Using Cryptography Wrongly Can Lead to Security Failures
•
3 recomendaciones•2,856 vistas
This document discusses misusing cryptography. It begins with an agenda covering why cryptography is misused and how random number generators and crypto algorithms can be misused. It then discusses examples of what can go wrong, such as a game developer unintentionally allowing hackers to easily determine the secret code protecting scores. The document emphasizes that cryptography is complex and should not be casually misused, as failures can result in compromises like hacked systems and lost jobs. It provides recommendations for proper cryptographic practices.
Recomendados
Más contenido relacionado
Similar a Using Cryptography Wrongly Can Lead to Security Failures
Similar a Using Cryptography Wrongly Can Lead to Security Failures (20)
Más de Ynon Perek
Más de Ynon Perek (20)
Último
Último (20)
Using Cryptography Wrongly Can Lead to Security Failures
- 1. (Mis)using Cryptography ! Slides by: Ynon Perek http://ynonperek.com ynon@ynonperek.com
- 3. What can go wrong ?
- 4. What can go wrong ? n n (2011) A small internet company writes a facebook game for Bezeq - winner gets an iPad Developer had a problem
- 5. What can go wrong ? n After the game ends, he wanted to send the score back to the server 0000000: 4e7a 1400 0000 0100 1212 33F1 5b62 4b5f Nz.......q.3[bK_" 0000010: 16ea 0b5c ff7b b6d4 7c78 f2f4 7a70 00ce ....{..|x..zp.." 0000020: c700 7cd1 93e3 8b44 e31a 32 ..|....D..2" score
- 6. What Would You Do ?
- 7. Who Are You Afraid Of ?
- 8. What can go wrong ? n To protect score from tampering, the developer added a secret code that only he knew how to calculate after the score 0000000: 4e7a 1400 0000 0100 1212 33F1 5b62 4b5f Nz.......q.3[bK_" 0000010: 16ea 0b5c ff7b b6d4 7c78 f2f4 7a70 00ce ....{..|x..zp.." 0000020: c700 7cd1 93e3 8b44 e31a 32 ..|....D..2" Secret Code
- 9. What can go wrong ? n n The code is different to every score To change score, a hacker would need to understand how to calculate the code
- 10. What can go wrong ? n n Hackers easily found the rules for calculating auth code Game broken. Developer unemployed
- 11. Why You Should Care n Cryptography isn’t magic n Misuse leads to failure
- 12. The Problem SSH / SSL / TLS Stream Cipher MD5 GCM ECB Mode Block Cipher RC4 RNG DH SHA1 / SHA2 / SHA3 Digital Signature Rainbow Tables RSA
- 13. The Problem n It’s Complicated n Too busy to read spec
- 14. Misusing Crypto Algorithms Rolling Your Own Using The Wrong Algorithm Encryption Tamper Proofing Future Proofing
- 15. Home Grown Crypto n n n Crypto primitives are tested by experts Don’t grow your own Only use primitives you fully understand
- 16. What We Need n Fingerprint n Symmetric Encryption n Tamper Proofing
- 17. Fingerprinting n A fingerprint is something storable that represents something big
- 18. Fingerprinting n n Digital fingerprint is kept using a Hash function H(data) = unique fingerprint Occaecat nulla retro, before they sold out swag nesciunt in ut sriracha jean shorts commodo aliqua velit id fugiat. Tofu plaid Pinterest, eiusmod aesthetic selvage semiotics dreamcatcher aliquip locavore farm-to-table meggings master cleanse odio Bushwick. Biodiesel Williamsburg yr direct trade, pickled dreamcatcher ethnic keffiyeh. Cliche Brooklyn nihil commodo helvetica dolor. Church-key fanny pack hashtag VHS. Ullamco consequat nostrud incididunt typewriter asymmetrical. Retro aute four loko pickled tattooed Neutra. H(...) 46a03c37c1d9b9a79a192aa84e3b9475
- 19. Fingerprint n A Collision is an event of two different data having the same finger print
- 20. Fingerprint Risks n Server indexes data by fingerprint n Adversary creates collisions to break the server
- 22. Hash Functions n Use SHA-3 to prevent collisions n SHA-2 is also safe
- 23. Hash Functions n Avoid using for fingerprints: n n n MD4, MD5, CRC MD5 Collisions: http://www.win.tue.nl/hashclash/rogue-ca/ Rethink SHA-1 Practical attacks expected ~2018
- 24. Quiz n What’s the difference between a Hash and a password verifier ?
- 25. Q&A Fingerprints
- 26. Encryption n Use When: n n Privileged parties need to read the data Adversaries must not understand anything about it
- 27. Encryption n Attack Types: n Cipher-text only n Known plaintext n Chosen plaintext n Chosen cipher-text
- 28. Encryption n Available Tools: n Stream Ciphers (RC4, Salsa20) n Block Ciphers (DES, AES, RC5, Blowfish)
- 29. Stream Cipher Cipher Seed Key Stream XOR Message Stream Cipher Stream
- 30. Bad Ciphers n Cipher(K, M1) = C1 n Cipher(K, M2) = C2 n K ^ M1 = C1 n K ^ M2 = C2 n K
- 31. Key Reuse Demo n Don’t re-use the key for different messages ! use use use use use my my my write_file write_file write_file
- 32. Quiz: Spot the bug public { paramArrayOfByte1 paramArrayOfByte2 ! ! } this this this this this paramArrayOfByte2 this this this this this
- 33. Quiz n n Diagram describes WEP encryption IV is 24bit, and unique per packet n Packet size = 1500 bytes n Where’s the bug ?
