go paranoid


Upload: nisheed-km

Post on 16-Jan-2017


TRANSCRIPT

Page 1: Go paranoid

Nisheed Meethal, www.nisheed.com, 7/Nov'13

Go Paranoid !!!

tl;dr
● security done wrong is worse than not done!
● security is relative to the computational power the world has at a given point in time!
● go paranoid to survive!

Page 2: Go paranoid
Page 3: Go paranoid

Cryptology

Symmetric Enc. Algorithms

Asymmetric Enc. Algorithms

● Security through Obscurity

● Moore's law

● Ciphers are powerful enough

● Kerckhoffs's Principle

Page 4: Go paranoid

Then what may mess things up?

1. Passive cryptanalysis
2. Lawful Interception & Coercion
3. Bad ciphers
4. CA vulnerabilities
5. Bad Keys and RNGs

Page 5: Go paranoid

The Key Exchange Mechanism &

Perfect Forward Secrecy

Page 6: Go paranoid

How does SSL/TLS work?

1. With RSA for key exchange

● Prime Factorization Problem: even though (n, e) are known to the adversary, d can't be computed back since he can't calculate φ = (p-1)(q-1)

● Passive Cryptanalysis is possible if one gets the Private key.

Page 7: Go paranoid

RSA

● Good for signing and encryption
● Bad for key exchange
● Advance key computation
● Patent expired in 2000

Key Terms: Extended Euclidean Algo., Fast exponentiation; Square and Multiply, Group Cardinality, Cyclic Group

Ron Rivest, Adi Shamir and Leonard Adleman in 1977

● Prime Factorization Problem: even though (n, e) are known to the adversary, d can't be computed back since he can't calculate φ = (p-1)(q-1)

● Passive Cryptanalysis is possible if one gets the Private key.

Page 9: Go paranoid

How does SSL/TLS work?

2. With Diffie-Hellman Key Exchange

● Discrete Logarithm Problem (in Z_p*): even though α, p, A and B are known to the adversary, calculating a = log_α A mod p is practically impossible with p being a large prime number.

● No long term private key involved
● The value of 'i' changes for every session
● Ephemeral Session Key makes passive cryptanalysis practically impossible

Ephemeral Diffie-Hellman

KE = Ephemeral Key

KM = Masking Key

If we know α, A and p, what's a? given A = α^a mod p
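To make the contrast between the RSA and Diffie-Hellman slides concrete, here is an added example (not from the deck) with toy-sized parameters: a recorded RSA-key-transport handshake becomes readable once the server's long-term private key leaks, while a recorded ephemeral DH handshake carries only public values, so the same leak yields nothing. The function names, the tiny moduli and the omission of the handshake signature are all assumptions made for illustration.

```python
import secrets

# Toy RSA and Diffie-Hellman parameters, constructed for illustration only;
# they are far too small for real use (needs Python 3.8+ for pow(x, -1, m)).
RSA_P, RSA_Q, RSA_E = 61, 53, 17
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # long-term private exponent
DH_P, DH_G = 2_147_483_647, 7                        # 2^31 - 1 is prime; 7 is the base

def rsa_key_transport(premaster):
    """RSA key exchange: the client encrypts a premaster secret to the server's
    long-term public key; the session key is derived from that premaster."""
    transcript = {"kx": "RSA", "enc_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, premaster        # premaster stands in for the derived key

def dhe_exchange(a, b):
    """Ephemeral DH: each side picks a fresh exponent; only g^a and g^b cross
    the wire, and the long-term key only signs them (signature omitted here)."""
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"kx": "DHE", "A": A, "B": B}
    return transcript, pow(B, a, DH_P)  # equals pow(A, b, DH_P) on the other side

def passive_observer(transcript, leaked_rsa_d):
    """Replay a recorded handshake after the server's RSA private key leaks.
    Returns the session key if transcript plus leaked key reveal it, else None."""
    if transcript["kx"] == "RSA":
        return pow(transcript["enc_premaster"], leaked_rsa_d, RSA_N)
    # DHE: a and b never left the endpoints; recovering g^(ab) from A and B is
    # the discrete logarithm problem, and the leaked signing key does not help.
    return None

def demo():
    """Run both exchanges once and report which recorded session the leak exposes."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    rsa_transcript, rsa_key = rsa_key_transport(premaster)
    a, b = (secrets.randbelow(DH_P - 2) + 2 for _ in range(2))
    dhe_transcript, dhe_key = dhe_exchange(a, b)
    return {
        "rsa_session_exposed": passive_observer(rsa_transcript, RSA_D) == rsa_key,
        "dhe_session_exposed": passive_observer(dhe_transcript, RSA_D) == dhe_key,
    }

if __name__ == "__main__":
    print(demo())   # {'rsa_session_exposed': True, 'dhe_session_exposed': False}
```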

Page 10: Go paranoid

EDH

analogy

Page 11: Go paranoid

What next?

Slow and heavy for wireless/embedded devices?

Page 12: Go paranoid

Elliptic Curve Cryptography

● Discovered in 1985 by Victor Miller (IBM) and Neal Koblitz (University of Washington)
● Some implementation patented by Certicom
● OpenSSL
● Low computing power requirements
● Reduced key length and hence fast
● Use only standard curves (NIST recommended ones)

Applications: ECDHE, ECMQV, ECDSA

ECMQV (Menezes-Qu-Vanstone) Key Exchange algorithm
● Related to Diffie-Hellman
● Key-compromise impersonation resilience and unknown key-share resilience
● Patented by Certicom

Page 13: Go paranoid

Elliptic Curve Cryptography

● Discrete Logarithm Problem (on EC)

i. Start with a standard EC and a primitive element P.

ii. Decide on the integer private key 'a'.

iii. Hop the curve 'a' times from P and get the point A(a,b), which is the public key.

● A square root attack takes √P steps to find 'a' out.

Key Terms: Scalar and Point multiplication; Double and Add, Group Cardinality, Cyclic Group, Primitive element

Eg:- In the elliptic curve group defined by y^2 = x^3 + 9x + 17 over F_23, what is the discrete logarithm a of Q = (4,5) to the base P = (16,5)?

One (naive) way to find 'a' is to compute multiples of P until Q is found. The first few multiples of P are:

P = (16,5), 2P = (20,20), 3P = (14,14), 4P = (19,20), 5P = (13,10), 6P = (7,3), 7P = (8,7), 8P = (12,17), 9P = (4,5)

Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is a = 9.

In a real application, 'a' would be large enough such that it would be infeasible to determine 'a' in this manner.

If we know A and P, what's a? given A = aP
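The slide's worked example, carried out in code as an added example that is not part of the original deck: group law on y^2 = x^3 + 9x + 17 over F_23, double-and-add for "hopping the curve a times", and the slide's naive walk through the multiples of P until Q = (4,5) appears at 9P. Function names are my own.

```python
# Elliptic-curve arithmetic over F_p for the slide's curve y^2 = x^3 + 9x + 17
# over F_23. Added example, not from the deck; needs Python 3.8+ for pow(x, -1, p).
A_COEF, B_COEF, PRIME = 9, 17, 23
INF = None   # the point at infinity, i.e. the group identity

def on_curve(pt):
    """True if pt is the identity or satisfies y^2 = x^3 + ax + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % PRIME == 0

def ec_add(p1, p2):
    """Chord-and-tangent group law, including the identity and inverse cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                                   # P + (-P) = O
    if p1 == p2:                                     # doubling: tangent slope
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1 % PRIME, -1, PRIME)
    else:                                            # addition: chord slope
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME)
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)

def scalar_mult(k, pt):
    """Double-and-add: k*P in O(log k) group operations ("hop the curve k times")."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def naive_discrete_log(Q, P):
    """The slide's brute-force method: step through P, 2P, 3P, ... until Q appears.
    Cost grows with the group order, which is why real curves use ~2^256 points."""
    current, k = P, 1
    while current != Q:
        current = ec_add(current, P)
        k += 1
        if current is INF:
            return None                              # Q is not a multiple of P
    return k
```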

Page 14: Go paranoid

SSL Cipher checks

You can check the ciphers supported by an SSL site using the openssl tool.

exponent@~ > openssl s_client -connect yahoo.com:443
---
SSL handshake has read 1399 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: CAB7722C5ED37D00ACB35E983337CD4BF4C0B466642C2B933AF52991CA4A299DF7820DE8E27A005D51393602265831D8
    Key-Arg   : None
    Start Time: 1375166699
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Page 15: Go paranoid

Interpret the cipher suites supported

Look for phrase "Cipher is". Below is a sample cipher supported and how to interpret it.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS : Transport Layer Security (the transport layer protocol used; other values can be SSLv3 etc.) [other possible values: SSL]

ECDHE : Elliptic Curve Diffie-Hellman Ephemeral (session key exchange algorithm) [other possible values: RSA, DH, DHE]

RSA : Rivest, Shamir and Adleman (PKI type of certificate) [other possible values: DSS]

AES256 : Advanced Encryption Standard, 256-bit key (algorithm used to encrypt the actual data) [other possible values: RC4, 3DES, DES]

CBC : Cipher Block Chaining (mode in which the cipher algorithm works; CBC is difficult to crack, but susceptible to BEAST/Lucky13 attacks) [other possible values: CBC3, CTR, GCM, ECB]

SHA : Secure Hash Algorithm (a hashing algorithm for data integrity) [other possible values: MD5]
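A small checker that applies the slide's reading of a cipher-suite name, added here as an example and not taken from the deck: it splits an IANA-style name into the fields listed above and flags the components the deck warns about (non-ephemeral key exchange, RC4, CBC, MD5). The regex and field names are my own; OpenSSL short names such as AES256-SHA use a different layout and are not handled.

```python
import re

# Added example, not from the deck: split an IANA-style cipher-suite name (the
# form shown on the slide) into its fields and flag the parts the slide warns about.
SUITE_RE = re.compile(
    r"^(?P<proto>TLS|SSL)_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)"
    r"(?:_(?P<auth>RSA|DSS|ECDSA))?_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$"
)
FORWARD_SECRET_KX = {"ECDHE", "DHE"}      # ephemeral exchanges; static RSA/DH are not
MODES = ("CBC", "GCM", "CTR", "ECB")

def parse_suite(name):
    """Return the suite's fields and a list of warnings; raise on an unknown layout."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    f = m.groupdict()
    tokens = f["cipher"].split("_")        # e.g. ['AES', '256', 'CBC']
    algo = tokens[0]
    bits = next((int(t) for t in tokens if t.isdigit()), None)
    mode = next((t for t in tokens if t in MODES), "stream" if algo == "RC4" else None)
    warnings = []
    if f["kx"] not in FORWARD_SECRET_KX:
        warnings.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if algo == "RC4":
        warnings.append("RC4 stream cipher: known keystream biases")
    if algo == "DES":
        warnings.append("single DES: 56-bit key")
    if mode == "CBC":
        warnings.append("CBC mode: BEAST/Lucky13 exposure on TLS 1.0; prefer TLS 1.2 with GCM")
    if f["mac"] == "MD5":
        warnings.append("MD5 MAC: broken hash")
    return {
        "proto": f["proto"], "kx": f["kx"],
        "auth": f["auth"] or f["kx"],      # TLS_RSA_WITH_...: RSA does both jobs
        "cipher": algo, "bits": bits, "mode": mode, "mac": f["mac"],
        "forward_secret": f["kx"] in FORWARD_SECRET_KX, "warnings": warnings,
    }

if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5"):
        print(suite, parse_suite(suite)["warnings"])
```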

Page 16: Go paranoid

Perfect Forward Secrecy

✔ Do not use RSA for Key exchange !

✔ Use DHE/ECDHE

✔ Off-The-Record (OTR) messaging protocol & Pond, TOR, Tails etc.

Passive Cryptanalysis

Page 17: Go paranoid

Lawful Interception & Legal Coercion

Page 18: Go paranoid
Page 19: Go paranoid

✔ PIPA (Protect IP Act) May'11, SOPA (Stop Online Piracy Act) Oct'11

✔ What about Edward Snowden & PRISM?

✔ All major players like Google, Facebook, Yahoo, Twitter etc.

✔ Lavabit and Silent Mail ?

Lawful Interception & Legal Coercion

Page 20: Go paranoid
Page 21: Go paranoid

Bad Ciphers

Page 22: Go paranoid

Bad Ciphers

Prob: BEAST and Lucky13. These are CBC vulnerabilities.

Fix: The exploit impacts TLS 1.0/SSL 3.0, but does not work for TLS versions 1.1 and 1.2. So use TLS 1.2 with AES GCM suites. But the GCM mode is new and it is an arduous job to get every security system (both at the server and the client sides) upgraded; so instead use RC4, which is a stream cipher and hence faster and CBC/IV-free. But the bad news is that RC4 has got its own security problems (fixed string cipher entropy problem) when compared to block ciphers like AES and DSA, but that is less devastating than what CBC mode offers.

Apache:
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

Nginx:
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;

Page 23: Go paranoid

Bad Ciphers

Prob: CRIME attack. A vulnerability exposed by TLS compression. Exposes the site cookies on side-channel attacks.

Fix: Disable TLS compression. Most of the applications like Nginx and Apache have directives to disable compression.

Apache:
SSLCompression Off

RHEL:
export OPENSSL_NO_DEFAULT_ZLIB=1

...and many more.

Page 24: Go paranoid

What if your CA's private key gets compromised?

Page 25: Go paranoid

CA Vulnerability

Recent Incidents (in last 2 years):

1. Comodo - hacker issued bad certs

2. Diginotar - hacker issued bad certs for MITM

3. Trustwave - issued sub CA to customer for MITM

4. Turktrust - issued sub CA by mistake, used for MITM

● Man-In-The-Middle and CA private key compromises leading to change in certificate

● Require systems to detect a change in the certificate during the SSL handshake.

Page 26: Go paranoid

Certificate Pinning

HPKP (Public Key Pinning Extension for HTTP)
● http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04
● An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.

TACK (Trust Assertions for Certificate Keys)
● http://tack.io/draft.html
● Server sends his "tack" through a TLS Extension
● Client pins to a server-chosen signing key, known as a "TACK signing key" or "TSK", which signs the server's TLS keys.
● Once the client has seen the same (hostname, TSK) pair multiple times, it will "activate" a pin between the hostname and TSK for a period equal to the length of time the pair has been observed for.

DNSSEC
● Chain of trust

Page 27: Go paranoid

CA Replacements

Convergence.io et al.
● An agile, distributed, and secure strategy for replacing Certificate Authorities
● Firefox add-on, once activated, replaces the entire CA infrastructure
● User initiated
● No more self signed certificate warnings
● Privacy with bounce notaries

Page 28: Go paranoid

Bad Key Selection&

RNGs

Page 29: Go paranoid

Bad Keys & RNGs

A study of RSA and DSA cryptographic keys in use on the Internet performed by computer scientists at the University of California, San Diego and the University of Michigan.

● 5% of HTTPS hosts and nearly 10% of SSH hosts shared keys
● Compute the private keys from public information for 0.5% of HTTPS hosts and 1% of SSH hosts

Examples of bad randomness:
● PGP database [Lenstra et al. 2012]: 2 factored RSA keys out of 700,000. Why?
● Smartcards [2012 Chou (slides in Chinese)]: Taiwan Citizen Digital Certificates, smartcard certificates used for paying taxes, etc. Factored 103 (out of 2.26 million).

prng.seed()
p = prng.random_prime()
prng.add_randomness()
q = prng.random_prime()
N = p*q

Linux PRNGs, /dev/random and /dev/urandom
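The pairwise-GCD audit behind the numbers above, as an added example (not from the deck or the cited study): a toy PRNG follows the slide's seed / prime / add_randomness / prime sketch, so hosts that boot from the same state share their first prime, and a GCD sweep over the fleet's public moduli finds the shared factor. The `ToyPrng` class, the small prime table and the seeds are constructed for illustration; real keys use 1024-bit primes but the check is the same.

```python
from math import gcd

# Added example, not from the deck. A toy stand-in for the slide's sketch:
# hosts that boot with the same PRNG state draw the same first prime, and only
# entropy added afterwards makes the second prime differ. Small primes keep
# the numbers readable; the GCD check is identical for 1024-bit factors.
PRIMES = [10007, 10009, 10037, 10039, 10061, 10067, 10069, 10079, 10091, 10093]

class ToyPrng:
    """Hypothetical deterministic PRNG: the state is just an index into PRIMES."""
    def __init__(self, seed):
        self.state = seed
    def random_prime(self):
        return PRIMES[self.state % len(PRIMES)]
    def add_randomness(self, entropy):
        self.state += entropy          # mixing in entropy that arrives later

def generate_modulus(boot_seed, later_entropy):
    """Follows the slide's order: seed, p, add_randomness, q, N = p*q."""
    prng = ToyPrng(boot_seed)
    p = prng.random_prime()            # identical on every host with this seed
    prng.add_randomness(later_entropy)
    q = prng.random_prime()            # differs once real entropy has arrived
    assert p != q, "toy PRNG produced p == q; pick different entropy"
    return p * q

def find_shared_factors(moduli):
    """Pairwise GCD over a key inventory. gcd > 1 means both keys are broken:
    the other factor of each modulus is N // g, so their private keys follow."""
    findings = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g == 1:
                continue
            kind = "identical modulus" if g == moduli[i] else "shared prime"
            findings.append((i, j, kind, g))
    return findings

def demo():
    """Two hosts booted from the same state (seed 0), a third from a different one."""
    fleet = [generate_modulus(0, 3), generate_modulus(0, 5), generate_modulus(7, 1)]
    return find_shared_factors(fleet)   # [(0, 1, 'shared prime', 10007)]

if __name__ == "__main__":
    print(demo())
```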

Page 30: Go paranoid

Bad Keys & RNGs
➔ RNG entropy is difficult to achieve
➔ Collect entropy more aggressively
➔ Natural entropy sources for true randomness
➔ True RNGs

Hardware RNGs (SSL Accelerator cards) = Transducer (noise conversion) + Amplifier + A-D converter; seeds faster cryptographic PRNGs

➔ Intel's Ivy Bridge Entropy Source: each Ivy Bridge die contains one hardware RNG, shared by all the cores. The RNG begins with an entropy source (ES) whose behavior is determined by unpredictable thermal noise.

➔ Mind your Ps & Qs -Nadia Heninger

Page 31: Go paranoid

Bruce Schneier - “I have no idea if the NSA convinced Intel to do this (reducing the entropy to enable easy cryptanalysis) with the hardware random number generator it embedded into its CPU chips, but I do know that it could. And I was always leery of Intel strongly pushing for applications to use the output of its hardware RNG directly and not putting it through some strong software PRNG like Fortuna. And now Theodore Ts'o writes this about Linux: "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction."”

But again.. can we trust h/w RNGs ?

Page 32: Go paranoid

Hey.. you devels, never ever implement your own crypto, use standard libraries instead.

Page 33: Go paranoid

Whew !!

Hehe... did that help?

Of course.. thanks to our advanced Cryptology. Now I know what to fix to be secure online.

Sure, but they don't fix the entire problem we have.

What?!!! come on...

Yeah, it is just 70% of the problems we have

What about the next 30%?

Fix yourself!

Fix yourself!

Ah!

Page 34: Go paranoid

Security Vs Privacy

Page 35: Go paranoid

Tempting enough?

Page 36: Go paranoid
Page 37: Go paranoid

✔ Watch yourself in the cyber mirror
✔ Be careful while you show up and show off in the social networking spree.
✔ Investigate the exposure
✔ Surprises from unverified sources (lottery, dead bank account, job offers etc.)
✔ Electronic Frontier Foundation (https://www.eff.org)

Raise your web conscience

Page 38: Go paranoid

✔ A known good OS and browser combo
✔ HTTPS Everywhere extension
✔ Third party cookies and tracking
✔ The onion router network to protect your anonymity
✔ OpenDNS and parental controls
✔ End-to-end encrypted mail services
✔ Dark Mail Alliance and Email 3.0 (on XMPP)
✔ Duck Duck Go, Tails, OTR, TrueCrypt, BleachBit etc.
✔ GPG (http://pgp.mit.edu:11371/pks/lookup?op=get&[email protected])

http://epic.org/privacy/tools.html

Protect your privacy

Page 39: Go paranoid

Go Paranoid !!!

“Only the paranoid survive”– Andrew S Grove, Ex-CEO Intel.