Crypto 101 by Laurens Van Houtven

Transcript

1. Crypto 101
   @lvh
   

   View Slide

2. @lvh
   [email protected]
   

   View Slide

3. View Slide

4. View Slide

5. View Slide

6. POST /quantum HTTP/1.1
   

   View Slide

7. View Slide

8. Lightning Talk Version
   

   View Slide

9. In motion: TLS
   

   View Slide

10. At rest: GPG
    

    View Slide

11. (Py)NaCl
    KeyCzar
    cryptlib
    

    View Slide

12. If you are typing the letters
    A-E-S into your code,
    you’re doing it wrong.
    

    View Slide

13. DES: extra wrong
    MD5, SHA: maybe wrong
    

    View Slide

14. Why stay?
    

    View Slide

15. Recognizing wrong
    stuff still matters
    

    View Slide

16. Understanding
    stuff still matters
    

    View Slide

17. View Slide

18. View Slide

19. xor
    

    View Slide

20. 1 ^ 0 == 1
    0 ^ 1 == 1
    

    View Slide

21. 1 ^ 1 == 0
    0 ^ 0 == 0
    

    View Slide

22. Invert?
    Input Output
    

    View Slide

23. Invert: yes (1)
    Input: 1 Output: 0
    

    View Slide

24. Invert: no (0)
    Input: 1 Output: 1
    

    View Slide

25. One-time Pad
    

    View Slide

26. 1110010101010110
    1010100000111101
    0100101010101010
    ...
    

    View Slide

27. OTP
    crypto XWCVPR
    

    View Slide

28. Perfect secrecy
    

    View Slide

29. 0?
    1? 1
    

    View Slide

30. 1?
    0? 1
    

    View Slide

31. View Slide

32. View Slide

33. View Slide

34. Victory!
    

    View Slide

35. len(one_time_pad)
    

    View Slide

36. == len(all_data_ever)
    

    View Slide

37. == very_big_number
    

    View Slide

38. Exchange?
    

    View Slide

39. Ciphers
    

    View Slide

40. Block Ciphers
    

    View Slide

41. Block
    Cipher
    Key
    abc XYZ
    Ciphertext
    Same fixed size
    Plaintext
    Fixed size
    

    View Slide

42. P C
    

    View Slide

43. Random permutation
    

    View Slide

44. 000: 001
    001: 010
    010: 111
    011: 000
    100: 110
    101: 011
    110: 100
    111: 101
    

    View Slide

45. x, C(k, x)
    vs
    y, C(k, y)
    

    View Slide

46. P C
    

    View Slide

47. AES
    

    View Slide

48. Blowfish/Twofish
    

    View Slide

49. DES/3DES
    

    View Slide

50. Victory!
    

    View Slide

51. “Hello”
    

    View Slide

52. with open(“x.jpg”) as f:
    send(f, you)
    

    View Slide

53. Block Cipher
    

    View Slide

54. len(message)
    > block_size
    

    View Slide

55. aes.block_size == 128
    (16 bytes)
    

    View Slide

56. Stream Ciphers
    

    View Slide

57. Native stream ciphers
    

    View Slide

58. RC4
    

    View Slide

59. Salsa20
    ChaCha20
    

    View Slide

60. Implemented as
    construction with
    block ciphers
    

    View Slide

61. abcdefghijklmnopqrstuvw
    C
    k
    C
    k
    C
    k
    C
    k
    C
    k
    C
    k
    C
    k
    {
    {
    {
    {
    {
    {
    {
    {
    C
    k
    padding
    KEGASVTPCFDRUWBOJNMHXQIL
    {
    {
    {
    {
    {
    {
    {
    {
    

