SlideShare ist ein Scribd-Unternehmen logo

Recover A RSA Private key from a TLS session with perfect forward secrecy

Priyanka Aash
Priyanka Aash

This document discusses recovering an RSA private key from a TLS session using a side channel attack that exploits the RSA-CRT optimization. It begins with background on side channel attacks and an overview of the roadmap. It then discusses how RSA signatures work, the RSA-CRT optimization, and how a fault during signature generation using RSA-CRT can leak a private key factor. The document demonstrates checking for faulty signatures in TLS and recovering the private key. It notes the attack requires RSA-CRT, signatures on known values, and a faulty signature.

Technologie
1 von 59
Downloaden Sie, um offline zu lesen
Recover a RSA private key from a TLS session with Perfect Forward Secrecy (Marco Ortisi – 2016)
About me • Netizen and IT Security enthusiast since 1996 • Penetration Tester since 1999  In love with buffer overflow flaws  I adore exotic vulnerabilities • Senior/Principal Penetration tester? Just a curious guy • Get in touch with me! marco.ortisi@segfault.it
About the topic • Imagine you can get a server private key by sniffing TLS traffic or interacting through the network with a TLS service. Does it look quite exotic? • Done via a side channel attack • Side Channel Attack – from Wikipedia • “…any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system…”
Roadmap Introduction First demo More insight into the attack Second demo Greetings and questions
The attack and roots with the past • (1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF)
What is a RSA signature • RSA encryption  public key is used to encrypt a message  private key is used to decrypt that message • RSA signing  private key is used to sign a value (actually it is an encryption operation)  public key is used to decrypt that value
The attack and roots with the past • 1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF) • (200x?) - Attack conjectured as possible on smartcards if someone has physical access to the device and can disrupt the math behind the RSA operations
The attack and roots with the past • (2001) OpenPGP Attack (http://eprint.iacr.org/2002/076.pdf). a) get a local copy of file containing the encrypted private key; b) tamper with it in order to introduce faulty bits; c) capture a single message subsequently signed with the modified encrypted private key (for example an email); d) enjoy your leaked private key  • (2015) by targeting TLS, Florian Weimer (Red Hat) unveiled the attack can have remote impacts. https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
Public key exposed
Recover a RSA private key: Prerequisites • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
What if the attack is successful? • Private key is exposed • The real server can be impersonated • Man-in-The-Middle attack can be performed without alarming the legitimate clients
What if the attack is successful?
DEMO TIME (PART 1)(enter High Voltage!)
From: http://support-public.cfm.software.dell.com/33164_sonicos_5.8.4.2_releasenotes.pdf
From: http://support-public.cfm.software.dell.com/33164_sonicos_5.8.4.2_releasenotes.pdf
A Little Recap • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
(a) RSA Signature with RSA-CRT • The modular exponentiations required by RSA are computationally expensive • RSA-CRT introduced a less expensive way to do RSA operations (decryption and signing) • RSA-CRT is used by default in almost every known crypto library out there (openssl, OpenJDK, libgcrypto, PolarSSL, etc…) • Condition (a) is normally satisfied
(b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable
(b) PKCS 1.5 Padding • Payload: 0D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759EDD89931B 2208B8044CB4A1B96A • Padded Payload (RSA 2048 bit): 0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFF000D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759E DD89931B2208B8044CB4A1B96A
(b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable • Data signed must be known. This is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
(c) Presence of faulty signature • We identify a faulty RSA signature with the letter “Y” • Events causing the generation of a faulty digital RSA signature can't be predicted but they are out there • Induced by the same vectors like in a typical bit-squatting attack:  CPU overheating  RAM errors  massive exposure of hardware to solar rays  etc…
