Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crypto manifesto 2015

Alvaro
March 22, 2016
Research
2
300

Crypto manifesto 2015

Alvaro

March 22, 2016
Tweet

More Decks by Alvaro

See All by Alvaro
.NET Serialization: Detecting and defending vulnerable endpoints
pwntester
0
4.7k
JVM Deserialization Attacks: Separating the Truth from the Hype
pwntester
0
690
Attacking .NET Serialization
pwntester
6
31k
Friday the 13th: JSON Attacks
pwntester
0
8.1k
Friday the 13th: JSON Attacks
pwntester
0
310
Friday the 13th: JSON Attacks
pwntester
0
170
Surviving the Java Deserialization Apocalypse
pwntester
0
6.4k
A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
pwntester
0
630
Seguridad en las aplicaciones Android
pwntester
0
95

Other Decks in Research

See All in Research
精度を無視しない推薦多様化の評価指標
kuri8ive
1
240
20240820: Minimum Bayes Risk Decoding for High-Quality Text Generation Beyond High-Probability Text
de9uch1
0
120
MIRU2024_招待講演_RALF_in_CVPR2024
udonda
1
330
3次元点群の分類における評価指標について
kentaitakura
0
410
Isotropy, Clusters, and Classifiers
hpprc
3
630
工学としてのSRE再訪 / Revisiting SRE as Engineering
yuukit
19
11k
渋谷Well-beingアンケート調査結果
shibuyasmartcityassociation
0
260
Active Adaptive Experimental Design for Treatment Effect Estimation with Covariate Choices
masakat0
0
220
Large Vision Language Model (LVLM) に関する最新知見まとめ (Part 1)
onely7
18
3.2k
授業評価アンケートのテキストマイニング
langstat
1
360
129 2 th
0325
0
240
湯村研究室の紹介2024 / yumulab2024
yumulab
0
280

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
GraphQLとの向き合い方2022年版
quramy
43
13k
What's in a price? How to price your products and services
michaelherold
243
12k
Code Reviewing Like a Champion
maltzj
520
39k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Making Projects Easy
brettharned
115
5.9k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Designing for humans not robots
tammielis
250
25k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k

Transcript

  1. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  2. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Crypto manifesto 2015 Alvaro Munoz, Principal Security Researcher Yekaterina O’Neil, Principal Security Researcher #HPProtect

  3. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Agenda • Why now? • Common misuses • What to do? • Food for thought

  4. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. A few terms • Entropy • Pseudo-random number generator (PRNG) • Hash function • Password-based key derivation function (PBKDF) • Asymmetric encryption • Symmetric encryption • Password-based encryption (PBE) • Mode of operation • Padding • Digital signature • Protocol • Ciphersuite

  5. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Why now? High-profile vulnerabilities

  6. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  7. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Attacks on SSL 2011 2012 2013 2014 2015 September BEAST September POODLE September CRIME August BREACH April Heartbleed March FREAK May Logjam

  8. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Common themes • Attacks on SSL and TLS • Require man-in-the-middle • Exploit protocols that use cryptography known to be broken for many years – Export ciphers – RC4 stream cipher – Block ciphers in CBC mode • Exploit protocols’ backwards compatibility with broken versions for interoperability with legacy systems • Result in ability to extract plaintext from encrypted sessions

  9. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. POODLE • POODLE = Padding Oracle on Downgraded Legacy Encryption • CVE-2014-3566 • September 2014 • SSL 3.0 uses: – RC4 stream cipher or a block cipher in – CBC mode with – Non-deterministic padding – Not covered by Message Authentication Code (MAC) à integrity of padding cannot be fully verified at decryption • Allows to steal “secure” HTTP cookies or HTTP Authorization header contents using BEAST techniques • On average, requires 256 SSL 3.0 requests in order to reveal one byte of encrypted message

  10. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. POODLE in action Server Browser Attacker TLS 1.2 TLS 1.1 TLS 1.0 SSL 3.0

  11. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Padding Oracle attack in action Attacker Server Pi = D(Ci ) Ci-1 Padding Cn = xxxxxxxxxxxxxxxx15 We want to know Pi [15] Attacker replaces Cn with Ci Fail? Yes No D(Ci )[15] Cn-1 [15] = 15 Pi [15] = 15 Cn-1 [15] Ci-1 [15]

  12. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Why now? Evolution of standards

  13. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Standards • Elaine Barker and Allen Roginsky. “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths”. NIST Special Publication 800-131A, 2011. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf • Payment Card Industry (PCI) Data Security Standard (DSS). “Requirements and Security Assessment Procedures”. Version 3.0, November 2013. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf • Payment Card Industry (PCI) Data Security Standard (DSS). “Requirements and Security Assessment Procedures”. Version 3.1, April 2015. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

  14. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A Encryption transitions

  15. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A Encryption transitions cont.

