Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cryptography Pitfalls at ConFoo Montreal 2017

58376779023f009fc13d160bb3e82515?s=47 John Downey
March 10, 2017
Programming
1
230

Cryptography Pitfalls at ConFoo Montreal 2017

58376779023f009fc13d160bb3e82515?s=128

John Downey

March 10, 2017
Tweet

More Decks by John Downey

See All by John Downey
Cryptography Pitfalls at CactusCon 2019
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
79
Intro to Cybersecurity Workshop
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
100
Cryptography Pitfalls at BsidesMSP 2017
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
100
Cryptography Pitfalls at THOTCON 0x8
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
150
Cryptography Pitfalls at BSidesPhilly 2016
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
75
Cryptography Pitfalls at LASCON 2016
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
110
Debugging TLS/SSL at DevOps Days Detroit 2016
58376779023f009fc13d160bb3e82515?s=48 jtdowney
1
150
Debugging TLS/SSL at DevOpsDays Boston
58376779023f009fc13d160bb3e82515?s=48 jtdowney
1
260
Cryptography Pitfalls at Abstractions
58376779023f009fc13d160bb3e82515?s=48 jtdowney
0
70

Other Decks in Programming

See All in Programming
Pythonによる開発をアップデートするライブラリの紹介
4b46b5f1acab7f5a64c0036c1fc39f31?s=48 daikikatsuragawa
1
800
Git Rebase
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
7
1.1k
料理の注文メニューの3D化への挑戦
Fbe7836c8ca96e3099dd5bbd83d1a391?s=48 hideg
0
290
FullStack eXchange, July 2022
6f3ec7315ad0715ae2a5f89a52877218?s=48 brucel
0
200
Babylon.jsで作ったsceneをレイトレーシングで映えさせる
C54e383f9597a63832fcc1c2547c7540?s=48 turamy
1
210
Pythonで鉄道指向プログラミング
Cc15f7fbb06e96bdb56992e3d42ea8cd?s=48 usabarashi
0
130
WindowsコンテナDojo: 第4回 Red Hat OpenShift Localを使ってみよう
E5eb221d34d4ffbe973f8542b4c3a00e?s=48 oniak3ibm
PRO
0
190
Enzyme から React Native Testing Library に移行した経緯 / 2022-07-20
41c9dedd1b4c53ace82e040bb09334fe?s=48 tamago3keran
1
160
ベストプラクティス・ドリフト
A15b71ae6fbdecb3216bdcba552d9a77?s=48 sssssssssssshhhhhhhhhh
1
220
Introduction to Property-Based Testing @ COSCUP 2022
Fd9f21969cd8a0cbf0b2f48a9af0cc28?s=48 cybai
1
150
サーバーレスパターンから学ぶデータ分析基盤構築 / devio2022
82d6167c4d14393c2e20b37a74b363c5?s=48 kasacchiful
0
510
NestJS_meetup_atamaplus
F0a8d07597a19192791bf663504d2a17?s=48 atamaplus
0
220

Featured

See All Featured
Building Adaptive Systems
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
1.2k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
Fight the Zombie Pattern Library - RWD Summit 2016
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
226
15k
Making Projects Easy
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
98
4.4k
The Brand Is Dead. Long Live the Brand.
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
46
2.7k
Bootstrapping a Software Product
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
296
110k
The Success of Rails: Ensuring Growth for the Next 100 Years
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
15
3.9k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
Thoughts on Productivity
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
44
2.4k
Debugging Ruby Performance
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
65
10k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
597
64k
The Language of Interfaces
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
21k

Transcript

  1. Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

  2. @jtdowney 2

  3. @jtdowney 3

  4. @jtdowney 4

  5. The views expressed in this presentation are my own, and

    not those of PayPal or any of its affiliates. @jtdowney 5

  6. @jtdowney 6

  7. Confidentiality @jtdowney 7

  8. Authentication @jtdowney 8

  9. Identification @jtdowney 9

  10. Rigorous Science @jtdowney 10

  11. Peer Review @jtdowney 11

  12. @jtdowney 12

  13. You have probably seen the door to a bank vault,

    at least in the movies. You know, 10-inch- thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. — Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 13

