Crypto defenses & real-world system threats - Duo Security

Transcript

1. Crypto Defenses and Real-World System Threats Kenneth White @KennWhite Duo

   Security, April 13, 2017

2. Focus Legends, myths, and the oral tradition Threats, threat modeling,

   and snake oil Emerging work Parting thoughts

3. Cognitive Science/Computational Neuroscience ML & signal processing Safety-critical system development

   Mission system ops & network defense Offense Applied crypto engineering Open Crypto Audit Project (opencryptoaudit.org) My weird path

4. Legends, myths, and the oral tradition

5. We are a misunderstood people

6. None
7. None

8. We are a misunderstood people

9. None
10. None

11. Humans are the hard part

12. None
13. None

14. Not all threats are properly modeled

15. None
16. None

17. Sometimes the product people aren’t helping

18. None
19. None
20. None

21. Good UI is crucial

22. None

23. “Periodic reminder: Insecure software is almost always a management decision.”

    — @halvar6lake
24. None

25. Sometimes we have a failure to communicate

26. None
27. None

28. Things you might not know

29. None
30. None
31. None
32. None

33. What is this “Threat Model” of which you speak?

34. Step 1: Know your adversary

35. None

36. Step 1: Know your adversary

37. None

38. Step 1: Know your adversary

39. None

40. Modeling user behavior is key

41. None

42. Consider the limits of mitigation

43. None
44. None

45. Sometimes the payoff is totally worth the risk

46. Sometimes the payoff is totally worth the risk

47. Know your adversary

48. None

49. Your threat is probably not my threat.

50. None

51. Your threat is probably not my threat.

52. Credit: Geoffrey Moore, Frankie Leon

53. Snake Oil: Beware the naked man offering the shirt off

    his back
54. None

55. Snake Oil: Beware the naked man offering the shirt off

    his back

56. “Battle-tested, military-grade encryption”

57. None
58. None

59. Humans will always game the system

60. Humans will always game the system

61. None
62. None
63. None
64. None
65. None

66. Re-learning History

67. None
68. None
69. None
70. None

71. “All versions of Windows”

72. Re-learning History

73. Re-learning History Deserialization Exploits

74. Java Deserializa,on RCEs are Everywhere https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

75. Java Deserializa,on RCEs are Everywhere https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With- Deserialization-Vulnerabilities.pdf Matthias Kaiser

76. Re-learning History: Deserialization Exploits Java Deserializa,on RCEs are Everywhere

77. None

78. Praetorian Root Cause of Compromise Analysis Vectors commonly used by

    a>ackers to compromise internal networks aAer achieving ini,al access Data set includes 100 separate penetra@on test engagements spanning 75 unique organiza@ons https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve %20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf
79. None

80. I was told there would be crypto.

81. — Maciej Ceglowski, on the Matasano CryptoPals Challenges The crypto

    problem

82. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules

83. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

    Memory Encryption Data-in-Use Encryption Hardware Security Modules

84. Network Transport Encryption SSL, TLS, IPsec, ssh Data exposure (confidentiality)

    Network intercept (passive & active) Credential theft (authentication) Identity theft (authorization) Authenticated cipher suites (integrity) Past session decrypt (long-lived key capture) Data-in-Motion compliance
85. None
86. None
87. None
88. None
89. None

90. Network Transport Encryption SSL, TLS, IPsec, ssh Data Exposure (confidentiality)

    Network intercept (passive & active) Credential theft (authentication) Identity theft (authorization) Authenticated cipher suites (integrity) Past session decrypt (long-lived key capture) Data-in-Motion Compliance

91. The Problem with Unauthenticated Block Modes

92. The Problem with Unauthenticated Block Modes “Our new blinky box

    is awesome! It has AES 256!”

93. The Problem with Unauthenticated Block Modes “My new vehicle is

    awesome! It has a V6!”

