Cryptography Pitfalls at BSidesPhilly 2016

Cryptography Pitfalls
John Downey | @jtdowney
@jtdowney 1

View Slide

Chicago
@jtdowney 2

View Slide

@jtdowney 3

View Slide

@jtdowney 4

View Slide

The views expressed in this
presentation are my own, and not
those of PayPal or any of its
afﬁliates.
@jtdowney 5

View Slide

@jtdowney 6

View Slide

Conﬁdentiality
@jtdowney 7

View Slide

Authentication
@jtdowney 8

View Slide

Identiﬁcation
@jtdowney 9

View Slide

Rigorous Science
@jtdowney 10

View Slide

Peer Review
@jtdowney 11

View Slide

@jtdowney 12

View Slide

You have probably seen the door to a bank vault, at least in
the movies. You know, 10-inch-thick, hardened steel, with huge
bolts to lock it in place. It certainly looks impressive. We
often ﬁnd the digital equivalent of such a vault door installed
in a tent. The people standing around it are arguing over how
thick the door should be, rather than spending their time
looking at the tent.
— Cryptography Engineering by Niels Ferguson, Bruce
Schneier, and Tadayoshi Kohno
@jtdowney 13

View Slide

• For data in transit
• Use TLS (née SSL), SSH, or VPN/IPsec
• For data at rest
• Use GnuPG
• Data to be signed
• Use GnuPG
@jtdowney 14

View Slide

• Avoid low level libraries
• OpenSSL
• PyCrypto
• Bouncy Castle
• Use a high level library
• NaCL/libsodium (C, Ruby, etc)
• Keyczar (Python and Java)
@jtdowney 15

View Slide

@jtdowney 16

View Slide

Random Number
Generation
@jtdowney 17

View Slide

Pitfalls
1. Not using a cryptographically strong random number
generator
2. Broken random number generators
3. Not using random data when it is required
@jtdowney 18

View Slide

@jtdowney 19

View Slide

@jtdowney 20

View Slide

Pitfalls
generator
@jtdowney 21

View Slide

@jtdowney 22

View Slide

@jtdowney 23

View Slide

MD_Update(&m,buf,j);
@jtdowney 24

View Slide

Don't add uninitialised data to
the random number generator.
This stop valgrind from giving
error messages in unrelated code.
(Closes: #363516)
@jtdowney 25

View Slide

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
MD_Update(&m,buf,j);
/* We know that line may cause programs such as
purify and valgrind to complain about use of
uninitialized data. The problem is not, it's
with the caller. Removing that line will make
sure you get really bad randomness and thereby
other problems such as very insecure keys. */
@jtdowney 26

View Slide

@jtdowney 27

View Slide

@jtdowney 28

View Slide

@jtdowney 29

View Slide

@jtdowney 30

View Slide

Pitfalls
generator
@jtdowney 31

View Slide

@jtdowney 32

View Slide

Recommendations
• Use a cryptographically strong random number generator
• Unix-like
• Read from /dev/urandom
• Windows
• RandomNumberGenerator in
System.Security.Cryptography (.NET)
• CryptGenRandom (Windows)
@jtdowney 33

View Slide

Hash Functions
@jtdowney 34

View Slide

Pitfalls
1. Using weak/old algorithms
2. Misunderstanding checksums
3. Length extension attacks
@jtdowney 35

View Slide

@jtdowney 36

View Slide

@jtdowney 37

View Slide

@jtdowney 38

View Slide

@jtdowney 39

View Slide

9EC4C12949A4F31474F299058CE2B22A
@jtdowney 40

View Slide

mission = """
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts
activities to: direct the operations and defense of specified
Department of Defense information networks and; prepare to, and when
directed, conduct full spectrum military cyberspace operations in order
to enable actions in all domains, ensure US/Allied freedom of action
in cyberspace and deny the same to our adversaries.
"""
md5(mission)
# => 9EC4C12949A4F31474F299058CE2B22A
@jtdowney 41

View Slide

Pitfalls
@jtdowney 42

View Slide

@jtdowney 43

View Slide

Pitfalls
@jtdowney 44

View Slide

Message Authentication Code
(MAC)
tag = MAC(key, value)
• Takes:
• key - shared secret
• value - value to protected integrity of
• Returns:
• tag - value that represents the integrity
@jtdowney 45

View Slide

Naive approach
tag = sha256(key || value)
@jtdowney 46

View Slide

Length Extension Attacks
secret = "my-secret-key"
value = "buy 10 units at $1"
signature = sha256(secret + value)
@jtdowney 47

View Slide

value = "buy 10 units at $1actually make that at $0"
signature = sha256(secret + value)
@jtdowney 48

View Slide

value = "buy 10 units at $1"
signature = hmac_sha256(secret, value)
@jtdowney 49

View Slide

@jtdowney 50

View Slide

@jtdowney 51

View Slide

Recommendations
• Use SHA-256 (SHA-2 family)
• Choose HMAC-SHA-256 if you want a signature
• Stop using MD5
• Don't use SHA-1 in new projects
• Phase it out for uses that require collision resistance
@jtdowney 52

View Slide

Password Storage
@jtdowney 53

View Slide

Don't wait to ﬁx your password
storage
• http://www.bsidesphilly.org/2016/12/cryptography_pitfalls/
• https://jtdowney.com/blog/2015/11/01/dont-wait-to-ﬁx-
your-password-storage/
@jtdowney 54

