Slide 1

Slide 1 text

The Open Crypto Audit Project: Our Story
Kenneth White & Matthew Green
DEF CON 22 | 2014.08.08

Slide 2

Slide 2 text

Open Crypto Audit Project
Everyone has a story. This is ours.

Slide 3

Slide 3 text

Agenda
• First Principles
• Post-Snowden Era
• The TrueCrypt Story
• Open Crypto Audit Project
• Secure Coding & Trust
• Looking Ahead
• Open Discussion (and swag!)

Slide 4

Slide 4 text

About Us

Slide 5

Slide 5 text

Kenneth White
• Interests: RT signals, embedded systems, analytics
• First DEFCON: DC10
• Formal training: bio-signals (EEG/ERP, MRI, PET, EKG, EOG)
• Early career: databases, *nix, RTOS, h/w drivers
• Lifecycle: FDA (cardiac safety), SEI SEPG, IA
• Defense: network security, API endpoints
• Recently: public cloud security, ML/classification, safety-critical systems, breaking crypto/networks/websites/OS’
• Now: OCAP, Linux Foundation CII, NGO security
• @kennwhite

Slide 6

Slide 6 text

I like to work on interesting problems

Slide 7

Slide 7 text

Matthew Green
• Johns Hopkins University: Computer Science
• Teaches applied cryptography
• Builds secure systems
• Trained under Susan Hohenberger & Avi Rubin
• Former senior research staff: AT&T Labs
• On-going Research includes:
o Techniques for privacy-enhanced information storage
o Anonymous payment systems (including ZeroCoin)
o Bilinear map-based cryptography
• @matthew_d_green

Slide 8

Slide 8 text

Matthew Green
(not his actual Dachshunds)

Slide 9

Slide 9 text

Long journey to DEFCON (no, really)
(my actual Shepherds, semi-medicated)

Slide 10

Slide 10 text

“I’m here to share what I know, and learn with and from you.” — Jack Daniel

Slide 11

Slide 11 text

First Principles
“If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.” — Scott Culp

Slide 12

Slide 12 text

First Principles
“If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.” — Scott Culp
“Even if it has disk encryption.” — Kenn White

Slide 13

Slide 13 text

Crypto 101: First Principles
• Thompson: Reflections on Trusting Trust, cm.bell-labs.com/who/ken/trust.html
• Culp: 10 Immutable Laws of Security, technet.microsoft.com/library/cc722487
• Zimmermann: Beware of Snake Oil, www.philzimmermann.com/EN/essays/SnakeOil

Slide 14

Slide 14 text

Post-Snowden Era
• NYT, ProPublica, Guardian: NSA spends $250M/yr to counter & undermine “the use of ubiquitous encryption across the internet”
• NIST technical standards “intentionally weakened”
• BULLRUN: NSA actively working to “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets”
The New York Times, 2013/09/05
See: www.eff.org/nsa-spying/timeline

Slide 15

Slide 15 text

Post-Snowden Era
“Furthermore, we will be reviewing our existing body of cryptographic work” — National Institute of Standards and Technology, Nov 2013
Recommends that the US government “fully support and not undermine efforts to create encryption standards” — Presidential Advisory Committee, Jan 2014
“[C]lassified [reports] have heightened concern over the possibility of a backdoor… after conducting its own review, NIST [has] removed DRBG” — National Institute of Standards and Technology, Apr 2014

Slide 16

Slide 16 text

Which brings us to TrueCrypt

Slide 17

Slide 17 text

TrueCrypt
• File, volume, full disk encryption (FDE)
• 30M+ downloads
• Created Feb 2004 by anonymous development team
• Controversial license (Debian, Fedora, “forbidden items”)

Slide 18

Slide 18 text

TrueCrypt
• Tool of choice for human rights workers, activists, attorneys, thousands of organizations, investigative/national security journalists, security professionals, and...?

Slide 19

Slide 19 text

Aug 2014: docs.aws.amazon.com/AWSImportExport/latest/DG/encrypting-using-truecrypt.html

Slide 20

Slide 20 text

TrueCrypt
• Never thoroughly audited on Windows
• Differences reported in volume headers
• Small differences in distributed binaries vs. source
• Windows vs. Mac & Linux
• With exception of deniability volume, no formal cryptanalysis
• Deterministic build? (Xavier de Carné de Carnavalet)
• Last license review in 2008 by RedHat/Fedora/OSSI concluded “we would not be protected from a lawsuit” and “this license is non-free”

Slide 21

Slide 21 text

By many measures, relatively strong*
*Hashes/sec on Sagitta Brutalis 290X: oclHashcat 1.00, AMD Catalyst 13.12. Accelerator: 8 x AMD Radeon R9 290X, stock clocks. Benchmark: Incremental brute force, alphanum charset

Slide 22

Slide 22 text

Anonymous Dev Team
The information is out there
• Follow the money
• Follow the attorneys
• What we can share
• What we won’t share

Slide 23

Slide 23 text

Public Record
• State of Nevada Corporate Records
• US Trademark Office
• International Trademark Filings (UK, France, China, Russia, Czech Republic)
• Public IRS filings
• Usenet/mailing list forums
• Published academic papers
• Student theses

Slide 24

Slide 24 text

Public Record
Some things we chose not to share.

Slide 25

Slide 25 text

Why?

Slide 26

Slide 26 text

Remember this doxing?

Slide 27

Slide 27 text

Let’s not forget this:

Slide 28

Slide 28 text

And this:

Slide 29

Slide 29 text

And, crucially, this:

Slide 30

Slide 30 text

Back to the Code

Slide 31

Slide 31 text

Conventional Wisdom: Given enough eyeballs, all bugs are shallow.

Slide 32

Slide 32 text

Meet Samuel Reshevsky, age 8, defeating 14 French chess masters at once, 1920

Slide 33

Slide 33 text

And so, it began...

Slide 34

Slide 34 text

The TrueCrypt Audit
• IsTrueCryptAuditedYet.com: Sept 24, 2013
• Announced on Twitter
• First contributions: Matthew & Me
• FundFill site set up

Slide 35

Slide 35 text


Slide 36

Slide 36 text


Slide 37

Slide 37 text

The TrueCrypt Audit
• Oct 9, 2014
• Prof. Green blogs about it
• Front page Hacker News

Slide 38

Slide 38 text

Why, hello there!

Slide 39

Slide 39 text

And so it went...
• No, we don’t take Bitcoin.
• Yes, we take Bitcoin.
• Yes, the site is mobile-friendly.
• No, we don’t take PayPal.
• /sets up IndieGoGo site.
• Yes! We take PayPal.

Slide 40

Slide 40 text

And so on...
“Hi, I’d like to buy 500 t-shirts, please.”
“Do you ship to Thailand?”
Where does one purchase 150 DVDs of Sneakers?

Slide 41

Slide 41 text

Incredible community

Slide 42

Slide 42 text

Fiducial responsibility is complicated

Slide 43

Slide 43 text

Fiducial responsibility is complicated

Slide 44

Slide 44 text

Then, a few days later
• Ars Technica, ThreatPost, The Economist, Nature, CIO, The Register, InfoWorld, PC World, Network World . . .
• What do you mean there’s $30,000 in PayPal?!

Slide 45

Slide 45 text

Then, a few days later
• Ars Technica, ThreatPost, The Economist, Nature, CIO, The Register, InfoWorld, PC World, Network World . . .
• What do you mean there’s $30,000 in PayPal?!

Slide 46

Slide 46 text

And thus was born the Open Crypto Audit Project
A U.S. non-profit organization, incorporated in the state of North Carolina, currently seeking federal 501c(3) tax-exempt designation

Slide 47

Slide 47 text

Open Crypto Audit Project
Mission
o Provide technical assistance to free open source software (“FOSS”) projects in the public interest
o Coordinate volunteer technical experts in security, software engineering, and cryptography
o Conduct analysis and research on FOSS and other widely used software in the public interest

Slide 48

Slide 48 text


Slide 49

Slide 49 text

Open Crypto Audit Project
Advisory Board
o Jean-Philippe Aumasson
o Nate Lawson
o Runa Sandvik
o Bruce Schneier
o Thomas Ptacek
o Jim Denaro
o Moxie Marlinspike
o Trevor Perrin
o Joseph Lorenzo Hall

Slide 50

Slide 50 text

And thus was born the Open Crypto Audit Project
OpenCryptoAudit.org/people

Slide 51

Slide 51 text

Open Crypto Audit Project
Officers & Directors
o Matthew Green
o Marcia Hoffman
o Kenneth White

Slide 52

Slide 52 text

Our first Board meeting

Slide 53

Slide 53 text

Making the connections...

Slide 54

Slide 54 text

The work begins
• Reached out to a few of the small handful of organizations that are capable of doing this work
• Great response from iSec Labs
• Open Technology Fund matching grant

Slide 55

Slide 55 text

Fast-forward

Slide 56

Slide 56 text

Fast-forward

Slide 57

Slide 57 text

Fast-forward
• iSec’s final security assessment:
• Weak volume header key derivation (low KDF iteration count)
• Sensitive information could be paged out from kernel stacks
• Issues in the boot loader decompressor
• Use of memset() to clear sensitive data
• Overall findings: “no evidence of backdoors or intentional flaws”

Slide 58

Slide 58 text

What does that mean?
• Password strength is crucial (same as always)
• Vulnerabilities discovered would likely require physical access to a mounted volume to construct exploit chains (scrape key material, page files, etc.)
• This is *not* a part of the TrueCrypt security model
• If your machine is compromised, disk crypto will not help you (see Culp-White Law, earlier)
• PSA: *All* major FDEs, including Bitlocker, DM-Crypt, and FileVault have identical attack vectors
• So far, so good.

Slide 59

Slide 59 text

But then...

Slide 60

Slide 60 text

Life is what happens when you’re busy making other plans

Slide 61

Slide 61 text

TrueCrypt.org goes dark
• v. 7.2 is released, signed with developer keys (updated cert)
• Now read-only
• Archive is taken offline
• Recommendations for alternatives non-optimal

Slide 62

Slide 62 text


Slide 63

Slide 63 text

Our Response
• OCAP is continuing through with the Phase II (formal cryptanalysis) of the code
• We have created a trusted repository of source and binaries for all platforms
• Thomas Ptacek and Nate Lawson organizing Phase II
• We are considering several post-audit scenarios,
• /possibly/ including financial support for a trusted fork
• *Many* challenges and questions remain

Slide 64

Slide 64 text

Secure Coding and Trust

Slide 65

Slide 65 text

Crypto Engineering
“There is no difference, from the attacker's point of view, between gross and tiny errors. Both of them are equally exploitable...This lesson is very hard to internalize. In the real world, if you build a bookshelf and forget to tighten one of the screws all the way, it does not burn down your house.” — Maciej Cegłowski

Slide 66

Slide 66 text

(In)secure Coding: Where static analysis might help
• Unintended compiler optimizations
• Primitive type transpositions
• Pointer assignment vs. array assignments/terminators
From: www.viva64.com/en/examples (recommend preparing a tall glass of Scotch first)

Slide 67

Slide 67 text

(In)secure Coding
“Source code is interesting. Everybody thinks if you have source code, you’re going to be able to find everything wrong with [a system]. That’s a misconception. It’s nice to have source code so if you see something funny happening, you can check and see why – try to dig down… But for somebody to [manually] analyze millions of lines of source code, it’s just not going to happen.” — Richard George, Former Technical Director, NSA Information Assurance Directorate
Retrospective Keynote, June, 2014, vimeo.com/97891042 [35:50]

Slide 68

Slide 68 text

Consider a hypothetical:

Slide 69

Slide 69 text

Consider a hypothetical:

Slide 70

Slide 70 text

In Action
Credits: Program Verification Systems (http://www.viva64.com/en/d/0208/)

Slide 71

Slide 71 text

Visual Studio 2010

Slide 72

Slide 72 text

memset() didn’t

Slide 73

Slide 73 text

Back to the source

Slide 74

Slide 74 text

RtlSecureZeroMemory() does

Slide 75

Slide 75 text

Multiple options
• Prefer secure memory/copy functions of stdlib
• Review limitations of the language/framework
• Understand compiler optimization side-effects
• GCC 4.4+ (2009) offers a pragma for function-level optimization control or prevention (see: gcc.gnu.org/onlinedocs/gcc-4.4.0/gcc/Optimize-Options.html)
• Learn from others’ experience

Slide 76

Slide 76 text

Multiple options
• Prefer secure memory/copy functions of stdlib
• Review limitations of the language/framework
• Understand compiler optimization side-effects
• GCC 4.4+ (2009) offers a pragma for function-level optimization control or prevention (see: gcc.gnu.org/onlinedocs/gcc-4.4.0/gcc/Optimize-Options.html)
• Learn from others’ experience
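
The memset() problem from the preceding slides and two of the options listed above, as an added example (not code from the talk, TrueCrypt, or the audit report). The function names, buffer size and sample key bytes are assumptions made for illustration.

```c
#include <string.h>
/* Constructed key bytes for the demo, not taken from any real volume. */
static const unsigned char SAMPLE_KEY[8] = {0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4};

/* Option 1: compilers treat volatile stores as observable side effects and
 * emit every one. RtlSecureZeroMemory() takes the same approach. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Option 2 (GCC 4.4+ only): compile one function without optimization so its
 * memset() call is emitted. Other compilers see a plain memset() wrapper. */
#if defined(__GNUC__) && !defined(__clang__)
#pragma GCC push_options
#pragma GCC optimize ("O0")
#endif
void wipe_noopt(void *p, size_t n) { memset(p, 0, n); }
#if defined(__GNUC__) && !defined(__clang__)
#pragma GCC pop_options
#endif

/* The flagged pattern: tmp is never read after memset(), so an optimizer may
 * treat the call as a dead store and leave the key bytes on the stack. */
unsigned mix_naive(const unsigned char *key, size_t n) {
    unsigned char tmp[32] = {0};
    unsigned h = 0;
    memcpy(tmp, key, n > sizeof tmp ? sizeof tmp : n);
    for (size_t i = 0; i < sizeof tmp; i++) h = h * 31u + tmp[i];
    memset(tmp, 0, sizeof tmp);      /* candidate for removal at -O2 */
    return h;
}

/* Same routine, wiping through the volatile pointer instead. */
unsigned mix_hardened(const unsigned char *key, size_t n) {
    unsigned char tmp[32] = {0};
    unsigned h = 0;
    memcpy(tmp, key, n > sizeof tmp ? sizeof tmp : n);
    for (size_t i = 0; i < sizeof tmp; i++) h = h * 31u + tmp[i];
    secure_zero(tmp, sizeof tmp);    /* survives optimization */
    return h;
}

/* Fill a buffer with a marker, wipe it, return 1 if every byte is zero. */
int wipe_check(void (*wipe)(void *, size_t)) {
    unsigned char buf[32];
    memset(buf, 0xA5, sizeof buf);
    wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i]) return 0;
    return 1;
}
int main(void) {   /* exit status 0 when both wipes work and both mixes agree */
    return !(wipe_check(secure_zero) && wipe_check(wipe_noopt) &&
             mix_naive(SAMPLE_KEY, 8) == mix_hardened(SAMPLE_KEY, 8));
}
```

Both mix functions return the same value, so whether a build dropped the memset() only shows in the generated code, for example by comparing `gcc -O2 -S` output for mix_naive and mix_hardened.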

Slide 77

Slide 77 text

The Onion Router (TOR)
crypto.c, tortls.c, connection_or.c, onion.c, rendclient.c, tor-gencert.c

Slide 78

Slide 78 text

The Onion Router (TOR)
crypto.c, tortls.c, connection_or.c, onion.c, rendclient.c, tor-gencert.c

Slide 79

Slide 79 text

Network Security Services (NSS)
sha512.c

Slide 80

Slide 80 text

Network Security Services (NSS)
sha512.c

Slide 81

Slide 81 text

OpenSSL
ec_mult.c

Slide 82

Slide 82 text

OpenSSL
ec_mult.c

Slide 83

Slide 83 text

On Trust

Slide 84

Slide 84 text

Probably not your threat model

Slide 85

Slide 85 text

Trust is complicated

Slide 86

Slide 86 text

*Really* complicated

Slide 87

Slide 87 text

On Trust

Slide 88

Slide 88 text

On Trust

Slide 89

Slide 89 text

Strong crypto does not equal secure code

Slide 90

Slide 90 text

Forward Secrecy won’t help

Slide 91

Slide 91 text

Even with the best designs…

Slide 92

Slide 92 text

Things that make you go “hmmm”

Slide 93

Slide 93 text

It bears repeating...

Slide 94

Slide 94 text

Usable Crypto is HARD

Slide 95

Slide 95 text

Take-Aways
• Many recent catastrophic failures are secure coding errors, not crypto errors
• Static analyzers are not enough
• Manual inspection is not enough
• Source code can result in unexpected binary code
• Subject matter experts (protocols, crypto, network) may bring more perspective than “enough” eyes

Slide 96

Slide 96 text

If the game is rigged, strong crypto probably won’t help you.

Slide 97

Slide 97 text

Looking forward

Slide 98

Slide 98 text

Recap: Where are we now?
• Phase I Report released April 23, 2014
• Beginning Phase II, to include:
• Formal cryptanalysis
• OSX & Linux review
• Additional license work
• Partnering with Linux Foundation Core Infrastructure Initiative
• Auditing OpenSSL, possibly more
• Looking ahead!
• Trusted TC mirror: github.com/AuditProject/truecrypt-verified-mirror

Slide 99

Slide 99 text

Final Thoughts & Goals
• Unpaid volunteers are not enough
• One-off bug bounties are not enough
• Encourage secure coding practices
• Support & create smarter test harnesses
• Develop a workable model for public code review

Slide 100

Slide 100 text

Open Discussion

Slide 101

Slide 101 text

Talk to us
@matthew_d_green
@kennwhite
@OpenCryptoAudit
[email protected]
IsTrueCryptAuditedYet.com (partly!)
OpenCryptoAudit.org
blog.cryptographyengineering.com
github.com/AuditProject/truecrypt-verified-mirror