crypto 101: encryption, codebreaking, ssl and bitcoin


Page 1: Crypto 101: Encryption, Codebreaking, SSL and Bitcoin

SESSION ID: BAS-M06

Benjamin Jun, HVF Labs (@BenjaminJun)

Some material adapted from Ivan Ristic, Qualys (RSAC 2011)

Page 2: Crypto 101

Cryptography is the art and science of keeping messages secure.

Agenda:
• Cryptography building blocks
• Cryptographic protocols: SSL / TLS, Bitcoin
• Attacks on cryptography

Page 3: Security

Security \si-ˈkyu̇r-ə-tē\: the state of being free from danger or threat.

Cryptography terms:
• Confidentiality
• Integrity
• Authentication
• Access control
• Non-repudiation

Other criteria:
• Interoperability
• Performance
• Usability

Page 4: Crypto Building Blocks

Page 5: Encryption

Obfuscation that is fast when you know the secrets, but impossible or slow when you don't.

Historical devices pictured: Scytale (300 BC), Jefferson Wheel (M94) (1900s), Enigma Machine (1920s). Image credit: Luringen, Sobebunny, R Booth.

Page 6: Symmetric encryption

• Uses a shared key to encrypt and decrypt
• Algorithm does not need to be secret
• Key must be agreed and communicated in advance
• Convenient and fast
• Examples: RC4, 3DES, AES

Page 7: Asymmetric encryption

• Two related keys: one private, one public
• Anyone with the public key can encrypt a message
• Only the private key holder can decrypt the message
• Enables encryption, key exchange, and authentication
• Examples: RSA, Diffie-Hellman, ElGamal, DSA, elliptic curve (ECDH / ECDSA)
• Significantly slower than symmetric encryption

Page 8: Authentication

Confirm data integrity and message origin.

Historical examples pictured:
• Egyptian signet ring (500 BC)
• Mark of the Fisherman (1200 AD): on the Pope's death, the Cardinal Camerlengo is to destroy it
• US nuclear "football" (present day): keys roll at noon on inauguration day

Image credits: British Museum; flickr: favoritethings

Page 9: Digital signatures

• Asymmetric cryptography can authenticate messages
• Only the private key holder can generate a signature
• Anyone with the public key can validate the signature
• Signatures protect digital certificates from modification or forgery

(Diagram: document → sign → signed document → verify.)

Page 10: Digital certificates

A digital ID can include a public/private keypair.

A digital certificate conveys identity:
• Credential holder info (name, address, etc.)
• Identity's public key
• Validity period
• Digital signature of the Certificate Authority (CA)

Authentication has 3 steps:
1. CA signature confirms the data is authentic and vouched for
2. Do we approve of the data in the certificate?
3. Identity keypair is validated to confirm the ID holder has the private key

Page 11: Randomness matters

• Random numbers are at the heart of crypto
• Used for key generation
• Weak keys = weak encryption

Random number generators:
• True random (TRNG): truly random
• Pseudorandom (PRNG): look random

PRNGs are fine if properly seeded and properly designed.

The slide shows two pages from NIST SP 800-90A, excerpted below.

Excerpt from NIST SP 800-90A, Rev 1 (January 2012), page 60:

10.3 DRBG Mechanisms Based on Number Theoretic Problems

A DRBG can be designed to take advantage of number theoretic problems (e.g., the discrete logarithm problem). If done correctly, such a generator's properties of randomness and/or unpredictability will be assured by the difficulty of finding a solution to that problem. This section specifies a DRBG mechanism that is based on the elliptic curve discrete logarithm problem.

10.3.1 Dual Elliptic Curve Deterministic RBG (Dual_EC_DRBG)

Dual_EC_DRBG is based on the following hard problem, sometimes known as the "elliptic curve discrete logarithm problem" (ECDLP): given points P and Q on an elliptic curve of order n, find a such that Q = aP.

Dual_EC_DRBG uses an initial seed that is 2 * security_strength bits in length to initiate the generation of outlen-bit pseudorandom strings by performing scalar multiplications on two points in an elliptic curve group, where the curve is defined over a field approximately 2^m in size. For all the NIST curves given in this Recommendation, m is at least twice the security_strength, and never less than 256. Throughout this DRBG mechanism specification, m will be referred to as seedlen; the term "seedlen" is appropriate because the internal state of Dual_EC_DRBG is used as a "seed" for the random block it produces. Figure 13 depicts the Dual_EC_DRBG.

The instantiation of this DRBG mechanism requires the selection of an appropriate elliptic curve and curve points specified in Appendix A.1 for the desired security strength. The seed used to determine the initial value (s) of the DRBG mechanism shall have at least security_strength bits of entropy. Further requirements for the seed are provided in Section 8.6. This DRBG mechanism uses the derivation function specified in Section 10.4.1 during instantiation and reseeding.

The maximum security strength that can be supported by the Dual_EC_DRBG is the security strength of the curve used; the security strengths for the curves are provided in [SP 800-57].

Figure 13: Dual_EC_DRBG. (Diagram, recovered from its labels: the seed sets the initial state s at instantiation or reseed only; each step computes t = s ⊕ additional input, or t = s if additional input is Null; then s = x(t*P) and r = x(s*Q); ExtractBits(r) yields the pseudorandom bits. Additional input is optional.)

Excerpt from NIST SP 800-90A, Rev 1 (January 2012), page 77:

Appendix A: (Normative) Application-Specific Constants

A.1 Constants for the Dual_EC_DRBG

The Dual_EC_DRBG requires the specifications of an elliptic curve and two points on the elliptic curve. One of the following NIST approved curves with associated points shall be used in applications requiring certification under [FIPS 140]. More details about these curves may be found in [FIPS 186]. If alternative points are desired, they shall be generated as specified in Appendix A.2.

Each of the following curves is given by the equation:

y^2 = x^3 - 3x + b (mod p)

Notation:
• p: order of the field F_p, given in decimal
• n: order of the elliptic curve group, in decimal
• a: -3 in the above equation
• b: coefficient above

The x and y coordinates of the base point, i.e., generator G, are the same as for the point P.

A.1.1 Curve P-256

p = 115792089210356248762697446949407573530086143415290314195533631308867097853951

n = 115792089210356248762697446949407573529996955224135760342422259061068512044369

b = 5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b

Px = 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296

Py = 4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5

Qx = c97445f4 5cdef9f0 d3e05e1e 585fc297 235b82b5 be8ff3ef ca67c598 52018192

Qy = b28ef557 ba31dfcb dd21ac46 e2a91e3c 304f44cb 87058ada 2cb81515 1e610046

Slide caption: NIST SP 800-90A: Dual_EC_DRBG with NIST (struck through, replaced by NSA*) constants. Don't use these.

* NYT Snowden memos, September 2013
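The following added example (not from the slides or from NIST) runs the Figure 13 loop on a toy curve, the 19-point curve y^2 = x^3 + 2x + 2 mod 17 with P = (5, 1) from Paar and Pelzl's textbook, with a constructed Q = 5*P and no ExtractBits truncation. It shows why the provenance of the constants matters: anyone who knows the d with Q = d*P can turn a single output into the generator's next state and every later output, which is why points whose generation cannot be verified must not be trusted.

```python
# Toy-scale Dual_EC_DRBG (no ExtractBits truncation) on y^2 = x^3 + 2x + 2 mod 17,
# a 19-point curve with generator P = (5, 1). Constructed example, not NIST code.
P_MOD, A, B, ORDER = 17, 2, 2, 19
P = (5, 1)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def dual_ec_outputs(state, Q, count):
    """Figure 13 loop, no additional input: s = x(s*P); r = x(s*Q); emit r."""
    outs = []
    for _ in range(count):
        state = ec_mul(state, P)[0]  # toy ignores the (negligible) state-0 case
        outs.append(ec_mul(state, Q)[0])
    return outs

def predict_from_output(r, d, Q, count):
    """Knowing d with Q = d*P: lift r to R = s*Q (either root of y works),
    then e*R = s*P for e = d^-1 mod n, whose x is the next internal state."""
    e = pow(d, -1, ORDER)
    y = next(y for y in range(P_MOD) if (y * y - (r ** 3 + A * r + B)) % P_MOD == 0)
    nxt = ec_mul(e, (r, y))[0]
    return [ec_mul(nxt, Q)[0]] + dual_ec_outputs(nxt, Q, count - 1)

Q = ec_mul(5, P)  # constructed trapdoor d = 5, so Q = (9, 16) and d^-1 = 4 mod 19
print(dual_ec_outputs(2, Q, 4), predict_from_output(13, 5, Q, 3))  # [13, 3, 0, 10] [3, 0, 10]
```

On P-256 the attacker additionally has to guess the 16 truncated bits of each output, which is cheap; the defence is not truncation but constants generated by a verifiable process, or a different DRBG.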

Page 12: Hash functions

One-way transformation to generate data fingerprints for:
• Digital signatures
• Integrity validation
• Tokenization (e.g., storing passwords)

Examples:
• MD5: considered broken
• SHA-1 (160-bit): some concerns
• SHA-2 (256-bit): OK
• Keccak and SHA-3

Desirable qualities:
• Preimage resistance (one-wayness)
• Collision resistance (and the birthday bound)

(Diagram: SHA-2 (SHA-256) compression function.)
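As an added example (not from the slides), the following compares a birthday-style collision search with a preimage search on truncated SHA-256: a 32-bit collision costs roughly as many hashes as a 16-bit preimage, which is why collision resistance needs twice the output length of preimage resistance. The truncation lengths and message formats are constructed so the searches finish in well under a second.

```python
# Birthday bound vs. preimage cost on truncated SHA-256. Constructed example;
# the truncation exists only to make the searches fast enough to watch.
import hashlib
from math import pi, sqrt

def h(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its leading `bits` bits (toy; never do this for real)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a digest.
    Expected work ~ sqrt(pi/2 * 2**bits) hashes, i.e. about 2**(bits/2)."""
    seen = {}
    for i in range(2 ** bits + 1):
        m = b"msg-%d" % i
        d = h(m, bits)
        if d in seen:
            return seen[d], m, i + 1        # the two messages and trials used
        seen[d] = m
    raise RuntimeError("unreachable by the pigeonhole principle")

def find_preimage(target: int, bits: int):
    """Preimage search for a given truncated digest: expected ~ 2**bits hashes."""
    for i in range(2 ** (bits + 6)):
        m = b"guess-%d" % i
        if h(m, bits) == target:
            return m, i + 1
    return None, 2 ** (bits + 6)

def expected_birthday_trials(bits: int) -> float:
    """Mean number of hashes before the first collision among 2**bits values."""
    return sqrt(pi / 2 * 2 ** bits)

if __name__ == "__main__":
    a, b, tries = find_collision(32)
    print("32-bit collision after", tries, "hashes; expected about",
          round(expected_birthday_trials(32)))
    m, tries = find_preimage(h(b"original document", 16), 16)
    print("16-bit preimage after", tries, "hashes; expected about", 2 ** 16)
```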

Page 13: Stay humble

• Don't roll your own crypto: failure modes are subtle and catastrophic; standard crypto has been strongly vetted
• Avoid unnecessary complexity: a system is only as strong as its weakest link, and complexity = more stuff to go wrong
• Never rely on obscurity ("If I can barely understand it, then it must be strong!"): Kerckhoffs's principle says only the key should be secret

Pictured: Auguste Kerckhoffs (1835-1903)

Page 14: Putting It All Together: SSL / TLS, Bitcoin

Page 15: TLS

• Transport Layer Security
• World's most widely used cryptographic protocol
• From Netscape SSL3 (Kocher, 1995)

Security requirements:
• Securely connect with someone you have never met
• Data privacy, data integrity, no site impersonation, no man-in-the-middle

Page 16: Getting to https

1. Webserver provides digital certificate to browser
   • "Amazon.com's passport"
2. TLS layer + browser "authenticates passport"
   • Confirms data fields in cert
   • Confirms digital signature
3. TLS layer confirms that webserver holds the private key
   • Sends encrypted data that can only be decrypted with the private key

(Diagram of the certificate: Amazon info, Amazon public RSA key, Certificate Authority info, Certificate Authority signature.)

Page 17: TLS: Connection

TLS 1.2 protocol for secure socket and session management. Certificate check passed!

ECDHE_RSA for key exchange:
• Asymmetric crypto
• Confidentiality: Elliptic curve Diffie-Hellman
• Authentication: RSA 2048
• "Perfect forward secrecy"

AES_128_GCM for bulk data:
• Symmetric crypto
• AES-128 block cipher (privacy)
• Galois authentication (integrity)

Page 18: Bitcoin (1/2)

• Peer-to-peer, decentralized currency
• Not underwritten by any entity
• "Satoshi Nakamoto" paper (2008)
• 180K transactions/day (Jan '16)
• $6.5B in circulation (Jan '16) (US M0 supply: $4,007B, Nov '15)

Diagrams from blockchain.info. The slide also shows the first page of the Bitcoin paper, reproduced below.

Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
[email protected]
www.bitcoin.org

Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

1. Introduction

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

Page 19: Bitcoin (2/2)

Characteristic                     | What happens                                                      | Cryptography
Value creation                     | Mined by searching for magic values (kWh → BTC!)                  | Proof-of-work method uses the SHA-256 hash function
Coin transfers                     | Digital signatures                                                | ECDSA digital signature
Recordkeeping (no double-spending) | Distributed ledger with financial incentive for a "single view"   | Block chain uses the SHA-256 hash function
Backing entity                     | NONE! Everything regulated by market forces + math!               |

Great technical resource: Bitcoin Developer Reference by Krzysztof Okupski
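To show in code what the "Value creation" and "Recordkeeping" rows mean, here is an added toy block chain (a constructed example, not Bitcoin's real 80-byte header format or target encoding): each block commits to its predecessor's double-SHA-256 hash and carries a nonce found by proof-of-work, so altering an earlier transaction invalidates every block after it unless all of their work is redone.

```python
# Minimal proof-of-work block chain over double SHA-256. Constructed example;
# the header layout and 16-bit difficulty are simplifications of Bitcoin's.
import hashlib

DIFFICULTY_BITS = 16                         # toy target: ~2**16 hashes per block
GENESIS_PREV = b"\x00" * 32

def dsha256(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def header(prev_hash: bytes, txs: str, nonce: int) -> bytes:
    """prev hash || hash of the transactions || 4-byte little-endian nonce."""
    return prev_hash + hashlib.sha256(txs.encode()).digest() + nonce.to_bytes(4, "little")

def meets_target(block_hash: bytes, bits: int = DIFFICULTY_BITS) -> bool:
    return int.from_bytes(block_hash, "big") < (1 << (256 - bits))

def mine(prev_hash: bytes, txs: str) -> dict:
    """Search for the 'magic value' (nonce) whose header hash falls below the target."""
    nonce = 0
    while not meets_target(dsha256(header(prev_hash, txs, nonce))):
        nonce += 1
    return {"prev": prev_hash, "txs": txs, "nonce": nonce}

def block_hash(block: dict) -> bytes:
    return dsha256(header(block["prev"], block["txs"], block["nonce"]))

def verify_chain(chain: list) -> bool:
    """Each block must hash below target and name its predecessor's hash; editing
    an earlier transaction changes that hash and breaks every later link."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or not meets_target(block_hash(block)):
            return False
        prev = block_hash(block)
    return True

def build_chain(tx_lists: list) -> list:
    chain, prev = [], GENESIS_PREV
    for txs in tx_lists:
        chain.append(mine(prev, txs))
        prev = block_hash(chain[-1])
    return chain

if __name__ == "__main__":
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print("valid:", verify_chain(chain))            # True
    chain[1]["txs"] = "bob->carol 200"              # rewrite history
    print("after tampering:", verify_chain(chain))  # False
```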

Page 20: Attacks on Cryptography

Page 21: Brute force

• US Navy Bombe, 1943: contains 16 four-rotor Enigma equivalents to perform exhaustive key search.
• DES Keysearch Machine, 1998 (Cryptography Research, AWT, EFF): tests 90 billion keys/sec; average time to crack 56-bit DES: 5 days.

Page 22: Cryptanalysis

HDCP = "High bandwidth Digital Copy Protection"
• Protects digital content; interoperability
• Fast, offline, any-to-any negotiation
• Encryption and authentication

"Clever" key management:
• No one device contains the global secret
• But keys from ~40 devices can reveal the master key
• HDCP master key published (2010)
• Unlicensed implementations cannot be revoked

Reference: A Cryptanalysis of the High-bandwidth Digital Content Protection System (Crosby, Goldberg, Johnson, Song, Wagner). Image from www.hdmi.org.

Page 23: Implementation: Side Channel (1/2)

Simple EM attack with a radio at a distance of 10 feet. Setup pictured:
• Devices and antennas
• Receiver ($350)
• Digitizer, GNU Radio peripheral ($1000)
• Signal processing (demodulation, filtering)

Images from Cryptography Research.

Page 24: Implementation: Side Channel (2/2)

Focus on the M_p^(d_p) mod p calculation (M_q^(d_q) mod q is similar). Square-and-multiply exponentiation:

  for each bit i of secret d_p:
      perform "Square"
      if (bit i == 1):
          perform "Multiply"
      endif
  endfor

Operation sequence read from the trace (S = square, M = multiply):
SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S

Images from Cryptography Research.
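The added example below (not from the slides or from Cryptography Research) implements the square-and-multiply loop with an operation trace, decodes the slide's S/SM trace into exponent bits, and contrasts it with a Montgomery ladder whose operation sequence is the same for every exponent of the same length, the usual first step in closing this kind of leak. The slide's trace string is copied as-is; the base, exponent and modulus are constructed.

```python
# Square-and-multiply with an operation trace, as on the slide, plus a
# Montgomery ladder whose trace does not depend on the exponent. Constructed example.
def square_and_multiply(base: int, exp: int, mod: int):
    """Left-to-right binary exponentiation; returns (result, trace) where the
    trace records 'S' for each squaring and 'M' for each multiply."""
    acc, trace = 1, []
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        trace.append("S")
        if bit == "1":
            acc = acc * base % mod
            trace.append("M")
    return acc, trace

def recover_bits(trace: str) -> str:
    """Read exponent bits straight off an S/SM trace: 'SM' = 1, lone 'S' = 0."""
    return "".join("1" if op == "SM" else "0" for op in trace.split())

def ladder(base: int, exp: int, mod: int):
    """Montgomery ladder: every bit costs exactly one multiply and one square, so
    the operation sequence is identical for all exponents of equal length.
    (Which register is written still depends on the bit; real code must also
    make that selection constant-time.)"""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r1, r0 = r0 * r1 % mod, r0 * r0 % mod
        trace.append("MS")
    return r0, trace

SLIDE_TRACE = "SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S"

if __name__ == "__main__":
    print(recover_bits(SLIDE_TRACE))            # 10000000101100011000000000
    print(square_and_multiply(3, 0b1011, 101))  # (94, ['S', 'M', 'S', 'S', 'M', 'S', 'M'])
    print(ladder(3, 0b1011, 101))               # (94, ['MS', 'MS', 'MS', 'MS'])
```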

Page 25: Crypto necessary, but not sufficient

• Game King poker (2014): bug allows the user to adjust the bet after the hand is played. http://www.wired.com/2014/10/cheating-video-poker/
• Siemens Simatic S7-315: target of Stuxnet (Operation Olympic Games)

Page 26: Learn More!

Page 27: Resources

• Understanding Cryptography, Christof Paar and Jan Pelzl (Springer, 2009)
• Cryptography online course, Dan Boneh, Stanford University

(Pictured: two slides from Dan Boneh's course. "Generating keys: a toy protocol": Alice wants a shared key with Bob, eavesdropping security only; Alice (kA) and Bob (kB) each hold a key with a trusted third party (TTP); (E,D) is a CPA-secure cipher; on "Alice wants key with Bob" the TTP chooses a random kAB and returns it to Alice together with a ticket for Bob. "Insecure against man-in-the-middle": as described, the protocol is insecure against active attacks; Alice, MiTM, Bob.)

Page 28: How to apply what you have learned

In the first three months:
• Identify where cryptography is used in your organization
• Identify the infrastructure required (key management, certificates)

Within six months:
• Know what crypto can do: explain the different security properties
• Know what crypto can't do: understand basic implementation security issues

Page 29: Questions?

@BenjaminJun

Friday March 4, 10:10am: "Our Road Ahead: Today's Tech Developments, Tomorrow's Security Challenges", a fireside chat with Benjamin Jun and Hugh Thompson (Industry Experts, EXP-F02)