Cryptography Pitfalls at THOTCON 0x8

John Downey

May 04, 2017

Transcript

  1. Cryptography Pitfalls
    John Downey | @jtdowney
    @jtdowney 1

  2. The views expressed in this
    presentation are my own, and not
    those of PayPal or any of its
    affiliates.

  3. Confidentiality

  4. Authentication

  5. Identification

  6. Rigorous Science

  7. Peer Review

  9. You have probably seen the door to a bank vault, at least in
    the movies. You know, 10-inch-thick, hardened steel, with huge
    bolts to lock it in place. It certainly looks impressive. We
    often find the digital equivalent of such a vault door installed
    in a tent. The people standing around it are arguing over how
    thick the door should be, rather than spending their time
    looking at the tent.
    — Cryptography Engineering by Niels Ferguson, Bruce
    Schneier, and Tadayoshi Kohno

  10. • For data in transit
      • Use TLS (née SSL) or SSH
    • For data at rest
      • Use GnuPG
    • Data to be signed
      • Use GnuPG

  11. • Avoid low-level libraries
      • OpenSSL
      • PyCrypto
      • Bouncy Castle
    • Use a high-level library
      • NaCl/libsodium (C, Ruby, PHP, etc.)
      • Keyczar (C++, Python, and Java)

  13. Random Number Generation

  14. Pitfalls
    1. Not using a cryptographically strong random number generator
    2. Not using random data when it is required
    3. Broken random number generators

  24. MD_Update(&m,buf,j);

  25. Don't add uninitialised data to
    the random number generator.
    This stop valgrind from giving
    error messages in unrelated code.
    (Closes: #363516)

  26. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
    MD_Update(&m,buf,j);
    /* We know that line may cause programs such as
    purify and valgrind to complain about use of
    uninitialized data. The problem is not, it's
    with the caller. Removing that line will make
    sure you get really bad randomness and thereby
    other problems such as very insecure keys. */

  27. Recommendations
    • Use a cryptographically strong random number generator
      • Unix-like
        • Read from /dev/urandom
      • Windows
        • RandomNumberGenerator in System.Security.Cryptography (.NET)
        • CryptGenRandom
      • Java
        • Use java.security.SecureRandom
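
The recommendation above, as an added Go example that is not part of the talk: crypto/rand hands back bytes from the operating system's CSPRNG (the /dev/urandom and Windows sources the slide lists), while math/rand is a seeded, deterministic PRNG that reproduces the same "key" for the same seed, which is pitfall 1 in code. The 32-byte length and the seed value are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mathrand "math/rand"
)

// NewKey returns n bytes from the operating system's CSPRNG. On Unix-like
// systems crypto/rand reads /dev/urandom, on Windows the platform RNG,
// which is what the recommendations slide asks for.
func NewKey(n int) ([]byte, error) {
	key := make([]byte, n)
	// Fail closed: if the OS source is unavailable, return the error rather
	// than silently substituting weaker bytes.
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WeakKey is pitfall 1: math/rand is a deterministic PRNG built for
// simulations, not secrets. Given the seed (a timestamp or PID is a common
// choice), every byte it produced can be regenerated.
func WeakKey(seed int64, n int) []byte {
	r := mathrand.New(mathrand.NewSource(seed))
	key := make([]byte, n)
	r.Read(key) // (*Rand).Read always fills the slice and never returns an error
	return key
}

func main() {
	strong, err := NewKey(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand key:", hex.EncodeToString(strong))

	// Constructed seed value for the demonstration: same seed, same "key".
	const seed = 1493856000
	fmt.Println("math/rand key: ", hex.EncodeToString(WeakKey(seed, 32)))
	fmt.Println("again:         ", hex.EncodeToString(WeakKey(seed, 32)))
}
```

Running it prints a fresh crypto/rand key each time and the same math/rand key twice; that repeatability is the whole problem.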

  28. Hash Functions

  29. Pitfalls
    1. Using weak/old algorithms
    2. Misunderstanding checksums
    3. Length extension attacks

  34. 9EC4C12949A4F31474F299058CE2B22A

  35. 9EC4C12949A4F31474F299058CE2B22A
    USCYBERCOM plans, coordinates, integrates, synchronizes
    and conducts activities to: direct the operations and defense of
    specified Department of Defense information networks and;
    prepare to, and when directed, conduct full spectrum military
    cyberspace operations in order to enable actions in all
    domains, ensure US/Allied freedom of action in cyberspace
    and deny the same to our adversaries.

  39. Message Authentication Code (MAC)
    tag = MAC(key, value)
    • Takes:
      • key - shared secret
      • value - the value whose integrity is to be protected
    • Returns:
      • tag - value that represents the integrity

  40. Naive approach
    tag = sha256(key + value)

  41. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1"
    signature = sha256(secret + value)

  42. Length Extension Attacks
    secret = "my-secret-key"
    value = "buy 10 units at $1" + " or $0"
    signature = sha256(secret + value)

  43. Fixed
    secret = "my-secret-key"
    value = "buy 10 units at $1"
    signature = hmac_sha256(secret, value)
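
The naive tag and the HMAC fix from the three slides above, as an added Go example that is not from the talk. The naive sha256(key + value) is kept only as the "before": SHA-256 is a Merkle-Damgård hash whose output is its internal state after absorbing key || value, and that structure is what a length extension attack builds on. HMAC runs the key through an inner and an outer hash, so the tag exposes no state to continue from; verification uses hmac.Equal so the comparison does not leak how many leading bytes matched. The secret and message values are the ones on the slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NaiveTag is the broken construction from the slides: sha256(key || value).
// Its output equals the hash's internal state after key || value, which is
// the property length extension relies on. Shown only as the "before".
func NaiveTag(key, value []byte) []byte {
	buf := append(append([]byte{}, key...), value...)
	sum := sha256.Sum256(buf)
	return sum[:]
}

// Tag is the fix: HMAC-SHA-256. The key is mixed into an inner and an outer
// hash, so the tag is not a state anyone can continue from.
func Tag(key, value []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(value)
	return m.Sum(nil)
}

// Verify recomputes the tag and compares with hmac.Equal, which runs in
// constant time; a plain bytes.Equal would leak how many leading bytes match.
func Verify(key, value, tag []byte) bool {
	return hmac.Equal(Tag(key, value), tag)
}

func main() {
	secret := []byte("my-secret-key")
	value := []byte("buy 10 units at $1")
	tag := Tag(secret, value)
	fmt.Println("hmac tag:", hex.EncodeToString(tag))
	fmt.Println("original verifies:", Verify(secret, value, tag))
	// The modified message from the slide must fail against the old tag.
	extended := []byte("buy 10 units at $1 or $0")
	fmt.Println("' or $0' appended verifies:", Verify(secret, extended, tag))
	fmt.Println("naive tag accepted by Verify:", Verify(secret, value, NaiveTag(secret, value)))
}
```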

  46. Recommendations
    • Use SHA-256 (SHA-2 family)
    • Choose HMAC-SHA-256 if you want a signature
    • Stop using MD5
    • Stop using SHA-1

  47. Ciphers

  48. Pitfalls
    1. Using old/weak algorithms
    2. Using ECB mode for block ciphers
    3. Not using authenticated encryption

  53. AES - primitive
    ciphertext = AES_Encrypt(key, plaintext)
    plaintext = AES_Decrypt(key, ciphertext)
    • Function over:
      • key - 128, 192, or 256 bit value
      • plaintext - 128 bit value
      • ciphertext - 128 bit value

  54. ECB Encrypt
    while (remaining blocks) {
      block = ... # next 16-byte (128-bit) chunk
      output.append(AES_Encrypt(key, block))
    }

  62. World of hurt

  63. Recommendations
    • Prefer to use box/secret box from NaCl/libsodium
    • Stop using DES
    • Stop building your own on top of AES
    • Stop encrypting without protecting integrity

  64. What if you have to use AES
    • Do not use ECB mode
    • Be sure to use authenticated encryption
      • GCM mode would be a good first choice
      • Verify the tag/MAC first
    • Still easy to mess up in a critical way
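
The ECB loop from slide 54 and the "if you have to use AES" recommendations, as one added Go example that is not from the talk. ecbEncrypt is the slide's loop written out, so the leak is visible: two equal plaintext blocks give two equal ciphertext blocks. Seal and Open use AES-GCM from the standard library with a fresh random nonce per message; Open checks the tag before returning any plaintext, so a single flipped bit or a mismatched associated-data value yields an error and no data. The key and input bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ecbEncrypt is the loop from the "ECB Encrypt" slide written out: each
// 16-byte block goes through the AES primitive on its own, so two equal
// plaintext blocks always produce two equal ciphertext blocks. That is the
// leak ECB mode has; the function exists here only to make it visible.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a multiple of 16 bytes")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// Seal is the "if you have to use AES" recommendation: AES-GCM with a fresh
// random 96-bit nonce. Output layout is nonce || ciphertext || tag.
// A nonce must never repeat under the same key; a counter is also fine.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag before any plaintext is returned ("verify the
// tag/MAC first"); a single flipped bit anywhere yields an error and nil.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed key and input for the demonstration; a real key comes
	// from a CSPRNG or a key-derivation function.
	key := bytes.Repeat([]byte{0x11}, 16)
	pt := bytes.Repeat([]byte("A"), 32) // two identical 16-byte blocks

	ecb, _ := ecbEncrypt(key, pt)
	fmt.Printf("ECB block 1 == block 2: %v\n", bytes.Equal(ecb[:16], ecb[16:]))

	sealed, err := Seal(key, pt, []byte("header"))
	if err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, sealed, []byte("header"))
	fmt.Println("GCM open after tampering:", err)
}
```

The associated-data argument (aad) is for values that must be bound to the ciphertext but travel in the clear, such as a header or record type; it is authenticated but not encrypted.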

  65. TLS/SSL

  66. Pitfalls
    1. Not verifying the certificate chain or hostname
    2. Misconfigured server settings
    3. Using a broken library

  71. Hostname verification

  72. Hostname verification
    • Check that you got the certificate for who you intended to connect to
    • Hostname verification is protocol dependent
    • OpenSSL doesn't have it built in

  75. SSL Labs
    https://www.ssllabs.com

  76. testssl.sh
    https://testssl.sh

  77. TLS Server Settings
    https://mozilla.github.io/server-side-tls/ssl-config-generator/

  81. Recommendations
    • Do ensure you're validating connections
    • Lean on a framework/library if possible
      • But check that it also does the right thing
    • Set up an automated test to validate this setting (badssl.com)

  83. Stanford Crypto Class
    http://crypto-class.com

  84. Matasano Crypto Challenges
    http://cryptopals.com

  85. Bonus Round

  86. Quantum Computers

  87. Pitfalls
    1. Assuming current crypto will last forever

  90. Recommendations
    • Follow the PQCrypto discussion
    • Stay away from PQCrypto until the industry starts to standardize
    • Hope that researchers are moving fast enough

  91. Trust

  92. The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
    RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
    Are you sure you want to continue connecting (yes/no)?

  93. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
    Please contact your system administrator.

  95. Certificate Pinning

  97. Recommendations
    • Think about what organizations you really trust
    • Investigate certificate pinning for your apps

  98. Images
    • https://flic.kr/p/6eagaw
    • https://flic.kr/p/4KWhKn
    • https://flic.kr/p/9F2BCv
    • https://flic.kr/p/486xYS
    • https://flic.kr/p/7Ffppm
    • https://flic.kr/p/8TuJD9
    • https://flic.kr/p/4iLJZt
    • https://flic.kr/p/4pGZuz
    • https://flic.kr/p/48w7wP
    • https://flic.kr/p/8aZWNE
    • https://flic.kr/p/5NRHp
    • https://flic.kr/p/7p7raq
    • https://flic.kr/p/aZEE1Z
    • https://flic.kr/p/7WtwAz
    • https://flic.kr/p/6AN9mM
    • https://flic.kr/p/6dt62u
    • https://flic.kr/p/4ZqwyB
    • https://flic.kr/p/Bqewr
    • https://flic.kr/p/ecdhVE
    • https://flic.kr/p/AV1Nd
    • https://flic.kr/p/5tWgh4