LINE Engineering

LINE and Intertrust Security Summit 2017 Spring, Tokyo 2

Naohisa Ichihara 2017.08.18

Hello, this is Ichihara from the LINE security team. I am in charge of security consultation for LINE services, providing countermeasures for account hacking and abusing, researching authentication technology, and engaging in standardization activities.

Today, I would like to share with you an event titled, "LINE and Intertrust Security Summit 2017 Spring, Tokyo", co-hosted by LINE and Intertrust on May 17. I will cover this event over two posts; this is the second part of the recap. Have a look at the first part from here

Here is a few basic information of the event.

State-of-the-art Research and Technologies

The second session of the summit focused on the state-of-the art research and technologies. The following three speeches were presented.

Practical attacks on commercial whitebox cryptography solutions

LINE's security engineer, Ahn Sang-hwan, presented a topic on practical attacks on commercial white-box cryptography solutions.

Find the presentation slides from below:

People have already figured out methods to attack several white-box cryptography that had been published by studies, and those ciphers have been hacked already. However, so far, no hacking reports are made on commercial white-box cryptography solutions. Mr. Ahn's presentation happens to be the first report in this industry. It is almost impossible to securely store cryptographic keys in the white-box model in which an attacker has all permissions. It is dangerous for architectures to assume that white-box cryptography solution is the solution, just because there has been no attack so far.

Mr. Ahn felt required to establish stability by getting his hands on this case himself. He and his team began with investigating white-box cryptography. They first found that conventional attack techniques on white-box cryptography were not at all effective on commercial white-box cryptography solutions. Through trials and errors, they came up with an improved attack technique and succeeded in deriving a key protected with a commercial white-box cryptography solution. In this presentation, they wanted to share how to attack commercial white-box cryptography solutions and to present security guides on securely applying white-box cryptography to services. They hoped their experience could be of help to various companies, developers and security engineers.

How to enhance the security of IoT devices

Ms. Miyaji, a world-renowned elliptic curve cryptographer, gave a presentation on her research on security models related to IoT devices.

Research on Self-Healing for network environment of IoT equipment

Along with the spread of IoT devices in recent years, data are collected frequently on networks and so are user's privacy information, making the network an attractive target for attackers.

In order to solve security problems, Ms. Miyaji is researching on Self-Healing, which is an act of sharing and updating keys to maintain the overall security, in case cryptography or secret key is hacked, on Wireless Sensor Network (WSN). The assumptions in this study, based on the characteristics of WSN, are that attackers attack sensors directly and computing capacity, low battery and sensor arrangements cannot be identified in advance (key sharing becomes difficult). Take note of the following security requirements:

  • Foreward Secrecy: No past key shall be restorable using the current key
  • Backward Secrecy: No future key shall be possible to be generated using the current key
  • Self-Healing: A compromised key shall be able to heal itself

As a security indicator, how easy shared link keys can be compromised (=no. of compromised shared links/no. of all shared links in the network) becomes important and her team aims to lower this indicator by applying self-healing.

Self-healing can be implemented in various ways. One is probabilistically maintaining the safety of the entire network by the Random Key Pre-distribution (RKP) which preliminarily distributes the common key in the sensors. Another way is to refresh secrets, by making sensors frequently exchange secrets with new sensors, on Multiphase Sensor networks (Multiphase WSNs). For sharing and updating keys on WSN, you can share a common key among multiple sensors, to make as many sensors as possible to share keys with each other. However, this operation is risky as the effects of a single key leakage will be huge.

On the other hand, if keys are shared with and updated by multiple sensors by a polynomial-based key sharing scheme, different keys can be shared among arbitrary sensors. In key updates, you can guarantee forward secrecy and backward secrecy, by using hash chain. For example, key sharing between two parties can be realized by the two-variable polynomial (f(x, y) = f(y, x)). A person 'A' needs to calculate f(ID_B, ID_A) and a person 'B', f(ID_A, ID_B). Examples of polynomial-based key sharing/updating schemes are the POSH scheme and POLISH scheme.

