Download as PDF, PPTX
![Demo: Ruby GCM
require
# currently, AES-256-GCM or AES-256-CTR-HMAC-SHA-256
mode =
key = mode.
nonce = mode.
cipher = mode.
!
aead = cipher.
# aead[1] = 'f'
plaintext = cipher.
puts](https://image.slidesharecdn.com/04cryptography-140105065513-phpapp01/85/Cryptography-48-320.jpg)
![Demo: Ruby GCM
require
# currently, AES-256-GCM or AES-256-CTR-HMAC-SHA-256
mode =
key = mode.
nonce = mode.
cipher = mode.
!
aead = cipher.
# aead[1] = 'f'
plaintext = cipher.
puts](https://image.slidesharecdn.com/04cryptography-140105065513-phpapp01/75/Cryptography-48-2048.jpg)
Uploaded byYnon Perek
Cryptography
This document discusses misusing cryptography. It begins with an agenda covering why cryptography is misused and how random number generators and crypto algorithms can be misused. It then discusses examples of what can go wrong, such as a game developer unintentionally allowing hackers to easily determine the secret code protecting scores. The document emphasizes that cryptography is complex and should not be casually misused, as failures can result in compromises like hacked systems and lost jobs. It provides recommendations for proper cryptographic practices.
Cryptography
- 1. (Mis)using Cryptography ! Slides by: YnonPerek http://ynonperek.com ynon@ynonperek.com
- 2.
- 3. What can gowrong ?
- 4. What can gowrong ? n n (2011) A small internet company writes a facebook game for Bezeq - winner gets an iPad Developer had a problem
- 5. What can gowrong ? n After the game ends, he wanted to send the score back to the server 0000000: 4e7a 1400 0000 0100 1212 33F1 5b62 4b5f Nz.......q.3[bK_" 0000010: 16ea 0b5c ff7b b6d4 7c78 f2f4 7a70 00ce ....{..|x..zp.." 0000020: c700 7cd1 93e3 8b44 e31a 32 ..|....D..2" score
- 6. What Would YouDo ?
- 7. Who Are YouAfraid Of ?
- 8. What can gowrong ? n To protect score from tampering, the developer added a secret code that only he knew how to calculate after the score 0000000: 4e7a 1400 0000 0100 1212 33F1 5b62 4b5f Nz.......q.3[bK_" 0000010: 16ea 0b5c ff7b b6d4 7c78 f2f4 7a70 00ce ....{..|x..zp.." 0000020: c700 7cd1 93e3 8b44 e31a 32 ..|....D..2" Secret Code
- 9. What can gowrong ? n n The code is different to every score To change score, a hacker would need to understand how to calculate the code
- 10. What can gowrong ? n n Hackers easily found the rules for calculating auth code Game broken. Developer unemployed
- 11. Why You ShouldCare n Cryptography isn’t magic n Misuse leads to failure
- 12. The Problem SSH /SSL / TLS Stream Cipher MD5 GCM ECB Mode Block Cipher RC4 RNG DH SHA1 / SHA2 / SHA3 Digital Signature Rainbow Tables RSA
- 13. The Problem n It’s Complicated n Toobusy to read spec
- 14. Misusing Crypto Algorithms Rolling Your Own UsingThe Wrong Algorithm Encryption Tamper Proofing Future Proofing
- 15. Home Grown Crypto n n n Cryptoprimitives are tested by experts Don’t grow your own Only use primitives you fully understand
- 16. What We Need n Fingerprint n SymmetricEncryption n Tamper Proofing
- 17. Fingerprinting n A fingerprint issomething storable that represents something big
- 18. Fingerprinting n n Digital fingerprint iskept using a Hash function H(data) = unique fingerprint Occaecat nulla retro, before they sold out swag nesciunt in ut sriracha jean shorts commodo aliqua velit id fugiat. Tofu plaid Pinterest, eiusmod aesthetic selvage semiotics dreamcatcher aliquip locavore farm-to-table meggings master cleanse odio Bushwick. Biodiesel Williamsburg yr direct trade, pickled dreamcatcher ethnic keffiyeh. Cliche Brooklyn nihil commodo helvetica dolor. Church-key fanny pack hashtag VHS. Ullamco consequat nostrud incididunt typewriter asymmetrical. Retro aute four loko pickled tattooed Neutra. H(...) 46a03c37c1d9b9a79a192aa84e3b9475
- 19. Fingerprint n A Collision isan event of two different data having the same finger print
- 20. Fingerprint Risks n Server indexesdata by fingerprint n Adversary creates collisions to break the server
- 21.
