View
0
Download
0
Category
Preview:
Citation preview
MostCommonCryptographyMistakes
3/8/2016
Youfellvic+mtooneoftheclassicblunders!
#8:KeyRe-use
• Don’tusesamekeyforbothdirecEons.– Risk:replayaHacks
• Don’tre-usesamekeyforbothencrypEonandauthenEcaEon.
#7:CarefulwithConcatenaEon
• Commonmistake:Hash(S||T)– “builEn”||“securely”=“built”||“insecurely”
AmazonWebServices
hHp://amazon.com/set?u=daw&n=David&t=U&m=…
MAC(K,”udawnDavidtU”)
AmazonWebServices
hHp://amazon.com/set?u=daw&n=DavidtAq&t=U&m=…
MAC(K,”udawnDavidtAqtU”)
hHp://amazon.com/set?u=daw&n=David&t=A&qt=U&m=…
#7:CarefulwithConcatenaEon
• Commonmistake:Hash(S||T)– “builEn”||“securely”=“built”||“insecurely”
• Fix:Hash(len(S)||S||T)• Makesureinputstohash/MACareuniquelydecodable
#5:Don’tEncryptwithoutAuth
• Commonmistake:encrypt,butnoauthenEcaEon– AchecksumdoesnotprovideauthenEcaEon
• Ifyou’reencrypEng,youprobablywantauthenEcatedencrypEon– Encrypt-then-authenEcate:Ek1(M),Fk2(Ek1(M))– Or,useadedicatedAEmode:GCM,EAX,…
EncryptwithoutAuthHallofShame
• ASP.NET(x2)• XMLencrypEon• AmazonEC2• JavaServerFaces• RubyonRails• OWASPESAPI• IPSEC• WEP• SSH2
#4:BeCarefulwithRandomness
• Commonmistake:usepredictablerandomnumbergenerator(e.g.,togeneratekeys)
• SoluEon:Useacrypto-qualityPRNG.– /dev/urandom,CryptGenRandom,…
NetscapeNavigator
charchall[16],k[16];srand(getpid()+time(NULL)+getppid());for(inti=0;i<16;i++)chal[i]=rand();for(inti=0;i<16;i++)chal[i]=rand();
NetscapeNavigator1.1
R,{K}KS,{M}K,…
certSClient Server
where(R,K)=hash(microseconds,x)x=seconds+pid+(ppid<<12)
NetscapeNavigator1.1
R,{K}KS,{M}K,…
certSClient Server
where(R,K)=hash(microseconds,x)x=seconds+pid+(ppid<<12)
A7ack:Eavesdroppercanguessx(≈10bits)andmicroseconds(20bits),anduseRtocheckguess.
BadPRNGs=brokencrypto
• Netscapeserver’sprivatekeys(≈32bits)• Kerberosv4’ssessionkeys(≈20bits)• X11MIT-MAGIC-COOKIE1(8bits)• Linuxvtun(≈1bit)• PlanetPokersite(≈18bits)• DebianOpenSSL(15bits)• CryptoAG–NSAspikedtheirPRNG• Dual_EC_DRBG–backdoorthatonlyNSAcanuse
#3:PassphrasesMakePoorKeys
• Commonmistake:GeneratecryptokeyasHash(passphrase)
• Problem:≈20bitsofentropy;evenwithaslowhash,thisisnotnearlyenough.Human-generatedsecretsjustdon’thaveenoughentropy.
• Example:Bitcoinbrainwallets• SoluEon:Cryptokeysshouldberandom.
#2:BeSecureByDefault
• Commonmistake:SecurityisopEonal,orconfigurable,ornegoEable
• Fix:ThereisonemodeofoperaEon,anditissecure.NohumanconfiguraEonneeded.– e.g.,Skype
#2:BewareRollbackAHacks
• Commonmistake:SecurityisnegoEable,andaHackercanpersuadeyoutofallbacktoinsecurecrypto
ACASESTUDY
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client Server
Ifbothendpointssupport128-bitcrypto:
whereK=hash(password||R)
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client Server
Ifbothendpointssupport128-bitcrypto:
whereK=hash(password||R)
A7ack1:Eavesdroppercantrydic+onarysearchonpassword,givensomeknownplaintext.
