SlideShare a Scribd company logo

How to defend from an attacker armed with a mathematician

Download as PPTX, PDF
Antonio Sanso
Antonio Sanso

Diffie-Hellman key exchange is one of the most common public-key cryptographic methods in use in the Internet. It is a fundamental building block for IPsec, SSH, and TLS. Diffie-Hellman key exchange allows two parties to agree on a shared secret in the presence of an eavesdropper. Since the security of Diffie-Hellman relies crucially on the group parameters, implementations can be vulnerable to an attacker who provides maliciously generated parameters that change the properties of the group. In January 2016 we found a vulnerability affecting OpenSSL leveraging indeed this kind of attack (CVE-2016-0701). The research made while studying OpenSSL code base also highlighted a semi-mysterious RFC (RFC 5114 – “Additional Dif e-Hellman Groups for Use with IETF Standards”) originating from Defense contractor BBN. The mathematical property of the groups introduced in RFC 5114 were of particular interest since made OpenSSL particularly susceptibleto a Key Recovery Attack.

1 of 35
How to defend from an attacker armed with a mathematician Antonio Sanso (@asanso) Senior Software Engineer Adobe Research Switzerland
Who is this guy, BTW? { Senior Software Engineer Adobe Research Switzerland { Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll { Found vulnerabilities in OpenSSL , Google Chrome, Apple Safari { Co-Author of “OAuth 2 in Action” { Obsessed by prime numbers ★
TLS (Transport Layer Security)
TLS TLS Flow (highly simplified) asymmetric crypto (e.g. RSA/DH) + Client Server m m = premaster key symmetric crypto (e.g. AES)
TLS TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Key Exchange Cipher MAC or PRF
+ Key Exchange Client Server m = premaster key
Math Ahead !! {Addition {Multiplication {Exponentiation {Modular arithmetic
Public key cryptography
One way functions x f(x ) easy extremely hard
Discrete log problem y = gx (mod p) EASY! Example p = 17 g = 3 x = 4 y = 34 (mod 17) = ? y = 34 = 81 (mod 17) = 13
Discrete log problem dlogg y HARD! How much hard? Trivial alg. O(p) We need do find 0 < x < p-1 s.t. gx= y (mod p) Example p = 17 g = 3 y = 10 x = ?? x = 0 y = 30 = 1 (mod 17) x = 1 y = 31 = 3 (mod 17) x = 2 y = 32 = 9 (mod 17) x = 3 y = 33 = 10 (mod 17) ★
Discrete log problem p = 218473595898882084755067249171622650635714019853253703676313 617811140296530259568151576053281904111410441606898157413193 811965329798715000389798623091587382509451185549616268241523 075366058726165028842888780624670527776052278467097818506147 927484588389513422048126018381129378053717826003801060205228 844064528238188244556839820428829281834311945931891714310663 711385102529796485135530787625845961474274568372896230088793 648294777051836361493041209989486542781338740267111884943117 708835148893633513800645204134596026961413539494079718100718 483541278687259340578110522855117260709519548286257619847978 31079801857828431
Discrete log problem
+ Key Exchange Client Server g,p yb g, p yb = gb (mod p) Ephemeral Random b TLS_DHE_RSA_WITH_AES_128….
+ Key Exchange Client Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya
+ Key Exchange Client Server m = premaster key yb ya m = gba (mod p) (yb)a = (gb)a = gba (mod p) m = gab (mod p) (ya)b = (ga)b = gab (mod p) yb = gb (mod p) ya = ga (mod p) ★
OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
Server g,p yb g, p yb = gb (mod p) ya OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) ★
Attack Requirement #1 (Static ephemeral keys) Server g,p m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral SSL_OP_SINGLE_DH_USE wasn’t set ★
Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya Attack Requirement #2 (Not verifying the incoming value) m = gab (mod p) (ya)b = (ga)b = gab (mod p) ★
Discrete log problem What about p? Which prime number should I choose? OBSERVATION: (p-1) is always even { Safe prime ==> (p -1)/2 is also prime (many RFCs) { Or at least == > (p -1)/2 should not be a product of small primes
RFC 5114 - O(224) p = 2048 bit g = >>2 q = 224 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). ★
Attack Requirement #3 (Product of small primes) RFC 5114 m = premaster key yb g, p yb = ga (mod p)
Attack succeeded!! RFC 5114 m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral ★ ya = ga (mod p) ya So we can compute: { b mod (2) { b mod (3) { … { b mod (5213881177) Finally we can combine the result using the Chinese Remainder Theorem (CRT)!!
History of RFC 5114 ...a semi-mysterious RFC 5114 – Additional Diffie- Hellman Groups document. It introduces new MODP groups not with higher sizes, but just with different primes. … no one really wanted these, but no one really objected to it either, so the document (originating from Defense contractor BBN) made it to RFC status.
References { https://www.openssl.org/news/secadv/20160503.txt { http://blog.intothesymmetry.com/2016/01/openssl-key-recovery-attack- on-dh-small.htmlMultiplication { http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.5296 { http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl- allows-attackers-to-decrypt-https-traffic/
Questions?
Additional material
Discrete log function Primitive root (generator) Example p = 17 Generator g = 3 {30,31,32,33,34,35,36, … } ==> {1, 3, 9, 10, 13, 5, 15, …}
OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) (yb)aBj = gbaBj ya (ya)b = (gaB)b = gabBb (mod p) 0 < j < ord(B) == > small B = j mod (ord(B)) ★
RFC 5114 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). • ∃ gi s.t. q = 2 • ∃ gi s.t. q = 3 • ∃ gi s.t. q = 5 • … from O(224) to O(44)
OpenSSL Key Recovery Attack on DH small subgroups - Validation Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) ya VALIDATION Check that ya q (mod p) = 1 ★
Chinese Remainder Theorem (CRT) b = l (mod ord(B1)) b = m (mod ord(B2)) b = n (mod ord(B3)) We can find a unique solution mod(ord(B1) * ord(B2) * ord(B3)) ★
“Trap door” one way functions x f(x ) easy extremely hard easy given t t

