Slide 1

Slide 1 text

Practical cryptography
Data encryption
Jérémy Courtial

Slide 2

Slide 2 text

Password hashing breaking news

Slide 3

Slide 3 text

Password Hashing Competition
- Goal: find a new password hashing algorithm
- Winner: Argon2
- Final implementation on the way

Slide 4

Slide 4 text

Now back to the subject

Slide 5

Slide 5 text

Confidentiality: hide things

Slide 6

Slide 6 text

Authentication: establish a thing’s owner

Slide 7

Slide 7 text

Integrity: check things

Slide 8

Slide 8 text

The Cryptography Club’s Rules

Slide 9

Slide 9 text

Rule #1 Don’t reinvent crypto

Slide 10

Slide 10 text

Rule #2 Don’t reinvent crypto

Slide 11

Slide 11 text

Rule #3 Be aware of Kerckhoffs’s principle

Slide 12

Slide 12 text

« The enemy knows the system »

Slide 13

Slide 13 text

Forget about « security through obscurity »

Slide 14

Slide 14 text

The key is the secret

Slide 15

Slide 15 text

Data Encryption

Slide 16

Slide 16 text

Challenges
- Key management
- Cipher stuff
- Not messing up

Slide 17

Slide 17 text

Key Management

Slide 18

Slide 18 text

Key Properties
- Maximum entropy
- Must be kept secret (from Rule #3)
- Should be easy to retrieve

Slide 19

Slide 19 text

Symmetric Key
- Opposed to asymmetric keys (obviously…)
- Pro: shorter keys, i.e. better performance
- Con: must be shared between actors

Slide 20

Slide 20 text

Key Storage
- Specialised hardware (ex: HSM)
- OS level container (ex: Keychain)
- Network services (ex: Vault)

Slide 21

Slide 21 text

Better: no storage

Slide 22

Slide 22 text

No Storage
- BaaS: Brain as a Service
- Ask the user
- But don’t count on the user for entropy or reliability

Slide 23

Slide 23 text

Password-Based Derivation
- Derive a password into a key
- How to address brute force and rainbow tables?
- Sounds like a password hash, no?

Slide 24

Slide 24 text

Password-Based Derivation
KDF(password, salt, cost) = key

Slide 25

Slide 25 text

Key Derivation
- Derived when needed
- The key only lives in memory
- Do not store the result!

Slide 26

Slide 26 text

Diagram: Password → KDF(pwd) → key

Slide 27

Slide 27 text

Key Rules
- One key per usage
- 1 Master Key, N Specialised Keys
- Specialised keys are stored encrypted by the Master Key

Slide 28

Slide 28 text

Setup
Diagram: Password → KDF(pwd) → Master Key

Slide 29

Slide 29 text

Setup (continued)
Diagram: Sub Key 1 is encrypted with the Master Key and stored in the Encrypted Keys database; Sub Key 1 is used for Data Encryption

Slide 30

Slide 30 text

Next connections
Diagram: Password → KDF(pwd) → Master Key

Slide 31

Slide 31 text

Next connections (continued)
Diagram: the Master Key decrypts the stored blob (6B693D6A1398424A…) back into Sub Key 1

Slide 32

Slide 32 text

Data Encryption

Slide 33

Slide 33 text

data encryption

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

What just happened??

Slide 37

Slide 37 text

Data Encryption
- Stack Overflow is not a way to learn crypto
- APIs are usually terrible and don’t help
- Know what you’re doing

Slide 38

Slide 38 text

Encryption: How to?
- Choose an algorithm
- Choose a mode (if relevant)
- The harder part: use it correctly

Slide 39

Slide 39 text

Which algorithm?
- Symmetric encryption algorithm
- Good cryptanalysis, well implemented
- What about certifications?

Slide 40

Slide 40 text

Certifications
- FIPS for US & international
- RGS (ANSSI) in France
- Won’t save you
- See keylength.com

Slide 41

Slide 41 text

Have a doubt? AES (Advanced Encryption Standard)

Slide 42

Slide 42 text

Cryptography History
- Crypto Dark Ages
- 2001: NIST selects Rijndael as AES
- Brave new world*
*For at least a week or two

Slide 43

Slide 43 text

AES
- « Nobody ever got fired for choosing AES »
- Universally supported
- Most studied algorithm, no realistic attack

Slide 44

Slide 44 text

Choose your AES mode (You thought it was that simple?)

Slide 45

Slide 45 text

No content

Slide 46

Slide 46 text

blabla blabla blabla blabla not ECB blabla blabla blabla blabla blabla blabla blabla blabla not OCB blabla blabla block cipher blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla blabla CBC blabla blabla blabla blabla blabla blabla blabla padding blabla blabla blabla CTR blabla blabla blabla blabla blabla blabla blabla blabla stream cipher blabla blabla counter blabla blabla blabla blabla blabla blabla
Please stop. It’s already 18h, no? I want to die… I will never do crypto…

Slide 47

Slide 47 text

Just tell me what to choose…

Slide 48

Slide 48 text

What do we need? Confidentiality

Slide 49

Slide 49 text

What do we need? Not just Confidentiality

Slide 50

Slide 50 text

Cipher text tampering
- Attacks are rarely read-only
- Some modes are very malleable
- How to detect tampering?

Slide 51

Slide 51 text

What do we need? Confidentiality

Slide 52

Slide 52 text

What do we need? Confidentiality, Authentication, Integrity

Slide 53

Slide 53 text

What do we need? Authenticated Encryption

Slide 54

Slide 54 text

AE
- New recommended encryption scheme
- Computes an auth tag along with the cipher text
- Automatically checks the tag before decrypting

Slide 55

Slide 55 text

AE: encrypt
Diagram: Plain text → Cipher → Cipher text → MAC function → MAC

Slide 56

Slide 56 text

AE: decrypt
Diagram: Cipher text → MAC function → recomputed MAC, compared with the received MAC (= ?); only then Cipher text → Cipher → Plain text

Slide 57

Slide 57 text

AES GCM
- Dedicated AES mode
- Recommended by the NIST
- Block cipher in counter mode

Slide 58

Slide 58 text

What if I don’t have GCM? Do It Yourself style*
*Not recommended

Slide 59

Slide 59 text

What you need
- A good AES mode: CBC or CTR
- A MAC function: HMAC (at least SHA-256)
- One key for each algorithm

Slide 60

Slide 60 text

One rule: Encrypt-Then-MAC

Slide 61

Slide 61 text

1. HMAC_update(IV, key1)
2. AES_encrypt(data, key2, IV) = cipher text
3. HMAC_update(cipher text, key1)
4. HMAC_final() = MAC
5. concat(IV + cipher text + MAC)

Slide 62

Slide 62 text

What about large data?
- Chunk it in small pieces
- Encrypt-then-MAC each piece
- Prevent message reordering
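Slides 61 and 62 in working code, as an added example that is not the speaker’s: AES-CTR under a fresh random IV, HMAC-SHA256 over IV and cipher text with a second key, output IV || cipher text || MAC, and the chunk number mixed into the MAC so that a chunk replayed in another position is rejected. The function names and the choice to keep the chunk number implicit (both sides count) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// tag = HMAC-SHA256(macKey, seq || iv || ct); the chunk number is never sent, both sides count.
func tag(macKey []byte, seq uint32, iv, ct []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte{byte(seq >> 24), byte(seq >> 16), byte(seq >> 8), byte(seq)})
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(nil)
}

// ctr applies AES-CTR (one XOR both encrypts and decrypts); a bad key length is a programming error.
func ctr(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// sealChunk: encrypt under a fresh random IV, then MAC; output is iv || ct || mac.
// encKey and macKey must be two different keys (one key per algorithm).
func sealChunk(encKey, macKey []byte, seq uint32, plain []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := ctr(encKey, iv, plain)
	return append(append(iv, ct...), tag(macKey, seq, iv, ct)...), nil
}

// openChunk verifies the MAC in constant time and only then decrypts.
func openChunk(encKey, macKey []byte, seq uint32, msg []byte) ([]byte, error) {
	n := len(msg) - sha256.Size // end of the cipher text, start of the MAC
	if n < aes.BlockSize || !hmac.Equal(msg[n:], tag(macKey, seq, msg[:aes.BlockSize], msg[aes.BlockSize:n])) {
		return nil, errors.New("chunk too short or MAC mismatch: tampered, reordered or wrong key")
	}
	return ctr(encKey, msg[:aes.BlockSize], msg[aes.BlockSize:n]), nil
}
```

A flipped cipher text bit, a chunk presented at the wrong position and a truncated chunk all fail in openChunk before any decryption happens.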

Slide 63

Slide 63 text

A word about IVs
Depends on your AES mode…

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

IV / Nonce
- CBC: unique per message and unpredictable, aka random
- CTR/GCM: never reuse a key + nonce combination
- Not a secret, can be stored along with the cipher text

Slide 66

Slide 66 text

Done ?

Slide 67

Slide 67 text

Nope

Slide 68

Slide 68 text

Forget all of this

Slide 69

Slide 69 text

In fact, if you type the letters « A-E-S » you’ve already lost

Slide 70

Slide 70 text

Treat crypto primitives like plutonium not AAA batteries

Slide 71

Slide 71 text

Why?
- Using crypto primitives is incredibly tricky
- One error can invalidate your whole system
- Attackers have a lot of imagination

Slide 72

Slide 72 text

Attacks
- Timing attacks
- Length extension
- Padding oracle
- Preimage attacks
- Cache timing

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

The right tools
- Only use a high-level crypto library
- Choose a mature OSS lib, carefully audited
- Avoid OpenSSL

Slide 75

Slide 75 text

The right use
- Be careful not to leak information
- Error messages are information
- Don’t write a line before extensive learning

Slide 76

Slide 76 text

NaCl / LibSodium
- Currently the lib most recommended by experts
- Carefully designed to be safe and easy to use
- Bindings exist in multiple languages

Slide 77

Slide 77 text

ChaCha20 / Salsa20
- NaCl’s underlying primitives
- Stream cipher, good performance even in software
- New kid on the block, so no certification

Slide 78

Slide 78 text

Alternatives
- Keyczar in Java, Python, C++
- Huuu… Perish in flames

Slide 79

Slide 79 text

Audit
- Every line of crypto should be audited
- By crypto experts
- It will hurt

Slide 80

Slide 80 text

Stay tuned
- All I’ve said will probably be wrong in some months
- Watch out for the CAESAR competition
- Be prepared for the JS WebCryptocalypse

Slide 81

Slide 81 text

Bibliography
- Cryptography Engineering by N. Ferguson & B. Schneier
Some cryptographers to follow
- Adam Langley (imperialviolet.org)
- Matthew Green (blog.cryptographyengineering.com)
- Thomas Ptacek (@tqbf & tptacek on Hacker News)
- JP Aumasson (@veorq)
- http://www.cryptofails.com
- https://cryptocoding.net/

Slide 82

Slide 82 text

Thank you
Questions?
To be continued…