2. About me
- Miguel Ibarra
- PHP developer since 2000
  - Actually, coding since 1986
- Projects from simple web pages to GRP’s
- Software Engineer @ Tiempo Development
- Webservices, security and cryptography fan

4. I can has ur data?
- Today, information assets can be more valuable than physical assets…
  - Lost your USB stick lately?
- Data theft is becoming an every-day issue and concern…

6. I can has ur data?
- linkedin.com
  - 6th June 2012
  - More than 6 million passwords
- eharmony.com
  - 6th June 2012
  - More than 1.5 million passwords
- last.fm
  - 7th June 2012
  - ? million passwords
- yahoo.com
  - 12th June 2012
  - 443K passwords
  - SQL injection
  - Passwords in plain text…

10. I can has ur data?
- Public web applications expose an authenticated and authorized connection to DBMS servers
  - DBMS have their own authentication and authorization systems
  - Applications that use such DBMS need credentials to connect to DB servers
- This type of apps can have their own auth procedures
  - They can be vulnerable

11. I can has ur data?
- It does not matter if your DBMS is behind a firewall and/or private network
[Diagram: User → Public network → Web server → Private network → DBMS Server]

17. Protecting your data – Password Hashing
- Hash
  - Algorithm that maps data of variable length to data of fixed length
  - One-way function
    - Output cannot be reversed using an efficient algorithm
  - Also called ‘pseudo-random function’
    - Output indistinguishable from true random data
- Popular hashing algorithms
  - md5
  - sha1

18. Protecting your data – Password Hashing
- Hash properties
  - Output yields a fixed length result
    - md5(‘1’) = ‘c4ca4238a0b923820dcc509a6f75849b’
    - md5(‘Hello world’) = ‘3e25960a79dbc69b674cd4ec67a72c62’
  - The slightest change, totally different results
    - md5(‘Hello World’) = ‘b10a8db164e0754105b7a99be72e3fe5’

22. Protecting your data – Password Hashing
- Again, cannot revert a hash using an efficient algorithm
  - … but can be cracked…
  - Crack <> Hack
[Diagram labels: Hash Algorithm, Data]

23. Protecting your data – Password Hashing
- Brute force attack
  - Generate hashes from a dictionary
    - Common words
  - Generate character combinations
    - Exhaustive search
  - Generated hash = target hash?
    - Bingo
- Inefficient, but…
  - CPU power is growing (multiple cores)
  - GPU can be used too (thousands of cores)
  - Cloud systems

24. ATI HD 5970, string consisting of a-z|A-Z|0-9

| Algorithm | Speed | 8 chars | 9 chars | 10 chars |
|---|---|---|---|---|
| md5 | 5600 million h/s | 10 hours | 27 days | 4.5 years |
| sha1 | 2300 million h/s | 26 hours | 68 days | 11.5 years |

25. Protecting your data – Password Hashing
- Hash database attack
  - Query a database with pregenerated hashes
  - Several sites offer this service, free
    - Google.com
    - http://bit.ly/15O4SLN

26. Protecting your data – Password Hashing
- Getting a hash through SQL injection
  - Live demonstration

31. Password salting
- Salt has to be stored in clear text in order to authenticate a user
  - if( hash(<provided password> + <salt field>) == <password field> ) then
    - User credentials are valid

32. Password salting
- Hash database attack becomes improbable
- If hash remains unknown, brute force attack becomes improbable
  - Total characters: 42
  - Calculations per second: 4 billion
  - Possible combinations: 522 duovigintillion
  - Total time to crack: 4 septendecillion years*
* According to https://howsecureismypassword.net/

33. Password salting
- But the attacker could modify the attack to obtain the salt field…
  - DEMO
- The attacker would only need to launch a brute force attack
  - Generate some character combination string
  - Concatenate salt and hash
  - Compare hashes

35. Password stretching
- To mitigate the mentioned attack, use the password stretching technique
  - Create a recursive / iterative algorithm that calculates a hash value over itself a thousand (or more) times

36. [Diagram labels: Salt, Password, Hash, Hash Algorithm; the hash is fed through the Hash Algorithm thousands of times]

37. Password stretching
- This algorithm should iterate enough to delay each calculation by 1 second
- In order to crack with a brute force attack, the attacker…
  - Should know the exact iteration count
    - +/- 1 iteration will result in a totally different hash value
  - Should wait 1 second between each attempt
- This makes the attack highly improbable

38. Password stretching
- Several standard algorithms for password stretching
  - PBKDF2
  - Bcrypt
  - Scrypt
  - …

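
The salting and stretching slides above, put together as an added example (not code from the original talk): a random per-user salt stored in clear, PBKDF2-HMAC-SHA256 as the stretching algorithm, and an iteration count calibrated to a target delay. The `iterations$salt$hash` record format and the function names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

def calibrate_iterations(target_seconds: float, start: int = 10_000) -> int:
    """Double the PBKDF2 iteration count until one hash takes target_seconds."""
    iterations = start
    while True:
        began = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"\x00" * 16, iterations)
        if time.perf_counter() - began >= target_seconds:
            return iterations
        iterations *= 2

def hash_password(password: str, iterations: int) -> str:
    """Return 'iterations$salt$hash'; the salt is random per user and stored in clear."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the record was stretched with fewer iterations than today's target."""
    return int(stored.split("$")[0]) < current_iterations

if __name__ == "__main__":
    rounds = calibrate_iterations(1.0)              # the slide's one-second target
    record = hash_password("s3cret-demo", rounds)   # constructed sample password
    print(rounds, verify_password("s3cret-demo", record),
          verify_password("guess", record))
```

Keeping the iteration count in the record lets the count be raised as hardware gets faster: `needs_rehash` flags old records so they can be re-hashed at the user's next successful login.
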
40. I can still has ur data…
- We give it away freely…
  - Facebook
  - Twitter
  - Foursquare
- If it is free, you are the product

41. I can still has ur data…
- We unintentionally give it away…
  - Phishing scams
  - Social engineering
  - Adware / Spyware / Browser bars / Apps
  - Weak passwords
    - Names
    - Birthdays
    - Phone numbers
    - Common passwords

42. I can still has ur data…
- It is forcibly/unlawfully taken from us…
  - Extortions / blackmail
  - Unethical practices
    - Banks
  - Government spy programs
    - NSA’s PRISM
    - Communications Intercept System Mexico
      - Requested by USDoS to Mexican Federal Government in 2007
      - Request cancelled in 2012…
  - Unknown sponsored spy programs
    - Rumored FinFisher program probably running in networks belonging to Uninet, Iusacell and Televisa

44. Cryptography 101
- Krypto
  - Hidden
- Graphos
  - Script
- Technique to modify a linguistic or calligraphic presentation of a message
  - Ruled by an algorithm
  - Must allow forward and backward process

50. Cryptography 101
- Today, cryptography is performed by an automated algorithm: Cipher
  - Short name for pseudo-random permutation
    - Takes an input
    - Applies a reversible algorithm
    - Outputs data indistinguishable from a truly random data stream
  - Result space is equal to message space
    - No collisions

52. Cryptography 101
- Modern algorithms use a ‘key’
- The key is used to transform a message into a pseudo-random string
  - This is called ‘cipher’
- This pseudo-random string can be transformed back to the original message only with this key
  - ‘decipher’

55. Symmetric ciphers
- The same key is used to cipher and decipher
- The 2 endpoints must agree on this key
- Security relies mainly on this key
  - Key must be improbable to guess
  - Key space has to be large…

57. [Diagram: bit-level example. Labels: Data to cipher, Random key, Ciphered data; Data to decipher, Random key, Original data. Bit rows as extracted: 11000001, 01010000, 10010001, 10010001, 01010000]

58. Symmetric ciphers
- Ciphered data is impossible to decipher without the key by an efficient algorithm
  - That is, no exhaustive search for the key
- It is very simple
- Key length must be the same as message length
  - Security measures applied while securely sharing the key might as well be applied to the unciphered message

59. Symmetric ciphers
- In fact, every symmetric cipher’s weakest link is the key
  - An attacker, instead of brute forcing the key, might as well focus on intercepting the key
- Popular cipher algorithms
  - DES
  - 3DES
  - AES

61. Asymmetric ciphers
- Has a key pair
  - Private key: only the owner can know it
  - Public key: owner can share it freely
- Message ciphered with the public key can only be deciphered with the private key
- Message ciphered with the private key can be deciphered with the public key
  - This adds a message authentication mechanism

62. Asymmetric ciphers
- Algorithms are based on prime numbers and one-way functions
  - Way too easy to multiply two prime numbers
  - Factorizing a number into its prime factors is very difficult
- Usually involves very large prime numbers
  - Hundreds of digits

63. Asymmetric ciphers
- Asymmetric ciphers require more processing time
  - Keys are required to be large
    - By today’s standards, 2048 bits
  - Ciphered message is bigger than the original message
- Popular algorithms
  - RSA
- Hybrid symmetric/asymmetric algorithms
  - HTTPS/TLS

65. Just encrypt it and you are safe… are you?
- Weakest links in cryptography
  - Again, the key…
  - … and how it is implemented
- Aircrack anyone?
  - WEP algorithm: example of bad crypto implementation

66. Just encrypt it and you are safe… are you?
- Common cryptography implementation misconception
[Diagram labels: C, Message, Key, Cipher, Message]

67. Just encrypt it and you are safe… are you?
- Do not…
  - Use a short key
  - Use weak random data to generate a key
  - Use the generated key directly
    - Try to derive the key first
      - PBKDF2
      - Pseudo-random function
  - Use the same key to cipher identical messages
    - Information leak
  - Use the same key to cipher multiple messages
    - WEP’s Achilles’ heel
    - If you need to, use nonces
      - Nonce ≃ salt
      - Nonce is included with the message
- Cipher and send…
  - Always add a signature verification mechanism
    - Hash-mac
      - Hash with a key
      - Hash-mac signature included in message

68. Do not use weak random data
[Image: random data, PHP 4’s rand() function output on Windows converted to bitmap]

74. Encryption in databases
- Information can still be leaked
  - Suppose the 2 users share the same phone number; the attacker could notice this since the data was ciphered with the same key

76. Tweakable encryption
- Remember, do not use the same key to cipher multiple messages…
- Do we need to generate a new key for each record?
  - Say we have thousands of records, do we need thousands of keys?
  - NO
- Use a tweak

77. Tweakable encryption
- Every table should have a primary key
  - So the values inside the primary key must be unique to every record
- Use the master key + primary key value, then hash
  - f(key, pk value) = hash(key + pk value)
  - You’ll have a unique cipher key for each record
- Now, fields with the same plain text value will appear to be completely different when ciphered

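
The leak from slide 74 and the per-record key from slide 77, together with the HMAC advice from slide 67, as an added example (not code from the original talk). It uses HMAC-SHA256 in place of the slide's plain `hash(key + pk value)`, and an HMAC-based XOR keystream as a stand-in cipher because the Python standard library ships no AES; the function names, the column label in the derivation and the sample values are assumptions.

```python
import hashlib
import hmac

def derive_key(master_key: bytes, purpose: str, column: str, pk: int) -> bytes:
    # The slide's f(key, pk value), done with HMAC-SHA256 instead of hash(key + pk).
    # Purpose and column are mixed in so no two fields or uses share a key (assumption).
    info = f"{purpose}|{column}|{pk}".encode()
    return hmac.new(master_key, info, hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher: XOR with an HMAC-SHA256 counter keystream. Illustration
    # only; a real system would use a vetted cipher such as AES.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def encrypt_shared(master_key: bytes, plaintext: bytes) -> bytes:
    # The leaky layout: every record ciphered with the same key.
    return keystream_xor(master_key, plaintext)

def seal_field(master_key: bytes, column: str, pk: int, plaintext: bytes) -> bytes:
    ct = keystream_xor(derive_key(master_key, "enc", column, pk), plaintext)
    tag = hmac.new(derive_key(master_key, "mac", column, pk), ct, hashlib.sha256).digest()
    return ct + tag  # the HMAC travels with the ciphertext

def open_field(master_key: bytes, column: str, pk: int, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(derive_key(master_key, "mac", column, pk), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong record or modified ciphertext")
    return keystream_xor(derive_key(master_key, "enc", column, pk), ct)

if __name__ == "__main__":
    master = bytes(range(32))   # constructed demo key, never hard-code a real one
    phone = b"555-0100"         # constructed sample value shared by two users
    print(encrypt_shared(master, phone) == encrypt_shared(master, phone))  # equal: the leak
    print(seal_field(master, "phone", 1, phone) == seal_field(master, "phone", 2, phone))
    print(open_field(master, "phone", 1, seal_field(master, "phone", 1, phone)))
```

Because the primary key never changes, rewriting a field reuses its derived key; with a stream-style stand-in like this one that would expose the XOR of the old and new values, so a production design also stores a fresh nonce per write, in line with the nonce advice on slide 67.
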
78. Last Words
- Last words…
  - Information privacy is YOUR RIGHT
  - Do you consider it to be a paranoid idea…
  - …or a daily life concern?
  - First information privacy law dates from 1890 (US)
  - Laws cannot keep up with technology