The Security Newsletter

N°12/ Winter 2009
The Security Newsletter
In this issue
INTRODUCTION
The news
- DNSSEC starts to deploy
- A new partnership for asynchronous
chips
- 3D chips stacking
2
2
Latest attack on WPA
3
Attack on Intel TXT
4
Attack on BGP
4
2
Forging SSL certificates 5
Published Quarterly By:
Thomson’s Corporate Research - part
of the Licensing, Research & Innovation
Division
Technical Editor:
Eric Diehl
Editors:
Sharon Ayalde
Natalie Hamrick
Contributors:
Patrice Auffret
Olivier Courtay
Mohamed Karroumi
Sylvain Lelievre
Nicolas Prigent
VP and Head of Corporate Research:
Gary Donnan
LR&I Head:
Beatrix de Russé
Email and to subscribe:
[email protected]
Copyright Thomson 2008
“Is DRM dead?” I have answered this question countless times, but this quarter it was much
more frequent. Once more, Apple bears the hit. In February 2007, the CEO of Apple, Steve
Jobs, shared his thoughts on music1. To solve the problem of interoperability of digital music,
he foresaw three alternatives: the status-quo, widely license Apple’s DRM FairPlay, or sell
DRM free music. He clearly favored the third solution.
At the beginning of 2009, Apple started the movement - iTunes selling its catalog as DRM
free music. Will other merchants follow? Warner France announced their two sites, Fnac
Music and Virgin Media, would sell DRM free songs. Nevertheless, it is only a trial. The final
decision will be made in 2010.
Is the game over? For music, it is probably true, as the market share of iTunes is so dominant.
Furthermore, the iTunes catalog exceeds 8 million titles and it will be difficult for other
merchants not to follow this trend. Also, the audio industry is looking for alternative solutions,
such as music access or sponsored listening2.
Can we extrapolate this trend to video DRM? The answer is no - music and video are
different.
• Making a blockbuster is far more expensive than recording an album and these investments
need to be protected.
• Musicians have additional sources of revenue, such as concerts. Many years ago, concerts
were the main revenue stream and discs were promotional. However, actors do not have
such alternate revenue streams.
• The release of a music album is worldwide and internationalization
simply requires a new cover. Worldwide releasing of movies is rare,
as subtitling or dubbing can be expensive and lengthier.
• Music sells with basic versioning: a unique song, album, or collector.
Movies use more complex versioning. Furthermore, the window
release system is defined by a complex set of legal agreements that
require enforcement.
These differences highlight that video still may need DRM for some
time.
Eric Diehl
Domain Director, Security
1
The Security Newsletter
N°12/ Winter 2009
reduces power consumption. It also reduces noise and gives more
resistance to power fluctuation. Therefore, it will lead to better
resistance to known side channel attacks such as DPA or DFA.
The News
DNSSEC starts to deploy
The DNS (Domain Name Service)
translates
human-manageable
addresses (e.g. www.thomson.net) into
internet-manageable IP addresses. A
few months ago, security researcher Dan
Kaminsky presented an attack against
DNS3 that allowed the corruption of DNS servers, for instance, to
impersonate servers on the Internet. Although Dan Kaminsky and
most of the DNS software companies quickly provided a solution
prior to the official disclosure of the attack, DNSSEC4 is the only
long-term efficient solution. By cryptographically extending DNS,
DNSSEC allows the authentication of DNS information and thus
prevents unauthorized modification.
A few weeks after Dan Kaminsky’s presentation, the US Office of
E-Government and Information Technologies decided that DNSSEC
should be deployed in the full .gov top-level domain (TLD) before
the end of 2009. This will be the first time that DNSSEC is fully
deployed in a TLD. The first benefit of this deployment is of course
to authenticate the addresses of the servers whose names end in
.gov. However, a longer-term objective is to encourage Internet
Service Providers (which DNS cache servers are considered as
the principal target for the attacks) to deploy DNSSEC. Indeed,
once the .gov TLD uses DNSSEC, ISPs will have an incentive in
using DNSSEC-compliant cache servers. Similarly, once ISPs have
DNSSEC compliant cache servers, other top-level domains will
have incentives to deploy DNSSEC.