Recommended

Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
Antonio Sanso
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
Tom Limoncelli
 
Node.JS security
Node.JS securityNode.JS security
Node.JS security
Deepu S Nath
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet
 
Velocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackVelocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attack
Cosimo Streppone
 
Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hacking
Philip Young
 
Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?
Eduard Trayan
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
Barry Dorrans
 

Recommended

Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
Antonio Sanso
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
Tom Limoncelli
 
Node.JS security
Node.JS securityNode.JS security
Node.JS security
Deepu S Nath
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet
 
Velocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attackVelocity 2011 - Our first DDoS attack
Velocity 2011 - Our first DDoS attack
Cosimo Streppone
 
Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hacking
Philip Young
 
Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?
Eduard Trayan
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
Barry Dorrans
 
Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016
Philip Young
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015
Tomas Malmsten
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
n|u - The Open Security Community
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
Axilis
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
Adam Baldwin
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
Seravo
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Saumil Shah
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
Leonardo Rifeli
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs Security
Jason Ross
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP Profiling
Otto Kekäläinen
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
Tinashe Makuti
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
Drew Fustini
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
Adam Baldwin
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
snyff
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
Ravishankar Somasundaram
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
n|u - The Open Security Community
 

More Related Content

What's hot

Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016
Philip Young
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015
Tomas Malmsten
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
n|u - The Open Security Community
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
Axilis
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
Adam Baldwin
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
Seravo
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
Saumil Shah
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
Leonardo Rifeli
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs Security
Jason Ross
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP Profiling
Otto Kekäläinen
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
Tinashe Makuti
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
Drew Fustini
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
Adam Baldwin
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
snyff
 

What's hot (20)

Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs Security
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP Profiling
 
Xss mitigation php [Repaired]
Xss mitigation php [Repaired]Xss mitigation php [Repaired]
Xss mitigation php [Repaired]
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 

Similar to How to defend from an attacker armed with a mathematician

Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
Ravishankar Somasundaram
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
n|u - The Open Security Community
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
Giovanni Bechis
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
Roman Podoliaka
 
