Cryptography

Mistakes in Cryptography (密碼學中的錯誤)


  1. yllan, 2015
  2. @yllan • hypo https://hypo.cc/ • SOLDA https://solda.io/
  3. Q: AES
  4. key
  5. Encryption
  6. Encryption system • Block cipher: DES, AES, … (RSA is a public-key algorithm, not a block cipher) • the plaintext is padded up to a whole number of blocks • Block mode: ECB / CBC / GCM / …
  7. Don't use ECB mode! Block 1 → Cipher 1, Block 2 → Cipher 2, …, Block N → Cipher N: every block is encrypted independently under the same key, so equal plaintext blocks give equal ciphertext blocks, wherever they appear.
  8. ECB: cut & paste. Cookie: auth=AES-ECB(username). Register the username 1234567890123456admin: the second ciphertext block encrypts "admin" plus its padding on its own, which is exactly the cookie the server would issue to the user admin, so that block can be cut out and presented as Cookie: auth=AES-ECB(admin).
  9. ECB: byte-by-byte. Oracle(m) = AES-ECB(m‖secret, key), one block = 16 bytes. Send 15 known bytes so that the first secret byte lands in the last position of the first block: AES-ECB(123456789012345secret, key). Then query AES-ECB(123456789012345*secret, key) for every candidate byte * until the first ciphertext block matches; the match reveals the first secret byte s, AES-ECB(123456789012345ssecret, key). Shorten the prefix by one, AES-ECB(12345678901234secret, key), and compare against AES-ECB(12345678901234s*secret, key) to recover the second byte (se), then AES-ECB(1234567890123secret, key) for the third, and so on until the whole secret is known.
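Both ECB attacks from slides 8 and 9, worked in Python as an added example (this is not code from the talk). Assumptions: AES is replaced by a stand-in keyed block function built from HMAC-SHA256 so the example runs with the standard library only, and `make_auth_cookie` / `make_oracle` are hypothetical server endpoints that do what the slides describe.

```python
import hashlib
import hmac

BLOCK = 16


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB stand-in (an assumption of this example, not AES): each 16-byte block is
    encrypted independently with a keyed PRF (HMAC-SHA256 truncated to 16 bytes).
    It is not invertible, but both attacks below only rely on the ECB property that
    equal plaintext blocks give equal ciphertext blocks wherever they occur."""
    pt = pkcs7_pad(pt)
    return b"".join(
        hmac.new(key, pt[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(pt), BLOCK)
    )


# --- Slide 8: cut & paste.  Cookie: auth = ECB(username)   (hypothetical server)
def make_auth_cookie(key: bytes, username: bytes) -> bytes:
    return ecb_encrypt(key, username)


def forge_admin_cookie(key: bytes) -> bytes:
    # Register a username of 16 filler bytes followed by "admin".  The second
    # ciphertext block then encrypts pad(b"admin") on its own, which is exactly the
    # whole cookie the server would hand to the user "admin".
    cookie = make_auth_cookie(key, b"1234567890123456" + b"admin")
    return cookie[BLOCK:2 * BLOCK]


# --- Slide 9: byte-by-byte.  Oracle(m) = ECB(m || secret)   (hypothetical oracle)
def make_oracle(key: bytes, secret: bytes):
    return lambda m: ecb_encrypt(key, m + secret)


def recover_secret(oracle) -> bytes:
    # Secret length: the ciphertext grows by a block once our filler pushes the
    # padding over a block boundary; base - i at that point is the secret length.
    base = len(oracle(b""))
    secret_len = next(base - i for i in range(1, BLOCK + 1)
                      if len(oracle(b"A" * i)) > base)
    known = b""
    for k in range(secret_len):
        # Pick a filler that places secret[k] in the last byte of a block whose other
        # 15 bytes we already know, then try all 256 values for that last byte.
        filler = b"A" * (BLOCK - 1 - k % BLOCK)
        lo, hi = (k // BLOCK) * BLOCK, (k // BLOCK + 1) * BLOCK
        target = oracle(filler)[lo:hi]
        for c in range(256):
            if oracle(filler + known + bytes([c]))[lo:hi] == target:
                known += bytes([c])
                break
    return known
```

`recover_secret` needs at most 256 oracle calls per secret byte and no knowledge of the key; the fix on slide 7 is simply never to use ECB.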
  10. CBC
  11. CBC bit flipping. The plaintext comment=hello,%20MOPCON.%26admin=true spans three blocks: comment=hello | ,%20MOPCON. | %26admin=true. The server escaped & as %26, so admin=true cannot be injected directly.
  12. XOR the second ciphertext block with (%26admin=true ⊕ &admin=true): on decryption the third plaintext block becomes &admin=true, while the second block turns into garbage, comment=hello | ?SDA(*H@*(#$& | &admin=true. The cost of the flip is one garbled block, which a lenient parser ignores.
  13. CBC padding oracle • PKCS7 padding: the last byte states how many padding bytes there are, and all of them carry that value • xxxxxxxxxx01 • xxxxxxxxx0202 • xxxxxxxx030303
  14. The padding check (Scala); whether it throws is the oracle:
      if (!bytes.takeRight(bytes.last).forall(_ == bytes.last)) {
        throw new Exception("Padding invalid!")
      }
  15.–22. Worked padding-oracle step. The target plaintext block ends in 030303, and the attacker edits the previous ciphertext block, which is XORed into this block on decryption:
      030303                 original tail, valid padding
      030303 ⊕ 01 → 030302   last byte flipped with 01: padding invalid
      030303 ⊕ 02 → 030301   last byte flipped with 02: valid padding!
      The oracle accepted a flip of 02, so last byte ⊕ 02 = 01, i.e. the last byte is 03.
  23. Next byte: XOR each known 03 with 07 (03 ⊕ 07 = 04) so the tail reads 040404, then brute-force the byte before it until ??040404 is accepted as valid padding: ??040404 ⊕ ??070707. Repeat leftwards until the whole block is recovered.
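The CBC bit flip of slides 11–12 and the padding oracle of slides 13–23, in Python, as an added example that is not code from the talk. Assumptions: the 16-byte block cipher is a stand-in Feistel construction (not AES), `make_cookie` / `is_admin` / `padding_oracle` are hypothetical server code, and the comment layout in `flip_to_admin` is chosen so that the escaped `%26admin=true` fills its own block.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 16-byte block cipher (an assumption of this example, NOT AES): a 4-round
# Feistel network with HMAC-SHA256 as round function. CBC, PKCS#7 and both attacks
# only need some invertible block transform, so the cipher choice is irrelevant.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding invalid!")   # slide 14: this error is the oracle
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK
    pt, prev, out = pt + bytes([n]) * n, iv, b""   # PKCS#7 pad, then chain
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(out)

# Slides 11-12, bit flipping: the server escapes '&' as '%26', so admin=true cannot be
# injected directly. Flipping byte i of ciphertext block k flips byte i of plaintext
# block k+1 (and turns plaintext block k into garbage, which the parser tolerates).
def make_cookie(key, iv, comment):
    return cbc_encrypt(key, iv, b"comment=" + comment.replace(b"&", b"%26"))

def is_admin(key, iv, cookie):
    fields = [f.split(b"=", 1) for f in cbc_decrypt(key, iv, cookie).split(b"&")]
    return any(f[0] == b"admin" and f[1:] == [b"true"] for f in fields)

def flip_to_admin(cookie):
    # Assumes the comment was 8 filler + 16 sacrificial bytes + b"&admin=true", so
    # plaintext block 2 is b"%26admin=true" + padding; rewrite it through block 1.
    c = bytearray(cookie)
    for i, d in enumerate(xor(b"%26admin=true", b"&admin=true&&")):
        c[BLOCK + i] ^= d
    return bytes(c)

# Slides 13-23, padding oracle: the only feedback is "padding valid?", and that is
# enough to recover every plaintext byte, last byte first.
def padding_oracle(key):
    def oracle(iv, ct):
        try:
            cbc_decrypt(key, iv, ct)
        except ValueError:
            return False
        return True
    return oracle

def recover_block(oracle, prev, blk):
    dec = bytearray(BLOCK)           # block_decrypt(key, blk), found right to left
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos           # padding value we try to produce at the tail
        forged = bytearray(dec[j] ^ padv if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), blk):
                continue
            if pos == BLOCK - 1:     # rule out an accidental 02 02 / 03 03 03 hit
                alt = bytearray(forged)
                alt[pos - 1] ^= 1
                if not oracle(bytes(alt), blk):
                    continue
            dec[pos] = guess ^ padv  # (guess XOR dec) == padv  =>  dec == guess XOR padv
            break
    return xor(bytes(dec), prev)     # plaintext block = D(blk) XOR previous block

def padding_oracle_attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)
```

The attacker supplies a chosen previous block (the IV for the first block) and never touches the block under attack, so the server's padding check does all the work; about 256 queries per byte. Both attacks disappear once the ciphertext is authenticated (a MAC over IV and ciphertext, or an AEAD mode such as GCM) and the padding error is never reached on unauthenticated data.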
  24. Authentication (Signing)
  25. (Crypto) Hash • MD5, SHA1, SHA2, SHA3, … • arbitrary-length input, fixed n-bit output • One-way: given H(x), it is infeasible to find x • 2nd pre-image resistance: given x, it is infeasible to find y ≠ x with H(x) = H(y) • Collision resistance: it is infeasible to find any pair x ≠ y with H(x) = H(y)
  26. Hash ≠ Authentication
  27. Signing a request • user=yllan&rating=5&album=12345 • tag = MD5(secretalbum12345rating5useryllan): the secret is prepended to the sorted parameters and hashed • This is not a MAC; it is open to a length extension attack
  28. Length extension attack • ????user=yllan&rating=5 (???? is the unknown secret) • ????user=yllan&rating=5…&admin=true: the attacker appends the hash's own padding (…) followed by &admin=true and computes the new tag from the old one, never learning the secret
  29.–33. How a Merkle–Damgård hash (SHA-1 here) processes data: the input is cut into 64-byte blocks, the last block is padded with a 1 bit, zeros and the message length, and each block updates a five-word chaining state v1…v5. Initial state: v1 = 0x67452301, v2 = 0xEFCDAB89, v3 = 0x98BADCFE, v4 = 0x10325476, v5 = 0xC3D2E1F0. After block 1 (illustrative values): 0xAAAAAAAA 0xBBBBBBBB 0xCCCCCCCC 0xDDDDDDDD 0xEEEEEEEE; after block 2: 0xFFFFFFFF ×5; after the final, padded block: v1 = 0x00000000, v2 = 0x11111111, v3 = 0x22222222, v4 = 0x33333333, v5 = 0x44444444. The output is nothing but that state: SHA1 = 0x0000000011111111222222223333333344444444.
  34.–38. Extension: the attacker does not know the data (? ???) but does know SHA1 = 0x0000000011111111222222223333333344444444, which is the chaining state after the padded original. Loading v1 = 0x00000000 … v5 = 0x44444444 and feeding one more block (the extension, with fresh padding) gives v1 = 0x55555555, v2 = 0x66666666, v3 = 0x77777777, v4 = 0x88888888, v5 = 0x99999999, i.e. SHA1(data ‖ pad ‖ extension) = 0x5555555566666666777777778888888899999999, computed without the secret part of data.
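The length extension of slides 27–38 as an added example, not code from the talk. It uses SHA-1 (whose initial state slide 30 shows) in place of the MD5 of slide 27; both are Merkle–Damgård constructions and the attack is identical. `server_tag`, `server_verify` and `parse_query` are a hypothetical server, the secret and messages are constructed, and `hmac_verify` is included to show that the same forgery fails against a real MAC (slide 39).

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # slide 30


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_padding(total_len):
    """Merkle-Damgard padding (slide 29): 0x80, zeros up to 56 mod 64, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg, state=SHA1_IV, prior_len=0):
    """Plain SHA-1, except that `state` / `prior_len` let it resume from a known digest
    as if `prior_len` bytes had already been absorbed (slides 34-38)."""
    h = list(state)
    data = msg + sha1_padding(prior_len + len(msg))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def sha1_matches_hashlib(msg):
    return sha1(msg) == hashlib.sha1(msg).digest()


# Vulnerable scheme of slide 27 (hypothetical server): tag = H(secret || message).
def server_tag(secret, message):
    return sha1(secret + message)


def server_verify(secret, message, tag):
    return hmac.compare_digest(server_tag(secret, message), tag)


def forge(tag, message, secret_len, extension):
    """Given one valid (message, tag) and the secret's length, produce a valid tag for
    message || glue || extension without knowing the secret (slide 28)."""
    glue = sha1_padding(secret_len + len(message))
    state = struct.unpack(">5I", tag)          # the digest IS the chaining state
    absorbed = secret_len + len(message) + len(glue)
    return message + glue + extension, sha1(extension, state, absorbed)


def forge_unknown_length(verify, tag, message, extension, max_len=64):
    """The secret length is usually unknown; the server's accept/reject is the oracle."""
    for n in range(1, max_len + 1):
        forged_msg, forged_tag = forge(tag, message, n, extension)
        if verify(forged_msg, forged_tag):
            return forged_msg, forged_tag
    return None


def parse_query(message):
    """Tolerant parser: the glue bytes end up inside the 'rating' value; admin=true parses."""
    return dict(f.split(b"=", 1) for f in message.split(b"&") if b"=" in f)


# Slide 39: HMAC keys the hash properly, so an extended message does not verify.
def hmac_tag(secret, message):
    return hmac.new(secret, message, hashlib.sha1).digest()


def hmac_verify(secret, message, tag):
    return hmac.compare_digest(hmac_tag(secret, message), tag)
```

The forged message contains the glue padding in the middle, so the attack works only when the application tolerates those bytes (as most query-string parsers do). Placing the secret after the message, H(message || secret), blocks this particular trick but invites others; the correct fix is HMAC.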
  39. MAC • Message Authentication Code • HMAC-SHA256(message, secret) • Unforgeable: seeing (m, MACk(m)) must not let anyone produce a valid (n, MACk(n)) for any new message n
  40. Side Channel Attack
  41. Comparison (Java 6u15: MessageDigest.isEqual, which returns at the first mismatching byte, so the time it takes reveals how many leading bytes were right):
      public static boolean isEqual(byte digesta[], byte digestb[]) {
          if (digesta.length != digestb.length) return false;
          for (int i = 0; i < digesta.length; i++) {
              if (digesta[i] != digestb[i]) {
                  return false;
              }
          }
          return true;
      }
  42. Constant time comparison (the length check may stay, since a digest's length is public; the loop must not exit early):
      public static boolean isEqual(byte[] a, byte[] b) {
          if (a.length != b.length) {
              return false;
          }
          int result = 0;
          for (int i = 0; i < a.length; i++) {
              result |= a[i] ^ b[i];
          }
          return result == 0;
      }
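An added example for slides 39–42, not code from the talk: a simulated timing attack that forges an HMAC tag against the early-exit comparison of slide 41, and the same attack failing against the constant-time comparison of slide 42. The `cost` counter that stands in for measured response time is an idealization (a real attacker measures noisy network timing and averages many requests per candidate byte); `make_verifier` is a hypothetical server.

```python
import hashlib
import hmac


def leaky_equal(a, b, cost):
    """Early-exit comparison, the slide 41 pattern. `cost` is a one-element list that
    counts the bytes inspected; it stands in for the response time an attacker measures."""
    if len(a) != len(b):
        return False
    for i in range(len(a)):
        cost[0] += 1
        if a[i] != b[i]:
            return False
    return True


def constant_time_equal(a, b, cost):
    """Slide 42: every byte is inspected no matter where the first mismatch is."""
    if len(a) != len(b):
        return False
    result = 0
    for i in range(len(a)):
        cost[0] += 1
        result |= a[i] ^ b[i]
    return result == 0


def hmac_tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def make_verifier(key, compare):
    """Hypothetical server: checks HMAC-SHA256(message) with the given comparison."""
    def verify(message, tag, cost):
        return compare(hmac_tag(key, message), tag, cost)
    return verify


def recover_tag(verify, message, tag_len=32):
    """Forge a tag for `message` without the key, one byte at a time: the candidate
    that makes the server inspect one more byte is the right one. With a
    constant-time compare every candidate costs the same and the attack learns nothing."""
    tag = bytearray(tag_len)
    for pos in range(tag_len):
        best, best_cost = 0, -1
        for c in range(256):
            tag[pos] = c
            cost = [0]
            if verify(message, bytes(tag), cost):
                return bytes(tag)          # last byte: the server simply accepts
            if cost[0] > best_cost:
                best, best_cost = c, cost[0]
        tag[pos] = best
    return bytes(tag)
```

Against `leaky_equal` the forgery costs at most 256 × 32 requests instead of 2^256 guesses. In Python the stock answer is `hmac.compare_digest`; in Java it is `MessageDigest.isEqual` from 6u17 onwards, which is the constant-time version on slide 42.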
  43. Side Channel • HEARTBLEED
  44. bcrypt()
  45. RSA/DES library… Orz
  46. Q & A
  47. 1 2 3 4 5 6 7 8 9 10……
