Stories from the crypt(ography)

Transcript

1. The future in mobile Why? Because I can Stories from

   the crypt(ography)
2. None
3. None
4. None
5. None
6. None

7. Marcin Krzyżanowski PDFViewer.io pspdfkit.com @krzyzanowskim github.com/krzyzanowskim CryptoSwift ObjectivePGP blog.krzyzanowskim.com

8. CRYPTOSWIFT https://cryptoswift.io https://github.com/krzyzanowskim/CryptoSwift

9. Cryptography course was given in an hour

10. There were some useful mentions about crypto, that I've never

    heard before. But it wasn't so completed as I expected

11. Banal, nothing new

12. Obvious things were explained

13. None

14. UInt8 = byte = 8 bits

15. , Loren lpsum " STRING @x4CyOx6Fi0x72y0x65i0x6D.i . . ) BYTES

    £iorI , . . . . Bits 1001100 w a t t t d MyENCRypt

16. MyENCRypt 1 t I t yinnoonn , . . .

    Bits d to [0×73 , OxcD] BYTES

17. 1 t I t yinnoonn , . . . Bits

    d to [0×73 , OxcD] BYTES i. STRING ? NULL

18. Encrypt: bytes<->bytes Encode: string<->bytes BASE64 HEX STRING - "0x0102FF"

19. ENCRYPTION in cryptography, the one-time pad (OTP) is an encryption

    technique (cipher) that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. key A T e 5 1 / b J { z q C G plaintext L O R E M I P S U M L O R ciphertext 0x12 0xA 0x9F 0x1 0xFF 0x41 0xB 0x97 0x6A 0xA 0xBB 0x3 0x67

20. SYMMETRIC-KEY ENCRYPTION XOR EVERYTHING

21. XORXOR - Exclusive oR

22. None

23. EVERYTHING IS HARD ASYMMETRIC-KEY ENCRYPTION

24. CCCrypt(kCCEncrypt, kCCAlgorithmAES128, // Algorithm kCCOptionPKCS7Padding, // Padding key.bytes, // Key

    key.length, // keylength iv.bytes,// IV (NULL) data.bytes, // dataIn data.length, // dataInLength, cipherData.mutableBytes, // dataOut cipherData.length, // dataOutAvailable &outLength); // dataOutMoved COMMONCRYPTO

25. COMMONCRYPTO CCCrypt(_ op: CCOperation, _ alg: CCAlgorithm, _ options: CCOptions,

    _ key: UnsafeRawPointer!, _ keyLength: Int, _ iv: UnsafeRawPointer!, _ dataIn: UnsafeRawPointer!, _ dataInLength: Int, _ dataOut: UnsafeMutableRawPointer!, _ dataOutAvailable: Int, _ dataOutMoved: UnsafeMutablePointer<Int>!) -> CCCryptorStatus

26. CCCryptorCreateWithMode(kCCEncrypt, kCCModeCBC, // Block mode kCCAlgorithmAES128, // Algorithm kCCOptionPKCS7Padding, //

    Padding iv.bytes, // IV (OR NULL) key.bytes, // Key key.length, NULL, 0, 0, 0, &cryptor) COMMONCRYPTO

27. try AES(key: [1,2,3,...,16], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) CRYPTOSWIFT

28. AES ADVANCED ENCRYPTION STANDARD MyENCRypt 1 t I t yinnoonn

    , . . . Bits d to [0×73 , OxcD] BYTES CIPHER

29. CIPHER MODE Stream Block

30. STREAM

31. CIPHER BLOCK MODE ... CTR counter mode CCM counter with

    CBC OFB output feedback GCM Galois/Counter Mode

32. COUNTER MODE (CTR)

33. BLOCK 16 bytes AES

34. CIPHER BLOCK MODE ... CBC cipher-block chaining ECB block dummy

    mode

35. CIPHER BLOCK CHAINING (CBC)

36. IV IS PUBLIC INITIALIZATIONVECTORCIPHERTEXT NONCE - In cryptography, a nonce

    is an arbitrary number that can be used just once

37. CCCrypt(kCCEncrypt, kCCAlgorithmAES128, // Algorithm kCCOptionPKCS7Padding, // Padding key.bytes, // Key

    key.length, // keylength NULL, // IV data.bytes, // dataIn data.length, // dataInLength, cipherData.mutableBytes, // dataOut cipherData.length, // dataOutAvailable &outLength); // dataOutMoved COMMONCRYPTO CBC If no IV is provided, an IV of all zeroes will be used.

38. PADDING

39. PADDING PKCS5 / PKCS7 Zero Padding No Padding

40. PKCS5 / PKCS7 PADDING T E X T ? ?

    ? ? ? ? ? ? ? ? ? ? T E X T 12 12 12 12 12 12 12 12 12 12 12 12

41. Zero Padding PADDING T E X T ? ? ?

    ? ? ? ? ? ? ? ? ? T E X T 0 0 0 0 0 0 0 0 0 0 0 0

42. NO PADDING

43. CIPHER BLOCK MODE CTR counter mode CCM counter with CBC

    OFB output feedback GCM Galois/Counter Mode no padding no padding no padding no padding

