Slide 1

Slide 1 text

Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

Slide 2

Slide 2 text

@jtdowney 2

Slide 3

Slide 3 text

@jtdowney 3

Slide 4

Slide 4 text

Chicago @jtdowney 4

Slide 5

Slide 5 text

@jtdowney 5

Slide 6

Slide 6 text

Confidentiality @jtdowney 6

Slide 7

Slide 7 text

Authentication @jtdowney 7

Slide 8

Slide 8 text

Identification @jtdowney 8

Slide 9

Slide 9 text

Rigorous Science @jtdowney 9

Slide 10

Slide 10 text

Peer Review @jtdowney 10

Slide 11

Slide 11 text

@jtdowney 11

Slide 12

Slide 12 text

You have probably seen the door to a bank vault, at least in the movies. You know, 10-inch-thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. -Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 12

Slide 13

Slide 13 text

• For data in transit • Use TLS (née SSL), SSH, or VPN/IPsec • For data at rest • Use GnuPG @jtdowney 13

Slide 14

Slide 14 text

• Avoid low level libraries • OpenSSL • PyCrypto • Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, etc) • Keyczar (Python and Java) @jtdowney 14

Slide 15

Slide 15 text

@jtdowney 15

Slide 16

Slide 16 text

Random Number Generation @jtdowney 16

Slide 17

Slide 17 text

• Randomness is a central part of any crypto system • Used to generate: • Encryption keys • API keys • Session tokens • Password reset tokens @jtdowney 17

Slide 18

Slide 18 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Broken random random number generators 3. Not using random data when it is required @jtdowney 18

Slide 19

Slide 19 text

@jtdowney 19

Slide 20

Slide 20 text

@jtdowney 20

Slide 21

Slide 21 text

Pitfalls 1. Not using the right random number generator 2. Broken random random number generators 3. Not using random data when it is required @jtdowney 21

Slide 22

Slide 22 text

@jtdowney 22

Slide 23

Slide 23 text

MD_Update(&m,buf,j); @jtdowney 23

Slide 24

Slide 24 text

Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 24

Slide 25

Slide 25 text

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 25

Slide 26

Slide 26 text

@jtdowney 26

Slide 27

Slide 27 text

Pitfalls 1. Not using the right random number generator 2. Broken random random number generators 3. Not using random data when it is required @jtdowney 27

Slide 28

Slide 28 text

@jtdowney 28

Slide 29

Slide 29 text

Recommendations • Unix-like • Read from /dev/urandom • Windows • RandomNumberGenerator.Create() (.NET) • CryptGenRandom (Windows) @jtdowney 29

Slide 30

Slide 30 text

Hash Functions @jtdowney 30

Slide 31

Slide 31 text

• Often called a fingerprint • One way • Not reversible (can’t find person without fingerprint DB) • Ideally, no two people with same fingerprint (no two inputs) @jtdowney 31

Slide 32

Slide 32 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 32

Slide 33

Slide 33 text

@jtdowney 33

Slide 34

Slide 34 text

@jtdowney 34

Slide 35

Slide 35 text

@jtdowney 35

Slide 36

Slide 36 text

@jtdowney 36

Slide 37

Slide 37 text

9EC4C12949A4F31474F299058CE2B22A @jtdowney 37

Slide 38

Slide 38 text

mission = """ USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. """ md5(mission) # => 9EC4C12949A4F31474F299058CE2B22A @jtdowney 38

Slide 39

Slide 39 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 39

Slide 40

Slide 40 text

@jtdowney 40

Slide 41

Slide 41 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 41

Slide 42

Slide 42 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" signature = sha256(secret + "|" + value) @jtdowney 42

Slide 43

Slide 43 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1actually make that at $0" signature = sha256(secret + "|" + value) @jtdowney 43

Slide 44

Slide 44 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" signature = hmac_sha256(secret, value) @jtdowney 44

Slide 45

Slide 45 text

Message Authentication Code (MAC) tag = hmac_sha256(key, value) • key - shared secret • value - value to protected integrity of • tag - value that represents the integrity @jtdowney 45

Slide 46

Slide 46 text

@jtdowney 46

Slide 47

Slide 47 text

Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if you want a signature • Stop using MD5 • Don't use SHA-1 in new projects • Phase it out for uses that require collision resistance @jtdowney 47

Slide 48

Slide 48 text

Password Storage @jtdowney 48

Slide 49

Slide 49 text

@jtdowney 49

Slide 50

Slide 50 text

@jtdowney 50

Slide 51

Slide 51 text

@jtdowney 51

Slide 52

Slide 52 text

@jtdowney 52

Slide 53

Slide 53 text

@jtdowney 53

Slide 54

Slide 54 text

@jtdowney 54

Slide 55

Slide 55 text

sha1(password) @jtdowney 55

Slide 56

Slide 56 text

1. One-way • Value can be used for verification @jtdowney 56

Slide 57

Slide 57 text

sha1(salt + password) @jtdowney 57

Slide 58

Slide 58 text

1. One-way • Value can be used for verification 2. Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password @jtdowney 58

