Slide 1

Tuesday, May 14, 13

Slide 2

Who
Bryce Kerley
Software Engineer, Basho Technologies

This is my “pretending to be cool” picture; I took it last Saturday. Next, find me in my native habitat.

Slide 5

Contents
• History
• Algorithms
• Best Practices
• Cryptosystem Design

Slide 6

Cryptography
“κρυπτός γράφειν” (“kryptos”, “grapho”): “secret writing”

Slide 7

Caesar Cipher
Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDE
n = 0: Hello encrypts to Hello

Slide 10

Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: IJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQR
n = 13: Hello encrypts to Uryyb

Slide 11

Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: VWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ
n = 26: Hello encrypts to Hello

Slide 12

Caesar Cipher
(plain + key) % alphabet_size

Slide 13

Caesar Cipher
  # try every shift, 0 through alphabet_size - 1
  (0...alphabet_size).map do |k|
    (cipher + k) % alphabet_size
  end

This is convenient in case you forget the key: look at every possible shift, since there aren’t that many.

Slide 14

Affine Cipher
((plain * key_a) + key_b) % alphabet_size
key_a and alphabet_size must be coprime

What happens if they aren’t coprime? You’ll have a “weak key” that doesn’t have the full strength of the algorithm. Many algorithms have weak keys.
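The affine cipher from this slide, with the Caesar “try every shift” trick from slide 13 as the special case key_a = 1. This is an added example, not code from the talk: the function names are mine and the alphabet is assumed to be the 26 capital letters. It also shows concretely what a non-coprime key_a does: the cipher stops being one-to-one, so it cannot be decrypted.

```ruby
# Added example (not from the talk): affine cipher over A..Z with the
# coprime check that separates usable keys from weak ones.
ALPHABET = ('A'..'Z').to_a.freeze
N = ALPHABET.size

# key_a is usable only when it has an inverse mod N, i.e. gcd(key_a, N) == 1.
def affine_key_ok?(key_a)
  key_a.gcd(N) == 1
end

def affine_encrypt(plain, key_a, key_b)
  raise ArgumentError, "#{key_a} is not coprime with #{N}" unless affine_key_ok?(key_a)
  plain.upcase.each_char.map do |c|
    i = ALPHABET.index(c)
    i ? ALPHABET[(i * key_a + key_b) % N] : c   # non-letters pass through
  end.join
end

# Decrypting needs the multiplicative inverse of key_a modulo N, which is
# exactly what a non-coprime ("weak") key_a lacks.
def affine_decrypt(cipher, key_a, key_b)
  inv = (1...N).find { |x| (x * key_a) % N == 1 }
  raise ArgumentError, "#{key_a} has no inverse mod #{N}" unless inv
  cipher.upcase.each_char.map do |c|
    i = ALPHABET.index(c)
    i ? ALPHABET[((i - key_b) * inv) % N] : c
  end.join
end

# Number of distinct ciphertext letters a key_a can produce: 26 for a usable
# key, fewer for a weak one, so several plaintext letters collide on the
# same ciphertext letter and decryption is ambiguous.
def affine_image_size(key_a)
  (0...N).map { |i| (i * key_a) % N }.uniq.size
end

# Forgot the Caesar key? List every shift, as slide 13 suggests.
def caesar_candidates(cipher)
  (0...N).map { |k| affine_decrypt(cipher, 1, k) }
end
```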

Slide 15

Enigma Machine
(Image: German Federal Archives, Bild 183-2007-0705-502)

Used by the German military during WWII; an electromechanically operated cipher.

Slide 16

Enigma Machine

Uses ratcheting rotors. Read the Wikipedia articles, read books about it; everything about it is nerd-cool.

Slide 17

Breaking Enigma
• Procedural weaknesses
• Mathematical weaknesses

Slide 20

Procedural Weakness
• Set rotors to daily key from codebook
• Type three-letter message key twice
• Set rotors to message key
• Type message
Typing the message key twice establishes a mathematical relationship between the first two three-letter sequences.

This mathematical relationship can then be used to attack the daily key, and from there decode all the day’s messages.

Slide 22

Mathematical Weaknesses
Crib
Known plaintext attack

Enigma has a property that letters will never encipher as themselves. This, coupled with knowledge of German military protocols, allowed cryptographers to narrow down which words are in which positions, and guess at what the plaintext might be. With the plaintext, attacking the key is easier.

Slide 23

Kerckhoffs’s Principle
The algorithm must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

Slide 24

Kerckhoffs’s Principle
All the good codes are open-source.
Most of the good codes have been open-source for a decade.

There really should be an asterisk next to “good codes”: the NSA has a suite of cryptographic protocols and techniques broadly referred to as “Type 1,” the composition of which is undoubtedly classified and on a “need-to-know” basis.

Slide 25

Contents
• History
• Algorithms
• Best Practices
• Cryptosystem Design

Slide 26

Algorithms
Building Blocks

Do not use these algorithms in isolation; think of them like engines, transmissions, or other vehicle components: assembling them into a powerful, safe, and useful unit is extremely difficult.

Slide 27

Kinds of Algorithm
• Symmetric
• One-way, “Hash”
• Asymmetric, “Public Key”

Slide 28

Symmetric
Same key to encrypt and decrypt

Enigma, Caesar cipher, ROT-13: these are all symmetric.

Slide 29

DES, 1977
Developed by IBM
Modified by NSA
Approved by NIST

Slide 30

Differential Cryptanalysis
NSA was ten years ahead

I don’t know if this will happen again. In the security community there’s a concept called the “Advanced Persistent Threat” that’s basically a euphemism for “China.” The theory is that the APT has resources similar to or greater than the NSA’s. My understanding is that the NSA has less to gain and more at risk by keeping cryptographic breakthroughs to themselves; most of the economy of the US and world depends on

Slide 31

AES, 1998
Née “Rijndael”
Symmetric Cipher
Developed by Rijmen & Daemen
Public standardization process

After standardization, the Rijndael website still had a link to hear the authors pronounce the name; instead of being “rhine-doll,” the new recording simply said “A-E-S.”

Slide 32

One Way
No decryption operation

This isn’t to say that it can’t be decrypted, just that it’s hard: run through candidate plaintexts until you find one that works. For most of these, a GPU helps.

Slide 33

One Way
Ciphertext = Digest(Plaintext)

Slide 38

Pigeon Hole Principle
More pigeons than holes? At least one hole has multiple pigeons.
Size-limited digests? At least one digest has multiple preimages.

Slide 39

SHA-1, 1995
Developed by NSA
160 bits

Git uses this; you shouldn’t. There have been a couple of attacks that reduce its strength, and it’s relatively small.

Slide 40

RIPEMD-160, 1996
Designed at Katholieke Universiteit Leuven
160, 256, or 320 bits

RIPEMD is interesting from a social perspective: it was developed in an open, academic fashion, unlike SHA-1 and SHA-2. The biggest issue is that it’s not as well-researched as the SHA family, because it’s not as popular.

Slide 41

SHA-2, 2001
Developed by NSA
224, 256, 384, 512 bits

SHA-2 supports much bigger digests than SHA-1. 256 is a bit faster to compute (and requires half the storage space) than 512. 224 and 384 are simply cut-down versions of 256 and 512, respectively. If space isn’t an issue, use 512.

Slide 42

SHA-3, 2013?
“Keccak” selected in AES-like public contest
Not a NIST standard
No official bit lengths described

A brief note about the US TLAs, LFLAs, and ELFLAs. The NSA, “None Such Agency” or “National Security Agency,” does cryptography design and signals intelligence; they’re part of the DoD and most information about it is classified. Think MI6, “Her Majesty’s Secret Service.” NIST, “National Institute of Standards and Technology,” is part of the Department of Commerce, and in

Slide 43

HMAC, 1996
Message Authentication Code
Uses a hash function and a secret key

Rack (and Rails) use HMAC to sign session cookies.

Slide 44

bcrypt, 1999
Key derivation function
Configurable complexity

bcrypt is what has_secure_password in Rails uses. It’s theoretically weak against ASIC crackers because it doesn’t require huge memory/die-space layouts.

Slide 45

PBKDF2, 2000
Key derivation function
Supports multiple hashes
Configurable complexity

Described in RFC 2898; easier to get through accreditation.

Slide 46

Asymmetric
Different encrypt and decrypt keys

Slide 47

Asymmetric Encryption
Ciphertext = Encrypt(Plaintext, Public Key)
Plaintext = Decrypt(Ciphertext, Private Key)

Slide 48

Asymmetric Signing
Plaintext = Digest(Message)
Signature = Encrypt(Plaintext, Private Key)
Plaintext = Decrypt(Signature, Public Key)

Slide 49

RSA, 1977
Rivest, Shamir, and Adleman
Hugely popular
Huge keys

RSA keys under 512 bits are no match for modern computers, especially if the attacker has money. “Halting State” by the excellent British author Charles Stross includes a situation in which a quantum computer is used to crack RSA keys by factoring them with Shor’s algorithm. Last year, a quantum computer factored 21, a number expressible in five bits, and one that I’ve personally hand-cranked RSA with.

Slide 50

Elliptic Curve, 1985
Koblitz and Miller
Less popular
Tiny keys

Koblitz and Miller figured these out independently. One nice thing about ECC is that keys and ciphertexts are much smaller than RSA; small enough for a public key to be a Bitcoin address, in fact. I will not talk about Bitcoins for the rest of my presentation.

Slide 51

Algorithms
• Symmetric: AES
• One-way: SHA-2
• Asymmetric: RSA or ECC

Slide 52

Contents
• History
• Algorithms
• Best Practices
• Cryptosystem Design

Slide 53

Best Practices
Don’t design cryptosystems

There are lots of cryptosystems that are plenty good and have been well vetted.

Slide 54

Best Practices

This is for SSL/TLS. It provides authentication of endpoints and encryption in transit. It’s been one of the most popular cryptosystems in the world for the last 19 years.

Slide 55

Best Practices
Use HTTPS

HTTPS solves lots of procedural and mathematical traps that come with using raw ciphers to encrypt data in transit. The SSL certificates that are such a pain to configure can be used to authenticate both sides of the exchange, so you can even set up HTTPS between internal services that are secure from third parties.

Slide 56

Best Practices
Use GPG

GPG solves most of the problems with encrypting data at rest. You don’t have to worry about cipher modes, key management is relatively easy, and it’s already been through twenty-two years of review. The downside is that, last time I looked, there weren’t any seriously excellent implementations in Ruby.

Slide 57

Best Practices
Use NaCl

“NaCl” as in “salt,” as in DJB’s “Networking and Cryptography library.” Tony Arcieri has a gem for it that works on most Ruby VMs and fits nicely into a Ruby program. It provides nice tools for symmetric and asymmetric authenticated encryption.

Slide 58

Best Practices
Use bcrypt

Or scrypt, or PBKDF2 if you need corporate to okay it (it’s a NIST standard!).

Slide 59

Best Practices
Use PBKDF2

PBKDF2 requires a bit more effort than bcrypt, since PBKDF2 libraries don’t bring their own salting functionality.

Slide 60

Best Practices
Don’t design cryptosystems

Slide 61

Contents
• History
• Algorithms
• Best Practices
• Cryptosystem Design

Slide 62

Cryptosystem Design
(seriously though, don’t)

“We see the F-16 just sitting there, keys in the ignition, no one watching, lights blinking, ladder extended. And some infosec nerd is telling us we can't climb in there, even though we just want to taxi around a little and we've totally read the manual.”
- Maciej Ceglowski

Slide 63

Why?
Doing something tricky

Clever OAuth2 tricks with request tokens and multiple servers,

Slide 64

Functions
Is the message safe from being read?

Slide 65

Functions
What happens when the message is modified in transit?

Slide 66

Functions
What happens when the message is attacked offline?

Slide 67

Authentication Proxy
Clients authenticate to Application with credentials for Service

Slide 68

Authentication Proxy
Application returns an OAuth2 token for future requests

Slide 69

Authentication Proxy
Application should not be able to use Client 1’s credentials for other clients

Slide 73

Token Structure
serv-r1-tokenkey-tokensecret
• serv: shibboleth
• r1: allows for future changes
• tokenkey: database key
• tokensecret: root for token security

Slide 74

Security Root
http://arstechnica.com/apple/2011/07/mac-os-x-10-7/13/#file-vault-enable

This is an example of a security root: the recovery key for FileVault in modern Mac OS. Without it, the math of cryptography makes the system strong.

Slide 75

Guessing the Security Root
EC2 isn’t expensive
PBKDF2 is slow
Slow is good

In particular, you want to make validating a guess for a security root slow. A legit user will only need to do it once; an attacker will do it millions of times.

Slide 76

The Prize
Service Credentials
AES is strong
Keyed by token secret

We don’t actually use the whole token secret for this; we expand it with PBKDF2-SHA2-512 and use the first half of the derived key with AES.

Slide 77

Chosen Ciphertext
Alter ciphertext
HMAC is strong
Keyed by token secret

AES doesn’t provide any message authentication, but we can add our own with HMAC. The second half of the derived key does this.

Slide 78

Nonces
Number used Once
Never ever reuse

Key reuse is generally okay; nonces provide variability. Initialization vectors, salts, etc. Reuse can compromise keys: seriously, never reuse.

Slide 79

Storage
  {
    original_token_encrypted: aes(service_credentials),
    original_token_hmac: hmac(service_credentials),
    secret_salt: pbkdf_salt,
    secret_iv: aes_iv,
    other_token_metadata: …
  }

We also store a couple of utilities: PBKDF needs a salt, which we keep around, and all the good AES modes need an initialization vector. Both of these must be randomly generated; if you reuse them, awful things will happen.

Slide 80

Flowchart
Inputs: Service Credentials; Token Secret (CSPRNG); secret_salt (CSPRNG); secret_iv (CSPRNG)
Token Secret + secret_salt -> PBKDF2 -> Derived key, split into Derived Token Key and Derived HMAC Key
Service Credentials + Derived Token Key + secret_iv -> AES -> Encrypted Service Credentials
Service Credentials + Derived HMAC Key -> HMAC -> Service Credentials HMAC
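The flowchart and the Storage slide carried through in code. This is an added example, not the talk’s or Basho’s own code: it uses Ruby’s standard-library OpenSSL, the module name and iteration count are my assumptions, and, unlike the slide, the HMAC covers the IV and ciphertext (encrypt-then-MAC) rather than the plaintext, so an altered record is rejected before anything is decrypted.

```ruby
# Added example (not from the talk): the token-secret scheme of slides 76-80
# on Ruby's stdlib OpenSSL. Names and ITERATIONS are assumptions.
require 'openssl'
require 'securerandom'

module TokenVault
  ITERATIONS = 100_000  # assumed; raise it until one guess is slow enough

  # PBKDF2-HMAC-SHA512 stretches the token secret into 64 bytes: the first
  # half keys AES-256, the second half keys HMAC (slides 76 and 77).
  def self.derive_keys(token_secret, salt)
    derived = OpenSSL::PKCS5.pbkdf2_hmac(token_secret, salt, ITERATIONS, 64,
                                         OpenSSL::Digest.new('SHA512'))
    [derived[0, 32], derived[32, 32]]
  end

  # Seal service credentials under a fresh token secret. Returns
  # [token_secret, record]; only the record is stored in the database.
  def self.seal(service_credentials)
    token_secret = SecureRandom.hex(16)    # CSPRNG; handed to the client
    salt = SecureRandom.random_bytes(16)   # CSPRNG; never reused
    iv   = SecureRandom.random_bytes(16)   # CSPRNG; never reused
    aes_key, hmac_key = derive_keys(token_secret, salt)
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.encrypt
    cipher.key = aes_key
    cipher.iv  = iv
    encrypted = cipher.update(service_credentials) + cipher.final
    # Encrypt-then-MAC over IV and ciphertext (the slide 77 concern).
    tag = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), hmac_key,
                               iv + encrypted)
    [token_secret, { original_token_encrypted: encrypted,
                     original_token_hmac: tag,
                     secret_salt: salt, secret_iv: iv }]
  end

  # Recover the credentials, or nil when the secret is wrong or the record
  # was altered: the tag is checked before any decryption happens.
  def self.unseal(token_secret, record)
    aes_key, hmac_key = derive_keys(token_secret, record[:secret_salt])
    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), hmac_key,
                                    record[:secret_iv] + record[:original_token_encrypted])
    return nil unless constant_time_equal?(expected, record[:original_token_hmac])
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.decrypt
    cipher.key = aes_key
    cipher.iv  = record[:secret_iv]
    cipher.update(record[:original_token_encrypted]) + cipher.final
  end

  # Compare tags without leaking the position of the first mismatch.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```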

Slide 88

Attacks
Possesses dumped database
Has to brute-force AES

Slide 89

Attacks
Evil DBA
Writing can only destroy stored credentials

Slide 90

Attacks
Possesses token from client
Has client-equivalent privileges

Slide 91

Attacks
Database & client
Can get stored credentials

Slide 92

Contents
• History
• Algorithms
• Best Practices
• Cryptosystem Design

Slide 93

“Any fool can design a lock they themselves can’t pick.”

Slide 94

Peer review is everything

Slide 95

References and Links
http://www.matasano.com/articles/javascript-cryptography/
http://hax.tor.hu/read/aes/

Slide 96

Thanks
[email protected]
https://twitter.com/bonzoesc
http://bit.ly/crypto-src2013