  16. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A Digital signatures generation transitions

  17. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A Digital signatures verification transitions

  18. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A Random number generation transitions

  19. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A RSA-based key length transitions

  20. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. NIST SP 800-131A Hash function transitions

  21. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. PCI DSS Version 3.0 Version 3.1

  22. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Common misuses

  23. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources • Password management and key derivation functions • Cryptographic hashes and password-based encryption • Digital signatures • Encryption • Key management

  24. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources – Insecure Randomness: Hardcoded seed – Insecure Randomness: User-controlled seed – Insecure Randomness: Weak entropy source • Password management and key derivation functions • Cryptographic hashes and password-based encryption • Digital signatures • Encryption • Key management

  25. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 25 CSPRNG PRNG 12345601110110111001001000101011101010010101010100010010 100010110101111110010101010101010000101010101010101110 12345601110110111001001000101011101010010101010100010010 100010110101111110010101010101010000101010101010101110

  26. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 26 CSPRNG PRNG 12345611111000101000001111100011101010100001111010101111 010101011000001010101000010010010010010101010100001010 12345601110110111001001000101011101010010101010100010010 100010110101111110010101010101010000101010101010101110

  27. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Example: Weak entropy source • CWE-332: Insufficient Entropy in PRNG • A PRNG is as strong as its entropy • Low entropy means seed is predictable • If seed is predictable, PRNG internal state will also be and so the generated sequence • Weak entropy sources: – Non-hardware sources of randomness • System clock • System/input/output buffers • User/system/hardware/network serial numbers or addresses and timing • User controlled input • PIDs

  28. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  29. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  30. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources • Password management and key derivation functions – Password Management: Lack of Key Derivation Function • Cryptographic hashes and password-based encryption • Digital signatures • Encryption • Key management

  31. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. KDF in a nutshell Derived key Salt Password Key length Pseudo random function Iteration count

  32. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Password storage evolution • Completely insecure Clear passwords • Vulnerable to dictionary attacks (rainbow tables) Hashed passwords • Still brute-forceable with modern HW Hashed salted passwords • Computationally expensive Derived functions 32

  33. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Estimated cost of hardware to crack a password in 1 year KDF 6 letters 8 letters 8 chars 10 chars 40-char text 80-char text DES CRYPT < $1 < $1 < $1 < $1 < $1 < $1 MD5 < $1 < $1 < $1 $1.1k $1 $1.5T MD5 CRYPT < $1 < $1 $130 $1.1M $1.4k $1.5 x 10^15 PBKDF2 (100 ms) < $1 < $1 $18k $160M $200k $2.2 x 10^17 bcrypt (95 ms) < $1 $4 $130k $1.2B $1.5M $48B scrypt (64 ms) < $1 $150 $4.8M $43B $52M $6 x 10^19 PBKDF2 (5.0 s) < $1 $29 $920k $8.3B $10M $11 x 10^18 bcrypt (3.0 s) < $1 $130 $4.3M $39B $47M $1.5T scrypt (3.8 s) $900 $610k $19B $175T $210B $2.3 x 10^23 33 Source: https://www.tarsnap.com/scrypt/scrypt.pdf

  34. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources • Password management and key derivation functions • Cryptographic hashes and password-based encryption – Weak Cryptographic Hash: Hardcoded PBE Salt – Weak Cryptographic Hash: User-Controlled PBE Salt – Weak Cryptographic Hash: Insecure PBE Iteration Count – Weak Cryptographic Hash: User-Controlled Algorithm – Weak Cryptographic Hash: Predictable Salt – Weak Cryptographic Hash: Missing Required Step • Digital signatures • Encryption • Key management

