pursue Enterprise

class Data-at-Rest Cryptography– Mobile Armor was acquired by Trend in February of

2011 – Co-Founder & Chief Technology Officer of Mobile

Armor



BACKGROUNDCracking Crypto



A call in the middle of the night



Oh Oh



What is it?

• http://citp.princeton.edu/research/memory/

• Hit the News in February 2008 – without without Source codeSource code

• Every major Customer called Every major Customer called within 24 Hourswithin 24 Hours

• We HAD to understand it, We HAD to understand it, recreate it, and then make sure recreate it, and then make sure we defended against itwe defended against it



What had to be done?

• We needed to review the paper

• We had to understand the attack

• We had to recreate the attack

• We had to analyze the results

• We had to see if our product was affected and find out why or why not

• We had to advise our customers

• We had to do it in less then a week



METHODOLOGYCracking Crypto



Step 1 : Understand the attack

• http://citp.princeton.edu/research/memory/

• Two parts:– Retrieving a memory image

• This is the actual getting the keys part. The original team was studying the rememence in DRAM of the formerly stored data.

• One of the impressive things the team did was write software to compensate for the memory degradation over time

– Analyzing the memory image• Once the memory image was obtained, we needed to

analyze that image to find the Encryption Key• This was the key to the attack for us



Step 1: Figure out what was important

• There was a lot of time / effort expended on the acquisition of the memory image.

• The majority of the reports, presentations, and reviews focus on the ‘aircan’ attack of cooling DRAM to make it more persistent and take the memory image

• Due to image degradation, the majority of cases of the attack assumed some percentage of degradation

• We decided to pursue the hardest case – Direct memory imaging with a 0% degradation



Step 2: How do you do it?

• Physical capture of memory was obtained through the use of the windows debugging tool. Setup of this tools is detailed on http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx . Physical setup required two computers, a target computer (the computer being attacked) and a host computer (from which the attacker is attacking).

• The target system must have a full disk encryption software installed and running, and the user must be authenticated. In our recreation we used Mobile Armor’s DataArmor product version 3.0 service pack 4.



(Spoilers) New methods for imaging

• Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD. Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd. If the target computer with the BitLocker volume is powered off, encryption keys are not stored in its memory, but they could be possibly recovered from the hiberfil.sys file, which is automatically created when a system hibernates.



A Needle (or a key) in a haystack

• So now that we had the image, we had to find the key

• We had to write a program to systematically search through memory and figure out what was a key and what wasn’t

• (UPDATE) The Princeton team has since released their Software for this as well

• (UPDATE) Both TrueCrypt and Bitlocker use static storage methods – so commercial tools now retrieve the keys instantly



The Guts of searching for keys

• The method of finding the AES key amidst all of the other extraneous data in memory is using one of the functional characteristics of AES itself, namely Key expansion. Key expansion is the mechanism through which you take the symmetric encryption key and expand it into a workable format for both encryption and decryption – as well as several iterations, or rounds. AES is not a Feistel Cipher, meaning that encryption and decryption are not equivalent functions, which necessitates the separate tables for encryption and decryption of data. Since this key is typically used constantly in the case of full disk encryption , the Key expansion is stored in memory and used to encrypt the data being written to the disk and decrypt the data being read off the disk. This was the mechanism of attack utilized by the Princeton researchers. In order to find the key expansion in memory (and subsequently in the memory dump file captured in the attack) the Keyfind program reads a specific length of data which corresponds to the key length of the algorithm. The Length of the data is 32 bits for 256-bit, 24 bits for 192-bit or 16 bits for 128 bit. This data from the memory dump is then assumed to be the encryption key, and Key Expansion is performed upon it. The resultant Key Expansion is then compared against the ‘nextchunk’ of data from the memory dump to see if it matches. The pattern matching of the key to the key expansion is what allows the decrease in time to finding the key stored in RAM. IT is, however, dependent upon the pattern found in memory matching the pre-computed Key expansion exactly.



What caused the issue?

• Vendors had either stored their encryption keys (Key expansions)– In the same place every time– As one predictable string

• What could you do to prevent this?– Split keys into multiple parts– Randomize your location in memory– Store several Dummy keys (fakes) – Key

Expansions– Camouflage Keys to make harder to detect



APPLICABILITYCracking Crypto



What is affected by this

• Any software application that uses Cryptography is potentially vulnerable

• Some popular programs:

• Bitlocker

• TrueCrypt

• PGP

• DMCRYPT

• loopAES

• Others?



Potential Malware?

• Malware could be designed to search for Key Expansion in a running system

• Capture of the Key Expansion would result in compromise and recoverability of an encrypted system

• Keyfind application is readily available

• Perfect for creating a targeted attack against a known Disk Encryption user



CONCLUSIONCracking Crypto



Press Release of results


• ST. LOUIS, Feb. 25 /PRNewswire/ -- In response to last week's Princeton University Report on full disk encryption security flaws, Mobile Armor, the leader in data protection solutions, today said its DataArmor(TM) product has long included safeguards to prevent the types of exploits detailed in the report.The Princeton Report found that through the use of simple tools thieves could capture the encryption keys from systems running disk encryption software from Microsoft, Apple, and TrueCrypt. "While the DataArmor product provides similar functionality to the studied products, our solution goes far beyond the basics and is engineered to protect against the vulnerabilities cited in the Princeton Report," said Bryan Glancey, chief technology officer of Mobile Armor.


So, it’s been two years.. All fixed?

• NO

• Need ask questions from vendors (and open source developers) about what they are doing to protect Encryption keys

• As always, when looking at any security tool, search for vulnerabilities prior to purchase



Where have things gone from here

• Commonly available keyfind source code

• Several vendors have decided not to fix

• Commercial and Open source software has included the Key find concepts



Attack Technic is now commercially available

• Example: Passware Forensic

• Able to remove the key and decrypt

–Bitlocker–TrueCrypt

• Passware Hard disk Decryptor for TrueCrypt and Bitlocker

• http://www.lostpassword.com/kit-forensic.htm



What does this mean to me?

• Cryptographic applications are subject to attacks on Key Expansion

• Keys can be retrieved for Memory images, Disk images, or malware capture

• Need to make sure Cryptographic keys are always protected



THANK YOU!


Documents

Hackfest Cracking Crypto Rev 2