SlideShare a Scribd company logo

When Crypto Attacks! (Yahoo 2009)

Nate Lawson
Nate Lawson

In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.

EducationTechnology
1 of 26
Download to read offline
When Crypto Attacks! Nate Lawson June 9, 2009 Yahoo! Security Week
My background • Root Labs founder – Design and analyze security products – Focused on: • Embedded and kernel security • Software protection, DRM • Crypto and protocols • Cryptography Research – Reviewed numerous products for flaws – Co-designed Blu-ray disc content protection layer • Infogard Labs – Review crypto products for the FIPS 140 program • IBM/ISS – Original developer of RealSecure IDS 2
We all use AES-CBC • Crypto is deceptively simple and attractive – Block ciphers, public key, etc. make sense conceptually – Books like Applied Cryptography make it accessible – Proofs of security, brute-force strength claims are appealing • Of course, no one implements their own ciphers – Most got the message that custom ciphers are bad – Many low-level crypto libraries to choose from • Java crypto API, BouncyCastle • Microsoft CryptoAPI, .NET Cryptography • OpenSSL, Crypto++ • Only remaining decision is 256 vs. 128 bit keys? 3
If you’re typing “A.E.S.”, you’re doing it wrong • Crypto is extremely fragile – Review is 2x the development cost • If you design it, you don’t get to review it also – Can’t be secured by testing – When it fails, you get to change out root private keys CRYPTO FAIL! 4
How to avoid implementing crypto • What to do instead – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – GPGME (LGPL) – Keyczar (Apache) – Gutmann cryptolib (commercial) • Don’t use low-level libraries directly – OpenSSL, Crypto++ – Java crypto, BouncyCastle – .NET System.Security.Cryptography 5
Warning signs: bad crypto ahead • Obvious confusion – Using a MAC to “sign” data – “Decrypting” a signature to verify it – Multiple names/terms for the same field/operation – Overly focused on salts as a key security feature – The words “rainbow tables” • Arguments why non-standard usage is ok, based on… – Key size – Lack of attacker knowledge – A blog post 6
Warning signs: bad crypto ahead • Encrypting multiple blocks with RSA • Insistence that the IV must be kept secret • Spec diagrams from Wikipedia http://en.wikipedia.org/wiki/HMAC 7
How to fix Javascript crypto • Don’t do it; it makes no sense – Where did the browser get the code from? • The webserver – Over? • SSL (we hope) – And the keys that the Javascript uses? • Um, the same webserver • You have SSL on the client and server, use it – Anything you roll yourself is going to be worse – Remove the words “Javascript crypto” from your vocabulary (ahem, Meebo) 8
“Maybe they want to sign something, without having to upload it to the server, say. Or maybe they just don't want to burden the server with tons of crypto. There's lots of good reasons to do crypto without reinventing SSL.“ -- Dave Aitel on Javascript crypto 9
Upgrading encryption on-the-fly • Fixing an old, broken cookie scheme – Old: CBC-encrypted cookie but no integrity protection – New: + HMAC protection of encrypted cookie • Bright idea: “We’ll upgrade user cookies!” – Decrypt the data, check length of result – Detect old cookie based on version field – Set new version, encrypt with new key, add HMAC – Return it to the user 10
Bad PRNG or no seeding • Default “random” PRNGs not a good choice – Cryptographic generator has different requirements • Constantly re-seeded with new entropy • Impossible to guess or even perturb internal state – Don’t use: • Python random (use random.SystemRandom) • java.util.Random (use java.security.SecureRandom) • .NET System.Random (use System.Security.Cryptography. RandomNumberGenerator) • Cold boot case – Server just rebooted and you’re already getting requests • Is there enough entropy? • Are you replaying IVs, challenge values, etc.? – Wait, who in your company is responsible for this? 11
DSA fails if random value known • If the random challenge value k is known, it reveals your entire private key • DSA signature (r, s) is: r = gk mod p mod q s = k-1 (H(m) + x*r) mod q • If you know k, you can calculate x as follows: x = ((s * k) – H(m)) * r-1 mod q • Remember that Debian PRNG bug? – Every DSA key used on a vulnerable system for a single signature is forever compromised • Surprise! – Knowledge of only a few bits of k and multiple signatures is sufficient – Hidden number problem (Boneh, others) 12
Block cipher modes of operation • If you know ECB from CBC, give yourself a hand • Now the following – OFB, CFB, CTR • Stream cipher constructions • Bitwise malleability • Fatal if counter or output reused – CCM, EAX, GCM, OCB • Authenticated encryption • Provide integrity protection + encryption • Fatal if IV reused • Decipher this one – “TDEA Electronic Code Book (TECB) Mode” – Seen in: docs for USB flash key 13