Slide 59

Slide 59 text

Hash functions are fast @jtdowney 59

Slide 60

Slide 60 text

1. One-way • Value can be used for verification 2. Randomized • Can largely defeat pre-computed tables • Forces attackers to focus on one password 3. Slow @jtdowney 60

Slide 61

Slide 61 text

Adaptive Hashing bcrypt, scrypt, or PBKDF2 @jtdowney 61

Slide 62

Slide 62 text

Recommendations • Delegate authentication if possible • Facebook, Twitter, Google, Github • Store one-way verifiers using bcrypt, scrypt, or PBDKF2 @jtdowney 62

Slide 63

Slide 63 text

So your password storage is bad @jtdowney 63

Slide 64

Slide 64 text

It will be ok, you can fix it @jtdowney 64

Slide 65

Slide 65 text

Example: password_hash column is sha1(salt || password) @jtdowney 65

Slide 66

Slide 66 text

• Don't wait for user to login and silently upgrade • Wrap bcrypt around existing scheme • Use bcrypt(sha1(salt || password) • Upgrade all passwords in place @jtdowney 66

Slide 67

Slide 67 text

Now: password_hash column is bcrypt(sha1(salt || password)) @jtdowney 67

Slide 68

Slide 68 text

Block Ciphers @jtdowney 68

Slide 69

Slide 69 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode 3. Not using authenticated encryption @jtdowney 69

Slide 70

Slide 70 text

@jtdowney 70

Slide 71

Slide 71 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode 3. Not using authenticated encryption @jtdowney 71

Slide 72

Slide 72 text

AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key, ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 72

Slide 73

Slide 73 text

ECB Encrypt while (remaining blocks) { block = ... # next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 73

Slide 74

Slide 74 text

@jtdowney 74

Slide 75

Slide 75 text

@jtdowney 75

Slide 76

Slide 76 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode 3. Not using authenticated encryption @jtdowney 76

Slide 77

Slide 77 text

@jtdowney 77

Slide 78

Slide 78 text

World of hurt @jtdowney 78

Slide 79

Slide 79 text

Recommendations • Prefer to use box/secret box from NaCL/libsodium • Stop using DES • Stop building your own on top of AES @jtdowney 79

Slide 80

Slide 80 text

What if you have to use AES • Do not use ECB mode • Be sure to use authenticated encryption: • GCM mode would be a good first choice • Verify the tag/MAC first • Still easy to mess up in a critical way @jtdowney 80

Slide 81

Slide 81 text

Stream Ciphers @jtdowney 81

Slide 82

Slide 82 text

XOR Refresher @jtdowney 82

Slide 83

Slide 83 text

XOR Refresher A xor 0 = A A xor A = 0 A xor B = C A xor C = B B xor C = A A xor A xor B = B @jtdowney 83

Slide 84

Slide 84 text

Encrypting keystream = expand(key) # => "\x84\x859\x87\xBC\x15\x91\x01N\xD4^\xA0\xAC371" message = 'attack at dawn' ciphertext = message xor keystream # => "\xE5\xF1M\xE6\xDF~\xB1`:\xF4:\xC1\xDB]" @jtdowney 84

Slide 85

Slide 85 text

Decrypting keystream = expand(key) # => "\x84\x859\x87\xBC\x15\x91\x01N\xD4^\xA0\xAC371" message = ciphertext xor keystream # => 'attack at dawn' @jtdowney 85

Slide 86

Slide 86 text

Pitfalls 1. Using old/weak algorithms 2. Reusing the same key 3. Not using authenticated encryption @jtdowney 86

Slide 87

Slide 87 text

@jtdowney 87

Slide 88

Slide 88 text

@jtdowney 88

Slide 89

Slide 89 text

Pitfalls 1. Using old/weak algorithms 2. Reusing the same key 3. Not using authenticated encryption @jtdowney 89

Slide 90

Slide 90 text

keystream = expand(key) message1 = 'attack at dawn' ciphertext1 = message1 xor keystream message2 = 'attack at dusk' ciphertext2 = message2 xor keystream @jtdowney 90

Slide 91

Slide 91 text

(ciphertext1) xor (ciphertext2) ! ! (message1 xor keystream) xor (message2 xor keystream) @jtdowney 91

