Cryptography Pitfalls at BsidesMSP 2017

Cryptography
Pitfalls
John Downey | @jtdowney
@jtdowney 1

View Slide

@jtdowney 2

View Slide

@jtdowney 3

View Slide

The views expressed in
this presentation are my
own, and not those of
PayPal or any of its
afﬁliates.
@jtdowney 4

View Slide

@jtdowney 5

View Slide

Conﬁdentiality
@jtdowney 6

View Slide

Authentication
@jtdowney 7

View Slide

Identiﬁcation
@jtdowney 8

View Slide

Rigorous Science
@jtdowney 9

View Slide

Peer Review
@jtdowney 10

View Slide

@jtdowney 11

View Slide

You have probably seen the door to a bank
vault, at least in the movies. You know, 10-inch-
thick, hardened steel, with huge bolts to lock it in
place. It certainly looks impressive. We often
ﬁnd the digital equivalent of such a vault door
installed in a tent. The people standing around
it are arguing over how thick the door should be,
rather than spending their time looking at the
tent.
— Cryptography Engineering by Niels Ferguson,
Bruce Schneier, and Tadayoshi Kohno
@jtdowney 12

View Slide

• For data in transit
• Use TLS, SSH, or VPN/IPsec
• For data at rest
• Use GnuPG
• Data to be signed
• Use GnuPG
@jtdowney 13

View Slide

• Avoid low level libraries
• OpenSSL
• PyCrypto
• Bouncy Castle
• Use a high level library
• NaCL/libsodium (C, Ruby, PHP, etc)
• Keyczar (C++, Python, and Java)
@jtdowney 14

View Slide

@jtdowney 15

View Slide

Random Number
Generation
@jtdowney 16

View Slide

Pitfalls
1. Not using a cryptographically strong
random number generator
2. Not using random data when it is required
3. Broken random number generators
@jtdowney 17

View Slide

@jtdowney 18

View Slide

@jtdowney 19

View Slide

Pitfalls
1. Not using a cryptographically strong random
number generator
@jtdowney 20

View Slide

@jtdowney 21

View Slide

Pitfalls
1. Not using a cryptographically strong random
number generator
@jtdowney 22

View Slide

@jtdowney 23

View Slide

@jtdowney 24

View Slide

@jtdowney 25

View Slide

@jtdowney 26

View Slide

MD_Update(&m,buf,j);
@jtdowney 27

View Slide

Don't add uninitialised
data to the random
number generator. This
stop valgrind from giving
error messages in
unrelated code. (Closes:
#363516)
@jtdowney 28

View Slide

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
MD_Update(&m,buf,j);
/* We know that line may cause programs such as
purify and valgrind to complain about use of
uninitialized data. The problem is not, it's
with the caller. Removing that line will make
sure you get really bad randomness and thereby
other problems such as very insecure keys. */
@jtdowney 29

View Slide

Recommendations
• Use a cryptographically strong random number
generator
• Unix-like
• Read from /dev/urandom
• Windows
• RandomNumberGenerator in
System.Security.Cryptography (.NET)
• CryptGenRandom
• Java use java.security.SecureRandom
@jtdowney 30

View Slide

Hash Functions
@jtdowney 31

View Slide

Pitfalls
1. Using weak/old algorithms
2. Misunderstanding checksums
3. Length extension attacks
@jtdowney 32

View Slide

@jtdowney 33

View Slide

@jtdowney 34

View Slide

@jtdowney 35

View Slide

@jtdowney 36

View Slide

9EC4C12949A4F31474F299058CE2B22A
@jtdowney 37

View Slide

9EC4C12949A4F31474F299058CE2B22A
USCYBERCOM plans, coordinates, integrates,
synchronizes and conducts activities to: direct
the operations and defense of speciﬁed
Department of Defense information networks
and; prepare to, and when directed, conduct full
spectrum military cyberspace operations in
order to enable actions in all domains, ensure
US/Allied freedom of action in cyberspace and
deny the same to our adversaries.
@jtdowney 38

View Slide

Pitfalls
@jtdowney 39

View Slide

@jtdowney 40

View Slide

Pitfalls
@jtdowney 41

View Slide

Message Authentication Code (MAC)
tag = MAC(key, value)
• Takes:
• key - shared secret
• value - value to protected integrity of
• Returns:
• tag - value that represents the integrity
@jtdowney 42

View Slide

Naive approach
tag = sha256(key + value)
@jtdowney 43

View Slide

Length Extension Attacks
secret = "my-secret-key"
value = "buy 10 units at $1"
signature = sha256(secret + value)
@jtdowney 44

View Slide

Length Extension Attacks
value = "buy 10 units at $1" + " or $0"
signature = sha256(secret + value)
@jtdowney 45

View Slide

Fixed
value = "buy 10 units at $1"
signature = hmac_sha256(secret, value)
@jtdowney 46

View Slide

@jtdowney 47

View Slide

@jtdowney 48

View Slide

Recommendations
• Use SHA-256 (SHA-2 family)
• Choose HMAC-SHA-256 if you want a
signature
• Use BLAKE2b if you need speed
• Stop using MD5
• Stop using SHA1
@jtdowney 49

View Slide

Ciphers
@jtdowney 50

View Slide

Pitfalls
1. Using old/weak algorithms
2. Using ECB mode for block ciphers
3. Not using authenticated encryption
@jtdowney 51