Deploying DNSSEC in the .gov domain is
a very positive initiative. Nevertheless,
extending it to other domains may be more
complex. Indeed, other TLDs (such as.com
for instance) contain even more domains
and are more dynamic. Furthermore, domains that belong to the
.gov TLD are strongly controlled. Only official US agencies can
register a name in the .gov domain. This control is weaker in
the .com domain, for instance, where almost anyone can obtain a
name. Consequently, complete and efficient DNSSEC deployment
may take much more time.
> N. PRIGENT
A new partnership for asynchronous chips
A partnership between contactless chipmaker Inside Contactless
and Tiempo, a French company specializing in asynchronous ICs,
is looking at designing the next generation
chip that incorporates asynchronous
technology. The new chip will use
Tiempo’s clockless and delay insensitive
technology. This technology provides
significant gains in performance and
• Power (or electromagnetic) signature of the chip is strongly
reduced. Power traces are thus more difficult to resynchronize.
• No glitch attack can be applied to the clock signal. Manipulating
the power supply has little effect or may lead to deadlocks that
are not exploitable.
This inherent protection can be improved by adding extra
countermeasures during the chip design5.
Tiempo already proposes core IPs for the implementation
of microcontrollers (16-bit) and cryptoprocessors (DES) with
asynchronous logic. Last November, they announced a prototype
chip that implements its TAM16 microcontroller.
> S. LELIEVRE
3D chips stacking
3D chip stacking is a new trend that extends the functionality of a
chip while keeping or reducing its size. It allows the splitting of a
large system-on-chip into a stacked-die system.
Products already exist (memory chip in particular) that use wire
bonding to interconnect identical stacked dies. The capability
to produce thinner and thinner dies enables the stacking up of
approximately 20 dies.
IMEC, a European leading independent nanoelectronics research
institute recently demonstrated the first functional 3D integrated
circuits using its 3D stacked IC technology (3D-SIC). The dies
interconnections are 5µm copper through-silicon via (TSV) passing
completely through a silicon wafer or die. This reduces the size of
the chip compared to traditional wire bonding.
Furthermore,
this
technology leads to
better resistance of
the chip against a
physical attack by chip
observation or micro
Figure 1: Stacked IC
probing. Each stacked
die uses smaller and smaller dimension processes and may use
several metallization layers. Reverse engineering this type of
component will require more sophisticated equipment and skills.
Unfortunately, this ever-shrinking and complex process
technology requires new testing equipment. Once available on
the secondhand market, the equipment will likely be used by the
most motivated and funded attackers!
> S. LELIEVRE
2
The Security Newsletter
N°12/ Winter 2009
Latest attack on WPA
During the PacSec 2008 conference held last
November in Tokyo, Japan, researchers Martin
Beck and Erik Tews presented the first practical
attack6 against WPA-TKIP, one of the two
protocols proposed to replace WEP to protect WiFi networks. WPA-TKIP7 is a modified version of WEP designed
for legacy Wi-Fi hardware and it mitigates the attacks against
WEP by using:
1. A key-scheduling algorithm to diversify the keys provided to
RC4 to generate the key-stream.
2. Michael, a new Message Integrity Code (MIC), is appended
to the end of the message before the CRC computation and used
in addition to the original WEP CRC value. Although it is more
secure than CRC, it is still reversible.
3. An anti-replay mechanism that discards messages arriving
out of order and resets the communication channel (requiring
rekeying) if more than two messages having a correct CRC but an
incorrect MIC are received.
Despite these counter-measures, Beck and Tews have adapted
the “chopchop attack”8 that worked against WEP in order to work
against WPA-TKIP.
