Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crypto defenses & real-world system threats - D...

Crypto defenses & real-world system threats - Duo Security

Kenn White

April 13, 2017
Tweet

More Decks by Kenn White

Other Decks in Technology

Transcript

  1. Focus Legends, myths, and the oral tradition Threats, threat modeling,

    and snake oil Emerging work Parting thoughts
  2. Cognitive Science/Computational Neuroscience ML & signal processing Safety-critical system development

    Mission system ops & network defense Offense Applied crypto engineering Open Crypto Audit Project (opencryptoaudit.org) My weird path
  3. Praetorian Root Cause of Compromise Analysis Vectors commonly used by

    a>ackers to compromise internal networks aAer achieving ini,al access Data set includes 100 separate penetra@on test engagements spanning 75 unique organiza@ons https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve %20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf
  4. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  5. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  6. Network Transport Encryption SSL, TLS, IPsec, ssh Data exposure (confidentiality)

    Network intercept (passive & active) Credential theft (authentication) Identity theft (authorization) Authenticated cipher suites (integrity) Past session decrypt (long-lived key capture) Data-in-Motion compliance
  7. Network Transport Encryption SSL, TLS, IPsec, ssh Data Exposure (confidentiality)

    Network intercept (passive & active) Credential theft (authentication) Identity theft (authorization) Authenticated cipher suites (integrity) Past session decrypt (long-lived key capture) Data-in-Motion Compliance
  8. Real-world Endpoint SSL/TLS §  Apache §  Nginx §  HAProxy § 

    Go §  AWS ELB & CloudFront §  CloudFlare §  CDNs
  9. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA
  10. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA
  11. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA
  12. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  13. CBC is a problem Though maybe not your (biggest) problem

    “We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic” — SWEET32 team
  14. CBC is a problem Though maybe not your (biggest) problem

    “We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic” — SWEET32 team
  15. Getting good data can be hard The report’s most glaring

    flaw is the assertion that the TLS FREAK vulnerability is among the top 10 most exploited on the Internet. No experienced security practitioner believes that FREAK is widely exploited.” — Dan Guido
  16. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  17. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  18. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  19. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  20. TLS 1.3 RFC Draft (v. 19, March 2017) MUST implement

    cipher suite: TLS_AES_128_GCM_SHA256 SHOULD implement cipher suites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 MUST support cer@ficate digital signatures: rsa_pkcs1_sha256 rsa_pss_sha256 ecdsa_secp256r1_sha256 MUST support key exchange with curve: secp256r1 (NIST P-256) SHOULD support key exchange with curve: X25519
  21. TLS 1.3 RFC Draft (v. 19, March 2017) MUST implement

    cipher suite: TLS_AES_128_GCM_SHA256 SHOULD implement cipher suites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 MUST support cer@ficate digital signatures: rsa_pkcs1_sha256 rsa_pss_sha256 ecdsa_secp256r1_sha256 MUST support key exchange with curve: secp256r1 (NIST P-256) SHOULD support key exchange with curve: X25519
  22. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

    associated data (AEAD) mode of opera,on ciphers •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange –  Cer,ficate type –  Symmetric cipher –  Mode of opera,on (if block cipher) –  Message authen,cator construc,on
  23. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

    associated data (AEAD) mode of opera,on ciphers (ChaCha20/Poly1305, AES-GCM…) •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange (e.g. Ephemeral Ellip@c Curve Diffie Hellman) –  Cer,ficate type (e.g., ECDSA or RSA) –  Symmetric cipher (e.g., ChaCha20, AES 128) –  Mode of opera,on (if block cipher, e.g. GCM) –  Message authen,cator construc,on or PRF (e.g., SHA256)
  24. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

    associated data (AEAD) mode of opera,on ciphers •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange –  Cer,ficate type –  Symmetric cipher –  Mode of opera,on (if block cipher) –  Message authen,cator construc,on or PRF Example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  25. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

    associated data (AEAD) mode of opera,on ciphers •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange –  Cer,ficate type –  Symmetric cipher –  Mode of opera,on (if block cipher) –  Message authen,cator construc,on or PRF Example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  26. My (point-in-time) Advice These five cipher suites provide broad support

    for browsers, Android and iOS mobile clients, Windows Server 2008 & 2012, and most web service endpoints: If ECDSA cer@ficates TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (0xcca9) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) If RSA cer@ficates TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (0xcc14) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc029) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  27. VPNs provide: •  A shiAed trust endpoint – from tonys-sketchy-hotspot to,

    say, us-east-1c – from TOTES-LEGIT-FREE-WIFI to, say, duosec-mi- vpn
  28. VPNs may provide: •  Data confiden,ality, via encryp,on – public networks/hotspots

