Deriving ChaCha20 key streams from targeted memory analysis

https://doi.org/10.1016/j.jisa.2019.102372

Abstract

There can be performance and vulnerability concerns with block ciphers, so stream ciphers can be used as an alternative. Although many symmetric key stream ciphers are fairly resistant to side-channel attacks, cryptographic artefacts may exist in memory. This paper identifies a significant vulnerability within OpenSSH and OpenSSL which involves the discovery of cryptographic artefacts used within the ChaCha20 cipher. This can allow the decryption of tunnelled data using a single targeted memory extraction. With this, law enforcement agencies and/or malicious agents could use the vulnerability to take copies of the encryption keys used for each tunnelled connection. The user of a virtual machine would not be alerted to the capturing of the encryption key, as the method runs from an extraction of the running memory. Methods of mitigation include making cryptographic artefacts difficult to discover and limiting memory access.

Introduction

There is increasing tension between the right of citizens to privacy and the right of society to protect itself from adversaries [1], [2]. The breaking of encryption tunnels is thus one of the major points of debate: law enforcement agencies aim to gather tools and methods which break these tunnels, while developers fix vulnerabilities in tools to prevent these tunnels from being broken. In most cases a key negotiation phase is performed first, typically with ECDH (Elliptic Curve Diffie-Hellman), and a symmetric key method is then used to encrypt the traffic within the tunnel.

Breaking the key exchange process, or recovering the symmetric key used in the tunnel by brute force, is in most cases too costly. Unfortunately, the key exchange process can leave behind trails of evidence in memory which provide significant clues to the symmetric key being used. While this has been demonstrated for block ciphers such as the Advanced Encryption Standard (AES) [3], [4], this paper outlines how widely used applications such as OpenSSH and OpenSSL allow every key generated for the ChaCha20 stream cipher to be revealed within a fairly short discovery time. As virtualized environments give more privileged levels, such as hypervisors or hypervisor consoles, access to virtual machine resources, applications operating at that level can extract live virtual machine memory. Extraction is most effective when a virtual machine is paused, but pausing is not necessary. Virtualized environments therefore present an opportunity to find keys without impacting the target and without the target applications being aware of the extraction.

The rest of the paper is structured as follows. Section 2 discusses related research, including side-channel studies. Background on stream ciphers and ChaCha20 cipher implementations is presented in Section 3. Section 4 provides relevant details of the framework, and its implementation is given in Section 5. The results are presented and discussed in Section 6, and conclusions are drawn in Section 7.

Related work

This paper focuses on decrypting network traffic encrypted with the ChaCha20-Poly1305 cipher. Prior studies have investigated potential vulnerabilities in cipher design and in cipher implementation. Researchers have found no vulnerabilities in the ChaCha20 design. For example, differential attacks using techniques such as identifying significant key bits have only succeeded against reduced-round versions of the cipher, and then only with significant volumes of plaintext-ciphertext pairs [5], [6]. Combined linear and differential

Stream ciphers

Secure protocols use encryption to provide confidentiality for communications between parties. While asymmetric ciphers are used in the set-up stages of a secure protocol, for performance reasons symmetric ciphers encrypt the confidential information itself. Symmetric ciphers are commonly classified as either stream ciphers, where plaintext is encrypted bit-by-bit or byte-by-byte, or block ciphers, where blocks of a specific size are encrypted. This paper focuses on stream ciphers.

Decryption framework

The decryption framework comprises data capture, analysis, and decrypt components. Each component is modifiable or replaceable so that different devices, target operating systems, ciphers, and protocols can be addressed. Details of the component design for ChaCha20 are presented in the following paragraphs.

Data Collection. Network packets and volatile memory are extracted from the target device. Complete SSH and TLS sessions originating from the target device are captured for later examination.

Implementation

The framework is implemented in a virtualized environment as illustrated in Fig. 2. Implementations on other technologies which facilitate packet capture and target memory access should be possible. The Xen hypervisor [31] offers benefits over alternatives including the presence of LibVMI [32] and PyVMI [33] libraries providing access to the volatile memory of live virtual machines. Because of its small trusted computing base, Xen is managed by a privileged virtual machine, which runs or

Evaluation

For the SSH evaluation, the PuTTY 'pscp' program is executed from the Windows command line using requests of the form:

pscp -P nnnn 'filename' name@ipaddress:/home/name

where nnnn is the target port, 'filename' is the file being transmitted, name is a user account on the target Ubuntu server, ipaddress is the target server IP address and /home/name is the folder on the Ubuntu server that receives the transmitted file. An Ubuntu service is started from the bash command line to listen for client SSH messages with

Countermeasures

Fortunately, countermeasures against the discovery of the basic ChaCha20 structures exist, and hiding the constant string makes discovery more challenging. Possible measures are copying the constant string segments to registers and assembling the structure inside the encryption routine, encrypting the constant string, or randomly segmenting the constant string. Perhaps the most effective approach is assembling the base structure on the stack, as OpenSSL does, and clearing the stack contents immediately after the
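The scan-and-validate step of the data collection and analysis components described above, together with the scrub-after-use countermeasure of this section, as one added example in C. This is illustrative code written for this page, not the paper's framework and not OpenSSH or OpenSSL source. It assumes the ChaCha20 state lies in memory in the RFC 7539 layout (constants, key, counter, nonce as 16 little-endian words), assumes a plaintext prefix of the captured record (a "crib", such as a protocol header) is known so that candidate states can be validated, and constructs the memory image, the captured record and a decoy copy of the constant inline; the key, nonce and counter are the RFC 7539 section 2.4.2 test vector so the ciphertext can be checked against the RFC.

```c
/* Added example, not the paper's framework nor OpenSSH/OpenSSL code: scan a memory image for
 * the ChaCha20 constant, validate each hit by decrypting a captured record against a known
 * plaintext prefix, then apply the scrub-after-use countermeasure. Image, record and crib are
 * constructed here; the in-memory layout is assumed to follow RFC 7539. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
    a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7)

static const uint8_t SIGMA[16] = "expand 32-byte k"; /* the artefact the scan keys on */

static uint32_t load32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* One keystream block from a serialised state: 4 constant, 8 key, 1 counter, 3 nonce words (RFC 7539). */
static void chacha20_block(const uint8_t state[64], uint8_t out[64]) {
    uint32_t in[16], x[16];
    for (int i = 0; i < 16; i++) in[i] = x[i] = load32(state + 4 * i);
    for (int r = 0; r < 10; r++) {
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 16; i++) {
        uint32_t v = x[i] + in[i];
        out[4*i] = v; out[4*i+1] = v >> 8; out[4*i+2] = v >> 16; out[4*i+3] = v >> 24;
    }
}

/* XOR n bytes with keystream starting at the counter in word 12, incrementing it per block. */
static void chacha20_xor(const uint8_t state[64], const uint8_t *in, uint8_t *out, size_t n) {
    uint8_t s[64], ks[64];
    memcpy(s, state, 64);
    for (size_t off = 0; off < n; off += 64) {
        chacha20_block(s, ks);
        for (size_t i = 0; i < 64 && off + i < n; i++) out[off + i] = in[off + i] ^ ks[i];
        uint32_t ctr = load32(s + 48) + 1;
        s[48] = ctr; s[49] = ctr >> 8; s[50] = ctr >> 16; s[51] = ctr >> 24;
    }
}

/* Offset of the next constant at or after `from` with 64 bytes of state behind it; -1 if none. */
long find_sigma(const uint8_t *mem, size_t len, size_t from) {
    for (size_t i = from; i + 64 <= len; i++)
        if (memcmp(mem + i, SIGMA, 16) == 0) return (long)i;
    return -1;
}

/* Analysis step. The constant also sits in the binary's read-only data, so every hit is tried
 * against the captured record and only the state whose keystream yields the crib is kept.
 * Returns the image offset of that state (plaintext left in plain_out) or -1. */
long recover_state(const uint8_t *mem, size_t len, const uint8_t *rec, size_t rec_len,
                   const uint8_t *crib, size_t crib_len, uint8_t *plain_out) {
    for (long off = find_sigma(mem, len, 0); off >= 0; off = find_sigma(mem, len, off + 1)) {
        chacha20_xor(mem + off, rec, plain_out, rec_len);
        if (rec_len >= crib_len && memcmp(plain_out, crib, crib_len) == 0) return off;
    }
    return -1;
}

/* Countermeasure: zero through a volatile pointer so dead-store elimination cannot drop the
 * clearing (explicit_bzero()/memset_s() serve the same purpose where available). */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Constructed 512-byte image: filler, a bare copy of the constant as .rodata would hold it
 * (a false positive for the scan), more filler, then the live state at offset 300. */
static void build_image(uint8_t img[512], const uint8_t state[64]) {
    for (size_t i = 0; i < 512; i++) img[i] = (uint8_t)(i * 37 + 11);
    memcpy(img + 100, SIGMA, 16);
    memcpy(img + 300, state, 64);
}

/* End-to-end run with the RFC 7539 section 2.4.2 key, nonce and counter. Returns 0 on success,
 * otherwise the number of the step that failed. */
int run_demo(void) {
    static const uint8_t rfc_ct[8] = {0x6e, 0x2e, 0x35, 0x9a, 0x25, 0x68, 0xf9, 0x80};
    const char *msg = "Ladies and Gentlemen of the class of '99: If I could offer you "
                      "only one tip for the future, sunscreen would be it.";
    size_t n = strlen(msg);
    uint8_t state[64], img[512], ct[128], pt[128];
    memcpy(state, SIGMA, 16);
    for (int i = 0; i < 32; i++) state[16 + i] = (uint8_t)i;      /* key 00..1f */
    memset(state + 48, 0, 16); state[48] = 1; state[59] = 0x4a;    /* counter 1, nonce ..4a.. */
    chacha20_xor(state, (const uint8_t *)msg, ct, n);              /* the captured record */
    if (memcmp(ct, rfc_ct, 8) != 0) return 1;                      /* matches the RFC vector */
    build_image(img, state);
    if (recover_state(img, 512, ct, n, (const uint8_t *)"Ladies", 6, pt) != 300) return 2;
    if (memcmp(pt, msg, n) != 0) return 3;                         /* whole record recovered */
    chacha20_xor(state, (const uint8_t *)msg, ct, n);              /* use the state once more */
    scrub(state, 64);                                              /* then clear it */
    if (find_sigma(state, 64, 0) != -1) return 4;                  /* constant gone */
    for (int i = 0; i < 64; i++) if (state[i]) return 5;           /* key and nonce gone too */
    return 0;
}
```

Every hit is validated rather than trusted because the constant string also appears in the code's read-only data, not only in live contexts; a scan that returned the first hit would pick up that copy and a junk "key" behind it. Whether the key, counter and nonce of a real OpenSSH or OpenSSL context sit directly behind the constant in this order is something the analysis component has to establish per implementation; the example assumes it. The scrub at the end is the countermeasure the text describes: once the state is cleared after use, the same scan finds neither the constant nor the key in that storage.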

Conclusions

Implementations of ChaCha20-Poly1305 encryption in commonly used applications and libraries for SSH and TLS communications are vulnerable to decryption from a single memory extract. As memory analysis identifies the cryptographic artefacts with 100% success, the artefacts could be retained alongside captured network sessions for later decryption. This may allow entities such as cloud vendors to assist state agencies in decrypting criminals' communications without conflicting with local privacy laws.

Declaration of Competing Interest

The authors declare that they do not have any financial or nonfinancial conflict of interests.

References (41)

  • B. Jungk et al. Don't fall into a trap: physical side-channel analysis of ChaCha20-Poly1305. 2017 Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.
  • A. Adomnicai et al. Bricklayer attack: a side-channel analysis on the ChaCha quarter round. International Conference in Cryptology in India, 2017.
  • KDDI Research Inc. Security analysis of ChaCha20-Poly1305 AEAD....
  • F. Rocha et al. Lucy in the sky without diamonds: stealing confidential data in the cloud. Proc. Int. Conf. Dependable Syst. Netw., 2011.
  • J.T. Saxon et al. Efficient retrieval of key material for inspecting potentially malicious traffic in the cloud. 2015 IEEE International Conference on Cloud Engineering, 2015.
  • P. Crowley et al. Adiantum: length-preserving encryption for entry-level processors. IACR Trans. Symmetric Cryptol., 2018.
  • D.J. Bernstein. Extending the Salsa20 nonce. Workshop Record of the Symmetric Key Encryption Workshop, 2011.
  • A. Biryukov. Block ciphers and stream ciphers: the state of the art. IACR Cryptol. ePrint Arch., 2004.
  • A. Klein. Stream ciphers. 2013.
  • C. Manifavas et al. A survey of lightweight stream ciphers for embedded systems. Secur. Commun. Netw., 2016.

Cited by (9)

  • Evaluation of live forensic techniques in ransomware attack mitigation. Forensic Science International: Digital Investigation, 2020. Citation excerpt: "Once the required number of memory captures has been completed they are then analysed. Several researchers including (Balogh and Pondelik, 2011; Halderman et al., 2009; Maartmann-Moe et al., 2009; McLaren et al., 2019a, 2019b) have had success in extracting the encryption keys through the discovery of cryptographic information in volatile memory. One thing to remember when applying this method to the ransomware samples analysed in this report is that these samples perform several steps before they actually begin encrypting data on the victim's system (Nissim et al., 2019)."
  • Novel lightweight video encryption method based on ChaCha20 stream cipher and hybrid chaotic map. International Journal of Electrical and Computer Engineering, 2022.