Cryptography Attacks and Applications
Cryptography Attacks and ApplicationsCryptography Attacks and Applications
Cryptography Attacks and Applications
UTD Computer Security Group
 
Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)
Maarten Mulders
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
 
Debugging of (C)Python applications
Debugging of (C)Python applicationsDebugging of (C)Python applications
Debugging of (C)Python applications
Roman Podoliaka
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
Wim Godden
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
Moabi.com
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)
Maarten Mulders
 
Streaming huge databases using logical decoding
Streaming huge databases using logical decodingStreaming huge databases using logical decoding
Streaming huge databases using logical decoding
Alexander Shulgin
 
Rust Hack
Rust HackRust Hack
Rust Hack
Viral Parmar
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Research
 
Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)
Jonathan Felch
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
Svetlin Nakov
 
Deuce STM - CMP'09
Deuce STM - CMP'09Deuce STM - CMP'09
Deuce STM - CMP'09
Guy Korland
 
PyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by examplePyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by example
YunWon Jeong
 
What's new in Python 3.11
What's new in Python 3.11What's new in Python 3.11
What's new in Python 3.11
Henry Schreiner
 

Similar to How to defend from an attacker armed with a mathematician (20)

Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
Debugging Python with gdb
Debugging Python with gdbDebugging Python with gdb
Debugging Python with gdb
 
Cryptography Attacks and Applications
Cryptography Attacks and ApplicationsCryptography Attacks and Applications
Cryptography Attacks and Applications
 
Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)Building a DSL with GraalVM (VoxxedDays Luxembourg)
Building a DSL with GraalVM (VoxxedDays Luxembourg)
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Debugging of (C)Python applications
Debugging of (C)Python applicationsDebugging of (C)Python applications
Debugging of (C)Python applications
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)
 
Streaming huge databases using logical decoding
Streaming huge databases using logical decodingStreaming huge databases using logical decoding
Streaming huge databases using logical decoding
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)Groovy On Trading Desk (2010)
Groovy On Trading Desk (2010)
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
Deuce STM - CMP'09
Deuce STM - CMP'09Deuce STM - CMP'09
Deuce STM - CMP'09
 
PyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by examplePyCon KR 2019 sprint - RustPython by example
PyCon KR 2019 sprint - RustPython by example
 
What's new in Python 3.11
What's new in Python 3.11What's new in Python 3.11
What's new in Python 3.11
 

Recently uploaded

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 

Recently uploaded (12)

