密钥安全研究进展

摘要/Abstract

摘要： 密码算法提供安全功能的前提是密钥数据的安全性，要求攻击者不能获得密钥.然而，在计算机系统中实现密码算法、执行密码计算，面临着各种非授权读取密钥数据的攻击，包括系统攻击和物理攻击.先大致总结了计算机系统中各种窃取密钥以及其他敏感数据的攻击方法；然后重点分析了当前各种典型的密钥安全技术方案，分别包括基于寄存器、基于Cache、基于处理器增强特性、结合中心服务器的解决方案，以及基于密钥安全解决方案的数据安全系统技术，并从安全性、计算性能、适用性等方面对各种方案进行了全面的对比；最后，展望了将来的密钥安全技术研究方向.关键词密钥安全；应用密码学；内存攻击；系统安全；物理攻击

关键词: 密钥安全, 应用密码学, 内存攻击, 系统安全, 物理攻击

Abstract: In order to achieve the security functionality of cryptographic algorithms, we need to ensure the security of cryptographic keys, i.e., no attacker can access the cryptographic keys. However, there are various attacks access the cryptographic keys on computers that implement cryptographic algorithms and perform cryptographic operations, including system attacks and physical attacks. This paper surveys the attacks that steal cryptographic keys and other sensitive data on computers. We analyze the cryptographic key protections including various solutions based on registers, caches, CPU features, and online central servers and data security techniques on top of protected cryptographic keys, in terms of security, performance and applicability. Finally, we discuss and prospect the research direction of cryptographic key protection in the future.

Key words: cryptographic key protection, applied cryptography, memory attack, system security, physical attack

林璟锵郑昉昱王跃武. 密钥安全研究进展[J]. 信息安全研究, 2019, 5(1): 68-74.

