728x90

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. The Trusty OS runs on the same processor as the Android OS, but Trusty is isolated from the rest of the system by both hardware and software. Trusty and Android run parallel to each other. Trusty has access to the full power of a device’s main processor and memory but is completely isolated. Trusty's isolation protects it from malicious apps installed by the user and potential vulnerabilities that may be discovered in Android.

Trusty is compatible with ARM and Intel processors. On ARM systems, Trusty uses ARM’s Trustzone™ to virtualize the main processor and create a secure trusted execution environment. Similar support is also available on Intel x86 platforms using Intel’s Virtualization Technology.

Figure 1. Trusty overview diagram.

Trusty consists of:

  • A small OS kernel derived from Little Kernel
  • A Linux kernel driver to transfer data between the secure environment and Android
  • An Android userspace library to communicate with trusted applications (that is, secure tasks/services) via the kernel driver

Note: Trusty and the Trusty API are subject to change. For information about the Trusty API, see the API Reference.

Why Trusty?

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs. The monetary cost combined with unreliable third-party systems creates an unstable ecosystem for Android. Trusty is being provided to its partners as a reliable and free open source alternative for their Trusted Execution Environment. Trusty offers a level of transparency that is just not possible with closed source systems.

Android supports various TEE implementations so you are not restricted to using Trusty. Each TEE OS has its own unique way of deploying trusted applications. This fragmentation can be a problem for trusted application developers trying to ensure their apps work on every Android device. Using Trusty as a standard helps application developers to easily create and deploy applications without accounting for the fragmentation of multiple TEE systems. Trusty TEE provides developers and partners with transparency, collaboration, inspectability of code, and ease of debugging. Trusted application developers can converge around common tools and APIs to reduce the risk of introducing security vulnerabilities. These developers will have the confidence that they can develop an application and have it reused across multiple devices without further development.

Applications and services

A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel. Each process runs in its own virtual memory sandbox utilizing the memory management unit capabilities of the TEE processor. The build of the hardware changes the exact process that Trusty follows, but for example, the kernel schedules these processes using a priority-based, round-robin scheduler driven by a secure timer tick. All Trusty applications share the same priority.

Figure 2. Trusty application overview.

Third-party Trusty applications

Currently all Trusty applications are developed by a single party and packaged with the Trusty kernel image. The entire image is signed and verified by the bootloader during boot. Third-party application development is not supported in Trusty at this time. Although Trusty enables the development of new applications, doing so must be exercised with extreme care; each new application increases the area of the trusted computing base (TCB) of the system. Trusted applications can access device secrets and can perform computations or data transformations using them. The ability to develop new applications that run in the TEE opens up many possibilities for innovation. However, due to the very definition of a TEE, these applications cannot be distributed without some form of trust attached. Typically this comes in the form of a digital signature by an entity trusted by the user of the product on which the application runs.

Uses and examples

Trusted execution environments are fast becoming a standard in mobile devices. Users are relying more and more on their mobile devices for their everyday lives and the need for security is always growing. Mobile devices with a TEE are more secure than devices without a TEE.

On devices with a TEE implementation, the main processor is often referred to as “untrusted”, meaning it cannot access certain areas of RAM, hardware registers, and write-once fuses where secret data (such as, device-specific cryptographic keys) are stored by the manufacturer. Software running on the main processor delegates any operations that require use of secret data to the TEE processor.

The most widely known example of this in the Android ecosystem is the DRM framework for protected content. Software running on the TEE processor can access device-specific keys required to decrypt protected content. The main processor sees only the encrypted content, providing a high level of security and protection against software-based attacks.

There are many other uses for a TEE such as mobile payments, secure banking, multi-factor authentication, device reset protection, replay-protected persistent storage, secure PIN and fingerprint processing, and even malware detection.

