Deriving ChaCha20 key streams from targeted memory analysis
Introduction
There is an increasing tension between the right of citizens to privacy and the right of society to protect itself from adversaries [1], [2]. The breaking of encryption tunnels is thus one of the major points of debate: law enforcement agencies aim to gather tools and methods which break these tunnels, while the security community fixes vulnerabilities in tools so that the tunnels cannot be broken. In most cases a key negotiation phase is performed first, typically with ECDH (Elliptic Curve Diffie-Hellman), and a symmetric key method is then used to encrypt the traffic within the tunnel.
Cracking the key exchange process, or the symmetric key used in the tunnel, is in most cases too costly. Unfortunately, the key exchange process can leave behind trails of evidence in memory which provide significant clues to the symmetric key in use. While this has been demonstrated for block ciphers such as the Advanced Encryption Standard (AES) [3], [4], this paper shows how widely used applications such as OpenSSH and OpenSSL allow every key generated for the ChaCha20 stream cipher to be revealed within a fairly short discovery time. As virtualized environments enable access to virtual machine resources from more privileged levels, such as hypervisors or hypervisor consoles, applications operating at that level can extract live virtual machine memory. Extraction is most effective when a virtual machine is paused, but pausing is not necessary. Virtualized environments therefore present an opportunity to find keys without impacting the target, and without the target applications being aware of the extraction.
The rest of the paper is structured as follows. Section 2 discusses related research, including side-channel studies. Background on stream ciphers and ChaCha20 cipher implementations is presented in Section 3. Section 4 provides relevant details of the framework, and its implementation is given in Section 5. The results are presented and discussed in Section 6, and conclusions are drawn in Section 7.
Related work
This paper focuses on decrypting network traffic encrypted with the ChaCha20-Poly1305 cipher. Prior studies have investigated potential vulnerabilities in cipher design and in cipher implementation. Researchers have found no vulnerabilities in the ChaCha20 design. For example, differential attacks using techniques such as identifying significant key bits have only succeeded against reduced-round versions of the cipher, and required significant volumes of plaintext-ciphertext pairs [5], [6]. Combined linear and differential
Stream ciphers
Secure protocols use encryption to provide confidentiality for communications between parties. While asymmetric ciphers are used in the set-up stages of secure protocols, for performance reasons symmetric ciphers encrypt the confidential information. Symmetric ciphers are commonly classified as stream ciphers, where plaintext is encrypted bit-by-bit or byte-by-byte, or block ciphers, where blocks of a specific size are encrypted. This paper focuses on stream ciphers.
Decryption framework
The decryption framework comprises data capture, analysis, and decrypt components. Each component is modifiable or replaceable so that different devices, target operating systems, ciphers, and protocols can be addressed. Details of the component design for ChaCha20 are presented in the following paragraphs.
Data Collection. Target device network packets and volatile memory are extracted. Complete SSH and TLS sessions originating from the target device are captured for later examination.
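The analysis and decrypt steps of such a framework can be shown concretely against a constructed memory image. The following Python example is added here for illustration; it is not code from the paper, nor from OpenSSH or OpenSSL. It implements the RFC 8439 ChaCha20 block function, scans a constructed "memory dump" for the 16-word ChaCha20 state by way of its "expand 32-byte k" constant (the constant string that the Countermeasures section proposes hiding), reads the key, block counter and nonce out of the matched structure, regenerates the key stream, and decrypts a constructed ciphertext. The assumption that the state is held contiguously in memory in RFC word order is the example's own; real implementations may lay the words out differently, or keep a counter that has already advanced, and a scan would have to account for that. The key, nonce, plaintext and filler bytes are all constructed for the example.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
CONSTANT = b"expand 32-byte k"   # words 0..3 of every ChaCha20 state (RFC 8439)


def rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(s, a, b, c, d):
    """RFC 8439 section 2.1 quarter round, applied in place to the 16-word state list."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def initial_state(key, counter, nonce):
    """Build the 16-word state: 4 constant words, 8 key words, 1 counter word, 3 nonce words."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    return (list(struct.unpack("<4I", CONSTANT))
            + list(struct.unpack("<8I", key))
            + [counter & MASK32]
            + list(struct.unpack("<3I", nonce)))


def chacha20_block(key, counter, nonce):
    """Return the 64-byte key stream block for this (key, counter, nonce)."""
    state = initial_state(key, counter, nonce)
    w = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)    # column rounds
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)  # diagonal rounds
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt (the same operation) by XOR with successive key stream blocks."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def serialize_state(key, counter, nonce):
    """The 64-byte in-memory form of the initial state that the scan below looks for (assumed layout)."""
    return struct.pack("<16I", *initial_state(key, counter, nonce))


def find_chacha20_states(image):
    """Scan a memory image for candidate ChaCha20 states, signposted by the constant string.

    Assumption of this example: the 16 words are contiguous and in RFC word order, so the
    32-byte key, 4-byte counter and 12-byte nonce directly follow the 16-byte constant.
    """
    found = []
    pos = image.find(CONSTANT)
    while pos != -1:
        blob = image[pos:pos + 64]
        if len(blob) == 64:            # a structure truncated by the end of the image is unusable
            found.append({"offset": pos, "key": blob[16:48],
                          "counter": struct.unpack("<I", blob[48:52])[0], "nonce": blob[52:64]})
        pos = image.find(CONSTANT, pos + 1)
    return found


def recover_and_decrypt(image, ciphertext):
    """Return (offset, plaintext) for every candidate state found in the image.

    Caveat: in a live capture the counter word may already have advanced past the block that
    produced the ciphertext; a fuller analysis would also try earlier counter values.
    An empty list means no ChaCha20 structure was present, e.g. because it had been wiped.
    """
    return [(c["offset"], chacha20_xor(c["key"], c["counter"], c["nonce"], ciphertext))
            for c in find_chacha20_states(image)]


def build_demo():
    """Constructed scenario, not captured data: a process encrypted a message with a random key
    and nonce, and its ChaCha20 state sits at a known offset inside a 4 KiB image of random filler."""
    key, nonce, counter = os.urandom(32), os.urandom(12), 1
    message = b"constructed SSH payload, spanning more than one 64-byte block " * 3
    ciphertext = chacha20_xor(key, counter, nonce, message)
    at, filler = 1234, os.urandom(4096)
    image = filler[:at] + serialize_state(key, counter, nonce) + filler[at:]
    return image, ciphertext, message, at


if __name__ == "__main__":
    image, ciphertext, message, at = build_demo()
    for offset, plaintext in recover_and_decrypt(image, ciphertext):
        print(f"state at offset {offset}: recovered plaintext matches: {plaintext == message}")
    wiped = image.replace(CONSTANT, b"\0" * 16)   # the state cleared before capture: nothing to find
    print("candidates after wipe:", len(recover_and_decrypt(wiped, ciphertext)))
```

The scan keys on the 16-byte constant because it is the only part of the state that is identical across every key, session and implementation; once a match is found, everything else needed to regenerate the key stream is read straight out of the neighbouring words, which is why the Countermeasures section treats hiding or segmenting that constant, and wiping the assembled structure, as the relevant defences.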
Implementation
The framework is implemented in a virtualized environment as illustrated in Fig. 2. Implementations on other technologies which facilitate packet capture and target memory access should be possible. The Xen hypervisor [31] offers benefits over alternatives, including the LibVMI [32] and PyVMI [33] libraries, which provide access to the volatile memory of live virtual machines. Because of its small trusted computing base, Xen is managed by a privileged virtual machine, which runs or
Evaluation
For the SSH evaluation the PuTTY 'pscp' program is executed from the Windows command line using requests of the form:
pscp -P nnnn 'filename' name@ipaddress:/home/name
where nnnn is the target port, 'filename' is the file being transmitted, name is a user account on the target Ubuntu server, ipaddress is the target server IP address and /home/name is the folder on the Ubuntu server that receives the transmitted file. An Ubuntu service is started from the bash command line to listen for client SSH messages with
Countermeasures
Fortunately, countermeasures to discovering the basic ChaCha20 structures exist, and hiding the constant string makes discovery more challenging. Possible measures are copying the constant string segments to registers and assembling the structure in the encryption routine, encrypting the constant string, or randomly segmenting the constant string. Perhaps the most effective approach is assembling the base structure on the stack, as OpenSSL does, and clearing the stack contents immediately after the
Conclusions
Implementations of ChaCha20-Poly1305 encryption in commonly used applications and libraries for SSH and TLS communications are vulnerable to decryption from a single memory extract. As memory analysis identified the cryptographic artefacts with 100% success, the artefacts could be retained alongside the captured network sessions for later decryption. This may enable entities such as cloud vendors to assist state agencies in decrypting criminals' communications without conflicting with local privacy laws.
Declaration of Competing Interest
The authors declare that they do not have any financial or nonfinancial conflict of interests.
References (41)
- et al. The persistence of memory: forensic identification and extraction of cryptographic keys. Digital Invest (2009).
- Chosen IV cryptanalysis on reduced round ChaCha and Salsa. Discrete Appl Math (2016).
- et al. TLSkex: harnessing virtual machine introspection for decrypting TLS communication. Digital Invest (2016).
- et al. Decrypting live SSH traffic in virtual environments. Digital Invest (2019).
- et al. After Snowden: rethinking the impact of surveillance. Int Polit Sociol (2014).
- Iphofen R. Safety is more important than privacy. Times Higher Education ...
- et al. Lest we remember: cold-boot attacks on encryption keys. Commun ACM (2009).
- et al. New features of Latin dances: analysis of Salsa, ChaCha, and Rumba. International Workshop on Fast Software Encryption (2008).
- et al. Differential cryptanalysis of Salsa and ChaCha: an evaluation with a hybrid model. IACR Cryptol ePrint Arch (2016).
- The Salsa20 family of stream ciphers. New Stream Cipher Designs (2008).
- Don't fall into a trap: physical side-channel analysis of ChaCha20-Poly1305. 2017 Design, Automation & Test in Europe Conference & Exhibition (DATE).
- Bricklayer attack: a side-channel analysis on the ChaCha quarter round. International Conference in Cryptology in India.
- Lucy in the sky without diamonds: stealing confidential data in the cloud. Proc Int Conf Dependable Syst Netw.
- Efficient retrieval of key material for inspecting potentially malicious traffic in the cloud. 2015 IEEE International Conference on Cloud Engineering.
- Adiantum: length-preserving encryption for entry-level processors. IACR Trans Symmetric Cryptol.
- Extending the Salsa20 nonce. Workshop Record of Symmetric Key Encryption Workshop.
- Block ciphers and stream ciphers: the state of the art. IACR Cryptol ePrint Arch.
- Stream ciphers.
- A survey of lightweight stream ciphers for embedded systems. Secur Commun Netw.