Counter duplication in CTR mode • You painstakingly made sure to not duplicate the counter on the client – Using a counter and saving its state in a variable – You even persisted it to disk in case of a reboot • Or force a renegotiation if you have that option • What about the server? – If using a shared key, you have keystream reuse if the server’s counter overlaps the client's 14
Integrity protection with only a hash • Goal: prevent modification of a cookie • Solution – Send SHA1(key || data) – User can’t create the checksum because they don’t know the secret, right? • Length extension attack – See SHA1 init and final operations below: • Use HMAC instead Initialize variables: – Other ad-hoc constructions h0 = 0x67452301 also vulnerable h1 = 0xEFCDAB89 h2 = 0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0 … Produce the final hash value: return (h0 || h1 || h2 || h3 || h4) 15
Padding error oracle with CBC encryption • Plaintext is HMACed, padded to block size, CBC- encrypted – Example for AES, message length 14 bytes • Block = p[0], … p[13], 0x01, 0x01 • Server returns two different errors – Padding_Incorrect: pad byte was wrong value for specified total length – Integrity_Failure: padding valid but message modified • Now you can decrypt bytes – Set a block with different guesses for last byte – If correct guess, you’ll get Integrity_Failure error – Repeat for other bytes • Seen in: OpenSSL (Bodo Moeller) 16
Lack of structure in signed data • You have to know exactly what you’re signing! – Think of signed data as a command, typed into a global root shell, on every cluster in your company • Amazon Web Services v1 – Allowed the client to sign a URL 1. Split the query string using '&' and '=' delimeters 2. Concatenate all the key/value pairs into a single string (key1 || value1 || key2 || value2) 3. Protect it with HMAC-SHA1(key, data) • No structure in data means the following are equivalent – …?GoodKey1=GoodValue1BadKey2BadValue2 – …?GoodKey1=GoodValue1&BadKey2=BadValue2 • Seen in: many SSO (single sign-on) designs 17
Padding is not something to ignore • PKCS#1 pads messages to be signed as follows – SigData = 00 01 FF … FF 00 <SHA1-OID> <SHA1-HASH> – Then, signature is RSA-Exp(PrivKey, SigData) • Signature verification seems simple – Process the sig with RSA-Exp(PubKey, SigData) – Find the hash and compare to the hash of the message • Now attacker can create forgeries – For 2048 bit key and 160-bit SHA hash, there are 21888 inputs that will match – With small public key, straightforward algebra to calculate a colliding signature • Every bit of padding data must be strictly checked • Seen in: OpenSSL (+Opera, Konqueror), Firefox, Nintendo Wii 18
Bare (no hash) signatures • Just use RSA directly, why hash first? – Remember warning about lack of structure? • Attack – Choose some small primes – Multiply them together to form your message – Get it signed – Now forge messages composed of any combination of those primes • Fun fact: same property that allows blinding • Seen in: embedded microcontroller 19
“Encrypting” with RSA private key • Example – Device has an RSA public key to verify signature on firmware updates – Idea: keep the public key secret and use it to decrypt the updates also • RSA is incompatible with block cipher thinking – You can’t “encrypt” with a private key and keep the public key secret – An attacker can always figure out the public key (e, n) from observing two signatures for e in [3, 5, 7, … 65537]: n ~= GCD(sig1e – m1, sig2e – m2) if m1e mod n == sig1: break 20
Comparing hash string mistakes • Verifying an RSA signature – RSA-Exp(PubKey, SigData) – Verify all the padding data as you should – return (0 == strncmp(userHash, myHash, 20)); • Attack – Create 256 messages, each slightly different – Once SHA-1(message) == {00, …}, you win! • Seen in: Wii (tmbinc) 21
SRP parameter validation • SRP gives secure password-based key agreement • Seems easy, right? • Like all public-key crypto, very sensitive to choice of values 22
SRP parameter validation bug • What if client sends A=0? • Hmm, server does (A * foobar)baz = 0 – And there are other bad parameters with similar results • Seen in: samhain host integrity tool (Ptacek) 23
I probably ran out of time here • DH small subgroup confinement attack (Tor, IKE) – Sending magic values lets you choose the server’s key (similar to SRP attack) • Encrypting a CRC for an integrity check (SSH v1) • Fault injection during RSA signing (Pay TV smart card glitching) • Timing and other side channel attacks – Guessing correct HMAC by time-to-reject (Keyczar, Xbox360) – Instruction/data and branch predictor cache leaks (everyone) 24
Conclusion • Crypto is brittle (easy to mess up) – And when it fails, the results are spectacular • So don’t build your own crypto – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – Keyczar or cryptolib • Always get a third-party review of any crypto code – If you had to design your own (i.e., directly using a low- level library), much more extensive review required 25
Contact info For more detailed articles on these topics, please see my blog linked at: http://rootlabs.com Questions? Nate Lawson nate@rootlabs.com 26