  • POSH scheme: Proactive co-Operative Self-Healing. Self-healing by updating keys with the help of surrounding sensors.
  • POLISH scheme: Proactive co-Operative LInk Self-Healing. Self-healing by polynomial-based updates and updating keys with the help of surrounding sensors.
  • Comparing public-key cryptosystems: RSA vs. ECC

    The cryptographic strength of RSA depends on the factoring problem and sub-exponential time attacks (faster than brute force search). Elliptic Curve Cryptography (ECC) depends only on exponential time attacks, if parameters are used appropriately, and if no unpredictable cryptographic risks are present.

    The keys for ECC can be only 1/9 of RSA in size. For example,
    RSA1024bit ≒ ECDLP160bit
    RSA2048bit = ECDLP 224bit

    She mentioned about using symmetric keys on sensor networks. This means, for example, if AES(Advanced Encryption Standard) uses a 128-bit key and the cryptography is 128-bits, then decrypting the encrypted key requires a minimum of 2128 attempts.

    On the other hand, ECDLP of 160-bit, unlike AES, an attack space will be the square root of the key length in bits. For a 160-bit key, decrypting the key would require only the square root of 2160 attempts, thus 280 attempts. In that sense, to maintain the safety level of ECC keys at the level of symmetric key cryptosystem, we need the key length to be the twice of 112 bits, the size acknowledged safe by the AES. For ECDLP, we would need 224 bits.

    Research trends in temper resistant software

    Professor Oishi from the Faculty of Science of Shizuoka University, delivered a session on the research trend of tamper resistant software.

    The common aspect of commercial software, embedded devices, IC cards is that their end users have the software with them. It is necessary to protect the software and prevent software misuses.

    Since the 1980s, with the spread of encryption, research on encryption and obfuscation of software has become active. In the past, DVD/Blu-ray copy protection technology has also been hacked by static/dynamic analysis. We need to make software that are safe, resistant to observation, resistant to modification and tamper-resistant.

    Various approaches have been studied for the purpose of securing tamper resistance. He introduced four of them at the presentation as follows:

    • Code Obfuscation: A technique to reduce code legibility and to make analyzing difficult by converting programs in easy-to-parse language, like Java, into a complex language. However, obfuscation level will be taken differently by the capability of code analysts.
    • White-Box Cryptography: A technique for protecting encrypted keys under the condition in which attackers have a full access to the encrypted program. Although all the existing proposals or implementations have been hacked, theoretically, new techniques are continuing to make their entrance. You can see an increase in the interests in researches and in the industry, for new techniques. In addition, since actual strength can be proved by having an attacker analyze it, contests are being held for implementing and analyzing white-box cryptography.
    • Function Obfuscation: A technique to completely block internal information from outside, except the program's or functions' input and output. This has been proved to be applicable on some functions and it is difficult to extract keys by including keys inside functions.
    • Self Integrity Verification: A technique for preventing functional tampering; making detection routine interlocking to make tampering difficult, enforcing self-destruction as a tamper response. Professor Oishi proposed this technique in 2011, with a combination of these tasks along with anti-debugging technology. In 2015, he implemented the proposal; he implemented tolerance for keeping and protecting secrets and dynamic analysis, computational complexity for static analysis, and protection for function tampering.

    The following are examples of implementing tamper-resistance. What we will need is quantitative evaluation standards for the two methods above.

    • Self-destructive tamper response
      Camouflages some instructions to run self-modifying routines before and after an actual operation. The self-modifying routine first restores the camouflaged command to the original state by the hash value of the protected area, and then re-camouflages. When the protected area is modified, abnormal command is executed and an causes an error (self-destruction).
    • Interlocking of self integrity verification
      Professor skipped this section due to lack of time, but here is what he intended to share. A hash function and a digital signature are combined to protect the entire code area. The code region is divided, each section performs self-integrity verification of mutual dependency by dynamic self-modifying. The region which has the detection routine is subject to signature verification.

    Exploring Trusted Apps and Services

    A talk session was prepared to engage the participants into the discussion, allowing the participants to ask questions to the panels. The topic of the session was, exploring trusted apps and services. The session was moderated by me, Naohisa Ichihara, from LINE and the panels consisted of the following guests:

    • Elenkov Nikolay, LINE Corporation
    • David P. Maher, Intertrust Technologies
    • Tetsuya Shiota, DeNA
    • Professor Atsuko Miyaji, Osaka University
    • Professor Kazuomi Oishi, Shizuoka University Faculty of Science

    Have a look at some of the discussions made in the session.

    Difficulty in handling game cheats

    • Ichihara: Mr. Shiota spoke about game cheats and I believe there must be difficulties for the security team. Could you please share about that?
    • Tetsuya Shiota(DeNA): When a vulnerability is detected, we have an option to develop a technique to solve it by ourselves or to use third party solutions. But the most struggling part is to find the right timing to suggest the solution to the project with the vulnerability. If the project owner has concerns for security from the beginning, that is from the business planning stage, it would be possible to plan it out. But if a decision is made to employ a security solution, right after or before the release, then we would be out of choices.
    • Ichihara: I’m guessing that it would be difficult to communicate with the development department. How is it?
    • Tetsuya Shiota(DeNA): Generally, the developers in the field rarely know the importance of security. They find it difficult to understand what good is there to adopting security solutions.

    Difficulty in securing client's safety

    • Ichihara: Please give us your opinion on having no evaluation standards in software protection technology.
    • Kazuomi Oishi: What I have introduced in the presentation was CTF (Catch The Flag) which is a competition, where a set of secure AES white-box cryptography solutions are collected and disclosed for hackers to hack. The competition was started by venture company established by the EU fund. There are several products but because it is difficult to evaluate objectively, we have begun the contest so that it may be fair.
    • Ichihara: I see. Like white-box cryptography, it's interesting to see how CTF and software protection technologies and obfuscation work. I'd love to hear from David from Intertrust in this area. What do you think about it? It does not matter even if it is not an official opinion of Intertrust.
    • David P. Maher: I think that the concept of transparency of security technology has a high value. A long time ago, I launched a contest to evaluate elliptic curve cryptosystems when cryptography technology began to be introduced in the world. It was the "proper key length" that was difficult. One of the clients said that the key length can be made shorter than that of RSA or DH (Diffie-Hellman), but there weren’t enough evidences to prove that. That's why I opened a contest on keys of many different sizes. As a result, I was able to make a prediction and it was a satisfying and successful case. I do not know whether the same method can be applied to obfuscation but unlike elliptic curve cryptosystem, there is no clear indicator like size and there are so many attack patterns. Anyhow, by opening the contest, you may be able to confirm various effects and there might be cases of hacking. But probably the best conclusion is that obfuscation will be the best defense measure, let's take the software up to date and respond. Strategies such renewability (to update the software and the system to the latest state) and diversity (to limit the influence range by the attack with various defenses) are important, and on the other hand, you will need the strategy taking the defense of obfuscation.

    About the trends of Elliptic Curve Cryptography (ECC)

    • Ichihara: Now that I have talked about the key length of the elliptic curve cryptography, I would like ask to Professor Miyaji who is a leading expert in Japan about the trends of this field.
    • Atsuko Miyaji: If RSA can be applied on general attack tactics, ECC can be applied to any elliptic curve, and you can make the key to be shorter than that of RSA. When the IoT era begins, the impact of key length will surely become huge and that is why elliptic curve cryptography is promising.
    • Ichihara: In fact, ECC is used on the published samples for FIDO specifications, not RSA. Although it is necessary for the biometric authentication device (authenticator) to generate and sign keys, since it is a small device with a sensor, it is more realistic to use ECC than RSA. I think this is a symbolic event reflecting this era.

    Hardware or software?

    • Ichihara: In today's session there were various topics discussed as data protection methods on the terminal. I would like to ask to Nikolay to share your thoughts, as a security engineer.
    • Elenkov Nikolay: I think there are somewhat special circumstances in FIDO. We need to protect the keys while protecting the biometrics. The problem of key protection has been studied for a long time, and the solution of saving the keys in TEE or Secure Element, is also widely known. On the other hand, for biometrics, it's not clear; which format is the best or what kind of biometric means are suitable. I prefer to have hardware secure, so I believe the best solution is to have secure hardware on devices. I like the idea of separating the normal world (OS) and the secure execution environment like on TEE, but still there are cases where vulnerabilities are found on secure applications or on secure OS. TEE is actually one of the threads that lacks the protection mechanisms implemented at the normal hardware level. I think that the approach of standardizing is a good idea. Regardless of the OS, with OS protection like iOS Secure Enclave or TEE as the baseline, the software is devoted to software protection only and realize a model that software developers can code independent from OS.

