Reviewing "A Novel Protocol for Software Authentication"
Posted by Ken Y-N on March 8th, 2010 at 03:07pm
I recently came across the paper "A Novel Protocol for Software Authentication" by Rongyu He, Zheng Qin and Shaojie Wu, and I’ve just spent a while reviewing it, and it seems to have a massive security hole in it. The subject is a proposed improvement to the Mobile Trusted Module specifications. First, the abstract says:
The authenticity and integrity of software running on mobile equipment is relevant and important in m-commerce. Mobile trusted computing can solve the problem by using Reference Integrity Metric (RIM) certificates. But the RIM certificate stored in the Mobile Trusted Module (MTM) must be renewed frequently whenever the software is updated or patched. In this study, a user-specific RIM, uRIM, is presented. Based on the uRIM, a novel software integrity verification protocol is proposed. It allows easy management of RIMs to support secure boot, as well as low-cost verification of software authenticity.
The goal is to replace RIM certificates, which are signed with RSA keys, with a shared secret protected by hashing, for performance reasons. However, the paper ignores the fact that the MTM specification already addresses this: an external RIM certificate has its RSA signature verified once, when it is installed, and is then converted into an internal RIM certificate protected by an HMAC key known to the MTM, so each certificate costs one RSA signature verification, not one per invocation. The paper also has a number of errors in its formulae, it redefines the TPM_Quote operation to do something completely different, and it generally treats the MTM as a general-purpose secure execution environment. The real security hole, though, is in equation 2, e = v XOR S. Here v is supposed to be secret, and S is the hash of the application, which anyone holding the application image can compute. Since e is the published value, anyone can evaluate e XOR S and recover v. With v in hand, one can modify the application, compute its new hash S', and replace e with e' = v XOR S', which the verifier will accept as genuine.
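To make the hole concrete, here is an added worked example (my own code, not from the paper or from the MTM specification) that models equation 2 as the post describes it and carries the attack through: recover v from a published e, then forge e' for a modified application that the verifier accepts. The function names, the use of SHA-256 as the measurement hash, and the sample application images are assumptions; the keyed HMAC variant at the end is included only to show that a keyed construction, like the HMAC used for internal RIM certificates, does not leak v in the same way.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def measure(app: bytes) -> bytes:
    """S: the measurement of the application image (SHA-256 is an assumption here)."""
    return hashlib.sha256(app).digest()


def issue_urim_xor(v: bytes, app: bytes) -> bytes:
    """Equation 2 as described in the post: e = v XOR S."""
    return xor_bytes(v, measure(app))


def verify_urim_xor(v: bytes, app: bytes, e: bytes) -> bool:
    """Verifier holding the secret v accepts if e XOR S == v."""
    return hmac.compare_digest(xor_bytes(e, measure(app)), v)


def recover_secret(e: bytes, app: bytes) -> bytes:
    """Attack step 1: anyone with e and the application computes v = e XOR S."""
    return xor_bytes(e, measure(app))


def forge_urim(e: bytes, original_app: bytes, modified_app: bytes) -> bytes:
    """Attack step 2: with v recovered, e' = v XOR S' for the modified application."""
    v = recover_secret(e, original_app)
    return issue_urim_xor(v, modified_app)


def issue_urim_hmac(v: bytes, app: bytes) -> bytes:
    """Keyed alternative (assumed, not from the paper): HMAC(v, S) does not expose v."""
    return hmac.new(v, measure(app), hashlib.sha256).digest()


def verify_urim_hmac(v: bytes, app: bytes, tag: bytes) -> bool:
    """Verifier recomputes the HMAC with its secret v and compares in constant time."""
    return hmac.compare_digest(tag, issue_urim_hmac(v, app))


def demo() -> dict:
    """Run the attack against the XOR scheme and the same trick against the HMAC scheme."""
    v = os.urandom(32)                  # constructed secret shared with the verifier
    app = b"original app image"         # constructed sample application
    trojan = b"trojaned app image"      # constructed modified application

    e = issue_urim_xor(v, app)          # the published uRIM value for the original app
    e_forged = forge_urim(e, app, trojan)

    tag = issue_urim_hmac(v, app)
    # Without v, the only analogue of the XOR trick is to XOR the measurements onto the tag;
    # that is not a valid HMAC for the trojaned image.
    tag_forged = xor_bytes(xor_bytes(tag, measure(app)), measure(trojan))

    return {
        "xor_accepts_original": verify_urim_xor(v, app, e),
        "secret_recovered": recover_secret(e, app) == v,
        "xor_accepts_forgery": verify_urim_xor(v, trojan, e_forged),
        "hmac_accepts_original": verify_urim_hmac(v, app, tag),
        "hmac_accepts_forgery": verify_urim_hmac(v, trojan, tag_forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the XOR scheme accepting the forged value for the trojaned image while the keyed variant rejects it; the only thing the XOR scheme hides is S from someone who has e but not the application, which is the wrong direction for software authentication.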
That seems such an obvious hole I must be missing something…