CR | Oct 3, 2018 | Code available
Towards Low-level Cryptographic Primitives for JavaCards
Vasilios Mavroudis, Petr Svenda
JavaCard is a multi-application security platform deployed to over twenty billion smartcards, used in applications ranging from secure payments to telecommunications. While the platform is a popular choice for established commercial use cases (e.g., SIM cards in telecommunication networks), it has notably low adoption rates in: 1) application scenarios requiring recently-standardized cryptographic algorithms, 2) research projects, and 3) open source initiatives. We attribute this to the restricted access to low-level cryptographic primitives (e.g., elliptic curve operations) and the lack of essential data types (e.g., Integers). While the underlying hardware has those capabilities, the JavaCard API does not provide calls for the corresponding functionality. Until now, the only available workaround was manufacturer-specific proprietary APIs that come with very restrictive non-disclosure agreements. In this paper, we introduce a methodology to efficiently derive essential data types and low-level cryptographic primitives from high-level operations. Our techniques are ideal for resource-constrained platforms, and make optimal use of the underlying hardware, while having a small memory footprint. We also introduce JCMathLib, which, to the best of our knowledge, is the first generic library for low-level cryptographic operations in JavaCards that does not rely on a proprietary API. Without any disclosure limitations, JCMathLib enables open code sharing, release of research prototypes and public and third-party code audits.
CR | Sep 14, 2020
Biased RSA private keys: Origin attribution of GCD-factorable keys
Adam Janovsky, Matus Nemec, Petr Svenda et al.
In 2016, Svenda et al. (USENIX 2016, The Million-key Question) reported that the implementation choices in cryptographic libraries allow for qualified guessing about the origin of public RSA keys. We extend the technique to two new scenarios where not only public but also private keys are available for origin attribution: analysis of a source of GCD-factorable keys in IPv4-wide TLS scans, and forensic investigation of an unknown source. We learn several representatives of the bias from the private keys to train a model on more than 150 million keys collected from 70 cryptographic libraries, hardware security modules and cryptographic smartcards. Our model not only doubles the number of distinguishable groups of libraries (compared to public keys from Svenda et al.) but also more than doubles the accuracy w.r.t. random guessing when a single key is classified. For a forensic scenario where at least 10 keys from the same source are available, the correct origin library is identified with an average accuracy of 89%, compared to the 4% accuracy of a random guess. The technique was also used to identify libraries producing GCD-factorable TLS keys, showing that only three groups are the probable suspects.
CR | Sep 12, 2017
A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components
Vasilios Mavroudis, Andrea Cerulli, Petr Svenda et al.
The semiconductor industry is fully globalized, and integrated circuits (ICs) are commonly defined, designed and fabricated in different premises across the world. This reduces production costs, but also exposes ICs to supply chain attacks, where insiders introduce malicious circuitry into the final products. Additionally, despite extensive post-fabrication testing, it is not uncommon for ICs with subtle fabrication errors to make it into production systems. While many systems may be able to tolerate a few byzantine components, this is not the case for cryptographic hardware, which stores and computes on confidential data. For this reason, many error and backdoor detection techniques have been proposed over the years. So far all attempts have been either quickly circumvented, or come with unrealistically high manufacturing costs and complexity. This paper proposes Myst, a practical high-assurance architecture that uses commercial off-the-shelf (COTS) hardware and provides strong security guarantees, even in the presence of multiple malicious or faulty components. The key idea is to combine protective redundancy with modern threshold cryptographic techniques to build a system tolerant to hardware trojans and errors. To evaluate our design, we build a Hardware Security Module that provides the highest level of assurance possible with COTS components. Specifically, we employ more than a hundred COTS secure crypto-coprocessors, verified to FIPS 140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both decryption and signing) and an exponential increase in backdoor-tolerance as more ICs are added.