See common anti-patterns for securing web applications and how to correct them. Learn how to differentiate between authentication, authorization, secrecy, integrity, non-repudiation, and other security goals.
Examples include how:
* a theoretical "secret" banking request is corrupted to pad an attacker's bank account,
* an insecure "session" authentication token is attacked, and
* a "random" XSRF value gives a false sense of security.
Correct principles and patterns are analyzed and compared with common incorrect ones.
Presented at OpenWest 2014
4. Cargo Cult Programming
Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.
• Design patterns
  • Factory
  • Wrapper
  • Dependency injection
• Cryptography
  • Encryption
  • Hashing
6. Crypto Primitives & Goals
[Diagram]
Primitives: Hash, MAC, HMAC, Symmetric Key Crypto, Asymmetric Key Crypto, Digital Signature, Digital Certificates
Goals: Data Integrity, Data Authentication, Non-repudiation, Confidentiality, Trust
7. Classic Encryption
18. Anti-pattern: Authentication 2
$plainTextUserId = '834';
echo '<h4>"Secure" URL for image ' . $plainTextUserId . '.</h4>';
$cryptTextId = bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key,
    $plainTextUserId, MCRYPT_MODE_OFB, $initializationVector));
$secretImageUrl = "…?secure_id=" . $cryptTextId;
echo '<a href="' . $secretImageUrl . '">' . $secretImageUrl . '</a>';

private_image.php?secure_id=f3d90e
http://aes.online-domain-tools.com/
2^24 search space with a valid URL density of 1/16,777
19. HMAC for authentication
$authInfo = 'uid=' . $userId . '&ts=' . time();
// uid=123&ts=12345
$hmac = hash_hmac("sha256", $authInfo, $key); // argument order: algorithm, data, key
$authToken = $authInfo . '&hmac=' . $hmac;
// uid=123&ts=12345&hmac=9a0b1c
// send token to user (e.g. set as a cookie)

// read token (from cookie, Authorization header, …) into $rawToken
parse_str($rawToken, $token);
// regenerate base message (uid=123&ts=12345)
$message = 'uid=' . ($token['uid'] ?? '') . '&ts=' . ($token['ts'] ?? '');
$signature = $token['hmac'] ?? '';
$validationHmac = hash_hmac("sha256", $message, $key);
if (hash_equals($validationHmac, $signature)) { // constant-time comparison
    // let request through if timestamp is also recent enough
} else {
    // send back a 403 Forbidden
}

[Diagram: Login, Protected service]
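The contrast between slides 18 and 19, as an added example that is not from the original deck: an OFB-encrypted ID gives no signal when a value was never issued, while an HMAC-tagged token is rejected when it is altered, stripped of its tag, or stale. It uses PHP's openssl functions and random_bytes() in place of mcrypt; the keys, the sample ID, the function names and the 300-second lifetime are assumptions.

```php
<?php
// Added example; keys, IV, the sample ID and the 300-second lifetime are constructed.
$encKey = random_bytes(16);
$macKey = random_bytes(32);
$iv     = random_bytes(16);

// Slide 18 anti-pattern: OFB is a stream mode, so the 3-byte ID becomes a
// 3-byte ciphertext and every 3-byte value decrypts without error.
function weakDecode(string $hex, string $key, string $iv) {
    return openssl_decrypt(hex2bin($hex), 'aes-128-ofb', $key, OPENSSL_RAW_DATA, $iv);
}

// Slide 19 pattern: readable fields plus an HMAC over exactly those fields.
function issueToken(string $uid, int $now, string $key): string {
    $msg = 'uid=' . rawurlencode($uid) . '&ts=' . $now;
    return $msg . '&hmac=' . hash_hmac('sha256', $msg, $key);
}

function verifyToken(string $token, int $now, string $key, int $maxAge = 300): ?string {
    $pos = strrpos($token, '&hmac=');
    if ($pos === false) {
        return null;                              // no tag at all
    }
    $msg = substr($token, 0, $pos);
    $tag = substr($token, $pos + 6);
    if (!hash_equals(hash_hmac('sha256', $msg, $key), $tag)) {
        return null;                              // altered or forged
    }
    parse_str($msg, $fields);                     // parse only after the MAC checks out
    $age = $now - (int) ($fields['ts'] ?? 0);
    return ($age >= 0 && $age <= $maxAge) ? ($fields['uid'] ?? null) : null;
}

$show = fn($v) => $v === null ? 'rejected' : "accepted ($v)";

$weak = bin2hex(openssl_encrypt('834', 'aes-128-ofb', $encKey, OPENSSL_RAW_DATA, $iv));
echo "encrypted ID: $weak, ", strlen($weak) * 4, " bits\n";
$unissued = bin2hex(random_bytes(3));             // never produced by the server
$decrypts = weakDecode($unissued, $encKey, $iv) !== false;
echo "unissued value decrypts: ", var_export($decrypts, true), "\n";

$now   = time();
$token = issueToken('834', $now, $macKey);
$moved = str_replace('uid=834', 'uid=835', $token);
echo "valid token:  ", $show(verifyToken($token, $now, $macKey)), "\n";
echo "uid changed:  ", $show(verifyToken($moved, $now, $macKey)), "\n";
echo "tag stripped: ", $show(verifyToken('uid=834&ts=' . $now, $now, $macKey)), "\n";
echo "expired:      ", $show(verifyToken($token, $now + 301, $macKey)), "\n";
```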
23. Encryption Parameters
mcrypt_encrypt(         // creates cipher text
    MCRYPT_BLOWFISH,    // cipher (AES, Blowfish, …)
    $key,               // secret key
    $plainText,         // data to encrypt
    MCRYPT_MODE_CBC,    // mode (CBC, ECB, OFB, …)
    $iv);               // initialization vector
30. Modes and IVs
• Cipher-block chaining prevents patterns within messages
• Correct IV prevents patterns across messages
31. Generating Keys & Initialization Vectors
$key = "koicy37m8ao2nl07";
$iv = rand();
$cypherText = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key,
    $plainText, MCRYPT_MODE_CBC, $iv);
• How many bits of key entropy can be contained in 16 alphanumeric characters?
  • 96 bits!
  • ~0.00000002% of possible search space
• What initialization vector is really used here?
  • “0000000000000000”!
  • PHP Warning: mcrypt_decrypt(): The IV parameter must be as long as the blocksize in /home/derrick/…/CBC.php on line 27
• Use
  • $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
  • mcrypt_create_iv($size);
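What slides 30 and 31 say about IVs, as an added example that is not from the original deck: the same message encrypted twice under a fixed IV produces identical ciphertexts, while a fresh random IV per message does not. It uses openssl_encrypt() and random_bytes() because mcrypt was removed from PHP core in 7.2; the function names, the sample message and the modelling of the fallback IV as 16 zero bytes are assumptions.

```php
<?php
// Added example; function names and the sample message are constructed.
const CIPHER = 'aes-128-cbc';

// Encrypt and prepend the IV: it is not secret, but decryption needs it.
function encryptWithIv(string $plain, string $key, string $iv): string {
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    return bin2hex($iv . $ct);
}

function decryptMessage(string $hex, string $key) {
    $raw   = hex2bin($hex);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        return false;                              // truncated or malformed input
    }
    $iv = substr($raw, 0, $ivLen);
    return openssl_decrypt(substr($raw, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

$key   = random_bytes(16);                         // 128 bits from the OS CSPRNG
$plain = 'amount=10.00&to=1234';                   // constructed sample message

// Slide 31 anti-pattern: the IV ends up constant for every message
// (modelled here as 16 zero bytes, an assumption).
$zeroIv = str_repeat("\0", 16);
$a = encryptWithIv($plain, $key, $zeroIv);
$b = encryptWithIv($plain, $key, $zeroIv);
echo "fixed IV, ciphertexts identical: ", var_export($a === $b, true), "\n";

// Corrected: a new random IV of the cipher's block size for each message.
$ivLen = openssl_cipher_iv_length(CIPHER);
$c = encryptWithIv($plain, $key, random_bytes($ivLen));
$d = encryptWithIv($plain, $key, random_bytes($ivLen));
echo "fresh IV, ciphertexts identical: ", var_export($c === $d, true), "\n";
echo "round trip ok: ", var_export(decryptMessage($c, $key) === $plain, true), "\n";
```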
33. Finding Linear Congruential Seed
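import java.util.Random;

// Constants of java.util.Random's 48-bit linear congruential generator
long multiplier = 0x5DEECE66DL;
long addend = 0xBL;
long mask = (1L << 48) - 1;

Random random = new Random();
long v1 = random.nextInt();
long v2 = random.nextInt();
// v1 exposes the top 32 bits of the 48-bit state; try all 16 unknown low bits
for (int i = 0; i < 65536; i++) {
    long seed = v1 * 65536 + i;
    // cast to int so the comparison matches nextInt()'s signed result
    if ((int) (((seed * multiplier + addend) & mask) >>> 16) == v2) {
        System.out.println("Seed found: " + seed);
        break;
    }
}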
34. Anti-pattern: Pseudo-random Session IDs
<?php
$uid = "12345678";
$sessionId = md5($uid . rand() . microtime());
setCookie("session_id", $sessionId);
?>
Really only ~20 bits of entropy.
A modern GPU can calculate that in a second! [9, 12]
35. HMACs and Secure Random
<form action="">
<label>Donation amount</label>
<input type="text" value="10.00">
<?php
// hex-encode once so the cookie and the hidden field carry the same value
$csrfToken = bin2hex(openssl_random_pseudo_bytes(32));
setCookie("csrfToken", $csrfToken);
echo '<input type="hidden" value="' . $csrfToken . '">';
?>
<input type="submit" value="Submit">
</form>
Do not use sessions! Use HMACs!
Seriously.
36. No Cargo Cult Security!
1. Identify true security goal.
2. Find correct crypto primitive.
3. Spend some time to learn about it.
4. Write as little of your own crypto code as possible.