The right ciphersuite... • Prerequisite (b) – Signature calculated on known values • The condition (b) is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
The right ciphersuite... • RSA_WITH_AES_256_CBC_SHA  RSA = Authentication + Key Exchange  AES = Symmetric algorithm used to encrypt data  CBC = Mode of operation  SHA = Hashing algorithm to avoid data tampering • RSA private key leaked = all TLS sessions compromised (current, past and future ones) • The “Certificate” message contains a Signature created with the private key of CA  statically embedded inside the certificate (not generated on the fly)  the condition (b) is not satisfied
The right ciphersuite... • DHE_RSA_WITH_AES_256_CBC_SHA  DHE = Key Exchange  RSA = Only used for Authentication  [the rest is the same as previously mentioned] • The key exchange is done using private/public keys generated on the fly  Compromission of a private key breaks only that specific encrypted session, not all the previously established  This is called "Perfect Forward Secrecy"
PFS fits REALLY perfectly to us • RSA signature appended onto a TLS Server Key Exchange Message
PFS fits REALLY perfectly to us • A RSA signature is appended on a TLS Server Key Exchange Message • The values on which it is calculated are well known, padding scheme is deterministic  Client Random struct (Client Hello Message)  Server Random struct (Server Hello Message)  Server Params struct (Server Key Exchange Message) • DHE_RSA_WITH_AES_256_CBC_SHA and in general [EC]DHE_RSA_WITH_ANY_ANY_ANY ciphersuites are good for us  The condition (b) is satisfied this time
TLS Client Hello (PFS ciphersuites only negotiation) How High Voltage! works...
TLS Server Hello How High Voltage! works...
TLS Server Certificate n e How High Voltage! works...
TLS Server Key Exchange How High Voltage! works...
TLS Server Key Exchange Client Random Struct (Client Hello Message) Server Random Struct (Server Hello Message) Server Param Struct (Key Exchange Message) How High Voltage! works...
Attacking TLS abusing PFS • Because of “(c) Presence of faulty signature”, the attack can be carried out only when a RSA signature is faulty. How to determine that? • Looking for faulty signatures:  We know padding scheme (PKCS 1.5) and the values on which the server calculates its signature - Client Random struct (Client Hello Message) - Server Random struct (Server Hello Message) - Server Params struct (Server Key Exchange Message)  We know the clear-text message on which the signature is applied  We have the public key of server and can decrypt the signature from the TLS Server Key Exchange  If there is a mismatch between the decrypted signature and the expected plain-text value, we have found what we are looking for
yes Collect all TLS messages up to Server Key Exchange TLS < 1.2? Generate offline two hash (MD5 and SHA1) of Client Random + Server Random + Server Param values (O_S1) Concatenation of the MD5 and SHA1 hashes to get the (O_S2) value Use the public key from the certificate to decrypt the signature value exposed on TLS Server Key Exchange (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S2 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes How to check if a digital signature is invalid? (TLS < 1.2)
How to check if a digital signature is invalid? (TLS 1.2) yes Collect all TLS messages up to Server Key Exchange TLS 1.2? Parse the TLS Server Key Exchange Message to extract the algorithm with which the signature has been created from server (ALG_x) Generate offline a hash using the algorithm ALG_x on Client Random + Server Random + Server Param values (O_S1) Use the public key from the certificate to decrypt the signature value exposed in the Server Key Exchange Message (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S1 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes
What else? • How RSA works • RSA-CRT optimization • 2nd DEMO
How RSA works • c = ciphertext • m = message to encrypt • n, e = public key • e = little exponent (usually a value such as 3 or 65537) • n = big semiprime number (p * q) (p and q are said "prime factors") • d = inverse_mod(e,(p-1) * (q-1)) private key mathematically tied with n • getting “p” and “q” a private key can be recovered because "e" is already a public information encryption = c = m^e mod n decryption = m = c^d mod n
RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = ? n = p * q d = inverse_mod(e,(p-1) * (q-1))
RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = 11  77 / 7 • 77 / 11 = 7 (p) • 7 x 11 = 77 (n) n = p x q d = inverse_mod(e,(p-1) x (q-1))
RSA-CRT • RSA-CRT (CRT stands for Chinese Remainder Theorem) • With this optimization the RSA calculation is broken down into two smaller parts
RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
DEMO TIME (PART 2)(enter Piciolla...)
The bottom line • IF:  you have a piece of software linked to a vulnerable crypto library using RSA- CRT &&  that crypto library does not verify the correctness of each RSA signature generated &&  environmental factors occur (CPU overheating, RAM error, etc...) causing the miscalculation of a RSA signature • THEN you might be in trouble…
The Fix • A few of crypto libraries allow users to disable RSA-CRT (not convenient due to performance issues) • Most vendors have recently issued a patch to address this problem Double-checks the correctness of RSA signatures without RSA-CRT optimization: if (y^e = x (mod n)) then signature_valid
Vulnerable crypto libraries PolarSSL < 2.1.1, 1.3.13 and 1.2.16: MBEDTLS_RSA_NO_CRT can be defined to disable RSA-CRT but this option is off by default) libgcrypt < 1.6.3 (equivalent to CVE-2015-5738) Nettle < 3.1: used by GnuTLS Java SE < 5.0u81, 6u91, 7u76, 8u40, and JRockit < R28.3.5 (CVE- 2015-0478) EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, RSA BSAFE Crypto-C Micro Edition (CCME) 4.0.x and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2.1, RSA BSAFE SSL-J before 6.2.1, and RSA BSAFE SSL-C before 2.8.9 (CVE-2016-0887)
Vulnerable crypto libraries (2) OpenSSL <= 0.9.7 and *potentially* between 1.0.2 and 1.0.2d because of CVE-2015-3193 only on x86_64 architectures + custom versions Go crypto library < 1.6.2 Cryptlib up to latest 3.4.3 (CRYPT_OPTION_MISC_SIDECHANNELPROTECTION would prevent the attack but it is set to false by default) wolfSSL (formerly CyaSSL) < 3.6.8 (CVE-2015-7744) Libtomcrypt < 2.00 Eldos SecureBlackbox < 13.0.280 and 14.0.281 MatrixSSL < 3.8.3 Openswan up to latest version 2.6.47 vulnerable when not compiled with NSS
Device types mainly affected Embedded devices  Various network appliances (firewalls, routers, etc…)  Consumer / SOHO devices  SSL Accelerators  VPN Concentrators  TLS Reverse Proxies  …
FORTINET (Series 300 / FortiGate < 5.0.13 / 5.2.6 / 5.4.0 observed as vulnerable) Dell (SonicWALL< SonicOS 6.1.1.12 found affected) F5 (Traffix SDC affected) ZTE ZXSEC Firewall (affected models US2640B, US2630B, US2620B) LANCOM wireless devices (version 8.84) <- apparently silently patched since 2014 D-Link-DCS-933L Surveillance camera HILLSTONE NETWORKS (SG-6000 Firewall) CITRIX ZYXEL NORTEL QNO Viprinet BEJY Alteon Affected devices
But remember... •“…a piece of software linked to a vulnerable crypto library using RSA- CRT…” • Wait! Is this problem only related to TLS, right? • No! PFS and RSA are used A LOT in IPSEC VPN (IKE), SSH, etc…
IKEv1 (Internet Key Exchange) • Two modes for Phase 1 (Authentication of peers and Negotiation of SA)  Main  Aggressive • It is believed that only by sniffing the network traffic it is not possible to recover a private key (just as happens for TLS) and an active approach is requested.
IKEv1 Phase 1 Main Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA --> <-- (2) HDR, SA (3) HDR, KE, Ni --> <-- (4) HDR, KE, Nr (5) HDR*, IDii, [ CERT, ] SIG_I --> <-- (6) HDR*, IDir, [ CERT, ] SIG_R * Indicates payload encryption
IKEv1 Phase 1 Aggressive Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA, KE, Ni, IDii --> <-- (2)HDR, SA, KE, Nr, IDir, [ CERT, ] SIG_R (3) HDR, [ CERT, ] SIG_I -->
SPECIAL THANKS Frank Bosman for his nice drawings http://turniphead.deviantart.com Florian Weimer (Red Hat) https://access.redhat.com/blogs/766093/posts/1976703 https://pagure.io/symboldb/tree/tls-experiment
PLEASE VISIT SICILY...
Recover a RSA private key from a TLS session with Perferct Forward Secrecy QUESTIONS? High Voltage & Piciolla – http://www.segfault.it/tools/ Marco Ortisi (2016) Blog – http://www.segfault.it/ thanks!

