Cryptography Pitfalls at BSidesPhilly 2016

Slide 1

Slide 1 text

Cryptography Pitfalls John Downey | @jtdowney @jtdowney 1

Slide 2

Slide 2 text

Chicago @jtdowney 2

Slide 3

Slide 3 text

@jtdowney 3

Slide 4

Slide 4 text

@jtdowney 4

Slide 5

Slide 5 text

The views expressed in this presentation are my own, and not those of PayPal or any of its afﬁliates. @jtdowney 5

Slide 6

Slide 6 text

@jtdowney 6

Slide 7

Slide 7 text

Conﬁdentiality @jtdowney 7

Slide 8

Slide 8 text

Authentication @jtdowney 8

Slide 9

Slide 9 text

Identiﬁcation @jtdowney 9

Slide 10

Slide 10 text

Rigorous Science @jtdowney 10

Slide 11

Slide 11 text

Peer Review @jtdowney 11

Slide 12

Slide 12 text

@jtdowney 12

Slide 13

Slide 13 text

You have probably seen the door to a bank vault, at least in the movies. You know, 10-inch-thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often ﬁnd the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. — Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 13

Slide 14

Slide 14 text

• For data in transit • Use TLS (née SSL), SSH, or VPN/IPsec • For data at rest • Use GnuPG • Data to be signed • Use GnuPG @jtdowney 14

Slide 15

Slide 15 text

• Avoid low level libraries • OpenSSL • PyCrypto • Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, etc) • Keyczar (Python and Java) @jtdowney 15

Slide 16

Slide 16 text

@jtdowney 16

Slide 17

Slide 17 text

Random Number Generation @jtdowney 17

Slide 18

Slide 18 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Broken random number generators 3. Not using random data when it is required @jtdowney 18

Slide 19

Slide 19 text

@jtdowney 19

Slide 20

Slide 20 text

@jtdowney 20

Slide 21

Slide 21 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Broken random number generators 3. Not using random data when it is required @jtdowney 21

Slide 22

Slide 22 text

@jtdowney 22

Slide 23

Slide 23 text

@jtdowney 23

Slide 24

Slide 24 text

MD_Update(&m,buf,j); @jtdowney 24

Slide 25

Slide 25 text

Don't add uninitialised data to the random number generator. This stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 25

Slide 26

Slide 26 text

/* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 26

Slide 27

Slide 27 text

@jtdowney 27

Slide 28

Slide 28 text

@jtdowney 28

Slide 29

Slide 29 text

@jtdowney 29

Slide 30

Slide 30 text

@jtdowney 30

Slide 31

Slide 31 text

Pitfalls 1. Not using a cryptographically strong random number generator 2. Broken random number generators 3. Not using random data when it is required @jtdowney 31

Slide 32

Slide 32 text

@jtdowney 32

Slide 33

Slide 33 text

Recommendations • Use a cryptographically strong random number generator • Unix-like • Read from /dev/urandom • Windows • RandomNumberGenerator in System.Security.Cryptography (.NET) • CryptGenRandom (Windows) @jtdowney 33

Slide 34

Slide 34 text

Hash Functions @jtdowney 34

Slide 35

Slide 35 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 35

Slide 36

Slide 36 text

@jtdowney 36

Slide 37

Slide 37 text

@jtdowney 37

Slide 38

Slide 38 text

@jtdowney 38

Slide 39

Slide 39 text

@jtdowney 39

Slide 40

Slide 40 text

9EC4C12949A4F31474F299058CE2B22A @jtdowney 40

Slide 41

Slide 41 text

mission = """ USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. """ md5(mission) # => 9EC4C12949A4F31474F299058CE2B22A @jtdowney 41

Slide 42

Slide 42 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 42

Slide 43

Slide 43 text

@jtdowney 43

Slide 44

Slide 44 text

Pitfalls 1. Using weak/old algorithms 2. Misunderstanding checksums 3. Length extension attacks @jtdowney 44

Slide 45

Slide 45 text

Message Authentication Code (MAC) tag = MAC(key, value) • Takes: • key - shared secret • value - value to protected integrity of • Returns: • tag - value that represents the integrity @jtdowney 45

Slide 46

Slide 46 text

Naive approach tag = sha256(key || value) @jtdowney 46

Slide 47

Slide 47 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" signature = sha256(secret + value) @jtdowney 47

Slide 48

Slide 48 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1actually make that at $0" signature = sha256(secret + value) @jtdowney 48

Slide 49

Slide 49 text

Length Extension Attacks secret = "my-secret-key" value = "buy 10 units at $1" signature = hmac_sha256(secret, value) @jtdowney 49

Slide 50

Slide 50 text

@jtdowney 50

Slide 51

Slide 51 text

@jtdowney 51

Slide 52

Slide 52 text

Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if you want a signature • Stop using MD5 • Don't use SHA-1 in new projects • Phase it out for uses that require collision resistance @jtdowney 52

