
Crypto 101 by Laurens Van Houtven


PyCon 2013

March 16, 2013

Transcript

  1. Crypto 101
    @lvh

  6. POST /quantum HTTP/1.1

  8. Lightning Talk Version

  9. In motion: TLS

  10. At rest: GPG

  11. (Py)NaCl
    KeyCzar
    cryptlib

  12. If you are typing the letters
    A-E-S into your code,
    you’re doing it wrong.

  13. DES: extra wrong
    MD5, SHA: maybe wrong

  14. Why stay?

  15. Recognizing wrong
    stuff still matters

  16. Understanding
    stuff still matters

  19. xor

  20. 1 ^ 0 == 1
    0 ^ 1 == 1

  21. 1 ^ 1 == 0
    0 ^ 0 == 0

  22. Invert?
    Input  Output

  23. Invert: yes (1)
    Input: 1  Output: 0

  24. Invert: no (0)
    Input: 1  Output: 1

  25. One-time Pad

  26. 1110010101010110
    1010100000111101
    0100101010101010
    ...

  27. OTP
    crypto  XWCVPR

  28. Perfect secrecy

  29. 0?
    1?  1

  30. 1?
    0?  1

  34. Victory!

  35. len(one_time_pad)

  36. == len(all_data_ever)

  37. == very_big_number

  38. Exchange?
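The one-time pad of slides 19-38, as an added Python example (not from the deck): XOR is the whole cipher, the pad must be as long as the message, and the moment a pad is reused the key cancels out and an attacker who knows one plaintext reads the other. The `xor_bytes`, `otp_*` and `recover_with_crib` names are mine, not the deck's.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this one line is the entire cipher."""
    if len(a) != len(b):
        # The deck's point: len(one_time_pad) == len(all_data_ever). No stretching allowed.
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n: int) -> bytes:
    """A fresh pad: n uniformly random bytes, used for one message and then destroyed."""
    return os.urandom(n)


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(pad, plaintext)


def otp_decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse: (p ^ k) ^ k == p, so decryption is the same operation.
    return xor_bytes(pad, ciphertext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Pad reused for two messages: c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2.
    The key is gone and the attacker never needed it."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With the pad reused and one plaintext known (or guessed), the other falls out."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)
```

Perfect secrecy holds exactly because every pad is equally likely, so every plaintext of that length is equally consistent with the ciphertext; reusing the pad is what breaks it, not the size of the alphabet.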

  39. Ciphers

  40. Block Ciphers

  41. (diagram) Block cipher: plaintext of fixed size (abc) + key → ciphertext of the same fixed size (XYZ)

  42. P → C

  43. Random permutation

  44. 000: 001
    001: 010
    010: 111
    011: 000
    100: 110
    101: 011
    110: 100
    111: 101

  45. x, C(k, x)
    vs
    y, C(k, y)

  46. P → C

  47. AES

  48. Blowfish/Twofish

  49. DES/3DES

  50. Victory!

  51. "Hello"

  52. with open("x.jpg") as f:
        send(f, you)

  53. Block Cipher

  54. len(message)
    > block_size

  55. aes.block_size == 128
    (16 bytes)

  56. Stream Ciphers

  57. Native stream ciphers

  58. RC4

  59. Salsa20
    ChaCha20

  60. Implemented as
    construction with
    block ciphers

  61. (diagram) abcdefghijklmnopqrstuvw + padding, split into blocks, each block through C_k
    → KEGASVTPCFDRUWBOJNMHXQIL

  62. ECB

  63. plaintext chunk → ciphertext chunk

  68. Replay Attacks

  71. Block Cipher
    Modes of Operation

  72. ECB, (P)CBC,
    CFB, OFB, CTR

  74. CBC

  75. Most common
    in the wild

  76. BEAST

  77. CTR

  78. {nonce}{count:08d}

  79. Nonce     Count
    D5013202  00000000
    D5013202  00000001
    D5013202  00000002
    ...

  80. (diagram) C_k(D501320200000000), C_k(D501320200000001), ...
    = D1DC4D1FE3679212, 0FD25C7B1CF46485, ...

  81. D1DC4D1FE3679212
    0FD25C7B1CF46485
    ...

  82. Keystream

  83. Pseudo-OTP
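ECB versus CTR from slides 61-83, as an added Python example that is not part of the deck. AES itself is not reimplemented; a small Feistel network with an HMAC round function stands in for the block cipher (it is a real keyed permutation, so the modes behave exactly as they would over AES, but it is a toy and not secure). Everything else is the genuine construction: PKCS#7 padding plus ECB, and CTR built from the deck's `{nonce}{count}` counter blocks. All names here are mine.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16      # 128-bit blocks, like AES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudorandom round function. A Feistel network is a permutation for any F.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def _feistel(key: bytes, block: bytes, round_order) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("a block cipher takes exactly one block")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in round_order:
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left     # undo the last swap so decryption is the same walk in reverse


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher standing in for AES: one fixed-size block in, one out."""
    return _feistel(key, block, range(ROUNDS))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block encrypted on its own, so equal plaintext blocks give equal ciphertext blocks."""
    data = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    data = b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))
    return pkcs7_unpad(data)


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Counter block = 8-byte nonce || 8-byte big-endian counter (the deck's {nonce}{count}).
    Encrypting the counter blocks yields the keystream; the plaintext never enters the cipher."""
    return b"".join(block_encrypt(key, nonce + struct.pack(">Q", i)) for i in range(nblocks))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR turns the block cipher into a stream cipher (slide 83's pseudo-OTP): XOR with the
    keystream, no padding, encrypt and decrypt are the same call. Never reuse (key, nonce):
    two messages under one keystream leak p1 ^ p2 exactly like a two-time pad."""
    if len(nonce) != BLOCK // 2:
        raise ValueError("nonce must be 8 bytes")
    ks = ctr_keystream(key, nonce, -(-len(data) // BLOCK))
    return _xor(data, ks[:len(data)])


def distinct_blocks(ciphertext: bytes) -> int:
    """The 'penguin' test: how many different ciphertext blocks does a mode produce?"""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


def demo():
    key, nonce = os.urandom(32), os.urandom(8)
    repetitive = b"A" * 48                      # three identical plaintext blocks
    ecb = ecb_encrypt(key, repetitive)          # 4 blocks: 3 identical + 1 padding block
    ctr = ctr_crypt(key, nonce, repetitive)     # 3 blocks, all different
    return distinct_blocks(ecb), distinct_blocks(ctr)
```

`demo()` returns `(2, 3)`: under ECB the three repeated plaintext blocks collapse to one ciphertext block (the structure of `x.jpg` survives encryption), under CTR they do not. CTR without a MAC is still malleable, which is where the deck goes next.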

  84. GCM, EAX, OCB,
    IAPM, CCM, CWC

  86. PATENT
    PENDING

  87. Victory!

  89. Key exchange?

  90. In person?

  92. O(n²)

  93. Diffie-Hellman
    Key Exchange

  94. (diagram slides 94-104: Diffie-Hellman key exchange between Me and You over the Internet,
    drawn as combining (+) and resulting (=) values)

  105. Victory!
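The Diffie-Hellman exchange of slides 93-105, as an added Python example (mine, not the deck's). Both parties publish only g^a and g^b and still agree on g^(ab); the second function shows why the deck's very next topic is authenticity: with nothing signed, a man in the middle simply runs two exchanges. The group parameters are assumed to be the 1024-bit MODP group from RFC 2409 as transcribed here; verify them against the RFC before use, and prefer a 2048-bit or larger group (RFC 3526) or X25519 in a real system.

```python
import hashlib
import secrets

# Assumed: RFC 2409 1024-bit MODP prime, generator 2, transcribed here (check it against the RFC).
# 1024 bits is below current recommendations; it keeps the example readable.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Private exponent a, public value A = g^a mod p. Only A ever crosses the Internet."""
    a = secrets.randbelow(P - 3) + 2
    return a, pow(G, a, P)


def dh_shared(private: int, peer_public: int) -> int:
    """peer_public^private mod p: both sides reach g^(ab) without ever sending a or b."""
    if not 1 < peer_public < P - 1:      # 0, 1 and p-1 force a predictable secret; reject them
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, private, P)


def derive_key(shared: int) -> bytes:
    """Never use the raw group element as a key; hash it down to a fixed-size key."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def honest_exchange() -> bool:
    a, A = dh_keypair()      # me
    b, B = dh_keypair()      # you
    return derive_key(dh_shared(a, B)) == derive_key(dh_shared(b, A))


def mitm_exchange() -> bool:
    """Unauthenticated DH against Mallory on the Internet between us: she replaces both public
    values, shares one key with me and a different one with you, and relays in between."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m, M = dh_keypair()
    my_key = derive_key(dh_shared(a, M))             # I believe M came from you
    your_key = derive_key(dh_shared(b, M))           # you believe M came from me
    mallory_with_me = derive_key(dh_shared(m, A))
    mallory_with_you = derive_key(dh_shared(m, B))
    return my_key == mallory_with_me and your_key == mallory_with_you and my_key != your_key
```

Ephemeral DH (slide 232) is this exchange with fresh exponents per session, and TLS fixes the man in the middle by having the server sign its public value with a key the client can verify through a certificate.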

  107. Cease fire!
    ZSTAMUTJMEFFILH
    Cease fire!

  108. Attack at dawn!
    HUWKEMMQTXMR
    Attack at dawn!

  109. Authenticity

  110. sender
    ==
    expected_sender

  111. message
    ==
    expected_message

  112. Encryption without
    authentication

  113. Almost certainly wrong

  114. Attackers don’t need to
    decrypt to modify

  115. Cryptographic
    hash functions

  116. (diagram) message "lorem ipsum" (arbitrary size) → Hash Function → digest (state) 358d846c39 (fixed size)

  119. (diagram) "lorem python" → Hash Function → 358d846c39
    "lorem ipsum" → Hash Function → 358d846c39

  121. That’s it.

  122. H(x) can be used
    to compute H(f(x))

  123. Extension attacks

  124. hf = HF("hello pycon\n")
    hf.update("how are you")
    hf.hexdigest()

  125. hf = HF(state=your_hash)
    hf.update(my_string)
    hf.hexdigest()

  126. my_string = "\nI am not
    attending, because I
    have switched to PHP"

  127. Payment processor

  128. MD5(secret + amount)

  129. $12.00: "1200"

  130. hf = HF(state=your_hash)
    hf.update("0" * 12)
    hf.hexdigest()

  131. bwall/HashPump
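The length-extension attack of slides 122-131 carried out for real, as an added Python example (not from the deck and not HashPump). `hashlib` will not let you load an arbitrary internal state, so SHA-1 is implemented in full here; SHA-1 rather than the slide's MD5 only because it is shorter to write, and MD5 and SHA-256 fall the same way. The payment-processor secret and amount are constructed sample values, and every function name is mine.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block: bytes):
    """One SHA-1 compression: absorb a 64-byte block into the five-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(total_len: int) -> bytes:
    """Merkle-Damgard padding for a total_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg: bytes, state=SHA1_IV, prior_len: int = 0) -> str:
    """SHA-1 of msg. Passing state/prior_len resumes from a digest you were handed: the
    digest IS the internal state, which is the whole problem (slide 122)."""
    data = msg + sha1_padding(prior_len + len(msg))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state).hex()


def length_extend(known_digest_hex: str, known_len: int, suffix: bytes):
    """From H(secret || m) and len(secret || m) alone, produce H(secret || m || glue || suffix)."""
    state = struct.unpack(">5I", bytes.fromhex(known_digest_hex))
    glue = sha1_padding(known_len)        # the padding the original hash already absorbed
    return glue, sha1(suffix, state=state, prior_len=known_len + len(glue))


def matches_hashlib(msg: bytes) -> bool:
    return sha1(msg) == hashlib.sha1(msg).hexdigest()


def demo(secret: bytes = b"correct horse battery staple"):
    """Slides 127-130: tag = H(secret || amount). The attacker never learns the secret."""
    amount = b"1200"                                  # $12.00, constructed example
    tag = sha1(secret + amount)                       # what the merchant hands over
    suffix = b"0" * 12                                # the attacker's appended zeros
    # len(secret) is needed; a real attacker loops over plausible lengths until one verifies.
    glue, forged_tag = length_extend(tag, len(secret) + len(amount), suffix)
    forged_amount = amount + glue + suffix
    processor_accepts = hashlib.sha1(secret + forged_amount).hexdigest() == forged_tag
    return forged_amount, forged_tag, processor_accepts
```

`demo()` reports that the processor accepts the forged tag: the glue bytes sit inside the amount field, so whether the attack pays off depends on how sloppily the receiver parses `"1200\x80\x00...000000000000"`. The fix is not a different hash in this construction but a MAC, which the deck reaches on slide 135.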

  132. SHA-3 era: fixed
    (SHA-3, BLAKE2)

  133. SHA-256, SHA-3
    (both are fine)

  134. BLAKE2

  135. MAC

  136. H(x) can be used
    to compute H(f(x))

  137. MAC(k, x)
    says nothing about
    MAC(k, f(x))

  138. MAC(k, x)
    says nothing about
    MAC(k, y)

  139. HMAC

  140. hmac(k, hf, msg)

  141. import hmac
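Slides 107-114 (modify without decrypting) and 135-141 (HMAC) in one added Python example, not from the deck. A stream cipher is stood in for by a PRF keystream of the same shape as CTR mode; the attacker turns "Cease fire!" into a different eleven-character order without the key, because XOR edits pass straight through the keystream (the slide's "Attack at dawn!" is longer, and XOR edits cannot change the length, so "Attack now!" is used). The encrypt-then-MAC functions with `hmac` and `hmac.compare_digest` show the fix. Names and sample keys are mine.

```python
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: PRF(key, nonce || counter) blocks, the same shape as CTR mode."""
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return _xor(data, keystream(key, nonce, len(data)))


stream_decrypt = stream_encrypt      # XOR twice with the same keystream


def flip_plaintext(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """The attacker's edit: no key, no decryption. c ^ known ^ wanted decrypts to `wanted`
    because the keystream underneath never changed (slide 114)."""
    if len(known) != len(wanted):
        raise ValueError("XOR edits keep the length; pick a target of equal length")
    return _xor(ciphertext, _xor(known, wanted))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate keys: the tag covers the nonce and the ciphertext."""
    nonce = os.urandom(16)
    ct = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def verify_tag(mac_key: bytes, blob: bytes) -> bool:
    nonce_ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce_ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)     # constant-time; see the timing-attack slides


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the MAC before touching the ciphertext: a flipped bit is rejected, not decrypted."""
    if not verify_tag(mac_key, blob):
        raise ValueError("bad MAC: message altered in transit or not from the key holder")
    nonce, ct = blob[:16], blob[16:-32]
    return stream_decrypt(enc_key, nonce, ct)


def tamper(blob: bytes, known: bytes, wanted: bytes) -> bytes:
    """The same bit flip against a sealed message; the tag no longer matches."""
    return blob[:16] + flip_plaintext(blob[16:-32], known, wanted) + blob[-32:]
```

The MAC is computed over the ciphertext, not the plaintext, and is checked before decryption, so the receiver never runs attacker-controlled bytes through the cipher; this is the `hmac(k, hf, msg)` of slide 140 doing the job that `H(x)` on slide 136 could not.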

  142. Password storage

  143. CHFs are WRONG

  144. (diagram) "password" → Hash Function → 45ed8f8c31

  145. Brute force?

  147. ATI HD 5970, 2GB
    5.6e9 MD5/s
    2.3e9 SHA2/s

  149. SHA-3?

  150. (diagram) "lorem ipsum" → Hash Function → 358d846c39

  151. SHA-2-256: 14 cpb
    SHA-3-256: 11 cpb
    (Intel Ivy Bridge/Sandy Bridge)

  152. Salts?

  153. Dictionary attacks

  154. KDFs should be
    hard to compute

  155. bcrypt
    (tunably) time-hard

  156. scrypt
    time- and space-hard
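Password storage from slides 142-156, as an added Python example (mine, not the deck's). It puts the WRONG version (a bare hash function, identical output for identical passwords, billions of guesses per second on a GPU) beside a salted, tunably slow KDF. `hashlib.pbkdf2_hmac` is used because it is in every CPython build; it is time-hard like bcrypt but not memory-hard like scrypt, and the usage note gives the scrypt call. The iteration count and storage format are my choices.

```python
import base64
import hashlib
import hmac
import os

# Tune so one hash costs roughly 100 ms on the machine that verifies logins; raise it over time.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Slide 143's WRONG way: fast and unsalted. Equal passwords give equal hashes, so one
    precomputed dictionary cracks every user at once, at GPU speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow KDF. Stored as algorithm$iterations$salt$hash so the cost
    can be raised later without knowing the password."""
    salt = os.urandom(16)     # fresh per password: no shared dictionary or rainbow table works
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unknown password hash format: %s" % algorithm)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)      # constant-time comparison


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """Call after a successful login: re-hash with today's cost if the record is too cheap."""
    return int(stored.split("$")[1]) < iterations
```

For the deck's actual recommendations: `hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1)` gives the time- and memory-hard KDF of slide 156 on builds linked against OpenSSL 1.1 or later, and bcrypt is available from the third-party `bcrypt` package. Whichever KDF you pick, the salt, the tunable cost, the self-describing storage format and the constant-time compare stay the same.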

  157. Sender authentication?

  159. Public key
    Cryptography

  163. Key generation

  164. (diagram) key generation: keys for me, keys for you

  166. Encryption

  167. (diagram) PK Enc, key: you; "hello world" → BXUWDVWQEF

  168. Decryption

  169. (diagram) PK Dec, key: you; BXUWDVWQEF → "hello world"

  170. Signing

  171. Anyone can use
    my public key

  172. How do I know
    you’re you?

  173. (diagram) Signing: PK Dec, key: you, over HF(m) → Signature

  174. (diagram) Verifying: PK Enc, key: you, over Signature → HF(m)

  175. RSA

  176. Victory!
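Slides 163-175 as an added Python example, not from the deck: textbook RSA key generation, encryption with the public key, and signing as "PK Dec over HF(m)" with verification as "PK Enc over the signature", exactly the arrows of slides 173-174. A 512-bit modulus and the absence of any padding (no OAEP, no PSS) make this a teaching toy, not something to ship; real code uses a library. The Miller-Rabin helper and all names are mine.

```python
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; enough for a demo, libraries are stricter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # top and bottom bit set
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Slide 163: public key (e, n), private key (d, n). 512 bits is a toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def rsa_encrypt(public_key, m: int) -> int:
    """Slides 166-167: anyone can encrypt to the key's owner. Unpadded, so m must be < n."""
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message: bytes) -> int:
    """Slide 173: 'decrypt' HF(m) with the private key; only the key holder can do this."""
    return rsa_decrypt(private_key, _digest_int(message, private_key[1]))


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Slide 174: 'encrypt' the signature with the public key and compare it to HF(m)."""
    return rsa_encrypt(public_key, signature) == _digest_int(message, public_key[1])
```

Signing the hash rather than the message is what lets a fixed-size key sign arbitrary data, and it is also why the hash function's properties (slides 115-121) matter: a collision lets one signature vouch for two messages.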

  177. “me” == actually me?

  178. Chains of signatures

  179. I don’t trust you.

  180. But X trusts you.

  181. And I trust X.

  182. So I trust you.

  183. GPG key signing

  184. SSL

  185. TLS

  187. version, ciphersuites, ...

  188. Key exchange method
    (RSA, DH, ...)

  189. Signing algorithm
    (RSA, DSA, ECDSA)

  190. Bulk encryption algorithm
    (AES-CBC, RC4...)

  191. MAC algorithm
    (HMAC-{MD5, SHA2})

  194. (diagram) RSA Enc, key: srvr; random secret → OUTDXBHXUS

  195. OUTDXBHXUS

  196. (diagram) RSA Dec, key: srvr; OUTDXBHXUS → random secret

  197. (diagram) both sides derive the AES key and the MAC key from the random secret

  198. MAC

  200. Encrypted
    +
    Authenticated

  203. CAs

  204. ...

  206. valid vs trustworthy?

  208. What if I plant
    a root cert?

  209. sslbump

  210. ICAP/eCAP

  211. lvh/minitrue

  212. Questions?

  213. Timing attacks

  214. Side-channel

  215. Implementation,
    not theory

  221. provided == password

  222. compare length

  223. compare byte by byte

  224. "abc" == "xyz"

  225. "abc" == "ayz"

  226. "abc" == "abz"

  227. len(alpha) ** len(pw)

  228. X * X * X * ...
    len(alpha) possibilities,
    len(pwd) times

  229. k * len(alpha) * len(pw)
    measurements × possibilities × characters
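The timing attack of slides 213-229, as an added Python example that is not part of the deck. Rather than measuring wall-clock time, the leaky server counts how many bytes its early-exit comparison touched, which is what a remote attacker recovers from response latency after averaging k measurements; the attack then needs about `len(alpha) * len(pw)` queries instead of `len(alpha) ** len(pw)`. The constant-time alternative uses `hmac.compare_digest`. Class and function names are mine.

```python
import hashlib
import hmac
import string


class LeakyChecker:
    """A server whose `provided == password` stops at the first mismatching byte.
    `work` counts byte comparisons; over the network that shows up as latency."""

    def __init__(self, secret: str):
        self._secret = secret
        self.work = 0
        self.queries = 0

    def check(self, provided: str) -> bool:
        self.queries += 1
        if len(provided) != len(self._secret):      # length first, like str.__eq__
            return False
        for got, want in zip(provided, self._secret):
            self.work += 1
            if got != want:                          # early exit: the leak
                return False
        return True


def timing_attack(checker: LeakyChecker, length: int,
                  alphabet: str = string.ascii_lowercase) -> str:
    """Recover the secret one character at a time. A correct prefix makes the server's loop
    run one step further than any wrong guess, so each position costs len(alphabet) queries."""
    known = ""
    for _ in range(length):
        best_char, best_cost = None, -1
        for ch in alphabet:
            guess = (known + ch).ljust(length, "\0")    # pad so the length check passes
            before = checker.work
            if checker.check(guess):                    # the whole secret, done
                return known + ch
            cost = checker.work - before
            if cost > best_cost:
                best_char, best_cost = ch, cost
        known += best_char
    return known


def safe_check(provided: str, secret: str) -> bool:
    """Constant-time comparison. Hashing both sides first also hides the length difference."""
    return hmac.compare_digest(hashlib.sha256(provided.encode()).digest(),
                               hashlib.sha256(secret.encode()).digest())
```

In practice the attacker repeats each guess k times and averages to beat network jitter, which is the `k` of slide 229; the shape of the attack is unchanged, only the constant grows. Comparing fixed-length digests with `compare_digest` removes the per-byte early exit that the attack depends on.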

  230. More TLS

  231. Client certificates

  232. Ephemeral
    Diffie-Hellman

  233. Elliptic Curves
    ECDH/ECDSA