BSides Indy: Crypto Defenses & Real World Threats

(A work in progress)

Kenneth White

March 13, 2017

Transcript

  1. 2.

    Focus
    •  Legends, myths, and the oral tradition
    •  Threats, threat modeling, and snake oil
    •  Emerging work
    •  Parting thoughts
  2. 3.

    My weird path
    •  Cognitive Science/Computational Neuroscience
    •  ML & signal processing
    •  Safety-critical system development
    •  Mission system ops & network defense
    •  Offense
    •  Applied crypto engineering
    •  Open Crypto Audit Project (opencryptoaudit.org)
  43. 78.

    Praetorian Root Cause of Compromise Analysis
    Vectors commonly used by attackers to compromise internal networks after achieving initial access. Data set includes 100 separate penetration test engagements spanning 75 unique organizations.
    https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf
  45. 82.

    (Some) Crypto Defenses
    •  Network Transport Encryption
    •  Disk/Volume Encryption
    •  File Encryption
    •  Memory Encryption
    •  Data-in-Use Encryption
    •  Hardware Security Modules
  46. 83.

    Network Transport Encryption (SSL, TLS, IPsec, ssh)
    •  Data exposure (confidentiality)
    •  Network intercept (passive & active)
    •  Credential theft (authentication)
    •  Identity theft (authorization)
    •  Authenticated cipher suites (integrity)
    •  Past session decrypt (long-lived key capture)
    •  Data-in-Motion compliance
  55. 98.

    Real-world Endpoint SSL/TLS
    •  Apache
    •  Nginx
    •  HAProxy
    •  Go
    •  AWS ELB & CloudFront
    •  CloudFlare
    •  CDNs
  56. 99.

    Real-world Endpoint SSL/TLS
    Protocol: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    Cipher: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    Key exchange: RSA, DH, DHE, ECDH/E
    MAC: MD5, SHA-1, SHA-256, SHA-384, Poly1305
    Mode: ECB, CBC, GCM, OCB
    Cert: ECDSA, RSA
  59. 102.

    Real-world Endpoint SSL/TLS (continued)
    Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  64. 110.

    TLS 1.3 RFC Draft (v. 19, March 2017)
    •  MUST implement cipher suite: TLS_AES_128_GCM_SHA256
    •  SHOULD implement cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
    •  MUST support certificate digital signatures: rsa_pkcs1_sha256, rsa_pss_sha256, ecdsa_secp256r1_sha256
    •  MUST support key exchange with curve: secp256r1 (NIST P-256)
    •  SHOULD support key exchange with curve: X25519
  66. 112.

    My (point-in-time) Advice
    •  Prefer forward secret authenticated encryption with associated data (AEAD) mode of operation ciphers
    •  If possible, explicitly declare server cipher suites (vs. wildcards):
       –  Key exchange
       –  Certificate type
       –  Symmetric cipher
       –  Mode of operation (if block cipher)
       –  Message authenticator construction
  67. 113.

    My (point-in-time) Advice
    •  Prefer forward secret authenticated encryption with associated data (AEAD) mode of operation ciphers (ChaCha20/Poly1305, AES-GCM…)
    •  If possible, explicitly declare server cipher suites (vs. wildcards):
       –  Key exchange (e.g. Ephemeral Elliptic Curve Diffie-Hellman)
       –  Certificate type (e.g., ECDSA or RSA)
       –  Symmetric cipher (e.g., ChaCha20, AES 128)
       –  Mode of operation (if block cipher, e.g. GCM)
       –  Message authenticator construction or PRF (e.g., SHA256)
  68. 114.

    My (point-in-time) Advice
    •  Prefer forward secret authenticated encryption with associated data (AEAD) mode of operation ciphers
    •  If possible, explicitly declare server cipher suites (vs. wildcards):
       –  Key exchange
       –  Certificate type
       –  Symmetric cipher
       –  Mode of operation (if block cipher)
       –  Message authenticator construction or PRF
    Example:
    •  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    •  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    •  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  70. 116.

    My (point-in-time) Advice
    These five cipher suites provide broad support for browsers, Android and iOS mobile clients, Windows Server 2008 & 2012, and most web service endpoints:
    If ECDSA certificates:
    •  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    •  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    •  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (0xcca9)
    •  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
    •  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    If RSA certificates:
    •  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    •  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    •  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (0xcc14)
    •  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
    •  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
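    To make the advice above concrete (declare a suite by its key exchange, certificate type, symmetric cipher, mode and MAC/PRF, and prefer forward secret AEAD suites), here is an added example that is not code from the talk: it splits IANA suite names into those components and filters a constructed list for suites that are both forward secret and AEAD. The sample list, the Suite class and the parse_suite/recommended functions are this example's own assumptions.

```python
"""Split IANA cipher-suite names into the components the advice above says to declare
explicitly, then flag which suites are forward secret and AEAD (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: three suites named on the slides plus one static-RSA suite for contrast.
SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

# TLS 1.2 form: TLS_<kex>[_<auth>]_WITH_<cipher>[_<mode>]_<mac>; TLS 1.3 names have no "_WITH_".
_NAME = re.compile(
    r"^TLS_(?:(?P<kex>[A-Z0-9_]+?)_WITH_)?(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA\d*|POLY1305|MD5)$")

@dataclass
class Suite:
    name: str
    key_exchange: str  # RSA, DHE, ECDHE, or TLS1.3 (negotiated outside the suite name)
    cert_type: str     # RSA or ECDSA; "n/a" for TLS 1.3 suites
    cipher: str        # AES_128, AES_256, CHACHA20, ...
    mode: str          # CBC/GCM/CCM, AEAD for ChaCha20-Poly1305, STREAM otherwise
    mac_or_prf: str    # SHA, SHA256, SHA384, POLY1305
    @property
    def forward_secret(self) -> bool:
        return self.key_exchange in ("DHE", "ECDHE", "TLS1.3")
    @property
    def aead(self) -> bool:
        return self.mode in ("GCM", "CCM", "AEAD")

def parse_suite(name: str) -> Suite:
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    if m.group("kex") is None:  # TLS 1.3 style: key exchange and certificate are separate
        kex, auth = "TLS1.3", "n/a"
    else:
        parts = m.group("kex").split("_")
        kex, auth = (parts[0], parts[1]) if len(parts) == 2 else (parts[0], parts[0])
    toks = m.group("cipher").split("_")
    if toks[-1] in ("CBC", "GCM", "CCM"):
        mode = toks.pop()
    else:  # ChaCha20-Poly1305 is AEAD by construction; RC4 and friends are stream ciphers
        mode = "AEAD" if toks[0] == "CHACHA20" else "STREAM"
    return Suite(name, kex, auth, "_".join(toks), mode, m.group("mac"))

def recommended(names):
    """Suites that meet the advice above: forward secret AND AEAD."""
    return [n for n in names if (s := parse_suite(n)).forward_secret and s.aead]
```

Note that the slide's own example list includes TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which this check reports as forward secret but not AEAD.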
  71. 119.

    Disk/Volume Encryption (dmcrypt, BitLocker, FileVault)
    •  Media: Logical loss of control
       –  3rd party action, gov/civil capture, e-Discovery
       –  Co-tenant sandbox break (/dev/vg/*)
       –  Multi-tenant media reuse (new VMs on volume)
    •  Media: Physical loss of control
       –  Disk repurpose
       –  Disk/Server theft
       –  Server repurpose/retirement
    •  Content Repudiation
    •  Data-at-Rest Compliance
    •  Confidentiality from service provider
       –  Adversarial admin, incompetence, live VM motion
  72. 122.

    Memory Encryption
    •  Co-tenant sandbox break (hypervisor host)
    •  Cold boot attacks
    •  Multi-tenant reuse (/dev/[k]mem/*)
    •  Live migration snapshots
  93. 152.

    Refs
    •  TLS Maturity Model: https://blog.qualys.com/ssllabs/2015/06/08/introducing-tls-maturity-model
    •  Yelling at your servers: https://www.youtube.com/watch?v=tDacjrSCeq4&feature=youtu.be
    •  Malvertising on track for record year: http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/
    •  Attacks on SSL: A Comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases: https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf
  94. 153.

    Refs
    •  The Million Dollar Dissident: NSO Group’s iPhone Zero-Days (deserialization): https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
    •  iPhone 6 kernel exploit analysis (deserialization): http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
    •  Matasano Crypto Challenges: https://cryptopals.com/ and https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/
    •  Keys Under Doormats (problems with large-scale escrow): https://dspace.mit.edu/handle/1721.1/97690
  95. 154.

    Refs
    •  Weak Diffie-Hellman and the Logjam Attack: https://weakdh.org/
    •  Qualys SSL Labs: https://www.ssllabs.com/ssltest/
    •  Bulletproof SSL & TLS: https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    •  Mirage TLS Interactive Server (pretty rad): https://tls.openmirage.org/
    •  Adam Langley: Matching primitive strengths: https://www.imperialviolet.org/2014/05/25/strengthmatching.html
  96. 155.

    Refs
    •  House Oversight final report on OPM breach: https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
    •  NIST 2016 draft guidance on authentication (deprecating arbitrary 90 day password rotation): https://pages.nist.gov/800-63-3/sp800-63b.html
    •  GCHQ (UK Intel) guidance on passwords (deprecating arbitrary 90 day password rotation): https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
    •  Peiter (Mudge) & Sarah Zatko’s Cyber UL: https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/