Cryptography Pitfalls at OSCON 2013

CRYPTOGRAPHY PITFALLS
John Downey | @jtdowney

View Slide

John Downey | Security Engineer

View Slide

http://www.ﬂickr.com/photos/[email protected]/2466272019/

View Slide

http://www.ﬂickr.com/photos/freefoto/5692512457/

View Slide

http://www.ﬂickr.com/photos/zappowbang/2049368918/

View Slide

http://www.ﬂickr.com/photos/katieharbath/4382294246/

View Slide

http://www.ﬂickr.com/photos/kalebdf/2170180285/

View Slide

http://www.ﬂickr.com/photos/alstonfamily/2237347597/

View Slide

View Slide

http://www.ﬂickr.com/photos/damiavos/4707651586/
You have probably seen the door to a bank
vault, at least in the movies. You know, 10-inch-
thick, hardened steel, with huge bolts to lock it in
place. It certainly looks impressive. We
often ﬁnd the digital equivalent of such a vault
door installed in a tent. The people standing
around it are arguing over how thick the door
should be, rather than spending their time
looking at the tent.
Cryptography Engineering
Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno

View Slide

http://www.ﬂickr.com/photos/bootycat/5849904501/

View Slide

•For data in transit
•Use TLS/SSL, SSH, or VPN/IPsec
•For data at rest
•Use GnuPG
•Use a high level library
•Keyczar (Python and Java)
•NaCL (C, Ruby, etc)

View Slide

http://www.ﬂickr.com/photos/proimos/4199675334/

View Slide

RANDOM NUMBER
GENERATION

View Slide

http://www.ﬂickr.com/photos/brentnewhall/6559793329/

View Slide

View Slide

MD_Update(&m,buf,j);

View Slide

Don't add uninitialised data to the random number
generator. This stop valgrind from giving error
messages in unrelated code. (Closes: #363516)

View Slide

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
MD_Update(&m,buf,j);
/* We know that line may cause programs such as
purify and valgrind to complain about use of
uninitialized data. The problem is not, it's
with the caller. Removing that line will make
sure you get really bad randomness and thereby
other problems such as very insecure keys. */

View Slide

RECOMMENDATIONS
• Use the crypto library RNG
• OpenSSL random
• On Linux (or other Unix-like OS)
• /dev/random - blocks for entropy
• /dev/urandom - non-blocking

View Slide

LENGTH EXTENSION
ATTACKS

View Slide

HASH FUNCTIONS

View Slide

http://www.ﬂickr.com/photos/littlejohncollection/3675547973/

View Slide

USCYBERCOM plans, coordinates, integrates, synchronizes and
conducts activities to: direct the operations and defense of speciﬁed
Department of Defense information networks and; prepare to, and
when directed, conduct full spectrum military cyberspace operations
in order to enable actions in all domains, ensure US/Allied freedom
of action in cyberspace and deny the same to our adversaries.
9EC4C12949A4F31474F299058CE2B22A
MD5

View Slide

View Slide

RECOMMENDATIONS
•Use SHA-256 (SHA-2 family)
•Stop using MD5
•Don’t use SHA1 in new projects

View Slide

RestClient.post(
'https://example.com/things',
:name => 'Widget',
:price => 1_23,
:signature => signature
)

View Slide

secret = "api-key"
str = "name=#{name}&"
str += "price=#{price}"
body = "#{secret}|#{str}"
signature = sha1(body)

View Slide

sha1("api-key|name=Widget&price=123")
8CBBCB204861672F93B26A6401E685195AB5719B
SHA1

View Slide

http://www.ﬂickr.com/photos/worldbank/3492662794/

View Slide

h0 = 0x8CBBCB20
h1 = 0x4861672F
h2 = 0x93B26A64
h3 = 0x01E68519
h4 = 0x5AB5719B
h0 = 0x67452301
h1 = 0xEFCDAB89
h2 = 0x98BADCFE
h3 = 0x10325476
h4 = 0xC3D2E1F0

View Slide

h0 = 0x8CBBCB20
h1 = 0x4861672F
h2 = 0x93B26A64
h3 = 0x01E68519
h4 = 0x5AB5719B
8CBBCB204861672F93B26A6401E685195AB5719B

View Slide

&price=0

View Slide

api-key|name=Widget&price=123&price=0

View Slide

h0 = 0x8CBBCB20
h1 = 0x4861672F
h2 = 0x93B26A64
h3 = 0x01E68519
h4 = 0x5AB5719B
h0 = 0x7CA17A2B
h1 = 0x91BD35C0
h2 = 0x9D50A3AD
h3 = 0x5CAD1E9B
h4 = 0x396DDEF4

View Slide

api-key|name=Widget&price=123&price=0
7CA17A2B91BD35C09D50A3AD5CAD1E9B396DDEF4
SHA1

View Slide

RestClient.post(
'https://example.com/things',
:name => 'Widget',
:price => 0,
:signature => signature
)

View Slide

RECOMMENDATIONS
•Use HMAC-SHA-256 for authentication
•Keyed hash function
•Resistant to length extension

View Slide

ECB MODE

View Slide

http://www.ﬂickr.com/photos/kevinomara/3422866722

View Slide

Plaintext
ECB

View Slide

Plaintext
“This is a secret”
Key
0xE60DC5C9747A
963A86FD9522547
Ciphertext
0x7CD937D779C4
555CF38244BEC63
AES-128(key, msg)
Random IV
0x20B8F0FBE8CCA
71A58FC86E6F256
⊕

