Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cryptography Pitfalls at Chicago Coder Conference

John Downey
May 14, 2015
Programming
1
120

Cryptography Pitfalls at Chicago Coder Conference

John Downey

May 14, 2015
Tweet

More Decks by John Downey

See All by John Downey
Cryptography Pitfalls at CactusCon 2019
jtdowney
0
150
Intro to Cybersecurity Workshop
jtdowney
0
120
Cryptography Pitfalls at BsidesMSP 2017
jtdowney
0
160
Cryptography Pitfalls at THOTCON 0x8
jtdowney
0
160
Cryptography Pitfalls at ConFoo Montreal 2017
jtdowney
1
330
Cryptography Pitfalls at BSidesPhilly 2016
jtdowney
0
140
Cryptography Pitfalls at LASCON 2016
jtdowney
0
190
Debugging TLS/SSL at DevOps Days Detroit 2016
jtdowney
1
210
Debugging TLS/SSL at DevOpsDays Boston
jtdowney
1
300

Other Decks in Programming

See All in Programming
Golang と Erlang
taiyow
7
1.8k
/←このスケジュール表に立ち向かう フロントエンド開発戦略 / A front-end development strategy to tackle a single-slash schedule.
nrslib
1
430
2024-10-02 dev2next - Application Observability like you've never heard before
jonatan_ivanov
0
200
知られざるNaNの世界
hole
3
1.1k
フロントエンドの現在地とこれから
koba04
10
4.7k
tc39 x jsconf.jp Panel Discussion 2024
yosuke_furukawa
PRO
0
110
テスト駆動開発✅️
akitoshiga
1
170
CSC509 Lecture 05
javiergs
PRO
0
180
Subclassing, Composition, Python, and You
hynek
3
190
The Efficiency Paradox and How to Save Yourself and the World
hollycummins
0
230
Nuxt UI Pro、NuxtHub、Nuxt Scripts、Nuxtエコシステムをふんだんに利用して開発するコーポレートサイト@Vue Fes Japan 2024
shingangan
3
540
Jakarta EE as Seen Trough the Lens of the ASF
ivargrimstad
0
860

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Optimising Largest Contentful Paint
csswizardry
31
2.9k
Automating Front-end Workflow
addyosmani
1365
200k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
5
130
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
31
1.7k
Visualization
eitanlees
143
15k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Writing Fast Ruby
sferik
626
60k
Adopting Sorbet at Scale
ufuk
73
9k
The Invisible Side of Design
smashingmag
297
50k
Navigating Team Friction
lara
183
14k

Transcript

  1. Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

  2. @jtdowney 2

  3. @jtdowney 3

  4. Confidentiality @jtdowney 4

  5. Authentication @jtdowney 5

  6. Identification @jtdowney 6

  7. Rigorous Science @jtdowney 7

  8. Peer Review @jtdowney 8

  9. @jtdowney 9

  10. You have probably seen the door to a bank vault,

    at least in the movies. You know, 10-inch-thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. -Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 10

  11. • For data in transit • Use TLS/SSL, SSH, or

    VPN/IPsec • For data at rest • Use GnuPG • Use a high level library • NaCL/libsodium (C, Ruby, etc) • Keyczar (Python and Java) @jtdowney 11

  12. @jtdowney 12

  13. Random Number Generation @jtdowney 13

  14. @jtdowney 14

  15. @jtdowney 15

  16. @jtdowney 16

  17. MD_Update(&m,buf,j); @jtdowney 17

  18. Don't add uninitialised data to the random number generator. This

    stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 18

  19. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */

    MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 19

  20. @jtdowney 20

  21. Recommendations • Unix-like • Use /dev/urandom • Never ending file

    you read from • Each read is more random data • Wrappers • SecureRandom (Ruby) • SecureRandom.getInstance("NativePRNG") (Java) • Windows • RandomNumberGenerator.Create() (.NET) • CryptGenRandom (.NET / Windows) @jtdowney 21

  22. Length Extension Attacks @jtdowney 22

  23. Hash Functions @jtdowney 23

  24. @jtdowney 24

  25. 9EC4C12949A4F31474F299058CE2B22A @jtdowney 25

  26. mission = """ USCYBERCOM plans, coordinates, integrates, synchronizes and conducts

    activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. """ md5(mission) # => 9EC4C12949A4F31474F299058CE2B22A @jtdowney 26

  27. Recommendations • Use SHA-256 (SHA-2 family) • Stop using MD5

    • Don't use SHA-1 in new projects • Remember fingerprints are not authentication • Someone can recompute the hash without knowing any secret @jtdowney 27

  28. Length Extension Attacks @jtdowney 28

  29. RestClient.post( "https://example.com/things", name: 'Widget', price: 1_23, signature: signature ) @jtdowney

    29

  30. signature = sha1("api-key|name=Widget&price=123") # => 8CBBCB204861672F93B26A6401E685195AB5719B @jtdowney 30

  31. Internal State @jtdowney 31

  32. Initial State h0 = 0x67452301 h1 = 0xEFCDAB89 h2 =

    0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0 @jtdowney 32

  33. Merkle–Damgård construction 1. Take block (64 bytes) 2. Run "compression"

    function (updates h0-h4) 3. Repeat on next block @jtdowney 33

  34. End State h0 = 0x8CBBCB20 h1 = 0x4861672F h2 =

    0x93B26A64 h3 = 0x01E68519 h4 = 0x5AB5719B 8CBBCB20 | 4861672F | 93B26A64 | 01E68519 | 5AB5719B @jtdowney 34

