Crypto 101
@lvh
POST /quantum HTTP/1.1
Lightning Talk Version
In motion: TLS
At rest: GPG
(Py)NaCl, KeyCzar, cryptlib
If you are typing the letters A-E-S into your code, you’re doing it wrong.
DES: extra wrong
MD5, SHA: maybe wrong
Why stay?
Recognizing wrong stuff still matters
Understanding stuff still matters
xor
1 ^ 0 == 1
0 ^ 1 == 1
1 ^ 1 == 0
0 ^ 0 == 0
Invert? Input → Output
Invert: yes (1), Input: 1, Output: 0
Invert: no (0), Input: 1, Output: 1
One-time Pad
111001010101011010101000001111010100101010101010...
OTP: crypto → XWCVPR
Perfect secrecy
0 ^ 1 == 1
1 ^ 0 == 1
(a ciphertext bit of 1 is equally consistent with a plaintext 0 and a plaintext 1)
Victory!
len(one_time_pad)
== len(all_data_ever)
== very_big_number
Exchange?
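The xor truth table and the one-time pad slides above, carried through as an added example (not part of the talk): a pad as long as the data, used once, gives perfect secrecy, which means any other message of the same length is an equally valid decryption; reusing the pad leaks the XOR of the two messages. The message bytes and the decoy are constructed sample input.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, the '^' from the truth table applied to whole strings."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(pad, plaintext)


def otp_decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse: (p ^ k) ^ k == p
    return xor_bytes(pad, ciphertext)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy: for ANY candidate plaintext of the right length there is a
    pad under which the ciphertext decrypts to it, so the ciphertext alone carries
    no information about which plaintext was sent."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reuse the pad once and the attacker gets p1 ^ p2: the pad cancels out."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    message = b"crypto"                  # constructed sample input
    pad = os.urandom(len(message))       # truly random, used once, as long as the data
    ct = otp_encrypt(pad, message)

    # Any other 6-byte message is just as consistent with ct as the real one.
    decoy = b"attack"
    decoy_pad = pad_explaining(ct, decoy)

    # Reusing the pad for a second message leaks the XOR of the two plaintexts.
    ct2 = otp_encrypt(pad, decoy)
    return {
        "roundtrip": otp_decrypt(pad, ct) == message,
        "decoy_consistent": otp_encrypt(decoy_pad, decoy) == ct,
        "reuse_leak": two_time_pad_leak(ct, ct2) == xor_bytes(message, decoy),
        "pad_bytes_needed": len(pad),    # == len(all data ever sent): the OTP's fatal cost
    }
```

The last field is the point of the `len(one_time_pad) == len(all_data_ever)` slide: the pad is as large as everything you will ever send, and it has to reach the other side first.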
Ciphers
Block Ciphers
Block cipher: key + plaintext (fixed size) → ciphertext (same fixed size)
abc → XYZ
P → C
Random permutation
000 → 001, 001 → 010, 010 → 111, 011 → 000, 100 → 110, 101 → 011, 110 → 100, 111 → 101
x, C(k, x) vs y, C(k, y)
AES
Blowfish/Twofish
DES/3DES
“Hello”
with open("x.jpg") as f:
    send(f, you)
Block Cipher
len(message) > block_size
aes.block_size == 128 bits (16 bytes)
Stream Ciphers
Native stream ciphers
RC4
Salsa20, ChaCha20
Implemented as a construction with block ciphers
[ECB diagram: plaintext a b c … w plus padding, each block through C_k independently → ciphertext K E G A S V T P C F D R U W B O J N M H X Q I L]
ECB
plaintext chunk → ciphertext chunk
Replay Attacks
Block Cipher Modes of Operation
ECB, (P)CBC, CFB, OFB, CTR
CBC
Most common in the wild
BEAST
CTR
{nonce}{count:08d}
Nonce    Count
D5013202 00000000
D5013202 00000001
D5013202 00000002
...
C_k(D501320200000000), C_k(D501320200000001), ... → D1DC4D1FE3679212, 0FD25C7B1CF46485, ...
D1DC4D1FE3679212 0FD25C7B1CF46485 ...
Keystream
Pseudo-OTP
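The ECB and CTR slides above, as an added example that is not from the talk. It uses a toy 64-bit block cipher (a 4-round Feistel network with HMAC-SHA256 as the round function, an assumption made so the block runs without any third-party AES library; the structure of the modes is the same as with AES) to show three things: ECB leaks which plaintext blocks repeat, ECB ciphertext blocks can be cut and pasted without the key (the replay attack slide), and a CTR "pseudo-OTP" is malleable: XORing a difference into the ciphertext XORs it into the plaintext. The ledger records and amounts are constructed sample input.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8          # toy block size in bytes (AES: 16); half-blocks are 4 bytes
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: a keyed PRF (HMAC-SHA256) of (round index, half block).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit block cipher (4-round Feistel). Plays the role AES plays in the
    slides: a keyed permutation of one fixed-size block, nothing more."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block independently. Padding is left out; inputs are block-aligned."""
    assert len(plaintext) % BLOCK == 0
    return b"".join(block_encrypt(key, plaintext[i : i + BLOCK]) for i in range(0, len(plaintext), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    assert len(ciphertext) % BLOCK == 0
    return b"".join(block_decrypt(key, ciphertext[i : i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """CTR keystream: block i = C_k(nonce || counter), the D5013202 00000000... scheme."""
    assert len(nonce) == BLOCK // 2
    return b"".join(block_encrypt(key, nonce + struct.pack(">I", i)) for i in range(nblocks))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream (a pseudo-OTP)."""
    stream = ctr_keystream(key, nonce, (len(data) + BLOCK - 1) // BLOCK)
    return _xor(data, stream[: len(data)])


def ecb_pattern_leak(key: bytes) -> bool:
    # Identical plaintext blocks give identical ciphertext blocks: structure shows through.
    ct = ecb_encrypt(key, b"ATTACK!!" * 3 + b"RETREAT!")
    return ct[0:8] == ct[8:16] == ct[16:24] != ct[24:32]


def ecb_block_replay(key: bytes) -> bytes:
    # Cut-and-paste: swap two ciphertext blocks without the key; the result still decrypts.
    ct = ecb_encrypt(key, b"BOB:0010EVE:0001")   # constructed two-record "ledger"
    swapped = ct[8:16] + ct[0:8]
    return ecb_decrypt(key, swapped)              # b"EVE:0001BOB:0010"


def ctr_bit_flip(key: bytes) -> bytes:
    # Malleability: XORing a difference into the ciphertext XORs it into the plaintext.
    nonce = os.urandom(BLOCK // 2)
    plaintext = b"amount=0010"
    ct = ctr_crypt(key, nonce, plaintext)
    tampered = _xor(ct, _xor(plaintext, b"amount=9999"))   # needs the old plaintext, not the key
    return ctr_crypt(key, nonce, tampered)                  # b"amount=9999"
```

None of the three attacks involves decrypting anything, which is the point of the later "Attackers don’t need to decrypt to modify" slide: a mode of operation on its own gives confidentiality at best, and the AEAD modes (GCM, EAX, OCB, ...) exist to add the missing integrity check.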
GCM, EAX, OCB, IAPM, CCM, CWC
PATENT PENDING
Key exchange?
In person?
O(n²)
Diffie-Hellman Key Exchange
[diagram: Diffie-Hellman key exchange between Me and You over the Internet]
Cease fire! → ZSTAMUTJMEFFILH → Cease fire!
Attack at dawn! → HUWKEMMQTXMR → Attack at dawn!
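The Diffie-Hellman exchange drawn above, as an added example (not the talk's own code), including the failure the next slides lead into: because nothing in plain DH authenticates the public values, an attacker sitting on the Internet between Me and You can run two exchanges and decrypt everything in the middle. The group (a Mersenne prime modulus with generator 3) is a toy chosen so the numbers are visibly prime; real systems use a standardized group or an elliptic curve, and the key-derivation step is a plain SHA-256 of the shared value, an assumption for illustration.

```python
import hashlib
import secrets

# Toy group, illustration only: real deployments use a standardized finite-field group
# (RFC 3526 / RFC 7919) or an elliptic curve, never a parameter set picked ad hoc.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Private exponent a, public value g^a mod p. Only the public value leaves the host."""
    priv = secrets.randbelow(P - 2) + 1      # 1 <= priv < P-1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Both sides compute the same value: (g^b)^a == (g^a)^b mod p."""
    return pow(peer_pub, priv, P)


def derive_key(shared: int) -> bytes:
    # Assumed KDF for the example: hash the shared value down to a 32-byte key.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def honest_exchange():
    """Me and You exchange public values over the Internet and agree on one key."""
    me_priv, me_pub = dh_keypair()
    you_priv, you_pub = dh_keypair()
    # Only me_pub and you_pub cross the wire; an eavesdropper who sees both still
    # needs a discrete logarithm to get at the shared value.
    return derive_key(dh_shared(me_priv, you_pub)), derive_key(dh_shared(you_priv, me_pub))


def mitm_exchange():
    """Unauthenticated DH: Mallory swaps her own public value into both directions,
    so Me shares a key with Mallory and You shares a different key with Mallory.
    Neither end can tell, which is why the next slides ask for authenticity."""
    me_priv, me_pub = dh_keypair()
    you_priv, you_pub = dh_keypair()
    mal_priv, mal_pub = dh_keypair()
    key_me = derive_key(dh_shared(me_priv, mal_pub))       # Me thinks mal_pub came from You
    key_you = derive_key(dh_shared(you_priv, mal_pub))     # You thinks mal_pub came from Me
    mallory_with_me = derive_key(dh_shared(mal_priv, me_pub))
    mallory_with_you = derive_key(dh_shared(mal_priv, you_pub))
    return key_me, key_you, mallory_with_me, mallory_with_you
```

`mitm_exchange` returns four keys: the first equals the third and the second equals the fourth, so Mallory can decrypt "Cease fire!" from Me, re-encrypt it (or "Attack at dawn!") for You, and nobody notices. Signing the public values, which is what TLS certificates do for the server side, is the fix.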
Authenticity
sender==expected_sender
message==expected_message
Encryption without authentication
Almost certainly wrong
Attackers don’t need to decrypt to modify
Cryptographic hash functions
Hash function: message (arbitrary size) → digest/state (fixed size)
lorem ipsum → 358d846c39
lorem python → 358d846c39 (a second message with the same digest: a collision)
That’s it.
H(x) can be used to compute H(f(x))
Extension attacks
hf = HF("hello pycon\n")
hf.update("how are you")
hf.hexdigest()
hf = HF(state=your_hash)
hf.update(my_string)
hf.hexdigest()
my_string = "\nI am not attending, because I have switched to PHP"
Payment processor
MD5(secret + amount)
$12.00: “1200”
hf = HF(state=your_hash)
hf.update("0" * 12)
hf.hexdigest()
bwall/HashPump
SHA-3 era: fixed (SHA-3, BLAKE2)
SHA-256, SHA-3 (both are fine as hash functions; SHA-256 is still length-extendable, so authenticate with HMAC rather than H(secret + msg))
BLAKE2
MAC
MAC(k, x) says nothing about MAC(k, f(x))
MAC(k, x) says nothing about MAC(k, y)
HMAC
hmac(k, hf, msg)
import hmac
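The extension attack and the HMAC fix from the slides above, worked end to end as an added example (not the talk's code). The `HF(state=your_hash)` primitive the slides assume does not exist in `hashlib`, so the block carries its own SHA-1 (the same Merkle–Damgård structure MD5 and SHA-256 share) that can be resumed from a digest; the secret, the `"1200"` amount and the `"00"` extension are constructed input, and the attacker is assumed to know or guess `len(secret)`.

```python
import hashlib
import hmac
import struct

_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(state, block: bytes):
    """One SHA-1 compression: absorb a 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(message_len: int) -> bytes:
    """The bytes SHA-1 appends to a message of message_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sha1(message: bytes, state=_IV, prior_len: int = 0) -> bytes:
    """SHA-1 of `message`, optionally resumed from `state` as if prior_len bytes
    (a multiple of 64) had already been absorbed. The digest IS the state, which is
    the whole problem: H(x) lets anyone continue hashing from where x left off."""
    data = message + sha1_padding(prior_len + len(message))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i : i + 64])
    return struct.pack(">5I", *state)


def length_extend(known_digest: bytes, known_len: int, extension: bytes):
    """From H(secret || msg) and len(secret || msg), compute H(secret || msg || glue || extension)
    without the secret. Returns (glue, forged_digest); the attacker sends msg + glue + extension."""
    glue = sha1_padding(known_len)
    state = struct.unpack(">5I", known_digest)
    return glue, sha1(extension, state=state, prior_len=known_len + len(glue))


def demo() -> dict:
    secret = b"s3cr3t-key"            # constructed; never seen by the attacker
    amount = b"1200"                  # $12.00, as on the slide
    tag = sha1(secret + amount)       # the payment processor's H(secret + amount)
    glue, forged_tag = length_extend(tag, len(secret) + len(amount), b"00")
    forged_msg = amount + glue + b"00"          # server now parses the amount differently
    accepted = hmac.compare_digest(forged_tag, sha1(secret + forged_msg))

    # HMAC(k, x) says nothing about HMAC(k, f(x)): the same trick produces junk.
    hmac_tag = hmac.new(secret, amount, hashlib.sha1).digest()
    _, bogus = length_extend(hmac_tag, len(secret) + len(amount), b"00")
    hmac_accepted = hmac.compare_digest(bogus, hmac.new(secret, forged_msg, hashlib.sha1).digest())
    return {"extension_accepted": accepted, "hmac_extension_accepted": hmac_accepted}
```

The glue bytes (`0x80`, zeros, the original bit length) end up inside the message the server hashes, so the attack only works where the verifier tolerates them; with amounts parsed as decimal strings that is often the case, and HashPump automates exactly this computation for MD5, SHA-1, SHA-256 and SHA-512.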
Password storage
CHFs (plain cryptographic hash functions) are WRONG
password → 45ed8f8c31 (hash function)
Brute force?
ATI HD 5970, 2GB: 5.6e9 MD5/s, 2.3e9 SHA2/s
SHA-3?
SHA-2-256: 14 cpb, SHA-3-256: 11 cpb (Intel Ivy Bridge/Sandy Bridge)
Salts?
Dictionary attacks
KDFs should be hard to compute
bcrypt: (tunably) time-hard
scrypt: time- and space-hard
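The password-storage slides (salts, dictionary attacks, KDFs that are hard to compute) as an added example, not code from the talk. It uses PBKDF2-HMAC-SHA256 from the standard library rather than bcrypt or scrypt so it runs without extra packages; the iteration count is an assumed work factor to tune per deployment, and the wordlist and passwords are constructed input.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash. A fresh random salt per password means equal
    passwords get different records and no precomputed table serves more than one user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


def crack_unsalted(digest: bytes, wordlist):
    """Dictionary attack on a bare SHA-256 password hash: one cheap hash per guess, and
    the same guesses crack every user who chose that word because nothing is salted."""
    for word in wordlist:
        if hashlib.sha256(word.encode()).digest() == digest:
            return word
    return None


def demo(iterations: int = ITERATIONS) -> dict:
    words = ["password", "letmein", "hunter2", "correcthorse"]   # constructed wordlist
    rec_a = hash_password("hunter2", iterations)
    rec_b = hash_password("hunter2", iterations)
    return {
        "distinct_records": rec_a != rec_b,            # the salt at work
        "both_verify": verify_password("hunter2", rec_a) and verify_password("hunter2", rec_b),
        "rejects_wrong": not verify_password("hunter3", rec_a),
        "unsalted_cracked": crack_unsalted(hashlib.sha256(b"hunter2").digest(), words),
    }
```

With the GPU figures from the slide, the bare hash falls at billions of guesses per second; PBKDF2 at a few hundred thousand iterations turns each guess into a few hundred thousand HMAC calls, and scrypt adds a memory cost that GPUs cannot parallelize away.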
Sender authentication?
Public key Cryptography
Key generation
[diagram: key generation yields a key pair for me and a key pair for you]
Encryption
PKEnc(you_pub, "hello world") → BXUWDVWQEF
Decryption
PKDec(you_priv, BXUWDVWQEF) → "hello world"
Signing
Anyone can use my public key
How do I know you’re you?
Signature = PKDec(you_priv, HF(m))
PKEnc(you_pub, Signature) == HF(m)
RSA
“me” == actually me?
Chains of signatures
I don’t trust you.
But X trusts you.
And I trust X.
So I trust you.
GPG key signing
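The public-key slides (encryption, decryption, signing as PKDec over a hash, and the chain of signatures that lets me trust you because X does) carried through as one added example; this is not the talk's code. It is textbook RSA with Mersenne primes as the key material, an assumption made so the arithmetic is visible and self-contained: real RSA uses random primes of equal size and OAEP/PSS padding, and this block must not be deployed as is. The messages and the three parties are constructed.

```python
import hashlib

# Toy primes, illustration only. Real keys use random primes plus OAEP/PSS padding.
MERSENNE = {p: 2**p - 1 for p in (89, 107, 127, 521, 607, 1279)}
E = 65537


def keygen(p: int, q: int):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+
    return (n, E), (n, d)                 # (public key, private key)


def _int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def _bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def pk_encrypt(pub, message: bytes) -> int:
    """Anyone can use my public key: encrypt to me."""
    n, e = pub
    m = _int(message)
    assert 0 < m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def pk_decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    return _bytes(pow(ciphertext, d, n))


def sign(priv, message: bytes) -> int:
    """Signature = PKDec(my private key, HF(m)), as on the slide."""
    n, d = priv
    return pow(_int(hashlib.sha256(message).digest()), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Anyone holding the public key checks PKEnc(pub, Signature) == HF(m)."""
    n, e = pub
    return pow(signature, e, n) == _int(hashlib.sha256(message).digest())


def encode_pub(pub) -> bytes:
    # Bytes of a public key, so a key can itself be signed (GPG key signing).
    n, e = pub
    return _bytes(n) + e.to_bytes(4, "big")


def verify_via_chain(anchor_pub, x_sig_over_you, you_pub, message, you_sig) -> bool:
    """I don't trust You's key directly. X signed You's public key and I trust X, so:
    check X's signature over You's key, then You's signature over the message."""
    if not verify(anchor_pub, encode_pub(you_pub), x_sig_over_you):
        return False
    return verify(you_pub, message, you_sig)


def demo() -> dict:
    you_pub, you_priv = keygen(MERSENNE[127], MERSENNE[521])
    x_pub, x_priv = keygen(MERSENNE[107], MERSENNE[607])
    stranger_pub, _ = keygen(MERSENNE[89], MERSENNE[1279])

    ct = pk_encrypt(you_pub, b"hello world")
    msg = b"Cease fire!"
    sig = sign(you_priv, msg)
    x_vouches = sign(x_priv, encode_pub(you_pub))   # X key-signs You's public key
    return {
        "decrypts": pk_decrypt(you_priv, ct),
        "sig_ok": verify(you_pub, msg, sig),
        "tampered_rejected": not verify(you_pub, b"Attack at dawn!", sig),
        "chain_ok": verify_via_chain(x_pub, x_vouches, you_pub, msg, sig),
        "unvouched_rejected": not verify_via_chain(stranger_pub, x_vouches, you_pub, msg, sig),
    }
```

`verify_via_chain` is the "I trust X, X trusts you, so I trust you" slide in code: the only key I hold out of band is X's, and every other key is accepted exactly as far as a signature from X (or from someone X vouched for, if the chain is longer) reaches. A certificate authority in TLS is X with a different file format.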
SSL
TLS
version, cipher suites, ...
Key exchange method (RSA, DH, ...)
Signing algorithm (RSA, DSA, ECDSA)
Bulk encryption algorithm (AES-CBC, RC4, ...)
MAC algorithm (HMAC-{MD5, SHA2})
✓
RSAEnc(srvr_pub, random secret) → OUTDXBHXUS
OUTDXBHXUS (sent to the server)
RSADec(srvr_priv, OUTDXBHXUS) → random secret
random secret → AES key + MAC key, derived on both sides
Encrypted+Authenticated
CAs
...
valid vs trustworthy?
What if I plant a root cert?
sslbump
ICAP/eCAP
lvh/minitrue
Questions?
Timing attacks
Side-channel
Implementation, not theory
provided == password
compare length
compare byte by byte
“abc” == “xyz”
“abc” == “ayz”
“abc” == “abz”
len(alpha) ** len(pw)
X * X * X * ... (len(alpha) possibilities, len(pw) times)
k * len(alpha) * len(pw) (measurements × possibilities × characters)
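The timing attack sketched above, as an added example (not the talk's code): an early-exit `==` leaks where the first mismatching byte is, which lets an attacker recover a secret one character at a time in `len(alpha) * len(pw)` guesses instead of `len(alpha) ** len(pw)`. To keep the block deterministic and offline, the oracle reports the number of byte comparisons performed rather than wall-clock time (an assumption standing in for the `k` repeated measurements a real attacker needs to average out noise); the secret and alphabet are constructed.

```python
import string

ALPHABET = (string.ascii_lowercase + string.digits).encode()


def leaky_compare(provided: bytes, secret: bytes):
    """The naive `provided == password`: returns on the first mismatch.
    Returns (equal, work); `work` models the time an attacker would measure."""
    if len(provided) != len(secret):
        return False, 0
    work = 0
    for a, b in zip(provided, secret):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Same amount of work wherever the first difference is (what hmac.compare_digest does)."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def recover_secret(oracle, length: int):
    """Byte-by-byte recovery: at each position the guess that makes the oracle do the
    most work shares the longest prefix with the secret. Returns (guess, queries)."""
    known = b""
    queries = 0
    for pos in range(length):
        best, best_work = None, -1
        for ch in ALPHABET:
            guess = known + bytes([ch]) + b"\x00" * (length - pos - 1)
            ok, work = oracle(guess)
            queries += 1
            if ok:
                return guess, queries
            if work > best_work:
                best, best_work = ch, work
        known += bytes([best])
    return known, queries


def demo() -> dict:
    secret = b"s3cr3tpw"                     # constructed; the attacker never sees it
    leaky = lambda g: leaky_compare(g, secret)
    safe = lambda g: (constant_time_equal(g, secret), len(g))   # work never varies
    got, queries = recover_secret(leaky, len(secret))
    got_safe, _ = recover_secret(safe, len(secret))
    return {
        "leaky_recovered": got == secret,
        "queries": queries,                                   # <= len(ALPHABET) * len(secret)
        "brute_force_space": len(ALPHABET) ** len(secret),    # what the attacker avoided
        "constant_time_recovered": got_safe == secret,
    }
```

Against real code the per-byte difference is nanoseconds, so each query is repeated `k` times and averaged, and remote jitter pushes `k` up, but the arithmetic stays linear in the secret's length. Length is leaked either way here (`len(provided) != len(secret)` exits first); for MACs and tokens, compare fixed-size digests with `hmac.compare_digest`.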
More TLS
Client certificates
Ephemeral Diffie-Hellman
Elliptic Curves: ECDH/ECDSA