 
저작자표시 비영리 변경금지

'ANDROID' 카테고리의 다른 글

When to use guard let rather than if let  (0) 2024.03.11
[Admob] Google Admob 조지기 직전 (197/3.6.27 release)  (0) 2023.12.20
[Trouble Shooting] AccessToken 의 특이점 발견  (31) 2023.08.08
[Android] Classpath 문제 해결하기  (0) 2023.06.26
[Android Update] access_token  (0) 2023.06.20
728x90

 

The group Zp*

Cryptosystems using arithmetic in Zp* include the Diffie-Hellman Key Agreement Protocol and the Digital Signature Algorithm (DSA).
The multiplicative group Zp* uses only the integers between 1 and p - 1 (p is a prime number), and its basic operation is multiplication. Multiplication ends by taking the remainder on division by p; this ensures closure. The multiplicative group Z11* uses the integers from 1 to 10. Multiplication in Z11* finishes by taking the remainder when the result is divided by 11. Here are some examples of multiplication in Z11*:
4 7 mod 11
= 28 mod 11
= 6
9 5 mod 11
= 45 mod 11
= 1.
Thus in Z11*, 4 7 = 6 and 9 5 = 1. Notice that both the calculations shown have answers between 1 and 10.

Multiplicative Inverses

Each number x in a multiplicative group has a multiplicative inverse element in the group; that is an integer x-1 such that x x-1 = 1 in the group. In Z11*, 9-1 = 5 since 9 5 mod 11 = 1.
In a multiplicative group, each element must have a multiplicative inverse. Consider the integers modulo the (composite) number 15. It is possible to define multiplication on the numbers from 1 to 14, always finishing with reduction modulo 15. With this system, the number 6 has no inverse, since there is no number y such that 6 y mod 15 = 1:
  6 0 mod 15 = 0   6 1 mod 15 = 6   6 2 mod 15 = 12   6 3 mod 15 = 3   6 4 mod 15 = 9
  6 5 mod 15 = 0   6 6 mod 15 = 6   6 7 mod 15 = 12   6 8 mod 15 = 3   6 9 mod 15 = 9
  6 10 mod 15 = 0   6 11 mod 15 = 6   6 12 mod 15 = 12   6 13 mod 15 = 3   6 14 mod 15 = 9.
   
  The reason for this is that gcd(6,15) = 3 > 1; a number x has a multiplicative inverse in Zn* only if gcd(x,n) = 1. Only when n is a prime number p will all elements in Zn* have a multiplicative inverse. Thus Zp* is a group only when p is a prime number.

Other operations

While multiplication is the main operation in the multiplicative group Zp*, other operations can be derived from multiplication. For example, the division x / y can be performed as the multiplication x (y-1) mod p. In Z11*, 7 / 9 = 7 9-1 = 7 5 mod 11 = 35 mod 11 = 2.
It is also possible to define exponentiation in Zp* as repeated multiplication. For example, the exponentiation 73 in Z11 can be achieved by multiplying 7 7 7 mod 11 = 343 mod 11 = 2.
저작자표시 비영리 변경금지

'Cryptography' 카테고리의 다른 글

Configuring the HSM to Operate in FIPS Mode  (0) 2024.04.05
HOTP and TOTP  (31) 2024.03.21
Padding oracles and the decline of CBC-mode cipher suites  (115) 2024.03.08
CBC-bit Flipping  (54) 2024.03.08
AES Cipher  (0) 2024.03.07
728x90

At CloudFlare, we’re committed to making sure the encrypted web is available to everyone, even those with older browsers. At the same time, we want to make sure that as many people as possible are using the most modern and secure encryption available to them. Improving the cryptography used by the majority requires a coordinated effort between the organizations building web browsers and API clients and those working on web services like CloudFlare. Cryptography is a two-way street. Even if we support the most secure cryptographic algorithms for our customers, web visitors won’t get the benefit unless their web client supports the same algorithms.

In this blog post we explore the history of one widely used cryptographic mode that continues to cause problems: cipher block chaining (CBC). We’ll explain why CBC has proven difficult to use safely, and how recent trends in the adoption of secure ciphers by web clients have helped reduce the web’s reliance on this technology. From CloudFlare’s own data, we’ve seen the percentage of web clients that support safer cipher modes (such as AEAD) rise from under 50% to over 70% in six months, a good sign for the Internet.

What’s in a block cipher?

Ciphers are usually grouped into two categories: stream ciphers and block ciphers. Stream ciphers encrypt data on a bit-by-bit basis. Plaintext and ciphertext are always the same length. Examples of pure stream ciphers are RC4 and ChaCha20. Although RC4 is no longer considered secure, we can still rely on ChaCha20 as a secure stream cipher for use on the web, but it was only recently standardized by the IETF and therefore does not have broad adoption.

