Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cryptography Pitfalls at GOTO Chicago 2016

John Downey
May 25, 2016
Programming
0
120

Cryptography Pitfalls at GOTO Chicago 2016

John Downey

May 25, 2016
Tweet

More Decks by John Downey

See All by John Downey
Cryptography Pitfalls at CactusCon 2019
jtdowney
0
140
Intro to Cybersecurity Workshop
jtdowney
0
110
Cryptography Pitfalls at BsidesMSP 2017
jtdowney
0
140
Cryptography Pitfalls at THOTCON 0x8
jtdowney
0
160
Cryptography Pitfalls at ConFoo Montreal 2017
jtdowney
1
310
Cryptography Pitfalls at BSidesPhilly 2016
jtdowney
0
120
Cryptography Pitfalls at LASCON 2016
jtdowney
0
170
Debugging TLS/SSL at DevOps Days Detroit 2016
jtdowney
1
200
Debugging TLS/SSL at DevOpsDays Boston
jtdowney
1
280

Other Decks in Programming

See All in Programming
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
370
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
120
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
320
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
110
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
雑に思考を整理する技術と効能
konifar
58
29k
SIMD Parallel Programming with the Vector API
josepaumard
0
160
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
830
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
180
エンターテイメント業界で利用されるAWS
demuyan
0
210

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Gamification - CAS2011
davidbonilla
76
4.6k
It's Worth the Effort
3n
180
27k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
How GitHub (no longer) Works
holman
304
140k
Designing for humans not robots
tammielis
248
25k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
4 Signs Your Business is Dying
shpigford
175
21k
Atom: Resistance is Futile
akmur
259
25k

Transcript

  1. Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

  2. @jtdowney 2

  3. Chicago @jtdowney 3

  4. The views expressed in this presentation are my own, and

    not those of PayPal or any of its affiliates. @jtdowney 4

  5. @jtdowney 5

  6. Confidentiality @jtdowney 6

  7. Authentication @jtdowney 7

  8. Identification @jtdowney 8

  9. Rigorous Science @jtdowney 9

  10. Peer Review @jtdowney 10

  11. @jtdowney 11

  12. You have probably seen the door to a bank vault,

    at least in the movies. You know, 10-inch-thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. — Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 12

  13. • For data in transit • Use TLS (née SSL),

    SSH, or VPN/IPsec • For data at rest • Use GnuPG @jtdowney 13

  14. • Avoid low level libraries • OpenSSL • PyCrypto •

    Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, etc) • Keyczar (Python and Java) @jtdowney 14

  15. @jtdowney 15

  16. Random Number Generation @jtdowney 16

  17. • Randomness is a central part of any crypto system

    • Used to generate: • Encryption keys • API keys • Session tokens • Password reset tokens @jtdowney 17

  18. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Broken random random number generators 3. Not using random data when it is required @jtdowney 18

  19. @jtdowney 19

  20. @jtdowney 20

  21. Pitfalls 1. Not using the right random number generator 2.

    Broken random random number generators 3. Not using random data when it is required @jtdowney 21

  22. @jtdowney 22

  23. MD_Update(&m,buf,j); @jtdowney 23

  24. Don't add uninitialised data to the random number generator. This

    stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 24

  25. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */

    MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 25

  26. @jtdowney 26

  27. @jtdowney 27

  28. @jtdowney 28

  29. Pitfalls 1. Not using the right random number generator 2.

    Broken random random number generators 3. Not using random data when it is required @jtdowney 29

  30. @jtdowney 30

  31. Recommendations • Unix-like • Read from /dev/urandom • Windows •

    RandomNumberGenerator.Create() (.NET) • CryptGenRandom (Windows) @jtdowney 31

  32. Hash Functions @jtdowney 32

  33. • Often called a fingerprint • One way • Not

    reversible (can’t find person without fingerprint DB) • Ideally, no two people with same fingerprint (no two inputs) @jtdowney 33

  34. Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length

    extension attacks @jtdowney 34

  35. @jtdowney 35

  36. @jtdowney 36

  37. @jtdowney 37

  38. @jtdowney 38

  39. 9EC4C12949A4F31474F299058CE2B22A @jtdowney 39

  40. mission = """ USCYBERCOM plans, coordinates, integrates, synchronizes and conducts

    activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. """ md5(mission) # => 9EC4C12949A4F31474F299058CE2B22A @jtdowney 40

  41. Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length

    extension attacks @jtdowney 41

  42. @jtdowney 42

  43. Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length

    extension attacks @jtdowney 43

  44. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1" signature = sha256(secret + "|" + value) @jtdowney 44

  45. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1<garbage>actually make that at $0" signature = sha256(secret + "|" + value) @jtdowney 45