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client Server
Ifbothendpointssupport128-bitcrypto:
whereK=hash(password||R)
A7ack2:Ac+vea7ackercantamperwithpacketsbyflippingbits,sincethereisnoMAC.
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
Client Server
whereK=hash(password||R)
A7ack3:Badguycanreplayapriorsession,sinceclientdoesn’tcontributeanonce.
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
Client BadGuy
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
Client Server
whereK=hash(password||R)
A7ack4:Badguycanreplayandreversemessagedirec+on,sincesamekeyusedinbothdirec+ons.
M⊕RC4(K)
SodoI.Here’sanonce:R
Isupport128-bitcrypto
Client BadGuy
M⊕RC4(K)
Idon’t.Use40-bitcrypto
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client Server
Ifoneendpointdoesn’tsupport128-bitcrypto:
whereK=hash(uppercase(password))
M⊕RC4(K)
Idon’t.Use40-bitcrypto
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client Server
Ifoneendpointdoesn’tsupport128-bitcrypto:
whereK=hash(uppercase(password))
A7ack1:Eavesdroppercantrydic+onarysearchonpassword,givensomeknownplaintext.
M⊕RC4(K)
Idon’t.Use40-bitcrypto
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client Server
Ifoneendpointdoesn’tsupport128-bitcrypto:
whereK=hash(uppercase(password))
A7ack2:Dic+onarysearchcanbespedupwithprecomputedtable(givenknownplaintext).
M⊕RC4(K)
Idon’t.Use40-bitcrypto
Isupport128-bitcrypto
MSPoint-to-PointEncrypEon(MPPE)
Client
whereK=hash(uppercase(password))
A7ack3:Imposterservercandowngradeclientto40-bitcrypto,thencrackpassword.
BadGuy
M⊕RC4(K)Idon’t.Use40-bit
Isupport128-bit
MSPoint-to-PointEncrypEon(MPPE)
Client Server
whereK=hash(uppercase(password)),K’=hash(password||R)
A7ack4:Man-in-the-middlecandowngradecryptostrengthevenifbothclient+serversupport128-bitcrypto,thencrackpassword.
BadGuy
M’⊕RC4(K’)
SodoI.Nonce:RIsupport128-bit
#1:Don’tRollYourOwn
• Don’tdesignyourowncryptoalgorithm• UseaEme-honored,well-testedsystem– Fordataintransit:TLS,SSH,IPSEC– Fordataatrest:GnuPG
#0:CryptoAin’tMagic
“IfyouthinkcryptographyisthesoluEontoyourproblem,thenyoudon’tunderstandcryptographyandyoudon’tunderstandyourproblem.”
–RogerNeedham
Meta-Lessons
• Cryptographyishard.• Hireanexpert,oruseanexisEngsystem(e.g.,SSL,SSH,GnuPG).
• But:MostvulnerabiliEesareinapplicaEonsandsovware,notincryptoalgorithms.
BONUSMATERIAL
#8:TrafficAnalysisisSEllPossible
• EncrypEondoesn’thidesender,recipient,length,orEmeofmessage.(“meta-data”)
SSH
{l}K
(handshake;keyexchange)Client Server
{l}K’{s}K{s}K’
{\n}K{\nfoobar\n$}K’
SSH{\n}K
Client Server
{\nPassword:}K’{q}K{p}K
{l}K
{e}K
{4}K{\n}K
{\nLastlogin:…\n$\n}K’
SSH{\n}K
Client Server
{\nPassword:}K’{q}K{p}K
{l}K
{e}K
{4}K{\n}K
{\nLastlogin:…\n$\n}K’
Revealslengthofpassword.