Slide 53

Slide 53 text

Password Storage @jtdowney 53

Slide 54

Slide 54 text

Don't wait to ﬁx your password storage • http://www.bsidesphilly.org/2016/12/cryptography_pitfalls/ • https://jtdowney.com/blog/2015/11/01/dont-wait-to-ﬁx- your-password-storage/ @jtdowney 54

Slide 55

Slide 55 text

Ciphers @jtdowney 55

Slide 56

Slide 56 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 56

Slide 57

Slide 57 text

@jtdowney 57

Slide 58

Slide 58 text

@jtdowney 58

Slide 59

Slide 59 text

@jtdowney 59

Slide 60

Slide 60 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 60

Slide 61

Slide 61 text

AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key, ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 61

Slide 62

Slide 62 text

ECB Encrypt while (remaining blocks) { block = ... # next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 62

Slide 63

Slide 63 text

@jtdowney 63

Slide 64

Slide 64 text

@jtdowney 64

Slide 65

Slide 65 text

Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for block ciphers 3. Not using authenticated encryption @jtdowney 65

Slide 66

Slide 66 text

@jtdowney 66

Slide 67

Slide 67 text

@jtdowney 67

Slide 68

Slide 68 text

@jtdowney 68

Slide 69

Slide 69 text

@jtdowney 69

Slide 70

Slide 70 text

World of hurt @jtdowney 70

Slide 71

Slide 71 text

Recommendations • Prefer to use box/secret box from NaCL/libsodium • Stop using DES • Stop building your own on top of AES • Stop encrypting without protecting integrity @jtdowney 71

Slide 72

Slide 72 text

What if you have to use AES • Do not use ECB mode • Be sure to use authenticated encryption • GCM mode would be a good ﬁrst choice • Verify the tag/MAC ﬁrst • Still easy to mess up in a critical way @jtdowney 72

Slide 73

Slide 73 text

TLS/SSL @jtdowney 73

Slide 74

Slide 74 text

Pitfalls 1. Not verifying the certiﬁcate chain or hostname 2. Misconﬁgured server settings 3. Using a broken library @jtdowney 74

Slide 75

Slide 75 text

@jtdowney 75

Slide 76

Slide 76 text

@jtdowney 76

Slide 77

Slide 77 text

@jtdowney 77

Slide 78

Slide 78 text

Hostname veriﬁcation @jtdowney 78

Slide 79

Slide 79 text

Hostname verification • Check that you got the certificate for who you intended to connect to • Hostname verification is protocol dependent • OpenSSL doesn't have it built in @jtdowney 79

Slide 80

Slide 80 text

Pitfalls 1. Not verifying the certiﬁcate chain or hostname 2. Misconﬁgured server settings 3. Using a broken library @jtdowney 80

Slide 81

Slide 81 text

@jtdowney 81

Slide 82

Slide 82 text

SSL Labs https://www.ssllabs.com @jtdowney 82

Slide 83

Slide 83 text

testssl.sh https://testssl.sh @jtdowney 83

Slide 84

Slide 84 text

TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-conﬁg-generator/ @jtdowney 84

Slide 85

Slide 85 text

Pitfalls 1. Not verifying the certiﬁcate chain or hostname 2. Misconﬁgured server settings 3. Using a broken library @jtdowney 85

Slide 86

Slide 86 text

@jtdowney 86

Slide 87

Slide 87 text

@jtdowney 87

Slide 88

Slide 88 text

Recommendations • Do ensure you're validating connections • Lean on a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 88

Slide 89

Slide 89 text

Trust @jtdowney 89

Slide 90

Slide 90 text

The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 90

Slide 91

Slide 91 text

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 91

Slide 92

Slide 92 text

@jtdowney 92

Slide 93

Slide 93 text

Certiﬁcate Pinning @jtdowney 93

Slide 94

Slide 94 text

@jtdowney 94

Slide 95

Slide 95 text

Recommendations • Think about what organizations you really trust • Investigate certiﬁcate pinning for your apps @jtdowney 95

Slide 96

Slide 96 text

Quantum Computers @jtdowney 96

Slide 97

Slide 97 text

Pitfalls 1. Assuming current crypto will last forever @jtdowney 97

Slide 98

Slide 98 text

@jtdowney 98

Slide 99

Slide 99 text

@jtdowney 99

Slide 100

Slide 100 text

Recommendations • Follow the PQCrypto discussion • Stay away from PQCrypto until the industry starts to standardize • Hope that researchers are moving fast enough @jtdowney 100

Slide 101

Slide 101 text

@jtdowney 101

Slide 102

Slide 102 text

Stanford Crypto Class http://crypto-class.com @jtdowney 102

Slide 103

Slide 103 text

Matasano Crypto Challenges http://cryptopals.com @jtdowney 103

Slide 104

Slide 104 text

Questions John Downey | @jtdowney @jtdowney 104

Slide 105

Slide 105 text

Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS • https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE • https://flic.kr/p/AV1Nd @jtdowney 105