SlideShare a Scribd company logo
How do I create my own crypto?
Crypto pitfalls
misc
Cryptography for Software and Web Developers
Part 3: Don’t do this yourself
Hanno B¨ock
2014-05-28
1 / 13
How do I create my own crypto?
Crypto pitfalls
misc
How do I create my own super-secure crypto protocol?
Just don’t!
2 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Example: RSA
Sidechannels
Zombie vulnerabilities
Secure blocks, insecure system
If you ever heard an introduction to crypto you might have
learned about RSA like this
M = Message, (N, e) = public key, (N, d) = private key
Encrypt(M) = Me mod N, Decrypt(M) = Md mod N
Don’t do this! This so-called textbook-RSA is completely
insecure
Real RSA: You need padding and for encryption you use some
hybrid between RSA and symmetric encryption like AES
3 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Example: RSA
Sidechannels
Zombie vulnerabilities
Secure blocks, insecure system
Sidechannels are all attacks where you don’t directly target
the crypto, but some kind of ”information” you get otherwise
Most popular: timing
But also: noise, power usage, radiation, cache behavior
(virtualization!), ...
Hard to prevent
4 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Example: RSA
Sidechannels
Zombie vulnerabilities
Secure blocks, insecure system
Zombie vulnerabilities: you already killed them but they come
back
Padding oracle (2002), came back as timing vulnerability in
2013 (Lucky Thirteen)
Bleichenbacher Million Message attack (1998) against RSA
PKCS #1 1.5 comes back every now and then, last time in
Java and OpenSSL
5 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Example: RSA
Sidechannels
Zombie vulnerabilities
Secure blocks, insecure system
”We use 256 bit AES, so we are secure”, ”We use elliptic
curves, so we are secure”, ”we use [insert buzzword here], so
we are secure”
You can create insecure systems out of secure building blocks
Lucky Thirteen again: RSA, AES, CBC and HMAC are all
fine. But TLS sticks them together in an insecure way
6 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
Cryptography is complex
To write secure crypto code you need to have a pretty good
knowledge of the research of the past 20 years
randomness, timing, sidechannels, blinding, padding, ...
If someone wants to sell you the latest and greatest new
crypto solution, ask: Who in your team has lots of experience
in crypto?
7 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
Unless you *really* know what you are doing the best advice
is: Never do your own crypto.
And I mean on all layers: Algorithms, protocols, software.
If you implement your own crypto it will be insecure. Not
”may”. It will.
8 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
Re-use something existing like TLS, OpenPGP or CMS with a
well-established software. (OpenSSL is bad, but it is still
amongst the best you can get for this task)
If this is not a webpage but your own app/software: You can
avoid almost all problems of TLS by not relying on the CA
system and by using TLS 1.2 with just one or two secure
cipher suites.
Or use a fool-proof library like NaCl.
9 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
If you use other people’s software: You need an update
strategy
Happens far too often: ”Great, it’s open source, we can
modify the code and adjust it to our needs.”
Yes, you can. However, then you may have to re-do that on
every security update.
(Not just in crypto, I see this a lot with web apps.)
10 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
”The security of a cryptosystem should depend solely on the
secrecy of the key and the private randomizer” (Wikipedia)
Or in other words: Security by obscurity is not a good idea
There are countless people out there who’ll say: ”We know
’security by obscurity’ is bad, but in our case it’s different.”
Pretty clear security red flag.
11 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
The problem with crypto implementations: Sometimes their
API encourages misuse.
You want to verify a certificate. What does that mean? It’s
syntactically correct? It contains a valid signature? By
someone special or by anyone? And most important of all:
What does this certificate certify after all?
Very popular bug: Yeah, this is a valid certificate. For
evilhacker.org? That’s fine, we’ll grab our updates from there.
12 / 13
How do I create my own crypto?
Crypto pitfalls
misc
Crypto is complex
Don’t do it
What to use
But remember: Updates
Kerkhoff’s principle
API messup
Conclusions
Never invent your own crypto algorithms. Never invent your
own crypto protocols. Never write your own crypto code.
Don’t believe in security by obscurity.
Even when using crypto APIs you should understand what
you’re doing and be aware what you’re checking.
13 / 13

More Related Content

Similar to Crypto workshop part 3 - Don't do this yourself

How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
NETWAYS
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
NETWAYS
 
Secure encryption in a wiretapped future
Secure encryption in a wiretapped futureSecure encryption in a wiretapped future
Secure encryption in a wiretapped future
Michael Renner
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
ThreatReel Podcast
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
Jim Piechocki
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
Kai Koenig
 