Reveals+mebetweenkeystrokes.Thisleakspar+alinforma+onaboutthepassword!
LessonsSummarized
• Don’tdesignyourowncryptoalgorithm.• UseauthenEcatedencrypEon(don’tencryptwithoutauthenEcaEng).
• Usecrypto-qualityrandomnumbers.• Don’tderivecryptokeysfrompassphrases.• Besecurebydefault.• BecarefulwithconcatenaEon.• Don’tre-usenonces/IVs.Don’tre-usekeysformulEplepurposes.
• EncrypEondoesn’tpreventtrafficanalysis(“metadata”).
#7:Don’tre-usenonces/IVs
• Re-usinganonceorIVleadstocatastrophicsecurityfailure.
Creditcardnumbersinadatabase
AverBase64decoding
Encryptedcreditcardnumbers
Encryptedcreditcardnumbers
ASCII:…,‘3’=0x33,‘4’=0x34,‘5’=0x35,…
Encryptedcreditcardnumbers
ASCII:‘0’=0x30,…,‘7’=0x37,‘8’=0x38,‘9’=0x39
#7:Don’tre-usenonces/IVs
• Re-usinganonceorIVleadstocatastrophicsecurityfailure.
WEP
• EarlymethodforencrypEngWifi:WEP(WiredEquivalentPrivacy)– Shareasinglecryptographickeyamongalldevices– Encryptallpacketssentovertheair,usingthesharedkey– UseachecksumtopreventinjecEonofspoofedpackets
(encrypted traffic)
WEP-ALiHleMoreDetail
• WEPusestheRC4streamciphertoencryptaTCP/IPpacket(P)byxor-ingitwithkeystream(RC4(K,IV))
IV,P⊕RC4(K,IV)
ARiskofKeystreamReuse
• InsomeimplementaEons,IVsrepeat.– Ifwesendtwociphertexts(C,C’)usingthesameIV,thenthexorof
plaintextsleaks(P⊕P’=C⊕C’),whichmightrevealbothplaintexts
�Lesson:Don’tre-usenonces/IVs
IV,P⊕RC4(K,IV)
IV,P’⊕RC4(K,IV)
WEP--EvenMoreDetail
IV
RC4 key
IV encrypted packet
original unencrypted packet checksum
AHack#2:SpoofedPackets
• AHackerscaninjectforged802.11traffic– LearnZ=RC4(K,IV)usingpreviousaHack– SincetheCRCchecksumisunkeyed,youcanthencreatevalid
ciphertextsthatwillbeacceptedbythereceiver
IV,(P,CRC(P))⊕Z
AHack#3:PacketModificaEon
• CRCislinear⇒CRC(P⊕Δ)=CRC(P)⊕CRC(Δ)⇒themodifiedpacket(P⊕Δ)hasavalidchecksum
�AHackercantamperwithpacket(P)withoutbreakingRC4
(P,CRC(P))⊕RC4(K)
(P,CRC(P))⊕RC4(K)⊕(Δ,CRC(Δ))
AHack#4:InducEveLearning
• LearnZ1..n=RC4(K,IV)1..nusingpreviousaHack• ThenguessZn+1;verifyguessbysendingapingpacket((P,
CRC(P)))oflengthn+1andwatchingforaresponse• Repeat,forn=1,2,…,unElallofRC4(K,IV)isknown
(P,CRC(P))⊕(Z1..n,0)
(P,CRC(P))⊕(Z1..n,1)
(P,CRC(P))⊕(Z1..n,255)
:
(pong)
Credits:Arbaugh,etal.
AHack#5:ReacEonAHacks
• TCPACKnowledgementreturnedbyrecipient⇔TCPchecksumonmodifiedpacket(P⊕0x00010001)isvalid⇔wt(P&0x00010001)=1
�AHackercanrecoverplaintext(P)withoutbreakingRC4
P⊕RC4(K) P⊕RC4(K)⊕0x00010001
(ACK)
Recommended