Being Boring: A Survivor's Guide to Ruby Cryptography

tarcieri
November 10, 2013


We all know that security is hard, and that math is hard, but what happens when you put them together? Cryptography is an increasingly essential tool for building secure systems, but also a perilous minefield where any number of mistakes can lead to insecure systems.

This talk will take you step-by-step through the difficulties of building secure cryptosystems on top of Ruby's existing OpenSSL bindings and contrast that with RbNaCl, a next generation Ruby cryptography library specifically designed to be more mistake-proof and put cryptography "on Rails". Attendees will hopefully learn that the best approaches to cryptography rest in making systems simple, straightforward, and boring... in a good way.

Video: https://www.youtube.com/watch?v=e13irYP6WJA


Transcript

  2. @bascule TONY ARCIERI

  4. How hard could it be? I JUST WANT TO ENCRYPT SOMETHING
  5. HARD!

  6. HOW HARD?

  7. You Will Learn! TODAY

  8. TODAY Attacks

  9. Authenticated Encryption HOWTO TODAY Attacks

  10. Authenticated Encryption HOWTO TODAY Attacks Avoiding The Problem By Letting Cryptographers Do The Hard Work For Us
  11. RUBY OPENSSL

  12. How does it work??? CRYPTO

  13. MAGIC

  14. MAGIC

  15. MATH

  16. SYMMETRIC MSG

  17. SYMMETRIC

  18. SYMMETRIC MSG

  19. ASYMMETRIC MSG

  20. ASYMMETRIC

  21. ASYMMETRIC MSG

  22. MATH + SECURITY

  23. MATH + PROGRAMMING

  24. MATH + BUGS

  25. “Most codes were designed by dilettantes and amateurs with no grasp of the underlying mathematics. It really is quite pitiable.” —Neal Stephenson, Cryptonomicon
  26. SYMMETRIC

  27. AES

  28. AES It’s great!*

  29. AES It’s great!* *WARNING: Read all instructions before proceeding

  30. AES (diagram: 16-byte plaintext block, AES block cipher keyed with a random 16/24/32-byte key, 16-byte ciphertext block)
  31. HOW TO ENCRYPT >16 bytes?

  32. PHP Use Rijndael!

  34. RIJNDAEL-256 (diagram: 32-byte plaintext block, Rijndael block cipher keyed with a random 16/24/32-byte key, 32-byte ciphertext block)
  35. HOW TO ENCRYPT >16 bytes?

  36. NAIVE SOLUTION

  37. ECB MODE

  41. ECB MODE (diagram: one random 16/24/32-byte key; each 16-byte plaintext block is encrypted independently to a 16-byte ciphertext block, shown for four blocks)
  42. PROBLEM

  43. PROBLEM ECB MODE LEAKS INFORMATION

  46. SOLUTION

  47. SOLUTION BLOCK CIPHER MODES OF OPERATION

  48. CBC CFB OFB CTR

  49. CBC CFB OFB CTR
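
The leak of slide 43 is easy to see with Ruby's own OpenSSL bindings. This added example (not code from the talk) encrypts four identical 16-byte blocks in ECB and in CBC mode and counts repeated ciphertext blocks: ECB preserves the repetition pattern, CBC does not.

```ruby
require 'openssl'

BLOCK = 16

# Encrypt a block-aligned plaintext with AES-128 in the given mode.
# Padding is disabled so both modes produce exactly one ciphertext block
# per plaintext block, which keeps the comparison apples-to-apples.
def encrypt(mode, key, iv, plaintext)
  cipher = OpenSSL::Cipher.new("AES-128-#{mode}")
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv if mode == 'CBC' # ECB has no IV; setting one raises
  cipher.padding = 0
  cipher.update(plaintext) + cipher.final
end

# Number of 16-byte ciphertext blocks identical to an earlier block.
# Any value above zero means structure of the plaintext is visible.
def repeated_blocks(ciphertext)
  blocks = ciphertext.unpack("a#{BLOCK}" * (ciphertext.bytesize / BLOCK))
  blocks.size - blocks.uniq.size
end

def ecb_vs_cbc_repeats
  key = OpenSSL::Random.random_bytes(16)
  iv  = OpenSSL::Random.random_bytes(16)
  # Constructed plaintext: the same 16-byte record four times over.
  plaintext = 'ATTACK AT DAWN!!' * 4
  {
    ecb: repeated_blocks(encrypt('ECB', key, iv, plaintext)), # 3
    cbc: repeated_blocks(encrypt('CBC', key, iv, plaintext))  # 0
  }
end
```

The same effect is what turns an ECB-encrypted bitmap into a recognisable outline: equal pixels in, equal blocks out.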

  50. CTR MODE (diagram: one random 16/24/32-byte key and a random 16-byte nonce; counters 1 through 4 are each run through AES to produce a 16-byte random pad, and each pad is XORed with a 16-byte plaintext block to give a 16-byte ciphertext block)
  54. SUCCESS! CONFIDENTIALITY

  55. PROBLEM

  56. PROBLEM REPEATING NONCES WILL LEAK INFORMATION

  57. SOLUTION

  58. SOLUTION DON’T DO THAT

  59. PROBLEM

  60. PROBLEM SUPPORT FOR CTR MODE IN RUBY OPENSSL IS SPOTTY

  61. SOLUTION

  62. SOLUTION USE CBC MODE

  63. PROBLEM

  64. PROBLEM ATTACKERS CAN CHANGE ENCRYPTED MESSAGES

  65. PROBLEM MALLEABILITY

  66. ATTACK AT DAWN CIPHERTEXT

  67. ATTACK AT DAWN CIPHERTEXT ⊕ DAWN ⊕ DUSK CIPHERTEXT CHANGE

  68. ATTACK AT DAWN CIPHERTEXT ⊕ DAWN ⊕ DUSK CIPHERTEXT CHANGE ATTACK AT DUSK
  69. SOLUTION USE A MESSAGE AUTHENTICATION CODE (MAC)

  70. SOLUTION AUTHENTICATED ENCRYPTION

  71. MAC (diagram: arbitrary-length message plus a random 16/32-byte key go into the MAC function, which outputs a 32-byte (or longer) MAC “tag”)
  72. CMAC GMAC UMAC HMAC

  73. CMAC GMAC UMAC HMAC

  74. PROBLEM

  75. PROBLEM WHAT ORDER DO WE ENCRYPT/MAC?

  76. MAC-THEN-ENCRYPT PLAINTEXT CIPHERTEXT MAC Used by SSL/TLS

  77. ENCRYPT-THEN-MAC PLAINTEXT CIPHERTEXT MAC Used by IPSEC

  78. ENCRYPT-AND-MAC PLAINTEXT CIPHERTEXT MAC Used by SSH

  79. WHICH ONE GOT IT RIGHT?

  80. ENCRYPT-THEN-MAC PLAINTEXT CIPHERTEXT MAC Used by IPSEC

  81. WHY?

  82. MAC-THEN-ENCRYPT Used by SSL/TLS BEAST PADDING ORACLE

  83. ENCRYPT-AND-MAC Used by SSH CHOSEN CIPHERTEXT ATTACKS

  85. REVIEW • AES-CBC • Encrypt-Then-MAC • HMAC

  87. WHAT ELSE COULD GO WRONG?

  88. TIMING ATTACKS
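
Putting slides 64 through 88 together on Ruby's OpenSSL bindings: this added example (not code from the talk) does AES-256-CBC, then HMAC-SHA256 over IV || ciphertext (Encrypt-Then-MAC), verifies the tag with a comparison that does not stop at the first differing byte, and shows that the bit-flip of slides 66-68 is rejected before any decryption happens. The 64-byte key split into separate encryption and MAC halves is this example's own convention.

```ruby
require 'openssl'

TAG_LEN = 32 # HMAC-SHA256 output

# Compare two byte strings without an early exit on the first mismatch,
# so verification time does not depend on how much of a forged tag is right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Encrypt-Then-MAC: output is IV || ciphertext || tag.
def seal(key, plaintext)
  enc_key, mac_key = key[0, 32], key[32, 32]
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.encrypt
  cipher.key = enc_key
  iv = cipher.random_iv                      # fresh random IV per message
  ciphertext = cipher.update(plaintext) + cipher.final
  tag = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ciphertext)
  iv + ciphertext + tag
end

# Returns the plaintext, or nil if the tag does not verify. The MAC is
# checked first, so a modified ciphertext never reaches CBC decryption
# (no padding oracle to probe, unlike MAC-Then-Encrypt).
def unseal(key, message)
  enc_key, mac_key = key[0, 32], key[32, 32]
  return nil if message.bytesize < 16 + TAG_LEN
  iv, ciphertext, tag = message[0, 16], message[16...-TAG_LEN], message[-TAG_LEN, TAG_LEN]
  expected = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ciphertext)
  return nil unless constant_time_equal?(tag, expected)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.decrypt
  cipher.key = enc_key
  cipher.iv = iv
  cipher.update(ciphertext) + cipher.final
end

# Flip one ciphertext bit (the malleability of slides 66-68) and confirm the
# tampered message is refused while the untouched one still opens.
def tamper_detected?(key)
  message = seal(key, 'ATTACK AT DAWN')
  forged = message.dup
  forged.setbyte(20, forged.getbyte(20) ^ 0x01) # byte 20 lies in the ciphertext body
  unseal(key, forged).nil? && unseal(key, message) == 'ATTACK AT DAWN'
end
```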

  90. PROBLEM THIS IS ALREADY GETTING CRAZY…

  91. PROBLEM …AND WE HAVEN’T EVEN TALKED ABOUT PUBLIC KEY CRYPTO!

  92. HOW CAN WE DO BETTER?

  93. BE MORE BORING

  94. NOT BORING Ruby OpenSSL A Bunch Of Crazy Code Written By Amateurs Crypto API
  95. BORING Crypto Library Written By Cryptographers Crypto API

  96. RbNaCl Ruby binding to the Networking and Cryptography Library by djb https://github.com/cryptosphere/rbnacl
  97. https://github.com/jedisct1/libsodium

  98. NaCl PRIMITIVES • Symmetric: SecretBox • Asymmetric: Box • And more!
  99. SYMMETRIC MSG SECRETBOX

  101. SecretBox • Cipher: XSalsa20 • MAC: Poly1305

  102. WTF is XSalsa20? THAT’S NOT BORING!

  103. BORING!

  104. NOT BORING!

  105. ASYMMETRIC MSG BOX

  107. Box • Diffie-Hellman: Curve25519 • Cipher: XSalsa20 • MAC: Poly1305

  108. DIFFIE-HELLMAN (diagram: each side combines its own private key with the other side's public key, and both arrive at the same shared secret)
  109. THAT’S ALL FOLKS!

  110. THAT’S ALL FOLKS! KEEP IT BORING!

  111. LINKS • RbNaCl: https://github.com/cryptosphere/rbnacl • NaCl: http://nacl.cr.yp.to • Libsodium: https://github.com • Twitter: @bascule