Recommended

TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flaw
Nate Lawson
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-Hash
Ankit Mehta
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
Martin Kobetic
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Ontico
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0
Philippe Bogaerts
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 

Recommended

TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flaw
Nate Lawson
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-Hash
Ankit Mehta
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
Martin Kobetic
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Ontico
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0
Philippe Bogaerts
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat Security Conference
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
E Hacking
 
Content Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusContent Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX Plus
Kevin Jones
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
Severalnines
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Positive Hack Days
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
Kevin Jones
 
Ntlm Unsafe
Ntlm UnsafeNtlm Unsafe
Ntlm Unsafe
Guang Ying Yuan
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance Tuning
Javier Arturo Rodríguez
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
Dan Kaminsky
 
Web acceleration mechanics
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanics
Alexander Krizhanovsky
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
ConFoo
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
Giuseppe Trotta
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
Masabi
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
Denish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
Leif Hedstrom
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
Nate Lawson
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Nate Lawson
 

More Related Content

What's hot

BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat Security Conference
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
E Hacking
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
Severalnines
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Positive Hack Days
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
Dan Kaminsky
 
Web acceleration mechanics
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanics
Alexander Krizhanovsky
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
ConFoo
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
Jeremy Brown
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 

What's hot (20)

BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
 
Content Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX PlusContent Caching with NGINX and NGINX Plus
Content Caching with NGINX and NGINX Plus
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Webinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
 
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
Ntlm Unsafe
Ntlm UnsafeNtlm Unsafe
Ntlm Unsafe
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance Tuning
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
 
Web acceleration mechanics
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanics
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
 

Viewers also liked

Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Nate Lawson
 

Viewers also liked (11)

ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform Security
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 

Similar to When Crypto Attacks! (Yahoo 2009)

Scaling Rails with memcached
Scaling Rails with memcachedScaling Rails with memcached
Scaling Rails with memcached
elliando dias
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Apps
adunne
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
amiable_indian
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
Tom Eston
 
From One to a Cluster
From One to a ClusterFrom One to a Cluster
From One to a Cluster
guestd34230
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
CODE BLUE
 
Make Your Life Easier With Maatkit
Make Your Life Easier With MaatkitMake Your Life Easier With Maatkit
Make Your Life Easier With Maatkit
MySQLConference
 

Similar to When Crypto Attacks! (Yahoo 2009) (20)

Scaling Rails with memcached
Scaling Rails with memcachedScaling Rails with memcached
Scaling Rails with memcached
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Apps
 
Drizzle Talk
Drizzle TalkDrizzle Talk
Drizzle Talk
 
All The Little Pieces
All The Little PiecesAll The Little Pieces
All The Little Pieces
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1Nevmug Lighthouse Automation7.1
Nevmug Lighthouse Automation7.1
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits
 
Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use Cases
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Couch Db
Couch DbCouch Db
Couch Db
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationJust In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
From One to a Cluster
From One to a ClusterFrom One to a Cluster
From One to a Cluster
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Make Your Life Easier With Maatkit
Make Your Life Easier With MaatkitMake Your Life Easier With Maatkit
Make Your Life Easier With Maatkit
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHP
 
Messaging With ActiveMQ
Messaging With ActiveMQMessaging With ActiveMQ
Messaging With ActiveMQ
 

Recently uploaded

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 

Recently uploaded (20)

Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 

When Crypto Attacks! (Yahoo 2009)