- 34. RC4 Cipher n Other issues n n n Key Scheduling (WEP) Cipher-text malleability Bottom line: Don’t run with scissors ( www.youtube.com/watch?v=A6CP7wRLE3E
- 35. Salsa20 Cipher n Considered safe n Keep key a secret n Send IVs as plain-text n Demo: salsa20.rb
- 36. Quiz n n n Big company with millions of subscribers need to issue a unique key to each Keeping all the keys in the DB would take too much storage What would you suggest ?
- 37. Quiz n What’s an IV ? n What do you do with it ?
- 38. Block Ciphers ! ! ! n Encrypt block to another block n Recommended cipher: AES
- 40. ECB Mode
- 41. Avoid ECB Mode Cleartext ECB Mode
- 42. CBC Mode
- 43. CBC Problems
- 44. Padding Oracle n Conditions for the attack: n valid padding + valid value = Success message n valid padding + invalid value = Error message n invalid padding + valid value = Exception
- 45. In The Wild n (CVE-2010-3332) Microsoft .NET Framework … provides detailed error codes during decryption attempts
- 46. Avoid CBC Mode n n n CBC Mode does not authenticate ciphertext Risk: Padding Oracles Read More: http:// blog.gdssecurity.com/ labs/2010/9/14/ automated-paddingoracle-attacks-withpadbuster.html
- 47. Symmetric Encryption n Use AES in GCM mode n Implemented in OpenSSL >= 1 n With random IV n And key taken from a PBKDF2
- 48. Demo: Ruby GCM require # currently, AES-256-GCM or AES-256-CTR-HMAC-SHA-256 mode = key = mode. nonce = mode. cipher = mode. ! aead = cipher. # aead[1] = 'f' plaintext = cipher. puts
- 50. Quiz n Why is it considered harmful to decrypt a message from an external source ?
- 51. Quiz n What’s a nonce ? n What is its role in the encryption process ?
- 53. Tamper Proofing Server Please keep this data and don’t change it Client
- 54. Tamper Proofing n Use a special hash function (called HMAC) n Protects against changing message AND hash
- 55. Tamper Proofing OpenSSL command line to generate HMAC (one line) n echo ! openssl dgst
- 56. Bad Cryptography n What’s the difference between: n n echo -hmac echo
- 58. Tamper Proofing FAIL n Flickr API (2009) http://www.flickr.com/services/ auth/? ! api_key=44fefa051fc1c61f5e76f27 e620f51d5& ! extra=/login& ! perms=write& ! api_sig=38d39516d896f879d403bd3 27a932d9e
- 59. Demo: Hash Extension n n n Calculate: original_md5 = MD5(secret + message) Create a new message: newmessage = message + new_text Create a new MD5 based on original_md5 AND newmessage (without using secret)
- 60. Bug Spotting n The following are considered weak and should be avoided: n RC4 n MD4, MD5 n DES, 3DES (or TripleDES) n ECB (For any block cipher)
- 61. Bad Crypto n (2008) Fake X.509 due to MD5 collisions n MD5 Considered harmful today
- 62. Bad Crypto
- 63. Bad Crypto n (2009) Adobe upgrades from MD5 to SHA-256 n Accidentally removing the KDF
- 64. Bad Crypto n n n (2011) Breaking XML Encryption CBC + Wrong padding + Server leaking info Result: Hacked
- 65. Quiz n Which hash function is not vulnerable to length extension attack ?
- 67. Random Numbers
- 68. Real RNG n True randomness n Expensive and slow
- 70. Pseudo RNG n Start with an initial seed n Generate random numbers
- 71. Pseudo RNG n Given a sequence, can you find the seed ? n PRNG -> it depends n CSRNG -> you can’t
- 72. RNG n Use CSPRNG for n Use PRNG for n Demo Cracking Python RNG: https://github.com/fx5/not_random
- 74. Other Languages n Java -> java.security.SecureRandom n .NET -> System.Security.Cryptography.RNGCryptoServiceProvider n Ruby -> SecureRandom
- 76. Recent Bug n n 2006-2008 Debian used a broken CS-RNG Developer commented out important parts of RNG code
- 77. Dual_EC_DRBG
- 78. Dual_EC_DRBG n Dual elliptic curve deterministic random bit generator n Published in 2007, suspected with a backdoor n Proved by snowden’s papers
- 81. In The Box n Certificate Authority (CA) n Digital Certificates (Private & Public key) n Key Distribution Server n Desktop and Server software
- 82. Demo: PGP n n Started by Phil Zimmerman 1991 PKI for all
- 83. PGP Today n n GNU took over to provide patent-free implementation Called GPG (Gnu Privacy Guard)
- 84. GPG Components n Certificate Authority n Each user creates his own certificated. n Allow Web Of Trust
- 85. GPG Components n Digital Certificates n Supported algorithms: RSA, DSA, ElGamal n Key length: 1024-8192 n Recommended: 2048 bits
- 86. GPG Components n Key Distribution Server n Can build your own or use the default n Distribute keys
- 87. GPG Components n Desktop and Server software n Linux, Windows and Mac n http://www.gnupg.org/
- 88. GPG Demo n Creating Key-pair n Search for keys n Encrypt / Decrypt n Sign / Verify
- 89. Q&A Public Keys
- 90. Crypto Takeaways n Crypto’s hard: Don’t grow your own crypto
- 91. Crypto Takeaways n Crypto’s hard: But lazy is not an option n Choose the right tool for the job
- 92. Think About Tomorrow n n Today’s algorithms may fail tomorrow Keep future in mind when designing code
- 93. Thanks For Listening n Ynon Perek n n n http://ynonperek.com ynon@ynonperek.com Pictures From: n Wikipedia (Public Domain) n 123rf.com n Stockfresh.com