We performed some experiments on the low-level APDU protocols of several smartcards and authentication tokens. Results include sensitive cryptographic keys in the clear, PINs in the clear or easily reversible, stateless protocols that allow easy injection of commands and restrictions on key use enforced at the PKCS#11 (driver) level that are trivially bypassed at the APDU level.
Our findings will be presented in September at the 19th International Symposium on Research in Attacks, Intrusions and Defenses – RAID 2016 (a preprint of the paper is available here).
We have published a summary of the paper.
I’ve published a hands-on guide to Padding Oracle Attacks on RSA that appears in Hakin9 – Defend Yourself! Hands-on Cryptography. It is a practical experience on how to break RSA using a side-channel and contains references to our recent results on real devices.
An article on our paper “Efficient Padding Oracle Attacks on Cryptographic Hardware“, to appear at CRYPTO 2012 this August, has been published today on the New-York Times. The news seems to be bouncing back and forth on many blogs, sometimes imprecise and exaggerated. Our FAQ page should clarify any doubt you might have. If you are curious and you don’t want to go through the full paper, Matthew Green’s blog provides a very nice write-up.
Tookan is an automated tool for security analysis of PKCS#11 compliant authentication tokens. In a paper presented today at CCS’10, we show how we used Tookan to reveal secret keys in devices made by Aladdin, Bull, Gemalto, RSA, snd Siemens amongst others. Tookan can also be used to validate patches to the standard, as we demonstrate in our CryptokiX project. Slides from the conference presentation are available, or you can go to the Tookan project website for full details.
This is the result of joint work between Graham Steel (LSV & INRIA) and the Security Group of the Universita’ Ca’ Foscari.
Avrete sentito parlare di questo nuovo “virus” scritto proprio con lo scopo di attaccare i PLC usati in produzioni industriali. Mi ero chiesto come potesse funzionare essendo spesso i PLC proprietari e off-line.
Questo paper di Symantec chiarisce un pò le cose, il senso si capisce anche limitandosi a leggere l’Executive Summary, certo che per realizzare un tool simile devono esserci degli interessi economici molto precisi.
Interessanti anche alcune delle “classiche” vulnerabilità Windows utilizzate.
W32.Stuxnet Symantec Dossier (PDF)
Windows Kerberos authentication bypass,
Whitepaper + PoC published (w00t!) :
Keep also track of my personal blog, http://memoryh0le.wordpress.com and twitter for any future development.