PKCS11 Key Protection And the Insider Threat.

Slides:

Advertisements

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

Advertisements

Operating System Security

CT-KIP Magnus Nyström, RSA Security 23 May Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

A responsibility based model EDG CA Managers Meeting June 13, 2003.

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

FlareCo Ltd ALTER DATABASE AdventureWorks SET PARTNER FORCE_SERVICE_ALLOW_DATA_LOSS Slide 1.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

ERP Risks, Security Checklist, and Priorities for Change Joy R. Hughes VPIT and CIO George Mason University Co-chair STF.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states.

Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.

CIS 450 – Network Security Chapter 8 – Password Security.

© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.

Switch off your Mobiles Phones or Change Profile to Silent Mode.

The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.

1 Chapter 20: Firewalls Fourth Edition by William Stallings Lecture slides by Lawrie Brown(modified by Prof. M. Singhal, U of Kentucky)

1. Chapter 25 Protecting and Preparing Documents.

Lecture 4: Using Block Ciphers

ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.

Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”

Kerberos Guilin Wang School of Computer Science 03 Dec

©Stephen Kingham SIP Protocol overview SIP Workshop APAN Taipei Taiwan 23rd Aug 2005 By Stephen Kingham

Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.

Wireless and Mobile Security

Academic Year 2014 Spring Academic Year 2014 Spring.

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

1 Introduction to NTFS Permissions Assign NTFS permissions to specify Which users and groups can gain access to folders and files What they can do with.

Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 40 Network Security (Access Control, Encryption, Firewalls)

CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.

©2009 HP Confidential1 Proposal to OASIS KMIP TC Stan Feather and Indra Fitzgerald Hewlett-Packard Co. 26 October, 2010 Encoding Options for Key Wrap of.

KMIP PKCS#12 February 2014 Tim Hudson – 1.

IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.

Fall 2006CS 395: Computer Security1 Key Management.

TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.

C Copyright © 2007, Oracle. All rights reserved. Security New Features.

Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.

Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.

7/10/20161 Computer Security Protection in general purpose Operating Systems.

Database System Implementation CSE 507

Access Control Model SAM-5.

Introduction to NTFS Permissions

Operating Systems Protection Alok Kumar Jagadev.

Outline What does the OS protect? Authentication for operating systems

Outline What does the OS protect? Authentication for operating systems

Lesson 16-Windows NT Security Issues

Outline Using cryptography in networks IPSec SSL and TLS.

Module 2 OBJECTIVE 14: Compare various security mechanisms.

Understanding Android Security

Computer Security Protection in general purpose Operating Systems

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Access Control What’s New?

Chapter 4: Security Policies

Presentation transcript:

PKCS11 Key Protection And the Insider Threat

Outline The Insider Threat Existing Protection Mechanism Primary Key vs Secondary Key Primary Key Protection Secondary Key Protection Related Items

The Insider Threat General design goal – if desired, key material checks in but never checks out (PKCS11, the roach motel of key material) Insider threat is authorized, but illegitimate, user Stolen credentials (e.g. PIN) Hacked application using PKCS11 token for security Attacker is authorized token user, but token should prevent extraction attacks. PKCS11 has reasonable protection for primary keys, but little or no protection for secondary keys (see below)

Existing Protection Mechanisms (1) CKA_PRIVATE Limits key use to CKU_USER if true Needs work or replacement if we add user logins (or additional roles) CKA_SENSITIVE Generally prevents use of C_GetAttributeValue with “sensitive” attributes if true CKA_EXTRACTABLE Allows the use of C_WrapKey if true But see also CKA_WRAP_WITH_TRUSTED and CKA_TRUSTED CKA_DERIVE, CKA_SIGN, etc Allows use of C_DeriveKey, C_Sign etc if true

Existing Protection Mechanism (2) CKA_WRAP_WITH_TRUSTED If CKA_EXTRACTABLE is true, limits wrapping of *this* key to only by CKA_TRUSTED=true keys CKA_TRUSTED Can only be set to true by CKU_SO But CKU_SO can’t see CKA_PRIVATE keys to set them Limits usefulness of CKA_WRAP_WITH_TRUSTED to public keys. Or non-private symmetric keys CKA_ALLOWED_MECHANISMS Locks key to specific set of mechanisms Doesn’t appear to be a sticky attribute

Existing Protection Mechanisms (3) CKA_WRAP_TEMPLATE Limits use of *this* key to only wrap keys that match template Simple to bypass by creating a new wrapping key without this restriction CKA_UNWRAP_TEMPLATE Forces unwrapped key to have certain attributes Currently *not* a sticky attribute Easy to bypass by copying key and clearing the template CKA_COPYABLE, CKA_DESTROYABLE, CKA_MODIFIABLE If true, allows C_CopyObject, C_DestroyObject, C_SetAttributeValue respectively Some issues with policy language should be clarified.

