Common Crypto Pitfalls


Amirali Sanatinia

March 14, 2018

Transcript

  1. Common Crypto Pitfalls Amirali Sanatinia asanatinia

  2. Cryptography
    • Cryptography is ubiquitous today
    • From mobile phones to wireless connections
    • Supported in almost every programming language
    • It is even embedded in the CPUs
    • It is not hard to do crypto right but …
  3. Crypto Failures

  4. Hashing Functions
    • Input: long message
    • Output: short block (called hash or message digest)
    • Desired properties:
      – Preimage: Given a hash h, it is computationally infeasible to find a message m that produces h
      – Second preimage: Given a message m, it is computationally infeasible to find a message m' (m ≠ m') such that h(m) = h(m')
      – Collisions: It is computationally difficult to find any two messages m, m' (m ≠ m') such that h(m) = h(m')
  5. Hashing (cont.)
    • Examples
      – Hash algorithms recommended by NIST: SHA-2, SHA-3
      – SHA-2: 224-, 256-, 384-, or 512-bit digests
      – SHA-1: 160-bit output; being phased out, shattered
      – MD2, MD4, and MD5 by Ron Rivest [RFC 1319, 1320, 1321]
  6. Encryption Models
    [Diagram: Message → Plaintext → Encryption Algorithm (Encryption Key) → Ciphertext → Decryption Algorithm (Decryption Key) → Plaintext → Destination. Symmetric encryption: shared key / shared key. Asymmetric encryption: public key / private key.]
  7. Symmetric vs. Asymmetric Encryption
    • Symmetric algorithms are much faster
      – On the order of 1000 times faster
    • Symmetric algorithms require a shared secret
      – Impractical if the communicating entities don’t have another secure channel
    • Both kinds of algorithm are combined to provide practical and efficient secure communication
      – E.g., establish a secret session key using asymmetric crypto and use symmetric crypto for encrypting the traffic
  8. Advanced Encryption Standard (AES)
    • Also known as Rijndael
    • Part of NIST competition
    • Requirements
      – Fast in software and hardware
      – Block size: 128; Key size: 128, 192 and 256
    • Joan Daemen and Vincent Rijmen
    • First published in 1998
    • FIPS 197 on November 26, 2001
    • Other candidates: Mars, RC6, Serpent, Twofish
  9. Block Cipher Mode of Operation
    • AES works on a block of data (128 bits)
    • To encrypt a large message, each block needs to be encrypted
    • Different modes of encrypting the blocks
      – Electronic Codebook (ECB)
      – Cipher Block Chaining (CBC)
      – Counter (CTR)
  10. ECB source: wikipedia

  11. CBC source: wikipedia

  12. CTR source: wikipedia

  13. ECB vs. CBC Original ECB CBC

  14. Bit Flipping Attack
    • Change encryption of $m_1$ to encryption of $m_2$ without the knowledge of the key $k$
    • In certain modes of operation (e.g., CBC)
    • $C_i = E_k(P_i \oplus C_{i-1})$, $C_0 = IV$
    • $P_i = D_k(C_i) \oplus C_{i-1}$, $C_0 = IV$
    • $IV_j = IV_j \oplus P_j \oplus t$
  15. Hash-based Message Authentication Code source: wikipedia

  16. Encrypt then MAC source: wikipedia
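The CBC equations from the bit-flipping slide and the encrypt-then-MAC construction, as an added example that is not part of the original slides. It shows that changing the IV changes the first plaintext block to a chosen value without the key, and that an HMAC over IV and ciphertext rejects the change. Assumptions: `E`/`D` are a stand-in Feistel block cipher built from HMAC-SHA256 so the code runs with the standard library only (it is not AES), messages are whole blocks with no padding, and all function names and sample messages are constructed here.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes, same block size as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(key, i, half):  # Feistel round function: truncated HMAC-SHA256
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(key, b):  # stand-in 4-round Feistel block cipher, NOT AES (assumption)
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, F(key, i, r))
    return l + r

def D(key, b):  # inverse of E
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, F(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # C_i = E_k(P_i xor C_{i-1}), C_0 = IV
    blocks = [iv]
    for i in range(0, len(pt), BLOCK):
        blocks.append(E(key, xor(pt[i:i + BLOCK], blocks[-1])))
    return b"".join(blocks[1:])

def cbc_decrypt(key, iv, ct):  # P_i = D_k(C_i) xor C_{i-1}
    prev = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(D(key, c), p) for c, p in zip(prev[1:], prev))

def flip_iv(iv, known, target):  # IV_j = IV_j xor P_j xor t, no key needed
    return xor(iv, xor(known, target))

def seal(enc_key, mac_key, pt):  # encrypt-then-MAC over IV || ciphertext
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pt)
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, tag):  # verify the tag before decrypting
    good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("MAC check failed: IV or ciphertext was modified")
    return cbc_decrypt(enc_key, iv, ct)

# Constructed sample: a one-block message and the value it is changed to.
ORIGINAL, TARGET = b"amount=0000100.0", b"amount=9999999.0"
```

Decrypting with `flip_iv(iv, ORIGINAL, TARGET)` and no integrity check yields `TARGET`; `open_sealed` raises on the same input because the tag covers the IV as well as the ciphertext.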

  17. Encrypt and MAC source: wikipedia

  18. MAC then Encrypt source: wikipedia

  19. Galois Counter Mode (GCM) source: wikipedia

  20. Case of Adobe source: nakedsecurity

  21. Case of Adobe (cont.) source: nakedsecurity

  22. Case of Adobe (cont.) source: nakedsecurity

  23. Case of Adobe (cont.) source: nakedsecurity

  24. Password Storage
    • Use salt
    • Use adaptive one-way functions
      – Password-Based Key Derivation Function 2 (PBKDF2)
        • Key = PBKDF2(PRP, password, salt, iterations, key length)
      – scrypt
      – bcrypt
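Salted, adaptive password storage with PBKDF2 as listed on the slide above, as an added example that is not part of the original slides. It uses `hashlib.pbkdf2_hmac` from the Python standard library; the record format, the function names and the `ITERATIONS` value are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware, raise over time

def unsalted_digest(password):
    # Weak form for contrast: equal passwords give equal digests for every user.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    # Self-describing record (format assumed here) so parameters can change later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_password(password, record):
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    expected = bytes.fromhex(key_hex)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                              int(iterations), dklen=len(expected))
    return hmac.compare_digest(key, expected)  # constant-time comparison

def needs_rehash(record, iterations=ITERATIONS):
    # True when the stored work factor is below current policy; rehash at next login.
    return int(record.split("$")[1]) < iterations
```

Two users with the same password get different records because each record carries its own salt, while `unsalted_digest` returns the same value for both.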
  25. RSA
    • One of the first practical public-key cryptosystems
    • Designed by Ron Rivest, Adi Shamir, and Leonard Adleman
    • First published in 1977
    • Was patented until September 2000
    • Based on the hardness of the factoring problem and modular arithmetic
  26. Textbook RSA
    • $E(M) = M^e \bmod n = C$ (Encryption)
    • $D(C) = C^d \bmod n = M$ (Decryption)
    • RSA parameters and basic (not secure) operations:
      – $p$, $q$, two big prime numbers (private, chosen)
      – $n = pq$, $\varphi(n) = (p-1)(q-1)$ (public, calculated)
      – $e$, with $\gcd(\varphi(n), e) = 1$, $1 < e < \varphi(n)$ (public, chosen)
      – $d = e^{-1} \bmod \varphi(n)$ (private, calculated)
    • $D(E(M)) = M^{ed} \bmod n = M^{k\varphi(n)+1} = M$ (Euler’s theorem)
  27. Example of RSA
    • Key generation:
      – $p = 5$; $q = 11$ => $n = 55$
      – $e = 3$ => $d = 27$
        • Because $ed = 1 \bmod (p-1)(q-1)$
      – Public key: $(e, n)$; Private key: $(d, n)$
    • Encryption
      – $M = 2$
      – Encryption(M) = $M^e \bmod n = 8$
      – Decryption(8) = $8^d \bmod n = 2$
  28. Optimal Asymmetric Encryption Padding (OAEP)
    • Textbook RSA is not IND-CPA secure
    • $M_1 = M_2 \rightarrow E(M_1) = E(M_2)$
    • We use Optimal Asymmetric Encryption Padding (OAEP)
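The textbook RSA operations and the slide's p = 5, q = 11, e = 3 example, followed by the IND-CPA game that textbook RSA loses because equal messages always encrypt to equal ciphertexts. This is an added example, not part of the original slides; the function names and the challenge messages 2 and 3 are chosen here, and the parameters are far too small for any real use.

```python
import secrets
from math import gcd

def keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)   # phi is Euler's totient (p-1)(q-1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < (p-1)(q-1) and be coprime to it")
    d = pow(e, -1, phi)                  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)                  # C = M^e mod n

def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                  # M = C^d mod n

def ind_cpa_trial(pub, m0, m1):
    """One round of the IND-CPA game against textbook RSA."""
    b = secrets.randbelow(2)                 # challenger's hidden bit
    challenge = encrypt(pub, (m0, m1)[b])    # encryption of m_b
    # The observer holds only the public key: re-encrypt m0 and compare.
    guess = 0 if encrypt(pub, m0) == challenge else 1
    return guess == b

def win_rate(pub, m0=2, m1=3, trials=200):
    # A secure scheme keeps this near 0.5; deterministic encryption gives 1.0.
    return sum(ind_cpa_trial(pub, m0, m1) for _ in range(trials)) / trials

PUB, PRIV = keygen(5, 11, 3)   # the slide's parameters: n = 55, d = 27
```

Randomized padding such as OAEP makes two encryptions of the same message differ, which is what removes the re-encrypt-and-compare check used in `ind_cpa_trial`.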
  29. OAEP source: wikipedia

  30. RSA Public Key (Salt Stack)

  31. No Encryption Fake Ransomware

  32. Cost of Crypto

  33. Cost of Crypto (cont.) source: Cloudflare

  34. Cryptography in Action (SHA2)

  35. Cryptography in Action (AES Encryption/Decryption)

  36. Cryptography in Action (RSA Key Generation)

  37. Cryptography in Action (RSA Encryption/Decryption)

  38. Takeaways
    • Don’t invent your own crypto algorithm
    • Don’t implement your own crypto library
    • Doing crypto the right way is not difficult
  39. Thank You! Questions?