$30 off During Our Annual Pro Sale. View Details »

JavaScript WhiteBox Crypto and Improving Security for LINE Chrome

JavaScript WhiteBox Crypto and Improving Security for LINE Chrome

Tech-Verse2022
PRO

November 17, 2022
Tweet

More Decks by Tech-Verse2022

Other Decks in Technology

Transcript

  1. JavaScript WhiteBox Crypto and Improving Security for LINE Chrome Sanghwan

    Ahn / LINE
  2. Agenda - Background - White-box security module for Javascript -

    Use cases and Implementation issues - Lessons Learned and Conclusion
  3. Shift Left Security Requirements Design Development Testing QA Security Checks

    - Security checks were implemented at the end of the development cycle - The earlier you solve security issues, the lower you cost - Secure design and its implementation may be a daunting task for developer shift app security to the left
  4. Shift Left Security Requirements Design Development Testing QA Security Checks

    - Security checks were implemented at the end of the development cycle - The earlier you solve security issues, the lower you cost - Secure design and its implementation may be a daunting task for developer shift app security to the left
  5. LTSM LINE Trusted Security Module WAL (White-box Abstraction Layer) Platform

    Binding Layer iOS Android WASM LINE Messenger LINEPay LINEBank JP Core FIDO2 Crypto APIs E2EE White-box Engine KAL (Keychain Abstraction Layer) LINEBank ID LINEBank TW Secure Enclave HW backed KeyStore, StrongBox
  6. LTSM - A couple of presentations related to LTSM -

    Cross-platform Mobile Security at LINE in DevDay2020 - https://linedevday.linecorp.com/2020/en/sessions/8802/ - Strong customer authentication & biometrics using FIDO in DevDay2019 - https://linedevday.linecorp.com/jp/2019/sessions/D1-1 LINE Trusted Security Module
  7. LTSM LINE Trusted Security Module WAL (White-box Abstraction Layer) Platform

    Binding Layer iOS Android WASM LINE Messenger LINEPay LINEBank JP Core FIDO2 Crypto APIs E2EE White-box Engine KAL (Keychain Abstraction Layer) LINEBank ID LINEBank TW Secure Enclave HW backed KeyStore, StrongBox
  8. Motivations - Lack of secure storage for sensitive data such

    as cryptographic keys. - Hardcoded cryptographic key - Mitigation against the impact of unanticipated token leakage - Mitigation against API abuse - Account Takeover, Spamming, Phishing, DDOS, Fake Client - Key protection method against malicious code execution via XSS - No protection layer for End to End Encryption key in LINE Chrome - New web technologies have appeared over the last years - Web Cryptography API, IndexedDB API
  9. Cross Site Scripting(XSS) - The most common types of vulnerability

    on the web application - Allow an attacker to execute malicious code in the application context
  10. Web browser Web Application In memory or storage Threat Model

    - We assume that an attacker had total control over cryptographic operations and script execution - The goal of the attacker is to retrieve the secret key - The attacker could attempt to gain access to the secret key in memory or storage - Malware has access to the device storage may be able to take the secret key without script execution Secret Key Web Server Application Code Web Application Service Malicious code Malware Scope of Black-box 
 Threat Model Scope of Gray-box Threat Model Scope of White-box Threat Model
  11. Web Crypto API and IndexedDB - The content of the

    key is not accessible to the Javascript environment - Provides an additional protection layer so that the key cannot be extracted and make it only works in legitimate operation - CryptoKey.extractable: true or false - CryptoKey.usages: encrypt, decrypt, sign, verify, wrapKey, unwrapKey, deriveKey, deriveBits - CryptoKey object can be directly stored in the IndexedDB
  12. Limitations - Web Crypto API does not guarantee the protection

    at the storage level - In key unwrapping, where could we put the unwrapping key? - Web Crypto API does not provide a key attestation - Web Crypto API doesn’t support curve25519 Secret key
  13. White-box Cryptography - Keys are embedded in the algorithms making

    it inherently difficult to extract - Keys are never revealed in plaintext form even in memory - Offer increased resistance to reverse engineering and dynamic binary instrumentation toolkit like Frida, PINTool and Valgrind - Purely software-based - Implementable custom cryptographic APIs across platforms
  14. White-box Use Case - Enables a key protection layer on

    the key object - provide key itself with a layer of protection against direct access to the content of the key by the javascript code 
 - Secure key provisioning - Hardcoded static key problems - Enables the protection of static key or dynamic key sent by the server - Allow to bind the key to the device
  15. WebAssembly - Able to run native code like C/C++ and

    Rust in the browser at near-native speed - WebAssembly executes within a sandboxed environment separated from the host runtime - Provides other nice security features such as Memory Safety, Undefined Behavior Sanitizer, Address Sanitizer and Control-Flow Integrity
  16. Chrome extension LTSM_JS LTSM for Javascript - Based on C++

    - Compiles the code to WASM module with Emscripten - Bind C++ functions and classes to JavaScript with Embind - LTSM_JS loaded in a sandboxed page in chrome extension, the sandboxed page will not have access to extension APIs WASM Module JS Binding Layer C++ source code (Sandboxed) HTML Via PostMessage( )
  17. LTSM for Javascript - LTSM provides common crypto APIs and

    security features for E2EE - The private key in SecureKey is encrypted at all times in white box container - Even when it performs any operations with the private key, it does so without ever exposing the contents in plain form SecureKey SymmetricKey Curve25519Key HMAC Key Provisioning AES KDF Key Wrapping/ Unwrapping End to End Encryption E2EEKey
  18. Secure Storage - Rely on the browser local storage system.

