Slide 1

Slide 1 text

Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

Slide 2

Slide 2 text

@jtdowney 2

Slide 3

Slide 3 text

@jtdowney 3

Slide 4

Slide 4 text

@jtdowney 4

Slide 5

Slide 5 text

The views expressed in this presentation are my own, and not those of PayPal or any of its affiliates. @jtdowney 5

Slide 6

Slide 6 text

@jtdowney 6

Slide 7

Slide 7 text

Confidentiality @jtdowney 7

Slide 8

Slide 8 text

Authentication @jtdowney 8

Slide 9

Slide 9 text

Identification @jtdowney 9

Slide 10

Slide 10 text

Rigorous Science @jtdowney 10

Slide 11

Slide 11 text

Peer Review @jtdowney 11

Slide 12

Slide 12 text

@jtdowney 12

Slide 13

Slide 13 text

You have probably seen the door to a bank vault, at least in the movies. You know, 10-inch- thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. — Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 13

Slide 14

Slide 14 text

• For data in transit • Use TLS (née SSL), SSH, or VPN/IPsec • For data at rest • Use GnuPG • Data to be signed • Use GnuPG @jtdowney 14

Slide 15

Slide 15 text

• Avoid low level libraries • OpenSSL • PyCrypto • Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, PHP, etc) • Keyczar (C++, Python, and Java) @jtdowney 15

Slide 16

Slide 16 text

@jtdowney 16

Slide 17

Slide 17 text

Random Number Generation @jtdowney 17

Slide 18

Slide 18 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Not using random data when it is required 3. Broken random number generators @jtdowney 18

Slide 19

Slide 19 text

@jtdowney 19

Slide 20

Slide 20 text

@jtdowney 20

Slide 21

Slide 21 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Not using random data when it is required 3. Broken random number generators @jtdowney 21

Slide 22

Slide 22 text

@jtdowney 22

Slide 23

Slide 23 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Not using random data when it is required 3. Broken random number generators @jtdowney 23

Slide 24

Slide 24 text

@jtdowney 24

Slide 25

Slide 25 text

@jtdowney 25

Slide 26

Slide 26 text

MD_Update(&m,buf,j); @jtdowney 26

Slide 27

Slide 27 text

Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 27

Slide 28

Slide 28 text

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 28

Slide 29

Slide 29 text

@jtdowney 29

Slide 30

Slide 30 text

@jtdowney 30

Slide 31

Slide 31 text

Recommendations • Use a cryptographically strong random number generator • Unix-like • Read from /dev/urandom • Windows • RandomNumberGenerator in System.Security.Cryptography (.NET) • CryptGenRandom • Java use java.security.SecureRandom @jtdowney 31

Slide 32

Slide 32 text

Hash Functions @jtdowney 32

Slide 33

Slide 33 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 33

Slide 34

Slide 34 text

@jtdowney 34

Slide 35

Slide 35 text

@jtdowney 35

Slide 36

Slide 36 text

@jtdowney 36

Slide 37

Slide 37 text

@jtdowney 37

Slide 38

Slide 38 text

9EC4C12949A4F31474F299058CE2B22A @jtdowney 38

Slide 39

Slide 39 text

9EC4C12949A4F31474F299058CE2B22A USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. @jtdowney 39

Slide 40

Slide 40 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 40

Slide 41

Slide 41 text

@jtdowney 41

Slide 42

Slide 42 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 42

Slide 43

Slide 43 text

Message Authentication Code (MAC) tag = MAC(key, value) • Takes: • key - shared secret • value - value to protected integrity of • Returns: • tag - value that represents the integrity @jtdowney 43

Slide 44

Slide 44 text

Naive approach tag = sha256(key + value) @jtdowney 44

Slide 45

Slide 45 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" signature = sha256(secret + value) @jtdowney 45

Slide 46

Slide 46 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" + " or $0" signature = sha256(secret + value) @jtdowney 46

Slide 47

Slide 47 text

Fixed secret = "my-secret-key" value = "buy 10 units at $1" signature = hmac_sha256(secret, value) @jtdowney 47

Slide 48

Slide 48 text

@jtdowney 48

Slide 49

Slide 49 text

@jtdowney 49

Slide 50

Slide 50 text

Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if you want a signature • Use BLAKE2b if you need speed • Stop using MD5 • Stop using SHA1 @jtdowney 50

Slide 51

Slide 51 text

Passwords @jtdowney 51

Slide 52

Slide 52 text

@jtdowney 52

Slide 53

Slide 53 text

@jtdowney 53

Slide 54

Slide 54 text

@jtdowney 54

Slide 55

Slide 55 text

@jtdowney 55

Slide 56

Slide 56 text

@jtdowney 56

Slide 57

Slide 57 text

@jtdowney 57

Slide 58

Slide 58 text

@jtdowney 58

Slide 59

Slide 59 text

@jtdowney 59

Slide 60

Slide 60 text

@jtdowney 60

Slide 61

Slide 61 text

@jtdowney 61

Slide 62

Slide 62 text

Hash functions are fast @jtdowney 62

Slide 63

Slide 63 text

1. One-way • Value can be used for verification 2. Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password 3. Slow @jtdowney 63

Slide 64

Slide 64 text

Adaptive Hashing bcrypt, scrypt, argon2, or PBKDF2 @jtdowney 64

Slide 65

Slide 65 text

Recommendations • Delegate authentication if possible • Facebook, Twitter, Google, Github • Store one-way verifiers using bcrypt, scrypt, argon2, or PBDKF2 @jtdowney 65