Discussion Question Contrast file encryption and volume encryptio.docx
Discussion Question Contrast file encryption and volume encryptio.docxDiscussion Question Contrast file encryption and volume encryptio.docx
Discussion Question Contrast file encryption and volume encryptio.docx
JeniceStuckeyoo
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
Alex Payne
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
amiable_indian
 
Introduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSecIntroduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSec
YashSomalkar
 
Top 5 Cryptocurrency Scam Risk Factors
Top 5 Cryptocurrency Scam Risk FactorsTop 5 Cryptocurrency Scam Risk Factors
Top 5 Cryptocurrency Scam Risk Factors
Maxim Kozlovsky
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era  - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era  - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Codemotion
 
wp-understanding-ransomware-strategies-defeat
wp-understanding-ransomware-strategies-defeatwp-understanding-ransomware-strategies-defeat
wp-understanding-ransomware-strategies-defeat
Robert Leong
 
Honeypots
HoneypotsHoneypots
Honeypots
Jyoti Nagargoje
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu
 
Breaking ssl
Breaking sslBreaking ssl
Breaking ssl
Vinayak Raghuvamshi
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
abnmi
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
Cyber Security Alliance
 

Similar to Crypto workshop part 3 - Don't do this yourself (20)

How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
 
Secure encryption in a wiretapped future
Secure encryption in a wiretapped futureSecure encryption in a wiretapped future
Secure encryption in a wiretapped future
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
 
Discussion Question Contrast file encryption and volume encryptio.docx
Discussion Question Contrast file encryption and volume encryptio.docxDiscussion Question Contrast file encryption and volume encryptio.docx
Discussion Question Contrast file encryption and volume encryptio.docx
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Introduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSecIntroduction to Cybersecurity | IIT(BHU)CyberSec
Introduction to Cybersecurity | IIT(BHU)CyberSec
 
Top 5 Cryptocurrency Scam Risk Factors
Top 5 Cryptocurrency Scam Risk FactorsTop 5 Cryptocurrency Scam Risk Factors
Top 5 Cryptocurrency Scam Risk Factors
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era  - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era  - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
 
wp-understanding-ransomware-strategies-defeat
wp-understanding-ransomware-strategies-defeatwp-understanding-ransomware-strategies-defeat
wp-understanding-ransomware-strategies-defeat
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Breaking ssl
Breaking sslBreaking ssl
Breaking ssl
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 

More from hannob

The Fuzzing Project - 32C3
The Fuzzing Project - 32C3The Fuzzing Project - 32C3
The Fuzzing Project - 32C3
hannob
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)
hannob
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLS
hannob
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
hannob
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
hannob
 
Papierlos
PapierlosPapierlos
Papierlos
hannob
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malware
hannob
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Stromsparen
StromsparenStromsparen
Stromsparen
hannob
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oil
hannob
 

More from hannob (10)

The Fuzzing Project - 32C3
The Fuzzing Project - 32C3The Fuzzing Project - 32C3
The Fuzzing Project - 32C3
 
TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)
 
Some tales about TLS
Some tales about TLSSome tales about TLS
Some tales about TLS
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
Papierlos
PapierlosPapierlos
Papierlos
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malware
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Stromsparen
StromsparenStromsparen
Stromsparen
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oil
 

Recently uploaded

Web development Platform Constraints.pptx
Web development Platform Constraints.pptxWeb development Platform Constraints.pptx
Web development Platform Constraints.pptx
ssuser2f6682
 
How Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital TransformationHow Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital Transformation
Sweet Potato Tec
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
eufdev
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
Bangladesh Network Operators Group
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
exgf28
 
Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...
APNIC
 
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECTUse of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Edward Blurock
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
Piotr Siuda
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
exchangeid32
 
optimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluationoptimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluation
ManojKumarr75
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
pdfsubmission50
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
Bangladesh Network Operators Group
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
Bangladesh Network Operators Group
 
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptxDraya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
ashishkumarrana9
 
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdfHow-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
Dolphin Data Lab
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
samyanvichadda
 
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
shamrisumri
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
adelewhite125
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
Shrestha Raaz
 
Network Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptxNetwork Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptx
cossykin19
 

Recently uploaded (20)

Web development Platform Constraints.pptx
Web development Platform Constraints.pptxWeb development Platform Constraints.pptx
Web development Platform Constraints.pptx
 
How Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital TransformationHow Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital Transformation
 
Saint Louis University diploma
Saint Louis University diplomaSaint Louis University diploma
Saint Louis University diploma
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
Trump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination ShirtTrump Assassination Shirt Trump Assassination Shirt
Trump Assassination Shirt Trump Assassination Shirt
 
Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...
 
