SlideShare una empresa de Scribd logo

How to defend from an attacker armed with a mathematician

Antonio Sanso
Antonio Sanso

Diffie-Hellman key exchange is one of the most common public-key cryptographic methods in use in the Internet. It is a fundamental building block for IPsec, SSH, and TLS. Diffie-Hellman key exchange allows two parties to agree on a shared secret in the presence of an eavesdropper. Since the security of Diffie-Hellman relies crucially on the group parameters, implementations can be vulnerable to an attacker who provides maliciously generated parameters that change the properties of the group. In January 2016 we found a vulnerability affecting OpenSSL leveraging indeed this kind of attack (CVE-2016-0701). The research made while studying OpenSSL code base also highlighted a semi-mysterious RFC (RFC 5114 – “Additional Dif e-Hellman Groups for Use with IETF Standards”) originating from Defense contractor BBN. The mathematical property of the groups introduced in RFC 5114 were of particular interest since made OpenSSL particularly susceptibleto a Key Recovery Attack.

Internet
1 de 35
Descargar para leer sin conexión
How to defend from an attacker armed with a mathematician Antonio Sanso (@asanso) Senior Software Engineer Adobe Research Switzerland
Who is this guy, BTW? { Senior Software Engineer Adobe Research Switzerland { Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll { Found vulnerabilities in OpenSSL , Google Chrome, Apple Safari { Co-Author of “OAuth 2 in Action” { Obsessed by prime numbers ★
TLS (Transport Layer Security)
TLS TLS Flow (highly simplified) asymmetric crypto (e.g. RSA/DH) + Client Server m m = premaster key symmetric crypto (e.g. AES)
TLS TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Key Exchange Cipher MAC or PRF
+ Key Exchange Client Server m = premaster key
Math Ahead !! {Addition {Multiplication {Exponentiation {Modular arithmetic
Public key cryptography
One way functions x f(x ) easy extremely hard
Discrete log problem y = gx (mod p) EASY! Example p = 17 g = 3 x = 4 y = 34 (mod 17) = ? y = 34 = 81 (mod 17) = 13
Discrete log problem dlogg y HARD! How much hard? Trivial alg. O(p) We need do find 0 < x < p-1 s.t. gx= y (mod p) Example p = 17 g = 3 y = 10 x = ?? x = 0 y = 30 = 1 (mod 17) x = 1 y = 31 = 3 (mod 17) x = 2 y = 32 = 9 (mod 17) x = 3 y = 33 = 10 (mod 17) ★
Discrete log problem p = 218473595898882084755067249171622650635714019853253703676313 617811140296530259568151576053281904111410441606898157413193 811965329798715000389798623091587382509451185549616268241523 075366058726165028842888780624670527776052278467097818506147 927484588389513422048126018381129378053717826003801060205228 844064528238188244556839820428829281834311945931891714310663 711385102529796485135530787625845961474274568372896230088793 648294777051836361493041209989486542781338740267111884943117 708835148893633513800645204134596026961413539494079718100718 483541278687259340578110522855117260709519548286257619847978 31079801857828431
Discrete log problem
+ Key Exchange Client Server g,p yb g, p yb = gb (mod p) Ephemeral Random b TLS_DHE_RSA_WITH_AES_128….
+ Key Exchange Client Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya
+ Key Exchange Client Server m = premaster key yb ya m = gba (mod p) (yb)a = (gb)a = gba (mod p) m = gab (mod p) (ya)b = (ga)b = gab (mod p) yb = gb (mod p) ya = ga (mod p) ★
OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
Server g,p yb g, p yb = gb (mod p) ya OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) ★
Attack Requirement #1 (Static ephemeral keys) Server g,p m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral SSL_OP_SINGLE_DH_USE wasn’t set ★
Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya Attack Requirement #2 (Not verifying the incoming value) m = gab (mod p) (ya)b = (ga)b = gab (mod p) ★
Discrete log problem What about p? Which prime number should I choose? OBSERVATION: (p-1) is always even { Safe prime ==> (p -1)/2 is also prime (many RFCs) { Or at least == > (p -1)/2 should not be a product of small primes
RFC 5114 - O(224) p = 2048 bit g = >>2 q = 224 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). ★
Attack Requirement #3 (Product of small primes) RFC 5114 m = premaster key yb g, p yb = ga (mod p)
Attack succeeded!! RFC 5114 m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral ★ ya = ga (mod p) ya So we can compute: { b mod (2) { b mod (3) { … { b mod (5213881177) Finally we can combine the result using the Chinese Remainder Theorem (CRT)!!
History of RFC 5114 ...a semi-mysterious RFC 5114 – Additional Diffie- Hellman Groups document. It introduces new MODP groups not with higher sizes, but just with different primes. … no one really wanted these, but no one really objected to it either, so the document (originating from Defense contractor BBN) made it to RFC status.
References { https://www.openssl.org/news/secadv/20160503.txt { http://blog.intothesymmetry.com/2016/01/openssl-key-recovery-attack- on-dh-small.htmlMultiplication { http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.5296 { http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl- allows-attackers-to-decrypt-https-traffic/
Questions?
Additional material
Discrete log function Primitive root (generator) Example p = 17 Generator g = 3 {30,31,32,33,34,35,36, … } ==> {1, 3, 9, 10, 13, 5, 15, …}
OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) (yb)aBj = gbaBj ya (ya)b = (gaB)b = gabBb (mod p) 0 < j < ord(B) == > small B = j mod (ord(B)) ★
RFC 5114 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). • ∃ gi s.t. q = 2 • ∃ gi s.t. q = 3 • ∃ gi s.t. q = 5 • … from O(224) to O(44)
OpenSSL Key Recovery Attack on DH small subgroups - Validation Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) ya VALIDATION Check that ya q (mod p) = 1 ★
Chinese Remainder Theorem (CRT) b = l (mod ord(B1)) b = m (mod ord(B2)) b = n (mod ord(B3)) We can find a unique solution mod(ord(B1) * ord(B2) * ord(B3)) ★
“Trap door” one way functions x f(x ) easy extremely hard easy given t t

