Stories from the crypt(ography)

Marcin Krzyzanowski

November 17, 2018

Transcript

  1. The future in mobile
    Why? Because I can
    Stories from the crypt(ography)

  7. Marcin Krzyżanowski
    PDFViewer.io
    pspdfkit.com
    @krzyzanowskim
    github.com/krzyzanowskim
    CryptoSwift
    ObjectivePGP
    blog.krzyzanowskim.com

  8. CRYPTOSWIFT
    https://cryptoswift.io
    https://github.com/krzyzanowskim/CryptoSwift

  9. Cryptography course was given in an hour

  10. There were some useful mentions about crypto that I'd never heard before. But it wasn't as complete as I expected.

  11. Banal, nothing new

  12. Obvious things were explained

  14. UInt8 = byte = 8 bits

  15. (diagram: STRING "Lorem Ipsum" → BYTES [0x4C, 0x6F, 0x72, 0x65, 0x6D, ...] → Bits 1001100... → MyEncrypt)

  16. (diagram: MyEncrypt → Bits → BYTES [0x73, ..., 0xCD])

  17. (diagram: MyEncrypt → Bits → BYTES [0x73, ..., 0xCD] → STRING? NULL)

  18. Encrypt: bytes <-> bytes
    Encode: string <-> bytes
    BASE64
    HEX STRING - "0x0102FF"

  19. ENCRYPTION
    In cryptography, the one-time pad (OTP) is an encryption technique (cipher) that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent.
    key:         A    T    e    5    1    /    b    J    {    z    q    C    G
    plaintext:   L    O    R    E    M    I    P    S    U    M    L    O    R
    ciphertext:  0x12 0xA  0x9F 0x1  0xFF 0x41 0xB  0x97 0x6A 0xA  0xBB 0x3  0x67

  20. SYMMETRIC-KEY ENCRYPTION
    XOR EVERYTHING

  21. XOR - Exclusive OR
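
Worked example added here by the editor; it is not from the deck and not CryptoSwift code. It is written in Python so that it runs on the standard library alone, and it puts the encode/encrypt distinction of slides 14-18 (string → bytes → hex or Base64) next to the one-time pad of slides 19-21, which is nothing more than XOR with a key as long as the message. It also goes one step beyond the slide: a pad that is reused is no longer one-time, and two_time_pad_leak shows that the key cancels out of two ciphertexts. All function names below are this example's own.

```python
import base64
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; for a one-time pad this is the whole cipher."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(key, plaintext)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse: (p ^ k) ^ k == p, so decryption is the same operation
    return xor_bytes(key, ciphertext)


def encode_for_transport(raw: bytes) -> dict:
    """Encoding, not encryption: keyless, reversible text representations of bytes."""
    return {"hex": raw.hex(), "base64": base64.b64encode(raw).decode("ascii")}


def decode_from_transport(hex_text: str) -> bytes:
    return bytes.fromhex(hex_text)


def two_time_pad_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Reusing the pad: c1 ^ c2 == p1 ^ p2. The key drops out, so the XOR of the two
    plaintexts is exposed to anyone holding both ciphertexts, key or no key."""
    return xor_bytes(otp_encrypt(key, p1), otp_encrypt(key, p2))


def demo() -> str:
    message = "Lorem".encode("utf-8")         # string -> bytes is encoding (slide 18)
    key = secrets.token_bytes(len(message))    # fresh random pad of the same length
    ciphertext = otp_encrypt(key, message)
    wire = encode_for_transport(ciphertext)    # bytes -> printable hex / Base64 for transport
    recovered = otp_decrypt(key, decode_from_transport(wire["hex"]))
    return recovered.decode("utf-8")           # bytes -> string is decoding, not decryption
```

demo() round-trips "Lorem" through pad, hex and back; two_time_pad_leak(key, b"ab", b"cd") returns b"\x02\x06", the XOR of the two plaintexts, whatever key was used.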

  23. EVERYTHING IS HARD
    ASYMMETRIC-KEY ENCRYPTION

  24. COMMONCRYPTO
    CCCrypt(kCCEncrypt,
            kCCAlgorithmAES128,       // Algorithm
            kCCOptionPKCS7Padding,    // Padding
            key.bytes,                // Key
            key.length,               // keyLength
            iv.bytes,                 // IV (or NULL)
            data.bytes,               // dataIn
            data.length,              // dataInLength
            cipherData.mutableBytes,  // dataOut
            cipherData.length,        // dataOutAvailable
            &outLength);              // dataOutMoved

  25. COMMONCRYPTO
    CCCrypt(_ op: CCOperation,
            _ alg: CCAlgorithm,
            _ options: CCOptions,
            _ key: UnsafeRawPointer!,
            _ keyLength: Int,
            _ iv: UnsafeRawPointer!,
            _ dataIn: UnsafeRawPointer!,
            _ dataInLength: Int,
            _ dataOut: UnsafeMutableRawPointer!,
            _ dataOutAvailable: Int,
            _ dataOutMoved: UnsafeMutablePointer<Int>!) -> CCCryptorStatus

  26. COMMONCRYPTO
    CCCryptorCreateWithMode(kCCEncrypt,
                            kCCModeCBC,             // Block mode
                            kCCAlgorithmAES128,     // Algorithm
                            kCCOptionPKCS7Padding,  // Padding
                            iv.bytes,               // IV (or NULL)
                            key.bytes,              // Key
                            key.length,             // keyLength
                            NULL,                   // tweak (XTS mode only)
                            0,                      // tweakLength
                            0,                      // numRounds (0 = default)
                            0,                      // options (CCModeOptions)
                            &cryptor);              // cryptorRef

  27. CRYPTOSWIFT
    try AES(key: [1,2,3,...,16],
            blockMode: CBC(iv: [1,2,3,...,16]),
            padding: .pkcs7)

  28. AES
    ADVANCED ENCRYPTION STANDARD
    (diagram: MyEncrypt → Bits → BYTES [0x73, ..., 0xCD] → CIPHER)

  29. CIPHER MODE
    Stream
    Block

  30. STREAM

  31. CIPHER BLOCK MODE
    ...
    CTR - counter mode
    CCM - counter with CBC-MAC
    OFB - output feedback
    GCM - Galois/Counter Mode

  32. COUNTER MODE (CTR)

  33. BLOCK
    16 bytes
    AES

  34. CIPHER BLOCK MODE
    ...
    CBC - cipher-block chaining
    ECB - block dummy mode

  35. CIPHER BLOCK CHAINING (CBC)

  36. IV IS PUBLIC
    INITIALIZATION VECTOR | CIPHERTEXT
    NONCE - In cryptography, a nonce is an arbitrary number that can be used just once

  37. COMMONCRYPTO - CBC
    CCCrypt(kCCEncrypt,
            kCCAlgorithmAES128,       // Algorithm
            kCCOptionPKCS7Padding,    // Padding
            key.bytes,                // Key
            key.length,               // keyLength
            NULL,                     // IV
            data.bytes,               // dataIn
            data.length,              // dataInLength
            cipherData.mutableBytes,  // dataOut
            cipherData.length,        // dataOutAvailable
            &outLength);              // dataOutMoved
    If no IV is provided, an IV of all zeroes will be used.

  38. PADDING

  39. PADDING
    PKCS5 / PKCS7
    Zero Padding
    No Padding

  40. PKCS5 / PKCS7 PADDING
    T E X T ?  ?  ?  ?  ?  ?  ?  ?  ?  ?  ?  ?
    T E X T 12 12 12 12 12 12 12 12 12 12 12 12

  41. ZERO PADDING
    T E X T ? ? ? ? ? ? ? ? ? ? ? ?
    T E X T 0 0 0 0 0 0 0 0 0 0 0 0

  42. NO PADDING

  43. CIPHER BLOCK MODE
    CTR - counter mode - no padding
    CCM - counter with CBC-MAC - no padding
    OFB - output feedback - no padding
    GCM - Galois/Counter Mode - no padding

  44. CIPHER BLOCK MODE
    CBC - cipher-block chaining - PKCS7 padding
    ECB - block dummy mode - PKCS7 padding

  45. PADDING ORACLE ATTACK
    POODLE attack (up to TLS 1.2)

  46. Padding Oracle Attack - plaintext
    dec(Ci)        XX XX XX XX XX XX XX XX
    Ci-1           AB 01 4F 21 00 7C 02 9E
    = encoded data XX XX XX XX XX XX XX XX

  47. Padding Oracle Attack - plaintext - SUCCESS
    dec(Ci)        XX XX XX XX XX XX XX XX
    Ci-1           ZZ ZZ 4F 21 00 7C 02 9E
    = encoded data YY YZ XX XX XX XX XX XX

  48. Padding Oracle Attack - plaintext - ERROR
    dec(Ci)        XX XX XX XX XX XX XX XX
    Ci-1           ZZ ZZ ZZ 21 00 7C 02 9E
    = encoded data YY YZ ZY XX XX XX XX XX

  49. Padding Oracle Attack - plaintext - SUCCESS
    dec(Ci)        XX XX XX XX XX XX XX XX
    Ci-1           AB 01 4F 21 00 7C 02 9E
    = encoded data XX XX 06 06 06 06 06 06

  50. Padding Oracle Attack - plaintext - ERROR
    dec(Ci)        XX XX XX XX XX XX XX XX
    C'i-1          AB 01 4F 21 00 7C 02 9F
    = encoded data XX 07 07 07 07 07 07 07
    0x9E ⊕ 0x06 ⊕ 0x07

  51. Padding Oracle Attack - plaintext - ERROR until SUCCESS
    dec(Ci)        XX XX XX XX XX XX XX XX
    C'i-1          AB 0,1,2,3,.. 4E 20 01 7D 03 9F
    = encoded data XX 07 07 07 07 07 07 07
    0x9E ⊕ 0x06 ⊕ 0x07

  52. Padding Oracle Attack - plaintext
    dec(Ci)        XX 47 XX XX XX XX XX XX
    Ci-1           AB ...,41 4F 21 00 7C 02 9F
    = encoded data XX 07 07 07 07 07 07 07
    XX ⊕ 0x41 = 0x7 ⇒ XX ⊕ 0x01 = (XX ⊕ 0x41) ⊕ (0x41 ⊕ 0x7) ⇒ XX ⊕ 0x01 = 0x07 ⊕ 0x40 = 0x47
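
Worked example added by the editor; it is not from the deck, not CryptoSwift and not CommonCrypto. It ties together slides 36-37 (the IV is public, and a NULL IV means all zeroes), slide 40 (PKCS#7 padding), slides 46-52 (what a padding oracle gives away) and slides 68-70 (a MAC over everything closes it). Python, standard library only, so AES is replaced by a small Feistel network with 8-byte blocks, the same block width the tables on slides 46-52 use; CBC, the padding and the oracle logic are the real thing. recover_last_byte carries out exactly the step slides 49-52 describe, the last byte of one block against an in-process oracle, and returns None once the same oracle verifies a tag first. Keys named "constructed-..." are sample values, not secrets.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # 8-byte blocks, matching the slides' tables (AES uses 16)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher: a 4-round Feistel network with a SHA-256 round function. It only
# stands in for AES so the example runs offline; it is a keyed permutation, which is all CBC needs.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

# PKCS#7 (slide 40): append n bytes of value n; a whole block of padding if already aligned.
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # a distinguishable error: this is the oracle
    return data[:-n]

# CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the first).
def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = pkcs7_pad(plaintext), [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, block), prev))
        prev = block
    return pkcs7_unpad(b"".join(out))

def zero_iv_is_deterministic(key: bytes, msg: bytes) -> tuple:
    """Slide 37: with an all-zero IV equal messages give equal ciphertexts; a fresh IV does not."""
    fixed = cbc_encrypt(key, bytes(BLOCK), msg) == cbc_encrypt(key, bytes(BLOCK), msg)
    fresh = cbc_encrypt(key, secrets.token_bytes(BLOCK), msg) == cbc_encrypt(key, secrets.token_bytes(BLOCK), msg)
    return fixed, fresh

def padding_oracle(key: bytes, prev: bytes, target: bytes) -> bool:
    # a decrypting service that reveals whether the padding came out valid
    try:
        cbc_decrypt(key, prev, target)
        return True
    except ValueError:
        return False

def recover_last_byte(oracle, prev: bytes, target: bytes):
    """Slides 49-52: vary the last byte of C(i-1) until the oracle accepts (plaintext byte 0x01);
    then dec(Ci)[-1] = guess ^ 0x01 and XOR with the original C(i-1)[-1] gives the real byte."""
    for guess in range(256):
        forged = prev[:-1] + bytes([guess])
        if not oracle(forged, target):
            continue
        # 'accepted' could also mean 02 02 (or longer); changing the byte before the
        # last one breaks every padding except 01, so ask once more with it changed
        check = forged[:-2] + bytes([forged[-2] ^ 0xFF]) + forged[-1:]
        if oracle(check, target):
            return guess ^ 0x01 ^ prev[-1]
    return None

def authenticated_oracle(enc_key: bytes, mac_key: bytes, tag: bytes, prev: bytes, target: bytes) -> bool:
    """Encrypt-then-MAC (slides 68-70): a modified IV/ciphertext is rejected before the padding is seen."""
    expected = hmac.new(mac_key, prev + target, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and padding_oracle(enc_key, prev, target)

def demo(message: bytes = b"LOREM IPSUM"):
    key, mac_key = b"constructed-demo-key", b"constructed-mac-key"  # constructed sample keys
    iv = secrets.token_bytes(BLOCK)
    ct = cbc_encrypt(key, iv, message)
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    prev, last = blocks[-2], blocks[-1]
    leaked = recover_last_byte(lambda p, t: padding_oracle(key, p, t), prev, last)
    tag = hmac.new(mac_key, prev + last, hashlib.sha256).digest()  # tag over the IV/ciphertext pair
    closed = recover_last_byte(lambda p, t: authenticated_oracle(key, mac_key, tag, p, t), prev, last)
    return leaked, closed
```

demo() returns (0x05, None): "LOREM IPSUM" is 11 bytes, so its last block ends in five 0x05 padding bytes, and the plain oracle gives that byte up after at most 256 questions, while the oracle that checks the tag first never accepts a forged block. The same two things hold for a real AES-CBC implementation; what makes the difference is not the cipher but whether "bad padding" is observable from outside.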

  57. Frameworks
    mcrypt_

  58. The output is not just a raw ciphertext:
    "IV + Salted__ + 8 random bytes + ciphertext"

  60. Password != Key
    Key != Password
    Implicit conversion between password and key

  61. KEY DERIVATION FUNCTIONS
    password → KDF magic → key
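
Worked example added by the editor (not from the deck or any of the frameworks it mentions) for slides 58, 60 and 61: the "implicit conversion" that turns a password into a key by padding or truncating it, beside a real key derivation function, PBKDF2-HMAC-SHA256 from the Python standard library, and the "Salted__ + 8 random bytes" framing of slide 58 used to carry the salt next to the ciphertext. The iteration count and the "<ciphertext>" placeholder are constructed values for the example.

```python
import hashlib
import secrets

MAGIC = b"Salted__"    # 8-byte header placed before the 8-byte salt (slide 58)
ITERATIONS = 200_000   # constructed choice; size it to your hardware budget and threat model


def naive_key_from_password(password: str, key_len: int = 16) -> bytes:
    """The 'implicit conversion' of slide 60: password bytes truncated or zero-padded
    to the key length. No salt, no work factor, and a key with only as much entropy
    as the password itself."""
    return password.encode("utf-8")[:key_len].ljust(key_len, b"\x00")


def derive_key(password: str, salt: bytes, key_len: int = 16, iterations: int = ITERATIONS) -> bytes:
    """password → KDF → key (slide 61), with PBKDF2-HMAC-SHA256 as the KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, key_len)


def wrap_with_salt(salt: bytes, ciphertext: bytes) -> bytes:
    """Store the salt with the ciphertext: the receiver needs it to re-derive the key."""
    if len(salt) != 8:
        raise ValueError("expected an 8-byte salt")
    return MAGIC + salt + ciphertext


def unwrap_salt(blob: bytes):
    """Split a Salted__ blob back into (salt, ciphertext)."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 8:
        raise ValueError("not a Salted__ blob")
    return blob[8:16], blob[16:]


def demo(password: str = "correct horse") -> dict:
    salt_a, salt_b = secrets.token_bytes(8), secrets.token_bytes(8)
    key_a, key_b = derive_key(password, salt_a), derive_key(password, salt_b)
    blob = wrap_with_salt(salt_a, b"<ciphertext>")   # constructed placeholder ciphertext
    stored_salt, _ = unwrap_salt(blob)
    return {
        "same_password_different_salt_differs": key_a != key_b,
        "rederived_from_stored_salt_matches": derive_key(password, stored_salt) == key_a,
        "naive_key_hex": naive_key_from_password(password).hex(),
    }
```

The salt is what makes the derived key specific to this ciphertext, so it has to travel with it (hence the header); the iteration count is what makes guessing passwords expensive for an attacker without making a single legitimate derivation noticeably slow.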

  63. CRYPTOSWIFT
    try AES(key: [1,2,3,...,16],
            blockMode: CBC(iv: [1,2,3,...,16]),
            padding: .pkcs7)
    was modified?
    is authentic?
    sent by impostor?

  64. Cryptography course was given in an hour

  67. MAC
    MESSAGE AUTHENTICATION CODE
    ALSO KNOWN AS "TAG"

  68. MAC
    IV | CIPHERTEXT | TAG

  69. AUTHENTICATE
    IV | CIPHERTEXT | TAG
    EVERYTHING → MAC → TAG

  70. AUTHENTICATE
    EVERYTHING → MAC → TAG
    "A security flaw in your operating system allows carefully encrypted messages to be effectively decrypted offline. That’s what happened to Apple with its iOS 9.2 operating system."
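
Worked example added by the editor, not from the deck, for slides 67-70: an HMAC tag computed over the IV and the ciphertext together ("everything"), checked with a constant-time comparison before anything is decrypted. The ciphertext here is random bytes standing in for AES-CBC output, since the point is what the tag covers, not the cipher; the MAC key is a constructed sample value. The last result shows why slide 69 says "everything": a tag over the ciphertext alone accepts a modified IV, and in CBC a flipped IV bit flips the same bit of the first plaintext block.

```python
import hashlib
import hmac
import secrets


def tag_everything(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Slide 69: the tag covers the IV and the ciphertext, i.e. everything the
    receiver will hand to the decryptor."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def tag_ciphertext_only(mac_key: bytes, ciphertext: bytes) -> bytes:
    """The incomplete variant: the IV is left out of the tag."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(expected: bytes, received: bytes) -> bool:
    # constant-time compare: a plain == returns at the first differing byte and so
    # leaks, through timing, how much of a guessed tag was right
    return hmac.compare_digest(expected, received)


def receive(mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes, cover_iv: bool = True) -> bool:
    """Receiver side: recompute the tag over what arrived and check it before decrypting."""
    expected = tag_everything(mac_key, iv, ciphertext) if cover_iv else tag_ciphertext_only(mac_key, ciphertext)
    return verify(expected, tag)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    mac_key = b"constructed-mac-key"      # constructed; keep it separate from the encryption key
    iv = secrets.token_bytes(16)
    ciphertext = secrets.token_bytes(32)   # stands in for AES-CBC output
    full_tag = tag_everything(mac_key, iv, ciphertext)
    partial_tag = tag_ciphertext_only(mac_key, ciphertext)
    tampered_iv = flip_bit(iv, 0, 0)       # in CBC this flips bit 0 of plaintext byte 0
    tampered_ct = flip_bit(ciphertext, 5, 3)
    return {
        "genuine_accepted": receive(mac_key, iv, ciphertext, full_tag),
        "iv_tamper_caught": not receive(mac_key, tampered_iv, ciphertext, full_tag),
        "ct_tamper_caught": not receive(mac_key, iv, tampered_ct, full_tag),
        "iv_tamper_missed_without_iv_in_tag": receive(mac_key, tampered_iv, ciphertext, partial_tag, cover_iv=False),
    }
```

All four entries of demo() come back True: the genuine message passes, tampering with either the IV or the ciphertext is caught when the tag covers both, and the ciphertext-only tag lets the IV change go through unnoticed.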

  71. Banal, nothing new

  72. KEY EXCHANGE
    ASYMMETRIC CRYPTOGRAPHY
    Diffie–Hellman key exchange
    PUBLIC KEY - PRIVATE KEY
    PUBLIC KEY ENCRYPTS
    PRIVATE KEY DECRYPTS

  73. KEY EXCHANGE
    ASYMMETRIC IS SLOW
    USE IT TO TRANSMIT A SESSION KEY FOR A SYMMETRIC CIPHER

  74. KEY EXCHANGE
    GENERATE SESSION KEY
    ENCRYPT SESSION KEY WITH PUBLIC KEY →
    ← DECRYPT SESSION KEY WITH PRIVATE KEY
    ESTABLISH AES ENCRYPTION
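
Worked example added by the editor, not from the deck, for slides 72-74: both sides of a key exchange, with a symmetric session key coming out at the end. Slide 74 describes carrying a generated session key under the other party's public key; the Python standard library has no RSA, so this example uses the Diffie–Hellman exchange named on slide 72, where each side publishes one value and both arrive at the same secret, and then hashes that secret into an AES-sized key as slide 74's "establish AES encryption" step needs. The group (p = 2**127 - 1, g = 2) is a toy size chosen for the example; real deployments use standardized 2048-bit or larger groups or elliptic curves.

```python
import hashlib
import secrets

# Toy group for illustration only: a 127-bit Mersenne prime is far too small for real
# use; deployments use standardized 2048-bit+ groups or elliptic-curve Diffie-Hellman.
P = 2**127 - 1
G = 2


def dh_keypair(p: int = P, g: int = G):
    """Private exponent stays local; only the public value g^private mod p is sent."""
    private = secrets.randbelow(p - 2) + 1        # 1 <= private <= p - 2
    public = pow(g, private, p)
    return private, public


def dh_shared_secret(my_private: int, their_public: int, p: int = P) -> int:
    # reject 0, 1 and p-1: those public values force a trivial, attacker-known secret
    if not 1 < their_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def session_key_from_secret(secret: int, key_len: int = 16) -> bytes:
    """Slide 74's session key: never use the raw group element as the AES key; hash it
    down to a fixed-size key (a single extract step; HKDF is the complete answer)."""
    as_bytes = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"session-key" + as_bytes).digest()[:key_len]


def establish_session():
    """Both sides' messages in one place: each party sends only its public value."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    # Alice -> Bob: alice_pub          Bob -> Alice: bob_pub
    alice_key = session_key_from_secret(dh_shared_secret(alice_priv, bob_pub))
    bob_key = session_key_from_secret(dh_shared_secret(bob_priv, alice_pub))
    return alice_key, bob_key


def session_keys_match() -> bool:
    alice_key, bob_key = establish_session()
    return alice_key == bob_key and len(alice_key) == 16
```

Note what the exchange does and does not give you: both parties end with the same 16-byte key without it ever crossing the wire, but nothing here tells Alice that the public value she received really came from Bob. That is the "sent by impostor?" question from slide 63 again, and it is answered by authenticating the exchange (signatures or certificates), not by the exchange itself.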

  81. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE
    ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM A PASSWORD
    ➤ PADDING CAN BE DANGEROUS
    ➤ AUTHENTICATE MESSAGE WITH A MAC
    ➤ USE RSA TO EXCHANGE AES KEY

  82. There were some useful mentions about crypto that I'd never heard before. But it wasn't as complete as I expected.

  83. Connecting designers and developers!
    Thank you!