Cargo Cult Security
https://github.com/disaacson/cargo-cult-security
by Derrick Isaacson

See common anti-patterns for securing web applications and how to correct them. Learn how to differentiate between authentication, authorization, secrecy, integrity, non-repudiation, and other security goals.

Examples include how:
* a theoretical "secret" banking request is corrupted to pad an attacker's bank account,
* an insecure "session" authentication token is attacked, and
* a "random" XSRF value gives a false sense of security.

Correct principles and patterns are analyzed and compared with common incorrect ones.

Published in: Technology, Education

  • “The term "cargo cult" has been used metaphorically to describe an attempt to recreate successful outcomes by replicating circumstances associated with those outcomes, although those circumstances are either unrelated to the causes of outcomes or insufficient to produce them by themselves.” http://en.wikipedia.org/wiki/Cargo_cult
  • Use CBC (cipher-block chaining) mode instead of ECB (electronic codebook) mode to hide patterns.
  • Cargo Cult Security 2014_01_18

    1. Cargo Cult Security https://github.com/disaacson/cargo-cult-security by Derrick Isaacson
    2. http://en.wikipedia.org/wiki/Cargo_cult
    3. Richard Feynman
    4. Cargo Cult Programming. Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.
         • Design patterns
         • Factory
         • Wrapper
         • Dependency injection
         • Cryptography
         • Encryption
         • Hashing
    5. The Big Picture
    6. Crypto Primitives & Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust.
    7. Anti-pattern: Authentication

       ```php
       $plainTextId = '100000';
       echo '<h4>"Secure" URL for image ' . $plainTextId . '.</h4>';
       // The id is encrypted, but nothing authenticates the resulting value
       $cryptTextId = bin2hex(mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainTextId,
                                             MCRYPT_MODE_OFB, $initializationVector));
       $secretImageUrl = "…?secure_id=" . $cryptTextId;
       echo '<a href="' . $secretImageUrl . '">' . $secretImageUrl . '</a>';
       ```
    8. private_image.php?secure_id=573146feb41e

       ```php
       $cryptTextId = $_GET["secure_id"];   // 573146feb41e
       $plainTextId = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, hex2bin($cryptTextId),
                                           MCRYPT_MODE_OFB, $initializationVector));   // 100000
       $imageData = file_get_contents("img/" . $plainTextId);
       echo '<img src="data:image/png;base64,' . base64_encode($imageData) . '">';
       ```

       Image: Team Photo
    9. private_image.php?secure_id=573146feb41e
       private_image.php?secure_id=573146feb41f

       ```php
       $cryptTextId = $_GET["secure_id"];   // 573146feb41f
       $plainTextId = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, hex2bin($cryptTextId),
                                           MCRYPT_MODE_OFB, $initializationVector));   // 100001
       $imageData = file_get_contents("img/" . $plainTextId);
       echo '<img src="data:image/png;base64,' . base64_encode($imageData) . '">';
       ```

       Image: attack plan
    10. Crypto Primitives & Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust.
    11. Anti-pattern: Integrity

        ```php
        // Encrypt
        $aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        // …
        return mcrypt_generic($aes, $data);
        ```

        ```php
        // One ciphertext byte is changed before decryption
        $cipher[45] = chr(ord($cipher[45]) ^ ord(".") ^ ord("0"));
        ```

        ```php
        // Decrypt
        $aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        // …
        return mdecrypt_generic($aes, $data);
        ```
    12. Crypto Primitives & Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust.
    13. HMAC

        ```php
        $plainTextId = '100000';
        // hash_hmac() takes the message first and the key second
        $hmac = hash_hmac("sha256", $plainTextId, $key);
        $secretImageUrl = "…?id=" . $plainTextId . "&hmac=" . $hmac;
        echo '<a href="' . $secretImageUrl . '">' . $secretImageUrl . '</a>';
        ```

        ```php
        $plainTextId = $_GET["id"];
        $signature = $_GET["hmac"];
        $hmac = hash_hmac("sha256", $plainTextId, $key);
        // hash_equals() compares in constant time and needs two strings
        if (is_string($signature) && hash_equals($hmac, $signature)) {
            $imageData = file_get_contents("img/" . $plainTextId . ".jpg");
            echo '<img src="data:image/png;base64,' . base64_encode($imageData) . '">';
        } else {
            echo '<h4 class="error">Permission Denied!</h4>';
        }
        ```

        Output: Permission Denied!
    14. Crypto Primitives & Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust.
    15. Encryption Parameters

        ```php
        mcrypt_encrypt(        // Creates cipher text
            MCRYPT_BLOWFISH,   // Cipher (AES, Blowfish, …)
            $key,              // Secret key
            $plainText,        // Data to encrypt
            MCRYPT_MODE_CBC,   // CBC, ECB, OFB, …
            $iv);              // Initialization Vector
        ```
    16. Anti-pattern: Encryption Modes

        ```php
        $plainImageData = file_get_contents($file);
        $cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainImageData,
                                    MCRYPT_MODE_ECB, $initializationVector);
        file_put_contents($file . ".encrypted.data", $cryptText);
        ```
    17. Cipher-block Chaining Mode

        ```php
        $plainImageData = file_get_contents($file);
        $cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainImageData,
                                    MCRYPT_MODE_CBC, $initializationVector);
        file_put_contents($file . ".encrypted.data", $cryptText);
        ```
    18. Encryption Parameters

        ```php
        mcrypt_encrypt(        // Creates cipher text
            MCRYPT_BLOWFISH,   // Cipher (AES, Blowfish, …)
            $key,              // Secret key
            $plainText,        // Data to encrypt
            MCRYPT_MODE_CBC,   // CBC, ECB, OFB, …
            $iv);              // Initialization Vector
        ```
    19. Anti-pattern: Initialization Vector

        ```php
        $plainText = "Hold";
        // The IV is derived from the key, so it is the same for every message
        $cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainText,
                                    MCRYPT_MODE_CBC, md5($key));
        ```

          • Monday: “a8b8f95c46”
          • Tuesday: “a8b8f95c46”
          • Wednesday: “a8b8f95c46”
          • Thursday: “a8b8f95c46”
          • Friday: “10f32c937a1284db”
    20. Modes and IVs
          • Cipher-block chaining prevents patterns within messages
          • Correct IV prevents patterns across messages
    21. Generating Keys & Initialization Vectors

        ```php
        $key = "koicy37m8ao2nl07";
        $iv = rand();
        $cypherText = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plainText,
                                     MCRYPT_MODE_CBC, $iv);
        ```

          • How many bits of key entropy can be contained in 16 alphanumeric characters?
          • 96 bits!
          • ~0.00000002% of possible search space
          • What initialization vector is really used here?
          • “0000000000000000”!
          • PHP Warning: mcrypt_decrypt(): The IV parameter must be as long as the blocksize in /home/derrick/…/CBC.php on line 27
          • Use

        ```php
        $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
        $iv = mcrypt_create_iv($size);
        ```
    22. Anti-pattern: Random Values

        ```php
        <form action="">
          <label>Donation amount</label>
          <input type="text" value="10.00">
          <?php
          $csrfToken = rand();
          setCookie("csrfToken", $csrfToken);
          echo '<input type="hidden" value="' . $csrfToken . '">';
          ?>
          <input type="submit" value="Submit">
        </form>
        ```
    23. Finding Linear Congruential Seed

        ```java
        import java.util.Random;

        // Constants of the java.util.Random linear congruential generator
        long multiplier = 0x5DEECE66DL;
        long addend = 0xBL;
        long mask = (1L << 48) - 1;

        Random random = new Random();
        long v1 = random.nextInt();
        long v2 = random.nextInt();
        for (int i = 0; i < 65536; i++) {
            // v1 is the upper 32 bits of the 48-bit state; try each lower 16 bits
            long seed = v1 * 65536 + i;
            // Compare as int so that negative outputs match as well
            if ((int) (((seed * multiplier + addend) & mask) >>> 16) == (int) v2) {
                System.out.println("Seed found: " + seed);
                break;
            }
        }
        ```
    24. Anti-pattern: Pseudo-random Session IDs

        ```php
        <?php
        $uid = "12345678";
        $sessionId = md5($uid . rand() . microtime());
        setCookie("session_id", $sessionId);
        ?>
        ```

        Really only ~20 bits of entropy. A modern GPU can calculate that in a second! [9, 12]
    25. HMACs and Secure Random

        ```php
        <form action="">
          <label>Donation amount</label>
          <input type="text" value="10.00">
          <?php
          // Hex-encode once so the cookie and the hidden field carry the same value
          $csrfToken = bin2hex(openssl_random_pseudo_bytes(32));
          setCookie("csrfToken", $csrfToken);
          echo '<input type="hidden" value="' . $csrfToken . '">';
          ?>
          <input type="submit" value="Submit">
        </form>
        ```

        Do not use sessions! Use HMACs! Seriously.
    26. No Cargo Cult Security!
        1. Identify true security goal.
        2. Find correct crypto primitive.
        3. Spend some time to learn about it.
        4. Write as little of your own crypto code as possible.
    27. Crypto Primitives & Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust. https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325
    28. Crypto Primitives & Goals. Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates. Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust.
    29. Questions? derrick@lucidchart.com https://github.com/disaacson/cargo-cult-security
    30. References
        1. http://en.wikipedia.org/wiki/Cargo_cult
        2. http://neurotheory.columbia.edu/~ken/cargo_cult.html
        3. http://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc
        4. http://en.wikipedia.org/wiki/Cargo_cult_programming
        5. https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325
        6. http://www.scs.stanford.edu/10au-cs144/notes/
        7. http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
        8. http://security.stackexchange.com/questions/18033/how-insecure-are-phps-rand-functions
        9. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf
        10. http://security.stackexchange.com/questions/17988/how-insecure-are-non-cryptographic-random-numbergenerators
        11. http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html
        12. http://thepasswordproject.com/oclhashcat_benchmarking
        13. http://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php
        14. https://github.com/disaacson/cargo-cult-security
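
Slides 7 to 13 (encryption used where authentication and integrity were the goal), as an added example that is not from the deck or its repository: a one-bit ciphertext change alters the decrypted id, and an encrypt-then-MAC token rejects the same change. It assumes PHP 7.1 or later with the openssl extension; `aes-128-ofb` stands in for the deck's mcrypt Blowfish/OFB call, and `sealId`, `openId` and both keys are hypothetical names.

```php
<?php
const CIPHER = 'aes-128-ofb';   // assumption: stand-in for the deck's Blowfish/OFB
const TAG_LEN = 32;             // length of a raw HMAC-SHA256 tag

// Encrypt the id, then MAC the IV and ciphertext together.
function sealId(string $id, string $encKey, string $macKey): string {
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($id, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return bin2hex($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}

// Returns the id, or null when the token is malformed or was altered.
function openId(string $token, string $encKey, string $macKey): ?string {
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (!ctype_xdigit($token) || strlen($token) % 2 !== 0
        || strlen($token) <= 2 * ($ivLen + TAG_LEN)) {
        return null;
    }
    $raw = hex2bin($token);
    $body = substr($raw, 0, -TAG_LEN);
    $tag = substr($raw, -TAG_LEN);
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $tag)) {
        return null;                          // verify before decrypting
    }
    $id = openssl_decrypt(substr($body, $ivLen), CIPHER, $encKey,
                          OPENSSL_RAW_DATA, substr($body, 0, $ivLen));
    return $id === false ? null : $id;
}

// Constructed demo keys; separate keys for encryption and for the MAC.
$encKey = random_bytes(16);
$macKey = random_bytes(32);

// 1. Encryption alone: XOR-ing the last ciphertext byte with 0x01 flips the
//    same bit of the plaintext, so the final '0' (0x30) becomes '1' (0x31).
$iv = random_bytes(openssl_cipher_iv_length(CIPHER));
$ct = openssl_encrypt('100000', CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
$ct[5] = $ct[5] ^ "\x01";
var_dump(openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv));

// 2. Encrypt-then-MAC: the untouched token opens, the altered one does not.
$token = sealId('100000', $encKey, $macKey);
var_dump(openId($token, $encKey, $macKey));
$raw = hex2bin($token);
$pos = openssl_cipher_iv_length(CIPHER) + 5;  // same plaintext byte as above
$raw[$pos] = $raw[$pos] ^ "\x01";
var_dump(openId(bin2hex($raw), $encKey, $macKey));
```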
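
Slides 16 to 21 (modes, IVs and key generation), as an added example that is not from the deck or its repository: it measures both kinds of pattern named on slide 20, within one message (ECB against CBC) and across messages (fixed IV against a fresh random IV). It assumes PHP 7 or later with the openssl extension and uses AES-128 in place of mcrypt; `duplicateBlocks`, `encryptCbc` and `decryptCbc` are hypothetical names, and integrity protection is left out here.

```php
<?php
// Number of 16-byte ciphertext blocks that repeat an earlier block.
function duplicateBlocks(string $ct): int {
    $blocks = str_split($ct, 16);
    return count($blocks) - count(array_unique($blocks));
}

// Fresh random IV for every message, stored in front of the ciphertext.
function encryptCbc(string $plain, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length('aes-128-cbc'));
    return $iv . openssl_encrypt($plain, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

function decryptCbc(string $blob, string $key) {
    $ivLen = openssl_cipher_iv_length('aes-128-cbc');
    return openssl_decrypt(substr($blob, $ivLen), 'aes-128-cbc', $key,
                           OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
}

// Key from the CSPRNG: 128 random bits rather than 16 typed characters.
$key = random_bytes(16);

// Constructed input: 64 identical blocks, like a flat area of an image.
$image = str_repeat("\xff", 16 * 64);

// Patterns within a message: ECB encrypts equal blocks to equal blocks.
$ecb = openssl_encrypt($image, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
$cbc = encryptCbc($image, $key);
printf("duplicate blocks: ecb=%d cbc=%d\n", duplicateBlocks($ecb), duplicateBlocks($cbc));

// Patterns across messages: with a fixed IV, equal plaintexts give equal
// ciphertexts (slide 19 derives the IV from the key in the same way).
$fixedIv = md5($key, true);
$monday = openssl_encrypt('Hold', 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $fixedIv);
$tuesday = openssl_encrypt('Hold', 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $fixedIv);
var_dump($monday === $tuesday);

// With a fresh IV per message the two ciphertexts differ and still decrypt.
var_dump(encryptCbc('Hold', $key) === encryptCbc('Hold', $key));
var_dump(decryptCbc(encryptCbc('Hold', $key), $key));
```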
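
Slides 22 to 25 (predictable `rand()` tokens and the "Use HMACs" advice), as an added example that is not from the deck or its repository: one reading of that advice is a token the server can verify without storing it, built from a CSPRNG nonce, an expiry time and an HMAC. It assumes PHP 7.1 or later; `issueToken`, `checkToken`, the token layout and the one-hour lifetime are all assumptions made for illustration.

```php
<?php
// Token layout (assumption): expiry "." nonce "." HMAC(uid|expiry|nonce).
// The uid must not contain "|", which separates the MAC input fields.
function issueToken(string $uid, string $key, int $ttl = 3600, ?int $now = null): string {
    $expires = ($now ?? time()) + $ttl;
    $nonce = bin2hex(random_bytes(16));       // CSPRNG output, not rand()
    $mac = hash_hmac('sha256', "$uid|$expires|$nonce", $key);
    return "$expires.$nonce.$mac";
}

// True only for an unexpired token issued for this uid under this key.
function checkToken(string $token, string $uid, string $key, ?int $now = null): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expires, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid|$expires|$nonce", $key);
    // Constant-time comparison first, then the expiry check.
    return hash_equals($expected, $mac) && (int) $expires >= ($now ?? time());
}

$key = random_bytes(32);                      // constructed server-side key
$uid = "12345678";                            // the uid used on slide 24
$token = issueToken($uid, $key);

// The issued token verifies for its own user.
var_dump(checkToken($token, $uid, $key));

// The same token presented for another user fails the MAC check.
var_dump(checkToken($token, "87654321", $key));

// Two hours later the token is past its one-hour lifetime.
var_dump(checkToken($token, $uid, $key, time() + 7200));

// Extending the expiry without the key invalidates the MAC.
[$expires, $nonce, $mac] = explode('.', $token);
$forged = ((int) $expires + 86400) . ".$nonce.$mac";
var_dump(checkToken($forged, $uid, $key));
```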
