[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] (Fwd) Extracting a 3DES key from an IBM 4758

To: debate@lists.fitug.de
Subject: [FYI] (Fwd) Extracting a 3DES key from an IBM 4758
From: "Axel H Horns" <horns@ipjur.com>
Date: Sat, 10 Nov 2001 00:01:58 +0100
CC: krypto@thur.de
Delivered-To: mailing list debate@lists.fitug.de
List-Help: <mailto:debate-help@lists.fitug.de>
List-Id: <debate.lists.fitug.de>
List-Post: <mailto:debate@lists.fitug.de>
List-Subscribe: <mailto:debate-subscribe@lists.fitug.de>
List-Unsubscribe: <mailto:debate-unsubscribe@lists.fitug.de>
Mailing-List: contact debate-help@lists.fitug.de; run by ezmlm
Organization: NONE
Priority: normal

------- Forwarded message follows -------
Date sent:      	Thu, 8 Nov 2001 23:12:09 -0500
To:             	Digital Bearer Settlement List <dbs@philodox.com>,
	dcsb@ai.mit.edu, e$@vmeng.com, cryptography@wasabisystems.com
From:           	"R. A. Hettinga" <rah@shipwright.com>
Subject:        	Extracting a 3DES key from an IBM 4758

http://www.cl.cam.ac.uk/~rnc1/descrack/index.html

Extracting a 3DES key from an IBM 4758

Summary

The IBM 4758 is an extremely secure crytographic co-processor. It is
used by banking systems and in other security conscious applications
to hold keying material. It is designed to make it impossible to
extract this keying material unless you have the correct permissions
and can involve others in a conspiracy.

We are able, by a mixture of sleight-of-hand and raw processing power,
to persuade an IBM 4758 running IBM's ATM (cash machine) support
software called the "Common Cryptographic Architecture" (CCA) to
export any and all its DES and 3DES keys to us. All we need is:

*	about 20 minutes uninterrupted access to the device
*	one person's ability to use the Combine_Key_Parts permission
*	a standard off-the-shelf $995 FPGA evaluation board from Altera
*	about two days of "cracking" time

The attack can only be performed by an insider with physical access to
the cryptographic co-processor, but they can act alone. The FPGA
evaluation board is used as a "brute force key cracking" machine.
Programming this is a reasonably straightforward task that does not
require specialist hardware design knowledge. Since the board is
pre-built and comes with all the necessary connectors and tools, it is
entirely suitable for amateur use.

Besides being the first documented attack on the IBM 4758 to be run
"in anger", we believe that this is only the second DES cracking
machine in the open community that has actually been built and then
used to find an unknown key!

Until IBM fix the CCA software to prevent our attack, banks are
vulnerable to a dishonest branch manager whose teenager has $995 and a
few hours to spend in duplicating our work.

Contents

What is an IBM 4758 ?
What is an FPGA ?
What are DES and 3DES ?
How the DES cracker works
Some relevant sums
How the attack works
Some real results
Who are we ?
Do It Yourself

Frequently Asked Questions

What does an IBM 4758 look like?
Who uses IBM 4758s?
Are all IBM 4758s susceptible to the attack?
What is the CCA?
Are the IBM 4758 and the CCA the same thing?
How hard is it to physically attack a IBM 4758?
I heard that the IBM 4758 is FIPS Level 4 validated. Have you broken
the validation? So what does FIPS Level 4 validation mean? Are other
cryptoprocessors susceptible as well as the IBM 4758? What is DES?
What is Triple-DES (3DES)? How much stronger is Triple-DES than DES?
What privileges do you need to run this attack? What information does
this attack steal from the bank? How do PIN numbers work? Why is PIN
number theft so dangerous? How would a bank respond if someone did
this attack? Is all banking security this bad? So can anyone who
downloads this rip off a bank? Who could rip off a bank then? If this
attack is so dangerous, why are you telling everyone? Where can I go
to book tickets to Bermuda?

Other links

Michael Bond. "Attacks on Cryptoprocessor Transaction Sets"
Proceedings of the CHES 2001 Workshop, Paris 2001. Springer Verlag
LNCS 2162, pp 220-234. Available on the web as:
http://www.cl.cam.ac.uk/~mkb23/research/Attacks-on-Crypto-TS.pdf

Michael Bond & Ross Anderson. "API-Level Attacks on Embedded Systems"
IEEE Computer 34(10), October 2001, pp 67-75.

"Brute force attacks on crytographic keys" a web-based survey of
results, plus an annotated bibliography concentrating on DES crackers.
http://www.cl.cam.ac.uk/~rnc1/brute.html

"IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and
Guide for IBM 4758 Models 002 and 023 with Release 2.40", Seventh
Edition, September 2001. Available from:
ftp://www6.software.ibm.com/software/cryptocards/CCA_Basic_Services_Re
ference_240.pdf

----------------------------------------------------------------------
-- Return to Richard Clayton's Home Page Return to Mike Bond's Home
Page

last modified 29 OCT 2001 --
http://www.cl.cam.ac.uk/~rnc1/descrack/index.html

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44
Farquhar Street, Boston, MA 02131 USA "... however it may deserve
respect for its usefulness and antiquity, [predicting the end of the
world] has not been found agreeable to experience." -- Edward Gibbon,
'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List Unsubscribe by sending "unsubscribe
cryptography" to majordomo@wasabisystems.com
------- End of forwarded message -------

-- 
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de

Prev by Date: Re: Der Telekom gehoert das Internet
Next by Date: Re: I want my MTV!
Prev by thread: Re: Der Telekom gehoert das Internet
Next by thread: The Busted House Burglar! - New From Gotlaughs
Index(es):
- Date
- Thread