    View Slide

62. ECB
    

    View Slide

63. plaintext chunk
    ciphertext chunk
    

    View Slide

64. View Slide

65. View Slide

66. View Slide

67. View Slide

68. Replay Attacks
    

    View Slide

69. View Slide

70. View Slide

71. Block Cipher
    Modes of Operation
    

    View Slide

72. ECB, (P)CBC,
    CFB, OFB, CTR
    

    View Slide

73. ECB, (P)CBC,
    CFB, OFB, CTR
    

    View Slide

74. CBC
    

    View Slide

75. Most common
    in the wild
    

    View Slide

76. BEAST
    

    View Slide

77. CTR
    

    View Slide

78. {nonce}{count:08d}
    

    View Slide

79. D501320200000000
    D501320200000001
    D501320200000002
    Nonce Count
    .
    .
    .
    

    View Slide

80. C
    k
    C
    k
    D501320200000000, D501320200000001, ...
    D1DC4D1FE3679212, 0FD25C7B1CF46485, ...
    

    View Slide

81. D1DC4D1FE3679212
    0FD25C7B1CF46485
    ...
    

    View Slide

82. Keystream
    

    View Slide

83. Pseudo-OTP
    

    View Slide

84. GCM, EAX, OCB,
    IAPM, CCM, CWC
    

    View Slide

85. GCM, EAX, OCB,
    IAPM, CCM, CWC
    

    View Slide

86. PATENT
    PENDING
    

    View Slide

87. Victory!
    

    View Slide

88. View Slide

89. Key exchange?
    

    View Slide

90. In person?
    

    View Slide

91. View Slide

92. O(n2)
    

    View Slide

93. Diffie-Hellman
    Key Exchange
    

    View Slide

94. View Slide

95. =
    +
    

    View Slide

96. =
    +
    +
    

    View Slide

97. - =
    

    View Slide

98. Internet
    Me You
    

    View Slide

99. View Slide

100. +
     =
     +
     =
     

     View Slide

101. View Slide

102. View Slide

103. +
     =
     +
     =
     

     View Slide

104. =
     + +
     + +
     

     View Slide

105. Victory!
     

     View Slide

106. View Slide

107. Cease fire!
     ZSTAMUTJMEFFILH
     Cease fire!
     

     View Slide

108. Attack at dawn!
     HUWKEMMQTXMR
     Attack at dawn!
     

     View Slide

109. Authenticity
     

     View Slide

110. sender
     ==
     expected_sender
     

     View Slide

111. message
     ==
     expected_message
     

     View Slide

112. Encryption without
     authentication
     

     View Slide

113. Almost certainly wrong
     

     View Slide

114. Attackers don’t need to
     decrypt to modify
     

     View Slide

115. Cryptographic
     hash functions
     

     View Slide

116. lorem ipsum 358d846c39
     digest (state)
     fixed size
     message
     arbitrary size
     Hash
     Function
     

     View Slide

117. lorem ipsum 358d846c39
     Hash
     Function
     

     View Slide

118. lorem ipsum 358d846c39
     Hash
     Function
     

     View Slide

119. lorem python 358d846c39
     lorem ipsum 358d846c39
     Hash
     Function
     Hash
     Function
     

     View Slide

120. lorem python 358d846c39
     lorem ipsum 358d846c39
     Hash
     Function
     Hash
     Function
     

     View Slide

121. That’s it.
     

     View Slide

122. H(x) can be used
     to compute H(f(x))
     

     View Slide

123. Extension attacks
     

     View Slide

124. hf = HF(“hello pycon\n”)
     hf.update(“how are you”)
     hf.hexdigest()
     

     View Slide

125. hf = HF(state=your_hash)
     hf.update(my_string)
     hf.hexdigest()
     

     View Slide

126. my_string = “\nI am not
     attending, because I
     have switched to PHP”
     

     View Slide

127. Payment processor
     

     View Slide

128. MD5(secret + amount)
     

     View Slide

129. $12.00: “1200”
     

     View Slide

130. hf = HF(state=your_hash)
     hf.update(“0” * 12)
     hf.hexdigest()
     

     View Slide

131. bwall/HashPump
     

     View Slide

132. SHA-3 era: fixed
     (SHA-3, BLAKE2)
     

     View Slide

133. SHA-256, SHA-3
     (both are fine)
     

     View Slide

134. BLAKE2
     

     View Slide

135. MAC
     

     View Slide

136. H(x) can be used
     to compute H(f(x))
     

     View Slide

137. MAC(k, x)
     says nothing about
     MAC(k, f(x))
     

     View Slide

138. MAC(k, x)
     says nothing about
     MAC(k, y)
     

     View Slide

139. HMAC
     

     View Slide

140. hmac(k, hf, msg)
     

