This document provides a summary of a presentation on encryption. It discusses why encryption is important for compliance with regulations like PCI DSS and HIPAA. It covers different encryption techniques like block ciphers and stream ciphers. It describes how protocols like TLS work and how certain ciphers like RC4 have been broken over time. It discusses attacks like BEAST and ways crypto failures can occur. It emphasizes that encryption is difficult and recommends following best practices around key management and the challenges of real-world implementation.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eric Brandwine, AWS Senior Principal Security Engineer
December 1, 2016
Encryption
It Was the Best of Controls,
It Was the Worst of Controls
SAC306

2. A tale of two
ciphers
datasets

3. What is this talk?

7. Why Encrypt?
PCI:DSS Requirement 3: Protection at rest
PCI:DSS Requirement 4: Encrypt on the network
"A covered entity must, in accordance with §164.306…
Implement a mechanism to encrypt and decrypt electronic
protected health information.” (45 CFR § 164.312(a)(2)(iv))
Etc., etc., etc.

8. Encryption is
HARD

9. Encryption is
EXPENSIVE

10. Encryption is
worth it
(sometimes)

11. MATH
+ + =
A recipe

12. MATH
+ + =
Unbreaking an egg

13. How I thought crypto failed

14. How crypto actually fails

15. Primitives, Modes, and Protocols
MATH
+ + = Super_Secret_Message
S u p e r _ S e
E n c r y p t e
Block
Cipher
c r e t _ M e s
d _ C i p h e r
Block
Cipher
…

16. TLS as a protocol
Arbitrarily bad
network
(The Internet)
Confidentiality
Server authentication
Tamper evidence
Replay protection
…

17. A leak!
MATH
+ + = Awfully_Awfully_Secret
A w f u l l y _
E n c r y p t e
Block
Cipher
A w f u l l y _
E n c r y p t e
Block
Cipher
…

18. A big pile of crypto
Primitive
Protocol
Mode
Primitive
Protocol
Mode
Primitive
Mode

19. We believe

20. Crypto here and crypto there

21. Encryption in transit

22. A tale of one cipher
Super_Secret_Message
S u p e r _ S e
E n c r y p t e
Stream
Cipher
c r e t _ M e s
d _ C i p h e r
K e y s t r e a m _ b y t e s _
⨁ ⨁⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁
RC4

23. RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
Use RC4,
don't use RC4,
I don't care

24. A wild BEAST appears
Browser Exploit Against SSL/TLS

25. Cipher Block Chaining
E n c r y p t e
Block
Cipher
d _ C i p h e r
Block
Cipher
…
Awfully_Awfully_Secret
A w f u l l y _ A w f u l l y _
⨁ ⨁IV

26. Chosen Plaintext Attack
x ⨁ A ⨁ A = x
Ci = AES(k, Ci-1 ⨁ Pi)
We want to decrypt Ci, and obtain Pi.
Pick m as a guess for Pi.
Let Pj = Cj-1 ⨁ Ci-1⨁ m
Cj = AES(k, Cj-1 ⨁ Pj)
Cj = AES(k, Cj-1 ⨁ Cj-1⨁ Ci-1 ⨁ m)
Cj = AES(k, Ci-1 ⨁ m)
Thus, m = Pi iff Cj = Ci

27. Blockwise Chosen Boundary Attack
POST /A HTTP 1.1rnCookie: SessionID=XXXX
POST /AAAAAA HTTP 1.1rnCookie: SessionID=XXXX
Let m = ‘P 1.1rnCookie: a’
Let m = ‘P 1.1rnCookie: b’
Let m = ‘P 1.1rnCookie: S’
…
POST /AAAAA HTTP 1.1rnCookie: SessionID=XXXX
Let m = ‘ 1.1rnCookie: Sa’
…
Cj ≠ Ci
Cj ≠ Ci
Cj = Ci

28. Assume the cookie is 16 characters, one full block.
Guessing the entire cookie at once:
2128 guesses (worst case)
= 340,282,366,920,938,463,463,374,607,431,768,211,456
Guessing the entire cookie one byte at a time:
16 * 28 guesses (worst case)
= 4,096
That’s 2116 times faster or just
0.0000000000000000000000000000000012%
as many guesses

29. The short version
If:
I can cause your client to make requests
JavaScript
I can control block alignment
I can sniff the resulting TLS traffic
There is a repeated field worth stealing
Cookies
Then:
I can guess byte-wise rather than block-wise

30. RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
Use RC4,
don't use RC4,
I don't care
Use RC4!!!

31. But….
If:
I can cause your client to make requests
JavaScript
I can control block alignment
I can sniff the resulting TLS traffic
There is a repeated field worth stealing
Cookies
Then:
I can guess byte-wise rather than block-wise

32. Defense in depth
Includes timestamp!

33. The end approaches

34. RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
2013: Statistical biases
2015: RFC7465, Nope!
Use RC4,
don't use RC4,
I don't care
Use RC4!!!
Oh my, no way!

35. IoT, the Internet of Television
I like RC4, AES, and 3DES
In that order.
Cool! Let's use AES
'cause RC4 is broken
LIES!

37. Don't fly blind
2015-05-13T23:39:43.945958Z my-loadbalancer
192.168.131.39:2817 10.0.0.1:80 0.000086 0.001048 0.001337
200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1"
"curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2

38. We've got a logjam

39. Diffie Hellman key agreement

40. Tackling the discrete log problem
512 bit: 50 core-years 35 core-minutes
768 bit: 36.5k core-years 2 core-days
1024 bit: 45M core-years 30 core-days

41. Meet SSL Labs

43. Diffie-Hellman in S3
Every webserver thread creates a new prime at startup
>> 10k primes in use at any time
We fingerprint the ClientHello and alter our response
Browsers are not offered DHE
SSL Labs gets a different view than your browser

44. https://github.com/awslabs/s2n

45. The bathtub curve of change
Howscaryisit?
How often does it happen?

46. Encryption at rest

47. MATH
+ + =
Our recipe

48. MATH
Following the recipe

49. This is a human

50. She's a beauty! Low, low miles!

51. This one, not so much
Data
Encryption
Standard
1975: Published
1976: Approved as a standard
1977: FIPS
1992: Differential cryptanalysis
1998: First public break
1998: Break in 58 hours
1999: Break in 22 hours
2006: COPACOBANA: 9 days, $10,000

52. MATH
+ + =
Another recipe
MORE
MATH

53. Keys are sensitive
Ciphertext is sensitive

54. Keep your ciphertext close

55. MATH
Oblivious clients

56. Keys in the network

57. Keys on disk

58. Keys are long term sensitive
Ciphertext is long term sensitive

60. How we do this in S3
S3
Storage
Backend
S3 Web
AWS KMS

61. Encryption is HARD
Encryption is EXPENSIVE
Encryption is worth it
(sometimes)

62. In theory, there's no
difference between theory
and practice.
In practice, there is.

63. Thank you!

64. Remember to complete
your evaluations!

65. Rules of Crypto
Rule #1: Don’t do it unless you’re an expert
Rule #2: You’re not an expert
Rule #3: You’re going to screw it up, even if you are an
expert