
Cryptography at ChicagoRuby


Deck from my Cryptography presentation at ChicagoRuby

John Downey

June 05, 2012



  1. John Downey
     • @jtdowney
     • Developer at Braintree
     • Payment gateway
     • We're hiring http://xkcd.com/153/
  2. • For data in transit
       • Use TLS/SSL, SSH, VPN, etc
     • For data at rest
       • Use GnuPG
  3. Debian OpenSSL package changelog:

         Don't add uninitialised data to the random number generator. This
         stop valgrind from giving error messages in unrelated code.
         (Closes: #363516)

     The line that was removed, with the comment next to it in OpenSSL's source:

         MD_Update(&m,buf,j); /* We know that line may cause programs such as
         purify and valgrind to complain about use of uninitialized data. The
         problem is not, it's with the caller. Removing that line will make
         sure you get really bad randomness and thereby other problems such as
         very insecure keys. */
  5. Recommendations
     • Use the crypto library RNG
       • OpenSSL::Random
       • SecureRandom
     • On Linux (or other Unix-like OS)
       • /dev/random - blocks for entropy
       • /dev/urandom - non-blocking
  6. USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

     9EC4C12949A4F31474F299058CE2B22A (the hex string that appears in the USCYBERCOM seal)
  7. Hashing "The quick brown fox jumps over the lazy dog": the message is split into blocks and run through the compression function three times, each output chaining into the next step:
       • 0xb7ddad199e432646a6ea890e68eb69db
       • 0x2e6fa4a42945f7e4988b2147f292fdf1
       • 0x770abbd9d5af6e0b6b90aac27c507f35 (final digest)
  8. Recommendations
     • Use SHA-256 (SHA-2 family)
     • Stop using MD5 and SHA-1
     • Keep an eye on the SHA-3 contest
     • Be aware of length extensions
       • Flickr API used a hash as a signature
  9. Password KDF
     • Generates keys from a secret value
     • Attempts to thwart brute forcing
     • Intentionally slow
     • Tunable work factor
  10. Recommendations
     • Password-based
       • Use PBKDF2
       • Look into scrypt
       • Do tune your work factor
     • Already have a random key
       • Use HKDF
  11. When to use it
     • Symmetric cipher keys
     • Symmetric authentication keys
     • Password storage
  12. Recommendations
     • Delegate authentication if possible
       • CAS
       • Kerberos
     • Change passwords into a verifier as soon as possible
       • Using bcrypt, scrypt, PBKDF2, etc
     • Don't store passwords on your server
       • Even if it is encrypted
       • Store one-way keys or verifiers
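The two KDF recommendations from slides 10 to 12 in Ruby, as an added example that is not part of the deck: a password is turned into a self-describing PBKDF2 verifier (salt, iteration count and derived key, never the password), and a key that is already random is expanded with HKDF into separate encryption and authentication keys. The record format, the iteration count and the HKDF info labels are assumptions chosen for the example.

```ruby
require "openssl"
require "securerandom"

# Work factor for PBKDF2; an assumed starting point, tune it for your hardware.
PBKDF2_ITERATIONS = 100_000
PBKDF2_LENGTH = 32
HKDF_SALT = "chicagoruby-demo-salt"   # constructed, fixed per application

# Turn a password into a verifier: PBKDF2-HMAC-SHA256 with a fresh random salt.
# The stored record carries its own algorithm and iteration count, so the work
# factor can be raised later without breaking existing entries.
def make_verifier(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, PBKDF2_LENGTH, "sha256")
  "pbkdf2-sha256$#{iterations}$#{[salt].pack("m0")}$#{[dk].pack("m0")}"
end

# Byte-by-byte comparison whose running time does not depend on where the
# first difference is (used so the verifier check leaks nothing via timing).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive with the stored parameters and compare against the stored key.
def verify_password?(password, verifier)
  algo, iters, salt_b64, dk_b64 = verifier.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && dk_b64
  salt = salt_b64.unpack1("m0")
  expected = dk_b64.unpack1("m0")
  actual = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters.to_i, expected.bytesize, "sha256")
  constant_time_equal?(actual, expected)
end

# HKDF for the "already have a random key" case: expand one uniformly random
# master key into purpose-bound subkeys instead of reusing it for everything.
def derive_subkeys(master_key)
  {
    enc: OpenSSL::KDF.hkdf(master_key, salt: HKDF_SALT, info: "app/v1/encryption",
                           length: 32, hash: "sha256"),
    mac: OpenSSL::KDF.hkdf(master_key, salt: HKDF_SALT, info: "app/v1/authentication",
                           length: 32, hash: "sha256"),
  }
end

if $PROGRAM_NAME == __FILE__
  record = make_verifier("correct horse battery staple")
  puts record
  puts verify_password?("correct horse battery staple", record)
  puts derive_subkeys(SecureRandom.random_bytes(32)).transform_values(&:bytesize).inspect
end
```

The iteration count is stored with the verifier rather than as a global so that old records keep verifying after the work factor is raised; new records simply get the higher count.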
  13. msg = "Attack at dawn"
      key = "Caeser is so cool"
      hash = sha256(key + msg)
  14. msg = "Attack at dawn"
      key = "Caeser is so cool"
      hash = sha256(key + msg)
  15. msg = "Attack at dawn"
      key = "Caeser is so cool"
      hash = hmac(key, msg)
  16. When to use it
     • Prevent user tampering
       • Cookies
       • Single sign-on
       • Transparent redirect
       • Encrypted documents
     • Find out if there is a shared secret
  17. Recommendations
     • Use HMAC
       • Special construction using a hash
       • Preferably with SHA-256
     • Look at S3 for an example of RESTful API authentication
  18. Caveats
     • Keep your data structured
       • Amazon got this wrong
       • keyb=value2&keya=value1
       • keyavalue1keybvalue2
     • Avoid timing side channels
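Slides 15 to 18 together describe one scheme: sign a request with HMAC-SHA256 over a structured string, and verify the tag without a timing side channel. The Ruby below is an added example, not code from the deck, showing the unstructured concatenation slide 18 warns about next to a canonical form (sorted, percent-encoded, fixed separators). The parameter names and the shared secret are constructed values.

```ruby
require "openssl"
require "cgi"

SECRET = "shared secret between client and server"   # constructed demo value

# The unstructured scheme from slide 18: keys and values run together with no
# separators, so two different parameter sets can yield the same string.
def naive_string_to_sign(params)
  params.sort.map { |k, v| "#{k}#{v}" }.join
end

# Structured form: sorted keys, every key and value percent-encoded, and fixed
# "=" / "&" separators, so each parameter set maps to exactly one string.
def canonical_string_to_sign(params)
  params.sort.map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }.join("&")
end

# HMAC-SHA256 over the string to sign, hex encoded for transport.
def sign(string_to_sign, secret = SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, string_to_sign)
end

# Compare in time independent of where the first mismatching byte is; a plain
# == returns early and leaks how many leading bytes of the tag were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute the tag over the canonical string and compare safely.
def valid_signature?(params, signature, secret = SECRET)
  constant_time_equal?(sign(canonical_string_to_sign(params), secret), signature)
end

if $PROGRAM_NAME == __FILE__
  genuine = { "keya" => "value1", "keyb" => "value2" }
  collision = { "keya" => "value1keybvalue2" }
  puts "naive:     #{naive_string_to_sign(genuine)} / #{naive_string_to_sign(collision)}"
  puts "canonical: #{canonical_string_to_sign(genuine)} / #{canonical_string_to_sign(collision)}"
  tag = sign(canonical_string_to_sign(genuine))
  puts valid_signature?(genuine, tag)
  puts valid_signature?(collision, tag)
end
```

With the naive scheme the genuine request and the single-parameter request produce the identical string `keyavalue1keybvalue2`, so one signature covers both; the canonical form keeps them apart.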
  19. Exclusive OR (Xor)
     • Bitwise operation
     • Represented by ^ or ⊕
     • Interesting properties
       • A ⊕ B = C
       • B ⊕ C = A
       • A ⊕ 0 = A
       • A ⊕ A = 0

     Truth table of A ⊕ B:

         A  B  Output
         0  0  0
         1  0  1
         0  1  1
         1  1  0
  20. Block Ciphers
     • Maps n-bit input to n-bit output
     • Confusion
     • Diffusion
     • Works on a single block
     • AES block size = 16 bytes (128 bits)
  21. Block Cipher Modes
     • Electronic Code Book (ECB)
     • Cipher Block Chaining (CBC)
       • Previous data mixed in
       • Changes cascade
     • Counter (CTR)
       • Operates like a stream cipher
       • Computable in parallel
  22. One CBC block: the plaintext is XORed (⊕) with a random IV and then run through AES-128(key, msg)
     • Plaintext: "This is a secret"
     • Random IV: 0x20B8F0FBE8CCA71A58FC86E6F2568F47
     • Key: 0xE60DC5C9747A963A86FD952254782D77
     • Ciphertext: 0x7CD937D779C4555CF38244BEC63C5F6C
  23. Recommendations
     • Use AES-256
     • Avoid using Blowfish and TripleDES
     • Stop using DES
     • Do verify the authenticity of your encrypted data before you decrypt it
     • Don't use a block cipher without a cipher mode
  24. Authenticated Encryption
     • Attach an HMAC
       • Be sure the IV is authenticated
     • Use an Authenticated Encryption mode
       • GCM - Galois/Counter Mode
       • OCB - Offset Codebook Mode
       • CCM - Counter with CBC-MAC
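Slides 23 and 24 in working Ruby, as an added example that is not part of the deck: AES-256-CBC with an HMAC-SHA256 tag computed over IV plus ciphertext (encrypt-then-MAC), where the receiver checks the tag before the cipher is ever touched, and the same goal with AES-256-GCM, where the mode produces the tag and decryption fails closed. The blob layout (IV || ciphertext || tag), the key handling and the sample messages are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"

# One key for the cipher and a different key for the MAC; never share one.
def generate_keys
  { enc: SecureRandom.random_bytes(32), mac: SecureRandom.random_bytes(32) }
end

# Encrypt-then-MAC with AES-256-CBC. The tag covers the IV as well as the
# ciphertext, so flipping bits in either is detected.
def encrypt_then_mac(keys, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = keys[:enc]
  iv = cipher.random_iv                     # fresh 16-byte IV per message
  ciphertext = cipher.update(plaintext) + cipher.final
  tag = OpenSSL::HMAC.digest("SHA256", keys[:mac], iv + ciphertext)
  iv + ciphertext + tag                     # layout: IV || ciphertext || tag
end

# Timing-safe comparison of two byte strings of the same length.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the tag over IV || ciphertext first; only then decrypt. Returns nil on
# any failure, so a bad tag never reaches the padding check of the cipher.
def verify_then_decrypt(keys, blob)
  return nil if blob.bytesize < 16 + 32
  iv = blob.byteslice(0, 16)
  tag = blob.byteslice(-32, 32)
  ciphertext = blob.byteslice(16, blob.bytesize - 48)
  expected = OpenSSL::HMAC.digest("SHA256", keys[:mac], iv + ciphertext)
  return nil unless constant_time_equal?(expected, tag)
  decipher = OpenSSL::Cipher.new("aes-256-cbc")
  decipher.decrypt
  decipher.key = keys[:enc]
  decipher.iv = iv
  decipher.update(ciphertext) + decipher.final
end

# Same property from a built-in authenticated mode: GCM computes the tag over
# the ciphertext and any associated data (aad) that must be bound but not hidden.
def gcm_encrypt(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                     # 12 bytes for GCM, never reused with a key
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Decryption raises on a tag mismatch; map that to nil so callers cannot
# accidentally use unauthenticated output.
def gcm_decrypt(key, msg, aad)
  decipher = OpenSSL::Cipher.new("aes-256-gcm")
  decipher.decrypt
  decipher.key = key
  decipher.iv = msg[:iv]
  decipher.auth_tag = msg[:tag]
  decipher.auth_data = aad
  decipher.update(msg[:ciphertext]) + decipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if $PROGRAM_NAME == __FILE__
  keys = generate_keys
  blob = encrypt_then_mac(keys, "This is a secret")
  puts verify_then_decrypt(keys, blob)
  blob.setbyte(3, blob.getbyte(3) ^ 0x01)   # tamper with the IV
  p verify_then_decrypt(keys, blob)         # nil: rejected before decryption
end
```

Tampering with the IV in plain CBC silently changes the first plaintext block; here it is caught because the IV is under the MAC.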
  25. Recommendations
     • Do use 2048-bit RSA
       • Check out http://www.keylength.com/
     • Do use RSA-PSS if you can
     • Do sign a secure hash (not MD5)
     • Don't use RSA without padding
     • Be sure to verify the entire signature
       • Nintendo Wii got this wrong (strcmp vs. memcmp)
  26. Recommendations
     • Do use a 2048-bit RSA key
     • Do use RSA-OAEP if you can
     • Do encrypt a symmetric cipher key
     • Don't use RSA without padding
     • Don't use the same key for signing/encrypting
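Slides 25 and 26 as an added Ruby example (not code from the deck): a 2048-bit key used only for RSA-PSS signatures over SHA-256, a second key used only for RSA-OAEP, and OAEP wrapping a 32-byte symmetric key rather than the message itself. The helper names and the sample payloads are assumptions for the example; the library calls are the ones in Ruby's standard OpenSSL binding.

```ruby
require "openssl"
require "securerandom"

# 2048-bit RSA; keep separate keys for signing and for encryption.
def generate_keypair(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Public half only, as the other party would hold it.
def public_key_of(key)
  OpenSSL::PKey::RSA.new(key.public_key.to_der)
end

# RSA-PSS signature over the SHA-256 hash of the message, MGF1 with SHA-256.
def sign_message(signing_key, message)
  signing_key.sign_pss("SHA256", message, salt_length: :max, mgf1_hash: "SHA256")
end

# The library verifies the whole signature value; a wrong length, a changed
# message or a changed byte all fail. Library errors (e.g. a truncated
# signature) are treated as "not verified" rather than propagated.
def verify_message(public_key, message, signature)
  public_key.verify_pss("SHA256", signature, message, salt_length: :auto, mgf1_hash: "SHA256")
rescue OpenSSL::PKey::PKeyError
  false
end

# OAEP can only encrypt a payload smaller than the modulus minus padding, which
# is exactly why one encrypts a symmetric key and not the message. Returns nil
# when the payload does not fit.
def wrap_key(recipient_public_key, symmetric_key)
  recipient_public_key.public_encrypt(symmetric_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
rescue OpenSSL::PKey::RSAError
  nil
end

def unwrap_key(recipient_private_key, wrapped)
  recipient_private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
rescue OpenSSL::PKey::RSAError
  nil
end

if $PROGRAM_NAME == __FILE__
  signer = generate_keypair
  sig = sign_message(signer, "Attack at dawn")
  puts verify_message(public_key_of(signer), "Attack at dawn", sig)
  puts verify_message(public_key_of(signer), "Attack at dusk", sig)

  recipient = generate_keypair
  session_key = SecureRandom.random_bytes(32)
  wrapped = wrap_key(public_key_of(recipient), session_key)
  puts unwrap_key(recipient, wrapped) == session_key
  p wrap_key(public_key_of(recipient), "x" * 256)      # nil: too large for 2048-bit OAEP
end
```

Signing, not encrypting, is what the signing key is for; the symmetric key wrapped under the recipient's OAEP key is what then protects the bulk data with a cipher such as AES.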
  27. Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  c7:f4:8d:8e:22:9e:1d:17:46:f7:bc:0c:32:aa:5a:0c
              Signature Algorithm: sha1WithRSAEncryption
              Issuer: C=US, O=SecureTrust Corporation, CN=SecureTrust CA
              Validity
                  Not Before: Oct 11 19:34:36 2011 GMT
                  Not After : Sep 23 20:12:55 2013 GMT
              Subject: CN=www.braintreegateway.com, ST=Illinois, C=US, L=Chicago, O=Braintree Payment Solutions, LLC/serialNumber=01995472/businessCategory=V1.0, Clause 5.(d)/
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                  RSA Public Key: (2048 bit)
                      Modulus (2048 bit):
                          00:c4:d1:d2:29:21:77:c8:80:fe:26:4c:b5:22:0f:
                          f4:49:85:14:1c:80:cf:77:3f:ca:bc:19:da:b0:f7:
                          a2:64:b6:f3:29:ec:71:9e:b1:a8:04:8f:40:63:b1:
                          17:61:69:00:50:fb:13:e8:46:60:10:15:f9:08:e3:
                          aa:58:99:d7:66:3d:32:65:e3:61:b2:82:12:f8:72:
                          75:f0:d7:e5:d0:68:bd:28:de:8f:ab:10:4a:37:ee:
                          08:a7:71:3c:d3:f8:68:80:fc:ce:71:30:65:66:e5:
                          03:bf:64:2f:36:96:17:96:d7:7c:34:07:95:fe:91:
                          45:87:9c:60:75:5d:b4:6b:2b:34:8b:19:b3:42:8b:
                          b2:17:9f:31:3a:07:ce:e7:b2:19:c2:d1:1d:6b:1d:
                          ed:c2:94:10:9b:10:3c:8b:a6:13:7e:59:9e:8e:8c:
                          83:b4:d8:3e:55:f7:e0:85:d3:85:71:21:80:fb:58:
                          53:bd:dc:df:dd:60:cc:2b:c7:97:27:47:16:c4:ef:
                          2c:ad:95:af:84:37:c4:33:e6:7e:d7:fa:82:c9:36:
                          a9:cf:53:10:d4:22:f2:68:4d:e4:93:d2:62:64:85:
                          3f:19:cd:a6:c1:96:93:4f:45:e9:22:75:91:7a:e2:
                          cc:c2:a4:2c:1c:d8:8b:5d:c6:b1:2c:fa:a2:cd:d9:
                          14:31
                      Exponent: 65537 (0x10001)
  28.         X509v3 extensions:
                  X509v3 Basic Constraints: critical
                      CA:FALSE
                  X509v3 Subject Key Identifier:
                      3A:CF:96:4B:45:24:7A:0D:0D:73:9C:2E:89:32:FE:D7:1D:F1:8C:1F
                  X509v3 Key Usage:
                      Digital Signature, Key Encipherment
                  X509v3 Extended Key Usage:
                      TLS Web Server Authentication
                  X509v3 CRL Distribution Points:
                      URI:http://crl.securetrust.com/STCA.crl
                  Authority Information Access:
                      OCSP - URI:http://ocsp.trustwave.com/
                  X509v3 Certificate Policies:
                      Policy: 2.16.840.1.114404.
                        CPS: http://ssl.trustwave.com/CA
          Signature Algorithm: sha1WithRSAEncryption
              ab:4e:f4:e1:28:ff:2a:b4:58:ae:25:d2:fe:43:ae:0d:c8:ef:
              78:43:f1:c2:a5:59:d5:43:38:55:9e:03:15:7b:54:16:22:72:
              6f:49:0a:32:e8:ef:14:a2:6b:8b:9d:01:a8:d5:b7:45:12:91:
              4f:ef:f4:5c:7c:b0:bc:7a:50:3d:51:f3:3e:96:17:fa:9b:4c:
              ac:85:fa:86:56:27:6f:06:60:35:cf:ac:6a:9b:83:1c:2a:78:
              3c:18:b8:68:9e:d6:05:d0:ea:7d:55:c2:87:d2:c2:de:4a:f5:
              b0:49:4a:8e:23:11:83:75:57:67:39:27:97:95:27:a6:77:d8:
              c0:d4:4e:57:ca:35:70:ba:96:18:47:d8:0c:5e:bb:0a:09:9a:
              01:84:96:97:bc:eb:42:cb:ba:57:88:43:67:fb:91:b7:44:34:
              d3:0c:b0:37:ea:b8:b3:ba:9e:df:34:03:59:0c:67:84:40:da:
              8f:b4:2a:de:37:62:52:30:76:e8:77:af:c5:5f:31:3e:aa:e7:
              b0:9a:2b:45:b3:a8:c7:57:16:3f:b4:83:2a:79:66:4c:47:10:
              ab:24:e5:2f:4f:1d:ad:10:e2:83:b1:3f:74:1d:3f:07:68:0a:
              04:93:25:c6:e1:9f:f9:71:8b:54:54:e9:e9:50:57:80:d6:af:
              83:93:0c:c2
  29. Recommendations
     • Do use TLS to secure your web server, email, etc
     • Do validate the certificate chain
       • The whole chain (iOS got this wrong)
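What "validate the whole chain" means in practice, as an added Ruby example that is not part of the deck: a throwaway root CA and a leaf are generated in memory (the names and validity window are constructed for the example), the leaf is accepted only when the root is in the trust store, and a certificate issued by the leaf is rejected because the leaf carries CA:FALSE even though its signature, checked on its own, is valid. The verifier is OpenSSL's own `X509::Store`, which checks every link's signature, validity period and CA constraints.

```ruby
require "openssl"

# Issue an X.509 v3 certificate. issuer_cert nil means self-signed.
def build_cert(subject:, key:, issuer_cert:, issuer_key:, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600                  # short-lived demo certificate

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  else
    # Same constraints as the Braintree leaf on slide 28: not a CA, server auth only.
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
    cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Root -> leaf, plus a "forged" certificate signed by the leaf's key. Names are
# constructed; nothing here is a real CA.
def build_demo_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = build_cert(subject: "/CN=Demo Root CA", key: root_key,
                    issuer_cert: nil, issuer_key: root_key, ca: true, serial: 1)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = build_cert(subject: "/CN=www.example.test", key: leaf_key,
                    issuer_cert: root, issuer_key: root_key, ca: false, serial: 2)
  forged_key = OpenSSL::PKey::RSA.new(2048)
  forged = build_cert(subject: "/CN=bank.example.test", key: forged_key,
                      issuer_cert: leaf, issuer_key: leaf_key, ca: false, serial: 3)
  { root: root, leaf: leaf, forged: forged, leaf_key: leaf_key }
end

# Full chain validation: the store walks from the presented certificate through
# any untrusted intermediates up to a trusted root, checking each link.
def chain_valid?(cert, trusted_roots, intermediates = [])
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  store.verify(cert, intermediates)
end

# Why per-certificate signature checks are not enough: this only confirms that
# `issuer_key` signed `cert`, not that the issuer was allowed to issue anything.
def signature_only_check?(cert, issuer_key)
  cert.verify(issuer_key.public_key)
end

if $PROGRAM_NAME == __FILE__
  pki = build_demo_pki
  puts chain_valid?(pki[:leaf], [pki[:root]])                        # true
  puts chain_valid?(pki[:leaf], [])                                  # false: no trust anchor
  puts signature_only_check?(pki[:forged], pki[:leaf_key])           # true: signature is fine
  puts chain_valid?(pki[:forged], [pki[:root]], [pki[:leaf]])        # false: leaf is not a CA
end
```

The last two lines are the whole point: the forged certificate's signature is mathematically valid, and only a validator that checks the intermediate's basicConstraints, as the store does, refuses it.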
  30.     The authenticity of host 'apollo.local (' can't be established.
          RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
          Are you sure you want to continue connecting (yes/no)?
  31.     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
          @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
          @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
          IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
          Someone could be eavesdropping on you right now (man-in-the-middle attack)!
          It is also possible that the RSA host key has just been changed.
          The fingerprint for the RSA key sent by the remote host is
          04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
          Please contact your system administrator.
  32. Root certificate authorities trusted by a typical browser/OS store: AOL Time Warner Inc. • AS Sertifitseerimiskeskus • AddTrust • Baltimore • beTRUSTed • Buypass • CNNIC • COMODO CA Limited • Certplus • certSIGN • Chambersign • Chunghwa Telecom Co., Ltd. • ComSign • Comodo CA Limited • Cybertrust, Inc • Deutsche Telekom AG • Deutscher Sparkassen Verlag GmbH • Dhimyotis • DigiCert Inc • DigiNotar • Digital Signature Trust Co. • Disig a.s. • EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. • EDICOM • Entrust, Inc. • Equifax • GTE Corporation • GeoTrust Inc. • GlobalSign nv-sa • Hongkong Post • Japan Certification Services, Inc. • Japanese Government • Microsec Ltd. • NetLock Halozatbiztonsagi Kft. • Network Solutions L.L.C. • PM/SGDN • QuoVadis Limited • RSA Security Inc • SECOM Trust Systems CO.,LTD. • SecureTrust Corporation • Sociedad Cameral de Certificación Digital • Sonera • Staat der Nederlanden • Starfield Technologies, Inc. • StartCom Ltd. • SwissSign AG • Swisscom • TC TrustCenter GmbH • TDC • Taiwan Government • Thawte • The Go Daddy Group, Inc. • The USERTRUST Network • TÜBİTAK • TÜRKTRUST • Unizeto Sp. z o.o. • VISA • ValiCert, Inc. • VeriSign, Inc. • WISeKey • Wells Fargo • XRamp Security Services Inc
  33. Further reading
     • Videos
       • Theory and Practice of Cryptography series
         • http://www.youtube.com/watch?v=IzVCrSrZIX8
         • http://www.youtube.com/watch?v=KDvt_0cafPw
         • http://www.youtube.com/watch?v=YcgqBEzcD_I
         • http://www.youtube.com/watch?v=ZDnShu5V99s
       • Crypto Strikes Back!
         • http://www.youtube.com/watch?v=ySQl0NhW1J0
     • Presentations
       • http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf
       • http://www.eff.org/files/DefconSSLiverse.pdf
     • Blogs
       • http://blog.cryptographyengineering.com/
       • http://rdist.root.org/