Key Management Bugs (KMN) Examples
CVE-2016-1919
BF Taxonomy
BF Description
KMN: Use of weak algorithm (eCryptFS-key from password and stored TIMA key)
allows generation of keying material (secret key) that can be
obtained through brute force, which may be exploited for IEX of keying material
(secret key).
ENC: KMN fault leads to exposed secret key that allows decryption of
stored (on disk) sensitive data, which is
confidentiality failure and may be exploited for IEX of sensitive data.
[1]
CVE Description
"Samsung KNOX 1.0 uses a weak eCryptFS Key generation algorithm, which makes it easier for local users to
obtain sensitive information by leveraging knowledge of the TIMA key and a brute-force attack." [2]
Analysis
The following analysis is based on information in [3]: The TIMA key is a random stored byte
string. The secret key used is obtained by XOR of the TIMA key and the password characters, where the minimum
password length is 7. However, if the password length is no more than 8, a base 64 expansion results in a key
that does not depend on the password. The TIMA key is stored, and for a known TIMA key, the key is known, or, if
the password length slightly exceeds 8, there is a small set of possible keys. The TIMA key can be obtained
using a preliminary step.
Source Code
Code With Bug: Source Code Not Available
Code With Fix: Source Code Not Available
CVE-2015-0204, CVE-2015-1637, CVE-2015-1067 (FREAK - Factoring attack on RSA-Export Keys)
BF Taxonomy
An inner KMN leads to an inner ENC, which leads to an outer ENC.
Cause:
Improper Offer of Weak Protocol (Export RSA – offered from MITM-tricked server and accepted by
client)
Attributes:
Cryptographic Data: Keying Material (pair of private and public keys)
Data State: Transferred (over network)
Algorithm: Export RSA (512-bit key generation based on prime numbers, such that the
private key can be obtained from the public key through factorization)
Consequence:
IEX Keying Material (private key)
Causes:
KMN Fault leads to Exposed Private Key
Attributes:
Sensitive Data: Cryptographic (Pre-Master Secret)
Data State: Transferred (over network)
Algorithm: Asymmetric (RSA) (that allows decryption of Pre-Master Secret using
exposed private key and computation of Master Secret)
Security Service: Confidentiality
Consequence:
IEX of Sensitive Data (Master Secret)
Causes:
KMN Fault leads to Exposed Secret Key (Master Secret)
Attributes:
Sensitive Data: Credentials (passwords, credit cards)
Data State: Transferred (over network)
Algorithm: Symmetric (key is known)
Security Service: Confidentiality
Consequence:
IEX of Sensitive Data (credentials)
BF Description
An inner KMN leads to an inner ENC, which leads to an outer ENC.
Inner KMN: Improper offer of weak protocol (Export RSA from a
MITM-tricked server, accepted by the client) allows use of 512-bit key generation (based
on prime numbers) such that the private key can be obtained from the public key through factorization, which may
be exploited for IEX of keying material (private key).
Inner ENC: KMN fault leads to exposed private key for
asymmetric encryption (RSA) that allows decryption of transferred (over
network) cryptographic data (Pre-Master Secret) and computation of other
cryptographic data (Master Secret), which is confidentiality failure and
IEX of sensitive data (Master Secret).
Outer ENC: KMN fault leads to exposed secret key (Master Secret) for
symmetric encryption that allows decryption of credentials (passwords,
credit cards, etc.) transferred (over network), which is confidentiality
failure and IEX of sensitive data (passwords, credit cards, etc.). [1]
CVE Descriptions
"The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1
before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK"
issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with
servers or other TLS implementations." [4]
"Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008
SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and
8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct
cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a
different vulnerability than CVE-2015-0204 and CVE-2015-1067." [5]
"Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 does not
properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade
attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability
than CVE-2015-0204 and CVE-2015-1637." [6]
Analysis
The following analysis is based on information in [7, 8, 9, 10]: The server offers a weak
protocol (Export RSA) while the client requested a strong protocol (RSA).
Communication is encrypted by symmetric encryption. The key for that encryption (Master Secret) is created by
both client and server from a Pre-Master Secret and nonces sent by client and server. The Pre-Master Secret is
sent encrypted under the RSA cryptosystem. The client requests the RSA protocol, but a man in the middle (MITM) intercepts
and requests Export RSA, which uses a 512-bit key. Factoring a 512-bit RSA key is feasible.
Because of a bug, the client agrees to Export RSA. The MITM factors the 512-bit public RSA key, uses this
factoring to recover the private RSA key, and then uses that private key to decrypt the Pre-Master Secret. It
then uses the Pre-Master Secret and the nonces to generate the Master Secret. The Master Secret enables the MITM to
decrypt the encrypted communication from that point on.
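The client-side decision that the fix introduces, as an added example that is not the page's or OpenSSL's own code: a constructed model of the ServerKeyExchange check, with the pre-fix behaviour (any temporary RSA key accepted for an RSA key exchange) beside the fixed rule (temporary RSA keys only in export ciphersuites). The struct fields, scenario functions and the offered-suite check are assumptions for illustration; the two suite names are standard TLS names used as sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model (not OpenSSL's own structures) of what the client knows
 * after ServerHello and on receipt of a ServerKeyExchange message. */
typedef struct { const char *name; bool uses_rsa_kx; bool is_export; } cipher_suite;
typedef struct { bool has_tmp_rsa; int tmp_rsa_bits; } server_key_exchange;
enum verdict { ACCEPT = 0, REJECT_UNEXPECTED_MESSAGE = 1, REJECT_NOT_OFFERED = 2 };

static const cipher_suite RSA_STRONG = { "TLS_RSA_WITH_AES_128_CBC_SHA", true, false };
static const cipher_suite RSA_EXPORT = { "TLS_RSA_EXPORT_WITH_RC4_40_MD5", true, true };

/* The selected suite must be one the client offered. FREAK passes this
 * step: the ServerHello names the strong RSA suite the client asked for. */
static bool was_offered(const cipher_suite *const *offered, size_t n, const cipher_suite *sel)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(offered[i]->name, sel->name) == 0) return true;
    return false;
}

/* Client-side check. use_fix=false mirrors the pre-fix client, which took a
 * temporary RSA key for any RSA key exchange; use_fix=true adds the patch's
 * rule that a temporary RSA key is only allowed in an export ciphersuite. */
enum verdict check_server_key_exchange(const cipher_suite *const *offered, size_t n,
                                       const cipher_suite *sel,
                                       const server_key_exchange *ske, bool use_fix)
{
    if (!was_offered(offered, n, sel)) return REJECT_NOT_OFFERED;
    if (use_fix && sel->uses_rsa_kx && ske->has_tmp_rsa && !sel->is_export)
        return REJECT_UNEXPECTED_MESSAGE;   /* SSL_AD_UNEXPECTED_MESSAGE in the fix */
    return ACCEPT;                          /* key goes on to encrypt the Pre-Master Secret */
}

/* Constructed scenarios: the client offered only the strong RSA suite. */
static enum verdict scenario(const cipher_suite *sel, bool has_tmp_rsa, bool use_fix)
{
    const cipher_suite *offered[] = { &RSA_STRONG };
    const server_key_exchange ske = { has_tmp_rsa, has_tmp_rsa ? 512 : 0 };
    return check_server_key_exchange(offered, 1, sel, &ske, use_fix);
}
/* FREAK: ServerHello echoes the strong suite, then a 512-bit temporary key arrives. */
enum verdict freak_scenario(bool use_fix)     { return scenario(&RSA_STRONG, true, use_fix); }
/* Honest server: strong suite and no temporary key. */
enum verdict honest_scenario(bool use_fix)    { return scenario(&RSA_STRONG, false, use_fix); }
/* Server names the export suite outright: rejected even pre-fix, it was never offered. */
enum verdict unoffered_scenario(bool use_fix) { return scenario(&RSA_EXPORT, true, use_fix); }
```

Only the fixed rule stops the FREAK case: the offered-suite check alone is satisfied because the negotiated suite is the one the client requested.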
Source Code
FREAK Client Code With Bug
#ifndef OPENSSL_NO_RSA
    if (alg_k & SSL_kRSA)
    {
        if ((rsa=RSA_new()) == NULL)
        {
            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
FREAK Client Code With Fix
#ifndef OPENSSL_NO_RSA
    if (alg_k & SSL_kRSA)
    {
        /* Temporary RSA keys only allowed in export ciphersuites */
        if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
        {
            al=SSL_AD_UNEXPECTED_MESSAGE;
            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
            goto f_err;
        }
        if ((rsa=RSA_new()) == NULL)
        {
            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
FREAK Server Code With Bug
    case SSL3_ST_SW_KEY_EXCH_B:
        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        /* clear this, it may get reset by send_server_key_exchange */
        if ((s->options & SSL_OP_EPHEMERAL_RSA)
#ifndef OPENSSL_NO_KRB5
            && !(alg_k & SSL_kKRB5)
#endif /* OPENSSL_NO_KRB5 */
            )
            /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key even when forbidden
             * by protocol specs (handshake may fail as clients are not required to
             * be able to handle this) */
            s->s3->tmp.use_rsa_tmp=1;
        else
            s->s3->tmp.use_rsa_tmp=0;
        if (s->s3->tmp.use_rsa_tmp
FREAK Server Code With Fix
    case SSL3_ST_SW_KEY_EXCH_B:
        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        /* clear this, it may get reset by send_server_key_exchange */
        s->s3->tmp.use_rsa_tmp=0;
        if (

References
[1] Bojanova, I., Black, P. E., Yesha, Y., Wu, Y., Evans, Z., Poster: The Bugs Framework (BF) – First
Classes: Buffer Overflow (BOF), Injection (INJ), Control of Interaction Frequency (CIF), STC 2017, NIST,
Gaithersburg, MD, USA.