In the past two decades the use of cryptography in computer systems has constantly increased. Ranging from personal devices to critical infrastructures, cryptography is pervasive and variegated. It is crucial to perform the security evaluation of existing cryptographic design and implementations. In this thesis we first investigate on Java keystores, the standard password-protected facility to securely store keys in Java. We define a threat model, distil a set of security properties and disclose unpublished attacks and weaknesses in keystores that do not adhere to state-of-the-art standards or use ad-hoc cryptographic mechanisms. Typically, security sensitive applications employ dedicated cryptographic hardware. We study the low-level APDU protocol used to communicate with PKCS#11 devices such as smartcards. We describe a threat model and discuss new attacks that exploit proprietary implementation weaknesses enabling attackers to leak sensitive keys as cleartext. Complex cryptography can also be found in the firmware of embedded and Internet-Of-Things devices. The research for security flaws in the firmware by reverse-engineering can be blocked by mechanisms preventing memory content readout to protect the IPs. We present novel firmware extraction attacks from six microcontrollers and we introduce a new voltage fault injection technique for improving the attack performance. Then we conduct a thorough evaluation of the results against the voltage glitching state-of-the-art.

Analysis of threats and design flaws in hardware and software cryptographic systems / Palmarini, Francesco. - (2019 Mar 20).

Analysis of threats and design flaws in hardware and software cryptographic systems

Palmarini, Francesco
2019-03-20

Abstract

In the past two decades the use of cryptography in computer systems has constantly increased. Ranging from personal devices to critical infrastructures, cryptography is pervasive and variegated. It is crucial to perform the security evaluation of existing cryptographic design and implementations. In this thesis we first investigate on Java keystores, the standard password-protected facility to securely store keys in Java. We define a threat model, distil a set of security properties and disclose unpublished attacks and weaknesses in keystores that do not adhere to state-of-the-art standards or use ad-hoc cryptographic mechanisms. Typically, security sensitive applications employ dedicated cryptographic hardware. We study the low-level APDU protocol used to communicate with PKCS#11 devices such as smartcards. We describe a threat model and discuss new attacks that exploit proprietary implementation weaknesses enabling attackers to leak sensitive keys as cleartext. Complex cryptography can also be found in the firmware of embedded and Internet-Of-Things devices. The research for security flaws in the firmware by reverse-engineering can be blocked by mechanisms preventing memory content readout to protect the IPs. We present novel firmware extraction attacks from six microcontrollers and we introduce a new voltage fault injection technique for improving the attack performance. Then we conduct a thorough evaluation of the results against the voltage glitching state-of-the-art.
20-mar-2019
31
Informatica
Focardi, Riccardo
Focardi, Riccardo
File in questo prodotto:
File Dimensione Formato  
823027-1208051.pdf

accesso aperto

Tipologia: Tesi di dottorato
Dimensione 2.38 MB
Formato Adobe PDF
2.38 MB Adobe PDF Visualizza/Apri

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10579/15005
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact