A method for extracting keys from NXP chips has been revealed

Security researchers at NinjaLab have developed a new side-channel attack (CVE-2021-3011) for recovering ECDSA keys stored in USB tokens built on NXP chips.

The attack was demonstrated on the Google Titan two-factor authentication token, which is based on the NXP A700X chip, but the technique also applies to Yubico and Feitian crypto tokens that use the same chip.

The described method lets an attacker reconstruct the ECDSA keys stored in the token from data obtained by analysing the electromagnetic emissions of the token while it generates digital signatures.

The researchers showed that the electromagnetic signal correlates with information about the ephemeral ECDSA key, which is enough to recover the private key with the help of machine-learning techniques.

Specifically, the way the signature is computed lets information about individual bits leak during the scalar multiplication on the elliptic curve.

For ECDSA, determining even a few bits of information about the initialisation vector (nonce) is enough to mount an attack and progressively recover the entire private key. To recover the private key from a Google Titan token, it is enough to analyse about 6,000 digital signature operations performed with the ECDSA key used for FIDO U2F two-factor authentication when linking to a Google account.

To find the weakness in the ECDSA implementation on NXP chips, an open platform for developing NXP J3D081 (JavaCard) smart cards was used; these are very similar to the NXP A700X chips and use the same cryptographic library, but offer far more opportunities to study how the ECDSA engine operates. Extracting the key from the JavaCard required analysing about 4,000 operations.

Carrying out the attack requires physical access to the token, that is, the token must be available to the attacker for an extended period. In addition, the chip is protected by an aluminium shield, so the case has to be removed, which makes it hard to hide traces of the attack: Google Titan tokens, for example, are sealed in plastic and cannot be opened without visible marks (as an alternative, it is suggested to print a new case on a 3D printer).

It takes about six hours to extract the key for a FIDO U2F account, and up to 4 more hours to disassemble and reassemble the token.

The attack also requires fairly expensive equipment, costing around 10 euros, skills in microcircuit reverse engineering, and special software that is not publicly available (the feasibility of the attack has been confirmed by Google and NXP).

The attack used a Langer ICR HH 500-6 measuring probe, which is designed for testing microcircuits for electromagnetic compatibility, a Langer BT 706 amplifier, a Thorlabs PT3/M micromanipulator with 10 μm resolution and a PicoScope 6404D four-channel oscilloscope.

As a partial mitigation against the side-channel attack when two-factor tokens that have been compromised are in use, it is recommended to use the mechanism described in the FIDO U2F specification.

The FIDO U2F standard originally assumes the existence of only one key set, because the protocol supports just two basic operations: registration and authentication.

During registration a new key pair is generated; the private key is stored in the token and the public key is sent to the server.

The token-side authentication operation produces an ECDSA digital signature over data sent by the server, which the server can then verify with the public key. The private key never leaves the token and cannot be copied, so if a new token needs to be bound, a new key pair is generated and the old key is placed on the list of revoked keys.

Source: https://ninjalab.io
