
Lock it Down with Cryptography

From Scottish Ruby Conference 2013.

Every networked application has to deal with security threats, and the code in your application might not always be able to deal with them: someone running off with hardware, a malicious DBA, or a zero-day exploit, for example. Cryptography helps in these situations, and is frequently required in a compliance audit too. Protect your data with exciting acronyms such as HTTPS, GPG, AES, RSA, ECC, DSA, and more; learn about the quick and easy ways to get it right, the difficult ways to get it wrong, and the fantastically difficult ways to get it right that particularly esoteric situations will demand.


Transcript

  1. Who: Bryce Kerley, Software Engineer, Basho Technologies (Tuesday, May 14, 2013)

     This is my "pretending to be cool picture"; I took that last Saturday. Next find me in my native habitat.
  4. Caesar Cipher
     (0...alphabet_size).map do |k| (cipher + k) % alphabet_size end

     This is convenient in case you forget the key: try every shift, since there are only alphabet_size of them.
  5. Affine Cipher
     ((plain * key_a) + key_b) % alphabet_size
     key_a must be coprime with alphabet_size

     What happens if they aren't coprime? Multiplication by key_a is then not invertible modulo alphabet_size, so distinct plaintext letters collide on the same ciphertext letter and nothing can decrypt the result uniquely. The general lesson: many algorithms have "weak keys" that don't deliver the full strength of the algorithm, and a careful implementation rejects them.
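The two toy ciphers from slides 4 and 5, as an added Ruby example that is not part of the talk: the Caesar brute force over every shift, and an affine cipher that refuses a key_a sharing a factor with the alphabet size. The affine_image_size helper is an addition for illustration; it counts how many distinct ciphertext letters a key produces, which is the concrete damage a non-coprime key does.

```ruby
# Added example (not from the talk): Caesar brute force (slide 4) and the
# affine coprime requirement (slide 5) on a 26-letter alphabet.
ALPHABET = ('A'..'Z').to_a.freeze
N = ALPHABET.size

def to_nums(text)
  text.upcase.delete('^A-Z').each_char.map { |c| ALPHABET.index(c) }
end

def to_text(nums)
  nums.map { |n| ALPHABET[n] }.join
end

# Caesar: shift every letter by k.
def caesar(text, k)
  to_text(to_nums(text).map { |p| (p + k) % N })
end

# Forgot the key? There are only N of them, so list every candidate plaintext.
def caesar_candidates(cipher)
  (0...N).map { |k| [k, caesar(cipher, -k)] }
end

# Affine: c = (a * p + b) mod N. Refuse a key_a that shares a factor with N,
# because multiplication by it is then not invertible mod N.
def affine_encrypt(text, a, b)
  raise ArgumentError, "key_a=#{a} is not coprime with #{N}" unless a.gcd(N) == 1
  to_text(to_nums(text).map { |p| (a * p + b) % N })
end

def affine_decrypt(cipher, a, b)
  a_inv = (1...N).find { |x| (a * x) % N == 1 }   # exists only when gcd(a, N) == 1
  to_text(to_nums(cipher).map { |c| (a_inv * (c - b)) % N })
end

# How many distinct ciphertext letters a key produces: 26 for a usable key,
# fewer for a bad one (a = 13 collapses the whole alphabet onto two letters).
def affine_image_size(a, b)
  (0...N).map { |p| (a * p + b) % N }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  puts caesar('ATTACK AT DAWN', 3)
  puts affine_encrypt('ATTACK', 5, 8)
  puts affine_image_size(13, 0)
end
```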
  6. Enigma Machine (German Federal Archives, Bild 183-2007-0705-502)

     Used by the German military during WWII; an electromechanically operated cipher.
  7. Enigma Machine: uses ratcheting rotors

     Read the Wikipedia articles, read books about it; everything about it is nerd-cool.
  8. Procedural Weakness
     • Set rotors to daily key from codebook
     • Type three-letter message key twice
     • Set rotors to message key
     • Type message
     Establishes a mathematical relationship between the first three-letter sequences

     This mathematical relationship can then be used to attack the daily key, and from there decode all the day's messages.
  11. Mathematical Weaknesses: crib; known-plaintext attack

     Enigma has the property that a letter never enciphers as itself. This, coupled with knowledge of German military protocols, allowed cryptanalysts to narrow down which words were in which positions and guess at what the plaintext might be. With a known plaintext, attacking the key is easier.
  13. Kerckhoffs's Principle: the algorithm must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.
  14. Kerckhoffs's Principle: all the good ciphers are open-source, and most of the good ciphers have been open-source for a decade

     There really should be an asterisk next to "good ciphers": the NSA has a suite of cryptographic protocols and techniques broadly referred to as "Type 1," the composition of which is undoubtedly classified and on a "need-to-know" basis.
  15. Algorithms: building blocks

     Do not use these algorithms in isolation; think of them like engines, transmissions, or other vehicle components: assembling them into a powerful, safe, and useful unit is extremely difficult.
  16. Symmetric: same key to encrypt and decrypt

     Enigma, the Caesar cipher, ROT-13: these are all symmetric.
  17. Differential Cryptanalysis: NSA was ten years ahead

     I don't know if this will happen again. In the security community there's a concept called the "Advanced Persistent Threat" that's basically a euphemism for "China." The theory is that the APT has resources similar to or greater than the NSA's. My understanding is that the NSA has less to gain and more at risk by keeping cryptographic breakthroughs to themselves; most of the economy of the US and world depends on
  18. AES, 1998: née "Rijndael"; symmetric cipher; developed by Rijmen & Daemen; public standardization process

     After standardization (as FIPS 197, in 2001), the Rijndael website still had a link to hear the authors pronounce the name; instead of being "rhine-doll," the new recording simply said "A-E-S."
  19. One Way: no decryption operation

     This isn't to say that a hash can't be inverted, just that it's hard: run through candidate inputs until you find one that produces the digest. For most of these, a GPU helps.
  20. Pigeonhole Principle: more pigeons than holes? At least one hole has multiple pigeons. Size-limited digests? At least one digest has multiple preimages.
  23. SHA-1, 1995: developed by NSA; 160 bits

     Git uses this; you shouldn't. There have been a couple of attacks that reduce its collision resistance below its design strength, and 160 bits is relatively small.
  24. RIPEMD-160, 1996: designed at Katholieke Universiteit Leuven; 160, 256, or 320 bits

     RIPEMD is interesting from a social perspective: it was developed in an open, academic fashion, unlike SHA-1 and SHA-2. The biggest issue is that it's not as well-researched as the SHA family, because it's not as popular.
  25. SHA-2, 2001: developed by NSA; 224, 256, 384, 512 bits

     SHA-2 supports much bigger digests than SHA-1. SHA-256 needs half the storage space of SHA-512 and is faster on 32-bit hardware, though on 64-bit CPUs SHA-512 is often the faster of the two per byte. SHA-224 and SHA-384 are simply truncated variants of SHA-256 and SHA-512, respectively. If space isn't an issue, use 512.
  26. SHA-3, 2013?: "Keccak" selected in an AES-like public contest; not yet a NIST standard; no official bit lengths described

     A brief note about the US TLAs, LFLAs, and ELFLAs. The NSA, "No Such Agency" or "National Security Agency," does cryptographic design and signals intelligence; it's part of the DoD and most information about it is classified. Think MI6, "Her Majesty's Secret Service." NIST, the "National Institute of Standards and Technology," is part of the Department of Commerce, and in
  27. HMAC, 1996: Message Authentication Code; uses a hash function and a secret key

     Rack (and Rails) use HMAC to sign session cookies.
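What "sign the session cookie with HMAC" looks like in practice, as an added Ruby example that is neither the talk's code nor Rack's: the cookie carries a base64 payload and a hex HMAC-SHA256 over it, separated by "--" as Rack does, and the verifier checks the MAC in constant time before decoding anything. The secret, the session contents and the secure_compare helper are constructed for the example (Rack::Utils.secure_compare does the same job).

```ruby
require 'openssl'
require 'json'

# Added example (not from the talk or Rack): HMAC-signed session cookies.
# The secret is a placeholder; a real one is 32+ bytes from a CSPRNG.
SESSION_SECRET = 'replace-me-with-32-random-bytes'.freeze

# Constant-time comparison so a forger can't learn the MAC byte by byte
# from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def sign_session(data, secret = SESSION_SECRET)
  payload = [JSON.generate(data)].pack('m0')          # strict base64, no newlines
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Returns the session hash, or nil if the cookie is missing, malformed or forged.
def verify_session(cookie, secret = SESSION_SECRET)
  return nil if cookie.nil?
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_compare(mac, expected)     # MAC first, then decode
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# What an attacker who can read their own cookie can do: swap the payload.
# Without the secret they cannot recompute the MAC, so verify_session rejects it.
def forge_user(cookie, new_user_id)
  _payload, mac = cookie.split('--', 2)
  "#{[JSON.generate('user_id' => new_user_id)].pack('m0')}--#{mac}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session('user_id' => 42)
  puts cookie
  p verify_session(cookie)
  p verify_session(forge_user(cookie, 1))
end
```

Note that the payload is only base64, not encrypted: HMAC gives integrity, so anyone holding the cookie can still read the user id. Encrypt the payload as well if the session carries anything confidential.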
  28. bcrypt, 1999: key derivation function; configurable complexity

     bcrypt is what has_secure_password in Rails uses. It's theoretically weak against ASIC crackers because it doesn't need a large memory/die area.
  29. PBKDF2, 2000: key derivation function; supports multiple hashes; configurable complexity

     Described in RFC 2898; easier to get through accreditation.
  30. Asymmetric Signing
     Digest = Hash(Message)
     Signature = Encrypt(Digest, Private Key)
     Digest = Decrypt(Signature, Public Key), then compare with Hash(Message)

     "Encrypt with the private key, decrypt with the public key" is a textbook-RSA way of picturing it. Real schemes pad the digest first (PKCS#1 v1.5 or PSS), and DSA/ECDSA signatures aren't encryption operations at all, so use a library's sign and verify calls rather than composing the primitives yourself.
  31. RSA, 1977: Rivest, Shamir, and Adleman; hugely popular; huge keys

     RSA-512 was factored in 1999, so keys at or below 512 bits are no match for modern computers, especially if the attacker has money. "Halting State" by the excellent British author Charles Stross includes a situation in which a quantum computer is used to crack RSA keys by factoring them with Shor's algorithm. Last year, a quantum computer factored 21, a number expressible in five bits, and one that I've personally hand-cranked RSA with.
  32. Elliptic Curve, 1985: Koblitz and Miller; less popular; tiny keys

     Koblitz and Miller figured these out independently. One nice thing about ECC is that keys and signatures are much smaller than RSA's; small enough that a Bitcoin address is just a hash of an ECDSA public key, in fact. I will not talk about Bitcoins for the rest of my presentation.
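Hash-then-sign from slide 30, measured against the "huge keys" and "tiny keys" of slides 31 and 32, as an added Ruby example that is not part of the talk. It uses Ruby's OpenSSL bindings to sign one constructed message with RSA-2048 and with ECDSA on P-256, verifies both, shows that a one-word change to the message fails verification, and reports the public-key and signature sizes. The sign and verify calls take the digest internally, so the padding and "encrypt with the private key" step never touch application code.

```ruby
require 'openssl'

# Added example (not from the talk): RSA-2048 vs ECDSA P-256 signatures.
MESSAGE = 'deploy build 1234 to production'.freeze   # constructed sample

# The library hashes the message with SHA-256 and signs the digest.
def sign(private_key, message)
  private_key.sign('SHA256', message)
end

def verify?(public_key, signature, message)
  public_key.verify('SHA256', signature, message)
rescue OpenSSL::PKey::PKeyError
  false
end

def summarize(private_key, public_key, public_key_bytes)
  sig = sign(private_key, MESSAGE)
  {
    public_key_bytes: public_key_bytes,
    signature_bytes: sig.bytesize,
    verifies: verify?(public_key, sig, MESSAGE),
    tampered_verifies: verify?(public_key, sig, MESSAGE + ' and staging')
  }
end

def rsa_summary(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  pub = key.public_key
  summarize(key, pub, pub.to_der.bytesize)             # DER SubjectPublicKeyInfo
end

def ec_summary(curve = 'prime256v1')
  key = OpenSSL::PKey::EC.generate(curve)
  point = key.public_key.to_bn.to_s(2)                 # uncompressed point: 1 + 32 + 32 bytes
  summarize(key, key, point.bytesize)                  # the EC key object verifies with its public half
end

if __FILE__ == $PROGRAM_NAME
  p rsa_summary
  p ec_summary
end
```

On a typical run the RSA public key encodes to 294 bytes and its signature is 256 bytes, while the P-256 public point is 65 bytes and the DER-encoded ECDSA signature about 70 bytes, at a comparable security level.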
  33. Best Practices: don't design cryptosystems

     There are lots of cryptosystems that are plenty good and have been well vetted.
  34. Best Practices

     This is for SSL/TLS. It provides authentication of endpoints and encryption in transit. It's been one of the most popular cryptosystems in the world for the last 19 years.
  35. Best Practices: use HTTPS

     HTTPS solves lots of the procedural and mathematical traps that come with using raw ciphers to encrypt data in transit. The SSL certificates that are such a pain to configure can be used to authenticate both sides of the exchange (the server demands and verifies a client certificate too), so you can even set up HTTPS between internal services that is secure from third parties.
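The trust decision behind "HTTPS between internal services", as an added Ruby example that is not part of the talk. An internal CA issues a certificate to each service; a peer is accepted only if its certificate chains to that CA. A certificate that merely names the CA as its issuer but was signed by some other key is rejected, and the SSL context is configured so that both ends present a certificate and refuse a peer that presents none. Names, lifetimes and the CA itself are constructed for the example.

```ruby
require 'openssl'

# Added example (not from the talk): an internal CA, a service certificate,
# a look-alike signed by the wrong key, and the mutual-TLS context settings.
def build_cert(common_name, key, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                    # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Does cert chain to ca_cert? This is the question VERIFY_PEER asks on both ends.
def trusted?(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Same shape of context for server and client: present our own certificate,
# trust only the internal CA, and fail the handshake if the peer presents nothing.
def mutual_tls_context(ca_cert, own_cert, own_key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = own_cert
  ctx.key = own_key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = build_cert('Internal CA', ca_key, ca: true)
  svc_key = OpenSSL::PKey::RSA.new(2048)
  svc_cert = build_cert('billing.internal', svc_key, issuer_cert: ca_cert, issuer_key: ca_key)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  # Same subject, same issuer name, but signed by a key the CA never held.
  rogue_cert = build_cert('billing.internal', rogue_key, issuer_cert: ca_cert, issuer_key: rogue_key)
  {
    genuine: trusted?(ca_cert, svc_cert),
    rogue: trusted?(ca_cert, rogue_cert),
    verify_mode: mutual_tls_context(ca_cert, svc_cert, svc_key).verify_mode
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The check that matters in deployment is the verify_mode: leaving it at VERIFY_NONE on either side turns the expensive certificate setup into encryption without authentication.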
  36. Best Practices: use GPG

     GPG solves most of the problems with encrypting data at rest. You don't have to worry about cipher modes, key management is relatively easy, and the OpenPGP design it implements has been through about twenty-two years of review. The downside is that, last time I looked, there weren't any seriously excellent implementations in Ruby.
  37. Best Practices: use NaCl

     "NaCl" as in "salt," as in DJB's "Networking and Cryptography library." Tony Arcieri has a gem for it (rbnacl) that works on most Ruby VMs and fits nicely into a Ruby program. It provides nice tools for symmetric and asymmetric authenticated encryption.
  38. Best Practices: use bcrypt

     Or scrypt, or PBKDF2 if you need corporate to okay it (it's a NIST standard!).
  39. Best Practices: use PBKDF2

     PBKDF2 requires a bit more effort than bcrypt, since PBKDF2 libraries don't bring their own salting: you generate a random salt per password, store it alongside the iteration count and the derived key, and compare the derived keys in constant time.
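The extra effort slide 39 refers to, as an added Ruby example that is not part of the talk: PBKDF2-HMAC-SHA256 password storage with a fresh random salt per password, the algorithm, iteration count and salt stored next to the derived key, and constant-time verification. The storage format, the iteration count and the secure_compare helper are assumptions made for the example; the point of verification_cost is the knob that makes each guess expensive for an attacker while a legitimate user pays it once.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the talk): PBKDF2 password hashing with explicit salting.
ITERATIONS = 100_000   # assumed; raise it until one verification costs tens of ms
KEY_BYTES = 32

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Everything verification needs (algorithm, cost, salt) is stored with the
# derived key. Only the password is secret, so a stolen table still costs
# the attacker ITERATIONS hash calls per guess per user.
def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                length: KEY_BYTES, hash: 'SHA256')
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [dk].pack('m0')].join('$')
end

def verify_password(password, stored)
  algo, iterations, salt_b64, dk_b64 = stored.split('$', 4)
  return false unless algo == 'pbkdf2-sha256' && dk_b64
  salt = salt_b64.unpack1('m0')
  expected = dk_b64.unpack1('m0')
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                       length: expected.bytesize, hash: 'SHA256')
  secure_compare(candidate, expected)
end

# Seconds for one verification at the given cost: linear in the iteration count.
def verification_cost(iterations)
  stored = hash_password('x', iterations: iterations)
  t = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  verify_password('x', stored)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_password('correct horse battery staple')
  puts stored
  p verify_password('correct horse battery staple', stored)
  p verify_password('Tr0ub4dor&3', stored)
end
```

Because the salt is random, hashing the same password twice yields two different records, so an attacker cannot precompute a table or tell that two users share a password.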
  40. Cryptosystem Design (seriously though, don't)

     "We see the F-16 just sitting there, keys in the ignition, no one watching, lights blinking, ladder extended. And some infosec nerd is telling us we can't climb in there, even though we just want to taxi around a little and we've totally read the manual." - Maciej Ceglowski
  41. Why? Doing something tricky

     Clever OAuth2 tricks with request tokens and multiple servers.
  42. Authentication Proxy: the application should not be able to use Client 1's credentials for other clients.
  43. Security Root (http://arstechnica.com/apple/2011/07/mac-os-x-10-7/13/#file-vault-enable)

     This is an example of a security root: the recovery key for FileVault in modern Mac OS. Every other key is derived from it; without it, the math of cryptography makes the system strong.
  44. Guessing the Security Root: EC2 isn't expensive; PBKDF2 is slow; slow is good

     In particular, you want validating a guess for a security root to be slow. A legitimate user will only need to do it once; an attacker will do it millions of times.
  45. The Prize: service credentials; AES is strong; keyed by token secret

     We don't actually use the whole token secret as the AES key; we expand it with PBKDF2-SHA-512 and use the first half of the derived key for AES.
  46. Chosen Ciphertext: alter ciphertext; HMAC is strong; keyed by token secret

     AES alone doesn't provide any message authentication: a modified ciphertext decrypts without complaint, just to garbage. We add our own authentication with HMAC, keyed with the second half of the derived key. Computing the MAC over the IV and ciphertext and checking it before decrypting (encrypt-then-MAC) is the arrangement that keeps a tampered ciphertext from ever reaching the cipher.
  47. Nonces: Number used Once; never ever reuse

     Key reuse is generally okay; nonces provide the variability. Initialization vectors, salts, etc. are the same idea. Reuse can compromise keys: seriously, never reuse.
  48. Storage
     {
       original_token_encrypted: aes(service_credentials),
       original_token_hmac: hmac(service_credentials),
       secret_salt: pbkdf_salt,
       secret_iv: aes_iv,
       other_token_metadata: …
     }

     We also store a couple of utilities: PBKDF2 needs a salt, which we keep around, and all the good AES modes need an initialization vector. Both must be randomly generated from a CSPRNG and fresh for every record; neither needs to be secret, but if you reuse them, awful things will happen.
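The design of slides 44 to 48 end to end, as an added Ruby example that is not the talk's production code: the token secret is stretched with PBKDF2-HMAC-SHA512 into 64 bytes, the first 32 become the AES-256 key and the last 32 the HMAC-SHA256 key, and the record carries the same four fields as the storage slide. One deliberate difference, labelled in the code: where the slide writes hmac(service_credentials), the MAC here covers the IV and the ciphertext (encrypt-then-MAC), so the chosen-ciphertext experiment of slide 46 is rejected before anything is decrypted. The iteration count and the secure_compare helper are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the talk): PBKDF2 -> split key -> AES-256-CBC + HMAC-SHA256.
ITERATIONS = 50_000   # assumed; tune so that checking one guess costs tens of ms

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Secret Derived Key (64 bytes) -> [Derived Token Key, Derived HMAC Key]
def derive_keys(token_secret, salt)
  dk = OpenSSL::KDF.pbkdf2_hmac(token_secret, salt: salt, iterations: ITERATIONS,
                                length: 64, hash: 'SHA512')
  [dk[0, 32], dk[32, 32]]
end

# Builds the record from slide 48. salt and iv come from the CSPRNG and are
# fresh for every record; they are stored in the clear and must never repeat.
def seal(service_credentials, token_secret)
  salt = SecureRandom.random_bytes(16)
  iv = SecureRandom.random_bytes(16)
  aes_key, mac_key = derive_keys(token_secret, salt)
  aes = OpenSSL::Cipher.new('aes-256-cbc')
  aes.encrypt
  aes.key = aes_key
  aes.iv = iv
  ciphertext = aes.update(service_credentials) + aes.final
  {
    original_token_encrypted: ciphertext,
    # MAC over iv + ciphertext (encrypt-then-MAC), not over the plaintext.
    original_token_hmac: OpenSSL::HMAC.digest('SHA256', mac_key, iv + ciphertext),
    secret_salt: salt,
    secret_iv: iv
  }
end

# Returns the service credentials, or nil if the token secret is wrong or the
# stored ciphertext or IV has been altered. The MAC is checked before AES runs.
def open_record(record, token_secret)
  aes_key, mac_key = derive_keys(token_secret, record[:secret_salt])
  expected = OpenSSL::HMAC.digest('SHA256', mac_key,
                                  record[:secret_iv] + record[:original_token_encrypted])
  return nil unless secure_compare(expected, record[:original_token_hmac])
  aes = OpenSSL::Cipher.new('aes-256-cbc')
  aes.decrypt
  aes.key = aes_key
  aes.iv = record[:secret_iv]
  aes.update(record[:original_token_encrypted]) + aes.final
end

# Slide 46's experiment: flip one bit of the stored ciphertext.
def tamper(record, offset = 0)
  ct = record[:original_token_encrypted].dup
  ct.setbyte(offset, ct.getbyte(offset) ^ 0x01)
  record.merge(original_token_encrypted: ct)
end

if __FILE__ == $PROGRAM_NAME
  secret = SecureRandom.hex(32)   # the token secret handed to the client
  rec = seal('svc-user:svc-password', secret)
  p open_record(rec, secret)
  p open_record(tamper(rec), secret)
  p open_record(rec, 'a wrong guess')
end
```

A wrong token secret and a tampered ciphertext fail the same way, at the MAC check, so the caller learns nothing about which it was and CBC padding errors are never exposed as an oracle.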
  49. Flowchart (one diagram, revealed in stages over slides 49 to 55)
     CSPRNG → Token Secret
     CSPRNG → secret_salt
     Token Secret + secret_salt → PBKDF2 → Secret Derived Key → Derived Token Key, Derived HMAC Key
     CSPRNG → secret_iv
     Service Credentials + Derived Token Key + secret_iv → AES → Encrypted Service Credentials
     Service Credentials + Derived HMAC Key → HMAC → Service Credentials HMAC