cryptography - you're doing it wrong! (attila balazs)

Post on 13-May-2015


DESCRIPTION

Do you use crypto in your app? Then you're doing it wrong! This presentation explores 10 ways crypto code gleaned from the Internet is wrong and insecure and what you can do to prevent the attacks.

TRANSCRIPT

Premium community conference on Microsoft technologies itcampro @ itcamp14 #

Cryptography: you're doing it wrong!

108 frequent mistakes in implementing crypto

Attila-Mihály Balázs

gpanther@grey-panther.net

Huge thanks to our sponsors & partners!

Agenda

• Who am I?

• Reason 0

• Reason 1

• Reason 2

• Reason 3

• Reason 4

• Reason 5

• Reason 6

• Reason 7

• Resources

• Q&A

Who am I?

Attila-Mihály Balázs

• Reverse Engineer

• Developer

• Technologist

• Not a cryptographer !!!

gpanther@grey-panther.net

https://grey-panther.net

TL;DR

Choose widely used technologies:

• Data in motion: TLS (SSL)

  • Client side certificates

  • Windows AD comes with it

• Data at rest:

  • Bitlocker, NTFS encryption, CryptProtectData

  • gpgme, encrypted archives (7z), keyczar-dotnet

• Password store: use PBKDF2

Purpose of this talk

Scare the s*** out of you!

Purpose of this talk

Scare the pants off of you!

Purpose of this talk

You are not smart enough to do crypto!

Scenario

Diagram: Alice and Bob exchange messages; Eve and Mallory are the attackers watching the channel.

Scenario

Diagram: the client authenticates once, receives a Token, and presents that Token on every later request; Eve and Mallory sit on the path between client and server.

Don't implement your own crypto !!!

• Primitives: block ciphers, stream ciphers, hash functions

• Cryptographic protocols (systems), i.e. “transmit data over an (untrusted) network between participants who never met previously and ensure the data secrecy and integrity in the presence of passive and/or active attackers”

Implementation

Token

// From the MSDN sample linked below; NetStream is the NetworkStream the sample opens earlier.
using System.IO;
using System.Security.Cryptography;

RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
              0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
             0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
    NetStream, RMCrypto.CreateEncryptor(Key, IV),
    CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("Hello World!");

http://msdn.microsoft.com/en-us/library/as0w18af%28v=vs.110%29.aspx

Legal stuff I need to tell you

Software on Documentation Portals. Software accessible on the Documentation Portals is made available by the designated publisher under the associated license terms. If Software is accessible on the Documentation Portals without license terms, then subject to subsection (c) below you may use it to design, develop, and test your programs. If any such Software without license terms is marked as “sample” or “example,” then you may use it under the terms of the Microsoft Limited Public License.

http://msdn.microsoft.com/en-us/cc300389.aspx#D

3(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

3(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.

3(F) Platform Limitation - The licenses granted in sections 2(A) & 2(B) extend only to the software or derivative works that you create that run on a Microsoft Windows operating system product.

Reason 0: Replay Attacks

Token

RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
              0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
             0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
    NetStream, RMCrypto.CreateEncryptor(Key, IV),
    CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("access-level=admin|username=bruce");

Reason 0: Replay Attacks

Token

RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
              0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
             0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
    NetStream, RMCrypto.CreateEncryptor(Key, IV),
    CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("ip=65.55.58.201|expires=1400488925|"
    + "access-level=admin|username=bruce");

Choices, choices, choices

• Algorithm: symmetric, Rijndael (AES)

• Block size: 128 bit (16 bytes)

• Operation mode: CBC

• Padding: PKCS7

• Key: 128 bit (16 bytes)

• Key derivation ??

• IV == Key ?? Fixed ??

Reason 1: bit flipping attacks

http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

Reason 1: bit flipping attacks

1 ⊕ 1 == 0, 1 ⊕ 0 == 1

0 ⊕ 1 == 1, 0 ⊕ 0 == 0

Reason 1: bit flipping attacks

access-level=user|username=gpantherlaccess-level-admin

|: 01111100b =: 00111101b

l: 01101100b -: 00101101b

access-level=use****************her|access-level=admin

Reason 2: padding oracle

=admin

=admin\x9\x9\x9\x9\x9\x9\x9\x9\x9

Reason 2: padding oracle

CryptographicException: Padding is invalid and cannot be removed.

Reason 2: padding oracle

guessed ⊕ original ⊕ plaintext = 0x01

a ⊕ a = 0

a ⊕ b = b ⊕ a

plaintext = 0x01 ⊕ guessed ⊕ original

Reason 3: Poorly chosen IV

RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
              0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
             0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
    NetStream, RMCrypto.CreateEncryptor(Key, IV),
    CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("access-level=admin|username=bruce");

Reason 3: Poorly chosen IV

IV == Key

C0 = EK(P0 ⊕ IV)
C1 = EK(P1 ⊕ C0)
C2 = EK(P2 ⊕ C1)

P0 = DK(C0) ⊕ IV    (DK(EK(P0 ⊕ IV)) ⊕ IV = P0 ⊕ IV ⊕ IV = P0)
P1 = DK(C1) ⊕ C0    (DK(EK(P1 ⊕ C0)) ⊕ C0 = P1 ⊕ C0 ⊕ C0 = P1)

Now let the receiver decrypt the three-block ciphertext C0 ‖ 0 ‖ C0:

  block 0: DK(C0) ⊕ IV = A
  block 1: DK(0) ⊕ C0          (garbage, ignored)
  block 2: DK(C0) ⊕ 0 = DK(C0) = B

A ⊕ B = DK(C0) ⊕ IV ⊕ DK(C0) = IV = Key

Reason 3: Poorly chosen IV

IV == Constant → chosen plaintext attack / encryption oracle

username=gpanther|access-level=user

username=gpanther|access-level=admin

68e4ed21f7bc5ac64405cdd8269b3b74fa19b951f0b521757e94…

68e4ed21f7bc5ac64405cdd8269b3b74e06a42679cb7b34ca8a1…

Reason 4: Key derivation

Human password → key bits

Very bad: truncate/pad to 16 bytes

Very bad: use (first 16 bytes of) MD5(password)

Very bad: use SHA1(password)

Bad: use SHA1(salt + password)

Bad: use SHA1(per user salt + password)

Good: use PBKDF2(password)*. Tune it.

Good: use scrypt(password). Tune it.

* Rfc2898DeriveBytes
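Password storage along the lines of the "Good" rows above, as an added example that is not code from the talk: PBKDF2-HMAC-SHA256 from the Python standard library (the counterpart of Rfc2898DeriveBytes), with a random per-user salt, an iteration count stored in the record so it can be raised later, and a constant-time comparison. The record layout, constant names and iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Added example, not code from the talk: password storage with PBKDF2-HMAC-SHA256.
# Every record carries its own random salt and iteration count, so the work
# factor can be raised later without invalidating existing records.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # tune so one derivation costs on the order of 100 ms on your server
SALT_LEN = 16          # bytes of random salt per user
KEY_LEN = 32           # bytes of derived key to store

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key from the password and return 'algo$iterations$salt$key' (hex)."""
    salt = os.urandom(SALT_LEN)   # fresh per-user salt, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, KEY_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"

def parse_record(record: str):
    """Split a stored record; returns (iterations, salt, key) or None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iterations, compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)   # no early exit on mismatch

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker setting than the current tuning."""
    parsed = parse_record(record)
    return parsed is None or parsed[0] < iterations
```

Call needs_rehash after a successful login and re-run hash_password on the plaintext you were just given; that is the only moment the stored cost can be raised.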

Reason 5: hash extension attacks

Diagram: the same authenticate-then-present-Token flow as before, with Eve and Mallory on the path; the token now carries a signature:

"ip=127/8|expires=1400488925|access-level=admin|username=bruce|<signature>"

Reason 5: hash extension attacks

Cryptographic hash function:

• H(x) = h

• h is fast to compute

• h is of fixed size

• Given h, it is impractical to generate x

H(<secret key><data>) = <hash>

<data><hash>

Reason 5: hash extension attacks

Cryptographic hash functions are completely deterministic!

adc83b19 e793491b 1c6ea0fd 8b46cd9f 32e592fc

adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

Given x and H(x) it is trivial* to compute:

• H(x + d) for arbitrary d

• H(x[0:k]) for arbitrary k

Use HMAC

Reason 6: HMAC timing attack (side channel attacks)

In = "<data><signature>";
Data, Sig = In.split();
CalcSig = HMAC(Data);

/* Wrong!!! Do not use!!! */
for (i = 0; i < SIG_LEN; i++) {
    if (Sig[i] != CalcSig[i]) {
        return False;   /* returns at the first differing byte, so the elapsed
                           time reveals how many leading bytes were right */
    }
}
return True;

Reason 6: HMAC timing attack (side channel attacks)

<data>00XXXXXXXXXXXXXXXXXXXXXXXXXXXX

<data>01XXXXXXXXXXXXXXXXXXXXXXXXXXXX

<data>02XXXXXXXXXXXXXXXXXXXXXXXXXXXX

<data>ad00XXXXXXXXXXXXXXXXXXXXXXXXXX

<data>ad01XXXXXXXXXXXXXXXXXXXXXXXXXX

<data>ad02XXXXXXXXXXXXXXXXXXXXXXXXXX

Reason 6: HMAC timing attack (side channel attacks)

In = "<data><signature>";
Data, Sig = In.split();
CalcSig = HMAC(Data);

int result = 0;
for (i = 0; i < SIG_LEN; i++) {
    result |= Sig[i] ^ CalcSig[i];   /* always visits every byte, no early exit */
}
return result == 0;
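The fixed-up token from Reasons 0, 5 and 6 put together, as an added example that is not code from the talk: the slide's "ip=…|expires=…|access-level=…|username=…|<signature>" format, signed with HMAC-SHA256 instead of H(<secret key><data>) so appending data does not extend the signature, and verified with Python's hmac.compare_digest, which does the same all-bytes comparison as the loop above. The key, the field order and the client-IP binding are this example's own assumptions.

```python
import hashlib
import hmac
import time

# Added example, not code from the talk.  SERVER_KEY is a placeholder:
# load a real random key from a secret store, never hard-code it.
SERVER_KEY = b"PLACEHOLDER-32-BYTE-SERVER-KEY!!"
SIG_HEX_LEN = 64   # hex length of an HMAC-SHA256 tag

def issue_token(key, username, access_level, client_ip, lifetime_s, now=None):
    """Build 'ip=..|expires=..|access-level=..|username=..|<hmac hex>'."""
    now = int(time.time()) if now is None else now
    fields = {"ip": client_ip, "expires": str(now + lifetime_s),
              "access-level": access_level, "username": username}
    # '|' and '=' are structural, so no field value may contain them
    if any("|" in v or "=" in v for v in fields.values()):
        raise ValueError("field value contains a separator")
    data = "|".join(f"{k}={v}" for k, v in fields.items())
    tag = hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{data}|{tag}"

def verify_token(key, token, client_ip, now=None):
    """Return the token's fields if it is authentic, unexpired and bound to
    client_ip, otherwise None.  The MAC is checked before any field is used."""
    now = int(time.time()) if now is None else now
    data, sep, tag = token.rpartition("|")
    if not sep or len(tag) != SIG_HEX_LEN:
        return None
    expected = hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest does not stop at the first differing byte (Reason 6)
    if not hmac.compare_digest(expected, tag):
        return None
    fields = dict(f.split("=", 1) for f in data.split("|"))
    # expiry and client binding limit replay of a captured token (Reason 0)
    if int(fields["expires"]) <= now or fields["ip"] != client_ip:
        return None
    return fields
```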

Reason 7: C.R.I.M.E. attack (side channels redux)

Diagram: each Query is answered with EK(C(Query + Response)), i.e. the query and the response are compressed together and only then encrypted; Mallory can supply her own Query and observe the resulting ciphertext.

Resources

• Matasano crypto challenge http://www.matasano.com/articles/crypto-challenges/

• Applied Cryptography https://www.udacity.com/course/cs387

• Cryptography Engineering https://www.schneier.com/book-ce.html

• Crypto 101 https://www.crypto101.io/

Q & A
