Cryptography - You're doing it wrong! (Attila Balazs)

Do you use crypto in your app? Then you're doing it wrong! This presentation explores 10 ways crypto code gleaned from the Internet is wrong and insecure and what you can do to prevent the attacks.

Page 1: Cryptography - You're doing it wrong! (Attila Balazs)

Premium community conference on Microsoft technologies itcampro @ itcamp14 #

Cryptography: you're doing it wrong!

8 frequent mistakes in implementing crypto (down from the advertised 10)

Attila-Mihály Balázs

[email protected]

Page 2: Cryptography - You're doing it wrong! (Attila Balazs)

Huge thanks to our sponsors & partners!

Page 3: Cryptography - You're doing it wrong! (Attila Balazs)

Agenda

• Who am I?

• Reason 0

• Reason 1

• Reason 2

• Reason 3

• Reason 4

• Reason 5

• Reason 6

• Reason 7

• Resources

• Q&A

Page 4: Cryptography - You're doing it wrong! (Attila Balazs)

Who am I?

Attila-Mihály Balázs

• Reverse Engineer

• Developer

• Technologist

• Not a cryptographer !!!

[email protected]

https://grey-panther.net

Page 5: Cryptography - You're doing it wrong! (Attila Balazs)

TL;DR

Choose widely used technologies:

• Data in motion: TLS (SSL)
  • Client side certificates
  • Windows AD comes with it

• Data at rest:
  • Bitlocker, NTFS encryption, CryptProtectData
  • gpgme, encrypted archives (7z), keyczar-dotnet

• Password store: use PBKDF2

Page 6: Cryptography - You're doing it wrong! (Attila Balazs)

Purpose of this talk

Scare the s*** out of you!

Page 7: Cryptography - You're doing it wrong! (Attila Balazs)

Purpose of this talk

Scare the pants off of you!

Page 8: Cryptography - You're doing it wrong! (Attila Balazs)

Purpose of this talk

You are not smart enough to do crypto!

Page 9: Cryptography - You're doing it wrong! (Attila Balazs)

Scenario

Diagram: Alice and Bob (the communicating parties), Eve and Mallory (the attackers).

Page 10: Cryptography - You're doing it wrong! (Attila Balazs)

Scenario

Diagram: Authenticate → Token → Token, with Eve and Mallory sitting on the path between the parties.

Page 11: Cryptography - You're doing it wrong! (Attila Balazs)

Don't implement your own crypto !!!

• Primitives: block ciphers, stream ciphers, hash functions

• Cryptographic protocols (systems), i.e. "transmit data over an (untrusted) network between participants who never met previously and ensure the data secrecy and integrity in the presence of passive and/or active attackers"

Page 12: Cryptography - You're doing it wrong! (Attila Balazs)

Implementation

Token

    RijndaelManaged RMCrypto = new RijndaelManaged();
    // Hard-coded key, and the IV is the same 16 bytes as the key: both choices are
    // picked apart under Reason 3. NetStream is the network stream being written to.
    byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    byte[] IV  = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    CryptoStream CryptStream = new CryptoStream(
        NetStream, RMCrypto.CreateEncryptor(Key, IV),
        CryptoStreamMode.Write);
    StreamWriter SWriter = new StreamWriter(CryptStream);
    SWriter.WriteLine("Hello World!");

http://msdn.microsoft.com/en-us/library/as0w18af%28v=vs.110%29.aspx

Page 13: Cryptography - You're doing it wrong! (Attila Balazs)

Legal stuff I need to tell you

Software on Documentation Portals. Software accessible on the Documentation Portals is made available by the designated publisher under the associated license terms. If Software is accessible on the Documentation Portals without license terms, then subject to subsection (c) below you may use it to design, develop, and test your programs. If any such Software without license terms is marked as "sample" or "example," then you may use it under the terms of the Microsoft Limited Public License.

http://msdn.microsoft.com/en-us/cc300389.aspx#D

3(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

3(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.

3(F) Platform Limitation. The licenses granted in sections 2(A) & 2(B) extend only to the software or derivative works that you create that run on a Microsoft Windows operating system product.

Page 14: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 0: Replay Attacks

Token

    RijndaelManaged RMCrypto = new RijndaelManaged();
    byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    byte[] IV  = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    CryptoStream CryptStream = new CryptoStream(
        NetStream, RMCrypto.CreateEncryptor(Key, IV),
        CryptoStreamMode.Write);
    StreamWriter SWriter = new StreamWriter(CryptStream);
    // Nothing in the token ties it to a client or a point in time: once captured it stays valid forever.
    SWriter.WriteLine("access-level=admin|username=bruce");

Page 15: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 0: Replay Attacks

Token

    RijndaelManaged RMCrypto = new RijndaelManaged();
    byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    byte[] IV  = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    CryptoStream CryptStream = new CryptoStream(
        NetStream, RMCrypto.CreateEncryptor(Key, IV),
        CryptoStreamMode.Write);
    StreamWriter SWriter = new StreamWriter(CryptStream);
    // Client address and expiry time are now part of the token and must be checked on every use.
    SWriter.WriteLine("ip=65.55.58.201|expires=1400488925|"
                      + "access-level=admin|username=bruce");

Page 16: Cryptography - You're doing it wrong! (Attila Balazs)

Choices, choices, choices

Page 17: Cryptography - You're doing it wrong! (Attila Balazs)

Choices, choices, choices

• Algorithm: symmetric, Rijndael (AES)
• Block size: 128 bit (16 bytes)
• Operation mode: CBC
• Padding: PKCS7
• Key: 128 bit (16 bytes)
• Key derivation ??
• IV == Key ?? Fixed ??

Page 18: Cryptography - You're doing it wrong! (Attila Balazs)

Premium community conference on Microsoft technologies itcampro @ itcamp14 #

Reason 1: bit flipping attacks

http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

Page 19: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 1: bit flipping attacks

1 ⊕ 1 == 0, 1 ⊕ 0 == 1

0 ⊕ 1 == 1, 0 ⊕ 0 == 0

Page 20: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 1: bit flipping attacks

Original token:   access-level=user|username=gpantherlaccess-level-admin

The two characters to change differ from their replacements in a single bit (0x10):

  l: 01101100b  →  |: 01111100b
  -: 00101101b  →  =: 00111101b

After decryption: access-level=use****************her|access-level=admin

Page 21: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 2: padding oracle

=admin

=admin\x9\x9\x9\x9\x9\x9\x9\x9\x9

Page 22: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 2: padding oracle

CryptographicException: Padding is invalid and cannot be removed.

Page 23: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 2: padding oracle

guessed ⊕ original ⊕ plaintext = 0x01

a ⊕ a = 0

a ⊕ b = b ⊕ a

plaintext = 0x01 ⊕ guessed ⊕ original

Page 24: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 3: Poorly chosen IV

    RijndaelManaged RMCrypto = new RijndaelManaged();
    byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    // IV is byte-for-byte identical to Key (and constant across messages)
    byte[] IV  = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
    CryptoStream CryptStream = new CryptoStream(
        NetStream, RMCrypto.CreateEncryptor(Key, IV),
        CryptoStreamMode.Write);
    StreamWriter SWriter = new StreamWriter(CryptStream);
    SWriter.WriteLine("access-level=admin|username=bruce");

Page 25: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 3: Poorly chosen IV

IV == Key

CBC encryption:

  C0 = EK(P0 ⊕ IV)
  C1 = EK(P1 ⊕ C0)
  C2 = EK(P2 ⊕ C1)

CBC decryption:

  P0 = DK(C0) ⊕ IV = DK(EK(P0 ⊕ IV)) ⊕ IV = P0 ⊕ IV ⊕ IV = P0
  P1 = DK(C1) ⊕ C0 = DK(EK(P1 ⊕ C0)) ⊕ C0 = P1 ⊕ C0 ⊕ C0 = P1

Decrypting the modified ciphertext C0 ‖ 0 ‖ C0 gives:

  P0' = DK(C0) ⊕ IV = A
  P1' = DK(0) ⊕ C0
  P2' = DK(C0) ⊕ 0 = DK(C0) = B

  A ⊕ B = DK(C0) ⊕ IV ⊕ DK(C0) = IV = Key

Page 26: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 3: Poorly chosen IV

IV == Constant → chosen-plaintext attack / encryption oracle

username=gpanther|access-level=user
username=gpanther|access-level=admin

68e4ed21f7bc5ac64405cdd8269b3b74fa19b951f0b521757e94…
68e4ed21f7bc5ac64405cdd8269b3b74e06a42679cb7b34ca8a1…

Same IV and same first 16 plaintext bytes give an identical first ciphertext block (the first 32 hex digits), so an observer can tell when two tokens start the same way.

Page 27: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 4: Key derivation

Human password → key bits

Very bad: truncate/pad to 16 bytes

Very bad: use (first 16 bytes of) MD5(password)

Very bad: use SHA1(password)

Bad: use SHA1(salt + password)

Bad: use SHA1(per user salt + password)

Good: use PBKDF2(password)*. Tune it.

Good: use scrypt(password). Tune it.

* Rfc2898DeriveBytes
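
For the two "Good" rows, an added Python example (not code from the talk) of a PBKDF2 password store built on hashlib.pbkdf2_hmac, the standard-library counterpart of Rfc2898DeriveBytes: a per-user random salt, a self-describing record, constant-time verification, and re-hashing at login when the stored iteration count has fallen behind the current setting, which is the "tune it" part. The iteration count, salt size and record layout are constructed choices for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed settings for the example: raise ITERATIONS as hardware gets faster ("tune it").
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'."""
    # Per-user random salt: identical passwords get different records, and a table
    # precomputed for one user (or one site) is useless against another.
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record); upgraded_record is a fresh record when the stored one
    uses fewer iterations than ITERATIONS, so the store is re-tuned on successful login."""
    try:
        algo, iters_s, salt_hex, key_hex = record.split("$")
        iterations, salt, stored = int(iters_s), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False, None          # malformed record: treat as a failed login
    if algo != f"pbkdf2_{HASH_NAME}":
        return False, None
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    if not hmac.compare_digest(key, stored):   # constant-time compare (see Reason 6)
        return False, None
    if iterations < ITERATIONS:
        return True, hash_password(password)   # new salt, current iteration count
    return True, None
```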

Page 28: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 5: hash extension attacks

Diagram: Authenticate → Token → Token, with Eve and Mallory on the path; the token now carries a signature:

"ip=127/8|expires=1400488925|access-level=admin|username=bruce|<signature>"

Page 29: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 5: hash extension attacks

Cryptographic hash function:

• H(x) = h

• h is fast to compute

• h is of fixed size

• Given h, it is impractical to generate x

H(<secret key><data>) = <hash>

<data><hash>

Page 31: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 5: hash extension attacks

Cryptographic hash functions are completely deterministic!

adc83b19 e793491b 1c6ea0fd 8b46cd9f 32e592fc

adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

The 160-bit digest is nothing more than the hash function's final internal state (five 32-bit words), so whoever holds the digest holds everything needed to keep hashing from that point.

Given x and H(x) it is trivial* to compute:

• H(x + d) for arbitrary d

• H(x[0:k]) for arbitrary k

Use HMAC

Page 32: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 6: HMAC timing attack (side channel attacks)

    In = "<data><signature>";
    Data, Sig = In.split();
    CalcSig = HMAC(Data);

    /* Wrong!!! Do not use!!! */
    for (i = 0; i < SIG_LEN; i++) {
        if (Sig[i] != CalcSig[i]) {
            return False;   // early exit: the time taken reveals how many leading bytes matched
        }
    }
    return True;

Page 33: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 6: HMAC timing attack (side channel attacks)

<data>00XXXXXXXXXXXXXXXXXXXXXXXXXXXX

<data>01XXXXXXXXXXXXXXXXXXXXXXXXXXXX

<data>02XXXXXXXXXXXXXXXXXXXXXXXXXXXX

<data>ad00XXXXXXXXXXXXXXXXXXXXXXXXXX

<data>ad01XXXXXXXXXXXXXXXXXXXXXXXXXX

<data>ad02XXXXXXXXXXXXXXXXXXXXXXXXXX

Page 34: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 6: HMAC timing attack (side channel attacks)

    In = "<data><signature>";
    Data, Sig = In.split();
    CalcSig = HMAC(Data);

    // Sig must be exactly SIG_LEN bytes; check the length before this loop.
    int result = 0;
    for (i = 0; i < SIG_LEN; i++) {
        result |= Sig[i] ^ CalcSig[i];   // accumulate every difference, never exit early
    }
    return result == 0;
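
Putting Reasons 0, 5 and 6 together, an added Python example (not code from the talk): a token in the field layout used on the slides, signed with HMAC-SHA256 rather than H(key‖data), carrying the ip and expires fields, and verified with a constant-time comparison before any field is trusted. The secret key, the 600-second lifetime and the rejection of separator characters in field values are constructed choices for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed demo key: in a real deployment load it from a secret store, never hard-code it.
SECRET_KEY = b"constructed-demo-key-not-for-production"
FIELD_SEP = "|"


def _sign(payload: str) -> bytes:
    # HMAC, not H(key || data): no length extension, and the tag covers every field,
    # so ip, expires and access-level can neither be altered nor appended to.
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")


def issue_token(username: str, access_level: str, ip: str, ttl_seconds: int,
                now: Optional[int] = None) -> str:
    """Build 'ip=..|expires=..|access-level=..|username=..|<signature>' (the slide's layout)."""
    for value in (username, access_level, ip):
        if FIELD_SEP in value or "=" in value:     # a crafted username must not inject fields
            raise ValueError("field values must not contain separators")
    now = int(time.time()) if now is None else now
    payload = FIELD_SEP.join([
        f"ip={ip}",
        f"expires={now + ttl_seconds}",           # replay window: the token dies at this instant
        f"access-level={access_level}",
        f"username={username}",
    ])
    return payload + FIELD_SEP + _sign(payload).decode("ascii")


def verify_token(token: str, client_ip: str, now: Optional[int] = None) -> Optional[Dict[str, str]]:
    """Return the token's fields if it is genuine, unexpired and bound to client_ip, else None."""
    now = int(time.time()) if now is None else now
    payload, sep, sig = token.rpartition(FIELD_SEP)
    if not sep:
        return None
    # Constant-time comparison: the whole tag is compared, no early exit on the first mismatch.
    if not hmac.compare_digest(sig.encode("utf-8"), _sign(payload)):
        return None
    fields = dict(kv.split("=", 1) for kv in payload.split(FIELD_SEP))
    # The signature checked out, so these fields are exactly what we issued; now enforce them.
    if fields.get("ip") != client_ip or int(fields.get("expires", "0")) <= now:
        return None
    return fields
```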

Page 35: Cryptography - You're doing it wrong! (Attila Balazs)

Reason 7: C.R.I.M.E. attack (side channels redux)

Diagram: Query → EK(C(Query + Response)) → Mallory, where C is compression and EK is encryption under key K; Mallory controls part of the Query and observes the resulting ciphertext.

Page 36: Cryptography - You're doing it wrong! (Attila Balazs)

Resources

• Matasano crypto challenge http://www.matasano.com/articles/crypto-challenges/

• Applied Cryptography https://www.udacity.com/course/cs387

• Cryptography Engineering https://www.schneier.com/book-ce.html

• Crypto 101 https://www.crypto101.io/

Page 37: Cryptography - You're doing it wrong! (Attila Balazs)

TL;DR

Choose widely used technologies:

• Data in motion: TLS (SSL)
  • Client side certificates
  • Windows AD comes with it

• Data at rest:
  • Bitlocker, NTFS encryption, CryptProtectData
  • gpgme, encrypted archives (7z), keyczar-dotnet

• Password store: use PBKDF2

Page 38: Cryptography - You're doing it wrong! (Attila Balazs)

Q & A