Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cryptography Pitfalls at ConFoo Montreal 2017

John Downey
March 10, 2017
Programming
1
260

Cryptography Pitfalls at ConFoo Montreal 2017

John Downey

March 10, 2017
Tweet

More Decks by John Downey

See All by John Downey
Cryptography Pitfalls at CactusCon 2019
jtdowney
0
79
Intro to Cybersecurity Workshop
jtdowney
0
100
Cryptography Pitfalls at BsidesMSP 2017
jtdowney
0
110
Cryptography Pitfalls at THOTCON 0x8
jtdowney
0
150
Cryptography Pitfalls at BSidesPhilly 2016
jtdowney
0
77
Cryptography Pitfalls at LASCON 2016
jtdowney
0
120
Debugging TLS/SSL at DevOps Days Detroit 2016
jtdowney
1
180
Debugging TLS/SSL at DevOpsDays Boston
jtdowney
1
270
Cryptography Pitfalls at Abstractions
jtdowney
0
71

Other Decks in Programming

See All in Programming
kotlin-resultを用いて鉄道志向なエラーハンドリングを試みる
blackbracken
1
170
GitHub ActionsとDeployGateで始めるAndroidアプリのCICD
yuhei_fujita
2
180
ChatGPT APIでセキュリティニュースを要約するシステムを作ってみた
sh1n0g1
0
1k
Cloudflare 概論 Cloudflare Meetup Kick Off! #CloudflareUG
maroon1st
0
620
一緒にスクラム開発___GPT-4と人間が共創するプロダクトの進化.pdf
itohiro73
5
6.5k
Réinventer le composant Console de Symfony
chalasr
3
730
#phperkaigi【実録】「PHP_CodeSniffer」で始める快適コードレビューライフ/codereviewlife
mrstsgk
0
260
NOT A HOTEL
AIコンシェルジュ「Kevin」の開発秘話
codehex
3
21k
時間を気にせず普通にカンニングもしつつ ISUCON12 本選問題を PHP でやってみる
sji
0
1.2k
どこでも動くWebフレームワークをつくる
yusukebe
13
6.6k
Eloquentとクエリビルダを両方使った実装の失敗例 - 第150回 PHP勉強会 #phpstudy
kotomin_m
0
190
Rendez-vous service et optimisez votre environnement de développement
bastnic
1
510

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
114
10k
Building Applications with DynamoDB
mza
86
5k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Building Adaptive Systems
keathley
28
1.4k
Intergalactic Javascript Robots from Outer Space
tanoku
261
26k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
31
9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
14
5.6k
Atom: Resistance is Futile
akmur
256
24k
Side Projects
sachag
451
38k

Transcript

  1. Cryptography
    Pitfalls
    John Downey | @jtdowney
    @jtdowney 1

    View Slide

  2. @jtdowney 2

    View Slide

  3. @jtdowney 3

    View Slide

  4. @jtdowney 4

    View Slide

  5. The views expressed in
    this presentation are my
    own, and not those of
    PayPal or any of its
    affiliates.
    @jtdowney 5

    View Slide

  6. @jtdowney 6

    View Slide

  7. Confidentiality
    @jtdowney 7

    View Slide

  8. Authentication
    @jtdowney 8

    View Slide

  9. Identification
    @jtdowney 9

    View Slide

  10. Rigorous Science
    @jtdowney 10

    View Slide

  11. Peer Review
    @jtdowney 11

    View Slide

  12. @jtdowney 12

    View Slide

  13. You have probably seen the door to a bank
    vault, at least in the movies. You know, 10-inch-
    thick, hardened steel, with huge bolts to lock it in
    place. It certainly looks impressive. We often
    find the digital equivalent of such a vault door
    installed in a tent. The people standing around
    it are arguing over how thick the door should be,
    rather than spending their time looking at the
    tent.
    — Cryptography Engineering by Niels Ferguson,
    Bruce Schneier, and Tadayoshi Kohno
    @jtdowney 13

    View Slide

  14. • For data in transit
    • Use TLS (née SSL), SSH, or VPN/IPsec
    • For data at rest
    • Use GnuPG
    • Data to be signed
    • Use GnuPG
    @jtdowney 14

