Stories from the crypt(ography)

Transcript

1. The future in mobile
   Why? Because I can
   Stories from the
   crypt(ography)
   

   View Slide

2. View Slide

3. View Slide

4. View Slide

5. View Slide

6. View Slide

7. Marcin Krzyżanowski
   PDFViewer.io
   pspdfkit.com
   @krzyzanowskim
   github.com/krzyzanowskim
   CryptoSwift
   ObjectivePGP
   blog.krzyzanowskim.com
   

   View Slide

8. CRYPTOSWIFT
   https://cryptoswift.io
   https://github.com/krzyzanowskim/CryptoSwift
   

   View Slide

9. Cryptography course was given in an hour
   

   View Slide

10. There were some useful mentions about
    crypto, that I've never heard before. But it
    wasn't so completed as I expected
    

    View Slide

11. Banal, nothing new
    

    View Slide

12. Obvious things were explained
    

    View Slide

13. View Slide

14. UInt8 = byte = 8 bits
    

    View Slide

15. ,
    Loren lpsum " STRING
    @x4CyOx6Fi0x72y0x65i0x6D.i
    . .
    )
    BYTES
    £iorI
    , . .
    .
    .
    Bits
    1001100
    w a
    t
    t t d
    MyENCRypt
    

    View Slide

16. MyENCRypt
    1 t I t
    yinnoonn , .
    .
    .
    Bits
    d to
    [0×73
    ,
    OxcD]
    BYTES
    

    View Slide

17. 1 t I t
    yinnoonn , .
    .
    .
    Bits
    d to
    [0×73
    ,
    OxcD]
    BYTES
    i. STRING ?
    NULL
    

    View Slide

18. Encrypt: bytes<->bytes
    Encode: string<->bytes
    BASE64
    HEX STRING - "0x0102FF"
    

    View Slide

19. ENCRYPTION
    in cryptography, the one-time pad (OTP) is an
    encryption technique (cipher) that cannot be
    cracked, but requires the use of a one-time
    pre-shared key the same size as, or longer
    than, the message being sent.
    key A T e 5 1 / b J { z q C G
    plaintext L O R E M I P S U M L O R
    ciphertext 0x12 0xA 0x9F 0x1 0xFF 0x41 0xB 0x97 0x6A 0xA 0xBB 0x3 0x67
    

    View Slide

20. SYMMETRIC-KEY ENCRYPTION
    XOR EVERYTHING
    

    View Slide

21. XORXOR - Exclusive oR
    

    View Slide

22. View Slide

23. EVERYTHING IS HARD
    ASYMMETRIC-KEY ENCRYPTION
    

    View Slide

24. CCCrypt(kCCEncrypt,
    kCCAlgorithmAES128, // Algorithm
    kCCOptionPKCS7Padding, // Padding
    key.bytes, // Key
    key.length, // keylength
    iv.bytes,// IV (NULL)
    data.bytes, // dataIn
    data.length, // dataInLength,
    cipherData.mutableBytes, // dataOut
    cipherData.length, // dataOutAvailable
    &outLength); // dataOutMoved
    COMMONCRYPTO
    

    View Slide

25. COMMONCRYPTO
    CCCrypt(_ op: CCOperation,
    _ alg: CCAlgorithm,
    _ options: CCOptions,
    _ key: UnsafeRawPointer!,
    _ keyLength: Int,
    _ iv: UnsafeRawPointer!,
    _ dataIn: UnsafeRawPointer!,
    _ dataInLength: Int,
    _ dataOut: UnsafeMutableRawPointer!,
    _ dataOutAvailable: Int,
    _ dataOutMoved: UnsafeMutablePointer!) -> CCCryptorStatus
    

    View Slide

26. CCCryptorCreateWithMode(kCCEncrypt,
    kCCModeCBC, // Block mode
    kCCAlgorithmAES128, // Algorithm
    kCCOptionPKCS7Padding, // Padding
    iv.bytes, // IV (OR NULL)
    key.bytes, // Key
    key.length,
    NULL,
    0,
    0,
    0,
    &cryptor)
    COMMONCRYPTO
    

    View Slide

27. try AES(key: [1,2,3,...,16],
    blockMode: CBC(iv: [1,2,3,...,16]),
    padding: .pkcs7)
    CRYPTOSWIFT
    

    View Slide

28. AES
    ADVANCED ENCRYPTION STANDARD
    MyENCRypt
    1 t I t
    yinnoonn , .
    .
    .
    Bits
    d to
    [0×73
    ,
    OxcD]
    BYTES
    CIPHER
    

    View Slide

29. CIPHER MODE
    Stream
    Block
    

    View Slide

30. STREAM
    

    View Slide

31. CIPHER BLOCK MODE
    ...
    CTR counter mode
    CCM counter with CBC
    OFB output feedback
    GCM Galois/Counter Mode
    

