This document provides a summary of a presentation on encryption. It discusses why encryption is important for compliance with regulations like PCI DSS and HIPAA. It covers different encryption techniques like block ciphers and stream ciphers. It describes how protocols like TLS work and how certain ciphers like RC4 have been broken over time. It discusses attacks like BEAST and the ways crypto failures can occur. It emphasizes that encryption is difficult, recommends following best practices around key management, and discusses the challenges of real-world implementation.
7. Why Encrypt?
PCI:DSS Requirement 3: Protection at rest
PCI:DSS Requirement 4: Encrypt on the network
"A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information." (45 CFR § 164.312(a)(2)(iv))
Etc., etc., etc.
15. Primitives, Modes, and Protocols
[Diagram: primitive (MATH) + mode + protocol. Super_Secret_Message is split into 8-character blocks (Super_Se, cret_Mes, …); each block is run through the block cipher on its own and yields a ciphertext block (Encrypte, d_Cipher, …).]
16. TLS as a protocol
Arbitrarily bad network (The Internet)
Confidentiality
Server authentication
Tamper evidence
Replay protection
…
17. A leak!
[Diagram: Awfully_Awfully_Secret split into 8-character blocks; the repeated plaintext block Awfully_ comes out as the identical ciphertext block Encrypte twice, so the ciphertext reveals that the two plaintext blocks are equal.]
18. A big pile of crypto
[Diagram: a pile of boxes labelled Primitive, Mode, and Protocol.]
22. A tale of one cipher
[Diagram: stream cipher (RC4). Super_Secret_Message (Super_Se, cret_Mes, …) is XORed byte by byte (⨁) with Keystream_bytes_…, giving the ciphertext (Encrypte, d_Cipher, …).]
23. RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
Use RC4, don't use RC4, I don't care
24. A wild BEAST appears
Browser Exploit Against SSL/TLS
25. Cipher Block Chaining
[Diagram: Awfully_Awfully_Secret in blocks Awfully_, Awfully_, …; the first block is XORed (⨁) with an IV before the block cipher, each later block is XORed with the previous ciphertext block, so the repeated Awfully_ blocks now produce different ciphertext blocks (Encrypte, d_Cipher, …).]
26. Chosen Plaintext Attack
x ⨁ A ⨁ A = x
C_i = AES(k, C_{i-1} ⨁ P_i)
We want to decrypt C_i and obtain P_i.
Pick m as a guess for P_i.
Let P_j = C_{j-1} ⨁ C_{i-1} ⨁ m (the attacker chooses the next plaintext block after seeing C_{j-1})
C_j = AES(k, C_{j-1} ⨁ P_j)
C_j = AES(k, C_{j-1} ⨁ C_{j-1} ⨁ C_{i-1} ⨁ m)
C_j = AES(k, C_{i-1} ⨁ m)
Thus, m = P_i iff C_j = C_i
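The algebra of this slide as an added, runnable example (not the presenter's code): a CBC encryptor whose next IV is the previous ciphertext block, as in TLS 1.0, lets a single chosen block P_j confirm or refute a guess m for P_i; the same check fails for every guess once each record gets a fresh random IV (TLS 1.1+). It assumes AES-128 via the `cryptography` package when installed and otherwise falls back to a keyed HMAC stand-in, since only encryption and equality are needed.

```python
import hashlib, hmac, os

BLOCK = 16

try:  # real AES-128 if the 'cryptography' package is installed
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key, block):
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # stand-in (assumption): any deterministic keyed block function
    def block_encrypt(key, block):  # suffices, since only encryption and equality are used
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CBC:
    """Block-at-a-time CBC. chained=True models TLS 1.0, whose next-record IV is the
    last ciphertext block (public, predictable); chained=False models TLS 1.1+,
    which draws a fresh random IV per record."""
    def __init__(self, key, iv, chained=True):
        self.key, self.chained = key, chained
        self.blocks = [iv]  # blocks[0] = IV, then C_1, C_2, ... as seen on the wire

    def encrypt_block(self, p):
        iv = self.blocks[-1] if self.chained else os.urandom(BLOCK)
        c = block_encrypt(self.key, xor(iv, p))
        self.blocks.append(c)
        return c

def guess_is_right(cbc, i, m):
    """Slide 26: to test m == P_i, submit P_j = C_{j-1} xor C_{i-1} xor m.
    Under chaining C_j = E(k, C_{j-1} xor P_j) = E(k, C_{i-1} xor m),
    so C_j == C_i exactly when m == P_i."""
    c_prev_i, c_i, c_prev_j = cbc.blocks[i - 1], cbc.blocks[i], cbc.blocks[-1]
    p_j = xor(xor(c_prev_j, c_prev_i), m)
    return cbc.encrypt_block(p_j) == c_i

def demo(chained):
    """Returns (verdict for a wrong guess, verdict for the right guess)."""
    cbc = CBC(os.urandom(BLOCK), os.urandom(BLOCK), chained)
    secret = b"Awfully_Secret!!"  # constructed 16-byte P_1 the test tries to confirm
    cbc.encrypt_block(secret)  # C_1 goes out on the wire
    return guess_is_right(cbc, 1, b"Awfully_Public!!"), guess_is_right(cbc, 1, secret)

if __name__ == "__main__":
    print("TLS 1.0 chained IV:", demo(True))   # (False, True)
    print("TLS 1.1+ random IV:", demo(False))  # (False, False)
```

With the chained IV the equality test is a reliable oracle for one block; with a random per-record IV the attacker cannot cancel the chaining term, which is why TLS 1.1 changed the IV handling.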
27. Blockwise Chosen Boundary Attack
POST /A HTTP 1.1\r\nCookie: SessionID=XXXX
POST /AAAAAA HTTP 1.1\r\nCookie: SessionID=XXXX
Let m = 'P 1.1\r\nCookie: a'   →   C_j ≠ C_i
Let m = 'P 1.1\r\nCookie: b'   →   C_j ≠ C_i
Let m = 'P 1.1\r\nCookie: S'   →   C_j = C_i
…
POST /AAAAA HTTP 1.1\r\nCookie: SessionID=XXXX
Let m = ' 1.1\r\nCookie: Sa'
…
28. Assume the cookie is 16 characters, one full block.
Guessing the entire cookie at once:
2^128 guesses (worst case)
= 340,282,366,920,938,463,463,374,607,431,768,211,456
Guessing the entire cookie one byte at a time:
16 * 2^8 guesses (worst case)
= 4,096
That's 2^116 times faster, or just
0.0000000000000000000000000000000012%
as many guesses
29. The short version
If:
    I can cause your client to make requests (JavaScript)
    I can control block alignment
    I can sniff the resulting TLS traffic
    There is a repeated field worth stealing (Cookies)
Then:
    I can guess byte-wise rather than block-wise
30. RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
Use RC4, don't use RC4, I don't care
Use RC4!!!
31. But….
If:
    I can cause your client to make requests (JavaScript)
    I can control block alignment
    I can sniff the resulting TLS traffic
    There is a repeated field worth stealing (Cookies)
Then:
    I can guess byte-wise rather than block-wise
34. RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
2013: Statistical biases
2015: RFC7465, Nope!
Use RC4, don't use RC4, I don't care
Use RC4!!!
Oh my, no way!
35. IoT, the Internet of Television
I like RC4, AES, and 3DES, in that order.
Cool! Let's use AES 'cause RC4 is broken
LIES!
43. Diffie-Hellman in S3
Every webserver thread creates a new prime at startup
>> 10k primes in use at any time
We fingerprint the ClientHello and alter our response
Browsers are not offered DHE
SSL Labs gets a different view than your browser
51. This one, not so much
Data Encryption Standard
1975: Published
1976: Approved as a standard
1977: FIPS
1992: Differential cryptanalysis
1998: First public break
1998: Break in 58 hours
1999: Break in 22 hours
2006: COPACOBANA: 9 days, $10,000
65. Rules of Crypto
Rule #1: Don’t do it unless you’re an expert
Rule #2: You’re not an expert
Rule #3: You're going to screw it up, even if you are an expert