Empfohlen

Freenetlinks
FreenetlinksFreenetlinks
FreenetlinksWagner Kinera
 
Elektronik
ElektronikElektronik
ElektronikNurul Hayati
 
Mesin bubut
Mesin bubutMesin bubut
Mesin bubutYendi Kesuma
 
Pembuatan roda gigi lurus
Pembuatan roda gigi lurusPembuatan roda gigi lurus
Pembuatan roda gigi lurusIndra Cecen
 
Poros dan Pasak
Poros dan PasakPoros dan Pasak
Poros dan PasakJulita Anggrek
 
Curso mei 564 detección de fallas en montacargas
Curso mei 564 detección de fallas en montacargasCurso mei 564 detección de fallas en montacargas
Curso mei 564 detección de fallas en montacargasProcasecapacita
 
Alat Perkakas Tangan Teknik Pengelasan.pptx
Alat Perkakas Tangan Teknik Pengelasan.pptxAlat Perkakas Tangan Teknik Pengelasan.pptx
Alat Perkakas Tangan Teknik Pengelasan.pptxkinawelding
 
Dasar gambar teknik
Dasar gambar teknikDasar gambar teknik
Dasar gambar teknikMOSES HADUN
 

Empfohlen

Freenetlinks
FreenetlinksFreenetlinks
FreenetlinksWagner Kinera
 
Elektronik
ElektronikElektronik
ElektronikNurul Hayati
 
Mesin bubut
Mesin bubutMesin bubut
Mesin bubutYendi Kesuma
 
Pembuatan roda gigi lurus
Pembuatan roda gigi lurusPembuatan roda gigi lurus
Pembuatan roda gigi lurusIndra Cecen
 
Poros dan Pasak
Poros dan PasakPoros dan Pasak
Poros dan PasakJulita Anggrek
 
Curso mei 564 detección de fallas en montacargas
Curso mei 564 detección de fallas en montacargasCurso mei 564 detección de fallas en montacargas
Curso mei 564 detección de fallas en montacargasProcasecapacita
 
Alat Perkakas Tangan Teknik Pengelasan.pptx
Alat Perkakas Tangan Teknik Pengelasan.pptxAlat Perkakas Tangan Teknik Pengelasan.pptx
Alat Perkakas Tangan Teknik Pengelasan.pptxkinawelding
 
Dasar gambar teknik
Dasar gambar teknikDasar gambar teknik
Dasar gambar teknikMOSES HADUN
 
Panduan FYP Adtec Shah Alam
Panduan FYP Adtec Shah AlamPanduan FYP Adtec Shah Alam
Panduan FYP Adtec Shah AlamKota Kinabalu
 
Diklat elemen mesin
Diklat elemen mesinDiklat elemen mesin
Diklat elemen mesinEko Purwanto
 
lks2021-cnc turning-soal modul-3
lks2021-cnc turning-soal modul-3lks2021-cnc turning-soal modul-3
lks2021-cnc turning-soal modul-3didik iswanto
 
Buku jurus cepat belajar inventor.docx
Buku jurus cepat belajar inventor.docxBuku jurus cepat belajar inventor.docx
Buku jurus cepat belajar inventor.docxSarwanto.S.Pd.T
 
Materi 8 fungsi g81 g82 g83
Materi 8 fungsi g81 g82 g83Materi 8 fungsi g81 g82 g83
Materi 8 fungsi g81 g82 g83Edi Sutanto
 
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...Thorne & Derrick International
 
pengubah tenaga sistem bendalir
pengubah tenaga sistem bendalirpengubah tenaga sistem bendalir
pengubah tenaga sistem bendalirWan Nurhidayati Wan Johari
 
Secure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemSecure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemAvishek Datta
 
Linkedin slides april 2015 pm
Linkedin slides april 2015 pmLinkedin slides april 2015 pm
Linkedin slides april 2015 pmPeter Mayo
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceSmart Coders
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420Oli Deakin
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...Robert Parker
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковAvitoTech
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)Anjali Agrawal
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Automation and ansible
Automation and ansibleAutomation and ansible
Automation and ansibleBoaventura Rodrigues Neto
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5Irsandi Hasan
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time PasswordAta Ebrahimi
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanjbminn
 

Weitere ähnliche Inhalte

Was ist angesagt?

Panduan FYP Adtec Shah Alam
Panduan FYP Adtec Shah AlamPanduan FYP Adtec Shah Alam
Panduan FYP Adtec Shah AlamKota Kinabalu
 
Diklat elemen mesin
Diklat elemen mesinDiklat elemen mesin
Diklat elemen mesinEko Purwanto
 
lks2021-cnc turning-soal modul-3
lks2021-cnc turning-soal modul-3lks2021-cnc turning-soal modul-3
lks2021-cnc turning-soal modul-3didik iswanto
 
Buku jurus cepat belajar inventor.docx
Buku jurus cepat belajar inventor.docxBuku jurus cepat belajar inventor.docx
Buku jurus cepat belajar inventor.docxSarwanto.S.Pd.T
 
Materi 8 fungsi g81 g82 g83
Materi 8 fungsi g81 g82 g83Materi 8 fungsi g81 g82 g83
Materi 8 fungsi g81 g82 g83Edi Sutanto
 
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...Thorne & Derrick International
 

Was ist angesagt? (7)

Panduan FYP Adtec Shah Alam
Panduan FYP Adtec Shah AlamPanduan FYP Adtec Shah Alam
Panduan FYP Adtec Shah Alam
 
Diklat elemen mesin
Diklat elemen mesinDiklat elemen mesin
Diklat elemen mesin
 
lks2021-cnc turning-soal modul-3
lks2021-cnc turning-soal modul-3lks2021-cnc turning-soal modul-3
lks2021-cnc turning-soal modul-3
 