    Open source of software protection technology

    • Ichihara: Vulnerability is often found from open source. Rather, we open our source to resolve security issues quickly and make our solutions more strong. For instance, it would be interesting to make open source projects for the lightweight versions of software protection products. Since it is a personal opinion, please let me know what your thoughts are.
    • David P. Maher: Whether it is white-box cryptography or obfuscation, it is important for lightweight products and there always has been discussions regarding it. It's about differentiating a range of features, capacity and strength. There are indeed such needs in the market. In fact, we are offering various types of products to satisfy various market requirements.

    Security models on IoT

    • Ichihara: I think many of today’s topics were on how to protect software. Meanwhile, the content of Professor Miyaji's presentation was, "In the world of IoT, how to recover IoT device on the assumption that it will be broken". I think that such assumption plays a critical role in near future.
    • David P. Maher: Until now, security debates had assumed that the key is safe. But in the world of IoT, the question of how to recover the whole system when an IoT device is attacked, will become very important.
    • Ichihara: Yes. It is an important theme in the IoT world where things could go out of control out of nowhere. Thank you very much.

    Vulnerability of biometric authentication device

    • Ichihara: I would like to receive questions from the audience.
    • Audience: There was a talk on FIDO, the vulnerability of the biometric authentication device is a hot topic. For example, authenticating with fingerprints can be hacked simply with a picture of a hand making a v sign. What you think will happen in the future?
    • Ichihara: That's an interesting topic. We will pass the question to Mr. Moriyama from NTT DOCOMO who is also a chairman of FIDO Japan Working Group.
    • Moriyama: Certainly, it has been reported that you can authenticate using fake fingerprints and we know what can actually be done with cheap sensors. Yet, there are sophisticated sensors that can detect fake and manufacturers are striving to respond to such situations. There is no situation where inquiries are coming to the NTT DOCOMO customer center at the moment but certainly will need to keep our eye on, in order to prevent such cases.
    • Audience: Thank you very much.
    • Ichihara: To add more explanation, there is also a move within the FIDO Alliance to make a program to certify biometric authentication devices (authenticator). For example, with respect to certified authenticators, there are discussions within the FIDO alliance to remotely control the authenticators in case certified authenticators are found with vulnerabilities. Examples of remote controls include remotely updating the authenticator and revoking the authenticator's product number from the access control list on the FIDO server.

    What else was at the summit?

    As giveaways, LINE provided free lunch boxes at lunch, LINE character biscuits and summit T-shirts for the participants. A simultaneous interpretation service was provided from Japanese to English. The interpretation team from LINE worked hard at the back of the hall.

    A message from Intertrust

    Intertrust would like to share the following words with you on this posting:

    "The modern Internet presents a variety of tough challenges for security engineers. The consumer market presents the some of the deepest challenges, since hackers hide behind innocent users; also the App economy, built on billions of smartphones running operating systems like iOS and Android puts pressure on app developers to provide a higher degree of end to end system integrity. As one of the largest digital communities in history, LINE finds itself on the bleeding edge of consumer side security challenges. In response, they have built one of the best security teams in the game, and are going beyond what is expected from a consumer social network to protect their users. Intertrust is honored to work with LINE’s security team to look together over the horizon and develop new solutions to the array of security challenges we are facing together. This takes the form of joint product integration, research into new solutions and evangelism and thought leadership through our conference series. Together, we are novel secure systems solutions that we hope will have broad applicability to making the App economy a safer place to live and trade in".

    As I close

    I would like to express my gratitude to all the participants of the summit, the experts who gave great sessions, and the summit staff through this blog.

    Although we could've done better in some areas, I received a lot of complimentary comments at the cocktail party afterwards. Participants expressed that they were satisfied with the summit content, and that the presentations were deep and interesting. I was very pleased to receive such responses.

    The second LINE and Intertrust Security Summit is scheduled to be held in the fall of 2017, in San Francisco, and the third one is expected to be held in Japan again, in the spring of 2018. Hope you look forward to it as we do.

    Security Intertrust

    Naohisa Ichihara 2017.08.18

    Add this entry to Hatena bookmark

    Back to blog list