JavaScript WhiteBox Crypto and Improving Security for LINE Chrome

Transcript

1. JavaScript WhiteBox Crypto and Improving Security for LINE Chrome Sanghwan

   Ahn / LINE

2. Agenda - Background - White-box security module for Javascript -

   Use cases and Implementation issues - Lessons Learned and Conclusion

3. Shift Left Security Requirements Design Development Testing QA Security Checks

   - Security checks were implemented at the end of the development cycle - The earlier you solve security issues, the lower you cost - Secure design and its implementation may be a daunting task for developer shift app security to the left

4. Shift Left Security Requirements Design Development Testing QA Security Checks

   - Security checks were implemented at the end of the development cycle - The earlier you solve security issues, the lower you cost - Secure design and its implementation may be a daunting task for developer shift app security to the left

5. LTSM LINE Trusted Security Module WAL (White-box Abstraction Layer) Platform

   Binding Layer iOS Android WASM LINE Messenger LINEPay LINEBank JP Core FIDO2 Crypto APIs E2EE White-box Engine KAL (Keychain Abstraction Layer) LINEBank ID LINEBank TW Secure Enclave HW backed KeyStore, StrongBox

6. LTSM - A couple of presentations related to LTSM -

   Cross-platform Mobile Security at LINE in DevDay2020 - https://linedevday.linecorp.com/2020/en/sessions/8802/ - Strong customer authentication & biometrics using FIDO in DevDay2019 - https://linedevday.linecorp.com/jp/2019/sessions/D1-1 LINE Trusted Security Module

7. LTSM LINE Trusted Security Module WAL (White-box Abstraction Layer) Platform

   Binding Layer iOS Android WASM LINE Messenger LINEPay LINEBank JP Core FIDO2 Crypto APIs E2EE White-box Engine KAL (Keychain Abstraction Layer) LINEBank ID LINEBank TW Secure Enclave HW backed KeyStore, StrongBox

8. Motivations - Lack of secure storage for sensitive data such

   as cryptographic keys. - Hardcoded cryptographic key - Mitigation against the impact of unanticipated token leakage - Mitigation against API abuse - Account Takeover, Spamming, Phishing, DDOS, Fake Client - Key protection method against malicious code execution via XSS - No protection layer for End to End Encryption key in LINE Chrome - New web technologies have appeared over the last years - Web Cryptography API, IndexedDB API

9. Cross Site Scripting(XSS) - The most common types of vulnerability

   on the web application - Allow an attacker to execute malicious code in the application context

10. Web browser Web Application In memory or storage Threat Model

    - We assume that an attacker had total control over cryptographic operations and script execution - The goal of the attacker is to retrieve the secret key - The attacker could attempt to gain access to the secret key in memory or storage - Malware has access to the device storage may be able to take the secret key without script execution Secret Key Web Server Application Code Web Application Service Malicious code Malware Scope of Black-box 
 Threat Model Scope of Gray-box Threat Model Scope of White-box Threat Model

11. Web Crypto API and IndexedDB - The content of the

    key is not accessible to the Javascript environment - Provides an additional protection layer so that the key cannot be extracted and make it only works in legitimate operation - CryptoKey.extractable: true or false - CryptoKey.usages: encrypt, decrypt, sign, verify, wrapKey, unwrapKey, deriveKey, deriveBits - CryptoKey object can be directly stored in the IndexedDB

12. Limitations - Web Crypto API does not guarantee the protection

    at the storage level - In key unwrapping, where could we put the unwrapping key? - Web Crypto API does not provide a key attestation - Web Crypto API doesn’t support curve25519 Secret key

13. White-box Cryptography - Keys are embedded in the algorithms making

    it inherently difficult to extract - Keys are never revealed in plaintext form even in memory - Offer increased resistance to reverse engineering and dynamic binary instrumentation toolkit like Frida, PINTool and Valgrind - Purely software-based - Implementable custom cryptographic APIs across platforms

14. White-box Use Case - Enables a key protection layer on

    the key object - provide key itself with a layer of protection against direct access to the content of the key by the javascript code 
 - Secure key provisioning - Hardcoded static key problems - Enables the protection of static key or dynamic key sent by the server - Allow to bind the key to the device

15. WebAssembly - Able to run native code like C/C++ and

    Rust in the browser at near-native speed - WebAssembly executes within a sandboxed environment separated from the host runtime - Provides other nice security features such as Memory Safety, Undefined Behavior Sanitizer, Address Sanitizer and Control-Flow Integrity

16. Chrome extension LTSM_JS LTSM for Javascript - Based on C++

    - Compiles the code to WASM module with Emscripten - Bind C++ functions and classes to JavaScript with Embind - LTSM_JS loaded in a sandboxed page in chrome extension, the sandboxed page will not have access to extension APIs WASM Module JS Binding Layer C++ source code (Sandboxed) HTML Via PostMessage( )