View Slide

Ciphers
@jtdowney 55

View Slide

Pitfalls
1. Using old/weak algorithms
2. Using ECB mode for block ciphers
3. Not using authenticated encryption
@jtdowney 56

View Slide

@jtdowney 57

View Slide

@jtdowney 58

View Slide

@jtdowney 59

View Slide

Pitfalls
@jtdowney 60

View Slide

AES - primitive
ciphertext = AES_Encrypt(key, plaintext)
plaintext = AES_Decrypt(key, ciphertext)
• Function over:
• key - 128, 192, or 256 bit value
• plaintext - 128 bit value
• ciphertext - 128 bit value
@jtdowney 61

View Slide

ECB Encrypt
while (remaining blocks) {
block = ... # next 16 byte (128 bit chunk)
ouput.append(AES_Encrypt(key, block))
}
@jtdowney 62

View Slide

@jtdowney 63

View Slide

@jtdowney 64

View Slide

Pitfalls
@jtdowney 65

View Slide

@jtdowney 66

View Slide

@jtdowney 67

View Slide

@jtdowney 68

View Slide

@jtdowney 69

View Slide

World of hurt
@jtdowney 70

View Slide

Recommendations
• Prefer to use box/secret box from NaCL/libsodium
• Stop using DES
• Stop building your own on top of AES
• Stop encrypting without protecting integrity
@jtdowney 71

View Slide

What if you have to use AES
• Do not use ECB mode
• Be sure to use authenticated encryption
• GCM mode would be a good ﬁrst choice
• Verify the tag/MAC ﬁrst
• Still easy to mess up in a critical way
@jtdowney 72

View Slide

TLS/SSL
@jtdowney 73

View Slide

Pitfalls
1. Not verifying the certiﬁcate chain or hostname
2. Misconﬁgured server settings
3. Using a broken library
@jtdowney 74

View Slide

@jtdowney 75

View Slide

@jtdowney 76

View Slide

@jtdowney 77

View Slide

Hostname veriﬁcation
@jtdowney 78

View Slide

Hostname verification
• Check that you got the certificate for who you intended to
connect to
• Hostname verification is protocol dependent
• OpenSSL doesn't have it built in
@jtdowney 79

View Slide

Pitfalls
@jtdowney 80

View Slide

@jtdowney 81

View Slide

SSL Labs
https://www.ssllabs.com
@jtdowney 82

View Slide

testssl.sh
https://testssl.sh
@jtdowney 83

View Slide

TLS Server Settings
https://mozilla.github.io/server-side-tls/ssl-conﬁg-generator/
@jtdowney 84

View Slide

Pitfalls
@jtdowney 85

View Slide

@jtdowney 86

View Slide

@jtdowney 87

View Slide

Recommendations
• Do ensure you're validating connections
• Lean on a framework/library if possible
• But check that it also does the right thing
• Setup and automated test to validate this setting
(badssl.com)
@jtdowney 88

View Slide

Trust
@jtdowney 89

View Slide

The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Are you sure you want to continue connecting (yes/no)?
@jtdowney 90

View Slide

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Please contact your system administrator.
@jtdowney 91

View Slide

@jtdowney 92

View Slide

Certiﬁcate Pinning
@jtdowney 93

View Slide

@jtdowney 94

View Slide

Recommendations
• Think about what organizations you really trust
• Investigate certiﬁcate pinning for your apps
@jtdowney 95

View Slide

Quantum Computers
@jtdowney 96

View Slide

Pitfalls
1. Assuming current crypto will last forever
@jtdowney 97

View Slide

@jtdowney 98

View Slide

@jtdowney 99

View Slide

Recommendations
• Follow the PQCrypto discussion
• Stay away from PQCrypto until the industry starts to
standardize
• Hope that researchers are moving fast enough
@jtdowney 100

View Slide

@jtdowney 101

View Slide

Stanford Crypto Class
http://crypto-class.com
@jtdowney 102

View Slide

Matasano Crypto Challenges
http://cryptopals.com
@jtdowney 103

View Slide

Questions
John Downey | @jtdowney
@jtdowney 104

View Slide

Images
• https://flic.kr/p/6eagaw
• https://flic.kr/p/4KWhKn
• https://flic.kr/p/9F2BCv
• https://flic.kr/p/486xYS
• https://flic.kr/p/7Ffppm
• https://flic.kr/p/8TuJD9
• https://flic.kr/p/4iLJZt
• https://flic.kr/p/4pGZuz
• https://flic.kr/p/48w7wP
• https://flic.kr/p/8aZWNE
• https://flic.kr/p/5NRHp
• https://flic.kr/p/7p7raq
• https://flic.kr/p/aZEE1Z
• https://flic.kr/p/7WtwAz
• https://flic.kr/p/6AN9mM
• https://flic.kr/p/6dt62u
• https://flic.kr/p/4ZqwyB
• https://flic.kr/p/Bqewr
• https://flic.kr/p/ecdhVE
• https://flic.kr/p/AV1Nd
@jtdowney 105

View Slide

Cryptography Pitfalls at BSidesPhilly 2016

Cryptography Pitfalls at BSidesPhilly 2016

John Downey

More Decks by John Downey

Other Decks in Programming

Featured

Transcript