View Slide

Plaintext
“message”
Key
0xE60DC5C9747A
963A86FD9522547
Ciphertext
0x5867695E0F48DE
A14A33F1E70C416
AES-128(key, msg)
⊕
Last Ciphertext
0x7CD937D779C4
555CF38244BEC63

View Slide

Random IV
0x20B8F0FBE8CCA
71A58FC86E6F256
Ciphertext
0x7CD937D779C4
555CF38244BEC63
Ciphertext
0x5867695E0F48DE
A14A33F1E70C416

View Slide

Plaintext
ECB
CBC

View Slide

RECOMMENDATIONS
• Use AES
• Do not use DES
• Do not use ECB mode
• Use an authenticated encryption mode
• GCM, CCM, OCB
• CBC with an HMAC of IV and ciphertext
• Verify the tag/MAC ﬁrst

View Slide

PASSWORD STORAGE

View Slide

http://www.ﬂickr.com/photos/sponng/4554602341/

View Slide

View Slide

sha1(password)

View Slide

1.One-way
•Only useful for veriﬁcation

View Slide

sha1(salt + password)

View Slide

1.One-way
2.Randomized
•Defeats pre-computed tables
•Forces focus on one password

View Slide

http://www.ﬂickr.com/photos/jaffathecake/2618896075/

View Slide

1.One-way
2.Randomized
•Defeats pre-computed tables
•Forces focus on one password
3.Slow

View Slide

bcrypt, scrypt, or PBKDF2
ADAPTIVE HASHING

View Slide

RECOMMENDATIONS
• Delegate authentication if possible
• Facebook, Twitter, Google, Github
• Store one-way veriﬁers using bcrypt, scrypt, or PBDKF2
• Use existing framework
• has_secure_password (Rails >= 3.1)
• devise

View Slide

TLS/SSL VERIFICATION

View Slide

http://www.ﬂickr.com/photos/your_teacher/400805545/

View Slide

View Slide

RECOMMENDATIONS
• Check your SSL connections
• Verify certiﬁcate / verify peer
• Verify host
• Setup an automated test

View Slide

TRUST

View Slide

The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Are you sure you want to continue connecting (yes/no)?

View Slide

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Please contact your system administrator.

View Slide

• AOL Time Warner Inc.
• AS Sertifitseerimiskeskus
• AddTrust
• Baltimore
• beTRUSTed
• Buypass
• CNNIC
• COMODO CA Limited
• Certplus
• certSIGN
• Chambersign
• Chunghwa Telecom Co., Ltd.
• ComSign
• Comodo CA Limited
• Cybertrust, Inc
• Deutsche Telekom AG
• Deutscher Sparkassen Verlag GmbH
• Dhimyotis
• DigiCert Inc
• DigiNotar
• Digital Signature Trust Co.
• Disig a.s.
• EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
• EDICOM
• Entrust, Inc.
• Equifax
• GTE Corporation
• GeoTrust Inc.
• GlobalSign nv-sa
• Hongkong Post
• Japan Certification Services, Inc.
• Japanese Government
• Microsec Ltd.
• NetLock Halozatbiztonsagi Kft.
• Network Solutions L.L.C.
• PM/SGDN
• QuoVadis Limited
• RSA Security Inc
• SECOM Trust Systems CO.,LTD.
• SecureTrust Corporation
• Sociedad Cameral de Certificación Digital
• Sonera
• Staat der Nederlanden
• Starfield Technologies, Inc.
• StartCom Ltd.
• SwissSign AG
• Swisscom
• TC TrustCenter GmbH
• TDC
• Taiwan Government
• Thawte
• The Go Daddy Group, Inc.
• The USERTRUST Network
• TÜBİTAK
• TÜRKTRUST
• Unizeto Sp. z o.o.
• VISA
• ValiCert, Inc.
• VeriSign, Inc.
• WISeKey
• Wells Fargo
• XRamp Security Services Inc

View Slide

CERTIFICATE PINNING

View Slide

View Slide

RECOMMENDATIONS
• Think about what organizations you really trust
• Consider disabling some roots
• Use certiﬁcate pinning in your apps

View Slide

https://www.coursera.org/course/crypto
STANFORD CRYPTO CLASS

View Slide

http://www.matasano.com/articles/crypto-challenges/
MATASANO CRYPTO
CHALLENGES

View Slide

PRAGMATIC CRYPTOGRAPHY
http://pragmaticcrypto.com/

View Slide

• Videos
• Theory and Practice of Cryptography series
• http://www.youtube.com/watch?v=IzVCrSrZIX8
• http://www.youtube.com/watch?v=KDvt_0cafPw
• http://www.youtube.com/watch?v=YcgqBEzcD_I
• http://www.youtube.com/watch?v=ZDnShu5V99s
• Crypto Strikes Back!
• http://www.youtube.com/watch?v=ySQl0NhW1J0
• Presentations
• http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf
• http://www.eff.org/ﬁles/DefconSSLiverse.pdf
• Books
• Cryptography Engineering - Ferguson, Schneier, and Kohno
• Blogs
• http://blog.cryptographyengineering.com/
• http://rdist.root.org/

View Slide

QUESTIONS?
John Downey | @jtdowney

View Slide

Cryptography Pitfalls at OSCON 2013

Cryptography Pitfalls at OSCON 2013

John Downey

More Decks by John Downey

Other Decks in Programming

Featured

Transcript