herein is subject to change without notice.
Crypto manifesto 2015
Alvaro Munoz, Principal Security Researcher
Yekaterina O’Neil, Principal Security Researcher
#HPProtect
A few terms
• Entropy
• Pseudo-random number generator (PRNG)
• Hash function
• Password-based key derivation function (PBKDF)
• Asymmetric encryption
• Symmetric encryption
• Password-based encryption (PBE)
• Mode of operation
• Padding
• Digital signature
• Protocol
• Ciphersuite
Attacks on SSL (timeline, 2011–2015)
• September 2011: BEAST
• September 2012: CRIME
• August 2013: BREACH
• April 2014: Heartbleed
• September 2014: POODLE
• March 2015: FREAK
• May 2015: Logjam
Common themes
• Attacks on SSL and TLS
• Require a man-in-the-middle position
• Exploit protocols that use cryptography known to be broken for many years
  – Export ciphers
  – RC4 stream cipher
  – Block ciphers in CBC mode
• Exploit protocols’ backwards compatibility with broken versions, kept for interoperability with legacy systems
• Result in the ability to extract plaintext from encrypted sessions
POODLE
• POODLE = Padding Oracle On Downgraded Legacy Encryption
• CVE-2014-3566
• September 2014
• SSL 3.0 uses:
  – the RC4 stream cipher, or a block cipher in
  – CBC mode with
  – non-deterministic padding that is
  – not covered by the Message Authentication Code (MAC) → the integrity of the padding cannot be fully verified at decryption
• Allows an attacker to steal “secure” HTTP cookies or HTTP Authorization header contents using BEAST techniques
• On average, requires 256 SSL 3.0 requests to reveal one byte of the encrypted message
Padding Oracle attack in action (attacker ↔ server)
• The server decrypts each CBC block as P_i = D(C_i) ⊕ C_{i-1}.
• The last ciphertext block C_n decrypts to a block that is all padding: xxxxxxxxxxxxxxxx15 (fifteen arbitrary padding bytes followed by the length byte 15).
• Goal: learn P_i[15], the last byte of plaintext block i.
• The attacker replaces C_n with C_i and sends the record.
• Fail? Yes: the server rejects the padding; retry with a fresh request.
• Fail? No: the server accepted the record, so D(C_i)[15] ⊕ C_{n-1}[15] = 15, and therefore
  P_i[15] = D(C_i)[15] ⊕ C_{i-1}[15] = 15 ⊕ C_{n-1}[15] ⊕ C_{i-1}[15]
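The two checks below are an added illustration, not code from the deck or from any SSL/TLS implementation. They model the receiver-side padding check for a record whose final block is entirely padding (the layout the diagram uses): under the SSL 3.0 rule only the length byte is inspected, so a random block is accepted with probability 1/256, while the TLS 1.0+ rule also requires every padding byte to equal the length, which closes the oracle. The simulation of "random" decrypted blocks with os-level randomness is a constructed stand-in for what an attacker-moved block decrypts to.

```python
import secrets

BLOCK = 16

def ssl3_accepts(last_block: bytes, pad_len: int = BLOCK - 1) -> bool:
    # SSL 3.0: the record is accepted when the length byte matches the
    # expected padding length (only then does the MAC line up and verify).
    # The other padding bytes are never inspected and are not under the MAC,
    # so a random block passes with probability 1/256.
    return last_block[-1] == pad_len

def tls_accepts(last_block: bytes, pad_len: int = BLOCK - 1) -> bool:
    # TLS 1.0+: the length byte must match AND every padding byte must equal
    # the length byte, so a random block essentially never passes.
    if last_block[-1] != pad_len:
        return False
    return all(b == pad_len for b in last_block[-(pad_len + 1):])

def acceptance_rate(check, trials: int = 20000) -> float:
    # Simulate the oracle: feed each policy `trials` random 16-byte blocks
    # (constructed stand-ins for the decryption of a moved block) and
    # report the fraction accepted.
    hits = sum(1 for _ in range(trials) if check(secrets.token_bytes(BLOCK)))
    return hits / trials

if __name__ == "__main__":
    slide_block = b"x" * 15 + bytes([15])      # the block from the diagram
    print("SSL3 accepts slide block:", ssl3_accepts(slide_block))   # True
    print("TLS accepts slide block:", tls_accepts(slide_block))     # False
    print("SSL3 acceptance rate ~1/256:", acceptance_rate(ssl3_accepts))
    print("TLS acceptance rate:", acceptance_rate(tls_accepts))     # 0.0
```

The 1/256 rate is exactly the "256 requests per byte" figure on the previous slide; the TLS rule turns the same malformed record into a deterministic failure, which is why the fix for POODLE is to refuse SSL 3.0 rather than to patch its padding.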
Standards
• Elaine Barker and Allen Roginsky. “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths”. NIST Special Publication 800-131A, 2011. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
• Payment Card Industry (PCI) Data Security Standard (DSS). “Requirements and Security Assessment Procedures”. Version 3.0, November 2013. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• Payment Card Industry (PCI) Data Security Standard (DSS). “Requirements and Security Assessment Procedures”. Version 3.1, April 2015. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
Categories of flaws related to:
• Seeds and entropy sources
• Password management and key derivation functions
• Cryptographic hashes and password-based encryption
• Digital signatures
• Encryption
• Key management
[Figure, two slides: a CSPRNG and a PRNG are each seeded with 123456 and their output bit strings are shown. Across the two slides the PRNG emits the identical bit string both times, while the CSPRNG’s bit string changes: the PRNG output is fully determined by its seed.]
Example: Weak entropy source
• CWE-332: Insufficient Entropy in PRNG
• A PRNG is only as strong as its entropy source
• Low entropy means the seed is predictable
• If the seed is predictable, the PRNG’s internal state is predictable too, and so is the generated sequence
• Weak entropy sources:
  – Non-hardware sources of randomness
    • System clock
    • System/input/output buffers
    • User/system/hardware/network serial numbers or addresses, and timing
    • User-controlled input
    • PIDs
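The following is an added example (not from the deck) that makes the "predictable seed ⇒ predictable sequence" point concrete with the Python standard library: a token drawn from `random.Random` seeded with the clock can be reproduced by anyone who knows roughly when it was issued, whereas a token from the `secrets` module (which reads the OS CSPRNG) cannot. The `recover_seed` audit helper and the 60-second search window are assumptions chosen for the demonstration.

```python
import random
import secrets
import time
from typing import Optional, Tuple

TOKEN_BYTES = 16

def token_from_prng(seed: int) -> str:
    # Insecure pattern (CWE-332): a general-purpose PRNG seeded from a
    # low-entropy source such as the system clock. The same seed always
    # yields the same token, as the PRNG side of the figure shows.
    rng = random.Random(seed)
    return rng.getrandbits(8 * TOKEN_BYTES).to_bytes(TOKEN_BYTES, "big").hex()

def token_from_csprng() -> str:
    # The secrets module reads the OS CSPRNG; there is no seed to recover.
    return secrets.token_hex(TOKEN_BYTES)

def recover_seed(token: str, approx_issue_time: int, window: int = 60) -> Optional[int]:
    # Audit check: try to reproduce a token from every seed within `window`
    # seconds of its issue time. A hit proves the entropy source was the clock.
    for candidate in range(approx_issue_time - window, approx_issue_time + window + 1):
        if token_from_prng(candidate) == token:
            return candidate
    return None

def demo() -> Tuple[Optional[int], Optional[int]]:
    # Returns (seed recovered for the clock-seeded token, result for the CSPRNG token).
    issued_at = int(time.time())
    weak = token_from_prng(issued_at)       # seeded from the clock
    strong = token_from_csprng()
    guess = issued_at + 7                   # auditor only knows the time roughly
    return recover_seed(weak, guess), recover_seed(strong, guess)

if __name__ == "__main__":
    print(demo())   # (<the issue timestamp>, None)
```

The same search would work for any other low-entropy seed on the slide (PID, serial number, buffer contents): what matters is the size of the space the seed was drawn from, not the quality of the PRNG algorithm behind it.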
Categories of flaws related to:
• Seeds and entropy sources
• Password management and key derivation functions
  – Password Management: Lack of Key Derivation Function
• Cryptographic hashes and password-based encryption
• Digital signatures
• Encryption
• Key management
Example: Insecure PBE count
• CWE-916: Use of Password Hash With Insufficient Computational Effort
• Again: a system is as strong as its weakest link
• Weakest links:
  – Hardcoded salt
  – Salt that is not unique per user
  – Predictable salt
  – Low iteration count
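As an added example (not code from the deck), here is PBKDF2-HMAC-SHA256 password storage with the Python standard library, plus an audit routine that flags the weakest links listed above: a salt shared across records (hardcoded or not unique per user) and an iteration count below a floor. The record format `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration default (OWASP’s 2023 recommendation for PBKDF2-HMAC-SHA256) and the 100,000 audit floor are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000       # assumption: OWASP (2023) figure; raise as hardware gets faster
MIN_ITERATIONS = 100_000   # assumption: audit floor below which a record is flagged
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    # A fresh random salt per user is the default; passing `salt` explicitly
    # reproduces the hardcoded-salt mistake so the audit below can catch it.
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    # Constant-time comparison so verification timing does not leak the hash.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def audit_records(records: List[str]) -> List[str]:
    # Flags two of the slide's weakest links: a salt reused across users
    # (hardcoded / non-unique) and an iteration count below the floor.
    findings: List[str] = []
    seen_salts: Dict[str, int] = {}
    for idx, rec in enumerate(records):
        _, iters, salt_hex, _ = rec.split("$")
        if int(iters) < MIN_ITERATIONS:
            findings.append(f"record {idx}: iteration count {iters} below {MIN_ITERATIONS}")
        if salt_hex in seen_salts:
            findings.append(f"record {idx}: salt reused from record {seen_salts[salt_hex]}")
        else:
            seen_salts[salt_hex] = idx
    return findings

if __name__ == "__main__":
    fixed_salt = bytes(SALT_BYTES)           # the hardcoded-salt mistake
    weak_db = [hash_password("hunter2", iterations=1_000, salt=fixed_salt),
               hash_password("hunter2", iterations=1_000, salt=fixed_salt)]
    print("identical hashes for identical passwords:", weak_db[0] == weak_db[1])  # True
    for finding in audit_records(weak_db):
        print(finding)
    print("clean record audits clean:", audit_records([hash_password("hunter2")]) == [])
```

With the fixed salt, two users with the same password get byte-for-byte identical records, which is visible to anyone who reads the table; a per-user random salt removes that and forces an attacker to pay the full iteration cost once per user rather than once per password.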
Example: Missing required step
• CWE-325: Missing Required Cryptographic Step
• Signing and encryption processes are implemented as a sequence of steps in certain libraries
• Missing required steps can compromise your crypto
• Use libraries that abstract developers from algorithm details and internal steps
• Crypto should be straightforward for developers
Example: Insecure initialization vector
• CWE-329: Not Using a Random IV with CBC Mode
• The IV is not secret; it is sent with the ciphertext
• IVs should be random
• IVs should not be reused
• IVs should not be controlled by the user
• Insecure IVs:
  – IV = key
  – All zeros
  – Anything hardcoded
  – Default values when the initialization step is not performed
    • E.g. the PyCrypto API does not require an IV, and if none is passed it defaults to 0:
      def AES(key, mode, IV=0)
  – User-controlled values
IV = Key
CBC decryption computes p[i] = D(k, c[i]) ⊕ c[i-1], with c[-1] = IV. When IV = Key:
  p[0] = D(k, c[0]) ⊕ k
  p[1] = D(k, c[1]) ⊕ c[0]
  p[2] = D(k, c[2]) ⊕ c[1]
Now decrypt the modified ciphertext c[0] ‖ 0 ‖ c[0] (the original first block, an all-zero block, the original first block again):
  p’[0] = D(k, c[0]) ⊕ k
  p’[1] = D(k, 0) ⊕ c[0]
  p’[2] = D(k, c[0]) ⊕ 0
To recover the key, just XOR the first and third decrypted blocks:
  p’[0] ⊕ p’[2] = D(k, c[0]) ⊕ k ⊕ D(k, c[0]) ⊕ 0 = k
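The block below is an added example, not code from the deck, covering this slide and the previous one: it runs the IV = Key derivation end to end and pairs it with the IV policy check a reviewer would want. Because the verifier has no AES library, it uses a constructed toy 16-byte block cipher (XOR with the key, an affine byte substitution, a byte rotation); it is not secure and is only there so that D(k, ·) exists. The derivation depends only on the CBC structure, so the result is the same with AES. The function names and the `iv_is_acceptable` policy are assumptions.

```python
from typing import Set

BLOCK = 16

# --- constructed toy block cipher: NOT secure, present only to give CBC a D(k, .) ---
SBOX = [(x * 167 + 91) % 256 for x in range(256)]   # odd multiplier -> a permutation of 0..255
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(k: bytes, m: bytes) -> bytes:
    x = bytes(SBOX[b] for b in xor_bytes(m, k))
    return x[1:] + x[:1]                       # rotate left one byte

def toy_decrypt_block(k: bytes, c: bytes) -> bytes:
    x = c[-1:] + c[:-1]                        # rotate right one byte
    return xor_bytes(bytes(INV_SBOX[b] for b in x), k)

# --- CBC mode over the toy cipher (inputs must be whole blocks; no padding here) ---
def cbc_encrypt(k: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(k, xor_bytes(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(k: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += xor_bytes(toy_decrypt_block(k, blk), prev)   # p[i] = D(k, c[i]) ^ c[i-1]
        prev = blk
    return out

def key_leaked_by_iv_equals_key(k: bytes, ct: bytes) -> bytes:
    # The slide's derivation. The victim decrypts c[0] || 0 || c[0] with IV = key:
    #   p'[0] = D(k, c[0]) ^ k,  p'[2] = D(k, c[0]) ^ 0,  so p'[0] ^ p'[2] = k.
    # `k` is passed only to simulate the victim's decryptor; the caller of that
    # decryptor learns the key from plaintext alone.
    c0 = ct[:BLOCK]
    probe = c0 + bytes(BLOCK) + c0
    p = cbc_decrypt(k, k, probe)               # IV = key, the mistake under review
    return xor_bytes(p[:BLOCK], p[2 * BLOCK:3 * BLOCK])

def iv_is_acceptable(iv: bytes, key: bytes, seen_ivs: Set[bytes]) -> bool:
    # Policy check for the insecure IVs on the previous slide that can be
    # tested by value: equal to the key, all zeros, or already used once.
    # (Hardcoded and user-supplied IVs must be caught in code review instead.)
    return len(iv) == BLOCK and iv != key and iv != bytes(BLOCK) and iv not in seen_ivs

if __name__ == "__main__":
    key = bytes(range(16))
    ct = cbc_encrypt(key, key, b"attack at dawn, attack at dawn!!")   # 32 bytes, IV = key
    print("recovered == key:", key_leaked_by_iv_equals_key(key, ct) == key)   # True
    print("IV = key accepted:", iv_is_acceptable(key, key, set()))            # False
```

Nothing in `key_leaked_by_iv_equals_key` touches the cipher internals; it only XORs two plaintext blocks, which is why the defence is a policy (never derive the IV from the key) rather than a stronger cipher.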
Example: Insecure mode of operation
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm
• Modes of operation:
  – ECB
    • Yep, you can see penguins in ECB mode, but there is much more to it than that
    • Byte-at-a-time ECB decryption
    • Cut-and-paste attack
  – CTR (stream mode)
    • Stream ciphers are OK for communication, but not good for storage. If you use the same section of keystream twice, you have 0 security. As long as there is a fresh IV and you’re not reading/writing to/from the same file, you’re OK.
  – CBC
    • Bit-flipping attacks
    • Padding oracles
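An added example (not from the deck) of two checks that follow directly from the ECB and CTR bullets: a detector that flags ciphertext containing a repeated block, which a randomised mode essentially never produces but ECB produces whenever a plaintext block repeats, and a demonstration of the storage failure the CTR bullet describes, where a file re-encrypted in place under the same keystream lets its old contents reveal the new ones. The sample plaintexts and the keystream are constructed inline; the function names are assumptions.

```python
import os
from typing import Tuple

BLOCK = 16

def looks_like_ecb(ciphertext: bytes, block: int = BLOCK) -> bool:
    # Under ECB, equal plaintext blocks give equal ciphertext blocks (the
    # "penguin"). In CBC/CTR with fresh IVs a repeated 16-byte block is a
    # 2^-128 event, so one repeat is a strong signal that ECB is in use.
    blocks = [ciphertext[i:i + block] for i in range(0, len(ciphertext) - block + 1, block)]
    return len(blocks) != len(set(blocks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    # Two CTR (or any stream-cipher) ciphertexts made with the same key and
    # IV share their keystream, so ct1 ^ ct2 == pt1 ^ pt2: the keystream
    # cancels and neither plaintext is protected from the other.
    return xor_bytes(ct1, ct2)

def recover_rewritten_file(old_plaintext: bytes, old_ct: bytes, new_ct: bytes) -> bytes:
    # The slide's storage case: a file rewritten in place with the same
    # key/IV. Whoever kept a copy of the old plaintext reads the new one.
    return xor_bytes(keystream_reuse_leak(old_ct, new_ct), old_plaintext)

def demo() -> Tuple[bool, bool, bool]:
    # Constructed sample data.
    repeated = os.urandom(BLOCK)
    ecb_like = repeated + os.urandom(BLOCK) + repeated      # a plaintext block occurred twice
    randomized_mode = os.urandom(3 * BLOCK)                 # what CBC/CTR output looks like
    keystream = os.urandom(32)                              # reused across two writes (the bug)
    old = b"balance=00100.00;owner=alice    "
    new = b"balance=99999.99;owner=alice    "
    old_ct = xor_bytes(keystream, old)
    new_ct = xor_bytes(keystream, new)
    return (looks_like_ecb(ecb_like),
            looks_like_ecb(randomized_mode),
            recover_rewritten_file(old, old_ct, new_ct) == new)

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The ECB detector is cheap enough to run as a unit test over every ciphertext a service emits; the keystream check is the reason a CTR IV must be tied to the write, not to the key or the file.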
Some concluding thoughts
• Trusting “lower layers” to “do the right thing” is not always a valid assumption
• What are possible approaches to dealing with such risk?
• Open-source vs. proprietary crypto