A fictional tale about home-brewed cryptography. Casual developers' efforts to build a secure system for Alice and Bob company.

1. Cryptography
(under)engineering
fictional tale about home-brewed cryptography
h e l l o
? * > +
W O R L D

2. About me
Audrius Kovalenko | @slicklash
NOT Computer Security Expert
NOT Cryptographer
Just a developer

3. The most important bits
In the next 3 slides

4. Role of Cryptography
for user
Computer illiteracy
Security illiteracy
Negative feedback
click Run

5. Role of Cryptography
for developer
Good security = Prevention + Detection + Response

6. Role of Cryptography
for attacker
STUXNET
BadUSB
Expensive door lock
vs
Unguarded windows

7. Story mode
try to
Stretch your imagination
Forgive the folly
Enjoy

8. Startup company
New generation lasers
Breath taking technology
Need secure communication
Alice Bob

9. Adversary
Mallory

10. Agile team
Roy Moss

11. “soul 2 soul” app
architecture
rendezvous host
P2P

12. S2S 1.0
Handshake
Application
Alert
protocol
HELLO
HELLO
MSG 1
MSG 2
ERROR

13. Implementing secrecy
Todo In Progress Done
S2S - 101
Lorem ipsum dolor
sitamet,
consectetur
adipiscing elit.
Acceptance criteria:
should be secure

14. Ultra secure
blackbox
Plaintext Ciphertext Plaintext

15. Where is code?
in private repository

16. Where is code?
in private repository
Owned by Mallory

17. So how does it really work?

18. So how does it really work?
“oracle” does the magic

19. The Magic
“Coca-Cola” cipher
Bitwise XOR with repeating key
0xC0CAC01A
L O L A A l i c e
01001100 01001111 01001100 00100000 01000001 01101100 01101001 01100011 01100101
11000000 11001010 11000000 00011010 11000000 11001010 11000000 00011010 11000000
10001100 10000101 10001100 00111010 10000001 10100110 10101001 01111001 10100101

20. Refactoring secrecy
Todo In Progress Done
Acceptance criteria:
S2S - 101
Lorem ipsum dolor
sitamet,
consectetur
adipiscing elit.
should use a secure cipher

21. What is a secure cipher?
Kerckhoffs’ Principle (1883)
The security of the encryption scheme
must depend only on secrecy of the key,
and not on the secrecy of the algorithm.
A. Kercoffs

22. What is a secure cipher?
confusion and diffusion (1949)
C. Shannon

23. What is a secure cipher?
size matters
Key size Block size Birthday paradox
Time to crack1
56 bits ≈ 2s
64 bits ≈ 9 minutes
80 bits ≈ 413 days
128 bits ≈ 318 ✕ 1012 years
256 bits ≈ 7.9 ✕ 1042 universe ages
1 Naive calculations using
Tianhe-2 (33.86 petaflops)
Lookup table size2
32 bits 16 GiB
56 bits 458 752 TiB
64 bits 131 072 PiB
80 bits 10 240 ZiB
128 bits ≈ 4.5 ✕ 1015 YiB
2 Size in bytes = 2block size✕ (block size / 8)
Collisions after3
32 bits 65 536 messages
56 bits 268 435 456
64 bits 4 294 967 296
80 bits 1 099 511 627 776
128 bits 18446744073709551616
3 In the set of 2n elements,
after seeing 2n / 2 elements there is 50% chance
two elements will be the same

24. Cipher choice
what should we use?
2000 AES (Rijndael)
2003 Rabbit
2004 HC-128
2005 Salsa20
2008 ChaCha20

25. Cipher choice
the standard!
1 Rijndael animation
2000 AES (Rijndael)1
2003 Rabbit
2004 HC-128
2005 Salsa20
2008 ChaCha20 Still not broken

26. Message size > Block size
modes of operation
ECB CBC CTR

27. Refactoring secrecy
Todo In Progress Done
S2S - 101
Lorem ipsum dolor
sitamet,
consectetur
adipiscing elit.
Acceptance criteria:
should use AES cipher in CTR mode

28. S2S 1.1
S2S_WITH_AES_CTR_128
MSG 1
MSG 2
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
Nonce: message number

29. S2S 1.1
S2S_WITH_AES_CTR_128
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
Nonce: message number
Owned by Mallory
MSG 1
MSG 2