In the traditional chopchop attack,
the attacker eavesdrops on an
encrypted frame protected by WEP,
but the content is easily guessable
(ARP messages are targets of choice
in this case) and uses the access point
as an oracle to obtain the clear content of the frame, and thus the
key-stream encrypting the frame. The attacker first removes the
last byte of the content in the message and makes a hypothesis
on what its clear value could be, and then recomputes a new CRC
based on the original encrypted message, the encrypted CRC and
the supposed value (details can be found here9).
The attacker then generates a new frame by concatenating the
encrypted shortened message and the recomputed CRC and
sends this frame to the access point. According to the accesspoint reaction, the attacker knows if their hypothesis was valid.
If the hypothesis was not valid, the attacker makes another
hypothesis and redoes the operation. If the hypothesis is correct,
the attacker goes on with the other bytes of the message. In the
worst case, the attacker needs to send 256 messages to obtain a
byte of clear data, and 128 messages on average. At the end of
the process, the attacker knows the clear-text message as well as
the key-stream in which it was encrypted.
WPA-TKIP’s mitigation features 2 and 3 previously described
should prevent the chopchop attack. Indeed, feature 2 requires
that messages arriving out of order are
dropped. Consequently, the attacker could
not reuse the eavesdropped message.
However, Beck and Tews have taken benefits
of 802.11e, recent Quality of Service (QoS)
features mandatory in any 802.11n access
points. 802.11e uses different channels to
offer QoS, and each of these channels has its
own counter. The idea is then to eavesdrop
on a message on a busy channel since its counter will be high,
and to make the trial-and-error operations on a less busy channel
where its counter is lower.
Nonetheless, feature 3 should block the chopchop attack that
will indeed send many packets to the access point with incorrect
MIC. Once again, Beck and Tews circumvented the protection.
They consider the MIC as being a normal part of the message
and apply the chopchop mechanism to it. The only difference is
that if the guess is correct, then the CRC is correct, and the MIC
is wrong. The access point then sends a MIC failure message,
informing the attacker that indeed they were right. To prevent the
rekeying (feature 3), the attacker simply waits one minute before
the next guess.
Due to the way a WPA-TKIP packet is organized, the attacker
only needs 12 rounds of the chopchop algorithm to obtain enough
decrypted information to easily brute-force offline the information
that is still encrypted in an ARP packet.
At the end of the process, the attacker knows the clear-text
message, the key stream, and the MIC value. Because Michael
is reversible, it is possible to discover the MIC key. Using the keystream and this MIC key, the attacker can inject a single message
(the length does not exceed the length of the eavesdropped
message) on each of the 802.11e channels, where counter value
is still less than the eavesdropped message. In other words,
the attacker can, at most, inject seven short messages on the
networks. Currently, there is no recognized way to inject arbitrary
traffic on WPA-TKIP-protected networks, nor there is a way to
obtain the WPA key.
This attack is important since it is the first
practical attack against WPA-TKIP and it may
lead to other attacks. However, WPA-TKIP
should not be considered broken. Since this
attack does not affect WPA-CCMP, the version of WPA that uses
the AES encryption algorithm, we also believe that it would be
more secure to switch to this protection method.
As a conclusion, two lessons can be learned: First, tweaking an
insecure protocol does not make it secure. Second, even for the
slightest modifications made to a system (in this case, using more
channels to ensure QoS), one should always consider the security
implications. It is so easy to open a back door.
> N. PRIGENT
3
The Security Newsletter
N°12/ Winter 2009
Attack on Intel TXT
Many actors in computer data security are
aiming at hardware-based security. The most
known and used hardware component is the
so-called Trusted Platform Module (TPM).
TPM is the heir of the contested TCPA/
Palladium project initiated by Microsoft.
The TPM specifications are defined by the
Trusted Computing Group (TCG). The most known application
using TPM is BitLocker™. BitLocker encrypts hard disk under
Vista™. The secret key is securely stored by the TPM.
However, hardware-based security is never 100% guaranteed. It
is possible to reset the TPM1.1 without resetting the Operating
System. TPM 1.2 solves this issue but is only available on new
computers.