    - Secure Storage Key(SSK) is provisioned from the server - The key object is only valid in a memory and non-extractable Chrome extension Local storage SSK Server Provisioning AES-256-GCM encrypt/decrypt
  19. Letter Sealing - LINE's End to End Encryption protocol -

    Text message, Location message, Audio/Video calls are encrypted on the LINE client before being sent - Based on ECDH key exchange algorithm over curve25519 - Each user holds on to their private key on the device. - White paper offers in-depth details to Letter Sealing 
 https://scdn.line-apps.com/stf/linecorp/en/csr/line-encryption-whitepaper-ver2.1.pdf
  20. White Box Integration Issues - SecureKey doesn’t allow to manipulate

    arbitrary bytes of the key. - Mismatched padding algorithm in key wrapping - Curve25519 private key “Clamping” in key generation 
 - White-box provides key utility to create a protected key blob from plain data - White-box provides special purpose algorithms in Key Derivation Function - Concat: derives a new key by concatenating two existing keys - Slice: takes an arbitrary substring of bytes from the input key and derives it as a new key
  21. Key Export Tool - Creates Whitebox protected exported keyblob from

    plain input data - This operation should be carried ou be done in trusted environment - Able to load the keyblob with SecureKey.importKey( ) Plain data Key Export Tool KeyBlob 4A 32 4D 72 39 33 33 6C 61 54 4E 6B 32 4D 4A 30 49 D8 AD DC 2B AE 89 D1 EE 67 D0 5F CB F3 5C 07 35 2D B4 93 F1 63 D8 51 DC 58 BB DA E0 9A 60 0B 12 15 DA E0 2D 2B AE D8 … SecureKey.importKey SecureKey
  22. Clamping on Curve25519 Private Key - Generates 32 bytes random

    secret from a cryptographically safe source - The “Clamping” should be done to the private key before it is used - The clamping function looks like this: 
 
 
 secret[0] & 248; secret[31] &= 127; secret[31] |= 64;
  23. - Pre computed LUT for all possible value in the

    first and the last byte of the private key - LUTs generation code: 
 
 
 - Creates these LUTs to white box protected exported key blobs using Key Export Tool for(x = 0; x < 256 ; x++) { lut00[256] = x & 248; lut31[256] = (x & 127) | 64; } Clamping on Curve25519 Private Key
  24. CZUFT3BOEPN4FDVSF,FZ '' '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' Clamping on Curve25519 Private Key
  25. The first byte manipulation - Picks random offset in the

    LUT00 as SecureKey - Takes 16bytes using Slicing
  26. CZUFT3BOEPN4FDVSF,FZ '' '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' 3BOEPNMZQJDLFEGSPN-65                 The first byte manipulation - Concatenates two keys
  27. 3BOEPNQJDLFEGSPN-65         

           The first byte manipulation CZUFT3BOEPN4FDVSF,FZ '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' - Takes 16bytes of the data starting at the 15th index using Slicing
  28. The last byte manipulation CZUFT3BOEPN4FDVSF,FZ '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''
  29. The last byte manipulation - Picks random offset in the

    LUT31 as SecureKey - Takes 16bytes using Slicing
  30. The last byte manipulation CZUFT3BOEPN4FDVSF,FZ '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' 3BOEPNQJDLFEGSPN-65                 - Concatenates two keys
  31. The last byte manipulation - Takes 16 bytes of the

    data starting at the second index using Slicing CZUFT3BOEPN4FDVSF,FZ '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' 3BOEPNQJDLFEGSPN-65                
  32. 'SPOUQBSUPGUIFLFZ  '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' Curve25519 private key clamping 3FBSQBSUPGUIFLFZ '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''  - Concatenates two keys
  33. $MBNQJOHEPOFCZUFTDVSWFQSJWBUFLFZ  '' '' '' '' '' '' '' ''

    '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''  Curve25519 private key clamping
  34. Lessons Learned - Able to control arbitrary bytes indirectly by

    concatenating, slicing LUT and key, but its implementation gets much more complicated - Developing some security features inside the security department and providing them to client team can be more efficient in building a security design - Implementing debug features helps to integrate white-box
  35. Conclusion - Achieving security within the white box threat model

    is very difficult for software implementation - That is what white-box cryptography tries to achieve 
 - With WebAssembly, white-box implementations can be integrated into more security features in web applications 
 - White-box cryptography is not an all-in-one solution, and it is not a magic bullet that makes an insecure security design secure
  36. Thank you