Crypto defenses & real-world system threats - Duo Security

Kenneth White

April 13, 2017

Transcript

  1. Crypto Defenses and Real-World System Threats. Kenneth White (@KennWhite), Duo Security, April 13, 2017
  2. Focus: legends, myths, and the oral tradition; threats, threat modeling, and snake oil; emerging work; parting thoughts
  3. My weird path: cognitive science / computational neuroscience; ML & signal processing; safety-critical system development; mission system ops & network defense; offense; applied crypto engineering; Open Crypto Audit Project (opencryptoaudit.org)
  4. Legends, myths, and the oral tradition
  5. We are a misunderstood people
  11. Humans are the hard part
  14. Not all threats are properly modeled
  17. Sometimes the product people aren’t helping
  21. Good UI is crucial
  23. “Periodic reminder: Insecure software is almost always a management decision.” — @halvarflake
  25. Sometimes we have a failure to communicate
  28. Things you might not know
  33. What is this “Threat Model” of which you speak?
  34. Step 1: Know your adversary
  40. Modeling user behavior is key
  42. Consider the limits of mitigation
  45. Sometimes the payoff is totally worth the risk
  47. Know your adversary
  49. Your threat is probably not my threat.
  52. Credit: Geoffrey Moore, Frankie Leon

  53. Snake Oil: Beware the naked man offering the shirt off his back
  56. “Battle-tested, military-grade encryption”
  59. Humans will always game the system
  66. Re-learning History
  71. “All versions of Windows”
  73. Re-learning History: Deserialization Exploits
  74. Java Deserialization RCEs are Everywhere. https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
  75. Java Deserialization RCEs are Everywhere. Matthias Kaiser, “Pwning Your Java Messaging With Deserialization Vulnerabilities”: https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
  78. Praetorian Root Cause of Compromise Analysis: vectors commonly used by attackers to compromise internal networks after achieving initial access. Data set includes 100 separate penetration test engagements spanning 75 unique organizations. https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf
  80. I was told there would be crypto.
  81. The crypto problem (quote from Maciej Ceglowski, on the Matasano CryptoPals Challenges)
  82. (Some) Crypto Defenses: Network Transport Encryption; Disk/Volume Encryption; File Encryption; Memory Encryption; Data-in-Use Encryption; Hardware Security Modules
  84. Network Transport Encryption (SSL, TLS, IPsec, ssh). Addresses: data exposure (confidentiality); network intercept (passive & active); credential theft (authentication); identity theft (authorization); authenticated cipher suites (integrity); past session decrypt (long-lived key capture); data-in-motion compliance
  91. The Problem with Unauthenticated Block Modes
  92. The Problem with Unauthenticated Block Modes. “Our new blinky box is awesome! It has AES 256!”
  93. The Problem with Unauthenticated Block Modes. “My new vehicle is awesome! It has a V6!”
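The point of these slides in working code, as an added example that is not code from the talk: “it has AES 256” says nothing about integrity. The Go below uses only the standard library; the 16-byte key and the messages are constructed for the demo, and the Box/Tamper names are this example's own. The same message is encrypted with the same AES key twice, once in raw CBC with PKCS#7 padding and no MAC, once in AES-GCM, an AEAD mode. Tamper edits one ciphertext byte without the key: the CBC receiver decrypts the edited message and hands back admin=1 as if nothing happened, while GCM's tag check refuses to return any plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Box holds one AES key used two ways: raw CBC (no integrity) and GCM (AEAD).
type Box struct {
	block cipher.Block
	aead  cipher.AEAD
}

func NewBox(key []byte) (*Box, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Box{block: block, aead: aead}, nil
}

// CBCSeal returns IV || C0 || C1 ... (PKCS#7 padded) with no integrity
// protection at all: "it has AES 256" and nothing else.
func (b *Box) CBCSeal(pt []byte) ([]byte, error) {
	bs := b.block.BlockSize()
	n := bs - len(pt)%bs
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(b.block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// CBCOpen accepts anything whose padding checks out; it cannot tell a forgery
// from the real thing. (Leaking which check failed is what a padding oracle is.)
func (b *Box) CBCOpen(ct []byte) ([]byte, error) {
	bs := b.block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(b.block, ct[:bs]).CryptBlocks(pt, ct[bs:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// GCMSeal returns nonce || ciphertext || tag: same key, same AES, but AEAD.
func (b *Box) GCMSeal(pt []byte) ([]byte, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return b.aead.Seal(nonce, nonce, pt, nil), nil
}

// GCMOpen fails closed: one flipped bit anywhere and no plaintext comes back.
func (b *Box) GCMOpen(ct []byte) ([]byte, error) {
	ns := b.aead.NonceSize()
	if len(ct) < ns+b.aead.Overhead() {
		return nil, errors.New("short ciphertext")
	}
	return b.aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// Tamper XORs ciphertext byte pos with orig^want; no key needed. In CBC,
// P[i] = D(C[i/bs])[i%bs] XOR prev[i%bs], prev being the IV or the previous
// ciphertext block, and in the IV-prefixed buffer that byte sits at index i:
// flipping ct[i] turns plaintext byte i from orig into want (for i >= bs the
// preceding plaintext block is scrambled as collateral). For the GCM buffer
// pos = NonceSize()+i edits the same byte, but then the tag check fails.
func Tamper(ct []byte, pos int, orig, want byte) []byte {
	out := append([]byte(nil), ct...)
	out[pos] ^= orig ^ want
	return out
}

func main() {
	box, _ := NewBox([]byte("0123456789abcdef")) // constructed demo key
	msg := []byte("admin=0;user=bob")            // constructed; byte 6 is the '0'
	ct, _ := box.CBCSeal(msg)
	pt, err := box.CBCOpen(Tamper(ct, 6, '0', '1'))
	fmt.Printf("CBC, no MAC: %q err=%v\n", pt, err) // "admin=1;user=bob" err=<nil>
	gct, _ := box.GCMSeal(msg)
	_, err = box.GCMOpen(Tamper(gct, 12+6, '0', '1'))
	fmt.Printf("AES-GCM:     err=%v\n", err) // non-nil: tag check fails
}
```

A clean edit is only possible through the IV (which is why the demo edits byte 6 of the first block); editing a later block scrambles the block before it, but the padding still validates and the receiver still has no way to notice. That inability to notice is the whole argument for the AEAD suites in the TLS advice later in the deck.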

  96. Real-world Endpoint SSL/TLS
  97. Real-world Endpoint SSL/TLS: Apache; Nginx; HAProxy; Go; AWS ELB & CloudFront; CloudFlare; CDNs
  98. Real-world Endpoint SSL/TLS. Protocol: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3. Cipher: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20. Key exchange: RSA, DH, DHE, ECDH/E. MAC: MD5, SHA-1, SHA-256, SHA-384, Poly1305. Mode: ECB, CBC, GCM, OCB. Cert: ECDSA, RSA
  101. Real-world Endpoint SSL/TLS. Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  102. CBC is a problem
  107. CBC is a problem. Though maybe not your (biggest) problem
  108. CBC is a problem. Though maybe not your (biggest) problem. “We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic” — SWEET32 team
  110. Getting good data can be hard
  111. Getting good data can be hard. “The report’s most glaring flaw is the assertion that the TLS FREAK vulnerability is among the top 10 most exploited on the Internet. No experienced security practitioner believes that FREAK is widely exploited.” — Dan Guido
  116. TLS 1.3 RFC Draft (v. 19, March 2017)
  117. TLS 1.3 RFC Draft (v. 19, March 2017). MUST implement cipher suite: TLS_AES_128_GCM_SHA256. SHOULD implement cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256. MUST support certificate digital signatures: rsa_pkcs1_sha256, rsa_pss_sha256, ecdsa_secp256r1_sha256. MUST support key exchange with curve: secp256r1 (NIST P-256). SHOULD support key exchange with curve: X25519
  119. My (point-in-time) Advice. Prefer forward secret authenticated encryption with associated data (AEAD) mode of operation ciphers. If possible, explicitly declare server cipher suites (vs. wildcards): key exchange; certificate type; symmetric cipher; mode of operation (if block cipher); message authenticator construction
  120. My (point-in-time) Advice. Prefer forward secret AEAD mode of operation ciphers (ChaCha20/Poly1305, AES-GCM…). If possible, explicitly declare server cipher suites (vs. wildcards): key exchange (e.g. ephemeral elliptic curve Diffie-Hellman); certificate type (e.g., ECDSA or RSA); symmetric cipher (e.g., ChaCha20, AES 128); mode of operation (if block cipher, e.g. GCM); message authenticator construction or PRF (e.g., SHA256)
  121. My (point-in-time) Advice. The same five parts read off a suite name. Example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  123. My (point-in-time) Advice. These five cipher suites provide broad support for browsers, Android and iOS mobile clients, Windows Server 2008 & 2012, and most web service endpoints (IANA code points in parentheses; the two CBC suites in each list are the non-AEAD compatibility fallback):
    If ECDSA certificates: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    If RSA certificates: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  124. TL;DR: https://mozilla.github.io/server-side-tls/ssl-config-generator/
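The decomposition the advice slides describe (key exchange, certificate type, cipher, mode, MAC or PRF) and the “declare suites explicitly” rule, as an added Go example that is not from the talk or from Mozilla's generator. ParseSuite reads the suite name shapes that appear on these slides: TLS 1.2 IANA names of the form TLS_<kex>_<auth>_WITH_<cipher>_<mode>_<hash>, the older TLS_..._CHACHA20_POLY1305 spelling without the PRF suffix, and TLS 1.3 names such as TLS_AES_128_GCM_SHA256, which name only the AEAD and hash. Assess reports where a suite falls short of forward-secret AEAD; ExplicitServerConfig pins the six GCM/ChaCha20 suites from the advice slide in a Go crypto/tls server config (Go is one of the endpoints the deck lists). The type and function names are this example's own; CCM suites are not handled.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Suite is a cipher suite name split into the parts the slides say to pick explicitly.
type Suite struct {
	Name, KeyExchange, Auth, Cipher, Mode string
	MAC                                   string // HMAC hash for CBC suites, PRF hash for AEAD suites
	ForwardSecret, AEAD                   bool
}

// ParseSuite reads IANA names TLS_<kex>_<auth>_WITH_<cipher>_<mode>_<hash>, the older
// TLS_..._CHACHA20_POLY1305 spelling, and TLS 1.3 names such as TLS_AES_128_GCM_SHA256.
func ParseSuite(name string) (Suite, error) {
	s := Suite{Name: name}
	if !strings.HasPrefix(name, "TLS_") {
		return s, fmt.Errorf("not a TLS suite name: %q", name)
	}
	parts := strings.SplitN(strings.TrimPrefix(name, "TLS_"), "_WITH_", 2)
	cipherPart := parts[len(parts)-1]
	if len(parts) == 2 {
		kex := strings.Split(parts[0], "_") // "ECDHE_RSA", or just "RSA" for static RSA
		s.KeyExchange, s.Auth = kex[0], kex[len(kex)-1]
		s.ForwardSecret = s.KeyExchange == "ECDHE" || s.KeyExchange == "DHE"
	} else { // TLS 1.3: always ephemeral (EC)DHE; cert type comes from signature_algorithms
		s.KeyExchange, s.Auth, s.ForwardSecret = "(EC)DHE", "(signature_algorithms)", true
	}
	toks := strings.Split(cipherPart, "_")
	s.MAC = toks[len(toks)-1]
	if s.MAC == "POLY1305" { // pre-RFC 7905 name without the PRF suffix
		s.MAC = "SHA256"
	} else {
		toks = toks[:len(toks)-1]
	}
	switch {
	case toks[0] == "AES" && len(toks) == 3: // AES_128_GCM, AES_256_CBC ...
		s.Cipher, s.Mode = "AES-"+toks[1], toks[2]
	case toks[0] == "CHACHA20":
		s.Cipher, s.Mode = "ChaCha20", "Poly1305"
	case toks[0] == "3DES": // 3DES_EDE_CBC
		s.Cipher, s.Mode = "3DES", toks[len(toks)-1]
	case toks[0] == "RC4":
		s.Cipher, s.Mode = "RC4", "stream"
	default:
		return s, fmt.Errorf("unrecognised cipher spec %q in %q", cipherPart, name)
	}
	s.AEAD = s.Mode == "GCM" || s.Mode == "Poly1305"
	return s, nil
}

var cipherWarnings = map[string]string{
	"3DES": "64-bit block: birthday bound on long-lived sessions (SWEET32)",
	"RC4":  "RC4 keystream biases",
}

// Assess lists why a suite falls short of "forward secret AEAD"; empty means it qualifies.
func Assess(s Suite) []string {
	var why []string
	if !s.ForwardSecret {
		why = append(why, "no forward secrecy: a captured long-lived key decrypts past sessions")
	}
	if !s.AEAD {
		why = append(why, "not AEAD: "+s.Mode+" with a separate "+s.MAC+" MAC")
	}
	if w, ok := cipherWarnings[s.Cipher]; ok {
		why = append(why, w)
	}
	return why
}

// ExplicitServerConfig is "declare the suites, don't wildcard" in Go's crypto/tls: the six
// AEAD suites from the advice slide, ECDHE only, TLS 1.2 minimum. (Go's TLS 1.3 suites
// are fixed and are not selected through this list.)
func ExplicitServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for _, n := range []string{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_AES_128_GCM_SHA256"} {
		s, err := ParseSuite(n)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-40s %s/%s %s %s %s %v\n", s.Name, s.KeyExchange, s.Auth, s.Cipher, s.Mode, s.MAC, Assess(s))
	}
}
```

Running it prints one line per suite; the two CBC suites on the advice slide come back with a single warning (not AEAD), the static-RSA 3DES suite with three, and the ChaCha20 and TLS 1.3 suites with none. The config is the Go equivalent of an explicit Apache/Nginx cipher string, and unlike a wildcard it cannot silently pick up a CBC or RC4 suite added by a library upgrade.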

  125. And now, a brief rant about VPN services.
  126. VPNs provide: a shifted trust endpoint; from tonys-sketchy-hotspot to, say, us-east-1c; from TOTES-LEGIT-FREE-WIFI to, say, duosec-mi-vpn
  127. VPNs may provide: data confidentiality, via encryption, on public networks/hotspots, captive portals, and untrusted/hostile networks (airports, cafes, hotels)
  128. VPNs do not guarantee: anonymity; privacy (certainly while using most browsers on the modern public web)
  131. Disk/Volume Encryption (dm-crypt, BitLocker, FileVault). Media, logical loss of control: 3rd party action, gov/civil capture, e-Discovery; co-tenant sandbox break (/dev/vg/*); multi-tenant media reuse (new VMs on volume). Media, physical loss of control: disk repurpose; disk/server theft; server repurpose/retirement. Content repudiation. Data-at-rest compliance. Confidentiality from service provider: adversarial admin, incompetence, live VM motion
  133. Memory Encryption. Co-tenant sandbox break (hypervisor host); cold boot attacks; multi-tenant reuse (/dev/[k]mem/*); live migration snapshots
  135. Data-in-Use Encryption (TDE, FPE, PPE). Local filesystem attack; blackbox custodian; rogue (weak) admin
  137. Hardware Security Modules. Key theft; signature manipulation; token generation; key tampering
  139. Putting it all together
  143. Then things got weird
  146. Emerging Work
  147. Verification & formal methods
  152. Verification & formal methods: DARPA drone project; Signal; core network stacks; BoringSSL; s2n; CoreCrypto; SChannel
  153. CyberUL Project: Peiter (Mudge) & Sarah Zatko
  154. More goodness (left as an exercise to the reader):
    iOS TLS Inspector: tlsinspector.com
    Crypto Challenges: cryptopals.com
    Nonce-Disrespecting Adversaries: eprint.iacr.org/2016/475.pdf
    Scott Helme’s Security Headers: securityheaders.io
    Mozilla TLS Observatory: tls-observatory.services.mozilla.com
    Lucas Garron (Chrome Team): BadSSL.com
    Thomas Pornin’s BearSSL: www.bearssl.org/BearSSL-BSidesEdinburgh2017.pdf
    George Tankersley’s Go CryptoPasta: github.com/gtank/cryptopasta
    Bad AV: www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf
    Vault: www.vaultproject.io
  155. Some Parting Thoughts
  156. Revisiting First Principles
  157. Revisiting First Principles: security hygiene; trusted supply chain; root of trust; trust signals
  162. Humans will always game the system
  164. This stuff is hard
  168. I don’t care what anything was designed to do. I care about what it can do.
  171. fin
  172. Questions? Twitter: @kennwhite. OCAP: opencryptoaudit.org/people

  173. Refs
    TLS Maturity Model: https://blog.qualys.com/ssllabs/2015/06/08/introducing-tls-maturity-model
    Malvertising on track for record year: http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/
    Attacks on SSL: A Comprehensive Study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases: https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf
    DARPA Drone Project: https://www.wired.com/2016/09/computer-scientists-close-perfect-hack-proof-code/
    A Formal Analysis of the Signal Messaging Protocol: https://eprint.iacr.org/2016/1013.pdf
  174. Refs
    The Million Dollar Dissident: NSO Group’s iPhone Zero-Days (deserialization): https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
    iPhone 6 kernel exploit analysis (deserialization): http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
    Matasano Crypto Challenges: https://cryptopals.com/ and https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/
    Keys Under Doormats (problems with large-scale escrow): https://dspace.mit.edu/handle/1721.1/97690
  175. Refs
    Weak Diffie-Hellman and the Logjam Attack: https://weakdh.org/
    Qualys SSL Labs: https://www.ssllabs.com/ssltest/
    Bulletproof SSL & TLS: https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    Mirage TLS Interactive Server (pretty rad): https://tls.openmirage.org/
    Adam Langley, Matching primitive strengths: https://www.imperialviolet.org/2014/05/25/strengthmatching.html
  176. Refs
    House Oversight final report on OPM breach: https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
    NIST 2016 draft guidance on authentication (deprecating arbitrary 90 day password rotation): https://pages.nist.gov/800-63-3/sp800-63b.html
    GCHQ (UK Intel) guidance on passwords (deprecating arbitrary 90 day password rotation): https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
    Peiter (Mudge) & Sarah Zatko’s Cyber UL: https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/