Buku jurus cepat belajar inventor.docx
Buku jurus cepat belajar inventor.docxBuku jurus cepat belajar inventor.docx
Buku jurus cepat belajar inventor.docx
 
Materi 8 fungsi g81 g82 g83
Materi 8 fungsi g81 g82 g83Materi 8 fungsi g81 g82 g83
Materi 8 fungsi g81 g82 g83
 
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
ABB High Voltage Current Limiting Fuse Links Type CEF - ABB Indoor Medium Vol...
 
pengubah tenaga sistem bendalir
pengubah tenaga sistem bendalirpengubah tenaga sistem bendalir
pengubah tenaga sistem bendalir
 

Andere mochten auch

Secure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemSecure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemAvishek Datta
 
Linkedin slides april 2015 pm
Linkedin slides april 2015 pmLinkedin slides april 2015 pm
Linkedin slides april 2015 pmPeter Mayo
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachSarah R. Dowlath
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceSmart Coders
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420Oli Deakin
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...Robert Parker
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковAvitoTech
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)Anjali Agrawal
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5Irsandi Hasan
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanjbminn
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveMorag Hughson
 

Andere mochten auch (20)

Secure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key CryptosystemSecure Encryption Technique (SET): A Private Key Cryptosystem
Secure Encryption Technique (SET): A Private Key Cryptosystem
 
Linkedin slides april 2015 pm
Linkedin slides april 2015 pmLinkedin slides april 2015 pm
Linkedin slides april 2015 pm
 
Aplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approachAplication and Transport layer- a practical approach
Aplication and Transport layer- a practical approach
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a service
 
Unified log-meetup-20160420
Unified log-meetup-20160420Unified log-meetup-20160420
Unified log-meetup-20160420
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...
 
An analysis of TLS handshake proxying
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxying
 
Kubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений ОльковKubernetes в Avito - Евгений Ольков
Kubernetes в Avito - Евгений Ольков
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Automation and ansible
Automation and ansibleAutomation and ansible
Automation and ansible
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time Password
 
Docker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihanDocker ansible-make-chef-puppet-unnecessary-minnihan
Docker ansible-make-chef-puppet-unnecessary-minnihan
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Vpn
VpnVpn
Vpn
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-Dive
 

Ähnlich wie Recover A RSA Private key from a TLS session with perfect forward secrecy

[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...PROIDEA
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!OWASP
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...ghorilemin
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptghorilemin
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoHarry Potter
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoJames Wong
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoYoung Alista
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoDavid Hoen
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoLuis Goldster
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoFraboni Ec
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoTony Nguyen
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 

Ähnlich wie Recover A RSA Private key from a TLS session with perfect forward secrecy (20)

[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
SSL overview
SSL overviewSSL overview
SSL overview
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured Communications
 
03-SSL (1).ppt
03-SSL (1).ppt03-SSL (1).ppt
03-SSL (1).ppt
 
03-SSL (2).ppt
03-SSL (2).ppt03-SSL (2).ppt
03-SSL (2).ppt
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is ppt
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Go paranoid
Go paranoidGo paranoid
Go paranoid
 
Cours4.pptx
Cours4.pptxCours4.pptx
Cours4.pptx
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 

Mehr von Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 

Kürzlich hochgeladen (20)

