Cryptography at ChicagoRuby

Transcript

1. Cryptography John Downey | @jtdowney

2. • John Downey • @jtdowney • Developer at Braintree •

   Payment gateway • We’re hiring http://xkcd.com/153/

3. http://www.flickr.com/photos/freefoto/5692512457/

4. http://www.flickr.com/photos/zappowbang/2049368918/

5. http://www.flickr.com/photos/katieharbath/4382294246/

6. http://www.flickr.com/photos/kalebdf/2170180285/

7. http://www.flickr.com/photos/alstonfamily/2237347597/

8. http://www.flickr.com/photos/damiavos/4707651586/

9. None
10. None

11. • For data in transit • Use TLS/SSL, SSH, VPN,

    etc • For data at rest • Use GnuPG

12. Random Number Generators

13. None

14. MD_Update(&m,buf,j);

15. Don't add uninitialised data to the random number generator. This

    stop valgrind from giving error messages in unrelated code. (Closes: #363516)

16. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */

    MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */

17. Recommendations • Use the crypto library RNG • OpenSSL::Random •

    SecureRandom • On Linux (or other Unix-like OS) • /dev/random - blocks for entropy • /dev/urandom - non-blocking

18. Hash Functions

19. http://www.flickr.com/photos/littlejohncollection/3675547973/

20. USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct

    the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. 9EC4C12949A4F31474F299058CE2B22A
21. None

22. The quick brown fox jumps over the lazy dog

23. The quick brown fox jumps over t he lazy dog

    Compression function Compression function Compression function 0xb7ddad199e432646 a6ea890e68eb69db 0x2e6fa4a42945f7e49 88b2147f292fdf1 0x770abbd9d5af6e0b 6b90aac27c507f35 The quick brown fox jumps over the lazy dog 0x770abbd9d5af6e0b6b90aac27c507f35

24. Recommendations • Use SHA-256 (SHA-2 family) • Stop using MD5

    and SHA-1 • Keep and eye on SHA-3 contest • Be aware of length extensions • Flickr API used hash as signature

25. Key Derivation Functions

26. http://www.flickr.com/photos/jurvetson/5201796697/

27. Password KDF • Generates keys from a secret value •

    Attempt to thwart brute forcing • Intentionally slow • Tunable work factor

28. Recommendations • Password-based • Use PBKDF2 • Look into scrypt

    • Do tune your work factor • Already have a random key • Use HKDF

29. When to use it • Symmetric cipher keys • Symmetric

    authentication keys • Password storage

30. Passwords

31. http://www.flickr.com/photos/sponng/4554602341/

32. Password Fail

33. • Delegate authentication if possible • CAS • Kerberos •

    Change passwords into a verifier as soon as possible • Using bcrypt, scrypt, PBDKF2, etc • Don’t store passwords on your server • Even if it is encrypted • Store one-way keys or verifiers Recommendations

34. Symmetric Authentication

35. http://en.wikipedia.org/wiki/File:Baronnet-signet-ring.JPG

36. msg = “Attack at dawn” key = “Caeser is so

    cool” hash = sha256(key + msg)

37. msg = “Attack at dawn” key = “Caeser is so

    cool” hash = sha256(key + msg)

38. msg = “Attack at dawn” key = “Caeser is so

    cool” hash = hmac(key, msg)

39. When to use it • Prevent user tampering • Cookies

    • Single sign-on • Transparent redirect • Encrypted documents • Find out if there is a shared secret

40. • Use HMAC • Special construction using a hash •

    Preferably with SHA-256 • Look at S3 for example of RESTful API authentication Recommendations

41. Caveats • Keep your data structured • Amazon got this

    wrong • keyb=value2&keya=value1 • keyavalue1keybvalue2 • Avoid timing side channels

42. if hmac_known == hmac_given

43. a.size.times do |i| match = a[i] == b[i] return false

    unless match end return true

44. Exclusive OR (Xor) • Bitwise operation • Represented by ^

    or ⊕ • Interesting properties • A ⊕ B = C • B ⊕ C = A • A ⊕ 0 = A • A ⊕ A = 0 A ⊕ B A ⊕ B A ⊕ B A B Output 0 0 0 1 0 1 0 1 1 1 1 0

45. l = a.bytes.to_a res = 0 b.each_byte { |byte| res

    |= byte ^ l.shift } res == 0

46. Symmetric Encryption

47. http://www.flickr.com/photos/kevinomara/3422866722

48. Block Ciphers • Maps n-bit input to n-bit output •

    Confusion • Diffusion • Works on a single block • AES block size = 16 bytes (128 bits)

49. Plaintext “Hello World 123” Key 0xE60DC5C9747A963 A86FD952254782D77 Ciphertext 0x97D735D3E4F3DAE A8BBBC1DF35F1AEC1

    AES-128(key, msg)