Slide 92

Slide 92 text

message1 xor keystream xor message2 xor keystream @jtdowney 92

Slide 93

Slide 93 text

message1 xor message2 @jtdowney 93

Slide 94

Slide 94 text

@jtdowney 94

Slide 95

Slide 95 text

Pitfalls 1. Using old/weak algorithms 2. Reusing the same key 3. Not using authenticated encryption @jtdowney 95

Slide 96

Slide 96 text

General 1 keystream = expand(key) message = 'attack at dawn' ciphertext = message xor keystream @jtdowney 96

Slide 97

Slide 97 text

Spy tweak = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x04\x05" new_ciphertext = message xor tweak @jtdowney 97

Slide 98

Slide 98 text

General 2 keystream = expand(key) message = new_ciphertext xor keystream message = 'attack at dusk' @jtdowney 98

Slide 99

Slide 99 text

General 2 message = (new_ciphertext) xor keystream ! message = (ciphertext xor tweak) xor keystream @jtdowney 99

Slide 100

Slide 100 text

General 2 'attack at dawn' xor tweak 'attack at dusk' @jtdowney 100

Slide 101

Slide 101 text

Recommendations • Use box/secret box from NaCL/libsodium • Stop using RC4 • Ensure you don't reuse keys • This means reusing nonces as well • Always protect ciphertext integrity (i.e. with a MAC) @jtdowney 101

Slide 102

Slide 102 text

TLS/SSL Verification @jtdowney 102

Slide 103

Slide 103 text

@jtdowney 103

Slide 104

Slide 104 text

Pitfalls 1. Not verifying the certificate chain 2. Not verifying the hostname 3. Using a broken library @jtdowney 104

Slide 105

Slide 105 text

@jtdowney 105

Slide 106

Slide 106 text

$ curl -k https://example.com or curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); @jtdowney 106

Slide 107

Slide 107 text

Pitfalls 1. Not verifying the certificate chain 2. Not verifying the hostname 3. Using a broken library @jtdowney 107

Slide 108

Slide 108 text

• Hostname verification is protocol dependent • OpenSSL doesn't have it built in • Also, some people just turn it off: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); @jtdowney 108

Slide 109

Slide 109 text

Pitfalls 1. Not verifying the certificate chain 2. Not verifying the hostname 3. Using a broken library @jtdowney 109

Slide 110

Slide 110 text

@jtdowney 110

Slide 111

Slide 111 text

@jtdowney 111

Slide 112

Slide 112 text

Recommendations • Do ensure you're validating connections • Lean on a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 112

Slide 113

Slide 113 text

TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-config-generator/ @jtdowney 113

Slide 114

Slide 114 text

Trust @jtdowney 114

Slide 115

Slide 115 text

The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 115

Slide 116

Slide 116 text

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 116

Slide 117

Slide 117 text

AOL Time Warner Inc. AS Sertifitseerimiskeskus AddTrust Baltimore beTRUSTed Buypass CNNIC COMODO CA Limited Certplus certSIGN Chambersign Chunghwa Telecom Co., Ltd. ComSign Comodo CA Limited Cybertrust, Inc Deutsche Telekom AG Deutscher Sparkassen Verlag GmbH Dhimyotis DigiCert Inc DigiNotar Digital Signature Trust Co. Disig a.s. EBG Bilişim Teknolojileri ve Hizmetleri A.Ş. EDICOM Entrust, Inc. Equifax GTE Corporation GeoTrust Inc. GlobalSign nv-sa Hongkong Post Japan Certification Services, Inc. Japanese Government Microsec Ltd. NetLock Halozatbiztonsagi Kft. Network Solutions L.L.C. PM/SGDN QuoVadis Limited RSA Security Inc SECOM Trust Systems CO.,LTD. SecureTrust Corporation Sociedad Cameral de Certificación Digital Sonera Staat der Nederlanden Starfield Technologies, Inc. StartCom Ltd. SwissSign AG Swisscom TC TrustCenter GmbH TDC Taiwan Government Thawte The Go Daddy Group, Inc. The USERTRUST Network TÜBİTAK TÜRKTRUST Unizeto Sp. z o.o. VISA ValiCert, Inc. VeriSign, Inc. WISeKey Wells Fargo XRamp Security Services Inc @jtdowney 117

Slide 118

Slide 118 text

Certificate Pinning @jtdowney 118

Slide 119

Slide 119 text

Recommendations • Think about what organizations you really trust • Investigate certificate pinning for your apps @jtdowney 119

Slide 120

Slide 120 text

@jtdowney 120

Slide 121

Slide 121 text

Stanford Crypto Class https://www.coursera.org/course/crypto @jtdowney 121

Slide 122

Slide 122 text

Matasano Crypto Challenges http://cryptopals.com @jtdowney 122

Slide 123

Slide 123 text

Questions John Downey | @jtdowney @jtdowney 123

Slide 124

Slide 124 text

Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS • https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE @jtdowney 124