    View Slide

32. COUNTER MODE (CTR)
    

    View Slide

33. BLOCK
    16 bytes
    AES
    

    View Slide

34. CIPHER BLOCK MODE
    ...
    CBC cipher-block chaining
    ECB block dummy mode
    

    View Slide

35. CIPHER BLOCK CHAINING (CBC)
    

    View Slide

36. IV IS PUBLIC
    INITIALIZATIONVECTORCIPHERTEXT
    NONCE - In cryptography, a nonce is an
    arbitrary number that can be used just
    once
    

    View Slide

37. CCCrypt(kCCEncrypt,
    kCCAlgorithmAES128, // Algorithm
    kCCOptionPKCS7Padding, // Padding
    key.bytes, // Key
    key.length, // keylength
    NULL, // IV
    data.bytes, // dataIn
    data.length, // dataInLength,
    cipherData.mutableBytes, // dataOut
    cipherData.length, // dataOutAvailable
    &outLength); // dataOutMoved
    COMMONCRYPTO
    CBC
    If no IV is provided, an IV of all zeroes will be used.
    

    View Slide

38. PADDING
    

    View Slide

39. PADDING
    PKCS5 / PKCS7
    Zero Padding
    No Padding
    

    View Slide

40. PKCS5 / PKCS7
    PADDING
    T E X T ? ? ? ? ? ? ? ? ? ? ? ?
    T E X T 12 12 12 12 12 12 12 12 12 12 12 12
    

    View Slide

41. Zero Padding
    PADDING
    T E X T ? ? ? ? ? ? ? ? ? ? ? ?
    T E X T 0 0 0 0 0 0 0 0 0 0 0 0
    

    View Slide

42. NO PADDING
    

    View Slide

43. CIPHER BLOCK MODE
    CTR counter mode
    CCM counter with CBC
    OFB output feedback
    GCM Galois/Counter Mode
    no padding
    no padding
    no padding
    no padding
    

    View Slide

44. CIPHER BLOCK MODE
    CBC cipher-block chaining
    ECB block dummy mode
    PKCS7 padding
    PKCS7 padding
    

    View Slide

45. PADDING ORACLE ATTACK
    POODLE attack (up to TLS 1.2)
    

    View Slide

46. Padding Oracle Attack
    plaintext
    dec(Ci) XX XX XX XX XX XX XX XX
    Ci-1 AB 1 4F 21 0 7C 2 9E
    encoded data XX XX XX XX XX XX XX XX
    ⊕
    =
    

    View Slide

47. SUCCESS
    Padding Oracle Attack
    plaintext
    dec(Ci) XX XX XX XX XX XX XX XX
    Ci-1 ZZ ZZ 4F 21 0 7C 2 9E
    encoded data YY YZ XX XX XX XX XX XX
    ⊕
    =
    

    View Slide

48. ERROR
    Padding Oracle Attack
    plaintext
    dec(Ci) XX XX XX XX XX XX XX XX
    Ci-1 ZZ ZZ ZZ 21 0 7C 2 9E
    encoded data YY YZ ZY XX XX XX XX XX
    ⊕
    =
    

    View Slide

49. Padding Oracle Attack
    plaintext
    dec(Ci) XX XX XX XX XX XX XX XX
    Ci-1 AB 1 4F 21 0 7C 2 9E
    encoded data XX XX 6 6 6 6 6 6
    SUCCESS
    ⊕
    =
    

    View Slide

50. Padding Oracle Attack
    plaintext
    dec(Ci) XX XX XX XX XX XX XX XX
    C'i-1 AB 1 4F 21 0 7C 2 9F
    encoded data XX 7 7 7 7 7 7 7
    ERROR
    0x9E ⊕ 0x06 ⊕ 0x07
    ⊕
    =
    

    View Slide

51. Padding Oracle Attack
    plaintext
    dec(Ci) XX XX XX XX XX XX XX XX
    C'i-1 AB 0,1,2,3,.. 4E 20 1 7D 3 9F
    encoded data XX 7 7 7 7 7 7 7
    ERROR until SUCCESS
    0x9E ⊕ 0x06 ⊕ 0x07
    ⊕
    =
    

    View Slide

52. Padding Oracle Attack
    plaintext
    dec(Ci) XX 47 XX XX XX XX XX XX
    Ci-1 AB ..., 41 4F 21 0 7C 2 9F
    encoded data XX 7 7 7 7 7 7 7
    XX ⊕ 0x41 = 0x7 ⇒ XX ⊕ 0x01 = (XX ⊕ 0x41) ⊕ (0x41 ⊕ 0x7) ⇒ XX ⊕ 0x01 = 0x07 ⊕ 0x40 = 0x47
    ⊕
    =
    