- 22. Hash Functions n Use SHA-3to prevent collisions n SHA-2 is also safe
- 23. Hash Functions n Avoid usingfor fingerprints: n n n MD4, MD5, CRC MD5 Collisions: http://www.win.tue.nl/hashclash/rogue-ca/ Rethink SHA-1 Practical attacks expected ~2018
- 24. Quiz n What’s the differencebetween a Hash and a password verifier ?
- 25.
- 26. Encryption n Use When: n n Privileged partiesneed to read the data Adversaries must not understand anything about it
- 27. Encryption n Attack Types: n Cipher-text only n Knownplaintext n Chosen plaintext n Chosen cipher-text
- 28. Encryption n Available Tools: n Stream Ciphers(RC4, Salsa20) n Block Ciphers (DES, AES, RC5, Blowfish)
- 29. Stream Cipher Cipher Seed KeyStream XOR Message Stream Cipher Stream
- 30. Bad Ciphers n Cipher(K, M1)= C1 n Cipher(K, M2) = C2 n K ^ M1 = C1 n K ^ M2 = C2 n K
- 31. Key Reuse Demo n Don’tre-use the key for different messages ! use use use use use my my my write_file write_file write_file
- 32. Quiz: Spot thebug public { paramArrayOfByte1 paramArrayOfByte2 ! ! } this this this this this paramArrayOfByte2 this this this this this
- 33. Quiz n n Diagram describes WEP encryption IVis 24bit, and unique per packet n Packet size = 1500 bytes n Where’s the bug ?
- 34. RC4 Cipher n Other issues n n n KeyScheduling (WEP) Cipher-text malleability Bottom line: Don’t run with scissors ( www.youtube.com/watch?v=A6CP7wRLE3E
- 35. Salsa20 Cipher n Considered safe n Keepkey a secret n Send IVs as plain-text n Demo: salsa20.rb
- 36. Quiz n n n Big company with millionsof subscribers need to issue a unique key to each Keeping all the keys in the DB would take too much storage What would you suggest ?
- 37. Quiz n What’s an IV? n What do you do with it ?
- 38. Block Ciphers ! ! ! n Encrypt blockto another block n Recommended cipher: AES
- 39.
- 40.
- 41.
- 42.
- 43.
- 44. Padding Oracle n Conditions forthe attack: n valid padding + valid value = Success message n valid padding + invalid value = Error message n invalid padding + valid value = Exception
- 45. In The Wild n (CVE-2010-3332)Microsoft .NET Framework … provides detailed error codes during decryption attempts
- 46. Avoid CBC Mode n n n CBCMode does not authenticate ciphertext Risk: Padding Oracles Read More: http:// blog.gdssecurity.com/ labs/2010/9/14/ automated-paddingoracle-attacks-withpadbuster.html
- 47. Symmetric Encryption n Use AESin GCM mode n Implemented in OpenSSL >= 1 n With random IV n And key taken from a PBKDF2
- 48. Demo: Ruby GCM require #currently, AES-256-GCM or AES-256-CTR-HMAC-SHA-256 mode = key = mode. nonce = mode. cipher = mode. ! aead = cipher. # aead[1] = 'f' plaintext = cipher. puts
- 49.
- 50. Quiz n Why is itconsidered harmful to decrypt a message from an external source ?