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECTUse of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
 
Digital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade communityDigital ethnography of the Polish darknet drug trade community
Digital ethnography of the Polish darknet drug trade community
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
 
optimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluationoptimized green synthesis characterization and evaluation
optimized green synthesis characterization and evaluation
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
 
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptxDraya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
 
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdfHow-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
 
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
 
Network Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptxNetwork Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptx
 

Crypto workshop part 3 - Don't do this yourself

  • 1. How do I create my own crypto? Crypto pitfalls misc Cryptography for Software and Web Developers Part 3: Don’t do this yourself Hanno B¨ock 2014-05-28 1 / 13
  • 2. How do I create my own crypto? Crypto pitfalls misc How do I create my own super-secure crypto protocol? Just don’t! 2 / 13
  • 3. How do I create my own crypto? Crypto pitfalls misc Example: RSA Sidechannels Zombie vulnerabilities Secure blocks, insecure system If you ever heard an introduction to crypto you might have learned about RSA like this M = Message, (N, e) = public key, (N, d) = private key Encrypt(M) = Me mod N, Decrypt(M) = Md mod N Don’t do this! This so-called textbook-RSA is completely insecure Real RSA: You need padding and for encryption you use some hybrid between RSA and symmetric encryption like AES 3 / 13
  • 4. How do I create my own crypto? Crypto pitfalls misc Example: RSA Sidechannels Zombie vulnerabilities Secure blocks, insecure system Sidechannels are all attacks where you don’t directly target the crypto, but some kind of ”information” you get otherwise Most popular: timing But also: noise, power usage, radiation, cache behavior (virtualization!), ... Hard to prevent 4 / 13
  • 5. How do I create my own crypto? Crypto pitfalls misc Example: RSA Sidechannels Zombie vulnerabilities Secure blocks, insecure system Zombie vulnerabilities: you already killed them but they come back Padding oracle (2002), came back as timing vulnerability in 2013 (Lucky Thirteen) Bleichenbacher Million Message attack (1998) against RSA PKCS #1 1.5 comes back every now and then, last time in Java and OpenSSL 5 / 13
  • 6. How do I create my own crypto? Crypto pitfalls misc Example: RSA Sidechannels Zombie vulnerabilities Secure blocks, insecure system ”We use 256 bit AES, so we are secure”, ”We use elliptic curves, so we are secure”, ”we use [insert buzzword here], so we are secure” You can create insecure systems out of secure building blocks Lucky Thirteen again: RSA, AES, CBC and HMAC are all fine. But TLS sticks them together in an insecure way 6 / 13
  • 7. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions Cryptography is complex To write secure crypto code you need to have a pretty good knowledge of the research of the past 20 years randomness, timing, sidechannels, blinding, padding, ... If someone wants to sell you the latest and greatest new crypto solution, ask: Who in your team has lots of experience in crypto? 7 / 13
  • 8. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions Unless you *really* know what you are doing the best advice is: Never do your own crypto. And I mean on all layers: Algorithms, protocols, software. If you implement your own crypto it will be insecure. Not ”may”. It will. 8 / 13
  • 9. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions Re-use something existing like TLS, OpenPGP or CMS with a well-established software. (OpenSSL is bad, but it is still amongst the best you can get for this task) If this is not a webpage but your own app/software: You can avoid almost all problems of TLS by not relying on the CA system and by using TLS 1.2 with just one or two secure cipher suites. Or use a fool-proof library like NaCl. 9 / 13
  • 10. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions If you use other people’s software: You need an update strategy Happens far too often: ”Great, it’s open source, we can modify the code and adjust it to our needs.” Yes, you can. However, then you may have to re-do that on every security update. (Not just in crypto, I see this a lot with web apps.) 10 / 13
  • 11. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions ”The security of a cryptosystem should depend solely on the secrecy of the key and the private randomizer” (Wikipedia) Or in other words: Security by obscurity is not a good idea There are countless people out there who’ll say: ”We know ’security by obscurity’ is bad, but in our case it’s different.” Pretty clear security red flag. 11 / 13
  • 12. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions The problem with crypto implementations: Sometimes their API encourages misuse. You want to verify a certificate. What does that mean? It’s syntactically correct? It contains a valid signature? By someone special or by anyone? And most important of all: What does this certificate certify after all? Very popular bug: Yeah, this is a valid certificate. For evilhacker.org? That’s fine, we’ll grab our updates from there. 12 / 13
  • 13. How do I create my own crypto? Crypto pitfalls misc Crypto is complex Don’t do it What to use But remember: Updates Kerkhoff’s principle API messup Conclusions Never invent your own crypto algorithms. Never invent your own crypto protocols. Never write your own crypto code. Don’t believe in security by obscurity. Even when using crypto APIs you should understand what you’re doing and be aware what you’re checking. 13 / 13