
Crypto manifesto 2015

Alvaro
March 22, 2016

Transcript

  1. Crypto manifesto 2015
     Alvaro Munoz, Principal Security Researcher; Yekaterina O’Neil, Principal Security Researcher. #HPProtect
     © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  2. Agenda
     • Why now?
     • Common misuses
     • What to do?
     • Food for thought
  3. A few terms
     • Entropy
     • Pseudo-random number generator (PRNG)
     • Hash function
     • Password-based key derivation function (PBKDF)
     • Asymmetric encryption
     • Symmetric encryption
     • Password-based encryption (PBE)
     • Mode of operation
     • Padding
     • Digital signature
     • Protocol
     • Ciphersuite
  4. Why now? High-profile vulnerabilities
  5. Attacks on SSL, 2011 to 2015 (timeline)
     • September 2011: BEAST
     • September 2012: CRIME
     • August 2013: BREACH
     • April 2014: Heartbleed
     • September 2014: POODLE
     • March 2015: FREAK
     • May 2015: Logjam
  6. Common themes
     • Attacks on SSL and TLS
     • Require a man-in-the-middle
     • Exploit protocols that use cryptography known to be broken for many years
       – Export ciphers
       – RC4 stream cipher
       – Block ciphers in CBC mode
     • Exploit protocols’ backwards compatibility with broken versions for interoperability with legacy systems
     • Result in the ability to extract plaintext from encrypted sessions
  7. POODLE
     • POODLE = Padding Oracle On Downgraded Legacy Encryption
     • CVE-2014-3566
     • September 2014
     • SSL 3.0 uses:
       – the RC4 stream cipher, or a block cipher in
       – CBC mode with
       – non-deterministic padding that is
       – not covered by the Message Authentication Code (MAC) → the integrity of the padding cannot be fully verified at decryption
     • Allows stealing “secure” HTTP cookies or HTTP Authorization header contents using BEAST techniques
     • On average, requires 256 SSL 3.0 requests in order to reveal one byte of the encrypted message
  8. POODLE in action
     [Diagram: Browser, Attacker and Server, with the negotiated protocol version stepping down from TLS 1.2 through TLS 1.1 and TLS 1.0 to SSL 3.0]
  9. Padding Oracle attack in action
     [Diagram: exchange between Attacker and Server. Labels: Pi = D(Ci) ⊕ Ci-1; last block Cn = xxxxxxxxxxxxxxxx15 (padding); goal: learn Pi[15]; the attacker replaces Cn with Ci and the server answers “Fail? Yes / No”; when there is no failure, D(Ci)[15] ⊕ Cn-1[15] = 15, so Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]]
  10. Why now? Evolution of standards
  11. Standards
     • Elaine Barker and Allen Roginsky. “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths”. NIST Special Publication 800-131A, 2011. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
     • Payment Card Industry (PCI) Data Security Standard (DSS). “Requirements and Security Assessment Procedures”. Version 3.0, November 2013. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
     • Payment Card Industry (PCI) Data Security Standard (DSS). “Requirements and Security Assessment Procedures”. Version 3.1, April 2015. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
  12. NIST SP 800-131A: Encryption transitions
  13. NIST SP 800-131A: Encryption transitions, cont.
  14. NIST SP 800-131A: Digital signature generation transitions
  15. NIST SP 800-131A: Digital signature verification transitions
  16. NIST SP 800-131A: Random number generation transitions
  17. NIST SP 800-131A: RSA-based key length transitions
  18. NIST SP 800-131A: Hash function transitions
  19. PCI DSS: Version 3.0 vs. Version 3.1
  20. Common misuses
  21. Categories of flaws related to:
     • Seeds and entropy sources
     • Password management and key derivation functions
     • Cryptographic hashes and password-based encryption
     • Digital signatures
     • Encryption
     • Key management
  22. Categories of flaws related to:
     • Seeds and entropy sources
       – Insecure Randomness: Hardcoded Seed
       – Insecure Randomness: User-Controlled Seed
       – Insecure Randomness: Weak Entropy Source
     • Password management and key derivation functions
     • Cryptographic hashes and password-based encryption
     • Digital signatures
     • Encryption
     • Key management
  23. [Diagram: PRNG vs. CSPRNG; both fed the seed 123456 and both showing the same output bit stream]
  24. [Diagram: PRNG vs. CSPRNG; with the seed 123456 the PRNG output is the same as on slide 23, while the CSPRNG output differs]
  25. Example: Weak entropy source
     • CWE-332: Insufficient Entropy in PRNG
     • A PRNG is only as strong as its entropy
     • Low entropy means the seed is predictable
     • If the seed is predictable, the PRNG’s internal state is predictable too, and so is the generated sequence
     • Weak entropy sources:
       – Non-hardware sources of randomness
         • System clock
         • System/input/output buffers
         • User/system/hardware/network serial numbers or addresses, and timing
         • User-controlled input
         • PIDs
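The following is an added example, not part of the deck, written in Python (the language of the PyCrypto reference later in the slides) to make slides 22 to 25 concrete. Python's random module is a Mersenne Twister PRNG, so its state, and hence its whole output, is fixed by the seed (the point of slides 23 and 24); a token derived from a clock-seeded instance is therefore identical for everyone who asks within the same second, and the seed's entropy is only log2 of the number of seed values that are actually possible. The secrets module draws from the OS CSPRNG instead. Function names and the 86400-second window are this example's own choices.

```python
import math
import random
import secrets


def prng_stream(seed, nbits=64):
    """Output of Python's Mersenne Twister for a given seed. The seed fully
    determines the generator state, so equal seeds give equal bit streams."""
    rng = random.Random(seed)           # PRNG: deterministic, not a CSPRNG
    return format(rng.getrandbits(nbits), "0%db" % nbits)


def csprng_stream(nbits=64):
    """Bits from the OS entropy pool: there is no application-visible seed."""
    return format(secrets.randbits(nbits), "0%db" % nbits)


def weak_token_from_clock(timestamp_seconds):
    """CWE-332 pattern: a session token from a PRNG seeded with the system clock
    at second granularity. Every caller in the same second gets the same token."""
    rng = random.Random(int(timestamp_seconds))
    return rng.getrandbits(128).to_bytes(16, "big").hex()


def seed_entropy_bits(candidate_seeds):
    """Entropy of a seed drawn uniformly from `candidate_seeds` possibilities.
    A clock second within a known day gives log2(86400), about 16.4 bits, for a
    token that looks like 128 bits."""
    return math.log2(candidate_seeds)


def strong_token():
    """Same purpose, CSPRNG-backed: 128 bits of entropy per token."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed timestamps: two requests 0.7 s apart in the same clock second.
    print(prng_stream(123456) == prng_stream(123456))                          # True
    print(weak_token_from_clock(1700000000.2) == weak_token_from_clock(1700000000.9))  # True
    print(round(seed_entropy_bits(86400), 1))                                  # 16.4
    print(strong_token() != strong_token())                                    # True
```

The check worth automating in review is the seed source: anything an attacker can observe or bound (clock, PID, a request parameter) should fail review for any value that is later used as a secret, independently of how long the resulting token looks.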
  26. Categories of flaws related to:
     • Seeds and entropy sources
     • Password management and key derivation functions
       – Password Management: Lack of Key Derivation Function
     • Cryptographic hashes and password-based encryption
     • Digital signatures
     • Encryption
     • Key management
  27. KDF in a nutshell
     [Diagram: Password, Salt, Iteration count and Key length feed a Pseudo-random function, whose output is the Derived key]
  28. Password storage evolution
     • Clear passwords: completely insecure
     • Hashed passwords: vulnerable to dictionary attacks (rainbow tables)
     • Hashed salted passwords: still brute-forceable with modern HW
     • Derived functions: computationally expensive
  29. Estimated cost of hardware to crack a password in 1 year
     KDF              6 letters  8 letters  8 chars   10 chars   40-char text  80-char text
     DES CRYPT        < $1       < $1       < $1      < $1       < $1          < $1
     MD5              < $1       < $1       < $1      $1.1k      $1            $1.5T
     MD5 CRYPT        < $1       < $1       $130      $1.1M      $1.4k         $1.5 x 10^15
     PBKDF2 (100 ms)  < $1       < $1       $18k      $160M      $200k         $2.2 x 10^17
     bcrypt (95 ms)   < $1       $4         $130k     $1.2B      $1.5M         $48B
     scrypt (64 ms)   < $1       $150       $4.8M     $43B       $52M          $6 x 10^19
     PBKDF2 (5.0 s)   < $1       $29        $920k     $8.3B      $10M          $11 x 10^18
     bcrypt (3.0 s)   < $1       $130       $4.3M     $39B       $47M          $1.5T
     scrypt (3.8 s)   $900       $610k      $19B      $175T      $210B         $2.3 x 10^23
     Source: https://www.tarsnap.com/scrypt/scrypt.pdf
  30. Categories of flaws related to:
     • Seeds and entropy sources
     • Password management and key derivation functions
     • Cryptographic hashes and password-based encryption
       – Weak Cryptographic Hash: Hardcoded PBE Salt
       – Weak Cryptographic Hash: User-Controlled PBE Salt
       – Weak Cryptographic Hash: Insecure PBE Iteration Count
       – Weak Cryptographic Hash: User-Controlled Algorithm
       – Weak Cryptographic Hash: Predictable Salt
       – Weak Cryptographic Hash: Missing Required Step
     • Digital signatures
     • Encryption
     • Key management
  31. Example: Insecure PBE count
     • CWE-916: Use of Password Hash With Insufficient Computational Effort
     • Again: a system is as strong as its weakest link
     • Weakest links:
       – Hardcoded salt
       – Salt not unique per user
       – Predictable salt
       – Low iteration count
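As an added example (not the deck's own code) covering slides 27 to 31: a PBKDF2-HMAC-SHA256 password store using only the Python standard library, with a random per-user salt, an explicit iteration count stored alongside the hash, and a constant-time verify, followed by an audit routine that flags the weakest links slide 31 lists (low iteration count, short salt, and a salt shared across records, which is what a hardcoded or non-unique salt looks like in a database). The record format, the ITERATIONS and MIN_ITERATIONS values and the function names are this example's assumptions; the iteration count must be chosen by timing PBKDF2 on the actual server, in the spirit of the 100 ms and 5.0 s rows of slide 29.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example; calibrate ITERATIONS by timing on the
# server, not by copying a number.
ITERATIONS = 600_000
MIN_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh per-user random salt from os.urandom.
    Returns a self-describing record: algorithm$iterations$salt_hex$dk_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Re-derives with the salt and count stored in the record and compares in
    constant time, so a mismatch does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def audit_records(records, min_iterations=MIN_ITERATIONS):
    """Flags slide 31's weakest links across a set of stored records:
    low iteration count, short salt, and a salt that several users share
    (a hardcoded or otherwise non-unique salt). Returns {index: [findings]}."""
    parsed = [r.split("$") for r in records]
    users_per_salt = {}
    for i, (_, _, salt_hex, _) in enumerate(parsed):
        users_per_salt.setdefault(salt_hex, []).append(i)
    report = {}
    for i, (_, iterations, salt_hex, _) in enumerate(parsed):
        findings = []
        if int(iterations) < min_iterations:
            findings.append("low iteration count (%s)" % iterations)
        if len(salt_hex) // 2 < 8:
            findings.append("salt shorter than 8 bytes")
        if len(users_per_salt[salt_hex]) > 1:
            findings.append("salt not unique per user")
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    # Constructed records: two users stored with the same hardcoded salt and a
    # low count, and one stored with the defaults.
    weak_a = hash_password("hunter2", iterations=1000, salt=b"\x00" * 16)
    weak_b = hash_password("letmein", iterations=1000, salt=b"\x00" * 16)
    good = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", good))   # True
    print(audit_records([weak_a, weak_b, good]))                    # findings for 0 and 1 only
```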
  32. Now think what this can do …
  33. Too expensive for you? Rent it. Source: https://www.cloudcracker.com/
  34. Categories of flaws related to:
     • Seeds and entropy sources
     • Password management and key derivation functions
     • Cryptographic hashes and password-based encryption
     • Digital signatures
       – Weak Cryptographic Signature: Insufficient Key Size
       – Weak Cryptographic Signature: User-Controlled Key Size
       – Weak Cryptographic Signature: Missing Required Step
     • Encryption
     • Key management
  35. Example: Missing required step
     • CWE-325: Missing Required Cryptographic Step
     • Signing and encryption processes are implemented as a sequence of steps in certain libraries
     • Missing required steps can compromise your crypto
     • Use libraries that abstract developers from algorithm details and internal steps
     • Crypto should be straightforward for developers
  36. Categories of flaws related to:
     • Seeds and entropy sources
     • Password management and key derivation functions
     • Cryptographic hashes and password-based encryption
     • Digital signatures
     • Encryption
       – Weak Encryption: Insecure Mode of Operation
       – Weak Encryption: Stream Cipher
       – Weak Encryption: Insecure Initialization Vector
       – Weak Encryption: Missing Required Step
       – Weak Encryption: User-Controlled Key Size
     • Key management
  37. CBC mode
     [Diagram: CBC decryption; c[0], c[1], c[2] each pass through D(k,·) and are XORed with the previous ciphertext block (the IV for the first block) to give p[0], p[1], p[2]]
  38. Example: Insecure initialization vector
     • CWE-329: Not Using a Random IV with CBC Mode
     • The IV is not secret; it is sent with the ciphertext
     • IVs should be random
     • IVs should not be reused
     • IVs should not be controlled by the user
     • Insecure IVs:
       – IV = key
       – All zeros
       – Anything hardcoded
       – Default values when the initialization step is not performed
         • E.g. the PyCrypto API does not require an IV and, if none is passed, defaults it to 0: def AES(key, mode, IV=0)
       – User-controlled values
  39. IV = Key
     [Diagram: CBC decryption as on slide 37, with IV = Key]
  40. IV = Key
     [Diagram: the ciphertext blocks submitted for decryption are c[0], 0, c[0]]
  41. IV = Key
     [Diagram: the three decrypted blocks are D(k, c[0]) ^ k, D(k, 0) ^ c[0] and D(k, c[0]) ^ 0]
  42. IV = Key
     [Diagram: same as slide 41]
  43. IV = Key
     To recover the key, just XOR the first and third decrypted blocks: p’[0] ^ p’[2] = D(k, c[0]) ^ k ^ D(k, c[0]) ^ 0 = k
  44. IV = 0
     [Diagram: CBC decryption as on slide 37, with IV = 0 and ciphertext blocks c[0], c[1], c[2]]
  45. IV = 0
     [Diagram: as slide 44 with c[0] taken out of the chain]
  46. IV = 0
     [Diagram: as slide 44 with c[1] taken out of the chain; the plaintext blocks are labelled p[1], p[2], p[3]]
  47. IV = 0
     [Diagram: as slide 44 with c[2] taken out of the chain; the plaintext blocks are labelled p[2], p[3], p[4]]
  48. Example: Insecure mode of operation
     • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
     • Modes of operation:
       – ECB
         • Yep, you can see penguins in ECB mode, but there is much more to it than that
         • Byte-at-a-time ECB decryption
         • Cut-and-paste attack
       – CTR (stream mode)
         • Stream ciphers are OK for communication, but not good for storage. If you use the same section of the key stream twice, you have zero security. As long as there is a fresh IV and you are not reading/writing to/from the same file, you are OK.
       – CBC
         • Bit-flipping attacks
         • Padding oracles
  49. Bit flip attacks
     [Diagram: CBC decryption as on slide 37]
  50. Bit flip attacks
     [Diagram: as slide 49, with c[1] replaced by an attacker-supplied byte]
  51. Bit flip attacks
     [Diagram: as slide 50; the decrypted blocks are now p[0], Garbage, p[2]]
  52. Bit flip attacks
     [Diagram: as slide 51; the third decrypted block is labelled “Attacker controlled”]
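An added example, not the deck's own code, that runs the CBC behaviour of slides 36 to 52 end to end in Python. The block cipher inside it is a constructed 4-round Feistel network with an HMAC-SHA256 round function, used only so the example needs no third-party library; it is not a real cipher, but CBC chains any 16-byte block cipher the same way, so what the example shows is a property of the mode, not of the toy primitive. It demonstrates three things: a caller who skips the IV and gets all zeros (the default-value case of slide 38) produces identical ciphertexts for identical messages; changing one byte of c[i-1] flips the same bits of p[i] and turns p[i-1] into garbage, exactly as slides 50 to 52 draw it, and the receiver cannot tell; and an encrypt-then-MAC wrapper with a fresh random IV, which verifies the tag in constant time before any padding is examined, rejects the same change. All function names are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 128-bit block cipher, constructed for this example only (NOT a real cipher).
def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    """c[i] = E(k, p[i] ⊕ c[i-1]), with c[-1] = IV; returns IV || ciphertext."""
    data, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key, blob):
    """p[i] = D(k, c[i]) ⊕ c[i-1]: each plaintext block depends on two ciphertext blocks."""
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, c), prev)
        prev = c
    return pkcs7_unpad(out)


def encrypt_no_mac(key, plaintext, iv=None):
    """Insecure Initialization Vector: a caller who omits the IV silently gets all
    zeros, so equal plaintexts give equal ciphertexts and the IV is reused."""
    return cbc_encrypt(key, bytes(BLOCK) if iv is None else iv, plaintext)


def flip_byte(blob, index, mask):
    """The attacker-supplied byte of slides 50-52: one byte of the ciphertext is
    changed; with no MAC the receiver decrypts it without complaint."""
    b = bytearray(blob)
    b[index] ^= mask
    return bytes(b)


def encrypt_then_mac(enc_key, mac_key, plaintext):
    """Fresh random IV, then an HMAC over IV || ciphertext (encrypt-then-MAC)."""
    blob = cbc_encrypt(enc_key, os.urandom(BLOCK), plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def decrypt_then_mac(enc_key, mac_key, sealed):
    """Verifies the tag in constant time before decryption, so no padding or
    plaintext is ever examined for a modified ciphertext."""
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return cbc_decrypt(enc_key, body)


if __name__ == "__main__":
    key, mac_key = b"k" * 16, b"m" * 16                 # constructed keys
    pt = b"block zero......" + b"block one......."      # two exact blocks
    print(encrypt_no_mac(key, pt) == encrypt_no_mac(key, pt))          # True: zero IV reused
    tampered = flip_byte(encrypt_no_mac(key, pt), BLOCK, 0x01)         # byte 0 of c[0]
    print(cbc_decrypt(key, tampered)[16:])                             # b"clock one......."
    sealed = encrypt_then_mac(key, mac_key, pt)
    try:
        decrypt_then_mac(key, mac_key, flip_byte(sealed, BLOCK, 0x01))
    except ValueError as e:
        print(e)                                                       # authentication failed
```

The ordering in decrypt_then_mac is the practical answer to both the bit-flip slides and the padding-oracle picture of slide 9: once a modified ciphertext is rejected before any padding check, there is no padding error for a remote party to observe, and the malleability of CBC stops mattering for integrity.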
  53. Categories of flaws related to:
     • Seeds and entropy sources
     • Password management and key derivation functions
     • Cryptographic hashes and password-based encryption
     • Digital signatures
     • Encryption
     • Key management
       – Key Management: Hardcoded HMAC Key
       – Key Management: Empty HMAC Key
       – Key Management: Null HMAC Key
       – Key Management: Hardcoded PBE Password
       – Key Management: Empty PBE Password
       – Key Management: Null PBE Password
       – Key Management: Unencrypted Private Key
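For the HMAC key items on slide 53, an added example (not from the deck) in Python: the standard library's hmac module computes a tag over an empty key without any error, and a None key only fails with a generic TypeError deep inside the call, so the empty, null and too-short cases have to be rejected by an explicit guard at the point where the key enters. MIN_KEY_LEN (the SHA-256 output size) and the function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets

MIN_KEY_LEN = 32   # assumption: at least the hash output size for HMAC-SHA256


def new_hmac_key():
    """Keys come from the CSPRNG and are stored outside the code, never hardcoded."""
    return secrets.token_bytes(MIN_KEY_LEN)


def check_hmac_key(key):
    """Rejects the Null / Empty / weak HMAC key cases before any tag is computed."""
    if key is None:
        raise ValueError("null HMAC key")
    if len(key) == 0:
        raise ValueError("empty HMAC key")
    if len(key) < MIN_KEY_LEN:
        raise ValueError("HMAC key shorter than %d bytes" % MIN_KEY_LEN)
    return key


def tag(key, message):
    return hmac.new(check_hmac_key(key), message, hashlib.sha256).digest()


def verify(key, message, mac):
    return hmac.compare_digest(tag(key, message), mac)   # constant-time comparison


def stdlib_accepts_empty_key():
    """The failure mode being guarded against: hmac itself raises nothing for b''."""
    return len(hmac.new(b"", b"constructed message", hashlib.sha256).digest()) == 32


if __name__ == "__main__":
    k = new_hmac_key()
    t = tag(k, b"constructed message")
    print(verify(k, b"constructed message", t))      # True
    print(stdlib_accepts_empty_key())                # True: no error without the guard
```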
  54. What to do?
  55. Crypto manifesto: 2009 and 2015
  56. HP Fortify SCA categories
     17 existing categories across 13 languages:
     • Insecure SSL: Server Identity Verification Disabled
     • Insecure SSL: Android Customized Implementation
     • Insecure SSL: Android Hostname Verification Disabled
     • Insecure SSL: Android Socket
     • Insecure Storage: Insufficient Data Protection
     • Insecure Storage: Lacking Data Protection
     • Insecure Transport: Weak SSL Protocol
     • Insecure Randomness
     • Password Management: Weak Cryptography
     • Key Management: Empty Encryption Key
     • Key Management: Hardcoded Encryption Key
     • Key Management: Null Encryption Key
     • Weak Cryptographic Hash: Hardcoded Salt
     • Weak Cryptographic Hash: User-Controlled Salt
     • Weak Encryption: Weak Encryption
     • Weak Encryption: Inadequate RSA Padding
     • Weak Encryption: Insufficient Key Size
     25 new categories across 14 languages:
     • Insecure Randomness: Hardcoded Seed
     • Insecure Randomness: User-Controlled Seed
     • Insecure Randomness: Weak Entropy Source
     • Password Management: Lack of Key Derivation Function
     • Weak Cryptographic Hash: Hardcoded PBE Salt
     • Weak Cryptographic Hash: User-Controlled PBE Salt
     • Weak Cryptographic Hash: Insecure PBE Iteration Count
     • Weak Cryptographic Hash: User-Controlled Algorithm
     • Weak Cryptographic Hash: Predictable Salt
     • Weak Cryptographic Hash: Missing Required Step
     • Weak Cryptographic Signature: Insufficient Key Size
     • Weak Cryptographic Signature: User-Controlled Key Size
     • Weak Cryptographic Signature: Missing Required Step
     • Weak Encryption: Insecure Mode of Operation
     • Weak Encryption: Stream Cipher
     • Weak Encryption: Insecure Initialization Vector
     • Weak Encryption: Missing Required Step
     • Weak Encryption: User-Controlled Key Size
     • Key Management: Hardcoded HMAC Key
     • Key Management: Empty HMAC Key
     • Key Management: Null HMAC Key
     • Key Management: Hardcoded PBE Password
     • Key Management: Empty PBE Password
     • Key Management: Null PBE Password
     • Key Management: Unencrypted Private Key
  57. HP Fortify WebInspect categories (8 categories that cover 17 checks)
     • Insecure Transport
     • Insecure Transport: Channel Mixing
     • Insecure Transport: Inadequate SSL Policy Enforcement
     • Insecure Transport: OAuth Communication Channel
     • Insecure Transport: Mail Transmission
     • Insecure Transport: Secure Section Access Not SSL-Enabled
     • Insecure Transport: Weak SSL Cipher
     • Insecure Transport: Weak SSL Protocol
  58. Food for thought
  59. Some concluding thoughts
     • Trusting “lower layers” to “do the right thing” is not always a valid assumption
     • What are possible approaches to dealing with such risk?
     • Open-source vs. proprietary crypto
  60. Please give us your feedback
     Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
     Session B4005. Speakers: Alvaro Munoz and Yekaterina O’Neil.