  35. &price=0 @jtdowney 35

  36. api-key|name=Widget&price=123&price=0 @jtdowney 36

  37. signature = sha1("api-key|name=Widget&price=123&price=0") # => 7CA17A2B91BD35C09D50A3AD5CAD1E9B396DDEF4 @jtdowney 37

  38. RestClient.post( "https://example.com/things", name: 'Widget', price: 0, signature: signature ) @jtdowney

    38

  39. Recommendations • Use HMAC-SHA-256 for similar cases • Message Authentication

    Code • HMAC / Keyed hash function • Resistant to length extension attacks @jtdowney 39

  40. ECB Mode @jtdowney 40

  41. Block Ciphers @jtdowney 41

  42. AES ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key, ciphertext) •

    Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 42

  43. ECB Encrypt while (remaining blocks) { block = ... #

    next 64 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 43

  44. @jtdowney 44

  45. @jtdowney 45

  46. Recommendations • Prefer to use "secret box" from libsodium/NaCl •

    Stop using DES • Stop building your own ontop of AES @jtdowney 46

  47. What if you have to use AES • Do not

    use ECB mode • Be sure to use authenticated encryption: • GCM, CCM, OCB mode • CBC/CTR with an HMAC of IV and ciphertext • Verify the tag/MAC first • Still easy to break in a critical way @jtdowney 47

  48. Password Storage @jtdowney 48

  49. @jtdowney 49

  50. @jtdowney 50

  51. @jtdowney 51

  52. @jtdowney 52

  53. @jtdowney 53

  54. @jtdowney 54

  55. sha1(password) @jtdowney 55

  56. 1. One-way • Value can be used for verification @jtdowney

    56

  57. sha1(salt + password) @jtdowney 57

  58. 1. One-way • Value can be used for verification 2.

    Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password @jtdowney 58

  59. Hash functions are fast @jtdowney 59

  60. 1. One-way • Value can be used for verification 2.

    Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password 3. Slow @jtdowney 60

  61. Adaptive Hashing bcrypt, scrypt, or PBKDF2 @jtdowney 61

  62. Recommendations • Delegate authentication if possible • Facebook, Twitter, Google,

    Github • Store one-way verifiers using bcrypt, scrypt, or PBDKF2 @jtdowney 62

  63. TLS/SSL Verification @jtdowney 63

  64. @jtdowney 64

  65. 1. Verify the certificate chain to a trusted root (VERIFY_PEER)

    1. Follow chain of trust 2. Check all of the signatures 3. Validate certificate parameters 2. Verify hostname of server (not always done for you) @jtdowney 65

  66. @jtdowney 66

  67. @jtdowney 67

  68. @jtdowney 68

  69. @jtdowney 69

  70. Recommendations • Do ensure you're validating connections • Lean on

    a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting @jtdowney 70

  71. Trust @jtdowney 71

  72. The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA

    key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 72

  73. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 73

  74. AOL Time Warner Inc. AS Sertifitseerimiskeskus AddTrust Baltimore beTRUSTed Buypass

    CNNIC COMODO CA Limited Certplus certSIGN Chambersign Chunghwa Telecom Co., Ltd. ComSign Comodo CA Limited Cybertrust, Inc Deutsche Telekom AG Deutscher Sparkassen Verlag GmbH Dhimyotis DigiCert Inc DigiNotar Digital Signature Trust Co. Disig a.s. EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. EDICOM Entrust, Inc. Equifax GTE Corporation GeoTrust Inc. GlobalSign nv-sa Hongkong Post Japan Certification Services, Inc. Japanese Government Microsec Ltd. NetLock Halozatbiztonsagi Kft. Network Solutions L.L.C. PM/SGDN QuoVadis Limited RSA Security Inc SECOM Trust Systems CO.,LTD. SecureTrust Corporation Sociedad Cameral de Certificación Digital Sonera Staat der Nederlanden Starfield Technologies, Inc. StartCom Ltd. SwissSign AG Swisscom TC TrustCenter GmbH TDC Taiwan Government Thawte The Go Daddy Group, Inc. The USERTRUST Network TÜBİTAK TÜRKTRUST Unizeto Sp. z o.o. VISA ValiCert, Inc. VeriSign, Inc. WISeKey Wells Fargo XRamp Security Services Inc @jtdowney 74

  75. Certificate Pinning @jtdowney 75

  76. Recommendations • Think about what organizations you really trust •

    Consider disabling some roots • Use certificate pinning in your apps @jtdowney 76

  77. Stanford Crypto Class https://www.coursera.org/course/crypto @jtdowney 77

  78. Matasano Crypto Challenges http://cryptopals.com @jtdowney 78

  79. Questions @jtdowney 79

  80. Images • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS • https://flic.kr/p/7Ffppm •

    https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/6AN9mM • https://flic.kr/p/6jCNY3 • https://flic.kr/p/6dt62u • https://flic.kr/p/7WtwAz • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE @jtdowney 80