    View Slide

  15. • Avoid low level libraries
    • OpenSSL
    • PyCrypto
    • Bouncy Castle
    • Use a high level library
    • NaCL/libsodium (C, Ruby, PHP, etc)
    • Keyczar (C++, Python, and Java)
    @jtdowney 15

    View Slide

  16. @jtdowney 16

    View Slide

  17. Random Number
    Generation
    @jtdowney 17

    View Slide

  18. Pitfalls
    1. Not using a cryptographically strong
    random number generator
    2. Not using random data when it is required
    3. Broken random number generators
    @jtdowney 18

    View Slide

  19. @jtdowney 19

    View Slide

  20. @jtdowney 20

    View Slide

  21. Pitfalls
    1. Not using a cryptographically strong random
    number generator
    2. Not using random data when it is required
    3. Broken random number generators
    @jtdowney 21

    View Slide

  22. @jtdowney 22

    View Slide

  23. Pitfalls
    1. Not using a cryptographically strong random
    number generator
    2. Not using random data when it is required
    3. Broken random number generators
    @jtdowney 23

    View Slide

  24. @jtdowney 24

    View Slide

  25. @jtdowney 25

    View Slide

  26. MD_Update(&m,buf,j);
    @jtdowney 26

    View Slide

  27. Don't add uninitialised
    data to the random
    number generator. This
    stop valgrind from giving
    error messages in
    unrelated code. (Closes:
    #363516)
    @jtdowney 27

    View Slide

  28. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
    MD_Update(&m,buf,j);
    /* We know that line may cause programs such as
    purify and valgrind to complain about use of
    uninitialized data. The problem is not, it's
    with the caller. Removing that line will make
    sure you get really bad randomness and thereby
    other problems such as very insecure keys. */
    @jtdowney 28

    View Slide

  29. @jtdowney 29

    View Slide

  30. @jtdowney 30

    View Slide

  31. Recommendations
    • Use a cryptographically strong random number
    generator
    • Unix-like
    • Read from /dev/urandom
    • Windows
    • RandomNumberGenerator in
    System.Security.Cryptography (.NET)
    • CryptGenRandom
    • Java use java.security.SecureRandom
    @jtdowney 31

    View Slide

  32. Hash Functions
    @jtdowney 32

    View Slide

  33. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks
    @jtdowney 33

    View Slide

  34. @jtdowney 34

    View Slide

  35. @jtdowney 35

    View Slide

  36. @jtdowney 36

    View Slide

  37. @jtdowney 37

    View Slide

  38. 9EC4C12949A4F31474F299058CE2B22A
    @jtdowney 38

    View Slide

  39. 9EC4C12949A4F31474F299058CE2B22A
    USCYBERCOM plans, coordinates, integrates,
    synchronizes and conducts activities to: direct
    the operations and defense of specified
    Department of Defense information networks
    and; prepare to, and when directed, conduct full
    spectrum military cyberspace operations in
    order to enable actions in all domains, ensure
    US/Allied freedom of action in cyberspace and
    deny the same to our adversaries.
    @jtdowney 39

    View Slide

  40. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks
    @jtdowney 40

    View Slide

  41. @jtdowney 41

    View Slide

  42. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks
    @jtdowney 42

    View Slide

  43. Message Authentication Code (MAC)
    tag = MAC(key, value)
    • Takes:
    • key - shared secret
    • value - value to protected integrity of
    • Returns:
    • tag - value that represents the integrity
    @jtdowney 43

    View Slide

  44. Naive approach
    tag = sha256(key + value)
    @jtdowney 44

    View Slide

  45. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1"
    signature = sha256(secret + value)
    @jtdowney 45

    View Slide

  46. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1" + " or $0"
    signature = sha256(secret + value)
    @jtdowney 46

    View Slide

  47. Fixed
    secret = "my-secret-key"
    value = "buy 10 units at $1"
    signature = hmac_sha256(secret, value)
    @jtdowney 47