  • 1. When Crypto Attacks! Nate Lawson June 9, 2009 Yahoo! Security Week
  • 2. My background • Root Labs founder – Design and analyze security products – Focused on: • Embedded and kernel security • Software protection, DRM • Crypto and protocols • Cryptography Research – Reviewed numerous products for flaws – Co-designed Blu-ray disc content protection layer • Infogard Labs – Review crypto products for the FIPS 140 program • IBM/ISS – Original developer of RealSecure IDS 2
  • 3. We all use AES-CBC • Crypto is deceptively simple and attractive – Block ciphers, public key, etc. make sense conceptually – Books like Applied Cryptography make it accessible – Proofs of security, brute-force strength claims are appealing • Of course, no one implements their own ciphers – Most got the message that custom ciphers are bad – Many low-level crypto libraries to choose from • Java crypto API, BouncyCastle • Microsoft CryptoAPI, .NET Cryptography • OpenSSL, Crypto++ • Only remaining decision is 256 vs. 128 bit keys? 3
  • 4. If you’re typing “A.E.S.”, you’re doing it wrong • Crypto is extremely fragile – Review is 2x the development cost • If you design it, you don’t get to review it also – Can’t be secured by testing – When it fails, you get to change out root private keys CRYPTO FAIL! 4
  • 5. How to avoid implementing crypto • What to do instead – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – GPGME (LGPL) – Keyczar (Apache) – Gutmann cryptolib (commercial) • Don’t use low-level libraries directly – OpenSSL, Crypto++ – Java crypto, BouncyCastle – .NET System.Security.Cryptography 5
  • 6. Warning signs: bad crypto ahead • Obvious confusion – Using a MAC to “sign” data – “Decrypting” a signature to verify it – Multiple names/terms for the same field/operation – Overly focused on salts as a key security feature – The words “rainbow tables” • Arguments why non-standard usage is ok, based on… – Key size – Lack of attacker knowledge – A blog post 6
  • 7. Warning signs: bad crypto ahead • Encrypting multiple blocks with RSA • Insistence that the IV must be kept secret • Spec diagrams from Wikipedia http://en.wikipedia.org/wiki/HMAC 7
  • 8. How to fix Javascript crypto • Don’t do it; it makes no sense – Where did the browser get the code from? • The webserver – Over? • SSL (we hope) – And the keys that the Javascript uses? • Um, the same webserver • You have SSL on the client and server, use it – Anything you roll yourself is going to be worse – Remove the words “Javascript crypto” from your vocabulary (ahem, Meebo) 8
  • 9. “Maybe they want to sign something, without having to upload it to the server, say. Or maybe they just don't want to burden the server with tons of crypto. There's lots of good reasons to do crypto without reinventing SSL.“ -- Dave Aitel on Javascript crypto 9
  • 10. Upgrading encryption on-the-fly • Fixing an old, broken cookie scheme – Old: CBC-encrypted cookie but no integrity protection – New: + HMAC protection of encrypted cookie • Bright idea: “We’ll upgrade user cookies!” – Decrypt the data, check length of result – Detect old cookie based on version field – Set new version, encrypt with new key, add HMAC – Return it to the user 10
  • 11. Bad PRNG or no seeding • Default “random” PRNGs not a good choice – Cryptographic generator has different requirements • Constantly re-seeded with new entropy • Impossible to guess or even perturb internal state – Don’t use: • Python random (use random.SystemRandom) • java.util.Random (use java.security.SecureRandom) • .NET System.Random (use System.Security.Cryptography. RandomNumberGenerator) • Cold boot case – Server just rebooted and you’re already getting requests • Is there enough entropy? • Are you replaying IVs, challenge values, etc.? – Wait, who in your company is responsible for this? 11
  • 12. DSA fails if random value known • If the random challenge value k is known, it reveals your entire private key • DSA signature (r, s) is: r = gk mod p mod q s = k-1 (H(m) + x*r) mod q • If you know k, you can calculate x as follows: x = ((s * k) – H(m)) * r-1 mod q • Remember that Debian PRNG bug? – Every DSA key used on a vulnerable system for a single signature is forever compromised • Surprise! – Knowledge of only a few bits of k and multiple signatures is sufficient – Hidden number problem (Boneh, others) 12
  • 13. Block cipher modes of operation • If you know ECB from CBC, give yourself a hand • Now the following – OFB, CFB, CTR • Stream cipher constructions • Bitwise malleability • Fatal if counter or output reused – CCM, EAX, GCM, OCB • Authenticated encryption • Provide integrity protection + encryption • Fatal if IV reused • Decipher this one – “TDEA Electronic Code Book (TECB) Mode” – Seen in: docs for USB flash key 13
  • 14. Counter duplication in CTR mode • You painstakingly made sure to not duplicate the counter on the client – Using a counter and saving its state in a variable – You even persisted it to disk in case of a reboot • Or force a renegotiation if you have that option • What about the server? – If using a shared key, you have keystream reuse if the server’s counter overlaps the client's 14