Unlike stream ciphers, which can encrypt data of any size, block ciphers can only encrypt data in "blocks" of a fixed size. Examples of block ciphers are DES (8-byte blocks) and AES (16-byte blocks). To encrypt data that is less than one block long using a block cipher, you have several options. You can either turn the block cipher into a stream cipher (using something called counter mode, more on this later), or you can include extra bytes as padding to align the data to the block size. If the data is longer than one block, then the data needs to be split into multiple blocks that are encrypted separately. This splitting process is where things get tricky.

The naïve approach to encrypting data larger than the block size is called Electronic Code Book (ECB) mode. In ECB mode, you split your data into chunks that match the cipher’s block size and then encrypt each block with the same key. ECB turns out to be a very bad way to encrypt most kinds of data: if the data you are encrypting has redundant portions, say an image with many pixels of the same color, you end up with the "Tux" problem (demonstrated below). If two blocks have the same value, they will be encrypted to the same value. This property lets an attacker know which plaintext blocks match by looking at the ciphertext blocks.

For example, here’s what a high-resolution version of Linux’s "Tux" looks when encrypted in ECB mode:


Image from Filippo Valsorda’s blog

The fact that identical plaintext blocks are encrypted to identical ciphertext blocks gives an unwanted structure to encrypted data that reveals information about the plaintext.

One solution to this is to "chain" blocks together by taking the output of one encryption and mixing it into the input for the next block. There are several block cipher modes, but the one that was originally standardized in SSL (and continues to be used in TLS) is Cipher Block Chaining (CBC). In CBC, the plaintext of one block is combined with the ciphertext of the previous block using the exclusive OR operation (XOR). The first block is XOR’d with a randomly generated initialization vector (IV).

Decryption works by XORing the previous block of ciphertext (or the IV) into the output of the decryption.

CBC has some nice properties. The ciphertext produced by a block cipher is encrypted, so it (hopefully) looks random. In CBC, you’re mixing this random looking encrypted data into the plaintext, making it very unlikely that there will be patterns in the output. Another advantage is that decryption can be done in parallel to speed things up. However, CBC has proven to be more trouble than expected when used in the context of the HTTPS and the web.

How records are encrypted in TLS

TLS provides both encryption—via a cipher—and integrity—via a message authentication code (MAC). When SSL was originally designed, one open question was: should we authenticate the plaintext data, or should we encrypt and then authenticate the encrypted data? This is sometimes stated as MAC-then-encrypt or encrypt-then-MAC? They chose MAC-then-encrypt (encrypt the authenticated data) which has since proven to be the less than ideal choice.

In cryptographic protocol design, leaving some bytes unauthenticated can lead to unexpected weaknesses (this is known as the Cryptographic Doom Principle). When encrypting data using a block cipher mode like CBC, the last block needs to be padded with extra bytes to align the data to the block size. In TLS, this padding comes after the MAC. (There is a TLS extension, described in RFC 7366, that enables encrypt-then-MAC, but it’s rarely implemented.)

A TLS record has the following format. Each one has an 8-byte sequence number that is stored and incremented on each new one. The encrypted part of a request needs to add up to a multiple of 16 bytes, but for the purposes of this post, let’s assume that this length is 64 bytes (4 blocks).

In TLS, valid padding looks like a number preceded by that number of copies of itself. So, if the number is 0x00, it’s repeated 0 times:

If the number is 0x02, it’s repeated 0x02 times:

To decode a block, decrypt the entire message, look at the last byte, remove it, and remove that many bytes of padding. This gives you the location of the HMAC.

To compute the MAC, take the sequence number, the 5-byte header, and the message, then HMAC them using the shared integrity key.

Padding oracle

The problem with this construction is that it is susceptible to a technique called the padding oracle attack. This attack was first reported against TLS by Serge Vaudenay in 2002. A padding oracle is a way for an attacker with the ability to modify ciphertext sent to a server to extract the value of the plaintext.

Attackers don’t have to be an ISP or a government to get in the middle of requests. If they are on the same local network as their victim they can use a technique called ARP spoofing. By tricking the victim’s machine to forward data to the attacker’s machine instead of the router, they can read, modify and measure the time it takes for every encrypted message sent from the browser to the server. By injecting JavaScript into an unencrypted website the client is visiting, they can get the browser to repeatedly send requests to a target HTTPS site. The

저작자표시 비영리 변경금지

'Cryptography' 카테고리의 다른 글

HOTP and TOTP  (31) 2024.03.21
The group Zp*  (31) 2024.03.11
CBC-bit Flipping  (54) 2024.03.08
AES Cipher  (0) 2024.03.07
Advanced Encryption Standard (AES)  (31) 2024.03.07
728x90

Lets start with the definition of CBC mode of operation. CBC stands for cipher block chaining.