    View Slide

  48. @jtdowney 48

    View Slide

  49. @jtdowney 49

    View Slide

  50. Recommendations
    • Use SHA-256 (SHA-2 family)
    • Choose HMAC-SHA-256 if you want a
    signature
    • Use BLAKE2b if you need speed
    • Stop using MD5
    • Stop using SHA1
    @jtdowney 50

    View Slide

  51. Passwords
    @jtdowney 51

    View Slide

  52. @jtdowney 52

    View Slide

  53. @jtdowney 53

    View Slide

  54. @jtdowney 54

    View Slide

  55. @jtdowney 55

    View Slide

  56. @jtdowney 56

    View Slide

  57. @jtdowney 57

    View Slide

  58. @jtdowney 58

    View Slide

  59. @jtdowney 59

    View Slide

  60. @jtdowney 60

    View Slide

  61. @jtdowney 61

    View Slide

  62. Hash functions are fast
    @jtdowney 62

    View Slide

  63. 1. One-way
    • Value can be used for verification
    2. Randomized
    • Can largely defeat pre-computed tables
    • Forces attackers to focus on one password
    3. Slow
    @jtdowney 63

    View Slide

  64. Adaptive Hashing
    bcrypt, scrypt, argon2, or PBKDF2
    @jtdowney 64

    View Slide

  65. Recommendations
    • Delegate authentication if possible
    • Facebook, Twitter, Google, Github
    • Store one-way verifiers using bcrypt, scrypt,
    argon2, or PBDKF2
    @jtdowney 65

    View Slide

  66. So your
    password
    storage is bad
    @jtdowney 66

    View Slide

  67. It will be ok,
    you can fix it
    @jtdowney 67

    View Slide

  68. Example:
    password_hash column is sha1(salt + password)
    @jtdowney 68

    View Slide

  69. • Don't wait for user to login and silently
    upgrade
    • Wrap bcrypt around existing scheme
    • Use bcrypt(sha1(salt + password)
    • Upgrade all passwords in place
    • This does require the previous password
    scheme wasn't atrociously bad (e.g. DES
    crypt)
    @jtdowney 69

    View Slide

  70. Now:
    password_hash column is bcrypt(sha1(salt + password))
    @jtdowney 70

    View Slide

  71. Ciphers
    @jtdowney 71

    View Slide

  72. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode for block ciphers
    3. Not using authenticated encryption
    @jtdowney 72

    View Slide

  73. @jtdowney 73

    View Slide

  74. @jtdowney 74

    View Slide

  75. @jtdowney 75

    View Slide

  76. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode for block ciphers
    3. Not using authenticated encryption
    @jtdowney 76

    View Slide

  77. AES - primitive
    ciphertext = AES_Encrypt(key, plaintext)
    plaintext = AES_Decrypt(key, ciphertext)
    • Function over:
    • key - 128, 192, or 256 bit value
    • plaintext - 128 bit value
    • ciphertext - 128 bit value
    @jtdowney 77

    View Slide

  78. ECB Encrypt
    while (remaining blocks) {
    block = ... # next 16 byte (128 bit chunk)
    ouput.append(AES_Encrypt(key, block))
    }
    @jtdowney 78

    View Slide

  79. @jtdowney 79

    View Slide

  80. @jtdowney 80

    View Slide

  81. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode for block ciphers
    3. Not using authenticated encryption
    @jtdowney 81

    View Slide

  82. @jtdowney 82

    View Slide

  83. @jtdowney 83

    View Slide

  84. @jtdowney 84

    View Slide

  85. @jtdowney 85

    View Slide

  86. World of hurt
    @jtdowney 86

    View Slide

  87. Recommendations
    • Prefer to use box/secret box from NaCL/
    libsodium
    • Stop using DES
    • Stop building your own on top of AES
    • Stop encrypting without protecting integrity
    @jtdowney 87

    View Slide

  88. What if you have to use AES
    • Do not use ECB mode
    • Be sure to use authenticated encryption
    • GCM mode would be a good first choice
    • Verify the tag/MAC first
    • Still easy to mess up in a critical way
    @jtdowney 88

    View Slide

  89. TLS/SSL
    @jtdowney 89

    View Slide

  90. Pitfalls
    1. Not verifying the certificate chain or
    hostname
    2. Misconfigured server settings
    3. Using a broken library
    @jtdowney 90

