Cryptography Pitfalls at BsidesMSP 2017

Slide 1

Slide 1 text

Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

Slide 2

Slide 2 text

@jtdowney 2

Slide 3

Slide 3 text

@jtdowney 3

Slide 4

Slide 4 text

The views expressed in this presentation are my own, and not those of PayPal or any of its afﬁliates. @jtdowney 4

Slide 5

Slide 5 text

@jtdowney 5

Slide 6

Slide 6 text

Conﬁdentiality @jtdowney 6

Slide 7

Slide 7 text

Authentication @jtdowney 7

Slide 8

Slide 8 text

Identiﬁcation @jtdowney 8

Slide 9

Slide 9 text

Rigorous Science @jtdowney 9

Slide 10

Slide 10 text

Peer Review @jtdowney 10

Slide 11

Slide 11 text

@jtdowney 11

Slide 12

Slide 12 text

You have probably seen the door to a bank vault, at least in the movies. You know, 10-inch- thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often ﬁnd the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. — Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 12

Slide 13

Slide 13 text

• For data in transit • Use TLS, SSH, or VPN/IPsec • For data at rest • Use GnuPG • Data to be signed • Use GnuPG @jtdowney 13

Slide 14

Slide 14 text

• Avoid low level libraries • OpenSSL • PyCrypto • Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, PHP, etc) • Keyczar (C++, Python, and Java) @jtdowney 14

Slide 15

Slide 15 text

@jtdowney 15

Slide 16

Slide 16 text

Random Number Generation @jtdowney 16

Slide 17

Slide 17 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Not using random data when it is required 3. Broken random number generators @jtdowney 17

Slide 18

Slide 18 text

@jtdowney 18

Slide 19

Slide 19 text

@jtdowney 19

Slide 20

Slide 20 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Not using random data when it is required 3. Broken random number generators @jtdowney 20

Slide 21

Slide 21 text

@jtdowney 21

Slide 22

Slide 22 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Not using random data when it is required 3. Broken random number generators @jtdowney 22

Slide 23

Slide 23 text

@jtdowney 23

Slide 24

Slide 24 text

@jtdowney 24

Slide 25

Slide 25 text

@jtdowney 25

Slide 26

Slide 26 text

@jtdowney 26

Slide 27

Slide 27 text

MD_Update(&m,buf,j); @jtdowney 27

Slide 28

Slide 28 text

Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 28

Slide 29

Slide 29 text

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 29

Slide 30

Slide 30 text

Recommendations • Use a cryptographically strong random number generator • Unix-like • Read from /dev/urandom • Windows • RandomNumberGenerator in System.Security.Cryptography (.NET) • CryptGenRandom • Java use java.security.SecureRandom @jtdowney 30

Slide 31

Slide 31 text

Hash Functions @jtdowney 31

Slide 32

Slide 32 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 32

Slide 33

Slide 33 text

@jtdowney 33

Slide 34

Slide 34 text

@jtdowney 34

Slide 35

Slide 35 text

@jtdowney 35

Slide 36

Slide 36 text

@jtdowney 36

Slide 37

Slide 37 text

9EC4C12949A4F31474F299058CE2B22A @jtdowney 37

Slide 38

Slide 38 text

9EC4C12949A4F31474F299058CE2B22A USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of speciﬁed Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. @jtdowney 38

Slide 39

Slide 39 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 39

Slide 40

Slide 40 text

@jtdowney 40

Slide 41

Slide 41 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 41

Slide 42

Slide 42 text

Message Authentication Code (MAC) tag = MAC(key, value) • Takes: • key - shared secret • value - value to protected integrity of • Returns: • tag - value that represents the integrity @jtdowney 42

Slide 43

Slide 43 text

Naive approach tag = sha256(key + value) @jtdowney 43

Slide 44

Slide 44 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" signature = sha256(secret + value) @jtdowney 44

Slide 45

Slide 45 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" + " or $0" signature = sha256(secret + value) @jtdowney 45

Slide 46

Slide 46 text

Fixed secret = "my-secret-key" value = "buy 10 units at $1" signature = hmac_sha256(secret, value) @jtdowney 46

Slide 47

Slide 47 text

@jtdowney 47

Slide 48

Slide 48 text

@jtdowney 48

Slide 49

Slide 49 text

Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if you want a signature • Use BLAKE2b if you need speed • Stop using MD5 • Stop using SHA1 @jtdowney 49