Primary Key vs Secondary Key For the purposes of this presentation Primary Key Key created or loaded by legitimate user for which the source key material is not accessible to an attacker Generated on token, or securely loaded Sticky attributes set at creation Secondary key A key created through the use of C_DeriveKey from a Primary or Secondary Key Creation can be repeated at any time assuming public data and original key Or a key created through the use of C_UnwrapKey where the wrapped key material is accessible at some point to an attacker Unwrapping can be repeated at any time as long as unwrapping key is still on token

Primary Key Protection (1) Creator can prevent extraction CKA_EXTRACTABLE=false (sticky) Creator can prevent key data extraction CKA_SENSITIVE=true (sticky) Creator can limit key to specific use CKA_DERIVE, CKA_SIGN, etc But not sticky, so attacker can change Creator can limit key to specific mechanisms CKA_ALLOWED_MECHANISMS Other stickyness problems for other protection attributes

Primary Key Protection (2) Extractable Keys (CKA_EXTRACTABLE=true) Constrained by CKA_WRAP_WITH_TRUSTED and CKA_WRAP_TEMPLATE But attacker can add new key with less restrictive wrap template. Re-loaded wrapped keys Wrapped keys don’t contain original attributes Unwrapped keys can be set with any attributes But some protection through CKA_UNWRAP_TEMPLATE

Primary Key Protection (3) Fixes? Add stickyness language to all protection attributes Ensure attributes can become more restrictive, but not less Allow key to specify its wrap key at creation CKA_WRAP_WITH_UUID CKA_UUID (read only, internally generated) Doesn’t require SO intervention to specify a “trusted” key. Specify at least one wrapping mechanism that preserves/restores key attributes CKM_SEAL_KEY

Secondary Key Protection (1) General model of attack for C_Derive is that attacker Has use permission for primary key Has access to “public data” used for the derive operation E.g. other side public key, random data, label, etc Re-derives desired key But sets attributes of derived key so key data is extractable E.g. CKA_SENSITIVE=false or CKA_EXTRACTABLE=true Extracts key data and passes it on or uses it No mechanism to enforce setting of policy on derived secondary keys

Secondary Key Protection (2) Second method of attack for C_DeriveKey is that attacker Has use of CKK_GENERIC_SECRET primary key Has access to public data used by derive operation Has use of the underlying PRF CMAC or HMAC function used by the derive mechanism Knows the derive function Uses the CMAC or HMAC function with the primary key and public data to directly produce a public version of the key stream Extracts the key data and passes it on or uses it CKA_ALLOWED_MECHANISMS is currrently only way to protect against this, but attribute is non-sticky.

Secondary Key Protection (3) General method of attack for C_UnwrapKey is that attacker Has use of unwrapping key Has access to wrapped key data Unwraps the wrapped key But sets attributes of unwrapped key so key data is extractable Extracts key data and passes it on or uses it CKA_UNWRAP_TEMPLATE enforces attributes of unwrapped keys But CKA_UNWRAP_TEMPLATE is not currently sticky, so trivial for attacker to remove it in C_CopyObject or by C_SetAttributeValue Some vendors did fix this though. Possible for legitimate user to screw up unwrap configuration

Secondary Key Protection (4) Fixes? Specify a mechanism to enforce policy on derived keys I.e., CKA_DERIVE_TEMPLATE Since derives can be multilevel, mechanism must be able to propagate through each level of derive Revisit default and permitted sensitivities for all derive mechanisms (e.g. default is at least as sensitive as key being derived from, but if template is provided at original key creation, permitted values can be weaker If done this way, template can only be applied at key creation and is read-only or prohibited after (otherwise violates the “changes must be in direction of more secure” policy

Secondary Key Protection (5) Example: TLS wants to protect pre-master and master secret from extraction, but wants to export mac and encryption secrets for use by general purpose processor. Default for TLS would be if pre-master and master were “sensitive” and “non-extractable” then so would derived keys Template would allow for easing restriction at creation of master secret

Related Items CKK_GENERIC_SECRET Can be used with derivation, CMAC and HMAC mechanisms Problematic for policy controls especially as C_Derive mechanisms use underlying CMAC or HMAC PRFs Perhaps instead: CKK_MASTER_SECRET – can be used with C_Derive mechanisms only CKK_AES_CMAC, CKK_DES_CMAC etc (or only CKK_CMAC?) CKK_SHA1_HMAC, CKK_SHA2_HMAC (or CKK_HMAC? Or CKK_SHA(224|256|384)_HMAC?)