Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Enough Cryptography to Be Dangerous

Steve Marx
August 09, 2016

Enough Cryptography to Be Dangerous

This introductory talk aims to demystify cryptography. We’ll define and discuss concepts such as password hashing, cryptographic signatures, and encryption. We’ll also work through examples of what tool to use for what kind of job. This talk won’t make you an expert in cryptography, but it will give you working knowledge and a jumping off point to learn more on your own.

Steve Marx

August 09, 2016
Tweet

More Decks by Steve Marx

Other Decks in Technology

Transcript

  1. My goals • Get you interested in cryptography • Get

    you familiar with concepts and terminology • Encourage use of known, tested solutions
  2. Secrets • Unguessable random numbers • GUID example: f82038a2-ddf4-4cad-b8c1-b7346f34c69c •

    340,282,366,920,938,463,463,374,607,431,768,211,456 possiblities • If you generate 10 trillion GUIDs this year… • Passwords • Threats • Online attacks • Offline attacks
  3. Hash functions • One-way function • Maps arbitrary data to

    a fixed-size bit string • Bad (for cryptography) example: f(x) = f mod 100 • Cryptographic hash functions • Given h, it should be hard to find m such that h = hash(m) • Given m1 , it should be hard to find m2 such that hash(m1 ) = hash(m2 ) • It should be hard to find m1 and m2 such that hash(m1 ) = hash(m2 ) • Good example: SHA256
  4. Password hashing • Cryptographic hash function + expensive • “Expensive”

    is relative, ideally has configurable work factor • Salt: random additional input to the hash • Prevents cracking with a precomputed table • Good example: bcrypt
  5. How would you attack this? isit(password) à boolean • 20-character

    password, all uppercase letters • 2620 = 19,928,148,895,209,409,152,340,197,376 possibilities • My laptop can guess 500,000 passwords per second • 1.2 quadrillion years to guess them all • I wrote a program to do it in 4 minutes
  6. Implementation of isit(password) def isit(text): for i in range(len(password)): if

    len(text) <= i: return False if text[i] != password[i]: return False return len(text) == len(password)
  7. Timing attacks • The time your algorithm takes can be

    source of leaks • Don’t hash and compare, use a provided “check” method >>> bcrypt.hashpw(b'correct horse battery staple', salt=bcrypt.gensalt(rounds=12)) b'$2b$12$qeYnf…' >>> bcrypt.checkpw(b'correct horse battery staple', b'$2b$12$qeYnf…') True
  8. Encryption • Encode a message such that only authorized parties

    can read it • Unguessable key • Infeasible to break without knowing the key • Two major types • Symmetric key • Public key
  9. Symmetric encryption • Same key (shared secret) used for encryption

    and decryption • One-time pad • Provably perfect • Random bit string at least the length of the message • XOR message and OTP together • Good example: AES
  10. Public key encryption • Public key / private key •

    Things encrypted with one can be decrypted by the other • Rely on some process difficult to reverse • Integer factorization • Discrete logarithm • Elliptic curve relationships • Sometimes used just to establish a symmetric “session” key • Good example: RSA
  11. Key exchange • How do two people agree on a

    key over an insecure channel? • Good example: Diffie-Hellman key exchange
  12. Diffie-Hellman example p = 23, g = 5 ALICE chooses

    a=6, computes A = ga mod p = 56 mod 23 = 8 ALICE tells Bob 8 BOB chooses b=15, computes B = gb mod p = 515 mod 23 = 19 BOB tells Alice 19 ALICE computes s = Ba mod p = 196 mod 23 = 2 BOB computes s = Ab mod p = 815 mod 23 = 2
  13. Signatures • HMAC • Keyed-hash message authentication code • Don’t

    do this: SHA256(secret + message) • Or this: SHA256(message + secret) • Or this: SHA256(secret + message + secret) • See “length extension attack”
  14. Time-based one-time passwords (TOTP) • Used for 2-factor authentication, e.g.

    Google Authenticator • Roughly HMAC-SHA1(secret, timestamp)
  15. Python implementation of TOTP data = struct.pack('>Q', int(time.time()) // 30)

    signature = hmac.new(secret, data, hashlib.sha1).digest() offset = signature[-1] & 0xF b = bytearray(signature[offset:offset+4]) b[0] &= 0x7F print('{:0>6}'.format( struct.unpack('>L', b)[0] % 10**6))
  16. Python implementation of JWT header = b64(j({ "alg": "HS256", "typ":

    "JWT" })) payload = b64(j({ "username": "smarx", "admin": True })) signature = b64(hmac.new(b"secret", header + b"." + payload, hashlib.sha256).digest()) print(".".join(s.decode("utf-8") for s in (header, payload, signature)))
  17. Summary • There are lots of GUIDs • Good cryptographic

    hash function: SHA256 • Good password hash function: bcrypt • Symmetric encryption: AES • Public key encryption: RSA • Me: @smarx, [email protected]