    – cap,ve portals – untrusted/hos,le networks (airports, cafes, hotels)
  29. VPNs do not guarantee: •  Anonymity •  Privacy (Certainly while

    using most browsers on the modern public web)
  30. VPNs do not guarantee: •  Anonymity •  Privacy (Certainly while

    using most browsers on the modern public web)
  31. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  32. Disk/Volume Encryption (dmcrypt, BitLocker, FileVault) Media: Logical loss of control

    –  3rd party action, gov/civil capture, e-Discovery –  Co-tenant sandbox break (/dev/vg/*) –  Multi-tenant media reuse (new VMs on volume) Media: Physical loss of control –  Disk repurpose –  Disk/Server theft –  Server repurpose/retirement Content Repudiation Data-at-Rest Compliance Confidentiality from service provider –  Adversarial admin, incompetence, live VM motion
  33. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  34. Memory Encryption Co-tenant sandbox break (hypervisor host) Cold boot attacks

    Multi-tenant reuse (/dev/[k]mem/*) Live migration snapshots
  35. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  36. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  37. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules
  38. Verification & formal methods - DARPA drone project - Signal

    - Core network stacks - BoringSSL - s2n - CoreCrypto - SChannel
  39. More goodness (lec as an exercise to the reader) iOS

    TLS Inspector tlsinspector.com Crypto Challenges cryptopals.com Nonce Disrespec,ng Adversaries eprint.iacr.org/2016/475.pdf Sco> Helme’s Security Headers securityheaders.io Mozilla TLS Observatory tls-observatory.services.mozilla.com Lucas Garron (Chrome Team) BadSSL.com Thomas Pornin’s BearSSL www.bearssl.org/BearSSL-BSidesEdinburgh2017.pdf George Tankersley’s Go CryptoPasta github.com/gtank/cryptopasta Bad AV www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf Vault www.vaultproject.io
  40. fin

  41. Refs TLS Maturity Model https://blog.qualys.com/ssllabs/2015/06/08/introducing-tls-maturity-model Malver,sing on track for record

    year http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/ A>acks on SSL: A Comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf DARPA Drone Project https://www.wired.com/2016/09/computer-scientists-close-perfect-hack-proof-code/ A Formal Analysis of the Signal Messaging Protocol https://eprint.iacr.org/2016/1013.pdf
  42. Refs The Million Dollar Dissident: NSO Group’s iPhone Zero-Days (deserializa,on)

    https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso- group-uae/ iPhone 6 kernel exploit analysis (deserializa,on) http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability- explained.html Matasano Crypto Challenges https://cryptopals.com/ https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/ Keys Under Doormats (problems with large-scale escrow) https://dspace.mit.edu/handle/1721.1/97690
  43. Refs Weak Diffie-Hellman and the Logjam A>ack https://weakdh.org/ Qualys SSL

    Labs https://www.ssllabs.com/ssltest/ Bulletproof SSL & TLS https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ Mirage TLS Interac,ve Server (pre>y rad) https://tls.openmirage.org/ Adam Langley: Matching primi,ve strengths https://www.imperialviolet.org/2014/05/25/strengthmatching.html
  44. Refs House Oversight final report on OPM breach https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach- How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-

    Generation.pdf NIST 2016 draA guidance on authen,ca,on (depreca,ng arbitrary 90 day password rota,on) https://pages.nist.gov/800-63-3/sp800-63b.html GCHQ (UK Intel) guidance on passwords (depreca,ng arbitrary 90 day password rota,on) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/ 458857/Password_guidance_-_simplifying_your_approach.pdf Peiter (Mudge) & Sarah Zatko’s Cyber UL https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of- programs-and-may-revolutionize-software-in-the-process/