Cryptography Pitfalls at GOTO Chicago 2016

Transcript

1. Cryptography Pitfalls
   John Downey | @jtdowney
   @jtdowney 1
   

   View Slide

2. @jtdowney 2
   

   View Slide

3. Chicago
   @jtdowney 3
   

   View Slide

4. The views expressed in this presentation are my own,
   and not those of PayPal or any of its affiliates.
   @jtdowney 4
   

   View Slide

5. @jtdowney 5
   

   View Slide

6. Confidentiality
   @jtdowney 6
   

   View Slide

7. Authentication
   @jtdowney 7
   

   View Slide

8. Identification
   @jtdowney 8
   

   View Slide

9. Rigorous Science
   @jtdowney 9
   

   View Slide

10. Peer Review
    @jtdowney 10
    

    View Slide

11. @jtdowney 11
    

    View Slide

12. You have probably seen the door to a bank vault, at least in
    the movies. You know, 10-inch-thick, hardened steel, with huge
    bolts to lock it in place. It certainly looks impressive. We
    often find the digital equivalent of such a vault door installed
    in a tent. The people standing around it are arguing over how
    thick the door should be, rather than spending their time
    looking at the tent.
    — Cryptography Engineering by Niels Ferguson, Bruce
    Schneier, and Tadayoshi Kohno
    @jtdowney 12
    

    View Slide

13. • For data in transit
    • Use TLS (née SSL), SSH, or VPN/IPsec
    • For data at rest
    • Use GnuPG
    @jtdowney 13
    

    View Slide

14. • Avoid low level libraries
    • OpenSSL
    • PyCrypto
    • Bouncy Castle
    • Use a high level library
    • NaCL/libsodium (C, Ruby, etc)
    • Keyczar (Python and Java)
    @jtdowney 14
    

    View Slide

15. @jtdowney 15
    

    View Slide

16. Random Number
    Generation
    @jtdowney 16
    

    View Slide

17. • Randomness is a central part of any crypto system
    • Used to generate:
    • Encryption keys
    • API keys
    • Session tokens
    • Password reset tokens
    @jtdowney 17
    

    View Slide

18. Pitfalls
    1. Not using a cryptographically strong random number
    generator
    2. Broken random random number generators
    3. Not using random data when it is required
    @jtdowney 18
    

    View Slide

19. @jtdowney 19
    

    View Slide

20. @jtdowney 20
    

    View Slide

21. Pitfalls
    1. Not using the right random number generator
    2. Broken random random number generators
    3. Not using random data when it is required
    @jtdowney 21
    

    View Slide

22. @jtdowney 22
    

    View Slide

23. MD_Update(&m,buf,j);
    @jtdowney 23
    

    View Slide

24. Don't add uninitialised data to the random number generator.
    This stop valgrind from giving error messages in unrelated
    code. (Closes: #363516)
    @jtdowney 24
    

    View Slide

25. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
    MD_Update(&m,buf,j);
    /* We know that line may cause programs such as
    purify and valgrind to complain about use of
    uninitialized data. The problem is not, it's
    with the caller. Removing that line will make
    sure you get really bad randomness and thereby
    other problems such as very insecure keys. */
    @jtdowney 25
    

    View Slide

26. @jtdowney 26
    

    View Slide

27. @jtdowney 27
    

    View Slide

28. @jtdowney 28
    

    View Slide

29. Pitfalls
    1. Not using the right random number generator
    2. Broken random random number generators
    3. Not using random data when it is required
    @jtdowney 29
    

    View Slide

30. @jtdowney 30
    

    View Slide

31. Recommendations
    • Unix-like
    • Read from /dev/urandom
    • Windows
    • RandomNumberGenerator.Create() (.NET)
    • CryptGenRandom (Windows)
    @jtdowney 31
    

    View Slide

32. Hash Functions
    @jtdowney 32
    

    View Slide

33. • Often called a fingerprint
    • One way
    • Not reversible (can’t find person without fingerprint DB)
    • Ideally, no two people with same fingerprint (no two inputs)
    @jtdowney 33
    

    View Slide

34. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks
    @jtdowney 34
    

    View Slide

35. @jtdowney 35
    

    View Slide

36. @jtdowney 36
    

    View Slide

37. @jtdowney 37
    

    View Slide

38. @jtdowney 38
    

    View Slide

39. 9EC4C12949A4F31474F299058CE2B22A
    @jtdowney 39
    

    View Slide

40. mission = """
    USCYBERCOM plans, coordinates, integrates, synchronizes and conducts
    activities to: direct the operations and defense of specified
    Department of Defense information networks and; prepare to, and when
    directed, conduct full spectrum military cyberspace operations in order
    to enable actions in all domains, ensure US/Allied freedom of action
    in cyberspace and deny the same to our adversaries.
    """
    md5(mission)
    # => 9EC4C12949A4F31474F299058CE2B22A
    @jtdowney 40
    

