Stories from the crypt(ography)

Marcin Krzyzanowski

November 17, 2018
Transcript

  1. Stories from the crypt(ography)

     The future in mobile. Why? Because I can.
  7. Marcin Krzyżanowski PDFViewer.io pspdfkit.com @krzyzanowskim github.com/krzyzanowskim CryptoSwift ObjectivePGP blog.krzyzanowskim.com

  8. CRYPTOSWIFT https://cryptoswift.io https://github.com/krzyzanowskim/CryptoSwift

  9. Cryptography course was given in an hour

  10. There were some useful mentions about crypto that I'd never

     heard before. But it wasn't as complete as I expected.
  11. Banal, nothing new

  12. Obvious things were explained

  14. UInt8 = byte = 8 bits

  15. [Diagram: STRING "Lorem Ipsum" → BYTES 0x4C 0x6F 0x72 0x65 0x6D ... → BITS 1001100 ...]

  16. [Diagram: encrypting the BITS gives new BYTES, e.g. [0x73, 0xCD ...]]

  17. [Diagram: the encrypted BYTES [0x73, 0xCD ...] → STRING? Not necessarily: ciphertext bytes need not form a valid string (NULL)]
  18. Encrypt: bytes <-> bytes
      Encode: string <-> bytes (BASE64, HEX STRING - "0x0102FF")

  19. ENCRYPTION
      In cryptography, the one-time pad (OTP) is an encryption technique (cipher) that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent.

      key         A    T    e    5    1    /    b    J    {    z    q    C    G
      plaintext   L    O    R    E    M    I    P    S    U    M    L    O    R
      ciphertext  0x12 0xA  0x9F 0x1  0xFF 0x41 0xB  0x97 0x6A 0xA  0xBB 0x3  0x67
  20. SYMMETRIC-KEY ENCRYPTION: XOR EVERYTHING

  21. XOR - Exclusive OR
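The XOR / one-time pad slides above, and the earlier point that ciphertext is bytes (encrypt) rather than a string (encode), as an added example in Python. This is not code from the talk or from CryptoSwift; the messages are constructed samples, and the second half shows what goes wrong when the "one-time" pad is used twice, which the slides do not spell out:

```python
import base64
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; the one-time pad is exactly this."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)

def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)       # XOR is its own inverse

def decodes_as_utf8(data: bytes) -> bool:
    """Ciphertext is bytes, not a string: most ciphertexts are not valid text at all."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def encode_for_transport(ciphertext: bytes) -> dict:
    """Encode (not encrypt): hex and base64 are reversible views of the same bytes."""
    return {"hex": ciphertext.hex(),
            "base64": base64.b64encode(ciphertext).decode("ascii")}

def decode_hex(text: str) -> bytes:
    return bytes.fromhex(text)

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reusing a pad: c1 xor c2 == m1 xor m2, the pad cancels out of the ciphertexts."""
    return xor_bytes(c1, c2)

def recover_other_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known, the other falls out: (m1 xor m2) xor m1 == m2."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_m1)

if __name__ == "__main__":
    m1 = b"LOREM IPSUM DOLOR"              # constructed sample messages
    m2 = b"ATTACK AT DAWN!!!"
    pad = os.urandom(len(m1))              # fresh, message-length, meant to be used once
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)   # the mistake: pad used twice
    print(encode_for_transport(c1))
    print(recover_other_message(c1, c2, m1))              # b'ATTACK AT DAWN!!!'
```

The same key-cancellation applies to any stream cipher or CTR-mode keystream reused under one key and nonce, which is why the later slides insist on a nonce that is used once.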

  23. ASYMMETRIC-KEY ENCRYPTION: EVERYTHING IS HARD

  24. COMMONCRYPTO

      CCCrypt(kCCEncrypt,
              kCCAlgorithmAES128,        // Algorithm
              kCCOptionPKCS7Padding,     // Padding
              key.bytes,                 // Key
              key.length,                // keyLength
              iv.bytes,                  // IV (or NULL)
              data.bytes,                // dataIn
              data.length,               // dataInLength
              cipherData.mutableBytes,   // dataOut
              cipherData.length,         // dataOutAvailable
              &outLength);               // dataOutMoved

  25. COMMONCRYPTO (Swift signature)

      func CCCrypt(_ op: CCOperation,
                   _ alg: CCAlgorithm,
                   _ options: CCOptions,
                   _ key: UnsafeRawPointer!,
                   _ keyLength: Int,
                   _ iv: UnsafeRawPointer!,
                   _ dataIn: UnsafeRawPointer!,
                   _ dataInLength: Int,
                   _ dataOut: UnsafeMutableRawPointer!,
                   _ dataOutAvailable: Int,
                   _ dataOutMoved: UnsafeMutablePointer<Int>!) -> CCCryptorStatus

  26. COMMONCRYPTO

      CCCryptorCreateWithMode(kCCEncrypt,
                              kCCModeCBC,          // Block mode
                              kCCAlgorithmAES128,  // Algorithm
                              ccPKCS7Padding,      // Padding (CCPadding, not CCOptions)
                              iv.bytes,            // IV (or NULL)
                              key.bytes,           // Key
                              key.length,          // keyLength
                              NULL, 0,             // tweak, tweakLength (XTS only)
                              0,                   // numRounds (0 = default)
                              0,                   // options
                              &cryptor);
  27. try AES(key: [1,2,3,...,16], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) CRYPTOSWIFT

  28. AES - ADVANCED ENCRYPTION STANDARD
      [Diagram: BITS → CIPHER → BYTES, e.g. [0x73, 0xCD ...]]
  29. CIPHER MODE Stream Block

  30. STREAM

  31. CIPHER BLOCK MODE ...
      CTR  counter mode
      CCM  counter with CBC-MAC
      OFB  output feedback
      GCM  Galois/Counter Mode
  32. COUNTER MODE (CTR)

  33. AES BLOCK = 16 bytes

  34. CIPHER BLOCK MODE ...
      CBC  cipher-block chaining
      ECB  electronic codebook (the "dummy" mode: every block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks)
  35. CIPHER BLOCK CHAINING (CBC)

  36. IV IS PUBLIC
      [ INITIALIZATION VECTOR | CIPHERTEXT ]
      NONCE - In cryptography, a nonce is an arbitrary number that can be used just once
  37. COMMONCRYPTO, CBC with no IV

      CCCrypt(kCCEncrypt,
              kCCAlgorithmAES128,        // Algorithm
              kCCOptionPKCS7Padding,     // Padding
              key.bytes,                 // Key
              key.length,                // keyLength
              NULL,                      // IV
              data.bytes,                // dataIn
              data.length,               // dataInLength
              cipherData.mutableBytes,   // dataOut
              cipherData.length,         // dataOutAvailable
              &outLength);               // dataOutMoved

      "If no IV is provided, an IV of all zeroes will be used." (CBC is the default mode when kCCOptionECBMode is not set.)
  38. PADDING

  39. PADDING
      PKCS5 / PKCS7
      Zero Padding
      No Padding

  40. PKCS5 / PKCS7 PADDING (16-byte block; the value of each padding byte is the number of padding bytes, here 12 = 0x0C)

      T E X T ? ? ? ? ? ? ? ? ? ? ? ?
      T E X T 12 12 12 12 12 12 12 12 12 12 12 12

  41. ZERO PADDING

      T E X T ? ? ? ? ? ? ? ? ? ? ? ?
      T E X T 0 0 0 0 0 0 0 0 0 0 0 0
  42. NO PADDING

  43. CIPHER BLOCK MODE and padding
      CTR  counter mode             no padding
      CCM  counter with CBC-MAC     no padding
      OFB  output feedback          no padding
      GCM  Galois/Counter Mode      no padding

  44. CBC  cipher-block chaining    PKCS7 padding
      ECB  electronic codebook      PKCS7 padding
  45. PADDING ORACLE ATTACK - POODLE (SSL 3.0; variants hit some TLS 1.0 to 1.2 implementations that did not check padding bytes)

  46. Padding Oracle Attack
      CBC decryption of block i: plaintext_i = dec(C_i) ⊕ C_{i-1}. The attacker replaces C_{i-1} with a chosen block C'_{i-1} and learns only whether the receiver reports a padding ERROR or SUCCESS.

      dec(C_i)    XX XX XX XX XX XX XX XX   (unknown to the attacker)
      C_{i-1}     AB 01 4F 21 00 7C 02 9E   (8-byte toy block)
      ⊕ =
      plaintext   XX XX XX XX XX XX XX XX

  47. SUCCESS: changing bytes of C'_{i-1} (ZZ) that do not land in the padding only changes the corresponding plaintext bytes (YY); the padding is still valid.

  48. ERROR: as soon as a changed byte lands in the padding, the receiver reports a padding error.

  49. SUCCESS: suppose the block really ends in six padding bytes, 06 06 06 06 06 06.

  50. ERROR: rewrite the tail so that it would only be valid as seven bytes of 07: XOR each of the last six bytes of C_{i-1} with 0x06 ⊕ 0x07 (0x9E becomes 0x9F, 0x02 becomes 0x03, ..., 0x4F becomes 0x4E). The seventh-from-last plaintext byte is still unknown, so the padding is invalid.

  51. Now try 0x00, 0x01, 0x02, ... in that position of C'_{i-1} (AB 0,1,2,3,... 4E 20 01 7D 03 9F) until the oracle answers SUCCESS: at that moment the plaintext byte in that position is 0x07.

  52. SUCCESS at 0x41: dec(C_i)[1] ⊕ 0x41 = 0x07, so dec(C_i)[1] = 0x46, and the real plaintext byte is dec(C_i)[1] ⊕ C_{i-1}[1] = 0x46 ⊕ 0x01 = 0x07 ⊕ 0x40 = 0x47 ('G'). Repeat for the remaining byte of the block, then for every block of the message; the attacker never needs the key.
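The padding oracle walkthrough in slides 46 to 52, together with the zero-IV point from slide 37, as an added example in Python. This is not code from the talk or from CryptoSwift. It assumes a toy 8-byte Feistel block cipher in place of AES so that it runs without a crypto library (the attack does not care which block cipher sits underneath), and it generalises the slides by recovering every block of a multi-block message, including the false-positive case on the last byte that the slides skip:

```python
import hashlib
import os

BLOCK = 8  # toy cipher block size in bytes (AES uses 16; the attack is identical)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # 1..BLOCK bytes, each holding the count
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")    # this error is what the oracle leaks
    return data[:-n]

# Toy block cipher (assumption of this example): 4-round Feistel network with a
# SHA-256 round function. Invertible like AES, NOT secure; a stand-in for AES only.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    r, l = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(padded[i : i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i : i + BLOCK]
        out += xor(toy_decrypt_block(key, blk), prev)   # P_i = dec(C_i) xor C_{i-1}
        prev = blk
    return pkcs7_unpad(out)

def padding_oracle(key: bytes, prev: bytes, block: bytes) -> bool:
    """What a leaky receiver exposes: 'was the padding valid?' and nothing else."""
    try:
        cbc_decrypt(key, prev, block)
        return True
    except ValueError:
        return False

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block using only the oracle and the real C_{i-1}."""
    dec = bytearray(BLOCK)                 # dec(C_i), learned byte by byte from the right
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos                  # padding value we force: 0x01, 0x02, ...
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):    # make the already-known tail decrypt to `pad`
            forged[j] = dec[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:           # edge case: a 0x01 hit might really be 0x02 0x02
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF     # disturb the byte before; a true 0x01 survives
                if not oracle(bytes(check), target):
                    continue
            dec[pos] = guess ^ pad         # dec(C_i)[pos] xor guess == pad
            break
        else:
            raise RuntimeError("oracle never accepted a padding")
    return xor(bytes(dec), prev)           # plaintext = dec(C_i) xor the real C_{i-1}

def recover_plaintext(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i : i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    prevs = [iv] + blocks[:-1]
    return pkcs7_unpad(b"".join(recover_block(oracle, p, c) for p, c in zip(prevs, blocks)))

def zero_iv_leaks(key: bytes) -> bool:
    """NULL IV in CommonCrypto = all zeros: equal plaintext prefixes give equal first blocks."""
    iv = bytes(BLOCK)
    c1 = cbc_encrypt(key, iv, b"Lorem ipsum 1")
    c2 = cbc_encrypt(key, iv, b"Lorem ipsum 2")
    return c1[:BLOCK] == c2[:BLOCK]

if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, b"LOREM IPSUM DOLOR SIT AMET")   # constructed sample
    oracle = lambda prev, block: padding_oracle(key, prev, block)
    print(recover_plaintext(oracle, iv, ct))   # the attacker never touches `key`
    print(zero_iv_leaks(key))
```

Each recovered byte costs at most 256 oracle queries, so a whole block falls in a few thousand requests. The fix is not a better padding check but a MAC over the ciphertext that is verified before any decryption, which is the point of the MAC slides that follow.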
  57. Frameworks: mcrypt

  58. The output is not just raw ciphertext:
      "IV + Salted__ + 8 random bytes + ciphertext"
  60. Password != Key
      Key != Password
      Implicit conversion between password and key

  61. KEY DERIVATION FUNCTIONS
      password → KDF magic → key
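The "password is not a key" and "Salted__ + 8 random bytes" slides, as an added example in Python (not code from the talk or from CryptoSwift). It assumes PBKDF2-HMAC-SHA256 from the standard library as the "KDF magic", and a blob layout of the magic string, an 8-byte salt and the ciphertext; the ciphertext bytes here are a constructed stand-in, since the point is the key derivation, not the cipher:

```python
import hashlib
import os

MAGIC = b"Salted__"      # header OpenSSL `enc` writes: magic, 8-byte salt, then ciphertext
SALT_LEN = 8
KEY_LEN = 32

def naive_key_from_password(password: str) -> bytes:
    """The implicit 'password is the key' conversion: raw UTF-8 bytes, cut or zero-padded
    to 16. Predictable, low entropy, and identical on every device using that password."""
    return password.encode("utf-8")[:16].ljust(16, b"\x00")

def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """password -> KDF -> key, using PBKDF2-HMAC-SHA256 from the standard library."""
    if len(salt) < SALT_LEN:
        raise ValueError("salt must be at least 8 random bytes")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)

def pack(salt: bytes, ciphertext: bytes) -> bytes:
    """Ship the salt with the ciphertext: it is public, and needed to re-derive the key."""
    return MAGIC + salt + ciphertext

def unpack(blob: bytes) -> tuple:
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN:
        raise ValueError("not a Salted__ blob")
    return blob[len(MAGIC):len(MAGIC) + SALT_LEN], blob[len(MAGIC) + SALT_LEN:]

def key_for_blob(password: str, blob: bytes) -> bytes:
    """Receiver side: read the salt back out of the blob and derive the same key."""
    salt, _ = unpack(blob)
    return derive_key(password, salt)

def demo() -> bool:
    salt = os.urandom(SALT_LEN)
    ciphertext = os.urandom(32)                  # constructed stand-in for real ciphertext
    blob = pack(salt, ciphertext)
    k_sender = derive_key("hunter2", salt)
    k_receiver = key_for_blob("hunter2", blob)
    # same password + same salt -> same key; a fresh salt -> an unrelated key
    return k_sender == k_receiver and k_sender != derive_key("hunter2", os.urandom(SALT_LEN))
```

The salt is what makes two users with the same password end up with different keys, and the iteration count is what makes guessing each password cost the attacker real time; the naive conversion gives neither.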

  62. try AES(key: [1,2,3,...,16], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) CRYPTOSWIFT

  63. try AES(key: [1,2,3,...,16], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) CRYPTOSWIFT

      Was it modified? Is it authentic? Was it sent by an impostor?
  64. Cryptography course was given in an hour

  65. MAC

  66. MAC MESSAGE AUTHENTICATION CODE

  67. MAC MESSAGE AUTHENTICATION CODE ALSO KNOWN AS "TAG"

  68. MAC
      [ IV | CIPHERTEXT | TAG ]

  69. AUTHENTICATE EVERYTHING
      [ IV | CIPHERTEXT | TAG ] - the MAC (tag) covers the IV and the ciphertext

  70. AUTHENTICATE EVERYTHING (MAC, TAG)
      "A security flaw in your operating system allows carefully encrypted messages to be effectively decrypted offline. That's what happened to Apple with its iOS 9.2 operating system."
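The "authenticate everything" slides, as an added example in Python (not code from the talk or from CryptoSwift). It assumes HMAC-SHA256 as the MAC, a 16-byte IV, and a separate MAC key; the IV and ciphertext are constructed opaque bytes, because the tag check has to happen before decryption and so does not depend on the cipher. It shows both the correct encrypt-then-MAC packaging and the mistake of leaving the IV out of the tag:

```python
import hashlib
import hmac
import os

TAG_LEN = 32            # HMAC-SHA256 output
IV_LEN = 16             # AES block size, the IV length assumed here

def make_tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC over everything the receiver will feed to the cipher: IV and ciphertext."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()

def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Wire format from the slides: [IV | CIPHERTEXT | TAG]."""
    return iv + ciphertext + make_tag(mac_key, iv, ciphertext)

def verify(mac_key: bytes, blob: bytes) -> bool:
    """Check the tag in constant time BEFORE any decryption; False on any mismatch."""
    if len(blob) < IV_LEN + TAG_LEN:
        return False
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, make_tag(mac_key, iv, ciphertext))

# The mistake: a tag that covers only the ciphertext and leaves the IV unauthenticated.
def weak_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def weak_verify(mac_key: bytes, blob: bytes) -> bool:
    ciphertext, tag = blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, weak_tag(mac_key, ciphertext))

def flip_iv_bit(blob: bytes, bit: int = 0) -> bytes:
    """In CBC, P_1 = dec(C_1) xor IV, so flipping IV bit k flips bit k of the first plaintext block."""
    return bytes([blob[0] ^ (1 << bit)]) + blob[1:]

def demo(mac_key: bytes) -> dict:
    iv, ciphertext = os.urandom(IV_LEN), os.urandom(48)   # constructed opaque sample
    good = seal(mac_key, iv, ciphertext)
    weak = iv + ciphertext + weak_tag(mac_key, ciphertext)
    return {
        "good_accepts_original": verify(mac_key, good),
        "good_rejects_iv_tamper": not verify(mac_key, flip_iv_bit(good)),
        "weak_accepts_iv_tamper": weak_verify(mac_key, flip_iv_bit(weak)),  # goes undetected
    }

if __name__ == "__main__":
    print(demo(b"\x42" * 32))   # constructed MAC key, distinct from the encryption key
```

Use a MAC key that is independent of the encryption key (derive both from one master secret if needed), and return the same generic failure for a bad tag as for any other malformed input, so the tag check cannot itself become an oracle.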
  71. Banal, nothing new

  72. KEY EXCHANGE - ASYMMETRIC CRYPTOGRAPHY
      Diffie–Hellman key exchange
      PUBLIC KEY - PRIVATE KEY
      PUBLIC KEY ENCRYPTS, PRIVATE KEY DECRYPTS

  73. KEY EXCHANGE
      ASYMMETRIC IS SLOW: USE IT TO TRANSMIT A SESSION KEY FOR A SYMMETRIC CIPHER

  74. KEY EXCHANGE
      GENERATE SESSION KEY → ENCRYPT SESSION KEY WITH PUBLIC KEY →
      ← DECRYPT SESSION KEY WITH PRIVATE KEY
      ESTABLISH AES ENCRYPTION
  75. ➤ CIPHER (STREAM OR BLOCK)
      ➤ CIPHER OPERATION MODE - CBC
      ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE
      ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM A PASSWORD
      ➤ PADDING CAN BE DANGEROUS
      ➤ AUTHENTICATE MESSAGE WITH A MAC
      ➤ USE RSA TO EXCHANGE AES KEY
  82. There were some useful mentions about crypto that I'd never

     heard before. But it wasn't as complete as I expected.
  83. Connecting designers and developers! Thank you!