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 

Recover A RSA Private key from a TLS session with perfect forward secrecy

  • 1.
  • 2. Recover a RSA private key from a TLS session with Perfect Forward Secrecy (Marco Ortisi – 2016)
  • 3. About me • Netizen and IT Security enthusiast since 1996 • Penetration Tester since 1999  In love with buffer overflow flaws  I adore exotic vulnerabilities • Senior/Principal Penetration tester? Just a curious guy • Get in touch with me! marco.ortisi@segfault.it
  • 4.
  • 5. About the topic • Imagine you can get a server private key by sniffing TLS traffic or interacting through the network with a TLS service. Does it look quite exotic? • Done via a side channel attack • Side Channel Attack – from Wikipedia • “…any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system…”
  • 6. Roadmap Introduction First demo More insight into the attack Second demo Greetings and questions
  • 7. The attack and roots with the past • (1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF)
  • 8. What is a RSA signature • RSA encryption  public key is used to encrypt a message  private key is used to decrypt that message • RSA signing  private key is used to sign a value (actually it is an encryption operation)  public key is used to decrypt that value
  • 9. The attack and roots with the past • 1996) Arjen Lenstra demonstrated that the usage of the so-called CRT (Chinese Remainder Theorem) optimization put the RSA implementations at great risk (aka private key leakage) if a fault occurred during the computation of a digital RSA signature. (https://infoscience.epfl.ch/record/164524/files/nscan20.PDF) • (200x?) - Attack conjectured as possible on smartcards if someone has physical access to the device and can disrupt the math behind the RSA operations
  • 10. The attack and roots with the past • (2001) OpenPGP Attack (http://eprint.iacr.org/2002/076.pdf). a) get a local copy of file containing the encrypted private key; b) tamper with it in order to introduce faulty bits; c) capture a single message subsequently signed with the modified encrypted private key (for example an email); d) enjoy your leaked private key  • (2015) by targeting TLS, Florian Weimer (Red Hat) unveiled the attack can have remote impacts. https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
  • 12. Recover a RSA private key: Prerequisites • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
  • 13. What if the attack is successful? • Private key is exposed • The real server can be impersonated • Man-in-The-Middle attack can be performed without alarming the legitimate clients
  • 14. What if the attack is successful?
  • 15. DEMO TIME (PART 1)(enter High Voltage!)
  • 18. A Little Recap • (a) Presence of a RSA signature calculated using the RSA-CRT optimization… • (b) The signature must be applied on values known by the attacker… • (c) Generated signature faulty/miscalculated…
  • 19. (a) RSA Signature with RSA-CRT • The modular exponentiations required by RSA are computationally expensive • RSA-CRT introduced a less expensive way to do RSA operations (decryption and signing) • RSA-CRT is used by default in almost every known crypto library out there (openssl, OpenJDK, libgcrypto, PolarSSL, etc…) • Condition (a) is normally satisfied
  • 20. (b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable
  • 21. (b) PKCS 1.5 Padding • Payload: 0D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759EDD89931B 2208B8044CB4A1B96A • Padded Payload (RSA 2048 bit): 0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFF000D3F8FF87A4D697E73FE86077FD1D10C4ECC59797E759E DD89931B2208B8044CB4A1B96A
  • 22. (b) Signature calculated on known values • We define “X” as the value to be signed • Padding can influence the final “shape” of “X” before being signed and make this unpredictable… • …but with SSL3.0, TLS 1.0, 1.1 and 1.2 the padding scheme (a variant of PKCS1.5) is fully deterministic (not randomized) and then predictable • Data signed must be known. This is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
  • 23. (c) Presence of faulty signature • We identify a faulty RSA signature with the letter “Y” • Events causing the generation of a faulty digital RSA signature can't be predicted but they are out there • Induced by the same vectors like in a typical bit-squatting attack:  CPU overheating  RAM errors  massive exposure of hardware to solar rays  etc…
  • 24. The right ciphersuite... • Prerequisite (b) – Signature calculated on known values • The condition (b) is ALWAYS satisfied in our attack if we carefully target the right ciphersuites
  • 25. The right ciphersuite... • RSA_WITH_AES_256_CBC_SHA  RSA = Authentication + Key Exchange  AES = Symmetric algorithm used to encrypt data  CBC = Mode of operation  SHA = Hashing algorithm to avoid data tampering • RSA private key leaked = all TLS sessions compromised (current, past and future ones) • The “Certificate” message contains a Signature created with the private key of CA  statically embedded inside the certificate (not generated on the fly)  the condition (b) is not satisfied
  • 26. The right ciphersuite... • DHE_RSA_WITH_AES_256_CBC_SHA  DHE = Key Exchange  RSA = Only used for Authentication  [the rest is the same as previously mentioned] • The key exchange is done using private/public keys generated on the fly  Compromission of a private key breaks only that specific encrypted session, not all the previously established  This is called "Perfect Forward Secrecy"
  • 27. PFS fits REALLY perfectly to us • RSA signature appended onto a TLS Server Key Exchange Message
  • 28. PFS fits REALLY perfectly to us • A RSA signature is appended on a TLS Server Key Exchange Message • The values on which it is calculated are well known, padding scheme is deterministic  Client Random struct (Client Hello Message)  Server Random struct (Server Hello Message)  Server Params struct (Server Key Exchange Message) • DHE_RSA_WITH_AES_256_CBC_SHA and in general [EC]DHE_RSA_WITH_ANY_ANY_ANY ciphersuites are good for us  The condition (b) is satisfied this time
  • 29. TLS Client Hello (PFS ciphersuites only negotiation) How High Voltage! works...
  • 30. TLS Server Hello How High Voltage! works...
  • 31. TLS Server Certificate n e How High Voltage! works...
  • 32. TLS Server Key Exchange How High Voltage! works...
  • 33. TLS Server Key Exchange Client Random Struct (Client Hello Message) Server Random Struct (Server Hello Message) Server Param Struct (Key Exchange Message) How High Voltage! works...
  • 34. Attacking TLS abusing PFS • Because of “(c) Presence of faulty signature”, the attack can be carried out only when a RSA signature is faulty. How to determine that? • Looking for faulty signatures:  We know padding scheme (PKCS 1.5) and the values on which the server calculates its signature - Client Random struct (Client Hello Message) - Server Random struct (Server Hello Message) - Server Params struct (Server Key Exchange Message)  We know the clear-text message on which the signature is applied  We have the public key of server and can decrypt the signature from the TLS Server Key Exchange  If there is a mismatch between the decrypted signature and the expected plain-text value, we have found what we are looking for
  • 35. yes Collect all TLS messages up to Server Key Exchange TLS < 1.2? Generate offline two hash (MD5 and SHA1) of Client Random + Server Random + Server Param values (O_S1) Concatenation of the MD5 and SHA1 hashes to get the (O_S2) value Use the public key from the certificate to decrypt the signature value exposed on TLS Server Key Exchange (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S2 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes How to check if a digital signature is invalid? (TLS < 1.2)
  • 36. How to check if a digital signature is invalid? (TLS 1.2) yes Collect all TLS messages up to Server Key Exchange TLS 1.2? Parse the TLS Server Key Exchange Message to extract the algorithm with which the signature has been created from server (ALG_x) Generate offline a hash using the algorithm ALG_x on Client Random + Server Random + Server Param values (O_S1) Use the public key from the certificate to decrypt the signature value exposed in the Server Key Exchange Message (S_S1) Remove the padding from S_S1 to get the raw signature (S_S2) Compare O_S1 and S_S2 Is there a match? Repeat the TLS handshake Try to recover the private key no yes
  • 37. What else? • How RSA works • RSA-CRT optimization • 2nd DEMO
  • 38. How RSA works • c = ciphertext • m = message to encrypt • n, e = public key • e = little exponent (usually a value such as 3 or 65537) • n = big semiprime number (p * q) (p and q are said "prime factors") • d = inverse_mod(e,(p-1) * (q-1)) private key mathematically tied with n • getting “p” and “q” a private key can be recovered because "e" is already a public information encryption = c = m^e mod n decryption = m = c^d mod n
  • 39. RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = ? n = p * q d = inverse_mod(e,(p-1) * (q-1))
  • 40. RSA: Rule 1 Gaining a prime factor of n (whatever of the two) we can determine very easily the other one and recover the private key • n = 77 (the public key into the certificate) • p = 7 (leaked prime factor) • q = 11  77 / 7 • 77 / 11 = 7 (p) • 7 x 11 = 77 (n) n = p x q d = inverse_mod(e,(p-1) x (q-1))
  • 41. RSA-CRT • RSA-CRT (CRT stands for Chinese Remainder Theorem) • With this optimization the RSA calculation is broken down into two smaller parts
  • 42. RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