30. It’s the implementation, dummy!
day 2
MSG 1
MSG 2
day 1
MSG 1
MSG 2

31. Key reuse
MSG 1 MSG 1
Hi Bob K1
Howdy! K1

32. Key reuse
Hi Bob K1
Howdy! K1

33. Key reuse
Hi Bob K1
Howdy! K1

34. Key reuse
Hi Bob Howdy!

35. Key reuse
Hi Bob Howdy!
“Crib” drag attack Bob = dy!

36. Refactoring secrecy, again
Todo In Progress Done
S2S - 101
Lorem ipsum dolor
sitamet,
consectetur
adipiscing elit.
Acceptance criteria:
should use AES in CBC mode

37. S2S 1.2
S2S_WITH_AES_CBC_128
MSG 1
MSG 2
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
IV: every message has random IV

38. Infrastructure
rendezvous host
ISP ISP

39. Infrastructure
rendezvous host
ISP
Owned by Mallory
ISP

40. Mallory-in-the-middle
message tampering
HELLO
HELLO
MSG 1
HELLO
HELLO
MSG 1

41. Homework
CBC padding oracle attacks
ERROR
2002 Serge Vaudenay
2010 ASP.NET, JSF
2011 BEAST
2013 Lucky 13
2014 POODLE

42. Preventing malleability
what should we use?
Still not broken
2002 SHA-256
2004 Whirlpool
2008 SHA-3 (Keccak)
2012 BLAKE2

43. Preventing malleability
what should we use?
Still not broken
2002 SHA-256
2004 Whirlpool
2008 SHA-3 (Keccak)
2012 BLAKE2
Nope!

44. Length extension attacks
1 Generated with HashPump
Merkle-Damgard construction
Data: id=123&action=view
Hashing: MD5(‘secret’ || data)
Signature: e691a507adce5689a47675a85d91da96
Desired: id=123&action=view&payload=1
New data1: id=123&action=viewx80x00x00x00x00x00x00x00x00
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
x00x00x00x00x00x00xc0x00x00 x00x00x00x00x00&payload=1
New signature: 2a1dc3230c636cc73d08085dda9bed36

45. “Safe” MACs
HMAC1
SHA-3
BLAKE2
1 Hash-based MAC is defined as H(key ∥ H(key ∥ message)), where H is secure hash function.

46. What to authenticate?
Source
Destination
Timestamp
Sequence No.
etc.
Horton’s Principle
Authenticate what is being meant,
not what is being said.

47. Fixing protocol
Todo In Progress Done
S2S - 101
Lorem ipsum dolor
sitamet,
consectetur
adipiscing elit.
Acceptance criteria:
HMAC-SHA-256 should be used as MAC

48. S2S 1.3
S2S_WITH_AES_CBC_128_SHA_2561
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
IV: every message has random IV
MAC: every message is authenticated
1 Compact notation of HMAC-SHA-256
MSG 1
MSG 2

49. S2S 1.3
S2S_WITH_AES_CBC_128_SHA_2561
Owned by Mallory
MSG 1
MSG 2
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
IV: every message has random IV
MAC: every message is authenticated
1 Compact notation of HMAC-SHA-256

50. Social engineering
Mallory learns
Big fans of

51. Social engineering
Mallory learns
Key: winter is coming

52. Entropy (randomness)
bits of security
Key space
16 bytes
128 bits
≈ 318 ✕ 1012 years*
Key: winter is coming
* Naive calculations using Tianhe-2 (33.86 petaflops)
Reduced space
set of characters = lowercase + space = 26 + 1 = 27
entropy per character = log2(27) ≈ 4.75
entropy of key = 4.75 ✕ 16 = 76
≈ 25 days*
Game of Thrones quotes
set of quotes = 638
entropy per quote = log2(638) ≈ 9.3
entropy of key = 9.1 ✕ 1 = 9.3
instant!

53. THE END
Years behind reinventing TLS
Switches to TextSecure
Nowhere to be seen

54. Cryptographic Misuse in
Android Applications
11,748 applications reviewed (2013)
https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf

55. Lessons learned
Cryptography is a hard subject
Broken because of implementation errors
Either stay away from crypto or seek help
When building a railway always do detection and response first
Understand your users
Do not put a burden on your users which they cannot carry

56. Not covered today
Asymmetric (Public Key) Cryptography
Digital Signatures
Key Exchange
“Perfect” Forward Secrecy & Ephemeral Keys
Elliptic Curve Cryptography

57. Books
“Zeal without knowledge - fire without light”
http://www.crypto-textbook.com

58. Resources
Matasano Crypto Challenges
http://cryptopals.com
Crypto Projects that Might not Suck
https://github.com/sweis/crypto-might-not-suck
A Few Thoughts on Cryptographic Engineering
http://blog.cryptographyengineering.com
Cryptographic competitions
http://competitions.cr.yp.to

59. QA