  35. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Example: Insecure PBE count • CWE-916: Use of Password Hash With Insufficient Computational Effort • Again: a system is as strong as its weakest link • Weakest links: – Hardcoded salt – Not unique-per-user salt – Predictable salt – Low iteration count

  36. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  37. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  38. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Now think what this can do …

  39. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Too expensive for you? Rent it Source: https://www.cloudcracker.com/

  40. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources • Password management and key derivation functions • Cryptographic hashes and password-based encryption • Digital signatures – Weak Cryptographic Signature: Insufficient Key Size – Weak Cryptographic Signature: User-Controlled Key Size – Weak Cryptographic Signature: Missing Required Step • Encryption • Key management

  41. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Example: Missing required step • CWE-325: Missing Required Cryptographic Step • Signing and encryption processes are implemented as s sequence of steps in certain libraries • Missing required steps can compromise your crypto • Use libraries that abstract developers from algorithm details and internal steps • Crypto should be straight forward for developers

  42. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice.

  43. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources • Password management and key derivation functions • Cryptographic hashes and password-based encryption • Digital signatures • Encryption – Weak Encryption: Insecure Mode of Operation – Weak Encryption: Stream Cipher – Weak Encryption: Insecure Initialization Vector – Weak Encryption: Missing Required Step – Weak Encryption: User-Controlled Key Size • Key management

  44. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 44 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ c[0] c[1] c[2] IV D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ CBC mode

  45. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Example: Insecure initializationvector • CWE-329: Not Using a Random IV with CBC Mode • IV is not secret, its sent with ciphertext • IVs should be random • IVs should not be reused • IVs should not be controlled by user • Insecure IVs: – IV = key – All zeros – Anything hardcoded – Default values when initialization step is not performed • Eg: PyCryptoAPI does not require an IV and if not passed, it defaults to 0. – def AES ( key , mode , IV = 0) – User controlled values

  46. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 46 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ c[0] c[1] c[2] IV=Key D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = Key

  47. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 47 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ c[0] 0 c[0] IV=Key D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = Key

  48. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 48 D(k,⋅) D(k,⋅) D(k, c[0]) ^ k D(k, 0) ^ c[0] D(k, c[0]) ^ 0 ⊕ ⊕ D(k,⋅) ⊕ c[0] 0 c[0] IV=Key D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = Key

  49. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 49 D(k,⋅) D(k,⋅) D(k, c[0]) ^ k D(k, c[0]) ^ 0 ⊕ ⊕ D(k,⋅) ⊕ c[0] 0 c[0] IV=Key D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = Key D(k, 0) ^ c[0]

  50. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. D(k, 0) ^ c[0] 50 D(k,⋅) D(k,⋅) D(k, c[0]) ^ k D(k, c[0]) ^ 0 ⊕ ⊕ D(k,⋅) ⊕ c[0] 0 c[0] IV=Key D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = Key To recover the key, just XOR the first and third unencrypted bytes: p’[0] ^ p’[2] = D(k, c[0]) ^ k ^ D(k, c[0]) ^ 0 = k

  51. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 51 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ c[0] c[1] c[2] IV=0 D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = 0

  52. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 52 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ c[1] c[2] IV=0 D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = 0 c[0]

  53. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 53 D(k,⋅) D(k,⋅) p[1] p[2] p[3] ⊕ ⊕ D(k,⋅) ⊕ c[1] c[2] IV=0 D(k,⋅) p[1] p[2] p[3] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = 0 c[1]

  54. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 54 D(k,⋅) D(k,⋅) p[2] p[3] p[4] ⊕ ⊕ D(k,⋅) ⊕ c[3] c[4] IV=0 D(k,⋅) p[2] p[3] p[4] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = 0 c[2]

  55. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Example: Insecure mode of operation • CWE-327: Use of a Broken or Risky Cryptographic Algorithm • Modes of Operation: – ECB • Yep, you can see penguins in ECB mode, but there is much more than that – Byte-at-a-time ECB decryption – Cut-and-paste attack – CTR (Stream mode) • Stream ciphers are ok for communication, but not good for storage. If you use the same section of stream cipher twice, you have 0 security. As long as there is a fresh IV and you're not reading/writing to/from same file, you're ok. – CBC • Bit Flipping Attacks • Padding Oracles