Slide 66

Slide 66 text

So your password storage is bad @jtdowney 66

Slide 67

Slide 67 text

It will be ok, you can fix it @jtdowney 67

Slide 68

Slide 68 text

Example: password_hash column is sha1(salt + password) @jtdowney 68

Slide 69

Slide 69 text

• Don't wait for user to login and silently upgrade • Wrap bcrypt around existing scheme • Use bcrypt(sha1(salt + password) • Upgrade all passwords in place • This does require the previous password scheme wasn't atrociously bad (e.g. DES crypt) @jtdowney 69

Slide 70

Slide 70 text

Now: password_hash column is bcrypt(sha1(salt + password)) @jtdowney 70

Slide 71

Slide 71 text

Ciphers @jtdowney 71

Slide 72

Slide 72 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 72

Slide 73

Slide 73 text

@jtdowney 73

Slide 74

Slide 74 text

@jtdowney 74

Slide 75

Slide 75 text

@jtdowney 75

Slide 76

Slide 76 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 76

Slide 77

Slide 77 text

AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key, ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 77

Slide 78

Slide 78 text

ECB Encrypt while (remaining blocks) { block = ... # next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 78

Slide 79

Slide 79 text

@jtdowney 79

Slide 80

Slide 80 text

@jtdowney 80

Slide 81

Slide 81 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 81

Slide 82

Slide 82 text

@jtdowney 82

Slide 83

Slide 83 text

@jtdowney 83

Slide 84

Slide 84 text

@jtdowney 84

Slide 85

Slide 85 text

@jtdowney 85

Slide 86

Slide 86 text

World of hurt @jtdowney 86

Slide 87

Slide 87 text

Recommendations • Prefer to use box/secret box from NaCL/ libsodium • Stop using DES • Stop building your own on top of AES • Stop encrypting without protecting integrity @jtdowney 87

Slide 88

Slide 88 text

What if you have to use AES • Do not use ECB mode • Be sure to use authenticated encryption • GCM mode would be a good first choice • Verify the tag/MAC first • Still easy to mess up in a critical way @jtdowney 88

Slide 89

Slide 89 text

TLS/SSL @jtdowney 89

Slide 90

Slide 90 text

Pitfalls 1. Not verifying the certificate chain or hostname 2. Misconfigured server settings 3. Using a broken library @jtdowney 90

Slide 91

Slide 91 text

@jtdowney 91

Slide 92

Slide 92 text

@jtdowney 92

Slide 93

Slide 93 text

@jtdowney 93

Slide 94

Slide 94 text

@jtdowney 94

Slide 95

Slide 95 text

Hostname verification @jtdowney 95

Slide 96

Slide 96 text

Hostname verification • Check that you got the certificate for who you intended to connect to • Hostname verification is protocol dependent • OpenSSL doesn't have it built in @jtdowney 96

Slide 97

Slide 97 text

Pitfalls 1. Not verifying the certificate chain or hostname 2. Misconfigured server settings 3. Using a broken library @jtdowney 97

Slide 98

Slide 98 text

@jtdowney 98

Slide 99

Slide 99 text

SSL Labs https://www.ssllabs.com @jtdowney 99

Slide 100

Slide 100 text

testssl.sh https://testssl.sh @jtdowney 100

Slide 101

Slide 101 text

TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-config-generator/ @jtdowney 101

Slide 102

Slide 102 text

Pitfalls 1. Not verifying the certificate chain or hostname 2. Misconfigured server settings 3. Using a broken library @jtdowney 102

Slide 103

Slide 103 text

@jtdowney 103

Slide 104

Slide 104 text

@jtdowney 104

Slide 105

Slide 105 text

Recommendations • Do ensure you're validating connections • Lean on a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 105

Slide 106

Slide 106 text

Trust @jtdowney 106

Slide 107

Slide 107 text

The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 107

Slide 108

Slide 108 text

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 108

Slide 109

Slide 109 text

@jtdowney 109

Slide 110

Slide 110 text

Certificate Pinning @jtdowney 110

Slide 111

Slide 111 text

@jtdowney 111

Slide 112

Slide 112 text

Recommendations • Think about what organizations you really trust • Investigate certificate pinning for your apps @jtdowney 112

Slide 113

Slide 113 text

@jtdowney 113

Slide 114

Slide 114 text

Stanford Crypto Class http://crypto-class.com @jtdowney 114

Slide 115

Slide 115 text

Matasano Crypto Challenges http://cryptopals.com @jtdowney 115

Slide 116

Slide 116 text

Questions John Downey | @jtdowney @jtdowney 116

Slide 117

Slide 117 text

Bonus Round @jtdowney 117

Slide 118

Slide 118 text

Quantum Computers @jtdowney 118

Slide 119

Slide 119 text

Pitfalls 1. Assuming current crypto will last forever @jtdowney 119

Slide 120

Slide 120 text

@jtdowney 120

Slide 121

Slide 121 text

@jtdowney 121

Slide 122

Slide 122 text

Recommendations • Follow the PQCrypto discussion • Stay away from PQCrypto until the industry starts to standardize • Hope that researchers are moving fast enough @jtdowney 122

Slide 123

Slide 123 text

Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS • https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE • https://flic.kr/p/AV1Nd • https://flic.kr/p/5tWgh4 @jtdowney 123