Paper 2021/553

PARASITE: PAssword Recovery Attack against Srp Implementations in ThE wild

Daniel De Almeida Braga, Pierre-Alain Fouque, and Mohamed Sabt

Abstract

Protocols for password-based authenticated key exchange (PAKE) allow two users sharing only a short, low-entropy password to establish a secure session with a cryptographically strong key. The challenge in designing such protocols is that they must resist offline dictionary attacks, in which an attacker exhaustively enumerates a dictionary of likely passwords in an attempt to match the one in use. In this paper, we study the resilience of one particular PAKE against these attacks: the Secure Remote Password (SRP) protocol, designed by T. Wu in 1998. Despite its lack of a formal security proof, SRP has become a de-facto standard. For more than 20 years, many projects have turned to SRP for their authentication solution, thanks to the availability of open-source implementations with no restrictive licenses. Of particular interest, we mention the Stanford reference implementation (in C and Java) and the OpenSSL one (in C). In this paper, we analyze the security of the SRP implementation inside the OpenSSL library. In particular, we identify that this implementation is vulnerable to offline dictionary attacks. Indeed, we exploit a call to a function computing modular exponentiation of big numbers in OpenSSL. In the SRP protocol, this call reaches a non-constant-time function, thereby leaking some information about the password in use when observed with a cache-based Flush+Reload timing attack. We then show that our attack is practical, since it requires only a single trace despite the noise of cache measurements. In addition, the attack is quite efficient, as the reduction of some common dictionaries is very fast using modern resources at negligible cost. We also show that the scope of our vulnerability is not limited to OpenSSL, since many other projects, including Stanford's, ProtonMail and Apple HomeKit, rely on OpenSSL, which makes them vulnerable. We find that our flaw might also impact projects written in Python, Erlang, JavaScript and Ruby, as long as they load the OpenSSL dynamic library for their big-number operations. We disclosed our attack to OpenSSL, who acknowledged the attack and promptly fixed the vulnerability.

Note: PoC of the attack available at: https://gitlab.inria.fr/ddealmei/poc-openssl-srp
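To make concrete where the password-dependent modular exponentiations sit in SRP, the following is an added example (not code from the paper or its PoC) of an SRP-6a exchange in the style of RFC 5054, with both client and server sides computing the session secret. It assumes the RFC 5054 1024-bit group (transcribed here; check it against the RFC before use), SHA-256 in place of the RFC's SHA-1, and constructed sample credentials. The exponents x and a + u·x on the client side are derived from the password, which is exactly what a non-constant-time modular exponentiation leaks; Python's built-in pow is not constant-time, so this code is for understanding the protocol, not for deployment.

```python
import hashlib
import secrets

# RFC 5054 1024-bit group (transcribed; verify against the RFC before any real use).
N = int("".join("""
EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576
D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1
5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC
68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
""".split()), 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """Hash the concatenation of parts to an integer (SHA-256, an assumption; RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(v: int) -> bytes:
    """Left-pad an integer to the byte length of N, as RFC 5054 does for g, A and B."""
    return v.to_bytes(NLEN, "big")


def compute_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(salt | H(I ':' P)): the password-derived secret exponent."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def make_verifier(salt: bytes, identity: bytes, password: bytes) -> int:
    """v = g^x mod N, stored by the server at enrollment; exponent depends on the password."""
    return pow(g, compute_x(salt, identity, password), N)


def srp_exchange(identity: bytes, password: bytes, salt: bytes, verifier: int):
    """Run one SRP-6a round; returns (client_secret, server_secret)."""
    k = H(pad(N), pad(g))                      # multiplier parameter of SRP-6a
    a, b = secrets.randbelow(N), secrets.randbelow(N)   # ephemeral secrets
    A = pow(g, a, N)                           # client -> server
    B = (k * verifier + pow(g, b, N)) % N      # server -> client
    u = H(pad(A), pad(B))                      # scrambling parameter, bound to both shares
    x = compute_x(salt, identity, password)    # client recomputes x from the typed password
    # Client: two modexps whose exponents depend on the password (x, then a + u*x).
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: never sees the password; uses the stored verifier instead.
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    return S_client, S_server


# Constructed sample credentials (not from the paper).
SALT, USER, PASSWORD = bytes(range(16)), b"alice", b"correct horse battery staple"
VERIFIER = make_verifier(SALT, USER, PASSWORD)
```

Both sides agree on S only when the client used the enrolled password; a wrong password yields mismatched secrets without revealing the verifier to the client.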

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Published elsewhere. Proceedings of the Conference on Computer and Communications Security (CCS '21)
DOI: 10.1145/3460120.3484563
Keywords: SRP, PAKE, Flush+Reload, PDA, OpenSSL
Contact author(s): daniel de-almeida-braga @ irisa fr
History:
2021-09-14: revised
2021-04-27: received
Short URL: https://ia.cr/2021/553
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2021/553,
      author = {Daniel De Almeida Braga and Pierre-Alain Fouque and Mohamed Sabt},
      title = {PARASITE: PAssword Recovery Attack against Srp Implementations in ThE wild},
      howpublished = {Cryptology ePrint Archive, Paper 2021/553},
      year = {2021},
      doi = {10.1145/3460120.3484563},
      note = {\url{https://eprint.iacr.org/2021/553}},
      url = {https://eprint.iacr.org/2021/553}
}