参考文献

[1] Guninski G. Linux kernel 2.6 fun, Windoze is a joke[EB/OL]. [2005-02-15]. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html [2] Lafon M, Francoise R, CAN-2005-0400: Information leak in the Linux kernel ext2 implementation[EB/OL]. [2005-03-25]. https://seclists.org/bugtraq/2005/Apr/17 [3] National Vulnerability Database. CVE-2014-0069[EB/OL]. [2014-02-28]. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0069. [4] National Vulnerability Database. CVE-2014-4653[EB/OL]. [2014-03-07]. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4653. [5] Chow J, Pfaff B, Garfinkel T, et al. Understanding data lifetime via whole system simulation[C]// Proc of the 13th USENIX Security Symp. Berkeley: USENIX, 2004: 321-336 [6] The MITRE Corporation. CWE-212: Improper cross-boundary removal of sensitive data[EB/OL]. [2018-04-03]. https://cwe.mitre.org/data/definitions/212.html. [7] The MITRE Corporation. CWE-226: Sensitive information uncleared before release[EB/OL]. [2018-05-29]. https://cwe.mitre.org/data/definitions/226.html. [8] Szekeres L, Payer M, Wei T, et al. Sok: Eternal war in memory[C]// Proc of the 34th IEEE Symp on Security and Privacy. Piscataway,NJ: IEEE, 2013: 48-62 [9] Halderman J A, Schoen S D, Heninger N, et al. Lest we remember: cold-boot attacks on encryption keys[J]. Communications of the ACM, 2009, 52(5): 91-98 [10] Stewin P, Bystrov I. Understanding DMA malware[C]//Proc of Int Conf on Setection of Intrusions and Malware, and Vulnerability Assessment. Berlin:Springer, 2012: 21-41 [11] Becher M, Dornseif M, Klein C N. FireWire:All your memory are belong to us[J]. Proceedings of CanSecWest, 2005: 67 [12] Blass E O, Robertson W. TRESOR-HUNT: Attacking CPU-bound encryption[C]//Proc of the 28th Annual Computer Security Applications Conference. New York:ACM, 2012: 71-78 [13] Li Y, McCune J M, Perrig A. VIPER: Verifying the integrity of peripherals' firmware[C]//Proc of the 18th ACM Conf on Computer and Communications Security. New York:ACM, 2011: 3-16 [14] Müller T, Freiling F C, Dewald A. TRESOR runs encryption securely outside RAM[C]//Proc of USENIX Security Symp. Berkeley : USENIX, 2011 [15] Simmons P. Security through Amnesia: A software-based solution to the cold boot attack on disk encryption[C]//Proc of the 27th Annual Computer Security Applications Conf. New York:ACM, 2011: 73-82 [16] Garmany B, Müller T. PRIME: Private RSA infrastructure for memory-less encryption[C]//Proc of the 29th Annual Computer Security Applications Conf. New York:ACM, 2013: 149-158 [17] Zhao Y, Lin J, Pan W, et al. RegRSA: Using registers as buffers to resist memory disclosure attacks[C]//Proc of IFIP Int Information Security and Privacy Conf. Berlin:Springer, 2016: 293-307 [18] Pabel J. FrozenCache: Mitigating cold-boot attacks for full-disk-encryption software[C]//Proc of the 27th Chaos Communication Congress. 2010 [19] Guan L, Lin J, Luo B, et al. Copker: Computing with private keys without RAM[C]// Proc of 21st Annual Network and Distributed System Security Symp. Rosten:the Internet Society, 2014: 23-26 [20] Lin J, Guan L, Ma Z, et al. Copker: A cryptographic engine against cold-boot attacks[J]. IEEE Trans on Dependable and Secure Computing, 2018, 15(5): 742-754 [21] Colp P, Zhang J, Gleeson J, et al. Protecting data on smartphones and tablets from memory attacks[C]// Proc of the 20th Int Conf on Architectural Support for Programming Languages and Operating Systems. New York:ACM, 2015 [22] Guan L, Lin J, Luo B, et al. Protecting private keys against memory disclosure attacks using hardware transactional memory[C]//Proc of IEEE Symp on Security and Privacy, Piscataway: IEEE, 2015: 3-19 [23] Sun H, Sun K, Wang Y, et al. TrustOTP: Transforming smartphones into secure one-time password tokens[C]//Proc of the 22nd ACM Conf on Computer and Communications Security. News York:ACM, 2015: 976-988 [24] Sun H, Sun K, Wang Y, et al. TrustICE: Hardware-assisted isolated computing environments on mobile devices[C]//Proc of the 45th Annual IEEE/IFIP Int Conf on Dependable Systems and Networks, Piscataway,NJ:IEEE, 2015: 367-378 [25] Zhang N, Sun K, Lou W, et al. CaSE: Cache-assisted secure execution on arm processors[C]//Proc of IEEE Symp on Security and Privacy, Piscataway,NJ:IEEE, 2016: 72-90 [26] Vasiliadis G, Athanasopoulos E, Polychronakis M, et al. PixelVault: Using PGUs for securing cryptographic operations[C]//Proc of the 2014 ACM Conf on Computer and Communications Security. New York:ACM, 2014: 1131-1142 [27] Zhu Z, Kim S, Rozhanski Y, et al. Understanding the security of discrete GPUs[C]//Proc of the General Purpose GPUs. New York:ACM, 2017: 1-11 [28] Boneh D, Ding X, Tsudik G, et al. A method for fast revocation of public key certificates and security capabilities[C]//Proc of USENIX Security Symp. Berkeley:USENIX, 2001: 22-22 [29] Lindell Y. Fast secure two-party ECDSA signing[C]//Proc of Annual International Cryptology Conference. Berlin:Springer, 2017: 613-644 [30] 林璟锵, 马原, 荆继武, 等. 适用于云计算的基于SM2算法的签名及解密方法和系统: 中国, ZL2014104375995[P]. 2017-11-03 [31] Libert B, Quisquater J J. Efficient revocation and threshold pairing based cryptosystems[C]//Proc of the 22nd Annual Symp on Principles of Distributed Computing. New York:ACM, 2003: 163-171 [32] Tang Y, Ames P, Bhamidipati S, et al. CleanOS: Limiting mobile data exposure with idle eviction[C]//Proc of the 10th USENIX Symp on Operating Systems Design and Implementation. Berkeley:USENIX, 2012: 77-91 [33] Müller T, Taubmann B, Felix C. Freiling. TreVisor - OS-independent software-based full disk encryption secure against main memory attacks[C]// Proc of Int Confon Applied Cryptography and Network Security. Berlin:Springer,2012: 66-83 [34] Shinagawa T, Eiraku H, Tanimoto K, et al. BitVisor: A thin hypervisor for enforcing i/o device security[C]//Proc of the 2009 ACM SIGPLAN/SIGOPS Int Conf on Virtual Execution Environments. New York:ACM, 2009: 121-130 [35] Wang Z, Zheng F, Lin J, et al. Utilizing GPU virtualization to protect the private keys of GPU cryptographic computation[C]//Proc of Int Conf on Information and Communications Security. Berlin:Springer, 2018: 142-157 [36] Mashtizadeh A J, Bittau A, Boneh D, et al. CCFI: Cryptographically enforced control flow integrity[C]//Proc of the 22nd ACM Conf on Computer and Communications Security. New York:ACM, 2015: 941-951 [37] Götzfried J, Müller T, Drescher G, et al. RamCrypt: Kernel-based address space encryption for user-mode processes[C]//Procs of the 11th ACM on Asia Conf on Computer and Communications Security. New York:ACM, 2016: 919-924 [38] Chen Cao, Le Guan, Ning Zhang et al, Wenjing Lou: CryptMe: Data leakage prevention for unmodified programs on ARM devices[G]// LNCS 11050: Proc of Int Symp on Recent Advances in Intrusion Detection. Berlin:Springer, 2018: 380-400 [39] Jingqiang Lin, Bo Luo, Le Guan et al: Secure computing using registers and caches: The problem, challenges, and solutions[J] IEEE Security & Privacy, 2016, 14(6): 63-70 [40] Lipp M, Schwarz M, Gruss D, et al. Meltdown[EB/OL]. [2018-09-01].https://arxiv.org/abs/1801.01207 [41] Kocher P, Genkin D, Gruss D, et al. Spectre attacks: Exploiting speculative execution[EB/OL]. [2018-09-01]. https://arxiv.org/abs/1801.01203 [42] Guoxing Chen, Sanchuan Chen, Yuan Xiao et al, SgxPectre attacks: Stealing Intel secrets from SGX enclaves via speculative execution. [EB/OL]. [2018-02-25]. https://arxiv.org/abs/1802.09085 [43] Hetzelt F, Buhren R. Security analysis of encrypted virtual machines[C]// Proc of the 13th ACM SIGPLAN/SIGOPS Int Conf on Virtual Execution Environments. New York:ACM, 2017 [44] Morbitzer M, Huber M, Horsch J et al. SEVered: Subverting AMD’s virtual machine encryption[EB/OL].[2018-05-24]. https://arxiv.org/abs/1805.09604