  • 43. RSA-CRT • Precompute the following values: qInv = (1/q) mod p dP = d (mod p - 1) dQ = d (mod q - 1) • …and next calculate: m1 = c^dP mod p m2 = c^dQ mod q h = qInv.(m1 - m2) mod p m = m2 + h.q If during m1 or m2 calculation there is a fault, a faulty RSA signature is generated and one prime factor can be leaked with this formula: gcd(y^e – x, n)
  • 44. RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
  • 45. RSA-CRT: Rule 2 We can leak a prime factor of n from a faulty signature when RSA-CRT is used for signing: y = faulty/miscalculated signature (this can be taken directly from the TLS Server Key Exchange message) e = public exponent (found inside the Certificate) x = the original value before to be signed (it is padded but PKCS 1.5 padding scheme is deterministic) n = public key (p * q) (found inside the Certificate) • When one of the prime factors is known... derived_prime_factor = n / leaked_prime_factor • When leaked_prime_factor and derived_prime_factor are known, p and q are known d = inverse_mod(e,(prime_factor_P - 1) * (prime_factor_Q -1 )) gcd(y^e – x, n)
  • 46. DEMO TIME (PART 2)(enter Piciolla...)
  • 47. The bottom line • IF:  you have a piece of software linked to a vulnerable crypto library using RSA- CRT &&  that crypto library does not verify the correctness of each RSA signature generated &&  environmental factors occur (CPU overheating, RAM error, etc...) causing the miscalculation of a RSA signature • THEN you might be in trouble…
  • 48. The Fix • A few of crypto libraries allow users to disable RSA-CRT (not convenient due to performance issues) • Most vendors have recently issued a patch to address this problem Double-checks the correctness of RSA signatures without RSA-CRT optimization: if (y^e = x (mod n)) then signature_valid
  • 49. Vulnerable crypto libraries PolarSSL < 2.1.1, 1.3.13 and 1.2.16: MBEDTLS_RSA_NO_CRT can be defined to disable RSA-CRT but this option is off by default) libgcrypt < 1.6.3 (equivalent to CVE-2015-5738) Nettle < 3.1: used by GnuTLS Java SE < 5.0u81, 6u91, 7u76, 8u40, and JRockit < R28.3.5 (CVE- 2015-0478) EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, RSA BSAFE Crypto-C Micro Edition (CCME) 4.0.x and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2.1, RSA BSAFE SSL-J before 6.2.1, and RSA BSAFE SSL-C before 2.8.9 (CVE-2016-0887)
  • 50. Vulnerable crypto libraries (2) OpenSSL <= 0.9.7 and *potentially* between 1.0.2 and 1.0.2d because of CVE-2015-3193 only on x86_64 architectures + custom versions Go crypto library < 1.6.2 Cryptlib up to latest 3.4.3 (CRYPT_OPTION_MISC_SIDECHANNELPROTECTION would prevent the attack but it is set to false by default) wolfSSL (formerly CyaSSL) < 3.6.8 (CVE-2015-7744) Libtomcrypt < 2.00 Eldos SecureBlackbox < 13.0.280 and 14.0.281 MatrixSSL < 3.8.3 Openswan up to latest version 2.6.47 vulnerable when not compiled with NSS
  • 51. Device types mainly affected Embedded devices  Various network appliances (firewalls, routers, etc…)  Consumer / SOHO devices  SSL Accelerators  VPN Concentrators  TLS Reverse Proxies  …
  • 52. FORTINET (Series 300 / FortiGate < 5.0.13 / 5.2.6 / 5.4.0 observed as vulnerable) Dell (SonicWALL< SonicOS 6.1.1.12 found affected) F5 (Traffix SDC affected) ZTE ZXSEC Firewall (affected models US2640B, US2630B, US2620B) LANCOM wireless devices (version 8.84) <- apparently silently patched since 2014 D-Link-DCS-933L Surveillance camera HILLSTONE NETWORKS (SG-6000 Firewall) CITRIX ZYXEL NORTEL QNO Viprinet BEJY Alteon Affected devices
  • 53. But remember... •“…a piece of software linked to a vulnerable crypto library using RSA- CRT…” • Wait! Is this problem only related to TLS, right? • No! PFS and RSA are used A LOT in IPSEC VPN (IKE), SSH, etc…
  • 54. IKEv1 (Internet Key Exchange) • Two modes for Phase 1 (Authentication of peers and Negotiation of SA)  Main  Aggressive • It is believed that only by sniffing the network traffic it is not possible to recover a private key (just as happens for TLS) and an active approach is requested.
  • 55. IKEv1 Phase 1 Main Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA --> <-- (2) HDR, SA (3) HDR, KE, Ni --> <-- (4) HDR, KE, Nr (5) HDR*, IDii, [ CERT, ] SIG_I --> <-- (6) HDR*, IDir, [ CERT, ] SIG_R * Indicates payload encryption
  • 56. IKEv1 Phase 1 Aggressive Mode (Signature Auth) IKE Phase 1 Authenticated With Signatures Initiator Responder ----------- ----------- (1) HDR, SA, KE, Ni, IDii --> <-- (2)HDR, SA, KE, Nr, IDir, [ CERT, ] SIG_R (3) HDR, [ CERT, ] SIG_I -->
  • 57. SPECIAL THANKS Frank Bosman for his nice drawings http://turniphead.deviantart.com Florian Weimer (Red Hat) https://access.redhat.com/blogs/766093/posts/1976703 https://pagure.io/symboldb/tree/tls-experiment
  • 59. Recover a RSA private key from a TLS session with Perferct Forward Secrecy QUESTIONS? High Voltage & Piciolla – http://www.segfault.it/tools/ Marco Ortisi (2016) Blog – http://www.segfault.it/ thanks!