Slide 50

Slide 50 text

Ciphers @jtdowney 50

Slide 51

Slide 51 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 51

Slide 52

Slide 52 text

@jtdowney 52

Slide 53

Slide 53 text

@jtdowney 53

Slide 54

Slide 54 text

@jtdowney 54

Slide 55

Slide 55 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 55

Slide 56

Slide 56 text

AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key, ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 56

Slide 57

Slide 57 text

ECB Encrypt while (remaining blocks) { block = ... # next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 57

Slide 58

Slide 58 text

@jtdowney 58

Slide 59

Slide 59 text

@jtdowney 59

Slide 60

Slide 60 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 60

Slide 61

Slide 61 text

@jtdowney 61

Slide 62

Slide 62 text

@jtdowney 62

Slide 63

Slide 63 text

@jtdowney 63

Slide 64

Slide 64 text

@jtdowney 64

Slide 65

Slide 65 text

World of hurt @jtdowney 65

Slide 66

Slide 66 text

Recommendations • Prefer to use box/secret box from NaCL/ libsodium • Stop using DES • Stop building your own on top of AES • Stop encrypting without protecting integrity @jtdowney 66

Slide 67

Slide 67 text

What if you have to use AES • Do not use ECB mode • Be sure to use authenticated encryption • GCM mode would be a good ﬁrst choice • Verify the tag/MAC ﬁrst • Still easy to mess up in a critical way @jtdowney 67

Slide 68

Slide 68 text

TLS/SSL @jtdowney 68

Slide 69

Slide 69 text

Pitfalls 1. Not verifying the certiﬁcate chain or hostname 2. Misconﬁgured server settings 3. Using a broken library @jtdowney 69

Slide 70

Slide 70 text

@jtdowney 70

Slide 71

Slide 71 text

@jtdowney 71

Slide 72

Slide 72 text

@jtdowney 72

Slide 73

Slide 73 text

@jtdowney 73

Slide 74

Slide 74 text

Hostname veriﬁcation @jtdowney 74

Slide 75

Slide 75 text

Hostname verification • Check that you got the certificate for who you intended to connect to • Hostname verification is protocol dependent • OpenSSL doesn't have it built in @jtdowney 75

Slide 76

Slide 76 text

Pitfalls 1. Not verifying the certiﬁcate chain or hostname 2. Misconﬁgured server settings 3. Using a broken library @jtdowney 76

Slide 77

Slide 77 text

@jtdowney 77

Slide 78

Slide 78 text

SSL Labs https://www.ssllabs.com @jtdowney 78

Slide 79

Slide 79 text

testssl.sh https://testssl.sh @jtdowney 79

Slide 80

Slide 80 text

TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-conﬁg-generator/ @jtdowney 80

Slide 81

Slide 81 text

Pitfalls 1. Not verifying the certiﬁcate chain or hostname 2. Misconﬁgured server settings 3. Using a broken library @jtdowney 81

Slide 82

Slide 82 text

@jtdowney 82

Slide 83

Slide 83 text

@jtdowney 83

Slide 84

Slide 84 text

Recommendations • Do ensure you're validating connections • Lean on a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 84

Slide 85

Slide 85 text

Trust @jtdowney 85

Slide 86

Slide 86 text

The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 86

Slide 87

Slide 87 text

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 87

Slide 88

Slide 88 text

@jtdowney 88

Slide 89

Slide 89 text

Certiﬁcate Pinning @jtdowney 89

Slide 90

Slide 90 text

@jtdowney 90

Slide 91

Slide 91 text

Recommendations • Think about what organizations you really trust • Investigate certiﬁcate pinning for your apps @jtdowney 91

Slide 92

Slide 92 text

@jtdowney 92

Slide 93

Slide 93 text

Stanford Crypto Class http://crypto-class.com @jtdowney 93

Slide 94

Slide 94 text

Matasano Crypto Challenges http://cryptopals.com @jtdowney 94

Slide 95

Slide 95 text

Questions John Downey | @jtdowney @jtdowney 95

Slide 96

Slide 96 text

Bonus Round @jtdowney 96

Slide 97

Slide 97 text

Quantum Computers @jtdowney 97

Slide 98

Slide 98 text

Pitfalls 1. Assuming current crypto will last forever @jtdowney 98

Slide 99

Slide 99 text

@jtdowney 99

Slide 100

Slide 100 text

@jtdowney 100

Slide 101

Slide 101 text

Recommendations • Follow the PQCrypto discussion • Stay away from PQCrypto until the industry starts to standardize • Hope that researchers are moving fast enough @jtdowney 101

Slide 102

Slide 102 text

Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS • https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE • https://flic.kr/p/AV1Nd • https://flic.kr/p/5tWgh4 @jtdowney 102