Cryptography 1 Three methods: Symmetric key Asymmetric key Hashing

Post on 17-Jan-2016


Page 1: Cryptography 1 Three methods: Symmetric key Asymmetric key Hashing

Cryptography

Three methods:
• Symmetric key
• Asymmetric key
• Hashing

Page 2

Symmetric Key Encryption

• Encryption of almost everything
  - Data at rest: disk encryption, files, databases
  - Data in motion: SSL/TLS, IPsec

• Today's standards
  - Advanced Encryption Standard: AES-128 and AES-256
  - Processor hardware acceleration (AES-NI and carry-less multiply instructions) for Galois/Counter Mode (GCM): < 1% performance impact

• SDP/PA use AES-256 for Single Packet Authorization and for TLS communication

• Shared key encryption
  - The same key used to encrypt also decrypts
  - Must be kept secret!
  - Very difficult to transmit a secret across an untrusted network; that is the problem asymmetric cryptography solves

Page 3

Asymmetric Key (a.k.a. Public Key) Cryptography

• Purpose
  - Exchange secrets over an untrusted network
  - Secretly (encrypted) and with integrity (signed)

• Only encrypts small pieces of data
  - The message, taken as a number, must be smaller than the asymmetric key (for RSA, smaller than the modulus n)

• Only used for 2 things
  - Encrypt symmetric keys (common for data at rest)
  - Encrypt hashes (a private-key operation on a hash is what is called a "signature")

• Today's standards
  - Diffie-Hellman (key agreement, not encryption), RSA (PKCS#1), Digital Signature Standard (DSS)

• SDP/PA use asymmetric key encryption for:
  - Encrypting keys on disk
  - Exchanging symmetric keys & creating signatures for the TLS handshake
  - Generating and validating X.509 certificates

Page 4

Hash (and, when keyed, Message Authentication Code or MAC)

• Converts an arbitrarily long message into a single number
  - The number is "unique" in practice (collision-resistant); typical output spaces are 2^256, 2^384, 2^512 values
  - 2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 ≈ 1.16 × 10^77
  - Approx. # atoms in the observable universe

• Cannot be reversed
  - Once converted to a hash, it cannot be converted back into the message (preimage resistance)
  - To check a message, re-hash it and compare hashes
  - Same hash means same message (with overwhelming probability)

• Today's standards
  - Secure Hash Algorithm 1 (SHA-1): widely used, considered insecure
  - SHA-2 family of hashes, typical use: 256, 384, 512-bit
  - SHA-3 released Aug 5, 2015 (FIPS 202)
  - Message Digest 5 (MD5): considered cryptographically broken

• SDP/PA use hashing for:
  - One Time Password (OTP) and GMAC of Single Packet Authorization (SPA); the GMAC is a keyed MAC, not a bare hash
  - Integrity of the TLS handshake
  - X.509 certificates (the certificate body is hashed, and that hash is what the issuer signs with its private key)
  - Derivation of TLS symmetric keys and Initialization Vectors (IV)

Key Derivation Function (KDF), sketched as a hash chain:
  Km = create master key
  K1 = H[Km]
  K2 = H[K1]
  K3 = H[K2]
  K4 = H[K3]

A bare chain like this has a weakness: anyone holding K1 can compute K2, K3 and K4. Real KDFs (the TLS PRF, HKDF) derive every key from the master with a keyed HMAC and a distinct label, so one derived key reveals nothing about the others.

Page 5

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Cryptography

• Only 3 methods
  - Symmetric key encryption
  - Asymmetric key encryption
  - Hashing (and keyed hashing: MAC)

• Almost always used in combination

• Example: method for an SSL/TLS connection (the cipher suite name above lists each piece: ECDHE, RSA, AES_256_GCM, SHA384)
  1. Generate asymmetric keys
  2. Exchange asymmetric (public) keys
  3. Authentication via asymmetric keys & hashing
  4. Symmetric key encryption of the data
  5. Symmetric key & hashing (MAC) for data integrity

Page 6

Symmetric Key Encryption with Message Authentication

Page 7

Symmetric Key Encryption

[Diagram] Sender: PT → E_k → Cypher Text (CT) → Untrusted Network → Receiver: CT → D_k → PT, with the same key k on both sides.

Page 8

Symmetric Key Encryption & Block Cyphers

[Diagram] The same E_k / Untrusted Network / D_k flow as page 7, worked on a toy 12-bit message in 3-bit groups:

  PT  = 000 001 010 011   (groups 0 1 2 3)
  key = 110 010 111 101   (XORed into each group)
  CT  = 110 011 101 110   (groups 6 3 5 6)

Page 9: Cryptography 1 Three methods: Symmetric key Asymmetric key Hashing

9

1 1 0 0 1 1 1 0 1 1 1 0CT

6 3 5 6

Symmetric Key Encryption & Block Cyphers

EkPT

UntrustedNetwork

Dk PTCypher Text (CT)

0 0 0 0 0 1 0 1 0 0 1 1PT

0 1 2 3

1 1 0 0 1 0 1 1 1 1 0 1XOR

1 1 0 0 1 1 1 0 1 1 1 0CT

6 3 5 6

1 1 0 0 1 0 1 1 1 1 0 1XOR

0 0 0 0 0 1 0 1 0 0 1 1PT

0 1 2 3

1 1 0 0 1 1 0 1 1 1 01CT

Page 10

Symmetric Key Encryption & Message Authentication

[Diagram] The page-8 and page-9 flows side by side: CT 110 011 101 110 decrypts to 0 1 2 3, the altered CT 110 011 011 101 decrypts to 0 1 4 0, and the receiver cannot tell the two cases apart. Something in addition to E_k / D_k is needed to authenticate the message.

Page 11

Symmetric Key Encryption & Message Authentication

[Diagram] The page-8 flow (E_k, Untrusted Network, D_k) with a toy hash added. The hash is a 3-bit substitution "Func" applied in a chain, H_i = Func(input_i XOR H_(i-1)) with H_0 = 0:

  Func: 0→2  1→5  2→6  3→4  4→3  5→1  6→7  7→0

  Chaining over the CT groups 6 3 5 6:
  Input | XOR out | Hash
    6   |    6    |  7
    3   |    4    |  3
    5   |    6    |  7
    6   |    1    |  5

  Hash of CT = 5, sent along with CT = 110 011 101 110.

An altered CT such as 110 011 101 011 (groups 6 3 5 3) chains to hash 3, not 5, so the receiver detects the change. The toy has no key, though: an attacker who alters CT can simply recompute the hash. A real message authentication code (HMAC, GMAC) mixes a secret key into the computation so that only the key holders can produce a valid tag.
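The following example is added here to make the point of pages 8 through 11 concrete; it is not code from the original deck or from Vidder. It uses AES in CTR mode as a real stand-in for the toy XOR cipher, flips a ciphertext byte the way the page-9 attacker does, and then shows the same attack failing once an HMAC-SHA256 tag is attached. The key, nonce and message are constructed for the demo (a real system draws the key and nonce from a CSPRNG and uses a separate MAC key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo key and nonce. Real code draws both from crypto/rand and
// never reuses a nonce under the same key (see the GCM pages for why).
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var demoNonce = []byte("unique-nonce-16b")                // 16 bytes: AES block size

// xorKeystream is the slides' E_k and D_k in one function: AES in CTR mode
// turns the block cipher into a keystream that is XORed with the input, so
// the same call encrypts and decrypts (symmetric key).
func xorKeystream(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// FlipByte is the attacker on page 9: with no key at all, XORing a mask into
// one ciphertext byte XORs the same mask into the corresponding plaintext byte.
func FlipByte(ct []byte, offset int, mask byte) []byte {
	tampered := append([]byte(nil), ct...)
	tampered[offset] ^= mask
	return tampered
}

// DecryptUnauthenticated is the page-9 receiver: it has nothing to detect the change.
func DecryptUnauthenticated(key, iv, ct []byte) string {
	return string(xorKeystream(key, iv, ct))
}

// Seal is encrypt-then-MAC: CT || HMAC-SHA256(iv || CT). The MAC is keyed, so
// an attacker cannot recompute it the way they could a plain hash of CT.
// (Demo simplification: one key for both jobs; use separate keys in practice.)
func Seal(key, iv, pt []byte) []byte {
	ct := xorKeystream(key, iv, pt)
	mac := hmac.New(sha256.New, key)
	mac.Write(iv)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...)
}

// Open checks the tag in constant time before touching the ciphertext.
func Open(key, iv, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, errors.New("message too short to carry a tag")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, key)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("MAC mismatch: ciphertext was modified")
	}
	return xorKeystream(key, iv, ct), nil
}

func main() {
	pt := []byte("PAY 0010 USD")
	ct := xorKeystream(demoKey, demoNonce, pt)
	// '0' is 0x30 and '9' is 0x39, so a mask of 0x09 turns the first digit into a 9.
	fmt.Println("no MAC, tampered:", DecryptUnauthenticated(demoKey, demoNonce, FlipByte(ct, 4, 0x09)))
	_, err := Open(demoKey, demoNonce, FlipByte(Seal(demoKey, demoNonce, pt), 4, 0x09))
	fmt.Println("with MAC, tampered:", err)
}
```

The order of operations in Open matters: the tag is verified over the ciphertext before any decryption happens, so a forged message never reaches the decryption code path.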

Page 12

Galois/Counter Mode (GCM) and GMAC

Page 13

Galois/Counter Mode (GCM) and GMAC

[Diagram] AES-GCM data flow:
  H = E_k(0^128)                                  (hash subkey for GHASH)
  Counter blocks IV || 1, IV || 2, ... IV || n    (the first is reserved for the tag, the rest encrypt the data)
  CT_i = PT_i XOR E_k(counter block)              (encryption is CTR mode)
  GHASH_1 ... GHASH_m chained over AD_1 ... AD_m
  GHASH_m+1 ... GHASH_m+n chained over CT_1 ... CT_n
  then one more GHASH step over len(AD) || len(PT)
  TAG = E_k(IV || 0^31 1) XOR GHASH

• E_k is the encryption algorithm and key, which is AES-256 in this suite
• PT is Plain Text that gets encrypted into Cypher Text (CT); CT is the same length as PT
• All blocks are 128 bits in length
• IV is a 96-bit Initialization Vector, which is a nonce: it must never repeat under the same key. A repeated IV reuses the keystream (CT1 XOR CT2 = PT1 XOR PT2) and exposes the GHASH subkey H, which lets an attacker forge tags
• 1st counter block is the IV followed by the 32-bit number "1"; it is used for the Tag, and the data blocks are encrypted with the counters that follow it (2, 3, ...)
• The output is the Cypher Text and the Tag (128 bits)
• AD is Additional Data (authenticated by the Tag but not encrypted); GCM with no plaintext at all, only AD, is GMAC
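An added example (not from the deck or from Vidder) that exercises the diagram above with Go's standard AES-GCM: sealing with Additional Data, GMAC as the no-plaintext case, a known-answer check against GCM test case 1 from the McGrew/Viega specification, and the nonce-reuse failure the "IV is a nonce" bullet warns about. The key, nonce and messages are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed demo key (32 bytes: AES-256) and 96-bit nonce, as on the slide.
var gcmKey = []byte("0123456789abcdef0123456789abcdef")
var gcmNonce = []byte("nonce-12byte")

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block) // standard 96-bit nonce, 128-bit tag
	if err != nil {
		panic(err)
	}
	return g
}

// SealGCM returns CT || TAG. ad is the slide's Additional Data: covered by the
// tag but sent in the clear (headers, sequence numbers, addresses).
func SealGCM(key, nonce, pt, ad []byte) []byte {
	return newGCM(key).Seal(nil, nonce, pt, ad)
}

// OpenGCM verifies the tag over nonce, ad and CT before returning any plaintext.
func OpenGCM(key, nonce, ctAndTag, ad []byte) ([]byte, error) {
	return newGCM(key).Open(nil, nonce, ctAndTag, ad)
}

// GMAC is GCM with no plaintext: only the 16-byte tag over ad comes back.
func GMAC(key, nonce, ad []byte) []byte {
	return SealGCM(key, nonce, nil, ad)
}

// KnownAnswerTag reproduces GCM Test Case 1 from the McGrew/Viega GCM spec:
// AES-128 with an all-zero key, all-zero 96-bit IV, no plaintext, no AD.
// The expected tag is 58e2fccefa7e3061367f1d57a4e7455a.
func KnownAnswerTag() string {
	return hex.EncodeToString(GMAC(make([]byte, 16), make([]byte, 12), nil))
}

// RecoverUnderNonceReuse is the attack the "IV is a nonce" bullet warns about.
// Two messages sealed under the same key and nonce share a keystream, so
// CT1 XOR CT2 = PT1 XOR PT2; knowing PT1 hands the attacker PT2 with no key.
func RecoverUnderNonceReuse(ct1, pt1, ct2 []byte) []byte {
	n := len(ct2)
	if len(ct1) < n {
		n = len(ct1)
	}
	if len(pt1) < n {
		n = len(pt1)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = ct1[i] ^ pt1[i] ^ ct2[i]
	}
	return out
}

func main() {
	ad := []byte("seq=7")
	sealed := SealGCM(gcmKey, gcmNonce, []byte("open port 443 for 10.0.0.5"), ad)
	fmt.Printf("ciphertext+tag: %x\n", sealed)
	if _, err := OpenGCM(gcmKey, gcmNonce, sealed, []byte("seq=8")); err != nil {
		fmt.Println("changed AD rejected:", err)
	}
	fmt.Println("GCM test case 1 tag:", KnownAnswerTag())
}
```

A known-answer check like KnownAnswerTag is worth keeping in any code base that wraps an AEAD: it catches a swapped key/nonce argument or a wrong tag length on the first test run rather than in production.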

Page 14

Asymmetric Key Cryptography (Public Key)

Page 15

Asymmetric Key Cryptography

• Algorithms generate 2 keys
  - Private key is kept private, public key is shared
  - Elliptic curve keys are hundreds of bits
  - RSA keys are thousands of bits
  - The message (as a number) must be smaller than the key (the modulus n)

• 2 uses
  - Encrypt a symmetric key
    Alice encrypts the symmetric key with Bob's public key
    So Bob can decrypt with his private key
  - Encrypt a hash (a MAC-like signature)
    Alice encrypts the hash with Alice's private key
    So Bob can decrypt it with Alice's public key and compare it with his own hash of the message

[Diagram] Math Example (RSA), Alice → Untrusted Network → Bob:
  m = Message (for example: a symmetric key)
  c = m^e mod n    Encryption; "e" is Bob's public key (together with the modulus n)
  m = c^d mod n    Decryption; "d" is Bob's private key
  (m^e)^d ≡ m^(e·d) ≡ m^1 ≡ m (mod n), because d is chosen so that e·d ≡ 1 (mod φ(n))

Textbook RSA as written here is never used directly: real systems first pad m (PKCS#1 v1.5, OAEP for encryption, PSS for signatures), because unpadded ciphertexts can be multiplied together into other valid ciphertexts.

Concerns:
  1. How does Alice know it's Bob's key?
     Answer: Public Key Infrastructure
  2. If the conversation is recorded, and if Bob's private key is later compromised, then the attacker can decrypt the recorded messages
     Solution: Perfect Forward Secrecy
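The RSA math above carried through in code, as an added example (not part of the deck or Vidder's software). It uses the well-known small-number key p=61, q=53, n=3233, e=17, d=2753, which is constructed for illustration only: it encrypts and decrypts, "encrypts a hash" as a signature, rejects a message that is not smaller than n, and shows the multiplicative malleability that padding exists to remove. Real keys come from crypto/rsa and are thousands of bits long.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// ToyRSA holds a textbook RSA key: public (N, E), private D.
type ToyRSA struct {
	N, E, D *big.Int
}

// NewToyRSA builds the classic small-number key: p=61, q=53, n=3233,
// phi=3120, e=17, d=2753. Constructed for illustration; real keys are
// thousands of bits and generated with crypto/rsa.
func NewToyRSA() ToyRSA {
	p, q := big.NewInt(61), big.NewInt(53)
	one := big.NewInt(1)
	n := new(big.Int).Mul(p, q)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	e := big.NewInt(17)
	d := new(big.Int).ModInverse(e, phi) // e*d = 1 mod phi, which is what makes (m^e)^d = m
	return ToyRSA{N: n, E: e, D: d}
}

// Encrypt is the slide's c = m^e mod n with Bob's public key. The message
// must be smaller than n: anything larger is silently reduced and lost.
func (k ToyRSA) Encrypt(m int64) (int64, error) {
	if m < 0 || big.NewInt(m).Cmp(k.N) >= 0 {
		return 0, errors.New("message must be a number smaller than the modulus n")
	}
	return new(big.Int).Exp(big.NewInt(m), k.E, k.N).Int64(), nil
}

// Decrypt is m = c^d mod n with Bob's private key.
func (k ToyRSA) Decrypt(c int64) int64 {
	return new(big.Int).Exp(big.NewInt(c), k.D, k.N).Int64()
}

// digestModN hashes the message and reduces the hash below n, so the
// "message" being signed is the hash, as the slide describes.
func digestModN(msg []byte, n *big.Int) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), n)
}

// Sign "encrypts the hash with Alice's private key": s = H(msg)^d mod n.
func (k ToyRSA) Sign(msg []byte) int64 {
	return new(big.Int).Exp(digestModN(msg, k.N), k.D, k.N).Int64()
}

// Verify "decrypts it with Alice's public key" and compares: s^e mod n == H(msg).
func (k ToyRSA) Verify(msg []byte, sig int64) bool {
	recovered := new(big.Int).Exp(big.NewInt(sig), k.E, k.N)
	return recovered.Cmp(digestModN(msg, k.N)) == 0
}

// Multiply shows why textbook RSA needs padding: ciphertexts multiply into a
// valid ciphertext of the product, so an attacker can manipulate encrypted
// values without the key. PKCS#1 v1.5, OAEP and PSS padding remove this.
func (k ToyRSA) Multiply(c1, c2 int64) int64 {
	return new(big.Int).Mod(new(big.Int).Mul(big.NewInt(c1), big.NewInt(c2)), k.N).Int64()
}

func main() {
	k := NewToyRSA()
	c, _ := k.Encrypt(65)
	fmt.Printf("n=%v e=%v d=%v  65 -> %d -> %d\n", k.N, k.E, k.D, c, k.Decrypt(c))
	sig := k.Sign([]byte("open port 443"))
	fmt.Println("signature verifies:", k.Verify([]byte("open port 443"), sig),
		"after tampering:", k.Verify([]byte("open port 22"), sig))
}
```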

Page 16

Perfect Forward Secrecy

• Compromise of the long-term key
  - Does not compromise past session keys

• Thought exercise/analogy
  - Diffie-Hellman Ephemeral (DHE)
  - But with buckets of paint*

• Thought exercise/small numbers
  - Also from Wikipedia
  - Remember this is not RSA math

• Perfect Forward Secrecy
  - No key, encrypted or not, is sent to the other side
  - Each side picks a random secret; neither side ever knows both

Paint analogy (Alice and Bob):
  1. Both agree on a common color
  2. Both choose a secret color
  3. Each separately blends their secret color with the common color (secret + common = blend)
  4. Exchange blends: each now has the other's blended color
  5. Each separately blends their secret color with the other's blended color
  6. Both arrive at the same common blended color (a common secret); an observer saw only the common color and the two blends and cannot "un-mix" them

* Wikipedia "Diffie–Hellman key exchange" https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Small numbers:
  g = common # = 5, p = modulus = 23
  Alice: a = 6              Bob: b = 15
  A = 5^6 mod 23 = 8        B = 5^15 mod 23 = 19
  Exchange A = 8 and B = 19 over the untrusted network
  Alice: 19^6 mod 23 = 2    Bob: 8^15 mod 23 = 2
  Shared secret = 2. An eavesdropper holding 5, 23, 8 and 19 must solve the discrete logarithm to recover a or b; with p = 23 that is trivial, with a 2048-bit p it is infeasible.
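The small-number exchange above, carried through in code as an added example (not from the deck or from Vidder). Beyond reproducing the page's numbers it plays the eavesdropper, who recovers a by brute force because p = 23 is tiny, and the man in the middle, who shows why unauthenticated Diffie-Hellman needs the signature that ECDHE_RSA adds. The Mallory exponent m = 7 is a constructed value.

```go
package main

import (
	"fmt"
	"math/big"
)

// modPow computes base^exp mod p; it is the "blend" operation of the paint analogy.
func modPow(base, exp, p int64) int64 {
	return new(big.Int).Exp(big.NewInt(base), big.NewInt(exp), big.NewInt(p)).Int64()
}

// DHPublic is what each side sends: g^secret mod p (Alice's A, Bob's B).
func DHPublic(g, secret, p int64) int64 { return modPow(g, secret, p) }

// DHShared is what each side computes after the exchange: peer^secret mod p.
// (g^a)^b = (g^b)^a, so both arrive at the same number.
func DHShared(peerPublic, secret, p int64) int64 { return modPow(peerPublic, secret, p) }

// BruteForceDiscreteLog is the eavesdropper: given g, p and a public value
// A = g^a mod p, try every exponent. Trivial for p = 23; for a 2048-bit p
// the search space is astronomically large, and that is the whole security
// of Diffie-Hellman. 512-bit "export" groups (FREAK, Logjam) sit in between
// and were broken with precomputation.
func BruteForceDiscreteLog(g, public, p int64) int64 {
	for a := int64(1); a < p; a++ {
		if modPow(g, a, p) == public {
			return a
		}
	}
	return -1
}

// MITMResult holds what each party ends up with when Mallory sits in the middle.
type MITMResult struct {
	AliceSecret, MalloryWithAlice, BobSecret, MalloryWithBob int64
}

// ManInTheMiddle shows why DH alone authenticates nobody: Mallory replaces
// both public values with her own g^m. Alice and Bob each share a key with
// Mallory and never notice. TLS fixes this by signing the ephemeral value
// with the server's certificate key (the RSA in ECDHE_RSA).
func ManInTheMiddle(g, p, a, b, m int64) MITMResult {
	A, B, M := DHPublic(g, a, p), DHPublic(g, b, p), DHPublic(g, m, p)
	return MITMResult{
		AliceSecret:      DHShared(M, a, p), // Alice thinks M came from Bob
		MalloryWithAlice: DHShared(A, m, p),
		BobSecret:        DHShared(M, b, p), // Bob thinks M came from Alice
		MalloryWithBob:   DHShared(B, m, p),
	}
}

func main() {
	g, p, a, b := int64(5), int64(23), int64(6), int64(15)
	A, B := DHPublic(g, a, p), DHPublic(g, b, p)
	fmt.Printf("A=%d B=%d  Alice: %d  Bob: %d\n", A, B, DHShared(B, a, p), DHShared(A, b, p))
	fmt.Println("eavesdropper recovers a =", BruteForceDiscreteLog(g, A, p))
	fmt.Printf("%+v\n", ManInTheMiddle(g, p, a, b, 7))
}
```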

Page 17

Asymmetric Key Summary

• 2 uses of asymmetric key
  - Encrypt symmetric key (using receiver's public key)
  - Encrypt hashes (using sender's private key): signatures

• RSA math
  - (m^e)^d ≡ m^(e·d) ≡ m^1 ≡ m (mod n)
  - Crypto of symmetric keys and hashes

• Diffie-Hellman analogy
  - Paint buckets
  - (g^a)^b ≡ (g^b)^a (mod p)
  - Perfect Forward Secrecy: the exponents a and b are ephemeral and discarded after the session
  - Becomes the basis for the pre-master secret in TLS

Page 18

Public Key Infrastructure (PKI)

Page 19

Public Key Infrastructure (PKI)

• What is it used for?
  - Create and distribute digital certificates
  - Acts as a trusted 3rd party
  - Enables authentication over an untrusted network

• SDP/PA use it for mutual authentication of:
  - Clients to Controllers
  - Clients to Gateways
  - Gateways to Controllers
  - Basically, all trust: mutual trust, not just single-ended

• How does it work?

[Diagram] Two parties on either side of an Untrusted Network, each holding:
  1. Private Key
  2. Public key / Certificate
  3. Trusted Root certificate
They perform Mutual Authentication; the Certificate Authority (Trusted 3rd Party) issued both certificates from the root.

Page 20

Initialization of PKI Certificate Authority (CA)

[Diagram] The CA creates its Root Cert: subj: Vidder, issuer: Vidder (self-signed). The certificate body, which carries the Vidder public key, is hashed and the hash is signed with the Vidder private key ("---- Signature"). The Root Cert is also installed at the OCSP responder and in the CRL.

Page 21

Server Gets a Private Key and Certificate

[Diagram] The server generates its own private key and presents its public key to the CA. The CA issues a Server Cert: subj: Server, issuer: Vidder, carrying the Server public key; the hash of the body is signed with the Vidder private key. The server now holds the Server Cert plus the Root Cert (subj: Vidder, issuer: Vidder), and the Server Cert is registered with the OCSP responder and CRL so its status can be checked.

Page 22

PKI Part of TLS

[Diagram] Client validation of the Server Cert (subj: Server, issuer: Vidder) using the Root Cert it already trusts:
  - Hash the certificate body; recover the Original Hash from the Signature with the Vidder public key; Equal?
  - Check the OCSP Response for the cert's Serial #: Validity Time, status Good, and its own Signature (hashed and compared the same way)
  - Result: Valid certificate, Not expired, Not revoked: Cert is trusted!

Page 23

Client Certificate

[Diagram] Fields of the client's X.509 certificate:
  - Universal ID (the SDP client's UID)
  - Subject
  - Issuer
  - Serial #
  - Public Key
  - Rest of Cert
  - Hash for Signature (computed over all of the above)
  - Signature (not hashed; it is the signed hash)
  - Key Usage, see RFC 5280 section 4.2.1.3 (pg. 29)
  - Pinned to SDP

Page 24

Is PKI Broken?

• Is it broken? No
  - The technology is sound

• Is it broken in some other way? Yes
  - The hundreds of certificate authorities in browser trust stores should not all be trusted
  - DigiNotar compromised (2011): fraudulent certificates for Google domains were used to intercept Gmail users in Iran
  - Root cert injection: adding one more root to a trust store makes every certificate that root signs trusted
  - A sophisticated attack that undermines trust
  - Certificate subject is a name, not an IP address
  - DNS spoofing redirects the client to the attacker; combined with a mis-issued certificate for that name, PKI is fooled
  - Requires revocation checking, and the revocation infrastructure (OCSP responders) is itself a DoS target; clients that "soft-fail" when the responder is unreachable lose revocation entirely

• Does Vidder fix it? Yes
  - Dedicated PKI means only the SDP's certificate authority is trusted
  - Additional root certs cannot be injected: the one and only root is encrypted on disk
  - Certificate subject is an IP address, not a name, so DNS spoofing does not apply
  - OCSP responses are "stapled", which takes the responder out of the connection path and defeats DoS attacks on it

[Diagram] As on page 19: both parties hold 1. Private Key, 2. Public key / Certificate, 3. Trusted Root certificate, and mutually authenticate across the Untrusted Network with the Certificate Authority as Trusted 3rd Party.

Page 25

PKI Summary

• PKI's purpose is to
  - Create and distribute digital certificates
  - Act as a trusted 3rd party
  - Enable authentication over an untrusted network

• PKI consists of a root cert and certs derived from it
  - Everyone inherently trusts the root

• Certificates can be cryptographically proven
  - Signing proves the certificate hasn't been altered
  - Signature: the issuer signs the certificate's hash with its private key (in the RSA picture, "encrypts the hash")
  - Creates a chain of trust that must be validated link by link, up to a trusted root

• The public implementation of PKI is "broken"
  - But the technology is not
  - SDP's implementation fixes the breakage

[Diagram] As on page 19: both parties hold 1. Private Key, 2. Public key / Certificate, 3. Trusted Root certificate, and mutually authenticate across the Untrusted Network with the Certificate Authority as Trusted 3rd Party.
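The chain-of-trust check from pages 19 through 25, as an added example that is not code from the deck or from Vidder. It stands up a dedicated root, issues a server certificate for an IP address (the deck's "subject is an IP address, not a name"), and then verifies it the way the page-22 client does, against a trust store holding exactly one root. A certificate issued for the same address by a second, rogue CA fails, as do an expired certificate and a certificate for a different address. Names ("Vidder Root", "Controller", 10.0.0.5) are constructed; revocation (OCSP/CRL) is outside this block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Identity is a certificate together with its private key.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn. With parent == nil it is self-signed
// (a root); otherwise the parent's private key signs it. ip, when set, goes
// in the subjectAltName, matching the slides' "subject is an IP address".
func issue(cn string, isCA bool, parent *Identity, ip net.IP, notAfter time.Time) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Identity{Cert: cert, Key: key}
}

// VerifyAgainstRoot is the client's check from the "PKI Part of TLS" page:
// the chain must end at the one trusted root, the cert must be valid now,
// and it must be issued for the address being connected to.
func VerifyAgainstRoot(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host, // an IP literal is matched against the IPAddresses SAN
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DemoPKI mirrors the slides: one dedicated root, a server cert from it, a
// rogue root that also issued a cert for the same address, and an expired cert.
type DemoPKI struct {
	Root, Server, RogueRoot, RogueServer, Expired *Identity
}

func BuildDemoPKI() DemoPKI {
	year := time.Now().Add(365 * 24 * time.Hour)
	root := issue("Vidder Root", true, nil, nil, year)
	rogue := issue("Some Other CA", true, nil, nil, year)
	ip := net.ParseIP("10.0.0.5")
	return DemoPKI{
		Root:        root,
		Server:      issue("Controller", false, root, ip, year),
		RogueRoot:   rogue,
		RogueServer: issue("Controller", false, rogue, ip, year),
		Expired:     issue("Controller", false, root, ip, time.Now().Add(-time.Minute)),
	}
}

func main() {
	p := BuildDemoPKI()
	fmt.Println("genuine:", VerifyAgainstRoot(p.Server.Cert, p.Root.Cert, "10.0.0.5"))
	fmt.Println("rogue CA:", VerifyAgainstRoot(p.RogueServer.Cert, p.Root.Cert, "10.0.0.5"))
	fmt.Println("expired:", VerifyAgainstRoot(p.Expired.Cert, p.Root.Cert, "10.0.0.5"))
}
```

The last assertion in the test is the deck's point in one line: the rogue certificate is perfectly valid under its own root, so the security of the system is exactly the question of which roots the client agrees to trust.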

Page 26

SDP Device Authentication
  1. SPA
  2. Mutual TLS
  3. Fingerprint

Page 27

SDP Device Authentication: Single Packet Authorization (SPA)

Page 28

Attacks on SSL/TLS

Name             | Date      | Attack                                  | Unauthorized users | Authorized users
-----------------|-----------|-----------------------------------------|--------------------|---------------------------
SSLstrip         | Feb 2009  | http to https                           | SPA                | No http
DigiNotar        | Sept 2011 | MitM, forged certs                      | SPA                | Pinned certs
THC-SSL-DOS      | Oct 2011  | DoS attack on SSL                       | SPA                | Device deleted
BEAST            | Apr 2012  | Java applet oracle                      | SPA                | Client-based
CRIME            | Sept 2012 | MitM, SPDY compression oracle           | SPA                | No compression
Lucky 13         | Feb 2013  | MitM, CBC padding oracle                | SPA                | GCM
TIME             | Mar 2013  | Browser JavaScript timing oracle        | SPA                | Client-based
RC4 biases       | Mar 2013  | MitM, RC4 oracle                        | SPA                | No cypher negotiation
BREACH           | Aug 2013  | Website redirect, compression           | SPA                | No redirect or compression
goto fail        | Feb 2014  | MitM, counterfeit key via coding error  | SPA                | Pinned dedicated cert
Triple Handshake | Mar 2014  | Server MitM on client cert              | SPA                | Pinned dedicated cert
Heartbleed       | Apr 2014  | OpenSSL bug                             | SPA                | Not single-ended SSL
BERserk          | Sept 2014 | MitM, PKCS#1 v1.5 padding               | SPA                | Not Mozilla NSS
POODLE           | Oct 2014  | MitM, SSLv3 oracle                      | SPA                | No cypher negotiation
POODLE++         | Dec 2014  | MitM, JavaScript timing oracle          | SPA                | Client-based
FREAK            | Mar 2015  | MitM, negotiation of 512-bit key        | SPA                | No key negotiation
Bar-mitzvah      | Mar 2015  | View RC4                                | SPA                | No RC4
Logjam           | May 2015  | MitM, downgrade to 512-bit key          | SPA                | No suite negotiation

Reading the columns: against unauthorized users every attack is stopped before TLS starts, because SPA never opens the TLS port to them; the last column is what protects authorized users once the TLS connection exists.

PrecisionAccess defeats all recent attacks on SSL/TLS by both Unauthorized and Authorized users

Page 29

Single Packet Authorization (SPA)

• History:
  - Invented >10 years ago
  - Commonly used for super-user ssh access to servers
  - Mitigates attacks by unauthorized users

• SPA in the Software Defined Perimeter Spec
  - Based on RFC 4226, "HOTP": HMAC-based One-Time Password
  - Used for hardware/software one-time password tokens
  - SPA occurs before the TLS (SSL) connection
  - Mitigates DoS & other TLS attacks by unauthorized users: no TLS handshake is started until a valid SPA packet has arrived

• SPA = UID, CTR, OTP, GMAC
  - Each client has a UID, Seed, CTR, and EK
  - UID = Universal ID of SDP Client
  - CTR = counter, hashed with the seed to create the OTP
  - OTP = One-Time Password
  - GMAC = signature of UID, CTR, and OTP for data authentication
  - Seed = shared secret for OTP
  - EK = shared key for GMAC, AES-256
  - OTP = HMAC[seed || CTR]
  - GMAC = EK[UID || OTP || CTR]
  - UID, OTP, CTR, & GMAC are sent as clear text. The counter is incremented for every packet and the server rejects any counter it has already seen, which defeats replay (playback) attacks

• Highly efficient rejection
  - Defeats DoS & other attacks on SSL: a bad packet costs the server one MAC check and is dropped silently

Packet layout:
  UID     OTP     Counter  GMAC
  32-bit  64-bit  32-bit   128-bit
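Both sides of the SPA exchange described above, as an added example that is not the deck's or Vidder's code. HOTP is implemented as RFC 4226 specifies and checked against the RFC's own test vectors; the packet layout (UID 4 bytes, OTP 8 bytes, counter 4 bytes, GMAC 16 bytes, in the order the slide lists) and the nonce construction for the GMAC are assumptions made for the demo, as are the seed, EK and UID 42. The server-side check is ordered so that a forged packet is rejected as cheaply as possible and never moves the per-client counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the last `digits` decimal digits.
func HOTP(seed []byte, counter uint64, digits int) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return code % mod
}

// Packet layout assumed from the slide: UID (4) || OTP (8) || CTR (4) || GMAC (16).
const spaLen = 4 + 8 + 4 + 16

// ClientRecord is what the server keeps per UID: the OTP seed, the AES-256
// GMAC key EK, and the highest counter accepted so far.
type ClientRecord struct {
	Seed, EK []byte
	LastCtr  uint32
}

// gmac is GCM with no plaintext over the first 16 bytes of the packet. The
// nonce is built from the counter (assumption: EK is per client and the
// counter never repeats, so the nonce never repeats under EK).
func gmac(ek []byte, ctr uint32, ad []byte) []byte {
	block, err := aes.NewCipher(ek)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], ctr)
	return g.Seal(nil, nonce, nil, ad)
}

// BuildSPA is the client side: OTP from seed and counter, GMAC over UID||OTP||CTR.
func BuildSPA(uid, ctr uint32, rec ClientRecord) []byte {
	pkt := make([]byte, 16, spaLen)
	binary.BigEndian.PutUint32(pkt[0:4], uid)
	binary.BigEndian.PutUint64(pkt[4:12], uint64(HOTP(rec.Seed, uint64(ctr), 6)))
	binary.BigEndian.PutUint32(pkt[12:16], ctr)
	return append(pkt, gmac(rec.EK, ctr, pkt[:16])...)
}

// VerifySPA is the server side, cheapest checks first so that garbage costs
// almost nothing: length, known UID, fresh counter, then one GMAC, then the OTP.
// State (LastCtr) only moves after every check passes, so a forged packet
// cannot lock out the real client.
func VerifySPA(pkt []byte, clients map[uint32]*ClientRecord) error {
	if len(pkt) != spaLen {
		return errors.New("drop: bad length")
	}
	uid := binary.BigEndian.Uint32(pkt[0:4])
	otp := binary.BigEndian.Uint64(pkt[4:12])
	ctr := binary.BigEndian.Uint32(pkt[12:16])
	rec, ok := clients[uid]
	if !ok {
		return errors.New("drop: unknown UID")
	}
	if ctr <= rec.LastCtr {
		return errors.New("drop: replayed or stale counter")
	}
	if !hmac.Equal(pkt[16:], gmac(rec.EK, ctr, pkt[:16])) {
		return errors.New("drop: GMAC mismatch")
	}
	if otp != uint64(HOTP(rec.Seed, uint64(ctr), 6)) {
		return errors.New("drop: OTP mismatch")
	}
	rec.LastCtr = ctr
	return nil
}

func main() {
	// Constructed demo secrets: the RFC 4226 test seed and a fixed 32-byte EK.
	clients := map[uint32]*ClientRecord{42: {Seed: []byte("12345678901234567890"), EK: []byte("0123456789abcdef0123456789abcdef")}}
	pkt := BuildSPA(42, 1, *clients[42])
	fmt.Printf("SPA packet: %x\n", pkt)
	fmt.Println("first delivery:", VerifySPA(pkt, clients))
	fmt.Println("replay:", VerifySPA(pkt, clients))
}
```

Note that with a per-client GMAC key the OTP adds little cryptographic strength; it is kept here because the slide carries both, and it does give a second, independently keyed check.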

Page 30

SDP Device Authentication: mutual TLS

Page 31

Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

• EC: Elliptic Curve cryptography
  - Smaller keys / faster math than RSA cryptography

• DHE: Diffie-Hellman key exchange algorithm
  - Produces the pre-master secret from which the AES-GCM keys are derived
  - Ephemeral keys per session for Perfect Forward Secrecy
  - But not client or server authentication

• RSA: Public/private key pair with an X.509 certificate
  - Client and server authentication (the server signs its ephemeral ECDH value; the client signs the handshake transcript in Certificate Verify)
  - Vidder's implementation:
    Certificates "pinned" to a trusted root certificate, not the hundreds of (possibly compromised) roots browsers trust
    Employs OCSP stapling (RFC 6066 status_request): the server forwards the OCSP response inside its own handshake messages, right after Server Hello and Certificate
    Reduces the load on the OCSP responder
    Mitigates a DoS attack on the OCSP responder
  - Mutual TLS: authentication of the client to the server & the server to the client

• AES256-GCM: Advanced Encryption Standard (NIST FIPS 197)
  - Symmetric key encryption, 256-bit key, 128-bit cipher block size
  - Galois/Counter Mode: encryption with simultaneous data authentication
  - PCs and servers implement AES and GCM in hardware (AES-NI, PCLMULQDQ): negligible performance impact

• SHA384: Secure Hash Algorithm (member of SHA-2)
  - Generates a 384-bit hash
  - In this suite it is the hash inside the TLS PRF: the Key Derivation Function (KDF) for generating keys from the master secret and for the Finished-message integrity check. Records themselves are authenticated by GCM, not by an HMAC

Page 32

SDP Device Authentication: mutual TLS Handshake Deep Dive for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Page 33

Controller's PKI Certificate Authority (CA) Initialization

[Diagram] As on page 20, for the PrecisionAccess (PA) Controller's CA: the Root Cert (subj: Vidder, issuer: Vidder) is self-signed over the hash of its body, which holds the Vidder public key, and is installed at the OCSP responder and in the CRL.

Page 34

Controller Initialization

[Diagram] As on page 21, with the Controller in the server role: the CA issues the Controller Cert (subj: Ctrl, issuer: Vidder, Ctrl Public key, hash signed with the Vidder private key). The Controller (PA) now holds the Controller Cert and the Root Cert, and the Controller Cert is registered with the OCSP responder and CRL.

Page 35

Mutual TLS: Client Initialization

[Diagram] The client generates its key pair and the CA issues the Client Cert (subj: Client, issuer: Vidder, Client Public key, hash signed with the Vidder private key). The client now holds the Client Cert and the Root Cert; the Controller (PA) holds the Controller Cert and the Root Cert; the CA's OCSP responder and CRL know both certificates.

Private key put in Certificate Store as Non-Exportable

Page 36

Mutual TLS: Client Hello

[Diagram] Client (holding Client Cert and Root Cert) → Controller (PA, holding Controller Cert and Root Cert), with the CA, OCSP responder and CRL off to the side.

Client Hello carries:
  - Highest SSL version
  - Ciphers supported
  - Session Id = 0
  - Client RND (Cr)
  - OCSP status (the status_request extension asking the server to staple its OCSP response)

Page 37

Mutual TLS: Server Hello

[Diagram] The Controller (PA) answers the Client Hello with, in order:
  - Server Hello: Selected SSL version, Selected Cipher, Session Id = RND, Server RND (Sr)
  - Certificate: the Controller Cert (subj: Ctrl, issuer: Vidder, Ctrl Public, Signature)
  - OCSP Response (stapled): Serial #, Validity Time, status Good, Signature
  - Server Key Exchange: random starting point "β", calculate βG (the ephemeral ECDH public value); hash Cr, Sr, βG and sign the hash with the Controller's private key, which ties βG to the certificate
  - Certificate request (Vidder root only): the client must present a certificate chaining to the Vidder root
  - Server Done

Page 38

Mutual TLS: Client Verifies Server Cert

[Diagram] The client checks what it received from the Controller (PA):
  - Controller Cert: hash the body, recover the Original Hash from the Signature with the Vidder public key in its own Root Cert; Equal? Valid cert chain, Not expired
  - OCSP Response: verify its Signature the same way, check Serial #, Validity Time, status Good; Not revoked
  - Server Key Exchange: hash Cr, Sr, βG; recover the signed hash with the Ctrl Public key; Equal?
  - Controller's cert is trusted! The client now holds an authenticated βG

Page 39

Mutual TLS: Client Key, Client Cert, Verify Client

[Diagram] The client sends:
  - Certificate: Client Cert (subj: Client, issuer: Vidder, Client Public, Signature)
  - Client Key Exchange: random starting point "α", calculate αG, send αG
  - Certificate Verify: hash of All text (every handshake message so far), signed with the client's private key

The Controller (PA) verifies:
  - Client Cert: hash the body, recover the Original Hash from the Signature with the Vidder public key, Equal? Valid cert chain, Not expired. OCSP Response for the client's Serial # (Validity Time, status Good, Signature): Not revoked. Client's cert is trusted!
  - Certificate Verify: recompute the All text Hash, recover the signed hash with the Client Public key, Equal? This proves the client holds the private key matching its certificate. Client is trusted!

Page 40

Mutual TLS: Calculate Final ECDH Key, Derive Session Keys

  Controller: created β, received αG, ECDH = β(αG)
  Client:     created α, received βG, ECDH = α(βG)
  Both find the same point ECDH on the elliptic curve, since β(αG) = (βα)G = α(βG)

  Premaster key (Kpm) = x coordinate of ECDH
  Master Key (Km) = PRF(Kpm, "master secret", Cr, Sr)   (48 bytes)
  Iterate PRF(Km, "key expansion", Sr, Cr) for the AES keys: Client Key, Server Key, Client IV, Server IV

Neither α nor β was ever transmitted, and both are discarded after the handshake: a later compromise of the Controller's long-term RSA key does not recover Kpm (Perfect Forward Secrecy).

[Diagram] Client Cert, Controller Cert and Root Cert on each side; CA with OCSP and CRL as before.
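The derivation on this page, and the hash-chain KDF sketched on page 4, carried through in code as an added example (not from the deck or from Vidder). It runs both sides of the ECDHE exchange with Go's crypto/ecdh on P-256 (so the shared x coordinate is the premaster secret), then implements the TLS 1.2 PRF for the _SHA384 suites (P_SHA384 from RFC 5246 section 5) to get the master secret and the AES-256-GCM key block. The client and server randoms are drawn fresh for the demo; the only things assumed are the names of the helper functions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"hash"
)

// pHash is P_hash from RFC 5246 section 5: a chain A(1)=HMAC(secret, seed),
// A(i)=HMAC(secret, A(i-1)), with output blocks HMAC(secret, A(i) || seed).
// This is the keyed, labelled version of the K1=H[Km], K2=H[K1] chain on
// the hashing page.
func pHash(newHash func() hash.Hash, secret, seed []byte, n int) []byte {
	out := make([]byte, 0, n)
	a := seed
	for len(out) < n {
		m := hmac.New(newHash, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(newHash, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[:n]
}

// PRF is the TLS 1.2 PRF for the _SHA384 suites: P_SHA384(secret, label || seed).
func PRF(secret []byte, label string, seed []byte, n int) []byte {
	return pHash(sha512.New384, secret, append([]byte(label), seed...), n)
}

// SessionKeys is the key block split for AES_256_GCM in TLS 1.2: two 32-byte
// keys and two 4-byte implicit IVs (each record adds an 8-byte explicit nonce part).
type SessionKeys struct {
	ClientKey, ServerKey, ClientIV, ServerIV []byte
}

// DeriveKeys follows the slide: Km = PRF(Kpm, "master secret", Cr || Sr) and
// the key block from PRF(Km, "key expansion", Sr || Cr). Note the swapped order.
func DeriveKeys(premaster, clientRandom, serverRandom []byte) (master []byte, keys SessionKeys) {
	master = PRF(premaster, "master secret", append(append([]byte{}, clientRandom...), serverRandom...), 48)
	kb := PRF(master, "key expansion", append(append([]byte{}, serverRandom...), clientRandom...), 32+32+4+4)
	return master, SessionKeys{kb[0:32], kb[32:64], kb[64:68], kb[68:72]}
}

// RunECDHE plays both sides of pages 37 to 40: each picks a random scalar
// (alpha, beta), exchanges the public point (alphaG, betaG), and computes the
// shared x coordinate, which is the premaster secret. Both sides' keys are
// returned so a caller can confirm they match.
func RunECDHE() (client, server SessionKeys, err error) {
	curve := ecdh.P256()
	alpha, err := curve.GenerateKey(rand.Reader) // client's random starting point
	if err != nil {
		return
	}
	beta, err := curve.GenerateKey(rand.Reader) // server's random starting point
	if err != nil {
		return
	}
	cr, sr := make([]byte, 32), make([]byte, 32)
	rand.Read(cr)
	rand.Read(sr)
	// Over the wire: client sends alpha.PublicKey() (alphaG), server sends beta.PublicKey() (betaG).
	kpmClient, err := alpha.ECDH(beta.PublicKey()) // alpha(betaG)
	if err != nil {
		return
	}
	kpmServer, err := beta.ECDH(alpha.PublicKey()) // beta(alphaG)
	if err != nil {
		return
	}
	_, client = DeriveKeys(kpmClient, cr, sr)
	_, server = DeriveKeys(kpmServer, cr, sr)
	return client, server, nil
}

func main() {
	c, s, err := RunECDHE()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client write key %x\nserver write key %x\nkeys agree: %v\n",
		c.ClientKey, s.ClientKey, string(c.ClientKey) == string(s.ClientKey))
}
```

Because the PRF output is a stream, requesting 96 bytes gives the same first 48 bytes as requesting 48; the test uses that to check the chaining, and checks that changing only the label changes the output, which is what keeps the master secret and key block independent.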

Page 41

Mutual TLS: Client Change Cipher Spec, Server Integrity Check

[Diagram] The client sends Change Cypher Spec (everything after it is protected with the derived AES-GCM keys), followed by its integrity check, the Finished message: PRF(Km, "client finished", hash of All text), where All text is the complete handshake transcript so far. The Controller (PA) recomputes the same value over the transcript it saw; Equal? If a MitM altered any handshake message (for example, to downgrade the cipher suite), the values differ and the handshake fails.

Page 42

Mutual TLS: Server Change Cipher Spec, Client Integrity Check

[Diagram] The Controller (PA) sends its own Change Cypher Spec and Finished message, PRF(Km, "server finished", hash of All text), now also covering the client's Finished. The client recomputes the value over its transcript; Equal? After both checks pass, each side holds Client Cert, Controller Cert and Root Cert, has verified the other's certificate and signature, and shares the AES-256-GCM session keys: mutual authentication is complete and application data can flow.