Crypto storage
You don't need to (and probably shouldn't) write your own cryptographic storage implementation. Using the public-domain aescrypt library means you don't have to...but how does it work? In this presentation I examine the aescrypt file format and explain what it does and why.

Speaker notes

  • Yes, so there is the NSFileProtection encryption. However, the ability to use that to actually protect data depends on the user having a passcode lock enabled, and you can’t test for that in your app. If you can’t enforce that all of your users comply with a particular passcode policy, you must implement your own protection mechanism.
  • The main problem with creating any new crypto format is the chance that you’ll introduce new vulnerabilities by misusing the crypto primitives, even if those primitives themselves are bug-free. Sidestep that risk and reduce development time by choosing an existing solution: but notice that solutions like GPG and OpenPGP have licensing restrictions that are incompatible with the app stores.
  • This basically just exists to let you know you’re looking at the correct kind of file.
  • Don’t spend too much time on this slide, you cretin :-P
  • Remember not to leak any information in the metadata that should be a secret. For example: keeping photographs of a protest confidential may not be enough for a user if the photo timestamp and geolocation make their attendance public.
  • The point of the HMAC is to provide integrity checking. There’s no real attack against AES in the case of tampered ciphertext - you can replace real data with garbage, but you can’t replace real data with other real data. The point of this HMAC is that it’s the quickest way to verify that the key was recovered correctly.
  • Notice that this is one of two choices: PKCS#7 padding is the other option.

Crypto storage: Presentation Transcript

  • Cryptographic storage for people in a hurry. Graham Lee, smartphone security boffin, Fuzzy Aliens Ltd. fuzzyaliens.com
  • From App to Crap
  • Nut[the problem]shell
    • Want to store data
    • But it must be secret
      • if the phone is stolen
      • if the iTunes backup is stolen
    • It must be tamper-proof
      • …to some extent
  • Solution: aescrypt
    • Unencumbered (public domain) format and freeware implementation at http://aescrypt.org
    • Not just you using it
    • Mac, iOS, more
    • Let’s start at byte 0 :-)
  • ‘AES0020’
    • Magic number
    • Tells you the version of the crypto format
  • Meet a Data
  • Metadata
    • Arbitrary ‘extensions’ section
    • Creator ID, creation date…
    • …as long as that stuff isn’t a secret
  • What’s our vector, Victor?
        // We will use an initialization vector comprised of the current time
        // process ID, and random data, all hashed together with SHA-256.
    source: wikipedia
  • You can’t come in here unless you say “Swordfish”
        // Hash the IV and password 8192 times
        memset(digest, 0, 32);
        memcpy(digest, IV, 16);
        for (i = 0; i < 8192; i++) {
            sha256_starts(&sha_ctx);
            sha256_update(&sha_ctx, digest, 32);
            sha256_update(&sha_ctx, (unsigned char *)passwd, (unsigned long)passlen);
            sha256_finish(&sha_ctx, digest);
        }
  • Cutty say e cant HANG!
    • The key we just derived is not used to encrypt the plaintext file
    • Instead, it’s used to encrypt a key, which is itself used to encrypt the file.
    • …why?
  • Irony: Eminem tribute act singing “the real slim shady”…
    16 Octets - Initialization Vector (IV) used for encrypting the IV and symmetric key that is actually used to encrypt the bulk of the plaintext file.
    48 Octets - Encrypted IV and 256-bit AES key used to encrypt the bulk of the file
        16 octets - initialization vector
        32 octets - encryption key
    32 Octets - HMAC
    nn Octets - Encrypted message (2^64 octets max)
    1 Octet - File size modulo 16 in least significant bit positions
    32 Octets - HMAC
    …
  • Filler material…
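Added example, written for this page and not taken from the talk or from the aescrypt project: a Python sketch of the password handling the preceding slides describe. It ports the 8192-round SHA-256 loop from the “Swordfish” slide, lays out the 16-octet IV, 48-octet encrypted IV+key block and 32-octet HMAC from the format slide, and uses that HMAC the way the speaker notes describe, as the quickest check that the password-derived key was recovered correctly, before any decryption is attempted. Assumptions not stated on the page: the HMAC is HMAC-SHA256 keyed with the derived key over the 48 encrypted octets; the IV comes from os.urandom rather than the time/process-ID/random hash on the “Victor” slide; password bytes are whatever the caller passes (the real tool has its own encoding rule); and the 48 encrypted octets are a constructed stand-in, since this example performs no AES.

```python
"""aescrypt-style password key derivation and HMAC key check (illustrative).

Written as an added example for this page; it is not the aescrypt
implementation. Assumed, not stated on the slides: the 32-octet HMAC that
follows the 48-octet encrypted IV+key block is HMAC-SHA256 keyed with the
password-derived key and computed over those 48 octets.
"""
import hashlib
import hmac
import os

ROUNDS = 8192  # from the "Swordfish" slide


def derive_key(iv: bytes, password: bytes) -> bytes:
    """Port of the slide's loop: digest starts as IV || 16 zero bytes, then
    digest = SHA-256(digest || password), repeated 8192 times."""
    if len(iv) != 16:
        raise ValueError("IV must be 16 octets")
    digest = iv + bytes(16)  # memset(digest, 0, 32); memcpy(digest, IV, 16)
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest + password).digest()
    return digest  # 32 bytes: the AES-256 key-encrypting key


def key_block_mac(kek: bytes, encrypted_key_block: bytes) -> bytes:
    """Assumed construction: HMAC-SHA256 over the 48 encrypted octets,
    keyed with the password-derived key."""
    if len(encrypted_key_block) != 48:
        raise ValueError("encrypted IV+key block must be 48 octets")
    return hmac.new(kek, encrypted_key_block, hashlib.sha256).digest()


def build_header(password: bytes, encrypted_key_block: bytes, iv=None) -> bytes:
    """16-octet IV || 48-octet encrypted IV+key || 32-octet HMAC.
    Assumption: IV from os.urandom (the tool hashes time, PID and random data)."""
    iv = os.urandom(16) if iv is None else iv
    kek = derive_key(iv, password)
    return iv + encrypted_key_block + key_block_mac(kek, encrypted_key_block)


def check_password(header: bytes, password: bytes) -> bool:
    """Re-derive the KEK from the header's IV and verify the HMAC in constant
    time. A wrong password (or a tampered key block) is rejected here, before
    any AES decryption of the key block or the file body is attempted."""
    if len(header) < 96:
        raise ValueError("header too short: need 16 + 48 + 32 octets")
    iv, blob, mac = header[:16], header[16:64], header[64:96]
    kek = derive_key(iv, password)
    return hmac.compare_digest(key_block_mac(kek, blob), mac)


def main():
    # Constructed sample: a stand-in for the 48 encrypted octets (no AES here)
    blob = bytes(range(48))
    header = build_header(b"correct horse", blob, iv=bytes(16))
    print(check_password(header, b"correct horse"))   # True
    print(check_password(header, b"wrong"))           # False
    tampered = header[:20] + bytes([header[20] ^ 1]) + header[21:]
    print(check_password(tampered, b"correct horse")) # False


if __name__ == "__main__":
    main()
```

The derivation is deliberately slow (8192 hash rounds) so that guessing passwords against a stolen file or backup costs the guesser 8192 SHA-256 computations per attempt; the HMAC check makes a wrong guess fail cleanly instead of producing garbage key material that would only be noticed once the file body failed its own HMAC.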
  • To the Question Pit! @iamleeg fuzzyaliens.com