    View Slide

  91. @jtdowney 91

    View Slide

  92. @jtdowney 92

    View Slide

  93. @jtdowney 93

    View Slide

  94. @jtdowney 94

    View Slide

  95. Hostname
    verification
    @jtdowney 95

    View Slide

  96. Hostname verification
    • Check that you got the certificate for who you
    intended to connect to
    • Hostname verification is protocol dependent
    • OpenSSL doesn't have it built in
    @jtdowney 96

    View Slide

  97. Pitfalls
    1. Not verifying the certificate chain or hostname
    2. Misconfigured server settings
    3. Using a broken library
    @jtdowney 97

    View Slide

  98. @jtdowney 98

    View Slide

  99. SSL Labs
    https://www.ssllabs.com
    @jtdowney 99

    View Slide

  100. testssl.sh
    https://testssl.sh
    @jtdowney 100

    View Slide

  101. TLS Server Settings
    https://mozilla.github.io/server-side-tls/ssl-config-generator/
    @jtdowney 101

    View Slide

  102. Pitfalls
    1. Not verifying the certificate chain or hostname
    2. Misconfigured server settings
    3. Using a broken library
    @jtdowney 102

    View Slide

  103. @jtdowney 103

    View Slide

  104. @jtdowney 104

    View Slide

  105. Recommendations
    • Do ensure you're validating connections
    • Lean on a framework/library if possible
    • But check that it also does the right thing
    • Setup and automated test to validate this
    setting (badssl.com)
    @jtdowney 105

    View Slide

  106. Trust
    @jtdowney 106

    View Slide

  107. The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
    RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
    Are you sure you want to continue connecting (yes/no)?
    @jtdowney 107

    View Slide

  108. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
    Please contact your system administrator.
    @jtdowney 108

    View Slide

  109. @jtdowney 109

    View Slide

  110. Certificate
    Pinning
    @jtdowney 110

    View Slide

  111. @jtdowney 111

    View Slide

  112. Recommendations
    • Think about what organizations you really
    trust
    • Investigate certificate pinning for your apps
    @jtdowney 112

    View Slide

  113. @jtdowney 113

    View Slide

  114. Stanford Crypto Class
    http://crypto-class.com
    @jtdowney 114

    View Slide

  115. Matasano Crypto Challenges
    http://cryptopals.com
    @jtdowney 115

    View Slide

  116. Questions
    John Downey | @jtdowney
    @jtdowney 116

    View Slide

  117. Bonus Round
    @jtdowney 117

    View Slide

  118. Quantum
    Computers
    @jtdowney 118

    View Slide

  119. Pitfalls
    1. Assuming current crypto will last forever
    @jtdowney 119

    View Slide

  120. @jtdowney 120

    View Slide

  121. @jtdowney 121

    View Slide

  122. Recommendations
    • Follow the PQCrypto discussion
    • Stay away from PQCrypto until the industry
    starts to standardize
    • Hope that researchers are moving fast
    enough
    @jtdowney 122

    View Slide

  123. Images
    • https://flic.kr/p/6eagaw
    • https://flic.kr/p/4KWhKn
    • https://flic.kr/p/9F2BCv
    • https://flic.kr/p/486xYS
    • https://flic.kr/p/7Ffppm
    • https://flic.kr/p/8TuJD9
    • https://flic.kr/p/4iLJZt
    • https://flic.kr/p/4pGZuz
    • https://flic.kr/p/48w7wP
    • https://flic.kr/p/8aZWNE
    • https://flic.kr/p/5NRHp
    • https://flic.kr/p/7p7raq
    • https://flic.kr/p/aZEE1Z
    • https://flic.kr/p/7WtwAz
    • https://flic.kr/p/6AN9mM
    • https://flic.kr/p/6dt62u
    • https://flic.kr/p/4ZqwyB
    • https://flic.kr/p/Bqewr
    • https://flic.kr/p/ecdhVE
    • https://flic.kr/p/AV1Nd
    • https://flic.kr/p/5tWgh4
    @jtdowney 123

    View Slide