    View Slide

41. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks
    @jtdowney 41
    

    View Slide

42. @jtdowney 42
    

    View Slide

43. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks
    @jtdowney 43
    

    View Slide

44. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1"
    signature = sha256(secret + "|" + value)
    @jtdowney 44
    

    View Slide

45. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1actually make that at $0"
    signature = sha256(secret + "|" + value)
    @jtdowney 45
    

    View Slide

46. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1"
    signature = hmac_sha256(secret, value)
    @jtdowney 46
    

    View Slide

47. Message Authentication Code
    (MAC)
    tag = hmac_sha256(key, value)
    • key - shared secret
    • value - value to protected integrity of
    • tag - value that represents the integrity
    @jtdowney 47
    

    View Slide

48. @jtdowney 48
    

    View Slide

49. @jtdowney 49
    

    View Slide

50. Recommendations
    • Use SHA-256 (SHA-2 family)
    • Choose HMAC-SHA-256 if you want a signature
    • Stop using MD5
    • Don't use SHA-1 in new projects
    • Phase it out for uses that require collision resistance
    @jtdowney 50
    

    View Slide

51. Password Storage
    @jtdowney 51
    

    View Slide

52. @jtdowney 52
    

    View Slide

53. @jtdowney 53
    

    View Slide

54. @jtdowney 54
    

    View Slide

55. @jtdowney 55
    

    View Slide

56. @jtdowney 56
    

    View Slide

57. @jtdowney 57
    

    View Slide

58. sha1(password)
    @jtdowney 58
    

    View Slide

59. 1. One-way
    • Value can be used for verification
    @jtdowney 59
    

    View Slide

60. sha1(salt + password)
    @jtdowney 60
    

    View Slide

61. 1. One-way
    • Value can be used for verification
    2. Randomized
    • Can largely defeat pre-computed tables
    • Forces attackers to focus on one password
    @jtdowney 61
    

    View Slide

62. Hash functions are fast
    @jtdowney 62
    

    View Slide

63. 1. One-way
    • Value can be used for verification
    2. Randomized
    • Can largely defeat pre-computed tables
    • Forces attackers to focus on one password
    3. Slow
    @jtdowney 63
    

    View Slide

64. Adaptive Hashing
    bcrypt, scrypt, or PBKDF2
    @jtdowney 64
    

    View Slide

65. Recommendations
    • Delegate authentication if possible
    • Facebook, Twitter, Google, Github
    • Store one-way verifiers using bcrypt, scrypt, or PBDKF2
    @jtdowney 65
    

    View Slide

66. So your password
    storage is bad
    @jtdowney 66
    

    View Slide

67. It will be ok,
    you can fix it
    @jtdowney 67
    

    View Slide

68. Example:
    password_hash column is sha1(salt || password)
    @jtdowney 68
    

    View Slide

69. • Don't wait for user to login and silently upgrade
    • Wrap bcrypt around existing scheme
    • Use bcrypt(sha1(salt || password)
    • Upgrade all passwords in place
    • This does require you're previous password scheme wasn't
    atrociously bad (e.g. DES crypt)
    @jtdowney 69
    

    View Slide

70. Now:
    password_hash column is bcrypt(sha1(salt || password))
    @jtdowney 70
    

    View Slide

71. Ciphers
    @jtdowney 71
    

    View Slide

72. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode
    3. Not using authenticated encryption
    @jtdowney 72
    

    View Slide

73. @jtdowney 73
    

    View Slide

74. @jtdowney 74
    

    View Slide

75. @jtdowney 75
    

    View Slide

76. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode
    3. Not using authenticated encryption
    @jtdowney 76
    

    View Slide

77. AES - primitive
    ciphertext = AES_Encrypt(key, plaintext)
    plaintext = AES_Decrypt(key, ciphertext)
    • Function over:
    • key - 128, 192, or 256 bit value
    • plaintext - 128 bit value
    • ciphertext - 128 bit value
    @jtdowney 77
    

    View Slide

78. ECB Encrypt
    while (remaining blocks) {
    block = ... # next 16 byte (128 bit chunk)
    ouput.append(AES_Encrypt(key, block))
    }
    @jtdowney 78
    