    View Slide

53. Padding Oracle Attack
    plaintext
    dec(Ci) XX 47 XX XX XX XX XX XX
    Ci-1 AB ..., 41 4F 21 0 7C 2 9F
    encoded data XX 7 7 7 7 7 7 7
    XX ⊕ 0x41 = 0x7 ⇒ XX ⊕ 0x01 = (XX ⊕ 0x41) ⊕ (0x41 ⊕ 0x7) ⇒ XX ⊕ 0x01 = 0x07 ⊕ 0x40 = 0x47
    ⊕
    =
    

    View Slide

54. View Slide

55. View Slide

56. View Slide

57. Frameworks
    mcrypt_
    

    View Slide

58. The output is not just a raw ciphertext
    "IV + Salted__ + 8 random bytes + ciphertext"
    

    View Slide

59. View Slide

60. Password != Key
    Key != Password
    Implicit conversion
    between password and
    key
    

    View Slide

61. KEY DERIVATION FUNCTIONS
    password → KDF magic → key
    

    View Slide

62. try AES(key: [1,2,3,...,16],
    blockMode: CBC(iv: [1,2,3,...,16]),
    padding: .pkcs7)
    CRYPTOSWIFT
    

    View Slide

63. try AES(key: [1,2,3,...,16],
    blockMode: CBC(iv: [1,2,3,...,16]),
    padding: .pkcs7)
    CRYPTOSWIFT
    was modified?
    is authentic?
    sent by impostor?
    

    View Slide

64. Cryptography course was given in an hour
    

    View Slide

65. MAC
    

    View Slide

66. MAC
    MESSAGE AUTHENTICATION CODE
    

    View Slide

67. MAC
    MESSAGE AUTHENTICATION CODE
    ALSO KNOWN AS
    "TAG"
    

    View Slide

68. MAC
    IV CIPHERTEXT TAG
    

    View Slide

69. AUTHENTICATE
    IV CIPHERTEXT TAG
    EVERYTHING TAG
    MAC
    

    View Slide

70. AUTHENTICATE
    TAG
    A security flaw in your operating system allows
    carefully encrypted messages to be effectively
    decrypted offline. That’s what happened to Apple
    with its iOS 9.2 operating system.
    EVERYTHING
    MAC
    

    View Slide

71. Banal, nothing new
    

    View Slide

72. KEY EXCHANGE
    ASSYMETRIC CRYPTOGRAPHY
    Diffie–Hellman key exchange
    PUBLIC KEY - PRIVATE KEY
    PUBLIC KEY ENCRYPTS
    PRIVATE KEY DECRYPTS
    

    View Slide

73. KEY EXCHANGE
    ASYMMETRIC IS SLOW
    USE TO TRANSMIT SESSION KEY FOR A SYMMETRIC CIPHER
    

    View Slide

74. KEY EXCHANGE
    GENERATE SESSION KEY
    ENCRYPT SESSION KEY WITH PUBLIC KEY →
    ← DECRYPT SESSION KEY WITH PRIVATE KEY
    ESTABLISH AES ENCRYPTION
    

    View Slide

75. ➤ CIPHER (STREAM OR BLOCK)
    

    View Slide

76. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    

    View Slide

77. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    ➤ IV - INITIALIZATION VECTOR (NONCE) -
    SHOULD BE RANDOM AND USED ONCE
    

    View Slide

78. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    ➤ IV - INITIALIZATION VECTOR (NONCE) -
    SHOULD BE RANDOM AND USED ONCE
    ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM
    A PASSWORD
    

    View Slide

79. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    ➤ IV - INITIALIZATION VECTOR (NONCE) -
    SHOULD BE RANDOM AND USED ONCE
    ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM
    A PASSWORD
    ➤ PADDING CAN BE DANGEROUS
    

    View Slide

80. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    ➤ IV - INITIALIZATION VECTOR (NONCE) -
    SHOULD BE RANDOM AND USED ONCE
    ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM
    A PASSWORD
    ➤ PADDING CAN BE DANGEROUS
    ➤ AUTHENTICATE MESSAGE WITH A MAC
    

    View Slide

81. ➤ CIPHER (STREAM OR BLOCK)
    ➤ CIPHER OPERATION MODE - CBC
    ➤ IV - INITIALIZATION VECTOR (NONCE) -
    SHOULD BE RANDOM AND USED ONCE
    ➤ PASSWORD IS NOT A KEY. DERIVE KEY FROM
    A PASSWORD
    ➤ PADDING CAN BE DANGEROUS
    ➤ AUTHENTICATE MESSAGE WITH A MAC
    ➤ USE RSA TO EXCHANGE AES KEY
    

    View Slide

82. There were some useful mentions about
    crypto, that I've never heard before. But it
    wasn't so completed as I expected
    

    View Slide

83. Connecting designers
    and developers!
    Thank you!
    

    View Slide

84. Marcin Krzyżanowski
    PDFViewer.io
    pspdfkit.com
    @krzyzanowskim
    github.com/krzyzanowskim
    CryptoSwift
    ObjectivePGP
    blog.krzyzanowskim.com
    

    View Slide