Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cryptography Pitfalls at LASCON 2016

John Downey
November 03, 2016

Cryptography Pitfalls at LASCON 2016

John Downey

November 03, 2016
Tweet

More Decks by John Downey

Other Decks in Programming

Transcript

  1. The views expressed in this presentation are my own, and

    not those of PayPal or any of its affiliates. @jtdowney 7
  2. You have probably seen the door to a bank vault,

    at least in the movies. You know, 10-inch-thick, hardened steel, with huge bolts to lock it in place. It certainly looks impressive. We often find the digital equivalent of such a vault door installed in a tent. The people standing around it are arguing over how thick the door should be, rather than spending their time looking at the tent. — Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno @jtdowney 15
  3. • For data in transit • Use TLS (née SSL),

    SSH, or VPN/IPsec • For data at rest • Use GnuPG • Data to be signed • Use GnuPG @jtdowney 16
  4. • Avoid low level libraries • OpenSSL • PyCrypto •

    Bouncy Castle • Use a high level library • NaCL/libsodium (C, Ruby, etc) • Keyczar (Python and Java) @jtdowney 17
  5. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Broken random number generators 3. Not using random data when it is required @jtdowney 20
  6. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Broken random number generators 3. Not using random data when it is required @jtdowney 23
  7. Don't add uninitialised data to the random number generator. This

    stop valgrind from giving error messages in unrelated code. (Closes: #363516) @jtdowney 27
  8. /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */

    MD_Update(&m,buf,j); /* We know that line may cause programs such as purify and valgrind to complain about use of uninitialized data. The problem is not, it's with the caller. Removing that line will make sure you get really bad randomness and thereby other problems such as very insecure keys. */ @jtdowney 28
  9. Pitfalls 1. Not using a cryptographically strong random number generator

    2. Broken random number generators 3. Not using random data when it is required @jtdowney 33
  10. Recommendations • Use a cryptographically strong random number generator •

    Unix-like • Read from /dev/urandom • Windows • RandomNumberGenerator in System.Security.Cryptography (.NET) • CryptGenRandom (Windows) @jtdowney 35
  11. mission = """ USCYBERCOM plans, coordinates, integrates, synchronizes and conducts

    activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. """ md5(mission) # => 9EC4C12949A4F31474F299058CE2B22A @jtdowney 43
  12. Message Authentication Code (MAC) tag = MAC(key, value) • Takes:

    • key - shared secret • value - value to protected integrity of • Returns: • tag - value that represents the integrity @jtdowney 47
  13. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1" signature = sha256(secret + value) @jtdowney 49
  14. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1<garbage>actually make that at $0" signature = sha256(secret + value) @jtdowney 50
  15. Length Extension Attacks secret = "my-secret-key" value = "buy 10

    units at $1" signature = hmac_sha256(secret, value) @jtdowney 51
  16. Recommendations • Use SHA-256 (SHA-2 family) • Choose HMAC-SHA-256 if

    you want a signature • Stop using MD5 • Don't use SHA-1 in new projects • Phase it out for uses that require collision resistance @jtdowney 54
  17. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for

    block ciphers 3. Not using authenticated encryption @jtdowney 56
  18. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for

    block ciphers 3. Not using authenticated encryption @jtdowney 60
  19. AES - primitive ciphertext = AES_Encrypt(key, plaintext) plaintext = AES_Decrypt(key,

    ciphertext) • Function over: • key - 128, 192, or 256 bit value • plaintext - 128 bit value • ciphertext - 128 bit value @jtdowney 61
  20. ECB Encrypt while (remaining blocks) { block = ... #

    next 16 byte (128 bit chunk) ouput.append(AES_Encrypt(key, block)) } @jtdowney 62
  21. Pitfalls 1. Using old/weak algorithms 2. Using ECB mode for

    block ciphers 3. Not using authenticated encryption @jtdowney 65
  22. Recommendations • Prefer to use box/secret box from NaCL/libsodium •

    Stop using DES • Stop building your own on top of AES • Stop encrypting without protecting integrity @jtdowney 71
  23. What if you have to use AES • Do not

    use ECB mode • Be sure to use authenticated encryption • GCM mode would be a good first choice • Verify the tag/MAC first • Still easy to mess up in a critical way @jtdowney 72
  24. Pitfalls 1. Not verifying the certificate chain or hostname 2.

    Misconfigured server settings 3. Using a broken library @jtdowney 74
  25. Hostname verification • Check that you got the certificate for

    who you intended to connect to • Hostname verification is protocol dependent • OpenSSL doesn't have it built in @jtdowney 79
  26. Pitfalls 1. Not verifying the certificate chain or hostname 2.

    Misconfigured server settings 3. Using a broken library @jtdowney 80
  27. Pitfalls 1. Not verifying the certificate chain or hostname 2.

    Misconfigured server settings 3. Using a broken library @jtdowney 85
  28. Recommendations • Do ensure you're validating connections • Lean on

    a framework/library if possible • But check that it also does the right thing • Setup and automated test to validate this setting (badssl.com) @jtdowney 88
  29. The authenticity of host 'apollo.local (10.0.2.56)' can't be established. RSA

    key fingerprint is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Are you sure you want to continue connecting (yes/no)? @jtdowney 90
  30. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 04:63:c1:ba:c7:31:04:12:14:ff:b6:c4:32:cf:44:ec. Please contact your system administrator. @jtdowney 91
  31. Recommendations • Think about what organizations you really trust •

    Investigate certificate pinning for your apps @jtdowney 95
  32. Recommendations • Follow the PQCrypto discussion • Stay away from

    PQCrypto until the industry starts to standardize • Hope that researchers are moving fast enough @jtdowney 100
  33. Images • https://flic.kr/p/6eagaw • https://flic.kr/p/4KWhKn • https://flic.kr/p/9F2BCv • https://flic.kr/p/486xYS •

    https://flic.kr/p/7Ffppm • https://flic.kr/p/8TuJD9 • https://flic.kr/p/4iLJZt • https://flic.kr/p/4pGZuz • https://flic.kr/p/48w7wP • https://flic.kr/p/8aZWNE • https://flic.kr/p/5NRHp • https://flic.kr/p/7p7raq • https://flic.kr/p/aZEE1Z • https://flic.kr/p/7WtwAz • https://flic.kr/p/6AN9mM • https://flic.kr/p/6dt62u • https://flic.kr/p/4ZqwyB • https://flic.kr/p/Bqewr • https://flic.kr/p/ecdhVE • https://flic.kr/p/AV1Nd @jtdowney 105