Published in: Technology, Education
  1. (Mis)using Cryptography. Slides by: Ynon Perek
  2. Agenda
     - Why
     - Misusing Crypto Algorithms
     - Misusing RNG
  3. What can go wrong?
  4. What can go wrong?
     - (2011) A small internet company writes a Facebook game for Bezeq; the winner gets an iPad
     - The developer had a problem
  5. What can go wrong?
     - After the game ends, he wanted to send the score back to the server:
       0000000: 4e7a 1400 0000 0100 1212 33F1 5b62 4b5f  Nz.......q.3[bK_
       0000010: 16ea 0b5c ff7b b6d4 7c78 f2f4 7a70 00ce  ....{..|x..zp..
       0000020: c700 7cd1 93e3 8b44 e31a 32              ..|....D..2
     - (The slide labels part of this dump as the score)
  6. What Would You Do?
  7. Who Are You Afraid Of?
  8. What can go wrong?
     - To protect the score from tampering, the developer appended a secret code, which only he knew how to calculate, after the score
     - (Same dump as slide 5, with the trailing bytes labelled "Secret Code")
  9. What can go wrong?
     - The code is different for every score
     - To change the score, a hacker would need to understand how to calculate the code
  10. What can go wrong?
     - Hackers easily found the rules for calculating the auth code
     - Game broken. Developer unemployed
  11. Why You Should Care
     - Cryptography isn't magic
     - Misuse leads to failure
  12. The Problem (word cloud): SSH / SSL / TLS, Stream Cipher, MD5, GCM, ECB Mode, Block Cipher, RC4, RNG, DH, SHA1 / SHA2 / SHA3, Digital Signature, Rainbow Tables, RSA
  13. The Problem
     - It's complicated
     - Too busy to read the spec
  14. Misusing Crypto Algorithms
     - Rolling Your Own
     - Using The Wrong Algorithm: Encryption, Tamper Proofing
     - Future Proofing
  15. Home Grown Crypto
     - Crypto primitives are tested by experts
     - Don't grow your own
     - Only use primitives you fully understand
  16. What We Need
     - Fingerprint
     - Symmetric Encryption
     - Tamper Proofing
  17. Fingerprinting
     - A fingerprint is something storable that represents something big
  18. Fingerprinting
     - A digital fingerprint is kept using a hash function
     - H(data) = unique fingerprint
     - Slide example: H(a long paragraph of placeholder text) = 46a03c37c1d9b9a79a192aa84e3b9475
  19. Fingerprint
     - A collision is an event of two different inputs having the same fingerprint
  20. Fingerprint Risks
     - Server indexes data by fingerprint
     - Adversary creates collisions to break the server
  21. Fingerprint Gone Bad
  22. Hash Functions
     - Use SHA-3 to prevent collisions
     - SHA-2 is also safe
  23. Hash Functions
     - Avoid using for fingerprints: MD4, MD5, CRC
     - MD5 Collisions
     - Rethink SHA-1: practical attacks expected ~2018
  24. Quiz
     - What's the difference between a hash and a password verifier?
  25. Q&A: Fingerprints
  26. Encryption
     - Use when:
       - Privileged parties need to read the data
       - Adversaries must not understand anything about it
  27. Encryption
     - Attack types:
       - Cipher-text only
       - Known plaintext
       - Chosen plaintext
       - Chosen cipher-text
  28. Encryption
     - Available tools:
       - Stream ciphers (RC4, Salsa20)
       - Block ciphers (DES, AES, RC5, Blowfish)
  29. Stream Cipher (diagram): Seed / Key -> Stream Cipher -> Key Stream; Key Stream XOR Message Stream = Cipher Stream
  30. Bad Ciphers
     - Cipher(K, M1) = C1
     - Cipher(K, M2) = C2
     - K ^ M1 = C1
     - K ^ M2 = C2
     - K
  31. Key Reuse Demo
     - Don't re-use the key for different messages!
     - Demo script shown on the slide (Perl; only fragments captured): `use ...; my ...; write_file ...`
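The key-reuse failure of slides 30 and 31 in working code, as an added example (not the deck's Perl demo, which was not captured). The keystream is produced by AES-256 in CTR mode, which is a sound primitive; the only flaw on display is using the same key and nonce for two messages, so that C1 XOR C2 = M1 XOR M2 and a known M1 reveals M2 without the key. All keys, nonces and messages are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

# XOR two byte strings of equal length.
def xor_bytes(a, b)
  raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Keystream selected by (key, nonce): the Seed/Key -> Key Stream box of the
# stream-cipher diagram. Built from AES-256-CTR by encrypting zero bytes.
def keystream(key, nonce, length)
  return ''.b if length.zero?
  cipher = OpenSSL::Cipher.new('aes-256-ctr')
  cipher.encrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.update("\x00".b * length) + cipher.final
end

# Encryption and decryption are the same XOR with the keystream.
def stream_crypt(key, nonce, data)
  xor_bytes(data, keystream(key, nonce, data.bytesize))
end

# The misuse: the same (key, nonce) protects two messages. The keystream
# cancels in C1 XOR C2, leaving M1 XOR M2, so anyone who knows (or guesses)
# M1 reads M2. No key material is ever recovered or needed.
def recover_second_message(c1, c2, known_m1)
  xor_bytes(xor_bytes(c1, c2), known_m1)
end

# The fix: a fresh random nonce for every message, sent alongside it.
def encrypt_with_fresh_nonce(key, message)
  nonce = SecureRandom.random_bytes(16) # CTR uses a block-sized nonce/counter
  [nonce, stream_crypt(key, nonce, message)]
end

# Worked run on constructed values (none of these come from the slides).
def key_reuse_demo
  key   = OpenSSL::Digest::SHA256.digest('constructed demo key')
  nonce = "\x00".b * 16                 # reused on purpose: the bug
  m1 = 'score=0000123;user=alice'
  m2 = 'score=0099999;user=bobby'       # same length as m1
  c1 = stream_crypt(key, nonce, m1)
  c2 = stream_crypt(key, nonce, m2)
  leaked = recover_second_message(c1, c2, m1)

  _n1, d1 = encrypt_with_fresh_nonce(key, m1)
  _n2, d2 = encrypt_with_fresh_nonce(key, m2)
  still_leaks = recover_second_message(d1, d2, m1) == m2
  { leaked_m2: leaked, fresh_nonce_leaks: still_leaks }
end
```

With the reused nonce `leaked_m2` is exactly the second plaintext; with fresh nonces the same XOR yields unrelated bytes, which is the whole reason the nonce exists (slides 35 and 37).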
  32. Quiz: Spot the bug
     - Code shown on the slide (Java; only fragments captured): a public method taking `paramArrayOfByte1` and `paramArrayOfByte2` and operating on `this` fields
  33. Quiz
     - The diagram describes WEP encryption
     - The IV is 24 bits, and unique per packet
     - Packet size = 1500 bytes
     - Where's the bug?
  34. RC4 Cipher
     - Other issues:
       - Key scheduling (WEP)
       - Cipher-text malleability
     - Bottom line: Don't run with scissors
  35. Salsa20 Cipher
     - Considered safe
     - Keep the key a secret
     - Send IVs as plain-text
     - Demo: salsa20.rb
  36. Quiz
     - A big company with millions of subscribers needs to issue a unique key to each
     - Keeping all the keys in the DB would take too much storage
     - What would you suggest?
  37. Quiz
     - What's an IV?
     - What do you do with it?
  38. Block Ciphers
     - Encrypt a block to another block
     - Recommended cipher: AES
  39. Block Modes (diagram): Input Blocks -> Output
  40. ECB Mode
  41. Avoid ECB Mode (image: cleartext beside its ECB-mode encryption)
  42. CBC Mode
  43. CBC Problems
  44. Padding Oracle
     - Conditions for the attack:
       - Valid padding + valid value = success message
       - Valid padding + invalid value = error message
       - Invalid padding + valid value = exception
  45. In The Wild
     - (CVE-2010-3332) Microsoft .NET Framework ... provides detailed error codes during decryption attempts
  46. Avoid CBC Mode
     - CBC mode does not authenticate the ciphertext
     - Risk: padding oracles
     - Read more: http:// labs/2010/9/14/ automated-paddingoracle-attacks-withpadbuster.html
  47. Symmetric Encryption
     - Use AES in GCM mode
     - Implemented in OpenSSL >= 1
     - With a random IV
     - And a key taken from PBKDF2
  48. Demo: Ruby GCM
     - Code shown on the slide (only fragments captured): `require ...` with the comment `# currently, AES-256-GCM or AES-256-CTR-HMAC-SHA-256 mode`; key, nonce and cipher are taken from a mode object, an AEAD ciphertext is built, one byte is flipped (`# aead[1] = 'f'`), and the result is decrypted and printed
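The recipe of slide 47 and the tamper demo of slide 48 as an added Ruby example using only the standard `openssl` library (this is not the deck's own demo, whose code was not captured, and not any particular gem's API). The key comes from PBKDF2-HMAC-SHA256, each message gets a fresh 12-byte random nonce, and decryption returns a single failure signal for any tampering with ciphertext, tag or associated data: there is no "valid padding but wrong value" middle state of the kind the padding-oracle slide describes. Password, salt, iteration count and messages are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000
KEY_BYTES   = 32   # AES-256
NONCE_BYTES = 12   # standard GCM nonce length

# Key from a password with PBKDF2-HMAC-SHA256 (slide 47: "key taken from a PBKDF2").
# The salt is random per key and stored next to the data; it is not secret.
def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, KEY_BYTES, 'sha256')
end

# AES-256-GCM under a fresh random nonce. The nonce and the tag travel in the
# clear with the ciphertext; only the key is secret. aad is authenticated but
# not encrypted (e.g. a user id that must not be swapped).
def gcm_encrypt(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = SecureRandom.random_bytes(NONCE_BYTES)
  cipher.iv = nonce
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  { nonce: nonce, ciphertext: ciphertext, tag: cipher.auth_tag, aad: aad }
end

# Verify-then-decrypt. Any mismatch (ciphertext, tag, nonce or aad changed)
# raises CipherError inside final; the caller sees only nil, never a partial
# plaintext and never a distinguishable error type.
def gcm_decrypt(key, msg)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = msg[:nonce]
  cipher.auth_tag = msg[:tag]      # must be set before final
  cipher.auth_data = msg[:aad]     # must be set before update
  cipher.update(msg[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Flip one bit of one byte in a field, the slide's aead[1] = 'f' experiment.
def tamper(msg, field = :ciphertext, index = 1)
  copy  = msg.dup
  bytes = msg[field].dup
  bytes.setbyte(index, bytes.getbyte(index) ^ 0x01)
  copy[field] = bytes
  copy
end

# Worked run on constructed values.
def gcm_demo
  salt = SecureRandom.random_bytes(16)
  key  = derive_key('constructed demo password', salt)
  msg  = gcm_encrypt(key, 'score=0000123', 'user=alice')
  {
    roundtrip:     gcm_decrypt(key, msg),
    flipped_body:  gcm_decrypt(key, tamper(msg)),
    flipped_tag:   gcm_decrypt(key, tamper(msg, :tag, 0)),
    swapped_user:  gcm_decrypt(key, msg.merge(aad: 'user=mallory')),
    same_key:      derive_key('constructed demo password', salt) == key
  }
end
```

The three tampering cases all come back as `nil`; compare that with the CBC padding-oracle slide, where the server's three different reactions were the attacker's signal.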
  49. Symmetric Encryption (libraries)
     - C#: Security.Cryptography.AuthenticatedAesCng
     - Java: .../master/src/test/java/name/stadig/gcm/
     - Ruby
  50. Quiz
     - Why is it considered harmful to decrypt a message from an external source?
  51. Quiz
     - What's a nonce?
     - What is its role in the encryption process?
  52. Q&A: Symmetric Encryption
  53. Tamper Proofing (diagram): Server -> Client: "Please keep this data and don't change it"
  54. Tamper Proofing
     - Use a special hash function (called HMAC)
     - Protects against changing the message AND the hash
  55. Tamper Proofing
     - OpenSSL command line to generate an HMAC (one line): echo "<message>" | openssl dgst -hmac "<key>"
  56. Bad Cryptography
     - What's the difference between:
       - echo "<message>" | openssl dgst -hmac "<key>"
       - echo "<message>" | openssl dgst
  57. Other Languages
     - .NET
     - Ruby: openssl/rdoc/OpenSSL/HMAC.html
     - Perl
  58. Tamper Proofing FAIL
     - Flickr API (2009): auth/?api_key=44fefa051fc1c61f5e76f27e620f51d5&extra=/login&perms=write&api_sig=38d39516d896f879d403bd327a932d9e
  59. Demo: Hash Extension
     - Calculate: original_md5 = MD5(secret + message)
     - Create a new message: newmessage = message + new_text
     - Create a new MD5 based on original_md5 AND newmessage (without using the secret)
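How the game score from the opening slides should have been protected, as an added Ruby example tying together slides 54 to 59 (it is not code from the deck). The weak "secret code" shape of slide 59, H(secret + message), is shown only as the anti-pattern it is: with MD5, SHA-1 or SHA-2 an attacker who holds one valid tag can extend the message and compute the tag for the extension without the secret. HMAC does not have this property, and the verifier compares tags in constant time. Key and messages are constructed.

```ruby
require 'openssl'

# Anti-pattern (slide 59): a plain hash over secret + message. Kept here
# only for contrast; do not use for tamper proofing.
def weak_tag(secret, message)
  OpenSSL::Digest::MD5.hexdigest(secret + message)
end

# Constant-time comparison: a length mismatch is rejected, and otherwise
# every byte is examined so timing does not reveal where the mismatch is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# HMAC-SHA256 tag under a key shared by server and client (slide 54).
def tag_message(key, message)
  OpenSSL::HMAC.hexdigest('SHA256', key, message)
end

# Wire format "message|tag". The tag is hex, so it never contains '|'.
def protect(key, message)
  "#{message}|#{tag_message(key, message)}"
end

# Returns the message if the tag verifies, nil for anything else: a changed
# score, a changed tag, a different key, or a malformed blob.
def verify(key, wire)
  message, sep, tag = wire.rpartition('|')
  return nil if sep.empty?
  return nil unless secure_equal?(tag_message(key, message), tag)
  message
end

# Worked run on constructed values: the honest client, a cheater editing
# the score, and a cheater who also rewrites the tag without the key.
def score_demo
  key  = 'constructed shared key'
  wire = protect(key, 'score=0000123;user=alice')
  forged = 'score=0099999;user=alice'
  {
    accepted:   verify(key, wire),
    edited:     verify(key, wire.sub('0000123', '0099999')),
    retagged:   verify(key, protect('guessed key', forged)),
    wrong_key:  verify('other key', wire)
  }
end
```

Only `accepted` carries a message back; the other three fail identically, which is what the game server in the story needed.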
  60. Bug Spotting
     - The following are considered weak and should be avoided:
       - RC4
       - MD4, MD5
       - DES, 3DES (or TripleDES)
       - ECB (for any block cipher)
  61. Bad Crypto
     - (2008) Fake X.509 certificate due to MD5 collisions
     - MD5 considered harmful today
  62. Bad Crypto
  63. Bad Crypto
     - (2009) Adobe upgrades from MD5 to SHA-256
     - Accidentally removing the KDF
  64. Bad Crypto
     - (2011) Breaking XML Encryption
     - CBC + wrong padding + server leaking info
     - Result: hacked
  65. Quiz
     - Which hash function is not vulnerable to length extension attacks?
  66. Q&A: Crypto Primitives
  67. Random Numbers
  68. Real RNG
     - True randomness
     - Expensive and slow
  69. Pseudo RNG: 840 511 737 277 ?
  70. Pseudo RNG
     - Start with an initial seed
     - Generate random numbers
  71. Pseudo RNG
     - Given a sequence, can you find the seed?
     - PRNG -> it depends
     - CSRNG -> you can't
  72. RNG
     - Use CSPRNG for:
     - Use PRNG for:
     - Demo: Cracking Python RNG
  73. Demo: CS PRNG
     - Code shown on the slide (Perl; only fragments captured): `use ...; my ...` with a "Toy PRNG"
  74. Other Languages
     - Java ->
     - .NET -> System.Security.Cryptography.RNGCryptoServiceProvider
     - Ruby -> SecureRandom
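The "given a sequence, can you find the seed?" question of slides 69 to 74, as an added Ruby example (not the deck's Perl or Python demo, neither of which was captured). The toy generator is a 16-bit linear congruential generator with textbook constants chosen for the demo; two observed outputs are enough to recover its seed by exhaustive search and predict every later value, which is why a PRNG output must never become a key, nonce or session token. The contrast is Ruby's `SecureRandom`, the CSPRNG named on slide 74.

```ruby
require 'securerandom'

# Toy PRNG: x_{n+1} = (a * x_n + c) mod 2^16. Constructed for the demo; the
# point is the tiny state, not these particular constants.
class ToyPrng
  MODULUS = 2**16
  A = 25_173
  C = 13_849

  def initialize(seed)
    @state = seed % MODULUS
  end

  # Each output is the full internal state, so outputs leak everything.
  def next_int
    @state = (A * @state + C) % MODULUS
  end
end

# Recover the seed from observed outputs by trying every possible seed.
# 2^16 candidates is nothing; the same idea scales to any PRNG whose
# state is small enough to enumerate or solve for.
def recover_seed(observed)
  (0...ToyPrng::MODULUS).find do |seed|
    g = ToyPrng.new(seed)
    observed.all? { |v| g.next_int == v }
  end
end

# With the seed in hand, replay the observed prefix and read the next value.
def predict_next(observed)
  seed = recover_seed(observed)
  return nil if seed.nil?
  g = ToyPrng.new(seed)
  observed.size.times { g.next_int }
  g.next_int
end

# CSPRNG for anything an adversary must not predict: keys, nonces, tokens.
# (Simulations and shuffled demo decks can use a plain PRNG; secrets cannot.)
def session_token
  SecureRandom.hex(16) # 128 bits, 32 hex characters
end

# Worked run: an observer sees two outputs and calls the third in advance.
def prng_demo(seed)
  g = ToyPrng.new(seed)
  seq = Array.new(3) { g.next_int }
  { observed: seq[0, 2], actual_third: seq[2],
    recovered_seed: recover_seed(seq[0, 2]), predicted_third: predict_next(seq[0, 2]) }
end
```

No comparable search exists for `SecureRandom`: its outputs are not a function of a small recoverable state, so two tokens say nothing about the third.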
  75. Bug Spotting
     - Code shown on the slide (Perl; only fragments captured): `sub ... { ... }`
  76. Recent Bug
     - 2006-2008: Debian used a broken CS-RNG
     - A developer commented out important parts of the RNG code
  77. Dual_EC_DRBG
  78. Dual_EC_DRBG
     - Dual elliptic curve deterministic random bit generator
     - Published in 2007, suspected of having a backdoor
     - Proved by Snowden's papers
  79. Dual_EC_DRBG
     - Full story: 2013/09/the-many-flaws-of-dualecdrbg.html
  80. Public Keys (PKI)
  81. In The Box
     - Certificate Authority (CA)
     - Digital Certificates (private & public key)
     - Key Distribution Server
     - Desktop and server software
  82. Demo: PGP
     - Started by Phil Zimmermann, 1991
     - PKI for all
  83. PGP Today
     - GNU took over to provide a patent-free implementation
     - Called GPG (GNU Privacy Guard)
  84. GPG Components
     - Certificate Authority
       - Each user creates his own certificate
       - Allows a Web of Trust
  85. GPG Components
     - Digital Certificates
       - Supported algorithms: RSA, DSA, ElGamal
       - Key length: 1024-8192
       - Recommended: 2048 bits
  86. GPG Components
     - Key Distribution Server
       - Can build your own or use the default
       - Distributes keys
  87. GPG Components
     - Desktop and server software
       - Linux, Windows and Mac
  88. GPG Demo
     - Creating a key pair
     - Search for keys
     - Encrypt / Decrypt
     - Sign / Verify
  89. Q&A: Public Keys
  90. Crypto Takeaways
     - Crypto's hard: don't grow your own crypto
  91. Crypto Takeaways
     - Crypto's hard, but lazy is not an option
     - Choose the right tool for the job
  92. Think About Tomorrow
     - Today's algorithms may fail tomorrow
     - Keep the future in mind when designing code
  93. Thanks For Listening
     - Ynon Perek
     - Pictures from: Wikipedia (Public Domain)