18. So how does it really work?
“oracle” does the magic
19. The Magic
“Coca-Cola” cipher: bitwise XOR with the repeating key 0xC0CAC01A

Plaintext    L        O        L        (space)  A        l        i        c        e
             01001100 01001111 01001100 00100000 01000001 01101100 01101001 01100011 01100101
Key          11000000 11001010 11000000 00011010 11000000 11001010 11000000 00011010 11000000
Ciphertext   10001100 10000101 10001100 00111010 10000001 10100110 10101001 01111001 10100101
20. Refactoring secrecy
Board: Todo | In Progress | Done
Card S2S-101: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Acceptance criteria: should use a secure cipher
21. What is a secure cipher?
Kerckhoffs’ Principle (1883)
The security of the encryption scheme
must depend only on secrecy of the key,
and not on the secrecy of the algorithm.
A. Kerckhoffs
22. What is a secure cipher?
confusion and diffusion (1949)
C. Shannon
23. What is a secure cipher?
size matters: key size, block size, birthday paradox

Key size: time to crack [1]
56 bits    ≈ 2 s
64 bits    ≈ 9 minutes
80 bits    ≈ 413 days
128 bits   ≈ 318 × 10^12 years
256 bits   ≈ 7.9 × 10^42 universe ages
[1] Naive calculations using Tianhe-2 (33.86 petaflops)

Block size: lookup table size [2]
32 bits    16 GiB
56 bits    458 752 TiB
64 bits    131 072 PiB
80 bits    10 240 ZiB
128 bits   ≈ 4.5 × 10^15 YiB
[2] Size in bytes = 2^(block size) × (block size / 8)

Birthday paradox: collisions after [3]
32 bits    65 536 messages
56 bits    268 435 456
64 bits    4 294 967 296
80 bits    1 099 511 627 776
128 bits   18 446 744 073 709 551 616
[3] In a set of 2^n elements, after seeing 2^(n/2) elements there is a 50% chance that two elements are the same
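The three columns of slide 23 can be recomputed from the slide's own footnotes. The block below is an added example, not part of the deck: the Tianhe-2 figure (33.86 petaflops) is the slide's, while "one key trial per floating-point operation" and a universe age of 13.8 billion years are the assumptions behind the "naive" label.

```python
"""Added example (not from the deck): the "size matters" columns of slide 23
recomputed from the slide's footnotes. Tianhe-2 at 33.86 petaflops is the
slide's figure; "one key trial per flop" and a 13.8-billion-year universe are
the assumptions behind the "naive" label."""

TIANHE2_FLOPS = 33.86e15
SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 13.8e9          # assumption
_UNITS = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB"]


def crack_seconds(key_bits: int, flops: float = TIANHE2_FLOPS) -> float:
    """Footnote 1: exhaustive key search, every key tried, one key per flop."""
    return 2 ** key_bits / flops


def crack_time_human(key_bits: int) -> str:
    """Render crack_seconds in the unit the slide uses for each row."""
    s = crack_seconds(key_bits)
    if s < 60:
        return f"{s:.0f} s"
    if s < 86400:
        return f"{s / 60:.0f} minutes"
    if s < 1000 * SECONDS_PER_YEAR:
        return f"{s / 86400:.0f} days"
    years = s / SECONDS_PER_YEAR
    if years < 1e18:
        return f"{years:.3g} years"
    return f"{years / UNIVERSE_AGE_YEARS:.2g} universe ages"


def lookup_table_bytes(block_bits: int) -> int:
    """Footnote 2: one entry per possible block, each entry block_bits/8 bytes."""
    return 2 ** block_bits * (block_bits // 8)


def table_size(block_bits: int, unit: str) -> float:
    """lookup_table_bytes expressed in a binary unit (GiB, TiB, ...)."""
    return lookup_table_bytes(block_bits) / 1024 ** _UNITS.index(unit)


def birthday_bound(n_bits: int) -> int:
    """Footnote 3: about a 50% chance of a repeat after 2^(n/2) of 2^n values."""
    return 2 ** (n_bits // 2)


def slide_table() -> dict:
    """Recompute the three columns of slide 23 in the slide's units."""
    units = {32: "GiB", 56: "TiB", 64: "PiB", 80: "ZiB", 128: "YiB"}
    return {
        "time_to_crack": {b: crack_time_human(b) for b in (56, 64, 80, 128, 256)},
        "lookup_table": {b: (table_size(b, u), u) for b, u in units.items()},
        "collisions_after": {b: birthday_bound(b) for b in units},
    }


if __name__ == "__main__":
    for column, rows in slide_table().items():
        print(column)
        for bits, value in rows.items():
            print(f"  {bits:>3} bits  {value}")
```

The interesting rows are the ones where the "naive" model breaks down: 80 bits is a year's work for one supercomputer, which is why 80-bit keys are treated as the floor, and the 128-bit lookup table is larger than any storage that will ever exist, which is the block-size argument for AES over 64-bit-block ciphers.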
24. Cipher choice
what should we use?
2000 AES (Rijndael)
2003 Rabbit
2004 HC-128
2005 Salsa20
2008 ChaCha20
25. Cipher choice
the standard!
2000 AES (Rijndael) [1]
2003 Rabbit
2004 HC-128
2005 Salsa20
2008 ChaCha20
Still not broken
[1] Rijndael animation
27. Refactoring secrecy
Board: Todo | In Progress | Done
Card S2S-101: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Acceptance criteria: should use AES cipher in CTR mode
28. S2S 1.1
S2S_WITH_AES_CTR_128
MSG 1
MSG 2
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
Nonce: message number
29. S2S 1.1
S2S_WITH_AES_CTR_128
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
Nonce: message number
Owned by Mallory
MSG 1
MSG 2
35. Key reuse
Two messages under the same keystream: “Hi Bob” and “Howdy!”
“Crib” drag attack: the known crib “Bob” lines up with, and reveals, “dy!”
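The XOR table on slide 19 and the crib drag on slide 35 are the same arithmetic: XOR is its own inverse, so a known plaintext gives back the keystream, and two ciphertexts under one keystream XOR to the XOR of their plaintexts. The block below is an added example, not code from the deck; the messages are the slides' own, the "keystream" standing in for a reused AES-CTR block is a constructed value, and the function names are mine.

```python
"""Added example (not from the deck): the repeating-key XOR "cipher" of slide 19
and the keystream-reuse weakness of slide 35. The messages are the deck's; the
keystream is a constructed stand-in for one AES-CTR output block."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """The deck's "Coca-Cola" cipher: XOR each byte with the key, repeated as needed."""
    stream = (key * (len(data) // len(key) + 1))[:len(data)]
    return xor_bytes(data, stream)


COCA_COLA_KEY = bytes.fromhex("C0CAC01A")


def bits(data: bytes) -> str:
    """Render bytes as the 8-bit columns drawn on slide 19."""
    return " ".join(f"{b:08b}" for b in data)


def keystream_from_crib(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Kerckhoffs' point: if the keystream is the only secret, one known
    plaintext recovers it, and the key repeats every four bytes anyway."""
    return xor_bytes(ciphertext, known_plaintext)


def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Keystream reuse: c1 ^ c2 == p1 ^ p2, so a crib known to sit in p1 at
    `offset` reveals p2 at the same offset. This is slide 35's "Bob" -> "dy!"."""
    diff = xor_bytes(c1, c2)
    return xor_bytes(diff[offset:offset + len(crib)], crib)


# Constructed stand-in for one keystream block. In S2S 1.1 the keystream is
# AES-CTR(key, nonce); a repeated message number (e.g. after a restart) repeats it.
KEYSTREAM = bytes.fromhex("3a9f41d27be0")


def demo() -> dict:
    cipher = repeating_key_xor(b"LOL Alice", COCA_COLA_KEY)
    m1, m2 = b"Hi Bob", b"Howdy!"
    c1, c2 = xor_bytes(m1, KEYSTREAM), xor_bytes(m2, KEYSTREAM)
    return {
        "slide19_ciphertext": cipher.hex(),
        "slide19_bits": bits(cipher),
        "key_from_one_crib": keystream_from_crib(cipher, b"LOL "),
        "slide35_leak": crib_drag(c1, c2, b"Bob", 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defensive reading of `crib_drag` is that it does not depend on the cipher at all: AES-CTR with a repeated nonce leaks exactly as the toy cipher does, which is why slide 36 moves S2S to a mode with a fresh random IV per message.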
36. Refactoring secrecy, again
Board: Todo | In Progress | Done
Card S2S-101: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Acceptance criteria: should use AES in CBC mode
37. S2S 1.2
S2S_WITH_AES_CBC_128
MSG 1
MSG 2
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
IV: every message has random IV
42. Preventing malleability
what should we use?
Still not broken
2002 SHA-256
2004 Whirlpool
2008 SHA-3 (Keccak)
2012 BLAKE2
43. Preventing malleability
what should we use?
Still not broken
2002 SHA-256
2004 Whirlpool
2008 SHA-3 (Keccak)
2012 BLAKE2
Nope!
44. Length extension attacks
Merkle–Damgård construction
Data: id=123&action=view
Hashing: MD5('secret' || data)
Signature: e691a507adce5689a47675a85d91da96
Desired: id=123&action=view&payload=1
New data [1]: id=123&action=view\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00&payload=1
New signature: 2a1dc3230c636cc73d08085dda9bed36
[1] Generated with HashPump
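The glue bytes on slide 44 are just MD5's Merkle–Damgård padding for the 24 bytes of `'secret' || data`: 0x80, zeros up to 56 bytes, then the bit length (192 = 0xc0) as a little-endian 64-bit integer. Because the signature is the chaining state after that block, anyone holding it can keep hashing without the secret. The block below is an added example, not the deck's or HashPump's code: it carries its own small MD5 only because the demonstration must resume from a digest, which `hashlib` does not allow, and then contrasts the naive verifier with the HMAC one from slide 45. The secret and data are the slide's; `extend`, `naive_verify` and `hmac_verify` are names chosen here.

```python
"""Added example (not from the deck or HashPump): why MD5(secret || data) is not
a MAC, and why HMAC is. A pure-Python MD5 (RFC 1321) is included only because the
demonstration has to resume hashing from a known digest."""
import hashlib
import hmac
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-round rotation amounts and sine-derived constants from RFC 1321.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_padding(total_len: int) -> bytes:
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros up
    to 56 mod 64, then the bit length as a 64-bit little-endian integer."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)


def _compress(state, block: bytes):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d)))


def md5_resume(state, data: bytes, already_hashed: int) -> str:
    """Hash `data` starting from chaining `state` that already covers
    `already_hashed` bytes (a multiple of 64). With MD5_IV and 0 this is plain MD5."""
    msg = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(msg), 64):
        state = _compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state).hex()


def md5_hex(data: bytes) -> str:
    return md5_resume(MD5_IV, data, 0)


def extend(sig_hex: str, secret_len: int, data: bytes, suffix: bytes):
    """Slide 44 without HashPump: from MD5(secret || data) and only len(secret),
    build data' = data || padding || suffix and the matching MD5(secret || data')."""
    glue = md5_padding(secret_len + len(data))
    state = struct.unpack("<4I", bytes.fromhex(sig_hex))
    consumed = secret_len + len(data) + len(glue)
    return data + glue + suffix, md5_resume(state, suffix, consumed)


def naive_verify(secret: bytes, data: bytes, sig_hex: str) -> bool:
    """The scheme on slide 44: MD5(secret || data)."""
    return hmac.compare_digest(hashlib.md5(secret + data).hexdigest(), sig_hex)


def hmac_verify(secret: bytes, data: bytes, tag_hex: str) -> bool:
    """Slide 45's fix: the key enters again after the inner hash, so a digest
    cannot be resumed into a valid tag for a longer message."""
    return hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).hexdigest(), tag_hex)


SECRET = b"secret"                 # the slide's key; extend() sees only its length
DATA = b"id=123&action=view"
SUFFIX = b"&payload=1"


def demo() -> dict:
    sig = hashlib.md5(SECRET + DATA).hexdigest()      # what the signer handed out
    forged_data, forged_sig = extend(sig, len(SECRET), DATA, SUFFIX)
    old_tag = hmac.new(SECRET, DATA, hashlib.sha256).hexdigest()
    return {
        "forged_data": forged_data,
        "naive_accepts_forgery": naive_verify(SECRET, forged_data, forged_sig),
        "hmac_accepts_old_tag_on_forgery": hmac_verify(SECRET, forged_data, old_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the naive verifier cannot tell apart: it parses `id=123&action=view<glue>&payload=1`, and if the application's query parser treats the glue as junk in the `action` value, the appended `payload=1` is honoured under a signature that was never computed by the secret holder. The fix is not a longer secret or SHA-256 in the same position, which is equally extendable (slide 43's "Nope!"), but HMAC, SHA-3 or BLAKE2 as slide 45 lists.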
45. “Safe” MACs
HMAC [1]
SHA-3
BLAKE2
[1] Hash-based MAC is defined as H(key ∥ H(key ∥ message)), where H is a secure hash function.
46. What to authenticate?
Source
Destination
Timestamp
Sequence No.
etc.
Horton’s Principle
Authenticate what is being meant,
not what is being said.
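Horton's principle in code: the MAC has to cover the fields that give the ciphertext its meaning (who sent it, to whom, when, which message number, under which IV), and those fields have to be encoded so that two different meanings can never serialize to the same bytes. The block below is an added example and not the deck's S2S implementation: the field names, the length-prefixed wire layout and the sample key are assumptions, and the ciphertext is a constructed stand-in for AES-CBC output.

```python
"""Added example (not the deck's code): an encrypt-then-MAC message for S2S that
authenticates what is meant (slide 46), with an unambiguous field encoding.
Wire layout and names are assumptions; the ciphertext is a constructed stand-in."""
import hashlib
import hmac
import struct


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so (src="ab", dst="c") and (src="a", dst="bc")
    cannot serialize to the same bytes; plain concatenation would let them."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def _to_authenticate(msg: dict) -> bytes:
    # "What is meant": parties, time, sequence number, IV, then the ciphertext.
    return encode_fields(
        msg["src"], msg["dst"],
        struct.pack(">Q", msg["ts"]), struct.pack(">Q", msg["seq"]),
        msg["iv"], msg["ct"],
    )


def authenticated_message(key: bytes, src: bytes, dst: bytes, ts: int, seq: int,
                          iv: bytes, ciphertext: bytes) -> dict:
    """Sender side of S2S 1.3: HMAC-SHA-256 over header, IV and ciphertext."""
    msg = {"src": src, "dst": dst, "ts": ts, "seq": seq, "iv": iv, "ct": ciphertext}
    msg["tag"] = hmac.new(key, _to_authenticate(msg), hashlib.sha256).digest()
    return msg


def verify(key: bytes, msg: dict, expected_dst: bytes, last_seq: int) -> bool:
    """Receiver side: constant-time tag check first, then the checks the tag now
    vouches for (addressed to me, sequence number strictly increasing)."""
    expected = hmac.new(key, _to_authenticate(msg), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False
    return msg["dst"] == expected_dst and msg["seq"] > last_seq


KEY = bytes(range(32))                                           # constructed key
IV = bytes.fromhex("00112233445566778899aabbccddeeff")           # constructed IV
CT = bytes.fromhex("deadbeefcafebabe0123456789abcdef")           # stand-in for AES-CBC output


def demo() -> dict:
    """Genuine message, then the three classic manipulations, as Bob would see them."""
    msg = authenticated_message(KEY, b"alice", b"bob", 1_700_000_000, 7, IV, CT)
    reflected = dict(msg, src=b"bob", dst=b"alice")          # bounced back to Alice
    tampered = dict(msg, ct=bytes([msg["ct"][0] ^ 0x01]) + msg["ct"][1:])  # one bit flipped
    return {
        "genuine": verify(KEY, msg, b"bob", last_seq=6),
        "replayed": verify(KEY, msg, b"bob", last_seq=7),    # seq 7 seen already
        "reflected": verify(KEY, reflected, b"alice", last_seq=6),
        "tampered": verify(KEY, tampered, b"bob", last_seq=6),
    }


if __name__ == "__main__":
    print(demo())
```

The replay case is the one a MAC alone does not catch: the tag is valid, so rejecting it is the receiver's job, and it can only do that because the sequence number is under the tag.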
47. Fixing protocol
Board: Todo | In Progress | Done
Card S2S-101: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Acceptance criteria: HMAC-SHA-256 should be used as MAC
48. S2S 1.3
S2S_WITH_AES_CBC_128_SHA_256 [1]
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
IV: every message has random IV
MAC: every message is authenticated
[1] Compact notation of HMAC-SHA-256
MSG 1
MSG 2
49. S2S 1.3
S2S_WITH_AES_CBC_128_SHA_256 [1]
Owned by Mallory
MSG 1
MSG 2
Alice and Bob: agree on 128 bit secret key
Startup: enter the key
IV: every message has random IV
MAC: every message is authenticated
[1] Compact notation of HMAC-SHA-256
55. Lessons learned
Cryptography is a hard subject
Broken because of implementation errors
Either stay away from crypto or seek help
When building a railway always do detection and response first
Understand your users
Do not put a burden on your users which they cannot carry
57. Books
“Zeal without knowledge - fire without light”
http://www.crypto-textbook.com
58. Resources
Matasano Crypto Challenges
http://cryptopals.com
Crypto Projects that Might not Suck
https://github.com/sweis/crypto-might-not-suck
A Few Thoughts on Cryptographic Engineering
http://blog.cryptographyengineering.com
Cryptographic competitions
http://competitions.cr.yp.to