  56. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 56 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ c[0] c[1] c[2] IV D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ Bit flip attacks

  57. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 57 D(k,⋅) D(k,⋅) p[0] p[1] p[2] ⊕ ⊕ D(k,⋅) ⊕ Attacker supplied byte IV D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ Bit flip attacks c[0] c[2]

  58. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 58 D(k,⋅) D(k,⋅) p[0] Garbage p[2] ⊕ ⊕ D(k,⋅) ⊕ Attacker supplied byte IV D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ Bit flip attacks c[0] c[2]

  59. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Attacker controlled 59 D(k,⋅) D(k,⋅) p[0] Garbage ⊕ ⊕ D(k,⋅) ⊕ Attacker supplied IV D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ Bit flip attacks c[0] c[2]

  60. Demo: Bit flipping attack on AES-CBC encrypted cookies

  61. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Categories of flaws related to: • Seeds and entropy sources • Password management and key derivation functions • Cryptographic hashes and password-based encryption • Digital signatures • Encryption • Key management – Key Management: Hardcoded HMAC Key – Key Management: Empty HMAC Key – Key Management: Null HMAC Key – Key Management: Hardcoded PBE Password – Key Management: Empty PBE Password – Key Management: Null PBE Password – Key Management: Unencrypted Private Key

  62. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. What to do?

  63. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Crypto manifesto 2009 2015

  64. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. HP Fortify SCA categories • Insecure SSL: Server Identity Verification Disabled • Insecure SSL: Android Customized Implementation • Insecure SSL: Android Hostname Verification Disabled • Insecure SSL: Android Socket • Insecure Storage: Insufficient Data Protection • Insecure Storage: Lacking Data Protection • Insecure Transport: Weak SSL Protocol • Insecure Randomness • Password Management: Weak Cryptography • Key Management: Empty Encryption Key • Key Management: Hardcoded Encryption Key • Key Management: Null Encryption Key • Weak Cryptographic Hash: Hardcoded Salt • Weak Cryptographic Hash: User-Controlled Salt • Weak Encryption: Weak Encryption • Weak Encryption: Inadequate RSA Padding • Weak Encryption: Insufficient Key Size • Insecure Randomness: Hardcoded Seed • Insecure Randomness: User-Controlled Seed • Insecure Randomness: Weak Entropy Source • Password Management: Lack of Key Derivation Function • Weak Cryptographic Hash: Hardcoded PBE Salt • Weak Cryptographic Hash: User-Controlled PBE Salt • Weak Cryptographic Hash: Insecure PBE Iteration Count • Weak Cryptographic Hash: User-Controlled Algorithm • Weak Cryptographic Hash: Predictable Salt • Weak Cryptographic Hash: Missing Required Step • Weak Cryptographic Signature: Insufficient Key Size • Weak Cryptographic Signature: User-Controlled Key Size • Weak Cryptographic Signature: Missing Required Step • Weak Encryption: Insecure Mode of Operation • Weak Encryption: Stream Cipher • Weak Encryption: Insecure Initialization Vector • Weak Encryption: Missing Required Step • Weak Encryption: User-Controlled Key Size • Key Management: Hardcoded HMAC Key • Key Management: Empty HMAC Key • Key Management: Null HMAC Key • Key Management: Hardcoded PBE Password • Key Management: Empty PBE Password • Key Management: Null PBE Password • Key Management: Unencrypted Private Key 17 existing categories across 13 languages 25 new categories across 14 languages

  65. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. HP Fortify WebInspect categories • Insecure Transport • Insecure Transport: Channel Mixing • Insecure Transport: Inadequate SSL Policy Enforcement • Insecure Transport: OAuth Communication Channel • Insecure Transport: Mail Transmission • Insecure Transport: Secure Section Access Not SSL-Enabled • Insecure Transport: Weak SSL Cipher • Insecure transport: Wek SSL Protocol 8 categories that cover 17 checks

  66. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Food for thought

  67. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Some concluding thoughts • Trusting “lower layers” to “do the right thing” is not always a valid assumption • What are possible approaches to dealing with such risk? • Open-source vs. proprietary crypto

  68. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Q&A

  69. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Please give us your feedback Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events. Session B4005 Speakers Alvaro Munoz and Yekaterina O’Neil © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

  70. © Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Thank you [email protected] [email protected]