  14. • For data in transit • Use TLS (née SSL),

    SSH, or VPN/IPsec • For data at rest • Use GnuPG • Data to be signed • Use GnuPG @jtdowney 14

  15. • Avoid low level libraries • OpenSSL • PyCrypto •

    Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, PHP, etc) • Keyczar (C++, Python, and Java) @jtdowney 15

  16. @jtdowney 16

  17. Random Number Generation @jtdowney 17

  18. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Not using random data when it is required 3. Broken random number generators @jtdowney 18

  19. @jtdowney 19

  20. @jtdowney 20

  21. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Not using random data when it is required 3. Broken random number generators @jtdowney 21

  22. @jtdowney 22

  23. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Not using random data when it is required 3. Broken random number generators @jtdowney 23

  24. @jtdowney 24

  25. @jtdowney 25

  26. MD_Update(&m,buf,j); @jtdowney 26

  27. Don't add uninitialised data to the random number generator. This

    stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 27

  28. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */

    MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 28

  29. @jtdowney 29

  30. @jtdowney 30

  31. Recommendations • Use a cryptographically strong random number generator •

    Unix-like • Read from /dev/urandom • Windows • RandomNumberGenerator in System.Security.Cryptography (.NET) • CryptGenRandom • Java use java.security.SecureRandom @jtdowney 31

  32. Hash Functions @jtdowney 32

  33. Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length

    extension attacks @jtdowney 33

  34. @jtdowney 34

  35. @jtdowney 35

  36. @jtdowney 36

  37. @jtdowney 37

  38. 9EC4C12949A4F31474F299058CE2B22A @jtdowney 38

  39. 9EC4C12949A4F31474F299058CE2B22A USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to:

    direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. @jtdowney 39

  40. Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length

    extension attacks @jtdowney 40

  41. @jtdowney 41

  42. Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length

    extension attacks @jtdowney 42

  43. Message Authentication Code (MAC) tag = MAC(key, value) • Takes:

    • key - shared secret • value - value to protected integrity of • Returns: • tag - value that represents the integrity @jtdowney 43

  44. Naive approach tag = sha256(key + value) @jtdowney 44

  45. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1" signature = sha256(secret + value) @jtdowney 45

  46. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1" + " or $0" signature = sha256(secret + value) @jtdowney 46

  47. Fixed secret = "my-secret-key" value = "buy 10 units at

    $1" signature = hmac_sha256(secret, value) @jtdowney 47

  48. @jtdowney 48

  49. @jtdowney 49

  50. Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if

    you want a signature • Use BLAKE2b if you need speed • Stop using MD5 • Stop using SHA1 @jtdowney 50

  51. Passwords @jtdowney 51

  52. @jtdowney 52

  53. @jtdowney 53

  54. @jtdowney 54

  55. @jtdowney 55

  56. @jtdowney 56

  57. @jtdowney 57

  58. @jtdowney 58

  59. @jtdowney 59

  60. @jtdowney 60

  61. @jtdowney 61

  62. Hash functions are fast @jtdowney 62

  63. 1. One-way • Value can be used for verification 2.

    Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password 3. Slow @jtdowney 63

  64. Adaptive Hashing bcrypt, scrypt, argon2, or PBKDF2 @jtdowney 64

  65. Recommendations • Delegate authentication if possible • Facebook, Twitter, Google,

    Github • Store one-way verifiers using bcrypt, scrypt, argon2, or PBDKF2 @jtdowney 65

  66. So your password storage is bad @jtdowney 66

  67. It will be ok, you can fix it @jtdowney 67

  68. Example: password_hash column is sha1(salt + password) @jtdowney 68

  69. • Don't wait for user to login and silently upgrade

    • Wrap bcrypt around existing scheme • Use bcrypt(sha1(salt + password) • Upgrade all passwords in place • This does require the previous password scheme wasn't atrociously bad (e.g. DES crypt) @jtdowney 69

  70. Now: password_hash column is bcrypt(sha1(salt + password)) @jtdowney 70

  71. Ciphers @jtdowney 71

  72. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for

    block ciphers 3. Not using authenticated encryption @jtdowney 72

  73. @jtdowney 73

  74. @jtdowney 74

  75. @jtdowney 75

  76. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for

    block ciphers 3. Not using authenticated encryption @jtdowney 76

  77. AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key,

    ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 77

  78. ECB Encrypt while (remaining blocks) { block = ... #

    next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 78

  79. @jtdowney 79

  80. @jtdowney 80

  81. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for

    block ciphers 3. Not using authenticated encryption @jtdowney 81

  82. @jtdowney 82

  83. @jtdowney 83

  84. @jtdowney 84

  85. @jtdowney 85

  86. World of hurt @jtdowney 86

  87. Recommendations • Prefer to use box/secret box from NaCL/ libsodium

    • Stop using DES • Stop building your own on top of AES • Stop encrypting without protecting integrity @jtdowney 87

  88. What if you have to use AES • Do not

    use ECB mode • Be sure to use authenticated encryption • GCM mode would be a good first choice • Verify the tag/MAC first • Still easy to mess up in a critical way @jtdowney 88

  89. TLS/SSL @jtdowney 89

  90. Pitfalls 1. Not verifying the certificate chain or hostname 2.

    Misconfigured server settings 3. Using a broken library @jtdowney 90

  91. @jtdowney 91

  92. @jtdowney 92

  93. @jtdowney 93

  94. @jtdowney 94

  95. Hostname verification @jtdowney 95

  96. Hostname verification • Check that you got the certificate for

    who you intended to connect to • Hostname verification is protocol dependent • OpenSSL doesn't have it built in @jtdowney 96

  97. Pitfalls 1. Not verifying the certificate chain or hostname 2.

    Misconfigured server settings 3. Using a broken library @jtdowney 97

  98. @jtdowney 98

  99. SSL Labs https://www.ssllabs.com @jtdowney 99

  100. testssl.sh https://testssl.sh @jtdowney 100

  101. TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-config-generator/ @jtdowney 101

  102. Pitfalls 1. Not verifying the certificate chain or hostname 2.

    Misconfigured server settings 3. Using a broken library @jtdowney 102

  103. @jtdowney 103

  104. @jtdowney 104

  105. Recommendations • Do ensure you're validating connections • Lean on

    a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 105

  106. Trust @jtdowney 106

  107. The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA

    key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 107

  108. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 108

  109. @jtdowney 109

  110. Certificate Pinning @jtdowney 110

  111. @jtdowney 111

  112. Recommendations • Think about what organizations you really trust •

    Investigate certificate pinning for your apps @jtdowney 112

  113. @jtdowney 113

  114. Stanford Crypto Class http://crypto-class.com @jtdowney 114

  115. Matasano Crypto Challenges http://cryptopals.com @jtdowney 115

  116. Questions John Downey | @jtdowney @jtdowney 116

  117. Bonus Round @jtdowney 117

  118. Quantum Computers @jtdowney 118

  119. Pitfalls 1. Assuming current crypto will last forever @jtdowney 119

  120. @jtdowney 120

  121. @jtdowney 121

  122. Recommendations • Follow the PQCrypto discussion • Stay away from

    PQCrypto until the industry starts to standardize • Hope that researchers are moving fast enough @jtdowney 122

  123. Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS •

    https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE • https://flic.kr/p/AV1Nd • https://flic.kr/p/5tWgh4 @jtdowney 123