cargo cult security ujug sep2015

Post on 13-Apr-2017

Cargo Cult Security - Utah Java User Group 2015

https://github.com/disaacson/cargo-cult-security

by Derrick Isaacson

http://en.wikipedia.org/wiki/Cargo_cult

Richard Feynman

Cargo Cult Programming

Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.

• Design patterns
• Factory
• Wrapper
• Dependency injection
• Cryptography
• Encryption
• Hashing

The Big Picture

Crypto Primitives & Goals

Primitives:
• Hash
• MAC
• HMAC
• Symmetric Key Crypto
• Asymmetric Key Crypto
• Digital Signature
• Digital Certificates

Goals:
• Data Integrity
• Data Authentication
• Non-repudiation
• Confidentiality
• Trust

Classic Encryption

Plaintext → Cipher → Ciphertext

Symmetric Key Cryptography (Private-key Cryptography)

• Blowfish
• Twofish
• Serpent
• AES (Rijndael)
• CAST5
• RC4
• 3DES
• IDEA

• HTTPS (TLS)
• SSH (SSL)
• LUKS Disk Encryption
• KeePass

Anti-pattern: Authentication

/private_image?secure_id=573146feb41e

    import javax.crypto.*;

    // Encrypts the ID for use in the URL; nothing authenticates the result.
    public static String getPrivateURL(String plainTextId) {
        Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, initVector);
        byte[] cipherBytes = cipher.doFinal(plainTextId.getBytes());
        return bytesToHex(cipherBytes);
    }

    String plainTextId = "100000";
    String cipherTextId = Auth.getPrivateURL(plainTextId);

/private_image?secure_id=573146feb41e

    // Decrypts whatever ID the client sent and serves that image.
    public static String getSecretImg(String cipherTextId) {
        Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, initVector);
        byte[] plainBytes = cipher.doFinal(hexToBytes(cipherTextId));
        String plainTextId = new String(plainBytes, "UTF-8");
        return getImage(plainTextId);
    }

573146feb41e

100000

Team Photo

/private_image?secure_id=573146feb41e
/private_image?secure_id=573146feb41f

    public static String getSecretImg(String cipherTextId) {
        Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, initVector);
        byte[] plainBytes = cipher.doFinal(hexToBytes(cipherTextId));
        String plainTextId = new String(plainBytes, "UTF-8");
        return new String(plainBytes, "UTF-8");
    }

573146feb41f

100001

Attack Plan

Message Authentication Codes

HMAC(key, message)

HMAC: RFC 2104

• HMAC-MD5
• HMAC-SHA1
• HMAC-SHA256

Message → HMAC → MAC

    SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), "HmacSHA1");
    Mac mac = Mac.getInstance("HmacSHA1");
    mac.init(signingKey);
    byte[] hmacBytes = mac.doFinal(message.getBytes());
    return bytesToHex(hmacBytes);
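Applying HMAC to the private-image URL from the authentication anti-pattern, as an added example (not code from the talk or its repository): the ID travels in the clear with an HMAC-SHA256 tag, and the server recomputes the tag before serving anything. The class name `SignedImageUrl`, the `id`/`sig` parameter layout and the demo key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class SignedImageUrl {
    private final SecretKeySpec key;

    public SignedImageUrl(byte[] keyBytes) {
        this.key = new SecretKeySpec(keyBytes, "HmacSHA256");
    }

    private byte[] tag(String id) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(id.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical URL layout: /private_image?id=<id>&sig=<hex HMAC tag>
    public String privateUrl(String id) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : tag(id)) hex.append(String.format("%02x", b));
        return "/private_image?id=" + id + "&sig=" + hex;
    }

    // True only if sig is the tag this server issued for exactly this id.
    public boolean verify(String id, String sigHex) throws Exception {
        if (sigHex.length() != 64) return false;
        byte[] given = new byte[32];
        for (int i = 0; i < 32; i++) {
            int hi = Character.digit(sigHex.charAt(2 * i), 16);
            int lo = Character.digit(sigHex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return false;
            given[i] = (byte) (hi * 16 + lo);
        }
        return MessageDigest.isEqual(tag(id), given); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = new byte[32];
        new SecureRandom().nextBytes(keyBytes);       // constructed demo key
        SignedImageUrl urls = new SignedImageUrl(keyBytes);
        String url = urls.privateUrl("100000");
        String sig = url.substring(url.indexOf("&sig=") + 5);
        System.out.println(url);
        System.out.println("id=100000 accepted: " + urls.verify("100000", sig));
        System.out.println("id=100001 accepted: " + urls.verify("100001", sig));
    }
}
```

The tag proves the server issued this URL for this ID; it does not say who may view the image, so per-user access still needs an authorization check or the user's identity included in the MAC input.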

Anti-pattern: Authentication 2

/private_image?user_id=3d90e

http://aes.online-domain-tools.com/

2^24 search space with a valid URL density of

    String plainTextId = "834";
    String cipherTextId = Auth.getPrivateURL(plainTextId);

    public static String getPrivateURL(String plainTextId) {
        Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, initVector);
        byte[] cipherBytes = cipher.doFinal(plainTextId.getBytes());
        return bytesToHex(cipherBytes);
    }

Anti-pattern: Bank Deposit

    cipher = Cipher.getInstance("AES/CBC/NoPadding");
    …
    return cipher.doFinal(plainText.getBytes());

    msg[45] = (byte)(msg[45] ^ "0".getBytes()[0] ^ "t".getBytes()[0]);

    cipher = Cipher.getInstance("AES/CBC/NoPadding");
    …
    return cipher.doFinal(cipherText);

Or…

Replay it 1000 times

Encryption Parameters

• Cipher (AES, Blowfish, …)
• Secret key
• Data to encrypt
• CBC, ECB, OFB, …
• Initialization Vector

    Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key, initVector);

Anti-pattern: Encryption Modes

    cipher = Cipher.getInstance("AES/ECB/NoPadding");

Cipher-block Chaining Mode

    cipher = Cipher.getInstance("AES/CBC/NoPadding");

May 20th 1942: Message intercepted, Island “AF”

June 3rd 1942: Battle of Midway

Anti-pattern: Initialization Vector

    plainText = "Hold";
    cryptText = cipher.doFinal(plainText.getBytes());

• Monday: “a8b8f95c4684b3f3”
• Tuesday: “a8b8f95c4684b3f3”
• Wednesday: “a8b8f95c4684b3f3”
• Thursday: “a8b8f95c4684b3f3”
• Friday: “10f32c937a1284db”

Modes and IVs

• Cipher-block chaining prevents patterns within messages
• Correct IV prevents patterns across messages

Generating Keys & Initialization Vectors

    key = "koicy37m8ao2nl07";
    iv = new java.util.Random().nextLong();

• How many bits of key entropy can be contained in 16 alphanumeric characters?
• 96 bits
• ~0.00000002% of possible search space

• What initialization vector is really used here?
• “\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0”!
• Warning: The IV parameter must be as long as the blocksize in …

• Use
• javax.crypto
• SecretKey key = KeyGenerator.getInstance("AES").generateKey();
• IvParameterSpec iv = new javax.crypto.spec.IvParameterSpec(secureRandBytes);
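The bank deposit and initialization vector anti-patterns above, handled together in one added example (not code from the talk or its repository): a generated key, a fresh random IV per message, and an HMAC over IV and ciphertext that is checked before decryption. The class name `EncryptThenMac`, the message layout, the separate MAC key and the use of PKCS5 padding instead of the slides' NoPadding are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class EncryptThenMac {
    // Layout assumed by this example: IV(16) || ciphertext || HMAC-SHA256 tag(32) over IV and ciphertext
    static byte[] hmac(SecretKey macKey, byte[] data, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(data, 0, len);
        return mac.doFinal();
    }

    static byte[] seal(SecretKey encKey, SecretKey macKey, byte[] plain) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);                // fresh random IV for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, 16 + ct.length + 32);
        System.arraycopy(ct, 0, out, 16, ct.length);
        System.arraycopy(hmac(macKey, out, 16 + ct.length), 0, out, 16 + ct.length, 32);
        return out;
    }

    static byte[] open(SecretKey encKey, SecretKey macKey, byte[] msg) throws Exception {
        int body = msg.length - 32;
        if (body < 32 || !MessageDigest.isEqual(hmac(macKey, msg, body),
                Arrays.copyOfRange(msg, body, msg.length)))
            throw new SecurityException("MAC check failed"); // reject before decrypting
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(msg, 0, 16));
        return c.doFinal(msg, 16, body - 16);
    }

    public static void main(String[] args) throws Exception {
        SecretKey encKey = KeyGenerator.getInstance("AES").generateKey();
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        byte[] hold = "Hold".getBytes(StandardCharsets.UTF_8);
        byte[] mon = seal(encKey, macKey, hold), tue = seal(encKey, macKey, hold);
        System.out.println("Monday == Tuesday: " + Arrays.equals(mon, tue));
        mon[20] ^= 1;                                    // one flipped bit, as in the bank deposit slide
        try { open(encKey, macKey, mon); }
        catch (SecurityException e) { System.out.println("tampered: " + e.getMessage()); }
        System.out.println(new String(open(encKey, macKey, tue), StandardCharsets.UTF_8));
    }
}
```

The tag does not stop the same valid message being sent twice; replay protection needs a nonce or sequence number inside the authenticated data that the receiver tracks.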

Anti-pattern: Random Values

    <form action="">
      <label>Donation amount</label>
      <input type="text" value="10.00">
      <%
        Long csrfToken = new java.util.Random().nextLong();
        setCookie("csrfToken", csrfToken);
        print(String.format("<input type=\"hidden\" value=\"%s\">", csrfToken));
      %>
      <input type="submit" value="Submit">
    </form>

Finding Linear Congruential Seed

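    // Constants of the java.util.Random linear congruential generator
    long multiplier = 0x5DEECE66DL;
    long addend = 0xBL;
    long mask = (1L << 48) - 1;

    Random random = new Random();
    long v1 = random.nextInt();
    long v2 = random.nextInt();

    // v1 is the top 32 bits of the 48-bit state; try all 2^16 values of the low bits
    for (int i = 0; i < 65536; i++) {
        long seed = v1 * 65536 + i;
        if ((int) (((seed * multiplier + addend) & mask) >>> 16) == v2) {
            System.out.println("Seed found: " + seed);
            break;
        }
    }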

Anti-pattern: Pseudo-random Session IDs

    <%
      uid = "12345678";
      sessionId = md5(uid + rand.nextLong() + System.currentTimeMillis());
      setCookie("session_id", sessionId);
    %>

Really < 20 bits of entropy.
A modern GPU can calculate that in a second! [9, 12]

HMACs and Secure Random

    <form action="">
      <label>Donation amount</label>
      <input type="text" value="10.00">
      <%
        Long csrfToken = new java.security.SecureRandom().nextLong();
        setCookie("csrfToken", csrfToken);
        print(String.format("<input type=\"hidden\" value=\"%s\">", csrfToken));
      %>
      <input type="submit" value="Submit">
    </form>

Do not use sessions! Use HMACs!
Seriously.

No Cargo Cult Security!

1. Identify true security goal.
2. Find correct crypto primitive.
3. Spend some time to learn about it.
4. Write as little of your own crypto code as possible.

References

1. http://en.wikipedia.org/wiki/Cargo_cult
2. http://neurotheory.columbia.edu/~ken/cargo_cult.html
3. http://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc
4. http://en.wikipedia.org/wiki/Cargo_cult_programming
5. http://www.slideshare.net/javagroup2006/data-security-essentials-java-one-2013
6. http://www.scs.stanford.edu/10au-cs144/notes/
7. http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
8. http://security.stackexchange.com/questions/18033/how-insecure-are-phps-rand-functions
9. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf
10. http://security.stackexchange.com/questions/17988/how-insecure-are-non-cryptographic-random-number-generators
11. http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html
12. http://thepasswordproject.com/oclhashcat_benchmarking
13. http://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php
14. http://blowfish.online-domain-tools.com/
15. https://github.com/disaacson/cargo-cult-security
16. http://tools.ietf.org/html/rfc2104