     View Slide

141. import hmac
     

     View Slide

142. Password storage
     

     View Slide

143. CHFs are WRONG
     

     View Slide

144. password 45ed8f8c31
     Hash
     Function
     

     View Slide

145. Brute force?
     

     View Slide

146. View Slide

147. ATI HD 5970, 2GB
     5.6e9 MD5/s
     2.3e9 SHA2/s
     

     View Slide

148. View Slide

149. SHA-3?
     

     View Slide

150. lorem ipsum 358d846c39
     Hash
     Function
     

     View Slide

151. SHA-2-256: 14 cpb
     SHA-3-256: 11 cpb
     (Intel Ivy Bridge/Sandy Bridge)
     

     View Slide

152. Salts?
     

     View Slide

153. Dictionary attacks
     

     View Slide

154. KDFs should be
     hard to compute
     

     View Slide

155. bcrypt
     (tunably) time-hard
     

     View Slide

156. scrypt
     time- and space-hard
     

     View Slide

157. Sender authentication?
     

     View Slide

158. View Slide

159. Public key
     Cryptography
     

     View Slide

160. View Slide

161. View Slide

162. View Slide

163. Key generation
     

     View Slide

164. me
     me
     you
     you
     

     View Slide

165. me
     you
     

     View Slide

166. Encryption
     

     View Slide

167. PK
     Enc
     you
     hello
     world
     BXUWD
     VWQEF
     

     View Slide

168. Decryption
     

     View Slide

169. PK
     Dec
     you
     hello
     world
     BXUWD
     VWQEF
     you
     

     View Slide

170. Signing
     

     View Slide

171. Anyone can use
     my public key
     

     View Slide

172. How do I know
     you’re you?
     

     View Slide

173. PK
     Dec
     you
     Signature
     HF(m)
     you
     

     View Slide

174. PK
     Enc
     you
     Signature HF(m)
     

     View Slide

175. RSA
     

     View Slide

176. Victory!
     

     View Slide

177. “me” == actually me?
     

     View Slide

178. Chains of signatures
     

     View Slide

179. I don’t trust you.
     

     View Slide

180. But X trusts you.
     

     View Slide

181. And I trust X.
     

     View Slide

182. So I trust you.
     

     View Slide

183. GPG key signing
     

     View Slide

184. SSL
     

     View Slide

185. TLS
     

     View Slide

186. View Slide

187. version, ciphersuites, ...
     

     View Slide

188. Key exchange method
     (RSA, DH, ...)
     

     View Slide

189. Signing algorithm
     (RSA, DSA, ECDSA)
     

     View Slide

190. Bulk encryption algorithm
     (AES-CBC, RC4...)
     

     View Slide

191. MAC algorithm
     (HMAC-{MD5, SHA2})
     

     View Slide

192. version, ciphersuites, ...
     

     View Slide

193. ✓
     

     View Slide

194. RSA
     Enc
     srvr
     random
     secret
     OUTDX
     BHXUS
     

     View Slide

195. OUTDXBHXUS
     

     View Slide

196. RSA
     Dec
     srvr
     random
     secret
     OUTDX
     BHXUS
     srvr
     

     View Slide

197. random
     secret
     AES MAC
     random
     secret
     AES MAC
     

     View Slide

198. MAC
     

     View Slide

199. View Slide

200. Encrypted
     +
     Authenticated
     

     View Slide

201. ✓
     

     View Slide

202. View Slide

203. CAs
     

     View Slide

204. ...
     

     View Slide

205. View Slide

206. valid vs trustworthy?
     

     View Slide

207. valid vs trustworthy?
     

     View Slide

208. What if I plant
     a root cert?
     

     View Slide

209. sslbump
     

     View Slide

210. ICAP/eCAP
     

     View Slide

211. lvh/minitrue
     

     View Slide

212. Questions?
     

     View Slide

213. Timing attacks
     

     View Slide

214. Side-channel
     

     View Slide

215. Implementation,
     not theory
     

     View Slide

216. View Slide

217. View Slide

218. View Slide

219. View Slide

220. View Slide

221. provided == password
     

     View Slide

222. compare length
     

     View Slide

223. compare byte by byte
     

     View Slide

224. “abc” == “xyz”
     

     View Slide

225. “abc” == “ayz”
     

     View Slide

226. “abc” == “abz”
     

     View Slide

227. len(alpha) ** len(pw)
     

     View Slide

228. X * X * X * ....
     len(alpha) possibilities
     len(pwd) times
     

     View Slide

229. k * len(alpha) * len(pw)
     possibilities
     measurements characters
     

     View Slide

230. More TLS
     

     View Slide

231. Client certificates
     

     View Slide

232. Ephemeral
     Diffie-Hellman
     

     View Slide

233. Elliptic Curves
     ECDH/ECDSA
     

     View Slide