Cryptography - You're doing it wrong! (Attila Balazs)

Premium community conference on Microsoft technologies itcampro@ itcamp14#
Cryptography: you're doing it wrong!
108 frequent mistakes in implementing crypto
Attila-Mihály Balázs
gpanther@grey-panther.net

Huge thanks to our sponsors & partners!

Agenda
• Who am I?
• Reason 0
• Reason 1
• Reason 2
• Reason 3
• Reason 4
• Reason 5
• Reason 6
• Reason 7
• Resources
• Q&A

Who am I?
Attila-Mihály Balázs
• Reverse Engineer
• Developer
• Technologist
• Not a cryptographer !!!
gpanther@grey-panther.net
https://grey-panther.net

TL;DR
Choose widely used technologies
• Data in motion: TLS (SSL)
• Client side certificates
• Windows AD comes with it
• Data at rest:
• Bitlocker, NTFS encrpytion,
CryptProtectData
• gpgme, encrypted archives (7z),
keyczar-dotnet
• Password store: use PBKDF2

Purpose of this talk
Scare the s*** out of you!

Scare the pants off of you!

You are not smart enough to do crypto!

Scenario
Alice Bob
Eve
Mallory

Scenario
Eve
Authenticate
Token
Token
Mallory

Don't implement your own crypto !!!
• Primitives: block ciphers, stream ciphers,
hash functions
• Cryptographic protocols (systems) – ie.
“transmit data over an (untrusted) network
between participants who never met
previously and ensure the data secrecy and
integrity in the presence of passive and/or
active attackers”

Implementation
Token
RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
NetStream, RMCrypto.CreateEncryptor(Key, IV),
CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("Hello World!");
http://msdn.microsoft.com/en-us/library/as0w18af%28v=vs.110%29.aspx

Legal stuff I need to tell you
Software on Documentation Portals. Software accessible on the Documentation Portals is
made available by the designated publisher under the associated license terms. If Software is
accessible on the Documentation Portals without license terms, then subject subsection (c)
below you may use it to design, develop, and test your programs. If any such Software without
license terms is marked as “sample” or “example,” then you may use it under the terms of the
Microsoft Limited Public License.
http://msdn.microsoft.com/en-us/cc300389.aspx#D
3(C) If you distribute any portion of the software, you must retain all copyright, patent,
trademark, and attribution notices that are present in the software.
3(D) If you distribute any portion of the software in source code form, you may do so only under
this license by including a complete copy of this license with your distribution. If you distribute
any portion of the software in compiled or object code form, you may only do so under a license
that complies with this license.
3(F) Platform Limitation- The licenses granted in sections 2(A) & 2(B) extend only to the
software or derivative works that you create that run on a Microsoft Windows operating system
product.

Reason 0: Replay Attacks
Token
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
SWriter.WriteLine("access-level=admin|username=bruce");

Reason 0: Replay Attacks
Token
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
SWriter.WriteLine("ip=65.55.58.201|expires=1400488925|"
+ "access-level=admin|username=bruce");

Choices, choices, choices

Choices, choices, choices
• Algorithm: symmetric, Rinjadel (AES)
• Block size: 128 bit (16 bytes)
• Operation mode: CBC
• Padding: PKCS7
• Key: 128 bit (16 bytes)
• Key derivation ??
• IV == Key ?? Fixed ??