Manufacturers such as Intel or AMD are now
integrating hardware security in the heart
of their architectures (i.e. in the processor
and in the motherboard). Recent Intel
computers dedicated to the professional
market include Active Management Technology (AMT) and
Trusted eXecution Technology (TXT). These technologies are a
combination of hardware-based components and software. Intel
has built a complete security solution that allows the deployment
of security updates on computers - even when powered off. This
solution also enables the detection of a virus in the OS without
any detection software running on this OS. The anti-virus
software runs in parallel with the OS. The hardware guarantees
the integrity of the anti-virus.
Yet, the deployment is slow: If AMT is already being used to
manage large computer parks by some companies, TXT is not
really used today. Nevertheless, Intel
already ships its computer with this
technology. TXT may create a secure
environment for operating system
execution, especially at boot and for
virtualization purposes. Intel provides
Tboot, (for Trusted Boot) a software
based on TXT functionality.
Joanna Rutkowska, a recognized expert in trusted computing,
recently announced that she would explain how to divert Tboot
at the next Black Hat conference10. Details are not yet known,
however we are confident about the reality of the flaw.
Tboot developers argue that the software is still under development
and that they are aware of some potential flaws – and perhaps
Rutkowska has discovered one of them.
Some hypotheses have circulated regarding the discovered
flaw. Tboot seems to use virtual addresses instead of physical
addresses. The attack may exploit a flaw in the management
of this mode. Tboot cannot be directly attacked, as the attacker
should first find a flaw in the xen™ hypervisor (Rutkowska seems
to have found a least one).
It is important to emphasize that even if Rutkowska has virtually
broken Tboot, she is still confident that TXT will be a key
technology for trusted computing in the future.
> O. COURTAY
Attack on BGP
At the last DEFCON Las Vegas, researchers
Alex Pilosov and Tony Kapela11 demonstrated
the ease of implementing an Internet-scale
man in the middle attack. This was shown
with a live demo, by redirecting traffic for all
DEFCON attendees to their own network, all
of that in a stealth manner.
Border Gateway Protocol (BGP) is a route exchange protocol
between Autonomous Systems (AS). Every large company has its
own AS along with their own routing architecture. To make an
Internet Protocol (IP) frame travel from source to destination, the
route needs to be communicated across the entire Internet. This
is the purpose of BGP.
Each AS exchanges IP network routes with its neighbors using
BGP. Those neighbors then exchange those routes with their own
neighbors, recursively. A route is exchanged and bound to an AS
number, linking an IP prefix to a specific AS. This information
chain is known as the AS-PATH.
Injecting routes is trivial when you have a BGP router. To hijack an
IP network prefix you must announce
an IP prefix more specific than the one
already announced. For example, if the
1.0.0.0/24 prefix is already announced,
you must announce the 1.0.0.0/25 to
hijack it. Spammers use this to send
their junk emails and avoid complaints
being sent to their hosting provider. Although, hijacking in this
manner unveils your AS number. Every skilled Internet user may
identify the AS announcing this more specific route from the ASPATH, and it will be flagged as potentially malicious.
Even worse, legitimate users of the victim IP network prefix will
no longer be able to reach it, thus, the victim network will be
under a Denial of Service (DoS) condition12. Using a tool such as
the traceroute program, legitimate users may be able to trace
back the attacker’s AS.
4
The Security Newsletter
N°12/ Winter 2009
Pilosov and Kapela demonstrated a stealthier technique to execute
the attack. First, they showed a way to mount a true man in the
middle. They insert themselves between legitimate users and
the victim network while the service continues to work. No more
DoS conditions for the victim. The attacker has access to users’
traffic. To ensure success, the attacker must inject routes from
the attacker’s network to the victim’s network and from legitimate
users to the attacker network. The exact details can be found in
their presentation13.
1. A Certification Authority distributes its CA root certificate (the
red one in the figure) via browser vendors to users. This root
certificate is added in a “trust list” on the user’s PC. This means
that all certificates issued by this CA will be trusted by default
by the users.