Each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

CBC is a way of randomizing the output of the encrypted value. It works by using an IV or initialization vector. The IV is a random value that is used against each block of your encrypted value. The first block of plain text is XORed with the IV and then that value is XORed with the next block and it keeps doing this until each block is XORed with the last one.

Hence we have to reverse XOR to find the bits that will result in our required Plain Text(PT). This practical involves a little calculation at the end. We will look into it and understand it in the simplest way possible.

For this practical we will need Mutillidae 2 that you can download from https://sourceforge.net/projects/mutillidae/ and Burp Suite.

I am dividing the practical in two parts:

  1. To get the required value in the PT from the altered bits in IV.
  2. To calculate and reverse XOR for the arbitrary values that we get in our PT and get the required value(000). This may not be clear now but will be clear by the end of part 1.

Let’s start with part 1:

Browse to your Mutillidae and open Owasp 2017->Broken Authentication and Session Management->Privilege Escalation->Via CBC-bit Flipping

We get to see the following page

Our aim for this part will be to capture the request on burp suite and alter the bits in the IV and map the bits that brings the desired changes in PT. We have to change the values of User Id and Group Id to 000 for “Root Privilege Level”

In the above image we can see that the value of IV is available to us. We will now send this request to “Repeater” and start altering and mapping the changes

Now what we have to do is to change the bits in IV till we see the 0s in the User Id and Group Id. We will do this by replacing 2 bits at a time with ff and see the change in the Response Section by rendering the response as shown above.

We can see changes in the value of Application Id. We will keep changing the bits in similar manner till we reach User Id.

We have reached at the point were our given IV changes the User Id to e00. This value of IV is ffffffffff650b25b4114e93a98f1eba.

We will keep this value with us for part 2 and start proceeding in the similar way for changes in Group Id.

The value at which we get ?00 at Group Id is IV=ffffffffffffffffb4114e93a98f1eba. Now that we have values for both User and Group Ids we will proceed for the part 2 of the practical.

Lets move to part 2:

Now you may be wondering about the e and ? we are getting in our results while we actually needed 000. This is what I was talking about in the beginning of our practical. We have to change these values to 0.

Now we will deal with these values by some simple calculation.

First we have to take the final ff bits in our two results of User and Group Id IVs and replace them in the original IV value.

Original: 6bc24fc1ab650b25b4114e93a98f1eba
New: 6bc24fc1ff650bffb4114e93a98f1eba

Now we have to revise some concepts of CBC and then start calculating.

While encryption, we XORed IV to PT to get our CT. So here the IV that gave us the change was ff and the PT that was visible to us is e. So to find the actual CT we will simply XOR ff to hex value of e i.e 65 and we get 9a after calculation.

9a is the actual CT and now we need the required IV that will give us 0 in place of e. So we will again XOR 9a to hex of 0 i.e 30 and we get aa as the result.

Hence the logic can be memorized as:

First XOR for CT (IV xor PT)

Then XOR for IV (CT xor 30 i.e hex(0))

But what about that symbol in Group Id. I tried 22 in place of ff for Group Id and got 600 that can be changed to 000 as we did above.

Same steps:

First XOR for CT = 22 xor 36 i.e hex(6) = 14

Then XOR for IV = 14 xor 30 i.e hex(0) = 24

Hence we have aa and 24 as the required value of IV that will give us 000 or root in our practical. So let’s replace the values and send the request through repeater and see of it works.

Final IV = 6bc24fc1aa650b24b4114e93a98f1eba

As you can see we have successfully changed the User and Group Id bits to 000 and have User as root.

Now copy the url from repeater and open it in the browser.

Thanks for reading.

 
 
저작자표시 비영리 변경금지

'Cryptography' 카테고리의 다른 글

The group Zp*  (31) 2024.03.11
Padding oracles and the decline of CBC-mode cipher suites  (115) 2024.03.08
AES Cipher  (0) 2024.03.07
Advanced Encryption Standard (AES)  (31) 2024.03.07
일부 변화가 있었던 ARIA 찾아서 조지기  (0) 2024.03.04

+ Recent posts

티스토리툴바