    View Slide

79. @jtdowney 79
    

    View Slide

80. @jtdowney 80
    

    View Slide

81. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode
    3. Not using authenticated encryption
    @jtdowney 81
    

    View Slide

82. @jtdowney 82
    

    View Slide

83. @jtdowney 83
    

    View Slide

84. @jtdowney 84
    

    View Slide

85. @jtdowney 85
    

    View Slide

86. World of hurt
    @jtdowney 86
    

    View Slide

87. Recommendations
    • Prefer to use box/secret box from NaCL/libsodium
    • Stop using DES
    • Stop building your own on top of AES
    • Stop encrypting without protecting integrity
    @jtdowney 87
    

    View Slide

88. What if you have to use AES
    • Do not use ECB mode
    • Be sure to use authenticated encryption
    • GCM mode would be a good first choice
    • Verify the tag/MAC first
    • Still easy to mess up in a critical way
    @jtdowney 88
    

    View Slide

89. TLS/SSL Verification
    @jtdowney 89
    

    View Slide

90. @jtdowney 90
    

    View Slide

91. Pitfalls
    1. Not verifying the certificate chain
    2. Not verifying the hostname
    3. Using a broken library
    @jtdowney 91
    

    View Slide

92. @jtdowney 92
    

    View Slide

93. $ curl -k https://example.com
    or
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    @jtdowney 93
    

    View Slide

94. Pitfalls
    1. Not verifying the certificate chain
    2. Not verifying the hostname
    3. Using a broken library
    @jtdowney 94
    

    View Slide

95. • Hostname verification is protocol dependent
    • OpenSSL doesn't have it built in
    • Also, some people just turn it off:
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    @jtdowney 95
    

    View Slide

96. Pitfalls
    1. Not verifying the certificate chain
    2. Not verifying the hostname
    3. Using a broken library
    @jtdowney 96
    

    View Slide

97. @jtdowney 97
    

    View Slide

98. @jtdowney 98
    

    View Slide

99. Recommendations
    • Do ensure you're validating connections
    • Lean on a framework/library if possible
    • But check that it also does the right thing
    • Setup and automated test to validate this setting
    (badssl.com)
    @jtdowney 99
    

    View Slide

100. TLS Server Settings
     https://mozilla.github.io/server-side-tls/ssl-config-generator/
     @jtdowney 100
     

     View Slide

101. Trust
     @jtdowney 101
     

     View Slide

102. The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
     RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
     Are you sure you want to continue connecting (yes/no)?
     @jtdowney 102
     

     View Slide

103. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
     Someone could be eavesdropping on you right now (man-in-the-middle attack)!
     It is also possible that the RSA host key has just been changed.
     The fingerprint for the RSA key sent by the remote host is
     04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
     Please contact your system administrator.
     @jtdowney 103
     

     View Slide

104. @jtdowney 104
     

     View Slide

105. Certificate Pinning
     @jtdowney 105
     

     View Slide

106. @jtdowney 106
     

     View Slide

107. Recommendations
     • Think about what organizations you really trust
     • Investigate certificate pinning for your apps
     @jtdowney 107
     

     View Slide

108. @jtdowney 108
     

     View Slide

109. Stanford Crypto Class
     http://crypto-class.com
     @jtdowney 109
     

     View Slide

110. Matasano Crypto Challenges
     http://cryptopals.com
     @jtdowney 110
     

     View Slide

111. Questions
     John Downey | @jtdowney
     @jtdowney 111
     

     View Slide

112. Images
     • https://flic.kr/p/6eagaw
     • https://flic.kr/p/4KWhKn
     • https://flic.kr/p/9F2BCv
     • https://flic.kr/p/486xYS
     • https://flic.kr/p/7Ffppm
     • https://flic.kr/p/8TuJD9
     • https://flic.kr/p/4iLJZt
     • https://flic.kr/p/4pGZuz
     • https://flic.kr/p/48w7wP
     • https://flic.kr/p/8aZWNE
     • https://flic.kr/p/5NRHp
     • https://flic.kr/p/7p7raq
     • https://flic.kr/p/aZEE1Z
     • https://flic.kr/p/7WtwAz
     • https://flic.kr/p/6AN9mM
     • https://flic.kr/p/6dt62u
     • https://flic.kr/p/4ZqwyB
     • https://flic.kr/p/Bqewr
     • https://flic.kr/p/ecdhVE
     @jtdowney 112
     

     View Slide