  • 15. Integrity protection with only a hash • Goal: prevent modification of a cookie • Solution – Send SHA1(key || data) – User can’t create the checksum because they don’t know the secret, right? • Length extension attack – See SHA1 init and final operations below: • Use HMAC instead Initialize variables: – Other ad-hoc constructions h0 = 0x67452301 also vulnerable h1 = 0xEFCDAB89 h2 = 0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0 … Produce the final hash value: return (h0 || h1 || h2 || h3 || h4) 15
  • 16. Padding error oracle with CBC encryption • Plaintext is HMACed, padded to block size, CBC- encrypted – Example for AES, message length 14 bytes • Block = p[0], … p[13], 0x01, 0x01 • Server returns two different errors – Padding_Incorrect: pad byte was wrong value for specified total length – Integrity_Failure: padding valid but message modified • Now you can decrypt bytes – Set a block with different guesses for last byte – If correct guess, you’ll get Integrity_Failure error – Repeat for other bytes • Seen in: OpenSSL (Bodo Moeller) 16
  • 17. Lack of structure in signed data • You have to know exactly what you’re signing! – Think of signed data as a command, typed into a global root shell, on every cluster in your company • Amazon Web Services v1 – Allowed the client to sign a URL 1. Split the query string using '&' and '=' delimeters 2. Concatenate all the key/value pairs into a single string (key1 || value1 || key2 || value2) 3. Protect it with HMAC-SHA1(key, data) • No structure in data means the following are equivalent – …?GoodKey1=GoodValue1BadKey2BadValue2 – …?GoodKey1=GoodValue1&BadKey2=BadValue2 • Seen in: many SSO (single sign-on) designs 17
  • 18. Padding is not something to ignore • PKCS#1 pads messages to be signed as follows – SigData = 00 01 FF … FF 00 <SHA1-OID> <SHA1-HASH> – Then, signature is RSA-Exp(PrivKey, SigData) • Signature verification seems simple – Process the sig with RSA-Exp(PubKey, SigData) – Find the hash and compare to the hash of the message • Now attacker can create forgeries – For 2048 bit key and 160-bit SHA hash, there are 21888 inputs that will match – With small public key, straightforward algebra to calculate a colliding signature • Every bit of padding data must be strictly checked • Seen in: OpenSSL (+Opera, Konqueror), Firefox, Nintendo Wii 18
  • 19. Bare (no hash) signatures • Just use RSA directly, why hash first? – Remember warning about lack of structure? • Attack – Choose some small primes – Multiply them together to form your message – Get it signed – Now forge messages composed of any combination of those primes • Fun fact: same property that allows blinding • Seen in: embedded microcontroller 19
  • 20. “Encrypting” with RSA private key • Example – Device has an RSA public key to verify signature on firmware updates – Idea: keep the public key secret and use it to decrypt the updates also • RSA is incompatible with block cipher thinking – You can’t “encrypt” with a private key and keep the public key secret – An attacker can always figure out the public key (e, n) from observing two signatures for e in [3, 5, 7, … 65537]: n ~= GCD(sig1e – m1, sig2e – m2) if m1e mod n == sig1: break 20
  • 21. Comparing hash string mistakes • Verifying an RSA signature – RSA-Exp(PubKey, SigData) – Verify all the padding data as you should – return (0 == strncmp(userHash, myHash, 20)); • Attack – Create 256 messages, each slightly different – Once SHA-1(message) == {00, …}, you win! • Seen in: Wii (tmbinc) 21
  • 22. SRP parameter validation • SRP gives secure password-based key agreement • Seems easy, right? • Like all public-key crypto, very sensitive to choice of values 22
  • 23. SRP parameter validation bug • What if client sends A=0? • Hmm, server does (A * foobar)baz = 0 – And there are other bad parameters with similar results • Seen in: samhain host integrity tool (Ptacek) 23
  • 24. I probably ran out of time here • DH small subgroup confinement attack (Tor, IKE) – Sending magic values lets you choose the server’s key (similar to SRP attack) • Encrypting a CRC for an integrity check (SSH v1) • Fault injection during RSA signing (Pay TV smart card glitching) • Timing and other side channel attacks – Guessing correct HMAC by time-to-reject (Keyczar, Xbox360) – Instruction/data and branch predictor cache leaks (everyone) 24
  • 25. Conclusion • Crypto is brittle (easy to mess up) – And when it fails, the results are spectacular • So don’t build your own crypto – Use SSL for transport – Use GPG for protecting data at rest (GPGME lib) • If your design doesn’t seem to fit that model, rework it until it does • If you can’t, use a high-level library – Keyczar or cryptolib • Always get a third-party review of any crypto code – If you had to design your own (i.e., directly using a low- level library), much more extensive review required 25
  • 26. Contact info For more detailed articles on these topics, please see my blog linked at: http://rootlabs.com Questions? Nate Lawson nate@rootlabs.com 26