17. LTSM for Javascript - LTSM provides common crypto APIs and

    security features for E2EE - The private key in SecureKey is encrypted at all times in white box container - Even when it performs any operations with the private key, it does so without ever exposing the contents in plain form SecureKey SymmetricKey Curve25519Key HMAC Key Provisioning AES KDF Key Wrapping/ Unwrapping End to End Encryption E2EEKey

18. Secure Storage - Rely on the browser local storage system.

    - Secure Storage Key(SSK) is provisioned from the server - The key object is only valid in a memory and non-extractable Chrome extension Local storage SSK Server Provisioning AES-256-GCM encrypt/decrypt

19. Letter Sealing - LINE's End to End Encryption protocol -

    Text message, Location message, Audio/Video calls are encrypted on the LINE client before being sent - Based on ECDH key exchange algorithm over curve25519 - Each user holds on to their private key on the device. - White paper offers in-depth details to Letter Sealing 
 https://scdn.line-apps.com/stf/linecorp/en/csr/line-encryption-whitepaper-ver2.1.pdf

20. White Box Integration Issues - SecureKey doesn’t allow to manipulate

    arbitrary bytes of the key. - Mismatched padding algorithm in key wrapping - Curve25519 private key “Clamping” in key generation 
 - White-box provides key utility to create a protected key blob from plain data - White-box provides special purpose algorithms in Key Derivation Function - Concat: derives a new key by concatenating two existing keys - Slice: takes an arbitrary substring of bytes from the input key and derives it as a new key

21. Key Export Tool - Creates Whitebox protected exported keyblob from

    plain input data - This operation should be carried ou be done in trusted environment - Able to load the keyblob with SecureKey.importKey( ) Plain data Key Export Tool KeyBlob 4A 32 4D 72 39 33 33 6C 61 54 4E 6B 32 4D 4A 30 49 D8 AD DC 2B AE 89 D1 EE 67 D0 5F CB F3 5C 07 35 2D B4 93 F1 63 D8 51 DC 58 BB DA E0 9A 60 0B 12 15 DA E0 2D 2B AE D8 … SecureKey.importKey SecureKey

22. Clamping on Curve25519 Private Key - Generates 32 bytes random

    secret from a cryptographically safe source - The “Clamping” should be done to the private key before it is used - The clamping function looks like this: 
 
 
 secret[0] & 248; secret[31] &= 127; secret[31] |= 64;

23. - Pre computed LUT for all possible value in the

    first and the last byte of the private key - LUTs generation code: 
 
 
 - Creates these LUTs to white box protected exported key blobs using Key Export Tool for(x = 0; x < 256 ; x++) { lut00[256] = x & 248; lut31[256] = (x & 127) | 64; } Clamping on Curve25519 Private Key

24. CZUFT
    3BOEPN
    4FDVSF,FZ
    '' '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' Clamping on Curve25519 Private Key

25. The first byte manipulation - Picks random offset in the

    LUT00 as SecureKey - Takes 16bytes using Slicing

26. CZUFT
    3BOEPN
    4FDVSF,FZ
    '' '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' 3BOEPNMZ
    QJDLFE
    GSPN
    -65                 The first byte manipulation - Concatenates two keys

27. 3BOEPN
    QJDLFE
    GSPN
    -65         

           The first byte manipulation CZUFT
    3BOEPN
    4FDVSF,FZ
    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' - Takes 16bytes of the data starting at the 15th index using Slicing

28. The last byte manipulation CZUFT
    3BOEPN
    4FDVSF,FZ
    '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''

29. The last byte manipulation - Picks random offset in the

    LUT31 as SecureKey - Takes 16bytes using Slicing

30. The last byte manipulation CZUFT
    3BOEPN
    4FDVSF,FZ
    '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' 3BOEPN
    QJDLFE
    GSPN
    -65                 - Concatenates two keys

31. The last byte manipulation - Takes 16 bytes of the

    data starting at the second index using Slicing CZUFT
    3BOEPN
    4FDVSF,FZ
    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' 3BOEPN
    QJDLFE
    GSPN
    -65                

32. 'SPOU
    QBSU
    PG
    UIF
    LFZ  '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' Curve25519 private key clamping 3FBS
    QBSU
    PG
    UIF
    LFZ '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''  - Concatenates two keys

33. $MBNQJOH
    EPOF
    CZUFT
    DVSWF
    QSJWBUF
    LFZ  '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''  Curve25519 private key clamping

34. Lessons Learned - Able to control arbitrary bytes indirectly by

    concatenating, slicing LUT and key, but its implementation gets much more complicated - Developing some security features inside the security department and providing them to client team can be more efficient in building a security design - Implementing debug features helps to integrate white-box

35. Conclusion - Achieving security within the white box threat model

    is very difficult for software implementation - That is what white-box cryptography tries to achieve 
 - With WebAssembly, white-box implementations can be integrated into more security features in web applications 
 - White-box cryptography is not an all-in-one solution, and it is not a magic bullet that makes an insecure security design secure

36. Thank you