- 51. Quiz n What’s a nonce? n What is its role in the encryption process ?
- 52.
- 53. Tamper Proofing Server Please keepthis data and don’t change it Client
- 54. Tamper Proofing n Use aspecial hash function (called HMAC) n Protects against changing message AND hash
- 55. Tamper Proofing OpenSSL commandline to generate HMAC (one line) n echo ! openssl dgst
- 56. Bad Cryptography n What’s thedifference between: n n echo -hmac echo
- 57.
- 58. Tamper Proofing FAIL n FlickrAPI (2009) http://www.flickr.com/services/ auth/? ! api_key=44fefa051fc1c61f5e76f27 e620f51d5& ! extra=/login& ! perms=write& ! api_sig=38d39516d896f879d403bd3 27a932d9e
- 59. Demo: Hash Extension n n n Calculate: original_md5= MD5(secret + message) Create a new message: newmessage = message + new_text Create a new MD5 based on original_md5 AND newmessage (without using secret)
- 60. Bug Spotting n The followingare considered weak and should be avoided: n RC4 n MD4, MD5 n DES, 3DES (or TripleDES) n ECB (For any block cipher)
- 61. Bad Crypto n (2008) FakeX.509 due to MD5 collisions n MD5 Considered harmful today
- 62.
- 63. Bad Crypto n (2009) Adobeupgrades from MD5 to SHA-256 n Accidentally removing the KDF
- 64. Bad Crypto n n n (2011) BreakingXML Encryption CBC + Wrong padding + Server leaking info Result: Hacked
- 65. Quiz n Which hash functionis not vulnerable to length extension attack ?
- 66.
- 67.
- 68.
- 69.
- 70. Pseudo RNG n Start withan initial seed n Generate random numbers
- 71. Pseudo RNG n Given asequence, can you find the seed ? n PRNG -> it depends n CSRNG -> you can’t
- 72. RNG n Use CSPRNG for n UsePRNG for n Demo Cracking Python RNG: https://github.com/fx5/not_random
- 73.
- 74. Other Languages n Java -> java.security.SecureRandom n .NET-> System.Security.Cryptography.RNGCryptoServiceProvider n Ruby -> SecureRandom
- 75.
- 76. Recent Bug n n 2006-2008 Debianused a broken CS-RNG Developer commented out important parts of RNG code
- 77.
- 78. Dual_EC_DRBG n Dual elliptic curvedeterministic random bit generator n Published in 2007, suspected with a backdoor n Proved by snowden’s papers
- 79.
- 80.
- 81. In The Box n CertificateAuthority (CA) n Digital Certificates (Private & Public key) n Key Distribution Server n Desktop and Server software
- 82. Demo: PGP n n Started byPhil Zimmerman 1991 PKI for all
- 83. PGP Today n n GNU tookover to provide patent-free implementation Called GPG (Gnu Privacy Guard)
- 84. GPG Components n Certificate Authority n Eachuser creates his own certificated. n Allow Web Of Trust
- 85. GPG Components n Digital Certificates n Supportedalgorithms: RSA, DSA, ElGamal n Key length: 1024-8192 n Recommended: 2048 bits
- 86. GPG Components n Key DistributionServer n Can build your own or use the default n Distribute keys
- 87. GPG Components n Desktop andServer software n Linux, Windows and Mac n http://www.gnupg.org/
- 88. GPG Demo n Creating Key-pair n Searchfor keys n Encrypt / Decrypt n Sign / Verify
- 89.
- 90. Crypto Takeaways n Crypto’s hard:Don’t grow your own crypto
- 91. Crypto Takeaways n Crypto’s hard:But lazy is not an option n Choose the right tool for the job
- 92. Think About Tomorrow n n Today’salgorithms may fail tomorrow Keep future in mind when designing code
- 93. Thanks For Listening n YnonPerek n n n http://ynonperek.com ynon@ynonperek.com Pictures From: n Wikipedia (Public Domain) n 123rf.com n Stockfresh.com