Crypto storage

You don't need to (and probably shouldn't) write your own cryptographic storage implementation. Using the public-domain aescrypt library means you don't have to...but how does it work? In this presentation I examine the aescrypt file format and explain what it does and why.

Published in: Technology
Notes
  • Yes, so there is the NSFileProtection encryption. However, the ability to use that to actually protect data depends on the user having a passcode lock enabled, and you can’t test for that in your app. If you can’t enforce that all of your users comply with a particular passcode policy, you must implement your own protection mechanism.
  • The main problem with creating any new crypto format is the chance that you’ll introduce new vulnerabilities by misusing the crypto primitives, even if those primitives themselves are bug-free. Sidestep that risk and reduce development time by choosing an existing solution: but notice that solutions like GPG and OpenPGP have licensing restrictions that are incompatible with the app stores.
  • This basically just exists to let you know you’re looking at the correct kind of file.
  • Don’t spend too much time on this slide, you cretin :-P
  • Remember not to leak any information in the metadata that should be a secret. For example: keeping photographs of a protest confidential may not be enough for a user if the photo timestamp and geolocation make their attendance public.
  • The point of the HMAC is to provide integrity checking. There’s no real attack against AES in the case of tampered ciphertext - you can replace real data with garbage, but you can’t replace real data with other real data. The point of this HMAC is that it’s the quickest way to verify that the key was recovered correctly.
  • Notice that this is one of two choices: PKCS#7 padding is the other option.
Crypto storage

    1–2. Cryptographic storage for people in a hurry
         Graham Lee, smartphone security boffin, Fuzzy Aliens Ltd. fuzzyaliens.com
    3–4. From App to Crap
    5–11. Nut[the problem]shell
         • Want to store data
         • But it must be secret
           • if the phone is stolen
           • if the iTunes backup is stolen
         • It must be tamper-proof
         • …to some extent
    12–16. Solution: aescrypt
         • Unencumbered (public domain) format and freeware implementation at http://aescrypt.org
         • Not just you using it
         • Mac, iOS, more
         • Let’s start at byte 0 :-)
    17. ‘AES0020’
         • Magic number
         • Tells you the version of the crypto format
    18. Meet a Data
    19–22. Metadata
         • Arbitrary ‘extensions’ section
         • Creator ID, creation date…
         • …as long as that stuff isn’t a secret
    23. What’s our vector, Victor?
         // We will use an initialization vector comprised of the current time,
         // process ID, and random data, all hashed together with SHA-256.
         source: wikipedia
    24. You can’t come in here unless you say “Swordfish”
         // Hash the IV and password 8192 times
         // digest starts as the 16-byte IV followed by 16 zero bytes
         memset(digest, 0, 32);
         memcpy(digest, IV, 16);
         for (i = 0; i < 8192; i++) {
             // each round: digest = SHA-256(digest || password)
             sha256_starts(&sha_ctx);
             sha256_update(&sha_ctx, digest, 32);
             sha256_update(&sha_ctx, (unsigned char *)passwd, (unsigned long)passlen);
             sha256_finish(&sha_ctx, digest);
         }
    25–26. Cutty say e cant HANG!
         • The key we just derived is not used to encrypt the plaintext file
         • Instead, it’s used to encrypt a key, which is itself used to encrypt the file.
         • …why?
    27. Irony: Eminem tribute act singing “the real slim shady”…
         16 octets - Initialization Vector (IV) used for encrypting the IV and symmetric key that is actually used to encrypt the bulk of the plaintext file
         48 octets - Encrypted IV and 256-bit AES key used to encrypt the bulk of the file
                     16 octets - initialization vector
                     32 octets - encryption key
         32 octets - HMAC
         nn octets - Encrypted message (2^64 octets max)
          1 octet  - File size modulo 16 in least significant bit positions
         32 octets - HMAC
    28. Filler material… (same layout table as slide 27)
    29–30. To the Question Pit! @iamleeg fuzzyaliens.com
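The container walk from slides 24 and 27, plus the "quickest way to verify that the key was recovered correctly" from the speaker notes, worked as an added Python example; this is written for this page, not code from aescrypt or the talk. It assumes the extension-block encoding from the aescrypt v2 spec (which the slides do not show), takes the password as raw bytes (the aescrypt tool feeds it UTF-16LE), and uses constructed placeholder bytes for the AES-encrypted parts, so it verifies the header HMAC and computes the unpadded length without doing any AES.

```python
import hashlib
import hmac

def derive_key(iv: bytes, password: bytes) -> bytes:
    """Slide 24: digest = IV zero-padded to 32 bytes, then SHA256(digest || password) 8192 times."""
    digest = iv + bytes(16)
    for _ in range(8192):
        digest = hashlib.sha256(digest + password).digest()
    return digest

def parse_v2(blob: bytes) -> dict:
    if blob[:3] != b"AES" or blob[3] != 2:
        raise ValueError("not an aescrypt v2 container")
    pos, exts = 5, []  # byte 4 is reserved
    # Assumption from the aescrypt spec, not the slides: extensions are 2-byte
    # big-endian length-prefixed "id\0payload" blocks, terminated by a zero length
    while True:
        length = int.from_bytes(blob[pos:pos + 2], "big")
        pos += 2
        if length == 0:
            break
        ident, _, payload = blob[pos:pos + length].partition(b"\0")
        exts.append((ident.decode(), payload))
        pos += length
    body = blob[pos + 96:]  # everything after IV (16) + wrapped key (48) + HMAC (32)
    if len(body) < 33:
        raise ValueError("truncated: need the fill byte and the trailing HMAC")
    return {"extensions": exts, "iv": blob[pos:pos + 16],  # IV only encrypts the inner IV + key
            "wrapped_key": blob[pos + 16:pos + 64],  # encrypted inner IV (16) + AES-256 key (32)
            "header_hmac": blob[pos + 64:pos + 96],  # HMAC-SHA256 of wrapped_key, derived key
            "ciphertext": body[:-33], "size_mod_16": body[-33],
            "body_hmac": body[-32:]}  # HMAC-SHA256 of ciphertext, inner key (not checked here)

def check_password(c: dict, password: bytes) -> bool:
    """The quick key check from the speaker notes: recompute the header HMAC over the wrapped key."""
    tag = hmac.new(derive_key(c["iv"], password), c["wrapped_key"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, c["header_hmac"])

def plaintext_length(c: dict) -> int:
    """Slide 28's fill byte instead of PKCS#7: discard the unused tail of the final block."""
    return len(c["ciphertext"]) - ((16 - c["size_mod_16"]) % 16)

def build_sample(password: bytes) -> bytes:
    """Constructed container: wrapped key, ciphertext and body HMAC are placeholder bytes, not
    real AES output; only the header HMAC is genuine, which is all check_password needs."""
    iv, wrapped, ext = bytes(range(16)), bytes(range(48)), b"CREATED_BY\0example"
    hm1 = hmac.new(derive_key(iv, password), wrapped, hashlib.sha256).digest()
    ct, fill, hm2 = bytes(48), 5, bytes(32)  # three ciphertext blocks, last holds 5 real bytes
    return (b"AES\x02\x00" + len(ext).to_bytes(2, "big") + ext + bytes(2)
            + iv + wrapped + hm1 + ct + bytes([fill]) + hm2)
```

A wrong password fails at the header HMAC before any bulk data is touched, which is the check the notes describe; a real file would additionally be verified against the trailing HMAC under the inner key after unwrapping it with AES.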