50. Block Cipher Modes • Electronic Code Book (ECB) • Cipher

    Block Chaining (CBC) • Previous data mixed in • Changes cascade • Counter (CTR) • Operates like a stream cipher • Computable in parallel

51. Plaintext “This is a secret” Key 0xE60DC5C9747A963 A86FD952254782D77 Ciphertext 0x7CD937D779C4555

    CF38244BEC63C5F6C AES-128(key, msg) Random IV 0x20B8F0FBE8CCA71 A58FC86E6F2568F47 ⊕

52. Plaintext “message” Key 0xE60DC5C9747A963 A86FD952254782D77 Ciphertext 0x5867695E0F48DEA1 4A33F1E70C4165DF AES-128(key, msg)

    ⊕ Last Ciphertext 0x7CD937D779C4555 CF38244BEC63C5F6C

53. Plaintext ECB CBC

54. • Use AES-256 • Avoid using Blowfish and TripleDES •

    Stop using DES • Do verify the authenticity of your encrypted data before you decrypt it • Don’t use a block cipher without a cipher mode Recommendations

55. Verify the authenticity of your encrypted data before you decrypt

    it

56. Authenticated Encryption • Attach an HMAC • Be sure IV

    is authenticated • Use an Authenticated Encryption mode • GCM - Galois/Counter Mode • OCB - Offset Cookbook Mode • CCM - Counter with CBC-MAC

57. http://www.flickr.com/photos/bohman/210977249/

58. Asymmetric Authentication

59. http://www.flickr.com/photos/larimdame/65917688/

60. Recommendations • Do use 2048-bit RSA • Checkout http://www.keylength.com/ •

    Do use RSA-PSS if you can • Do sign a secure hash (not MD5) • Don’t use RSA without padding • Be sure to verify the entire signature • Nintendo Wii got this wrong (strcmp vs. memcmp)

61. Asymmetric Encryption

62. http://www.flickr.com/photos/manyhighways/3402845439/

63. • Do use a 2048-bit RSA key • Do use

    RSA-OAEP if you can • Do encrypt a symmetric cipher key • Don’t use RSA without padding • Don’t use the same key for signing/ encrypting Recommendations

64. Transport Layer Security

65. SecureTrust CA www.braintreegateway.com Sub CA www.example.com

66. Certificate: Data: Version: 3 (0x2) Serial Number: c7:f4:8d:8e:22:9e:1d:17:46:f7:bc:0c:32:aa:5a:0c Signature Algorithm:

    sha1WithRSAEncryption Issuer: C=US, O=SecureTrust Corporation, CN=SecureTrust CA Validity Not Before: Oct 11 19:34:36 2011 GMT Not After : Sep 23 20:12:55 2013 GMT Subject: CN=www.braintreegateway.com, ST=Illinois, C=US, L=Chicago, O=Braintree Payment Solutions, LLC/serialNumber=01995472/businessCategory=V1.0, Clause 5.(d)/ 1.3.6.1.4.1.311.60.2.1.2=Illinois/1.3.6.1.4.1.311.60.2.1.3=US Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c4:d1:d2:29:21:77:c8:80:fe:26:4c:b5:22:0f: f4:49:85:14:1c:80:cf:77:3f:ca:bc:19:da:b0:f7: a2:64:b6:f3:29:ec:71:9e:b1:a8:04:8f:40:63:b1: 17:61:69:00:50:fb:13:e8:46:60:10:15:f9:08:e3: aa:58:99:d7:66:3d:32:65:e3:61:b2:82:12:f8:72: 75:f0:d7:e5:d0:68:bd:28:de:8f:ab:10:4a:37:ee: 08:a7:71:3c:d3:f8:68:80:fc:ce:71:30:65:66:e5: 03:bf:64:2f:36:96:17:96:d7:7c:34:07:95:fe:91: 45:87:9c:60:75:5d:b4:6b:2b:34:8b:19:b3:42:8b: b2:17:9f:31:3a:07:ce:e7:b2:19:c2:d1:1d:6b:1d: ed:c2:94:10:9b:10:3c:8b:a6:13:7e:59:9e:8e:8c: 83:b4:d8:3e:55:f7:e0:85:d3:85:71:21:80:fb:58: 53:bd:dc:df:dd:60:cc:2b:c7:97:27:47:16:c4:ef: 2c:ad:95:af:84:37:c4:33:e6:7e:d7:fa:82:c9:36: a9:cf:53:10:d4:22:f2:68:4d:e4:93:d2:62:64:85: 3f:19:cd:a6:c1:96:93:4f:45:e9:22:75:91:7a:e2: cc:c2:a4:2c:1c:d8:8b:5d:c6:b1:2c:fa:a2:cd:d9: 14:31 Exponent: 65537 (0x10001)

