Slide 1

Slide 1 text

CRYPTOGRAPHY PITFALLS
John Downey | @jtdowney

Slide 2

Slide 2 text

John Downey | Security Engineer

Slide 3

Slide 3 text

http://www.flickr.com/photos/60445767@N00/2466272019/

Slide 4

Slide 4 text

http://www.flickr.com/photos/freefoto/5692512457/

Slide 5

Slide 5 text

http://www.flickr.com/photos/zappowbang/2049368918/

Slide 6

Slide 6 text

http://www.flickr.com/photos/katieharbath/4382294246/

Slide 7

Slide 7 text

http://www.flickr.com/photos/kalebdf/2170180285/

Slide 8

Slide 8 text

http://www.flickr.com/photos/alstonfamily/2237347597/

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

http://www.flickr.com/photos/damiavos/4707651586/

"You have probably seen the door to a bank vault, at least in the movies. You know, 10-inch-thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent."

Cryptography Engineering, Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno

Slide 11

Slide 11 text

http://www.flickr.com/photos/bootycat/5849904501/

Slide 12

Slide 12 text

• For data in transit
  • Use TLS/SSL, SSH, or VPN/IPsec
• For data at rest
  • Use GnuPG
• Use a high level library
  • Keyczar (Python and Java)
  • NaCl (C, Ruby, etc)

Slide 13

Slide 13 text

http://www.flickr.com/photos/proimos/4199675334/

Slide 14

Slide 14 text

RANDOM NUMBER GENERATION

Slide 15

Slide 15 text

http://www.flickr.com/photos/brentnewhall/6559793329/

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

MD_Update(&m,buf,j);

Slide 18

Slide 18 text

Don't add uninitialised data to the random number generator. This stops valgrind from giving error messages in unrelated code. (Closes: #363516)

Slide 19

Slide 19 text

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
MD_Update(&m,buf,j);
/* We know that line may cause programs such as
   purify and valgrind to complain about use of
   uninitialized data.  The problem is not, it's
   with the caller.  Removing that line will make
   sure you get really bad randomness and thereby
   other problems such as very insecure keys. */

Slide 20

Slide 20 text

RECOMMENDATIONS
• Use the crypto library RNG
  • OpenSSL random
• On Linux (or other Unix-like OS)
  • /dev/random - blocks for entropy
  • /dev/urandom - non-blocking
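A toy model of the bug on slides 17 to 19, added here and not from the talk or from OpenSSL: the seed pool is a hash state fed with the process id and then with a buffer of gathered entropy (the MD_Update(&m, buf, j) call). Removing that one line leaves the pid as the only input, so two machines that share a pid share a key; SecureRandom stands in for the OS CSPRNG the recommendation points to.

```ruby
require 'digest'
require 'securerandom'

# Constructed model of the seeding logic, not OpenSSL's real code: the pool is
# a SHA-256 state fed with the pid and then with a buffer of entropy.
def derive_key(pid, entropy_buf, mix_entropy: true)
  pool = Digest::SHA256.new
  pool << [pid].pack('N')
  pool << entropy_buf if mix_entropy     # the line the Debian patch removed
  pool.hexdigest
end

# Two machines that happen to share a pid. With entropy mixed in, their keys
# differ; with the mixing removed, the pid alone decides the key, and a Linux
# pid has at most 15 bits (32768 values), all of them enumerable.
def keys_collide?(pid, mix_entropy:)
  a = derive_key(pid, SecureRandom.random_bytes(32), mix_entropy: mix_entropy)
  b = derive_key(pid, SecureRandom.random_bytes(32), mix_entropy: mix_entropy)
  a == b
end
```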

Slide 21

Slide 21 text

LENGTH EXTENSION ATTACKS

Slide 22

Slide 22 text

HASH FUNCTIONS

Slide 23

Slide 23 text

http://www.flickr.com/photos/littlejohncollection/3675547973/

Slide 24

Slide 24 text

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

MD5: 9EC4C12949A4F31474F299058CE2B22A

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

RECOMMENDATIONS
• Use SHA-256 (SHA-2 family)
• Stop using MD5
• Don’t use SHA1 in new projects

Slide 27

Slide 27 text

RestClient.post(
  'https://example.com/things',
  :name => 'Widget',
  :price => 1_23,
  :signature => signature
)

Slide 28

Slide 28 text

secret = "api-key"
str = "name=#{name}&"
str += "price=#{price}"
body = "#{secret}|#{str}"
signature = sha1(body)   # sha1: hex-encoded SHA-1 digest of secret|message

Slide 29

Slide 29 text

sha1("api-key|name=Widget&price=123")
SHA1: 8CBBCB204861672F93B26A6401E685195AB5719B

Slide 30

Slide 30 text

http://www.flickr.com/photos/worldbank/3492662794/

Slide 31

Slide 31 text

The signature read as SHA-1's five 32-bit state words (the state after the last block):
h0 = 0x8CBBCB20  h1 = 0x4861672F  h2 = 0x93B26A64  h3 = 0x01E68519  h4 = 0x5AB5719B

The fixed initial state every SHA-1 computation starts from:
h0 = 0x67452301  h1 = 0xEFCDAB89  h2 = 0x98BADCFE  h3 = 0x10325476  h4 = 0xC3D2E1F0

Slide 32

Slide 32 text

h0 = 0x8CBBCB20  h1 = 0x4861672F  h2 = 0x93B26A64  h3 = 0x01E68519  h4 = 0x5AB5719B
= 8CBBCB204861672F93B26A6401E685195AB5719B

Slide 33

Slide 33 text

&price=0

Slide 34

Slide 34 text

api-key|name=Widget&price=123&price=0

Slide 35

Slide 35 text

State loaded from the known signature (no secret needed):
h0 = 0x8CBBCB20  h1 = 0x4861672F  h2 = 0x93B26A64  h3 = 0x01E68519  h4 = 0x5AB5719B

State after continuing the hash with the appended data:
h0 = 0x7CA17A2B  h1 = 0x91BD35C0  h2 = 0x9D50A3AD  h3 = 0x5CAD1E9B  h4 = 0x396DDEF4

Slide 36

Slide 36 text

api-key|name=Widget&price=123&price=0
SHA1: 7CA17A2B91BD35C09D50A3AD5CAD1E9B396DDEF4

Slide 37

Slide 37 text

RestClient.post( 'https://example.com/things', :name => 'Widget', :price => 0, :signature => signature )

Slide 38

Slide 38 text

RECOMMENDATIONS
• Use HMAC-SHA-256 for authentication
  • Keyed hash function
  • Resistant to length extension
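The forgery on slides 29 to 36 as runnable Ruby, added here and not part of the talk: a small SHA-1 that can resume from a published digest, the vulnerable sha1(secret|body) scheme, the extension, and the HMAC-SHA-256 replacement. It assumes the forger knows the secret's length (7 bytes for "api-key"); the hash's own padding has to sit between the original message and the appended &price=0, a detail the slides compress.

```ruby
require 'openssl'

# SHA-1 initial state (FIPS 180-4). A sha1(secret|msg) digest is simply the
# state after the final block, so whoever holds the digest can keep hashing.
SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0].freeze
def rotl(x, n)
  ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
end
# Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, bit length.
def sha1_padding(total_len)
  "\x80".b + ("\0".b * ((55 - total_len) % 64)) + [total_len * 8].pack('Q>')
end

# Minimal SHA-1 that can resume from a given state after prior_len bytes.
def sha1_hex(msg, state = SHA1_IV, prior_len = 0)
  h = state.dup
  data = msg.b + sha1_padding(prior_len + msg.bytesize)
  data.unpack('N*').each_slice(16) do |w|
    (16..79).each { |i| w[i] = rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1) }
    a, b, c, d, e = h
    80.times do |i|
      f, k = case i
             when 0..19  then [(b & c) | (~b & d), 0x5A827999]
             when 20..39 then [b ^ c ^ d, 0x6ED9EBA1]
             when 40..59 then [(b & c) | (b & d) | (c & d), 0x8F1BBCDC]
             else             [b ^ c ^ d, 0xCA62C1D6]
             end
      a, b, c, d, e = (rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, rotl(b, 30), c, d
    end
    h = h.zip([a, b, c, d, e]).map { |x, y| (x + y) & 0xFFFFFFFF }
  end
  h.pack('N5').unpack1('H*')
end

# The slides' scheme: signature = sha1(secret|body). Vulnerable to extension.
def naive_sign(secret, body)
  sha1_hex("#{secret}|#{body}")
end

# Forger's view: only (body, signature) and the secret's length are known.
def extend_signature(body, signature, secret_len, suffix)
  consumed = secret_len + 1 + body.bytesize            # +1 for the "|"
  glue = sha1_padding(consumed)                        # the padding the server applied
  state = [signature].pack('H*').unpack('N5')          # digest becomes the state
  [body + glue + suffix, sha1_hex(suffix, state, consumed + glue.bytesize)]
end

# The fix: HMAC keys the hash; its output is not a state anyone can resume.
def hmac_sign(secret, body)
  OpenSSL::HMAC.hexdigest('SHA256', secret, body)
end
```

The server must still compare signatures in constant time; the HMAC only removes the extension property.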

Slide 39

Slide 39 text

ECB MODE

Slide 40

Slide 40 text

http://www.flickr.com/photos/kevinomara/3422866722

Slide 41

Slide 41 text

Plaintext ECB

Slide 42

Slide 42 text

Plaintext    “This is a secret”
Random IV    0x20B8F0FBE8CCA71A58FC86E6F256
Key          0xE60DC5C9747A963A86FD9522547
Ciphertext   0x7CD937D779C4555CF38244BEC63 = AES-128(key, plaintext ⊕ IV)

Slide 43

Slide 43 text

Plaintext        “message”
Last Ciphertext  0x7CD937D779C4555CF38244BEC63
Key              0xE60DC5C9747A963A86FD9522547
Ciphertext       0x5867695E0F48DEA14A33F1E70C416 = AES-128(key, plaintext ⊕ last ciphertext)

Slide 44

Slide 44 text

Random IV    0x20B8F0FBE8CCA71A58FC86E6F256
Ciphertext   0x7CD937D779C4555CF38244BEC63
Ciphertext   0x5867695E0F48DEA14A33F1E70C416

Slide 45

Slide 45 text

Plaintext ECB CBC

Slide 46

Slide 46 text

RECOMMENDATIONS
• Use AES
  • Do not use DES
• Do not use ECB mode
• Use an authenticated encryption mode
  • GCM, CCM, OCB
  • CBC with an HMAC of IV and ciphertext
  • Verify the tag/MAC first
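The slide 41/45 picture in numbers, plus the recommended authenticated mode, as an added Ruby example (not the talk's code): identical plaintext blocks come out identical under ECB and distinct under CBC, and AES-GCM rejects a ciphertext with a single flipped bit. The key and plaintext are constructed for the demo.

```ruby
require 'openssl'

# Constructed key and a plaintext of three identical 16-byte blocks, echoing
# the slide's "This is a secret".
KEY = OpenSSL::Random.random_bytes(16)
PLAINTEXT = 'This is a secret' * 3

# Encrypt block-aligned input and return each ciphertext block as hex. ECB maps
# equal plaintext blocks to equal ciphertext blocks (the penguin on slide 41);
# CBC chains each block into the next, so the repetition disappears.
def cipher_blocks(mode, key, plaintext)
  c = OpenSSL::Cipher.new("aes-128-#{mode}").encrypt
  c.key = key
  c.iv = OpenSSL::Random.random_bytes(16) unless mode == 'ecb'
  c.padding = 0                               # input is already a multiple of 16
  blocks = (c.update(plaintext) + c.final).unpack('a16' * (plaintext.bytesize / 16))
  blocks.map { |b| b.unpack1('H*') }
end

# Authenticated encryption: GCM produces a tag over the ciphertext, so the
# receiver learns about any modification instead of decrypting garbage.
def gcm_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = key
  iv = OpenSSL::Random.random_bytes(12)       # fresh per message, never reused
  c.iv = iv
  { iv: iv, ct: c.update(plaintext) + c.final, tag: c.auth_tag }
end

# final raises OpenSSL::Cipher::CipherError when the tag does not match; treat
# anything produced before that as untrusted (the "verify first" rule).
def gcm_decrypt(key, msg)
  c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  c.key = key
  c.iv = msg[:iv]
  c.auth_tag = msg[:tag]
  c.update(msg[:ct]) + c.final
end

# Flip one ciphertext bit and confirm decryption refuses it.
def tamper_detected?(key, msg)
  forged = msg[:ct].dup
  forged.setbyte(0, forged.getbyte(0) ^ 0x01)
  gcm_decrypt(key, msg.merge(ct: forged))
  false
rescue OpenSSL::Cipher::CipherError
  true
end
```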

Slide 47

Slide 47 text

PASSWORD STORAGE

Slide 48

Slide 48 text

http://www.flickr.com/photos/sponng/4554602341/

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

sha1(password)

Slide 55

Slide 55 text

1. One-way
   • Only useful for verification

Slide 56

Slide 56 text

sha1(salt + password)

Slide 57

Slide 57 text

1. One-way
   • Only useful for verification
2. Randomized
   • Defeats pre-computed tables
   • Forces focus on one password

Slide 58

Slide 58 text

http://www.flickr.com/photos/jaffathecake/2618896075/

Slide 59

Slide 59 text

1. One-way
   • Only useful for verification
2. Randomized
   • Defeats pre-computed tables
   • Forces focus on one password
3. Slow

Slide 60

Slide 60 text

ADAPTIVE HASHING
bcrypt, scrypt, or PBKDF2

Slide 61

Slide 61 text

RECOMMENDATIONS
• Delegate authentication if possible
  • Facebook, Twitter, Google, Github
• Store one-way verifiers using bcrypt, scrypt, or PBKDF2
• Use existing framework
  • has_secure_password (Rails >= 3.1)
  • devise
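The three properties from slide 59 in Ruby, added here and not from the talk: PBKDF2-HMAC-SHA256 through Ruby's bundled OpenSSL (bcrypt and scrypt need extra gems), a random per-user salt, and an iteration count of 100,000 chosen for this example. The stored format "pbkdf2-sha256$iterations$salt$hash" is this example's own.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000   # constructed work factor; tune until one hash takes ~100 ms

# 3. Slow: every guess costs ITERATIONS HMAC evaluations, for attacker and server alike.
def pbkdf2(password, salt, iterations)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: 32, hash: 'sha256')
end

# 2. Randomized: a fresh 16-byte salt per user defeats precomputed tables and
# forces an attacker to work on one password at a time.
# Stored form: "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>".
def hash_password(password, iterations = ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  digest = pbkdf2(password, salt, iterations)
  ['pbkdf2-sha256', iterations, salt.unpack1('H*'), digest.unpack1('H*')].join('$')
end

# 1. One-way: the stored string can only confirm a candidate, never reveal it.
def verify_password(password, stored)
  scheme, iterations, salt_hex, hash_hex = stored.split('$')
  return false unless scheme == 'pbkdf2-sha256' && hash_hex
  candidate = pbkdf2(password, [salt_hex].pack('H*'), iterations.to_i)
  constant_time_equal?(candidate, [hash_hex].pack('H*'))
end

# Compare every byte so a mismatch costs the same time wherever it occurs.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```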

Slide 62

Slide 62 text

TLS/SSL VERIFICATION

Slide 63

Slide 63 text

http://www.flickr.com/photos/your_teacher/400805545/

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

No content

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

RECOMMENDATIONS
• Check your SSL connections
  • Verify certificate / verify peer
  • Verify host
• Setup an automated test

Slide 69

Slide 69 text

TRUST

Slide 70

Slide 70 text

The authenticity of host 'apollo.local (10.0.2.56)' can't be established.
RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Are you sure you want to continue connecting (yes/no)?

Slide 71

Slide 71 text

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec.
Please contact your system administrator.

Slide 72

Slide 72 text

• AOL Time Warner Inc.
• AS Sertifitseerimiskeskus
• AddTrust
• Baltimore
• beTRUSTed
• Buypass
• CNNIC
• COMODO CA Limited
• Certplus
• certSIGN
• Chambersign
• Chunghwa Telecom Co., Ltd.
• ComSign
• Comodo CA Limited
• Cybertrust, Inc
• Deutsche Telekom AG
• Deutscher Sparkassen Verlag GmbH
• Dhimyotis
• DigiCert Inc
• DigiNotar
• Digital Signature Trust Co.
• Disig a.s.
• EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
• EDICOM
• Entrust, Inc.
• Equifax
• GTE Corporation
• GeoTrust Inc.
• GlobalSign nv-sa
• Hongkong Post
• Japan Certification Services, Inc.
• Japanese Government
• Microsec Ltd.
• NetLock Halozatbiztonsagi Kft.
• Network Solutions L.L.C.
• PM/SGDN
• QuoVadis Limited
• RSA Security Inc
• SECOM Trust Systems CO.,LTD.
• SecureTrust Corporation
• Sociedad Cameral de Certificación Digital
• Sonera
• Staat der Nederlanden
• Starfield Technologies, Inc.
• StartCom Ltd.
• SwissSign AG
• Swisscom
• TC TrustCenter GmbH
• TDC
• Taiwan Government
• Thawte
• The Go Daddy Group, Inc.
• The USERTRUST Network
• TÜBİTAK
• TÜRKTRUST
• Unizeto Sp. z o.o.
• VISA
• ValiCert, Inc.
• VeriSign, Inc.
• WISeKey
• Wells Fargo
• XRamp Security Services Inc

Slide 73

Slide 73 text

CERTIFICATE PINNING

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

RECOMMENDATIONS
• Think about what organizations you really trust
• Consider disabling some roots
• Use certificate pinning in your apps
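An automated check of the kind slide 68 asks for, also covering the pinning recommendation above (added here, not the talk's code): a loopback TLS server with a constructed self-signed certificate for the hypothetical host api.example.test, and a client driven through the weak setting (VERIFY_NONE), the correct setting (VERIFY_PEER plus hostname verification), and pinning (trusting that one certificate in place of the system roots).

```ruby
require 'openssl'
require 'socket'

# Self-signed certificate for a constructed test host; in the test it plays
# the pinned certificate the client is willing to trust.
def make_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Loopback TLS server; yields its port and keeps accepting until the block ends.
def with_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  worker = Thread.new { loop { server.accept.close rescue nil } }
  yield tcp.addr[1]
ensure
  worker&.kill
  tcp&.close
end

# The client under test. verify: false is the weak setting (VERIFY_NONE);
# pinned: the single certificate trusted instead of the system roots.
def tls_connect_ok?(port, hostname:, pinned: nil, verify: true)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  ctx.verify_hostname = verify                 # verify host, not just the chain
  if pinned
    ctx.cert_store = OpenSSL::X509::Store.new
    ctx.cert_store.add_cert(pinned)
  end
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.sync_close = true
  sock.hostname = hostname
  sock.connect
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  sock&.close
end
```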

Slide 76

Slide 76 text

STANFORD CRYPTO CLASS
https://www.coursera.org/course/crypto

Slide 77

Slide 77 text

MATASANO CRYPTO CHALLENGES
http://www.matasano.com/articles/crypto-challenges/

Slide 78

Slide 78 text

PRAGMATIC CRYPTOGRAPHY
http://pragmaticcrypto.com/

Slide 79

Slide 79 text

• Videos
  • Theory and Practice of Cryptography series
    • http://www.youtube.com/watch?v=IzVCrSrZIX8
    • http://www.youtube.com/watch?v=KDvt_0cafPw
    • http://www.youtube.com/watch?v=YcgqBEzcD_I
    • http://www.youtube.com/watch?v=ZDnShu5V99s
  • Crypto Strikes Back!
    • http://www.youtube.com/watch?v=ySQl0NhW1J0
• Presentations
  • http://www.bsdcan.org/2010/schedule/attachments/135_crypto1hr.pdf
  • http://www.eff.org/files/DefconSSLiverse.pdf
• Books
  • Cryptography Engineering - Ferguson, Schneier, and Kohno
• Blogs
  • http://blog.cryptographyengineering.com/
  • http://rdist.root.org/

Slide 80

Slide 80 text

QUESTIONS?
John Downey | @jtdowney