44. CIPHER BLOCK MODE CBC cipher-block chaining ECB block dummy mode

    PKCS7 padding PKCS7 padding

45. PADDING ORACLE ATTACK POODLE attack (up to TLS 1.2)

46. Padding Oracle Attack plaintext dec(Ci) XX XX XX XX XX

    XX XX XX Ci-1 AB 1 4F 21 0 7C 2 9E encoded data XX XX XX XX XX XX XX XX ⊕ =

47. SUCCESS Padding Oracle Attack plaintext dec(Ci) XX XX XX XX

    XX XX XX XX Ci-1 ZZ ZZ 4F 21 0 7C 2 9E encoded data YY YZ XX XX XX XX XX XX ⊕ =

48. ERROR Padding Oracle Attack plaintext dec(Ci) XX XX XX XX

    XX XX XX XX Ci-1 ZZ ZZ ZZ 21 0 7C 2 9E encoded data YY YZ ZY XX XX XX XX XX ⊕ =

49. Padding Oracle Attack plaintext dec(Ci) XX XX XX XX XX

    XX XX XX Ci-1 AB 1 4F 21 0 7C 2 9E encoded data XX XX 6 6 6 6 6 6 SUCCESS ⊕ =

50. Padding Oracle Attack plaintext dec(Ci) XX XX XX XX XX

    XX XX XX C'i-1 AB 1 4F 21 0 7C 2 9F encoded data XX 7 7 7 7 7 7 7 ERROR 0x9E ⊕ 0x06 ⊕ 0x07 ⊕ =

51. Padding Oracle Attack plaintext dec(Ci) XX XX XX XX XX

    XX XX XX C'i-1 AB 0,1,2,3,.. 4E 20 1 7D 3 9F encoded data XX 7 7 7 7 7 7 7 ERROR until SUCCESS 0x9E ⊕ 0x06 ⊕ 0x07 ⊕ =

52. Padding Oracle Attack plaintext dec(Ci) XX 47 XX XX XX

    XX XX XX Ci-1 AB ..., 41 4F 21 0 7C 2 9F encoded data XX 7 7 7 7 7 7 7 XX ⊕ 0x41 = 0x7 ⇒ XX ⊕ 0x01 = (XX ⊕ 0x41) ⊕ (0x41 ⊕ 0x7) ⇒ XX ⊕ 0x01 = 0x07 ⊕ 0x40 = 0x47 ⊕ =

53. Padding Oracle Attack plaintext dec(Ci) XX 47 XX XX XX

    XX XX XX Ci-1 AB ..., 41 4F 21 0 7C 2 9F encoded data XX 7 7 7 7 7 7 7 XX ⊕ 0x41 = 0x7 ⇒ XX ⊕ 0x01 = (XX ⊕ 0x41) ⊕ (0x41 ⊕ 0x7) ⇒ XX ⊕ 0x01 = 0x07 ⊕ 0x40 = 0x47 ⊕ =
54. None
55. None
56. None

57. Frameworks mcrypt_

58. The output is not just a raw ciphertext "IV +

    Salted__ + 8 random bytes + ciphertext"
59. None

60. Password != Key Key != Password Implicit conversion between password

    and key

61. KEY DERIVATION FUNCTIONS password → KDF magic → key

62. try AES(key: [1,2,3,...,16], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) CRYPTOSWIFT

63. try AES(key: [1,2,3,...,16], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) CRYPTOSWIFT was

    modified? is authentic? sent by impostor?

64. Cryptography course was given in an hour

65. MAC

66. MAC MESSAGE AUTHENTICATION CODE

67. MAC MESSAGE AUTHENTICATION CODE ALSO KNOWN AS "TAG"

68. MAC IV CIPHERTEXT TAG

69. AUTHENTICATE IV CIPHERTEXT TAG EVERYTHING TAG MAC

70. AUTHENTICATE TAG A security flaw in your operating system allows

    carefully encrypted messages to be effectively decrypted offline. That’s what happened to Apple with its iOS 9.2 operating system. EVERYTHING MAC

71. Banal, nothing new

72. KEY EXCHANGE ASSYMETRIC CRYPTOGRAPHY Diffie–Hellman key exchange PUBLIC KEY -

    PRIVATE KEY PUBLIC KEY ENCRYPTS PRIVATE KEY DECRYPTS

73. KEY EXCHANGE ASYMMETRIC IS SLOW USE TO TRANSMIT SESSION KEY

    FOR A SYMMETRIC CIPHER

74. KEY EXCHANGE GENERATE SESSION KEY ENCRYPT SESSION KEY WITH PUBLIC

    KEY → ← DECRYPT SESSION KEY WITH PRIVATE KEY ESTABLISH AES ENCRYPTION

75. ➤ CIPHER (STREAM OR BLOCK)

76. ➤ CIPHER (STREAM OR BLOCK) ➤ CIPHER OPERATION MODE -

    CBC

77. ➤ CIPHER (STREAM OR BLOCK) ➤ CIPHER OPERATION MODE -

    CBC ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE

78. ➤ CIPHER (STREAM OR BLOCK) ➤ CIPHER OPERATION MODE -

    CBC ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM A PASSWORD

79. ➤ CIPHER (STREAM OR BLOCK) ➤ CIPHER OPERATION MODE -

    CBC ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM A PASSWORD ➤ PADDING CAN BE DANGEROUS

80. ➤ CIPHER (STREAM OR BLOCK) ➤ CIPHER OPERATION MODE -

    CBC ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM A PASSWORD ➤ PADDING CAN BE DANGEROUS ➤ AUTHENTICATE MESSAGE WITH A MAC

81. ➤ CIPHER (STREAM OR BLOCK) ➤ CIPHER OPERATION MODE -

    CBC ➤ IV - INITIALIZATION VECTOR (NONCE) - SHOULD BE RANDOM AND USED ONCE ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM A PASSWORD ➤ PADDING CAN BE DANGEROUS ➤ AUTHENTICATE MESSAGE WITH A MAC ➤ USE RSA TO EXCHANGE AES KEY

82. There were some useful mentions about crypto, that I've never

    heard before. But it wasn't so completed as I expected

83. Connecting designers and developers! Thank you!

84. Marcin Krzyżanowski PDFViewer.io pspdfkit.com @krzyzanowskim github.com/krzyzanowskim CryptoSwift ObjectivePGP blog.krzyzanowskim.com