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 

How to defend from an attacker armed with a mathematician

  • 1. How to defend from an attacker armed with a mathematician Antonio Sanso (@asanso) Senior Software Engineer Adobe Research Switzerland
  • 2. Who is this guy, BTW? { Senior Software Engineer Adobe Research Switzerland { Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll { Found vulnerabilities in OpenSSL , Google Chrome, Apple Safari { Co-Author of “OAuth 2 in Action” { Obsessed by prime numbers ★
  • 4. TLS TLS Flow (highly simplified) asymmetric crypto (e.g. RSA/DH) + Client Server m m = premaster key symmetric crypto (e.g. AES)
  • 7.
  • 10. One way functions x f(x ) easy extremely hard
  • 11. Discrete log problem y = gx (mod p) EASY! Example p = 17 g = 3 x = 4 y = 34 (mod 17) = ? y = 34 = 81 (mod 17) = 13
  • 12. Discrete log problem dlogg y HARD! How much hard? Trivial alg. O(p) We need do find 0 < x < p-1 s.t. gx= y (mod p) Example p = 17 g = 3 y = 10 x = ?? x = 0 y = 30 = 1 (mod 17) x = 1 y = 31 = 3 (mod 17) x = 2 y = 32 = 9 (mod 17) x = 3 y = 33 = 10 (mod 17) ★
  • 13. Discrete log problem p = 218473595898882084755067249171622650635714019853253703676313 617811140296530259568151576053281904111410441606898157413193 811965329798715000389798623091587382509451185549616268241523 075366058726165028842888780624670527776052278467097818506147 927484588389513422048126018381129378053717826003801060205228 844064528238188244556839820428829281834311945931891714310663 711385102529796485135530787625845961474274568372896230088793 648294777051836361493041209989486542781338740267111884943117 708835148893633513800645204134596026961413539494079718100718 483541278687259340578110522855117260709519548286257619847978 31079801857828431
  • 15. + Key Exchange Client Server g,p yb g, p yb = gb (mod p) Ephemeral Random b TLS_DHE_RSA_WITH_AES_128….
  • 16. + Key Exchange Client Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya
  • 17. + Key Exchange Client Server m = premaster key yb ya m = gba (mod p) (yb)a = (gb)a = gba (mod p) m = gab (mod p) (ya)b = (ga)b = gab (mod p) yb = gb (mod p) ya = ga (mod p) ★
  • 18. OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
  • 19. Server g,p yb g, p yb = gb (mod p) ya OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) ★
  • 20. Attack Requirement #1 (Static ephemeral keys) Server g,p m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral SSL_OP_SINGLE_DH_USE wasn’t set ★
  • 21. Server g,p yb,g, p yb = gb (mod p)ya = ga (mod p) ya Attack Requirement #2 (Not verifying the incoming value) m = gab (mod p) (ya)b = (ga)b = gab (mod p) ★
  • 22. Discrete log problem What about p? Which prime number should I choose? OBSERVATION: (p-1) is always even { Safe prime ==> (p -1)/2 is also prime (many RFCs) { Or at least == > (p -1)/2 should not be a product of small primes
  • 23. RFC 5114 - O(224) p = 2048 bit g = >>2 q = 224 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). ★
  • 24. Attack Requirement #3 (Product of small primes) RFC 5114 m = premaster key yb g, p yb = ga (mod p)
  • 25. Attack succeeded!! RFC 5114 m = premaster key yb g, p yb = gb (mod p) By default NOT ephemeral ★ ya = ga (mod p) ya So we can compute: { b mod (2) { b mod (3) { … { b mod (5213881177) Finally we can combine the result using the Chinese Remainder Theorem (CRT)!!
  • 26. History of RFC 5114 ...a semi-mysterious RFC 5114 – Additional Diffie- Hellman Groups document. It introduces new MODP groups not with higher sizes, but just with different primes. … no one really wanted these, but no one really objected to it either, so the document (originating from Defense contractor BBN) made it to RFC status.
  • 27. References { https://www.openssl.org/news/secadv/20160503.txt { http://blog.intothesymmetry.com/2016/01/openssl-key-recovery-attack- on-dh-small.htmlMultiplication { http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.5296 { http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl- allows-attackers-to-decrypt-https-traffic/
  • 30. Discrete log function Primitive root (generator) Example p = 17 Generator g = 3 {30,31,32,33,34,35,36, … } ==> {1, 3, 9, 10, 13, 5, 15, …}
  • 31. OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) (yb)aBj = gbaBj ya (ya)b = (gaB)b = gabBb (mod p) 0 < j < ord(B) == > small B = j mod (ord(B)) ★
  • 32. RFC 5114 p -1 /2 = 2 * 3 * 3 * 5 * 43 * 73 * 157 * 387493 * 605921 * 5213881177 * 3528910760717 * 83501807020473429349 * C489 (where C489 is a 489 digit composite number with no small factors). • ∃ gi s.t. q = 2 • ∃ gi s.t. q = 3 • ∃ gi s.t. q = 5 • … from O(224) to O(44)
  • 33. OpenSSL Key Recovery Attack on DH small subgroups - Validation Server g,p yb g, p yb = ga (mod p) Choose B s.t. ord(B) is small ya = gaB (mod p) ya VALIDATION Check that ya q (mod p) = 1 ★
  • 34. Chinese Remainder Theorem (CRT) b = l (mod ord(B1)) b = m (mod ord(B2)) b = n (mod ord(B3)) We can find a unique solution mod(ord(B1) * ord(B2) * ord(B3)) ★
  • 35. “Trap door” one way functions x f(x ) easy extremely hard easy given t t