67. X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key

    Identifier: 3A:CF:96:4B:45:24:7A:0D:0D:73:9C:2E:89:32:FE:D7:1D:F1:8C:1F X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: URI:http://crl.securetrust.com/STCA.crl Authority Information Access: OCSP - URI:http://ocsp.trustwave.com/ X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.30360.3.0 Policy: 2.16.840.1.114404.1.1.2.4.1 CPS: http://ssl.trustwave.com/CA Signature Algorithm: sha1WithRSAEncryption ab:4e:f4:e1:28:ff:2a:b4:58:ae:25:d2:fe:43:ae:0d:c8:ef: 78:43:f1:c2:a5:59:d5:43:38:55:9e:03:15:7b:54:16:22:72: 6f:49:0a:32:e8:ef:14:a2:6b:8b:9d:01:a8:d5:b7:45:12:91: 4f:ef:f4:5c:7c:b0:bc:7a:50:3d:51:f3:3e:96:17:fa:9b:4c: ac:85:fa:86:56:27:6f:06:60:35:cf:ac:6a:9b:83:1c:2a:78: 3c:18:b8:68:9e:d6:05:d0:ea:7d:55:c2:87:d2:c2:de:4a:f5: b0:49:4a:8e:23:11:83:75:57:67:39:27:97:95:27:a6:77:d8: c0:d4:4e:57:ca:35:70:ba:96:18:47:d8:0c:5e:bb:0a:09:9a: 01:84:96:97:bc:eb:42:cb:ba:57:88:43:67:fb:91:b7:44:34: d3:0c:b0:37:ea:b8:b3:ba:9e:df:34:03:59:0c:67:84:40:da: 8f:b4:2a:de:37:62:52:30:76:e8:77:af:c5:5f:31:3e:aa:e7: b0:9a:2b:45:b3:a8:c7:57:16:3f:b4:83:2a:79:66:4c:47:10: ab:24:e5:2f:4f:1d:ad:10:e2:83:b1:3f:74:1d:3f:07:68:0a: 04:93:25:c6:e1:9f:f9:71:8b:54:54:e9:e9:50:57:80:d6:af: 83:93:0c:c2

68. Recommendations • Do use TLS to secure your web server,

    email, etc • Do validate the certificate chain • The whole chain (iOS got this wrong)

69. Trust

70. The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA

    key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)?

71. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator.

72. •AOL Time Warner Inc. •AS Sertifitseerimiskeskus •AddTrust •Baltimore •beTRUSTed •Buypass

    •CNNIC •COMODO CA Limited •Certplus •certSIGN •Chambersign •Chunghwa Telecom Co., Ltd. •ComSign •Comodo CA Limited •Cybertrust, Inc •Deutsche Telekom AG •Deutscher Sparkassen Verlag GmbH •Dhimyotis •DigiCert Inc •DigiNotar •Digital Signature Trust Co. •Disig a.s. •EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. •EDICOM •Entrust, Inc. •Equifax •GTE Corporation •GeoTrust Inc. •GlobalSign nv-sa •Hongkong Post •Japan Certification Services, Inc. •Japanese Government •Microsec Ltd. •NetLock Halozatbiztonsagi Kft. •Network Solutions L.L.C. •PM/SGDN •QuoVadis Limited •RSA Security Inc •SECOM Trust Systems CO.,LTD. •SecureTrust Corporation •Sociedad Cameral de Certificación Digital •Sonera •Staat der Nederlanden •Starfield Technologies, Inc. •StartCom Ltd. •SwissSign AG •Swisscom •TC TrustCenter GmbH •TDC •Taiwan Government •Thawte •The Go Daddy Group, Inc. •The USERTRUST Network •TÜBİTAK •TÜRKTRUST •Unizeto Sp. z o.o. •VISA •ValiCert, Inc. •VeriSign, Inc. •WISeKey •Wells Fargo •XRamp Security Services Inc

73. Coursera Crypto Class Starts again June 11th https://www.coursera.org/course/crypto

74. Krypt https://github.com/emboss/krypt

75. • Videos • Theory and Practice of Cryptography series •

    http://www.youtube.com/watch?v=IzVCrSrZIX8 • http://www.youtube.com/watch?v=KDvt_0cafPw • http://www.youtube.com/watch?v=YcgqBEzcD_I • http://www.youtube.com/watch?v=ZDnShu5V99s • Crypto Strikes Back! • http://www.youtube.com/watch?v=ySQl0NhW1J0 • Presentations • http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf • http://www.eff.org/files/DefconSSLiverse.pdf • Blogs • http://blog.cryptographyengineering.com/ • http://rdist.root.org/