Enough Cryptography to Be Dangerous

Transcript

1. None

2. Enough Cryptography to Be Dangerous Steve Marx @smarx

3. None
4. None

5. I’m perfectly qualified to give this talk • Not an

   expert • Definitely dangerous

6. My goals • Get you interested in cryptography • Get

   you familiar with concepts and terminology • Encourage use of known, tested solutions

7. http://www.collegehumor.com/post/6867508

8. Secrets • Unguessable random numbers • GUID example: f82038a2-ddf4-4cad-b8c1-b7346f34c69c •

   340,282,366,920,938,463,463,374,607,431,768,211,456 possiblities • If you generate 10 trillion GUIDs this year… • Passwords • Threats • Online attacks • Offline attacks

9. Hash functions • One-way function • Maps arbitrary data to

   a fixed-size bit string • Bad (for cryptography) example: f(x) = f mod 100 • Cryptographic hash functions • Given h, it should be hard to find m such that h = hash(m) • Given m1 , it should be hard to find m2 such that hash(m1 ) = hash(m2 ) • It should be hard to find m1 and m2 such that hash(m1 ) = hash(m2 ) • Good example: SHA256

10. Password hashing • Cryptographic hash function + expensive • “Expensive”

    is relative, ideally has configurable work factor • Salt: random additional input to the hash • Prevents cracking with a precomputed table • Good example: bcrypt

11. How would you attack this? isit(password) à boolean • 20-character

    password, all uppercase letters • 2620 = 19,928,148,895,209,409,152,340,197,376 possibilities • My laptop can guess 500,000 passwords per second • 1.2 quadrillion years to guess them all • I wrote a program to do it in 4 minutes

12. DEMO Timing attack

13. Implementation of isit(password) def isit(text): for i in range(len(password)): if

    len(text) <= i: return False if text[i] != password[i]: return False return len(text) == len(password)

14. Timing attacks • The time your algorithm takes can be

    source of leaks • Don’t hash and compare, use a provided “check” method >>> bcrypt.hashpw(b'correct horse battery staple', salt=bcrypt.gensalt(rounds=12)) b'$2b$12$qeYnf…' >>> bcrypt.checkpw(b'correct horse battery staple', b'$2b$12$qeYnf…') True

15. DEMO Time for a card trick!

16. $2b$15$bSEHlFk8N0EeVRHnGRwio.RClRZUfz5FWb79ewxky4H6FUkM8/25m

17. Encryption • Encode a message such that only authorized parties

    can read it • Unguessable key • Infeasible to break without knowing the key • Two major types • Symmetric key • Public key

18. Symmetric encryption • Same key (shared secret) used for encryption

    and decryption • One-time pad • Provably perfect • Random bit string at least the length of the message • XOR message and OTP together • Good example: AES

19. Public key encryption • Public key / private key •

    Things encrypted with one can be decrypted by the other • Rely on some process difficult to reverse • Integer factorization • Discrete logarithm • Elliptic curve relationships • Sometimes used just to establish a symmetric “session” key • Good example: RSA

20. Key exchange • How do two people agree on a

    key over an insecure channel? • Good example: Diffie-Hellman key exchange

21. Diffie-Hellman example p = 23, g = 5 ALICE chooses

    a=6, computes A = ga mod p = 56 mod 23 = 8 ALICE tells Bob 8 BOB chooses b=15, computes B = gb mod p = 515 mod 23 = 19 BOB tells Alice 19 ALICE computes s = Ba mod p = 196 mod 23 = 2 BOB computes s = Ab mod p = 815 mod 23 = 2

22. Signatures • HMAC • Keyed-hash message authentication code • Don’t

    do this: SHA256(secret + message) • Or this: SHA256(message + secret) • Or this: SHA256(secret + message + secret) • See “length extension attack”

23. Time-based one-time passwords (TOTP) • Used for 2-factor authentication, e.g.

    Google Authenticator • Roughly HMAC-SHA1(secret, timestamp)
24. None
25. None
26. None

27. ORUGC5DDN5XGMZLSMVXGGZI=

28. Python implementation of TOTP data = struct.pack('>Q', int(time.time()) // 30)

    signature = hmac.new(secret, data, hashlib.sha1).digest() offset = signature[-1] & 0xF b = bytearray(signature[offset:offset+4]) b[0] &= 0x7F print('{:0>6}'.format( struct.unpack('>L', b)[0] % 10**6))

29. JSON web tokens (JWT) • Message is JSON • Signature

    concatenated to message

30. Python implementation of JWT header = b64(j({ "alg": "HS256", "typ":

    "JWT" })) payload = b64(j({ "username": "smarx", "admin": True })) signature = b64(hmac.new(b"secret", header + b"." + payload, hashlib.sha256).digest()) print(".".join(s.decode("utf-8") for s in (header, payload, signature)))

31. Summary • There are lots of GUIDs • Good cryptographic

    hash function: SHA256 • Good password hash function: bcrypt • Symmetric encryption: AES • Public key encryption: RSA • Me: @smarx, [email protected]
32. None