94. The Problem with Unauthenticated Block Modes

95. The Problem with Unauthenticated Block Modes

96. Real-world Endpoint SSL/TLS

97. Real-world Endpoint SSL/TLS §  Apache §  Nginx §  HAProxy § 

    Go §  AWS ELB & CloudFront §  CloudFlare §  CDNs

98. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA

99. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA

100. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

     TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA

101. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

     TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

102. CBC is a problem

103. CBC is a problem

104. CBC is a problem

105. CBC is a problem

106. CBC is a problem

107. CBC is a problem Though maybe not your (biggest) problem

108. CBC is a problem Though maybe not your (biggest) problem

     “We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic” — SWEET32 team

109. CBC is a problem Though maybe not your (biggest) problem

     “We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic” — SWEET32 team

110. Getting good data can be hard

111. Getting good data can be hard The report’s most glaring

     flaw is the assertion that the TLS FREAK vulnerability is among the top 10 most exploited on the Internet. No experienced security practitioner believes that FREAK is widely exploited.” — Dan Guido

112. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

     TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

113. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

     TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

114. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

     TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

115. Real-world Endpoint SSL/TLS PROTOCOL SSL v1 SSL v2 SSL v3

     TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH/E MAC MD5 SHA-1 SHA-256 SHA-384 Poly1305 MODE ECB CBC GCM OCB CERT ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

116. TLS 1.3 RFC Draft (v. 19, March 2017)

117. TLS 1.3 RFC Draft (v. 19, March 2017) MUST implement

     cipher suite: TLS_AES_128_GCM_SHA256 SHOULD implement cipher suites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 MUST support cer@ficate digital signatures: rsa_pkcs1_sha256 rsa_pss_sha256 ecdsa_secp256r1_sha256 MUST support key exchange with curve: secp256r1 (NIST P-256) SHOULD support key exchange with curve: X25519

118. TLS 1.3 RFC Draft (v. 19, March 2017) MUST implement

     cipher suite: TLS_AES_128_GCM_SHA256 SHOULD implement cipher suites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 MUST support cer@ficate digital signatures: rsa_pkcs1_sha256 rsa_pss_sha256 ecdsa_secp256r1_sha256 MUST support key exchange with curve: secp256r1 (NIST P-256) SHOULD support key exchange with curve: X25519

119. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

     associated data (AEAD) mode of opera,on ciphers •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange –  Cer,ficate type –  Symmetric cipher –  Mode of opera,on (if block cipher) –  Message authen,cator construc,on

120. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

     associated data (AEAD) mode of opera,on ciphers (ChaCha20/Poly1305, AES-GCM…) •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange (e.g. Ephemeral Ellip@c Curve Diffie Hellman) –  Cer,ficate type (e.g., ECDSA or RSA) –  Symmetric cipher (e.g., ChaCha20, AES 128) –  Mode of opera,on (if block cipher, e.g. GCM) –  Message authen,cator construc,on or PRF (e.g., SHA256)

121. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

     associated data (AEAD) mode of opera,on ciphers •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange –  Cer,ficate type –  Symmetric cipher –  Mode of opera,on (if block cipher) –  Message authen,cator construc,on or PRF Example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

122. My (point-in-time) Advice •  Prefer forward secret authen,cated encryp,on with

     associated data (AEAD) mode of opera,on ciphers •  If possible, explicitly declare server cipher suites (vs. wildcards): –  Key exchange –  Cer,ficate type –  Symmetric cipher –  Mode of opera,on (if block cipher) –  Message authen,cator construc,on or PRF Example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

123. My (point-in-time) Advice These five cipher suites provide broad support

     for browsers, Android and iOS mobile clients, Windows Server 2008 & 2012, and most web service endpoints: If ECDSA cer@ficates TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (0xcca9) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) If RSA cer@ficates TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (0xcc14) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc029) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

124. TL;DR: h_ps://mozilla.github.io/server-side-tls/ssl-config-generator/

125. And now, a brief rant about VPN services.

126. VPNs provide: •  A shiAed trust endpoint – from tonys-sketchy-hotspot to,

     say, us-east-1c – from TOTES-LEGIT-FREE-WIFI to, say, duosec-mi- vpn

127. VPNs may provide: •  Data confiden,ality, via encryp,on – public networks/hotspots

     – cap,ve portals – untrusted/hos,le networks (airports, cafes, hotels)

128. VPNs do not guarantee: •  Anonymity •  Privacy (Certainly while

     using most browsers on the modern public web)

129. VPNs do not guarantee: •  Anonymity •  Privacy (Certainly while

     using most browsers on the modern public web)

130. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

     Memory Encryption Data-in-Use Encryption Hardware Security Modules

131. Disk/Volume Encryption (dmcrypt, BitLocker, FileVault) Media: Logical loss of control

     –  3rd party action, gov/civil capture, e-Discovery –  Co-tenant sandbox break (/dev/vg/*) –  Multi-tenant media reuse (new VMs on volume) Media: Physical loss of control –  Disk repurpose –  Disk/Server theft –  Server repurpose/retirement Content Repudiation Data-at-Rest Compliance Confidentiality from service provider –  Adversarial admin, incompetence, live VM motion

132. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

     Memory Encryption Data-in-Use Encryption Hardware Security Modules

133. Memory Encryption Co-tenant sandbox break (hypervisor host) Cold boot attacks

     Multi-tenant reuse (/dev/[k]mem/*) Live migration snapshots

134. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

     Memory Encryption Data-in-Use Encryption Hardware Security Modules

135. Data-in-Use Encryption (TDE, FPE, PPE) Local filesystem attack Blackbox custodian

     Rogue (weak) admin

136. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

     Memory Encryption Data-in-Use Encryption Hardware Security Modules

137. Hardware Security Modules Key theft Signature manipulation Token generation Key

     tampering

138. (Some) Crypto Defenses Network Transport Encryption Disk/Volume Encryption File Encryption

     Memory Encryption Data-in-Use Encryption Hardware Security Modules

139. Putting it all together

140. None
141. None
142. None

143. Then things got weird

144. None
145. None

146. Emerging Work

147. Verification & formal methods

148. None

149. Verification & formal methods

150. Verification & formal methods - DARPA drone project

151. Verification & formal methods - DARPA drone project - Signal

152. Verification & formal methods - DARPA drone project - Signal

     - Core network stacks - BoringSSL - s2n - CoreCrypto - SChannel

153. CyberUL Project - Peiter (Mudge) & Sarah Zatko

154. More goodness (lec as an exercise to the reader) iOS

     TLS Inspector tlsinspector.com Crypto Challenges cryptopals.com Nonce Disrespec,ng Adversaries eprint.iacr.org/2016/475.pdf Sco> Helme’s Security Headers securityheaders.io Mozilla TLS Observatory tls-observatory.services.mozilla.com Lucas Garron (Chrome Team) BadSSL.com Thomas Pornin’s BearSSL www.bearssl.org/BearSSL-BSidesEdinburgh2017.pdf George Tankersley’s Go CryptoPasta github.com/gtank/cryptopasta Bad AV www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf Vault www.vaultproject.io

155. Some Parting Thoughts

156. Revisiting First Principles

157. Revisiting First Principles Security hygiene Trusted supply chain Root of

     trust Trust Signals

158. Revisiting First Principles Security hygiene Trusted supply chain Root of

     trust Trust Signals
159. None
160. None
161. None

162. Humans will always game the system

163. None

164. This stuff is hard

165. None
166. None
167. None

168. I don’t care what anything was designed to do. I

     care about what it can do.

169. I don’t care what anything was designed to do. I

     care about what it can do.
170. None

171. fin

172. Ques,ons? Twi>er: @kennwhite OCAP: opencryptoaudit.org/people

173. Refs TLS Maturity Model https://blog.qualys.com/ssllabs/2015/06/08/introducing-tls-maturity-model Malver,sing on track for record

     year http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/ A>acks on SSL: A Comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf DARPA Drone Project https://www.wired.com/2016/09/computer-scientists-close-perfect-hack-proof-code/ A Formal Analysis of the Signal Messaging Protocol https://eprint.iacr.org/2016/1013.pdf

174. Refs The Million Dollar Dissident: NSO Group’s iPhone Zero-Days (deserializa,on)

     https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso- group-uae/ iPhone 6 kernel exploit analysis (deserializa,on) http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability- explained.html Matasano Crypto Challenges https://cryptopals.com/ https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/ Keys Under Doormats (problems with large-scale escrow) https://dspace.mit.edu/handle/1721.1/97690

175. Refs Weak Diffie-Hellman and the Logjam A>ack https://weakdh.org/ Qualys SSL

     Labs https://www.ssllabs.com/ssltest/ Bulletproof SSL & TLS https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ Mirage TLS Interac,ve Server (pre>y rad) https://tls.openmirage.org/ Adam Langley: Matching primi,ve strengths https://www.imperialviolet.org/2014/05/25/strengthmatching.html

176. Refs House Oversight final report on OPM breach https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach- How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-

     Generation.pdf NIST 2016 draA guidance on authen,ca,on (depreca,ng arbitrary 90 day password rota,on) https://pages.nist.gov/800-63-3/sp800-63b.html GCHQ (UK Intel) guidance on passwords (depreca,ng arbitrary 90 day password rota,on) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/ 458857/Password_guidance_-_simplifying_your_approach.pdf Peiter (Mudge) & Sarah Zatko’s Cyber UL https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of- programs-and-may-revolutionize-software-in-the-process/