View Slide

@jtdowney 52

View Slide

@jtdowney 53

View Slide

@jtdowney 54

View Slide

Pitfalls
@jtdowney 55

View Slide

AES - primitive
ciphertext = AES_Encrypt(key, plaintext)
plaintext = AES_Decrypt(key, ciphertext)
• Function over:
• key - 128, 192, or 256 bit value
• plaintext - 128 bit value
• ciphertext - 128 bit value
@jtdowney 56

View Slide

ECB Encrypt
while (remaining blocks) {
block = ... # next 16 byte (128 bit chunk)
ouput.append(AES_Encrypt(key, block))
}
@jtdowney 57

View Slide

@jtdowney 58

View Slide

@jtdowney 59

View Slide

Pitfalls
@jtdowney 60

View Slide

@jtdowney 61

View Slide

@jtdowney 62

View Slide

@jtdowney 63

View Slide

@jtdowney 64

View Slide

World of hurt
@jtdowney 65

View Slide

Recommendations
• Prefer to use box/secret box from NaCL/
libsodium
• Stop using DES
• Stop building your own on top of AES
• Stop encrypting without protecting integrity
@jtdowney 66

View Slide

What if you have to use AES
• Do not use ECB mode
• Be sure to use authenticated encryption
• GCM mode would be a good ﬁrst choice
• Verify the tag/MAC ﬁrst
• Still easy to mess up in a critical way
@jtdowney 67

View Slide

TLS/SSL
@jtdowney 68

View Slide

Pitfalls
1. Not verifying the certiﬁcate chain or
hostname
2. Misconﬁgured server settings
3. Using a broken library
@jtdowney 69

View Slide

@jtdowney 70

View Slide

@jtdowney 71

View Slide

@jtdowney 72

View Slide

@jtdowney 73

View Slide

Hostname
veriﬁcation
@jtdowney 74

View Slide

Hostname verification
• Check that you got the certificate for who you
intended to connect to
• Hostname verification is protocol dependent
• OpenSSL doesn't have it built in
@jtdowney 75

View Slide

Pitfalls
1. Not verifying the certiﬁcate chain or hostname
@jtdowney 76

View Slide

@jtdowney 77

View Slide

SSL Labs
https://www.ssllabs.com
@jtdowney 78

View Slide

testssl.sh
https://testssl.sh
@jtdowney 79

View Slide

TLS Server Settings
https://mozilla.github.io/server-side-tls/ssl-conﬁg-generator/
@jtdowney 80

View Slide

Pitfalls
1. Not verifying the certiﬁcate chain or hostname
@jtdowney 81

View Slide

@jtdowney 82

View Slide

@jtdowney 83

View Slide

Recommendations
• Do ensure you're validating connections
• Lean on a framework/library if possible
• But check that it also does the right thing
• Setup and automated test to validate this
setting (badssl.com)
@jtdowney 84

View Slide

Trust
@jtdowney 85

View Slide

The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Are you sure you want to continue connecting (yes/no)?
@jtdowney 86

View Slide

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Please contact your system administrator.
@jtdowney 87

View Slide

@jtdowney 88

View Slide

Certiﬁcate
Pinning
@jtdowney 89

View Slide

@jtdowney 90

View Slide

Recommendations
• Think about what organizations you really
trust
• Investigate certiﬁcate pinning for your apps
@jtdowney 91

View Slide

@jtdowney 92

View Slide

Stanford Crypto Class
http://crypto-class.com
@jtdowney 93

View Slide

Matasano Crypto Challenges
http://cryptopals.com
@jtdowney 94

View Slide

Questions
John Downey | @jtdowney
@jtdowney 95

View Slide

Bonus Round
@jtdowney 96

View Slide

Quantum
Computers
@jtdowney 97

View Slide

Pitfalls
1. Assuming current crypto will last forever
@jtdowney 98

View Slide

@jtdowney 99

View Slide

@jtdowney 100

View Slide

Recommendations
• Follow the PQCrypto discussion
• Stay away from PQCrypto until the industry
starts to standardize
• Hope that researchers are moving fast
enough
@jtdowney 101

View Slide

Images
• https://flic.kr/p/6eagaw
• https://flic.kr/p/4KWhKn
• https://flic.kr/p/9F2BCv
• https://flic.kr/p/486xYS
• https://flic.kr/p/7Ffppm
• https://flic.kr/p/8TuJD9
• https://flic.kr/p/4iLJZt
• https://flic.kr/p/4pGZuz
• https://flic.kr/p/48w7wP
• https://flic.kr/p/8aZWNE
• https://flic.kr/p/5NRHp
• https://flic.kr/p/7p7raq
• https://flic.kr/p/aZEE1Z
• https://flic.kr/p/7WtwAz
• https://flic.kr/p/6AN9mM
• https://flic.kr/p/6dt62u
• https://flic.kr/p/4ZqwyB
• https://flic.kr/p/Bqewr
• https://flic.kr/p/ecdhVE
• https://flic.kr/p/AV1Nd
• https://flic.kr/p/5tWgh4
@jtdowney 102

View Slide

Cryptography Pitfalls at BsidesMSP 2017

Cryptography Pitfalls at BsidesMSP 2017

John Downey

More Decks by John Downey

Other Decks in Programming

Featured

Transcript