Recomendados

Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015Antonio Sanso
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
 
Node.JS security
Node.JS securityNode.JS security
Node.JS securityDeepu S Nath
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
 
Velocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackVelocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackCosimo Streppone
 
Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hackingPhilip Young
 
Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Eduard Trayan
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 

Recomendados

Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015Antonio Sanso
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
 
Node.JS security
Node.JS securityNode.JS security
Node.JS securityDeepu S Nath
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
 
Velocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackVelocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackCosimo Streppone
 
Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hackingPhilip Young
 
Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Eduard Trayan
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip Young
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tomas Malmsten
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpressn|u - The Open Security Community
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...JosephTesta9
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseAdam Baldwin
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureNicolas Corrarello
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2Leonardo Rifeli
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs SecurityJason Ross
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets MalloryEmily Stark
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingOtto Kekäläinen
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Tinashe Makuti
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!Drew Fustini
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015Adam Baldwin
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesRavishankar Somasundaram
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Crackingn|u - The Open Security Community
 

Más contenido relacionado

La actualidad más candente

Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip Young
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tomas Malmsten
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...JosephTesta9
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseAdam Baldwin
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureNicolas Corrarello
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs SecurityJason Ross
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets MalloryEmily Stark
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingOtto Kekäläinen
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Tinashe Makuti
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 

La actualidad más candente (20)

Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs Security
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP Profiling
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 

Similar a How to defend from an attacker armed with a mathematician

Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsOWASP Kyiv
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdbRoman Podoliaka
 
Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)Maarten Mulders
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
Debugging of (C)Python applications
Debugging of (C)Python applicationsDebugging of (C)Python applications
Debugging of (C)Python applicationsRoman Podoliaka
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6Wim Godden
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...Moabi.com
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Maarten Mulders
 
Streaming huge databases using logical decoding
Streaming huge databases using logical decodingStreaming huge databases using logical decoding
Streaming huge databases using logical decodingAlexander Shulgin
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)Jonathan Felch
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 
Deuce STM - CMP'09
Deuce STM - CMP'09Deuce STM - CMP'09
Deuce STM - CMP'09Guy Korland
 
PyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by examplePyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by exampleYunWon Jeong
 
What's new in Python 3.11
What's new in Python 3.11What's new in Python 3.11
What's new in Python 3.11Henry Schreiner
 

Similar a How to defend from an attacker armed with a mathematician (20)

Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
 
Cryptography Attacks and Applications
Cryptography Attacks and ApplicationsCryptography Attacks and Applications
Cryptography Attacks and Applications
 
Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Debugging of (C)Python applications
Debugging of (C)Python applicationsDebugging of (C)Python applications
Debugging of (C)Python applications
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)
 
Streaming huge databases using logical decoding
Streaming huge databases using logical decodingStreaming huge databases using logical decoding
Streaming huge databases using logical decoding
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
Deuce STM - CMP'09
Deuce STM - CMP'09Deuce STM - CMP'09
Deuce STM - CMP'09
 
PyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by examplePyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by example
 
What's new in Python 3.11
What's new in Python 3.11What's new in Python 3.11
What's new in Python 3.11
 

Último

Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Último (9)

Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

How to defend from an attacker armed with a mathematician

  • 1. How to defend from an attacker armed with a mathematician Antonio Sanso (@asanso) Senior Software Engineer Adobe Research Switzerland
  • 2. Who is this guy, BTW? { Senior Software Engineer Adobe Research Switzerland { Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll { Found vulnerabilities in OpenSSL , Google Chrome, Apple Safari { Co-Author of “OAuth 2 in Action” { Obsessed by prime numbers ★
  • 4. TLS TLS Flow (highly simplified) asymmetric crypto (e.g. RSA/DH) + Client Server m m = premaster key symmetric crypto (e.g. AES)
  • 7.
  • 10. One way functions x f(x ) easy extremely hard
  • 11. Discrete log problem y = gx (mod p) EASY! Example p = 17 g = 3 x = 4 y = 34 (mod 17) = ? y = 34 = 81 (mod 17) = 13
  • 12. Discrete log problem dlogg y HARD! How much hard? Trivial alg. O(p) We need do find 0 < x < p-1 s.t. gx= y (mod p) Example p = 17 g = 3 y = 10 x = ?? x = 0 y = 30 = 1 (mod 17) x = 1 y = 31 = 3 (mod 17) x = 2 y = 32 = 9 (mod 17) x = 3 y = 33 = 10 (mod 17) ★
  • 13. Discrete log problem p = 218473595898882084755067249171622650635714019853253703676313 617811140296530259568151576053281904111410441606898157413193 811965329798715000389798623091587382509451185549616268241523 075366058726165028842888780624670527776052278467097818506147 927484588389513422048126018381129378053717826003801060205228 844064528238188244556839820428829281834311945931891714310663 711385102529796485135530787625845961474274568372896230088793 648294777051836361493041209989486542781338740267111884943117 708835148893633513800645204134596026961413539494079718100718 483541278687259340578110522855117260709519548286257619847978 31079801857828431
  • 15. + Key Exchange Client Server g,p yb g, p yb = gb (mod p) Ephemeral Random b TLS_DHE_RSA_WITH_AES_128….
  • 16. + Key Exchange Client Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya
  • 17. + Key Exchange Client Server m = premaster key yb ya m = gba (mod p) (yb)a = (gb)a = gba (mod p) m = gab (mod p) (ya)b = (ga)b = gab (mod p) yb = gb (mod p) ya = ga (mod p) ★
  • 18. OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
  • 19. Server g,p yb g, p yb = gb (mod p) ya OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) ★
  • 20. Attack Requirement #1 (Static ephemeral keys) Server g,p m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral SSL_OP_SINGLE_DH_USE wasn’t set ★
  • 21. Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya Attack Requirement #2 (Not verifying the incoming value) m = gab (mod p) (ya)b = (ga)b = gab (mod p) ★
  • 22. Discrete log problem What about p? Which prime number should I choose? OBSERVATION: (p-1) is always even { Safe prime ==> (p -1)/2 is also prime (many RFCs) { Or at least == > (p -1)/2 should not be a product of small primes
  • 23. RFC 5114 - O(224) p = 2048 bit g = >>2 q = 224 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). ★
  • 24. Attack Requirement #3 (Product of small primes) RFC 5114 m = premaster key yb g, p yb = ga (mod p)
  • 25. Attack succeeded!! RFC 5114 m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral ★ ya = ga (mod p) ya So we can compute: { b mod (2) { b mod (3) { … { b mod (5213881177) Finally we can combine the result using the Chinese Remainder Theorem (CRT)!!
  • 26. History of RFC 5114 ...a semi-mysterious RFC 5114 – Additional Diffie- Hellman Groups document. It introduces new MODP groups not with higher sizes, but just with different primes. … no one really wanted these, but no one really objected to it either, so the document (originating from Defense contractor BBN) made it to RFC status.
  • 27. References { https://www.openssl.org/news/secadv/20160503.txt { http://blog.intothesymmetry.com/2016/01/openssl-key-recovery-attack- on-dh-small.htmlMultiplication { http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.5296 { http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl- allows-attackers-to-decrypt-https-traffic/
  • 30. Discrete log function Primitive root (generator) Example p = 17 Generator g = 3 {30,31,32,33,34,35,36, … } ==> {1, 3, 9, 10, 13, 5, 15, …}
  • 31. OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) (yb)aBj = gbaBj ya (ya)b = (gaB)b = gabBb (mod p) 0 < j < ord(B) == > small B = j mod (ord(B)) ★
  • 32. RFC 5114 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). • ∃ gi s.t. q = 2 • ∃ gi s.t. q = 3 • ∃ gi s.t. q = 5 • … from O(224) to O(44)
  • 33. OpenSSL Key Recovery Attack on DH small subgroups - Validation Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) ya VALIDATION Check that ya q (mod p) = 1 ★
  • 34. Chinese Remainder Theorem (CRT) b = l (mod ord(B1)) b = m (mod ord(B2)) b = n (mod ord(B3)) We can find a unique solution mod(ord(B1) * ord(B2) * ord(B3)) ★
  • 35. “Trap door” one way functions x f(x ) easy extremely hard easy given t t