Another technique used by these researchers is incrementing the
TTL (Time to Live), in order for a traceroute program to be unable
to see hops (IP addresses) used by the attacker. Now, the attack
is almost perfectly invisible. The only way to know if an attack
occurs is by observing BGP route announcements.
3. When a user visits the secure website, the browser asks the
certificate to the web server. If its signature can be verified with
the certificate of a CA in the trust list, the website certificate
will be accepted. The browser then loads the website and all
traffic between the browser and the website will be secured
using SSL.
> P. AUFFRET
2. The website owner purchases a website certificate at the CA
(the white one on the figure). This certificate is signed by the CA
and guarantees the identity of the website to the users.
Forging Certificates
In a previous security newsletter14, an attack
that exploits collisions in MD5 hash function
was presented. The attack was announced
by researchers Marc Stevens, Arjen Lenstra,
and Benne de Weger. As an illustration, they
predicted the outcome of the 2008 US Presidential
elections15.
The same team recently struck again. With the help of other
researchers: Alex Sotriov, Jacob Appelbaum, David Molnar,
Dag Arne Osvik, a better attack was designed16. Using the same
weakness of MD5, they were able to impersonate any secure
website on the Internet, including banking and e-commerce sites
To do so, they trick an official Certificate Authority (CA) and forge
a rogue intermediary CA certificate that was trusted by most
browsers. To better understand the new attack, Figure 2 illustrates
how a SSL website works:
Figure 2: Certificate Issuing Process
Figure 3: The Attack
The attack scenario illustrated by Figure 3 is described below.
1. A legitimate website certificate is obtained by a rogue CA (the
attacker) from a trusted CA (the blue one in the figure).
2. A fake intermediary CA certificate is constructed (the black one
in the figure). It contains the exact signature as the blue website
certificate, thus it appears that it is issued by a trusted CA. Then,
a fake website certificate (the green one in the figure) containing
the genuine website’s identity, but another public key, is created
and signed by the rogue CA. Forging the fake intermediary CA
certificate is the most interesting part in the attack scenario.
Indeed, rogue CA can create unlimited valid website certificates.
It exploits collisions in MD5 hash function. Computation used
about 200 Sony Playstation®3 (PS3) game consoles.
3. A copy of the secure website is constructed and receives the
two fake certificates. Next, known techniques such as phishing
redirect users at this rogue website whose look and feel is
identical to the legitimate one.
4. Finally, the rogue website presents the two fake certificates
to the browser. The signature in the fake website certificate is
5
The Security Newsletter
N°12/ Winter 2009
verified with the fake intermediary CA certificate. This fake CA
certificate is accepted by the browser, as its signature is verified
with the CA root certificate (the red one in the figure) and the user
sees a genuine SSL website!
This attack is possible because some Certificate Authorities are
still signing certificates using MD5. Amongst them are RapidSSL,
RSA Data Security and Verisign. The researchers targeted
RapidSSL because they could predict some of the fields (serial
number and time) of RapidSSL certificates.
The attack is not due to a weakness in SSL. This may affect
any security application that uses MD5 as a collision free hash
function.
Our recommendation is to check which Certification Authority
issued a certificate as well as the root certificate fields. If the
root certificate using MD5 is recent, then it may fall in this attack
scenario. In this case, do not trust the site.
A more efficient measure would be to remove all the certificates
that use MD5 for signing in the trusted list of your browser.
Unfortunately, this operation is not straightforward.
For some time, many researchers have recommended to stop
using MD5. However, despite these warnings, MD5 is still used.
Why does it take so long for some organizations to improve their
security? Unfortunately, in the case of the Internet, negligence
of some may affect every user. Having a more secure Internet
requires the collaboration of all actors and users. Remember Law
7: Security is not stronger than its weakest link.