  46. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1" signature = hmac_sha256(secret, value) @jtdowney 46

  47. Message Authentication Code (MAC) tag = hmac_sha256(key, value) • key

    - shared secret • value - value to protected integrity of • tag - value that represents the integrity @jtdowney 47

  48. @jtdowney 48

  49. @jtdowney 49

  50. Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if

    you want a signature • Stop using MD5 • Don't use SHA-1 in new projects • Phase it out for uses that require collision resistance @jtdowney 50

  51. Password Storage @jtdowney 51

  52. @jtdowney 52

  53. @jtdowney 53

  54. @jtdowney 54

  55. @jtdowney 55

  56. @jtdowney 56

  57. @jtdowney 57

  58. sha1(password) @jtdowney 58

  59. 1. One-way • Value can be used for verification @jtdowney

    59

  60. sha1(salt + password) @jtdowney 60

  61. 1. One-way • Value can be used for verification 2.

    Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password @jtdowney 61

  62. Hash functions are fast @jtdowney 62

  63. 1. One-way • Value can be used for verification 2.

    Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password 3. Slow @jtdowney 63

  64. Adaptive Hashing bcrypt, scrypt, or PBKDF2 @jtdowney 64

  65. Recommendations • Delegate authentication if possible • Facebook, Twitter, Google,

    Github • Store one-way verifiers using bcrypt, scrypt, or PBDKF2 @jtdowney 65

  66. So your password storage is bad @jtdowney 66

  67. It will be ok, you can fix it @jtdowney 67

  68. Example: password_hash column is sha1(salt || password) @jtdowney 68

  69. • Don't wait for user to login and silently upgrade

    • Wrap bcrypt around existing scheme • Use bcrypt(sha1(salt || password) • Upgrade all passwords in place • This does require you're previous password scheme wasn't atrociously bad (e.g. DES crypt) @jtdowney 69

  70. Now: password_hash column is bcrypt(sha1(salt || password)) @jtdowney 70

  71. Ciphers @jtdowney 71

  72. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode 3.

    Not using authenticated encryption @jtdowney 72

  73. @jtdowney 73

  74. @jtdowney 74

  75. @jtdowney 75

  76. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode 3.

    Not using authenticated encryption @jtdowney 76

  77. AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key,

    ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 77

  78. ECB Encrypt while (remaining blocks) { block = ... #

    next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 78

  79. @jtdowney 79

  80. @jtdowney 80

  81. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode 3.

    Not using authenticated encryption @jtdowney 81

  82. @jtdowney 82

  83. @jtdowney 83

  84. @jtdowney 84

  85. @jtdowney 85

  86. World of hurt @jtdowney 86

  87. Recommendations • Prefer to use box/secret box from NaCL/libsodium •

    Stop using DES • Stop building your own on top of AES • Stop encrypting without protecting integrity @jtdowney 87

  88. What if you have to use AES • Do not

    use ECB mode • Be sure to use authenticated encryption • GCM mode would be a good first choice • Verify the tag/MAC first • Still easy to mess up in a critical way @jtdowney 88

  89. TLS/SSL Verification @jtdowney 89

  90. @jtdowney 90

  91. Pitfalls 1. Not verifying the certificate chain 2. Not verifying

    the hostname 3. Using a broken library @jtdowney 91

  92. @jtdowney 92

  93. $ curl -k https://example.com or curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); @jtdowney 93

  94. Pitfalls 1. Not verifying the certificate chain 2. Not verifying

    the hostname 3. Using a broken library @jtdowney 94

  95. • Hostname verification is protocol dependent • OpenSSL doesn't have

    it built in • Also, some people just turn it off: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); @jtdowney 95

  96. Pitfalls 1. Not verifying the certificate chain 2. Not verifying

    the hostname 3. Using a broken library @jtdowney 96

  97. @jtdowney 97

  98. @jtdowney 98

  99. Recommendations • Do ensure you're validating connections • Lean on

    a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 99

  100. TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-config-generator/ @jtdowney 100

  101. Trust @jtdowney 101

  102. The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA

    key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 102

  103. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 103

  104. @jtdowney 104

  105. Certificate Pinning @jtdowney 105

  106. @jtdowney 106

  107. Recommendations • Think about what organizations you really trust •

    Investigate certificate pinning for your apps @jtdowney 107

  108. @jtdowney 108

  109. Stanford Crypto Class http://crypto-class.com @jtdowney 109

  110. Matasano Crypto Challenges http://cryptopals.com @jtdowney 110

  111. Questions John Downey | @jtdowney @jtdowney 111

  112. Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS •

    https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE @jtdowney 112