Reason 1: bit flipping attacks
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

1 ⊕ 1 == 0, 1 ⊕ 0 == 1
0 ⊕ 1 == 1, 0 ⊕ 0 == 0

access-level=user|username=gpantherlaccess-level-admin
|: 01111100b =: 00111101b
l: 01101100b -: 00101101b
access-level=use****************her|access-level=admin

Reason 2: padding oracle
=admin
=adminx9x9x9x9x9x9x9x9x9

CryptographicException: Padding is invalid and cannot be removed.

guessed ⊕ original ⊕ plaintext = 0x01
a ⊕ a = 0
a ⊕ b = b ⊕ a
plaintext = 0x01 ⊕ guessed ⊕ original

Reason 3: Poorly chosen IV
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
SWriter.WriteLine("access-level=admin|username=bruce");

IV == Key
C0 = EK(P0 ⊕ IV)
C1 = EK(P1 ⊕ C0)
C2 = EK(P2 ⊕ C1)
…
P0 = DK(C0)⊕ IV DK(EK(P0 ⊕ IV))⊕ IV = P0 ⊕ IV ⊕ IV = P0
P1 = DK(C1)⊕ C0 DK(EK(P1 ⊕ C0))⊕ C0 = P1 ⊕ C0 ⊕ C0 = P1
…
DK(C0 0 C0)
DK(C0)⊕ IV = A
DK(0) ⊕ C0
DK(C0)⊕ 0 = DK(C0) = B
A ⊕ B = DK(C0)⊕ IV ⊕ DK(C0) = IV = Key

IV == Constant → choosen plain text attack / encryption oracle
username=gpanther|access-level=user
username=gpanther|access-level=admin
68e4ed21f7bc5ac64405cdd8269b3b74fa19b951f0b521757e94…
68e4ed21f7bc5ac64405cdd8269b3b74e06a42679cb7b34ca8a1…

Reason 4: Key derivation
Human password → key bits
Very bad: truncate/pad to 16 bytes
Very bad: use (first 16 bytes of) MD5(passw)
Very bad: use SHA1(password)
Bad: use SHA1(salt + password)
Bad: use SHA1(per user salt + password)
Good: use PBKDF2(password)*. Tune it.
Good: use scrypt(password). Tune it.
* Rfc2898DeriveBytes

Reason 5: hash extension attacks
Eve
Authenticate
Token
Token
Mallory
"ip=127/8|expires=1400488925|access-level=admin|username=bruce|<signature>"

Cryptographic hash function:
• H(x) = h
• h is fast to compute
• h is of fixed size
• Given h, it is impractical to generate x
H(<secret key><data>) = <hash>
<data><hash>

Cryptographic hash functions are completely deterministic!
adc83b19 e793491b 1c6ea0fd 8b46cd9f 32e592fc
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
Given x and H(x) it is trivial* to compute:
• H(x + d) for arbitrary d
• H(x[0:k]) for arbitrary k
Use HMAC

Reason 6: HMAC timing attack (side channel attacks)
In = "<data><signature>";
Data, Sig = In.split();
CalcSig = HMAC(Data);
/* Wrong!!! Do not use!!! */
for(i=0; i<SIG_LEN; i++) {
if (Sig[i] != CalcSig[i]) {
return False;
}
}
return True;

<data>00XXXXXXXXXXXXXXXXXXXXXXXXXXXX
…
<data>ad00XXXXXXXXXXXXXXXXXXXXXXXXXX
…

In = "<data><signature>";
Data, Sig = In.split();
CalcSig = HMAC(Data);
Int result = 0;
for(i=0; i< SIG_LEN; i++) {
result |= Sig[i] ^ CalcSig[i];
}
return result == 0;

Reason 7: C.R.I.M.E. attack (side channels redux)
Query
EK(C(Query + Response))
Mallory
Query

Resources
• Matasano crypto challenge
http://www.matasano.com/articles/crypto-challenges/
• Applied Cryptography
https://www.udacity.com/course/cs387
• Cryptography Engineering
https://www.schneier.com/book-ce.html
• Crypto 101
https://www.crypto101.io/

Q & A

Cryptography - You're doing it wrong! (Attila Balazs)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cryptography - You're doing it wrong! (Attila Balazs)

Similar to Cryptography - You're doing it wrong! (Attila Balazs) (20)

More from ITCamp

More from ITCamp (20)

Recently uploaded

Recently uploaded (20)

Cryptography - You're doing it wrong! (Attila Balazs)