> M. KARROUMI
Authors
What if your public key was not some random-looking bit string, but
simply your name or email address? This idea, put forward by Adi
Shamir back in 1984, still keeps cryptographers
busy today. Some cryptographic primitives,
like signatures, were easily adapted to this
new “identity-based” setting, but for others,
including encryption, it was not until recently
that the first practical solutions were found.
The advent of pairings to cryptography caused
a boom in the creation of new identitybased schemes. A recent book (shown in the
image above), co-edited by Marc Joye, summarizes the current
state-of-the-art research in this active subfield of cryptographic
research. It covers a broad range of aspects, ranging from the
mathematical background of pairings and the main cryptographic
constructions to software and hardware implementation issues.
This self-contained volume bundles fourteen contributed chapters
written by experts in the field, and is suitable for a wide audience
of scientists, graduate students, and implementers alike.
Where will we be?
* 5th Information Security Practice and
Experience Conference (ISPEC 2009), Xian,
China, April 13-15, 2009
Paper presentation: Hash-based key
management schemes for MPEG4-FGS, by
Mohamed Karroumi and Ayoub Massoudi
* NAB Show, Las Vegas, USA, April 23, 2009
Paper presentation: Image and video fingerprinting: forensic
applications, by Frédéric Lefebvre, Bertrand Chupeau, Ayoub
Massoudi and Eric Diehl
References
Steve Jobs, “Apple - Thoughts on Music,” February 6, 2007, http://
www.apple.com/hotnews/thoughtsonmusic/.
2
“Digital music Report 2009, New business models for a changing
environment” (IFPI, January 2009), http://www.ifpi.org/content/library/
DMR2009.pdf.
3
Patrice AUFFRET, “DNS weakness,” Security Newsletter, no. 11
(September 2008).
4
R. Arends et al., DNS Security Introduction and Requirements (RFC
4033, March 2005), Google Scholar.
5
Y. Monnet et al., “Practical Evaluation of Fault Countermeasures
on an Asynchronous DES Crypto Processor,” in Proceedings of
the 12th IEEE International Symposium on On-Line Testing (IEEE
Computer Society, 2006), 125-130, http://portal.acm.org/citation.
cfm?id=1157732.1157776.
6
M. Beck and E. Tews, “Practical attacks against WEP and WPA,”
in Proceedings of PACSEC 2008 (presented at the PacSec 08, Tokyo,
Japan, 2008).
7
“Temporal Key Integrity Protocol,” in Wikipedia, http://en.wikipedia.
org/wiki/Temporal_Key_Integrity_Protocol.
8
“chopchoptheory [Aircrack-ng],” http://www.aircrack-ng.org/doku.
php?id=chopchoptheory.
9
Ibid.
10
Joanna Rutkowska, “Attacking Intel Trusted Execution Technology,”
invisible things, January 5, 2009, http://theinvisiblethings.blogspot.
com/2009/01/attacking-intel-trusted-execution.html.
11
Anton Kapela and Alex Pilosov, “Stealing The Internet - A Routed,
Wide-area, Man in the Middle Attack,” in DEFCON 16, 2008, https://
www.defcon.org/html/defcon-16/dc-16-speakers.html#Kapela
12
“Pakistan lifts the ban on YouTube,” BBC NEWS, February 26,
2008, Online edition, sec. Technology, http://news.bbc.co.uk/1/hi/
technology/7262071.stm.
13
Anton Kapela and Alex Pilosov, Defcon presentation, 2008, http://
media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_
kapela-pilosov.m4v .
14
Mohamed Karroumi, “Nostradamus predicts next US President,”
Security Newsletter, no. 9 (Spring 2008).
15
Marc Stevens, Arjen Lenstra, and Benne de Weger, “ Predicting
the winner of the 2008 US Presidential Elections using a Sony
PlayStation 3,” November 30, 2007, http://www.win.tue.nl/hashclash/
Nostradamus/.
16
Alexander Sotirov et al., “Creating a rogue CA certificate,” December
30, 2008, http://www.win.tue.nl/hashclash/rogue-ca/.
1
6