Cryptography Pitfalls at OSCON 2013

John Downey

July 26, 2013

Transcript

  1. CRYPTOGRAPHY PITFALLS
    John Downey | @jtdowney

  2. John Downey | Security Engineer

  3. http://www.flickr.com/photos/60445767@N00/2466272019/

  4. http://www.flickr.com/photos/freefoto/5692512457/

  5. http://www.flickr.com/photos/zappowbang/2049368918/

  6. http://www.flickr.com/photos/katieharbath/4382294246/

  7. http://www.flickr.com/photos/kalebdf/2170180285/

  8. http://www.flickr.com/photos/alstonfamily/2237347597/

  9. (no transcript text)

  10. http://www.flickr.com/photos/damiavos/4707651586/
    You have probably seen the door to a bank
    vault, at least in the movies. You know, 10-inch-
    thick, hardened steel, with huge bolts to lock it in
    place. It certainly looks impressive. We
    often find the digital equivalent of such a vault
    door installed in a tent. The people standing
    around it are arguing over how thick the door
    should be, rather than spending their time
    looking at the tent.
    Cryptography Engineering
    Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno

  11. http://www.flickr.com/photos/bootycat/5849904501/

  12. •For data in transit
    •Use TLS/SSL, SSH, or VPN/IPsec
    •For data at rest
    •Use GnuPG
    •Use a high level library
    •Keyczar (Python and Java)
    •NaCl / libsodium (C, Ruby, etc.)

  13. http://www.flickr.com/photos/proimos/4199675334/

  14. RANDOM NUMBER
    GENERATION

  15. http://www.flickr.com/photos/brentnewhall/6559793329/

  16. (no transcript text)

  17. MD_Update(&m,buf,j);

  18. Don't add uninitialised data to the random number
    generator. This stop valgrind from giving error
    messages in unrelated code. (Closes: #363516)

  19. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
    MD_Update(&m,buf,j);
    /* We know that line may cause programs such as
    purify and valgrind to complain about use of
    uninitialized data. The problem is not, it's
    with the caller. Removing that line will make
    sure you get really bad randomness and thereby
    other problems such as very insecure keys. */

  20. RECOMMENDATIONS
    • Use the crypto library RNG
    • OpenSSL RAND_bytes(); in Ruby, SecureRandom
    • Never a general-purpose PRNG (rand(), Mersenne Twister) for keys, tokens or IVs
    • On Linux (or other Unix-like OS)
    • /dev/random - blocks for entropy
    • /dev/urandom - non-blocking; fine for keys once the system has booted and the pool is seeded
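
Added example, not code from the deck: the pitfall behind "use the crypto library RNG", shown as the attack it enables. A constructed WeakTokenServer hands out session tokens from Ruby's general-purpose Random (Mersenne Twister) seeded with its boot time; an attacker who sees one token and knows the boot time to within a few minutes recovers the seed and predicts every token issued afterwards. SecureRandom reads the kernel CSPRNG (/dev/urandom or getrandom(2)), so there is no seed to recover. The class, the boot timestamp 1690000000 and the search window are assumptions for the demonstration.

```ruby
require 'securerandom'

# Added example (not the deck's code). WeakTokenServer and the timestamps are
# constructed for the demonstration.

# Weak: one Random (Mersenne Twister) instance seeded with the boot time, a
# pattern seen in real applications that used Time.now.to_i as the seed.
class WeakTokenServer
  def initialize(boot_time)
    @rng = Random.new(boot_time)
  end

  # 128-bit token, hex encoded
  def token
    @rng.bytes(16).unpack1('H*')
  end
end

# Attacker step 1: find the seed by trying every second in a window around the
# guessed boot time until the first observed token reproduces.
def recover_boot_seed(first_token, guessed_boot, window = 300)
  (guessed_boot - window..guessed_boot + window).find do |seed|
    Random.new(seed).bytes(16).unpack1('H*') == first_token
  end
end

# Attacker step 2: replay the generator from the recovered seed, skipping the
# tokens already issued, to predict the next `count` tokens.
def predict_tokens(seed, count, skip: 1)
  rng = Random.new(seed)
  skip.times { rng.bytes(16) }
  Array.new(count) { rng.bytes(16).unpack1('H*') }
end

# Strong: SecureRandom is backed by the OS CSPRNG; there is no seed to recover.
def strong_token
  SecureRandom.hex(16)
end
```

The same reasoning applies to any language's default PRNG (rand(), java.util.Random, Math.random): they are designed to be reproducible from a small seed, which is exactly the property a key or token must not have.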

  21. LENGTH EXTENSION
    ATTACKS

  22. HASH FUNCTIONS

  23. http://www.flickr.com/photos/littlejohncollection/3675547973/

  24. USCYBERCOM plans, coordinates, integrates, synchronizes and
    conducts activities to: direct the operations and defense of specified
    Department of Defense information networks and; prepare to, and
    when directed, conduct full spectrum military cyberspace operations
    in order to enable actions in all domains, ensure US/Allied freedom
    of action in cyberspace and deny the same to our adversaries.
    9EC4C12949A4F31474F299058CE2B22A
    MD5

  25. (no transcript text)

  26. RECOMMENDATIONS
    •Use SHA-256 (SHA-2 family)
    •Stop using MD5
    •Don’t use SHA1 in new projects
    •A plain hash is not a MAC: SHA-256 is still length-extendable when used as a bare secret-prefix hash

  27. RestClient.post(
    'https://example.com/things',
    :name => 'Widget',
    :price => 1_23,
    :signature => signature
    )

  28. require 'digest'
    name, price = 'Widget', 123          # request parameters from slide 27
    secret = "api-key"
    str = "name=#{name}&"
    str += "price=#{price}"
    body = "#{secret}|#{str}"            # secret-prefix construction: vulnerable to length extension
    signature = Digest::SHA1.hexdigest(body)

  29. sha1("api-key|name=Widget&price=123")
    8CBBCB204861672F93B26A6401E685195AB5719B
    SHA1

  30. http://www.flickr.com/photos/worldbank/3492662794/

  31. h0 = 0x8CBBCB20
    h1 = 0x4861672F
    h2 = 0x93B26A64
    h3 = 0x01E68519
    h4 = 0x5AB5719B
    h0 = 0x67452301
    h1 = 0xEFCDAB89
    h2 = 0x98BADCFE
    h3 = 0x10325476
    h4 = 0xC3D2E1F0

  32. h0 = 0x8CBBCB20
    h1 = 0x4861672F
    h2 = 0x93B26A64
    h3 = 0x01E68519
    h4 = 0x5AB5719B
    8CBBCB204861672F93B26A6401E685195AB5719B

  33. &price=0

  34. api-key|name=Widget&price=123&price=0

  35. h0 = 0x8CBBCB20
    h1 = 0x4861672F
    h2 = 0x93B26A64
    h3 = 0x01E68519
    h4 = 0x5AB5719B
    h0 = 0x7CA17A2B
    h1 = 0x91BD35C0
    h2 = 0x9D50A3AD
    h3 = 0x5CAD1E9B
    h4 = 0x396DDEF4

  36. api-key|name=Widget&price=123&price=0
    7CA17A2B91BD35C09D50A3AD5CAD1E9B396DDEF4
    SHA1

  37. RestClient.post(
    'https://example.com/things',
    :name => 'Widget',
    :price => 0,
    :signature => signature
    )

  38. RECOMMENDATIONS
    •Use HMAC-SHA-256 for authentication
    •Keyed hash function
    •Resistant to length extension
    •Compare the received MAC against the expected one in constant time
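
Added example, not code from the deck, covering slides 27 to 38: a SHA-1 implementation that can resume from a published digest (the state shown on slide 31), used to forge the secret-prefix signature without knowing "api-key", followed by the HMAC-SHA-256 construction the recommendation asks for. One detail the slides compress: the forged body must carry SHA-1's padding bytes (the "glue") between the original parameters and the appended "&price=0", because those bytes are part of what the server hashes; in a real request they would be URL-encoded. The prefix length (8 bytes for "api-key|") is the only thing the attacker has to guess, and it is small enough to try every plausible value. The SECRET constant and the parameter strings are taken from the slides.

```ruby
require 'digest'
require 'openssl'

# Added example (not the deck's code): SHA-1 that can start from a known state.
module Sha1Ext
  MASK = 0xffffffff
  IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0].freeze

  def self.rotl(x, n)
    ((x << n) | (x >> (32 - n))) & MASK
  end

  # Merkle-Damgard padding for a `len`-byte message: 0x80, zeros, 64-bit bit length.
  def self.padding(len)
    "\x80".b + ("\x00".b * ((55 - len) % 64)) + [len * 8].pack('Q>')
  end

  # Compression function over whole 64-byte blocks of `data`, starting from `state`.
  def self.compress(state, data)
    h = state.dup
    data.b.scan(/.{64}/m) do |block|
      w = block.unpack('N16')
      (16..79).each { |i| w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1) }
      a, b, c, d, e = h
      80.times do |i|
        f, k = case i
               when 0..19  then [((b & c) | (~b & d)) & MASK, 0x5A827999]
               when 20..39 then [b ^ c ^ d, 0x6ED9EBA1]
               when 40..59 then [(b & c) | (b & d) | (c & d), 0x8F1BBCDC]
               else             [b ^ c ^ d, 0xCA62C1D6]
               end
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[i]) & MASK, a, rotl(b, 30), c, d
      end
      h = [a, b, c, d, e].zip(h).map { |x, y| (x + y) & MASK }
    end
    h
  end

  def self.hexdigest(msg)
    compress(IV, msg.b + padding(msg.bytesize)).pack('N5').unpack1('H*')
  end

  # Given sha1(prefix || msg) and the byte length of prefix || msg, returns the
  # glue padding and sha1(prefix || msg || glue || suffix), never seeing prefix.
  def self.extend(digest_hex, known_len, suffix)
    state = [digest_hex].pack('H*').unpack('N5')   # the digest IS the next state
    glue  = padding(known_len)
    total = known_len + glue.bytesize + suffix.bytesize
    [glue, compress(state, suffix.b + padding(total)).pack('N5').unpack1('H*')]
  end
end

SECRET = 'api-key'   # the deck's constructed key

# Vulnerable: secret-prefix hash exactly as on slide 28.
def sha1_sign(params)
  Digest::SHA1.hexdigest("#{SECRET}|#{params}")
end

# Attacker: knows params and signature, guesses the prefix length (8 for "api-key|").
def forge(params, signature, prefix_len, suffix)
  glue, forged_sig = Sha1Ext.extend(signature, prefix_len + params.bytesize, suffix)
  [params + glue + suffix, forged_sig]
end

# Fixed: HMAC-SHA-256 (keyed, not length-extendable) plus constant-time compare.
def hmac_sign(params)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, params)
end

def hmac_valid?(params, signature)
  expected = hmac_sign(params)
  expected.bytesize == signature.bytesize &&
    expected.bytes.zip(signature.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

The forged body ends in "&price=0", and sha1_sign of that body equals the forged signature, so the slide 37 request is accepted by the secret-prefix server; the same body and signature fail hmac_valid? because an HMAC tag is not an intermediate hash state.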

  39. ECB MODE

  40. http://www.flickr.com/photos/kevinomara/3422866722

  41. Plaintext
    ECB

  42. Plaintext
    “This is a secret”
    Key
    0xE60DC5C9747A963A86FD9522547
    Ciphertext
    0x7CD937D779C4555CF38244BEC63
    AES-128(key, msg)
    Random IV
    0x20B8F0FBE8CCA71A58FC86E6F256

  43. Plaintext
    “message”
    Key
    0xE60DC5C9747A963A86FD9522547
    Ciphertext
    0x5867695E0F48DEA14A33F1E70C416
    AES-128(key, msg)
    Last Ciphertext
    0x7CD937D779C4555CF38244BEC63

  44. Random IV
    0x20B8F0FBE8CCA71A58FC86E6F256
    Ciphertext
    0x7CD937D779C4555CF38244BEC63
    Ciphertext
    0x5867695E0F48DEA14A33F1E70C416

  45. Plaintext
    ECB
    CBC

  46. RECOMMENDATIONS
    • Use AES
    • Do not use DES
    • Do not use ECB mode
    • Use an authenticated encryption mode
    • GCM, CCM, OCB
    • CBC with an HMAC of IV and ciphertext (encrypt-then-MAC)
    • Verify the tag/MAC first; never decrypt or parse before it checks out
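
Added example, not code from the deck, for the two points above: a check that shows ECB leaking repeated plaintext blocks while CBC does not (the pattern behind the ECB image slide), and AES-256-GCM, an authenticated mode whose tag check rejects any modified ciphertext or associated data before a single plaintext byte is returned. Keys, messages and the "hdr" associated data are constructed for the demonstration.

```ruby
require 'openssl'

# Added example (not the deck's code). Keys and messages are constructed.

# Encrypts with the named cipher and returns how many 16-byte ciphertext blocks
# repeat an earlier block. ECB maps equal plaintext blocks to equal ciphertext
# blocks; CBC chains each block into the next, so repeats vanish.
def repeated_blocks(cipher_name, key, plaintext)
  c = OpenSSL::Cipher.new(cipher_name)
  c.encrypt
  c.key = key
  c.random_iv unless cipher_name.end_with?('ecb')   # ECB has no IV
  ct = c.update(plaintext) + c.final
  blocks = ct.bytes.each_slice(16).to_a
  blocks.size - blocks.uniq.size
end

# AES-256-GCM: returns [nonce, ciphertext, tag]. The 96-bit nonce must never
# repeat under the same key; a random one is fine for a modest message count.
def gcm_encrypt(key, plaintext, aad = '')
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = aad unless aad.empty?   # authenticated but not encrypted
  ct = c.update(plaintext) + c.final
  [iv, ct, c.auth_tag]                  # 16-byte tag
end

# Decrypts only if the tag over (aad, ciphertext) verifies; otherwise raises
# OpenSSL::Cipher::CipherError. This is "verify the tag first" in practice.
def gcm_decrypt(key, iv, ct, tag, aad = '')
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag                      # must be set before final
  c.auth_data = aad unless aad.empty?
  c.update(ct) + c.final
end

# :ok when the tag verifies, :rejected otherwise.
def gcm_check(key, iv, ct, tag, aad = '')
  gcm_decrypt(key, iv, ct, tag, aad)
  :ok
rescue OpenSSL::Cipher::CipherError
  :rejected
end
```

Flipping one ciphertext bit, or presenting different associated data, yields :rejected with no plaintext ever produced; the CBC-with-HMAC alternative on the slide must reproduce that ordering by hand (MAC the IV and ciphertext, compare in constant time, only then decrypt).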

  47. PASSWORD STORAGE

  48. http://www.flickr.com/photos/sponng/4554602341/

  49. (no transcript text)

  50. (no transcript text)

  51. (no transcript text)

  52. (no transcript text)

  53. (no transcript text)

  54. sha1(password)

  55. 1.One-way
    •Only useful for verification

  56. sha1(salt + password)

  57. 1.One-way
    •Only useful for verification
    2.Randomized
    •Defeats pre-computed tables
    •Forces focus on one password

  58. http://www.flickr.com/photos/jaffathecake/2618896075/

  59. 1.One-way
    •Only useful for verification
    2.Randomized
    •Defeats pre-computed tables
    •Forces focus on one password
    3.Slow

  60. bcrypt, scrypt, or PBKDF2
    ADAPTIVE HASHING

  61. RECOMMENDATIONS
    • Delegate authentication if possible
    • Facebook, Twitter, Google, Github
    • Store one-way verifiers using bcrypt, scrypt, or PBKDF2
    • Use existing framework
    • has_secure_password (Rails >= 3.1, bcrypt underneath)
    • devise
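
Added example, not the deck's code, for slides 54 to 61: a PBKDF2-HMAC-SHA256 verifier built on Ruby's standard OpenSSL binding that has the three properties listed on slide 59: one-way, randomized with a fresh 16-byte salt per password, and slow by a tunable iteration count, with the cost recorded alongside the hash so old verifiers can be upgraded (the "adaptive" in adaptive hashing). The "pbkdf2-sha256$iterations$salt$hash" storage format, the iteration count and the sample passwords are assumptions. bcrypt or scrypt are equally good choices; PBKDF2 is used here only because it needs no extra gem.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not the deck's code). Storage format and cost are assumptions:
#   "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>"
ITERATIONS = 100_000   # tune so one verification costs tens of milliseconds

# Slow and one-way: PBKDF2-HMAC-SHA256; the output reveals nothing about the input.
def pbkdf2_hex(password, salt, iterations, length = 32)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, length,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Randomized: a fresh salt per password defeats precomputed tables and forces
# the attacker to work on one password at a time.
def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  ['pbkdf2-sha256', iterations, salt.unpack1('H*'),
   pbkdf2_hex(password, salt, iterations)].join('$')
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verification recomputes with the stored salt and cost. The password itself is
# never stored, so the verifier is only useful for checking a candidate.
def verify_password(stored, candidate)
  scheme, iterations, salt_hex, hash_hex = stored.split('$')
  return false unless scheme == 'pbkdf2-sha256' && hash_hex
  salt = [salt_hex].pack('H*')
  constant_time_eq?(pbkdf2_hex(candidate, salt, iterations.to_i), hash_hex)
end

# Adaptive: when the policy cost rises, rehash at the next successful login.
def needs_rehash?(stored, iterations: ITERATIONS)
  stored.split('$')[1].to_i < iterations
end
```

A login handler calls verify_password, and on success checks needs_rehash? and stores a fresh hash_password result if the stored cost has fallen behind; nothing else ever reads the verifier.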

  62. TLS/SSL VERIFICATION

  63. http://www.flickr.com/photos/your_teacher/400805545/

  64. (no transcript text)

  65. (no transcript text)

  66. (no transcript text)

  67. (no transcript text)

  68. RECOMMENDATIONS
    • Check your SSL connections
    • Verify certificate / verify peer
    • Verify host
    • Set up an automated test that fails when verification is turned off

  69. TRUST

  70. The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
    RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
    Are you sure you want to continue connecting (yes/no)?

  71. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
    Please contact your system administrator.

  72. • AOL Time Warner Inc.
    • AS Sertifitseerimiskeskus
    • AddTrust
    • Baltimore
    • beTRUSTed
    • Buypass
    • CNNIC
    • COMODO CA Limited
    • Certplus
    • certSIGN
    • Chambersign
    • Chunghwa Telecom Co., Ltd.
    • ComSign
    • Comodo CA Limited
    • Cybertrust, Inc
    • Deutsche Telekom AG
    • Deutscher Sparkassen Verlag GmbH
    • Dhimyotis
    • DigiCert Inc
    • DigiNotar
    • Digital Signature Trust Co.
    • Disig a.s.
    • EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
    • EDICOM
    • Entrust, Inc.
    • Equifax
    • GTE Corporation
    • GeoTrust Inc.
    • GlobalSign nv-sa
    • Hongkong Post
    • Japan Certification Services, Inc.
    • Japanese Government
    • Microsec Ltd.
    • NetLock Halozatbiztonsagi Kft.
    • Network Solutions L.L.C.
    • PM/SGDN
    • QuoVadis Limited
    • RSA Security Inc
    • SECOM Trust Systems CO.,LTD.
    • SecureTrust Corporation
    • Sociedad Cameral de Certificación Digital
    • Sonera
    • Staat der Nederlanden
    • Starfield Technologies, Inc.
    • StartCom Ltd.
    • SwissSign AG
    • Swisscom
    • TC TrustCenter GmbH
    • TDC
    • Taiwan Government
    • Thawte
    • The Go Daddy Group, Inc.
    • The USERTRUST Network
    • TÜBİTAK
    • TÜRKTRUST
    • Unizeto Sp. z o.o.
    • VISA
    • ValiCert, Inc.
    • VeriSign, Inc.
    • WISeKey
    • Wells Fargo
    • XRamp Security Services Inc

  73. CERTIFICATE PINNING

  74. (no transcript text)

  75. RECOMMENDATIONS
    • Think about what organizations you really trust
    • Consider disabling some roots
    • Use certificate pinning in your apps
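
Added example, not from the deck, for the TLS verification and pinning recommendations (slides 68 and 75): an automated test, runnable offline, that proves a Ruby OpenSSL client rejects an unknown issuer, rejects a hostname mismatch, accepts a trusted certificate, and enforces a pinned SubjectPublicKeyInfo hash. A throwaway self-signed certificate for the constructed name "good.example" is generated in-process and served from a background thread on a loopback port; the names, the pin values and the report keys are assumptions for the test.

```ruby
require 'openssl'
require 'socket'

# Added example (not the deck's code). Certificate, hostnames and pins are
# constructed here so the test runs offline against a local TLS server.

# Self-signed certificate for `cn`, valid for one hour, usable as a trust anchor.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# SHA-256 of the SubjectPublicKeyInfo: the value an app ships as its pin.
def spki_pin(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# Minimal TLS server in a background thread; returns the port it listens on.
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        server.accept.close
      rescue StandardError
        # handshake aborted by a client that rejected our certificate: expected
      end
    end
  end
  tcp.addr[1]
end

# One client handshake; :ok on success, :rejected when OpenSSL refuses the peer.
# verify: false reproduces the VERIFY_NONE misconfiguration the slides warn about.
def tls_connect(port, hostname, verify: true, store: nil, pin: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  ctx.verify_hostname = verify          # check the name against the certificate
  ctx.cert_store = store if store       # trust anchors; nil leaves the empty default
  if pin
    ctx.verify_callback = lambda do |preverify_ok, store_ctx|
      # chain validation must pass, and the leaf must carry the pinned key
      leaf = store_ctx.error_depth.zero?
      leaf ? (preverify_ok && spki_pin(store_ctx.current_cert) == pin) : preverify_ok
    end
  end
  sock = TCPSocket.new('127.0.0.1', port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = hostname               # SNI, and the name verify_hostname checks
  ssl.connect
  ssl.close
  :ok
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock&.close
end

# The automated test: each row is a property the client must have.
def tls_verification_report
  key, cert = make_self_signed('good.example')
  port  = start_tls_server(key, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  other_pin = spki_pin(make_self_signed('good.example')[1])   # a different key
  {
    no_verify:      tls_connect(port, 'good.example', verify: false),
    unknown_ca:     tls_connect(port, 'good.example'),
    trusted_ok:     tls_connect(port, 'good.example', store: store),
    wrong_hostname: tls_connect(port, 'evil.example', store: store),
    pin_ok:         tls_connect(port, 'good.example', store: store, pin: spki_pin(cert)),
    pin_mismatch:   tls_connect(port, 'good.example', store: store, pin: other_pin)
  }
end
```

The no_verify row is the bug: it succeeds against a certificate nobody vouched for, which is what a client with VERIFY_NONE does against every server. The pin rows show that pinning narrows trust from the whole root list on slide 72 to one key, at the cost of having to ship a new pin before that key rotates.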

  76. https://www.coursera.org/course/crypto
    STANFORD CRYPTO CLASS

  77. http://www.matasano.com/articles/crypto-challenges/
    MATASANO CRYPTO
    CHALLENGES

  78. PRAGMATIC CRYPTOGRAPHY
    http://pragmaticcrypto.com/

  79. • Videos
    • Theory and Practice of Cryptography series
    • http://www.youtube.com/watch?v=IzVCrSrZIX8
    • http://www.youtube.com/watch?v=KDvt_0cafPw
    • http://www.youtube.com/watch?v=YcgqBEzcD_I
    • http://www.youtube.com/watch?v=ZDnShu5V99s
    • Crypto Strikes Back!
    • http://www.youtube.com/watch?v=ySQl0NhW1J0
    • Presentations
    • http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf
    • http://www.eff.org/files/DefconSSLiverse.pdf
    • Books
    • Cryptography Engineering - Ferguson, Schneier, and Kohno
    • Blogs
    • http://blog.cryptographyengineering.com/
    • http://rdist.root.org/

  80. QUESTIONS?
    John Downey | @jtdowney
