Practical Cryptography : Data Encryption

Transcript

1. Jérémy Courtial Data encryption Practical cryptography

2. Password hashing breaking news

3. Final impl. on the way Winner : Argon2 Goal: find

   a new password hashing algorithm Password Hashing Competition

4. Now back to the subject

5. Confidentiality Hide things

6. Authentication Ensure thing’s owner

7. Integrity Check things

8. The Cryptography Club’s Rules

9. Rule #1 Don’t reinvent crypto

10. Rule #2 Don’t reinvent crypto

11. Be aware of the Kerckhoffs Principle Rule #3

12. « The enemy knowns the system »

13. Forget about « security through obscurity »

14. The key is the secret

15. Data Encryption

16. Not messing up Cipher stuff Keys management Challenges

17. Key Management

18. Should be easy to retrieve Must be kept secret (from

    Rule #3) Maximum entropy Key Properties

19. Con: must be shared between actors Pro: shorter keys, ie.

    better performances Opposed to asymmetric keys (obviously…) Symmetric Key

20. Network services (ex: Vault) OS level container (ex: Keychain) Specialised

    hardware (ex: HSM) Key Storage

21. Better : no storage

22. But don’t count on him for entropy or reliability Ask

    the user BaaS : Brain as a Service No Storage

23. Sounds like a password hash no ? How to address

    brute force and rainbow tables ? Derive a password into a key Password- Based Derivation

24. Password-Based Derivation KDF( password, salt, cost ) = key

25. Do not store the result ! The key only live

    in memory Derived when need Key Derivation

26. Password KDF(pwd)

27. Specialised stored encrypted by the Master Key 1 Master Key

    N Specialised Keys On key per usage Key Rules

28. Password KDF(pwd) Setup

29. Encrypt Sub Key 1 Master Key Data Encryption Encrypted Keys

    database

30. Password KDF(pwd) Next connections

31. Decrypt Master Key 6B693D6A1 398424A … Sub Key 1

32. Data Encryption

33. data encryption

34. None
35. None

36. What’s just happen ??

37. Know what you’re doing APIs are usually terrible and don’t

    help Stack Overflow is not a way to learn crypto Data Encryption

38. The harder part : use it correctly Choose a mode

    (if relevant) Choose an algorithm Encryption : How to ?

39. What about certifications ? Good cryptanalysis, well implemented Symmetric encryption

    algorithm Which algorithm ?

40. Won’t save you RGS (ANSSI) in France FIPS for US

    & international Certifications See keylength.com

41. Have a doubt ? A E S dvance crypton tandard

42. Cryptography History 2001 NIST select Rijndael as AES Crypto. Dark

    Ages Brave new world* *For at least a week or two

43. Most studied algorithm, no realistic attack Universally supported « Nobody

    ever get fired for choosing AES » AES

44. Choose your AES mode (You thought it was that simple

    ?)
45. None

46. blabla blabla blabla blabla not ECB blabla blabla blabla blabla

    blabla blabla blabla blabla not OCB blabla blabla block cipher blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla CBC blabla blabla blabla blabla blabla blabla blabla padding blabla blabla blabla CTR blabla blabla blabla blabla blabla blabla blabla blabla stream cipher blabla blabla counter blabla blabla blabla blabla blabla blabla Please stop It’s already 18h no ? I want to die… I will never do crypto…

47. Just tell me what to choose…

48. What do we need ? Confidentiality

49. What do we need ? Confidentiality Not just

50. How to detect tampering ? Some modes are very malleable

    Attacks are rarely read-only Cipher text tampering

51. What do we need ? Confidentiality

52. What do we need ? Confidentiality, Authentication, Integrity

53. What do we need ? Authenticated Encryption

54. Automatically checks before decrypting Computes an auth tag along the

    cipher text New recommended encryption scheme AE

55. Plain text Cipher Cipher text MAC MAC function AE :

    encrypt

56. Cipher text Cipher Plain text MAC MAC MAC function =

    ? AE : decrypt

57. Block cipher in counter mode Recommended by the NIST Dedicated

    AES mode AES GCM

58. What if I don’t have GCM ? Do It Yourself

    style* *Not recommended

59. One key for each algorithm A MAC function : HMAC

    (at least SHA-256) A good AES mode : CBC or CTR What you need

60. One rule Encrypt-Then-Mac

61. HMAC_update (IV, key1) 1 AES_encrypt (data, key2, IV) = cipher

    text 2 HMAC_update (cipher text, key1) 3 concat ( IV + cipher text + MAC) 5 HMAC_final () = MAC 4

62. Prevent messages reordering Encrypt-then-MAC each piece Chunk it in small

    pieces What about large data ?

63. A word about IVs Depends of your AES mode …

64. None

65. Not a secret, can be stored along the cipher text

    CTR/GCM : never reuse a key + nonce combinaison CBC : unique per msg and unpredictable aka. random IV / Nonce

66. Done ?

67. Nope

68. Forget all of this

69. In fact, if you type the letters « A-E-S »

    you’ve already lost

70. Treat crypto primitives like plutonium not AAA batteries

71. Attackers have a lot of imagination One error can invalidate

    your whole system Using crypto primitives is incredibly tricky Why ?

72. Attacks Timing attacks Extension length Padding oracle Preimage attacks Cache

    timing
73. None

74. Avoid OpenSSL Choose mature OSS lib, carefully audited Only use

    high-level crypto library The right tools

75. Don’t write a line before extensive learning Errors messages are

    information Be careful not leaking information The right use

76. Bindings exist in multiple languages Carefully designed to be safe

    and easy to use Currently the most lib recommended by experts NaCl/ LibSodium

77. New kid in the block, so no certification Stream cipher,

    good perf. even in software NaCl’s underlying primitives Chacha20/ Salsa20

78. Perish in flames Huuu… Keyczar in Java, Python, C++ Alternatives

79. It will hurt By crypto experts Every line of crypto

    should be audited Audit

80. Be prepared for JS WebCryptocalypse Watch out for CAESAR competition

    All I’ve said will probably be wrong in some months Stay tuned

81. Bibliography Cryptography Engineering by N. Ferguson & B. Schneier Some

    cryptographers to follow - Adam Langley (imperialviolet.org) - Matthew Green (blog.cryptographyengineering.com) - Thomas Ptacek (@tqbf & tptacek on Hacker News) - JP Aumasson (@veorq) http://www.cryptofails.com https://cryptocoding.net/

82. Thank you Questions ? To be continued…