Cryptography
Three methods:
• Symmetric key
• Asymmetric key
• Hashing
Symmetric Key Encryption
• Encryption of almost everything
  Data at rest: disk encryption, files, databases
  Data in motion: SSL/TLS, IPsec
• Today's standards
  Advanced Encryption Standard: AES-128 and AES-256
  Processor hardware acceleration for AES and Galois/Counter Mode (GCM): < 1% performance impact
• SDP/PA use AES-256 for Single Packet Authorization and for TLS communication
• Shared key encryption
  The same key that encrypts also decrypts
  Must be kept secret !!!
  Very difficult to transmit a secret across an untrusted network (this is the problem asymmetric cryptography solves)
Asymmetric Key (a.k.a. Public Key) Cryptography
• Purpose
  Exchange secrets over an untrusted network
  Secretly (encrypted) and with integrity (signed)
• Only encrypts small pieces of data
  Message must be smaller than the asymmetric key (for RSA, smaller than the modulus n)
• Only used for 2 things
  Encrypt symmetric keys (common for data at rest)
  Sign hashes (a hash "encrypted" with the signer's private key is a "signature")
• Today's standards
  Diffie-Hellman (key agreement), RSA (PKCS#1), Digital Signature Standard (DSS: DSA and ECDSA)
• SDP/PA use asymmetric key cryptography for:
  Encrypting keys on disk
  Exchanging symmetric keys & creating signatures for the TLS handshake
  Generating and validating X.509 certificates
Hash, and Message Authentication Code (MAC)
• A hash converts an arbitrarily long message into a single fixed-size number
  The number is "unique" in practice: typical sizes are 256, 384 or 512 bits, giving 2^256, 2^384 or 2^512 possible values
  2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 ≈ 1.16 × 10^77
  Roughly the estimated number of atoms in the observable universe (~10^80)
• Cannot be reversed
  Once converted to a hash, the hash cannot be converted back into the message
  To check a message: re-hash it and compare hashes
  Same hash means same message (finding two messages with the same hash, a collision, must be infeasible)
• A MAC is a keyed hash: only holders of the key can produce or verify it (HMAC built on a hash, or GMAC built on AES)
• Today's standards
  Secure Hash Algorithm 1 (SHA-1): widely used, considered insecure
  SHA-2 family of hashes, typical use: 256, 384, 512-bit
  SHA-3: released Aug 5, 2015 (FIPS 202)
  Message Digest 5 (MD5): considered cryptographically broken
• SDP/PA use hashing for:
  One Time Password (OTP) and GMAC of Single Packet Authorization (SPA)
  Integrity of the TLS handshake
  X.509 certificates (the certificate body is hashed, then the hash is signed with the issuer's private key)
  Derivation of TLS symmetric keys and Initialization Vectors (IV)
• Key Derivation Function (KDF), simplified view
  Km = master key
  K1 = H[Km], K2 = H[K1], K3 = H[K2], K4 = H[K3]
  (TLS 1.2 actually uses an HMAC-based PRF keyed with the master secret; see the handshake deep dive)
Cryptography: Only 3 methods
• Symmetric key encryption
• Asymmetric key encryption
• Hashing (and MAC)
• Almost always used in combination
• Example: the method for an SSL/TLS connection, cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  1. Negotiate the cipher suite
  2. Generate asymmetric (ephemeral ECDH) keys
  3. Exchange asymmetric public keys
  4. Authentication via asymmetric keys & hashing (signatures over the exchange)
  5. Symmetric key encryption of the data (AES-256-GCM)
  6. Symmetric key & hashing for integrity (the GCM tag; SHA-384 in the key derivation and handshake hash)
Symmetric Key Encryption with Message Authentication
Symmetric Key Encryption
  PT → E_k → Cipher Text (CT) → [Untrusted Network] → D_k → PT
  The same key k encrypts (E_k) and decrypts (D_k)
Symmetric Key Encryption & Block Ciphers
  [Figure: the PT → E_k → CT → Untrusted Network → D_k → PT diagram, worked with toy 3-bit blocks. Plaintext blocks 0 1 2 3 (000 001 010 011) are XORed block by block with the key digits 6 3 5 6 (110 011 101 110), giving 6 2 7 5 (110 010 111 101); the receiver XORs the cipher text with the same key digits to recover the plaintext. A block cipher hides the data, but a flipped bit in transit simply flips the same bit of the recovered plaintext: encryption alone does not detect tampering.]

Symmetric Key Encryption & Message Authentication
  [Figure: the same diagram with a chained hash function appended to the cipher text. The toy function is H_i = Func(H_{i-1}, block_i): XOR the block with the previous hash value, then substitute through the table 0→2, 1→5, 2→6, 3→4, 4→3, 5→1, 6→7, 7→0. Worked on the blocks 6 3 5 6 with H_0 = 0:
    Input 6: 6 XOR 0 = 6 → Hash 7
    Input 3: 3 XOR 7 = 4 → Hash 3
    Input 5: 5 XOR 3 = 6 → Hash 7
    Input 6: 6 XOR 7 = 1 → Hash 5
  The final value 5 is sent with the cipher text; the receiver recomputes the chain and rejects the message if its value differs.]
Galois/Counter Mode (GCM) and GMAC
• E_k is the encryption algorithm and key, here AES-256
• PT is Plain Text that gets encrypted into Cipher Text (CT); all blocks are 128 bits in length
• IV is a 96-bit Initialization Vector, which must be a nonce (never reused under the same key)
• Counter blocks are IV || 32-bit counter; the first counter block, IV || 0^31 || 1, is reserved for the Tag, and the plaintext blocks use the following counter values
  CT_i = PT_i ⊕ E_k(IV || counter_i)
• AD is Additional Data that is authenticated but not encrypted
• GHASH is a hash in GF(2^128) keyed with H = E_k(0^128):
  GHASH_0 = 0
  GHASH_1 .. GHASH_m are computed over the AD blocks AD_1 .. AD_m
  GHASH_m+1 .. GHASH_m+n over the cipher text blocks CT_1 .. CT_n
  then a final block len(AD) || len(PT) (64-bit lengths, in bits)
  each step: GHASH_i = (GHASH_i-1 ⊕ block_i) · H
• TAG = E_k(IV || 0^31 || 1) ⊕ GHASH
• The output is the Cipher Text and the Tag; GMAC is GCM with no plaintext (AD only), producing just the Tag
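The tag computation above, as an added example that is not part of the original deck: a pure-Python GHASH over GF(2^128) checked against the published GCM Test Case 2 (all-zero 128-bit key, all-zero 96-bit IV, one zero plaintext block). Python's standard library has no AES, so the two AES outputs the mode needs, H = AES_K(0^128) and E_K(J0) with J0 = IV || 0^31 || 1, are taken from that published test vector as constants rather than computed here.

```python
"""GCM tag = E_K(J0) XOR GHASH_H(AD, CT): pure-Python GHASH over GF(2^128).

Added example, not code from the original deck. The AES outputs below are the
published GCM Test Case 2 values (all-zero key, all-zero IV, one zero block);
everything else is computed.
"""
import hmac

H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")       # AES_K(0^128), the GHASH key
E_K_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # AES_K(IV || 0^31 || 1)
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # AES-CTR output for one zero block
EXPECTED_TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")  # published tag

# Reduction polynomial x^128 + x^7 + x^2 + x + 1 in GCM's bit order: R = 11100001 || 0^120
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements (NIST SP 800-38D, Algorithm 1).

    Integers hold the 16-byte block big-endian, so GCM's "bit 0" is the integer's bit 127.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Split into 128-bit blocks, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(AD, CT): X_i = (X_{i-1} XOR block_i) * H over the AD blocks, the CT
    blocks, and the final len(AD) || len(CT) block (lengths in bits)."""
    hk = int.from_bytes(h, "big")
    x = 0
    for blk in list(_blocks(aad)) + list(_blocks(ct)):
        x = gf128_mul(x ^ int.from_bytes(blk, "big"), hk)
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    x = gf128_mul(x ^ int.from_bytes(lengths, "big"), hk)
    return x.to_bytes(16, "big")


def gcm_tag(h: bytes, ek_j0: bytes, aad: bytes, ct: bytes) -> bytes:
    """TAG = E_K(J0) XOR GHASH_H(AD, CT)."""
    return bytes(a ^ b for a, b in zip(ek_j0, ghash(h, aad, ct)))


def tag_matches(h: bytes, ek_j0: bytes, aad: bytes, ct: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(gcm_tag(h, ek_j0, aad, ct), tag)


if __name__ == "__main__":
    print("GHASH:", ghash(H, b"", CT).hex())
    print("TAG  :", gcm_tag(H, E_K_J0, b"", CT).hex(),
          "ok" if tag_matches(H, E_K_J0, b"", CT, EXPECTED_TAG) else "BAD")
    tampered = bytes([CT[0] ^ 0x01]) + CT[1:]
    print("one flipped CT bit accepted?", tag_matches(H, E_K_J0, b"", tampered, EXPECTED_TAG))
```

With no plaintext and no AD (Test Case 1) the GHASH chain reduces to the all-zero length block, so the tag is simply E_K(J0): that is the degenerate GMAC. Flipping a single bit of CT or adding a byte of AD changes the tag, which is the property the previous slides' toy hash chain was illustrating.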
Asymmetric Key Cryptography (Public Key)
• Algorithms generate 2 keys
  Private key is kept private, public key is shared
  Elliptic curve keys are hundreds of bits (e.g. 256)
  RSA keys are thousands of bits (2048 or more)
  Message must be smaller than the key
• 2 uses
  Encrypt a symmetric key
    Alice encrypts the symmetric key with Bob's public key
    So only Bob can decrypt it, with his private key
  Sign a hash (the textbook description: "encrypt the hash")
    Alice "encrypts" the hash with Alice's private key
    So Bob can "decrypt" it with Alice's public key and compare it with his own hash of the message
Asymmetric Key Cryptography: Math Example (RSA)
  Alice                                     Untrusted Network           Bob
  m = Message (for example: a symmetric key)
  Encryption: c = m^e mod n            →   c = Cipher Text   →      Decryption: m = c^d mod n
  (e, n) is Bob's public key                                        d is Bob's private key
  Why it works: (m^e)^d ≡ m^(e·d) ≡ m^1 ≡ m (mod n), because e·d ≡ 1 (mod φ(n))
Concerns:
1. How does Alice know it's Bob's key?
   Answer: Public Key Infrastructure
2. If the conversation is recorded, and if Bob's private key is later compromised, then the attacker can decrypt the recorded message
   Solution: Perfect Forward Secrecy
Perfect Forward Secrecy
• Compromise of the long-term key does not compromise past session keys
• Thought exercise/analogy: Diffie-Hellman Ephemeral (DHE), but with buckets of paint*
• Thought exercise/small numbers: also from Wikipedia; remember this is not RSA math
• Perfect Forward Secrecy: no encrypted key is sent to the other side; each side picks a random secret and neither side ever knows both

Paint analogy (Alice and Bob):
1. Both agree on a common color
2. Both choose a secret color
3. Each separately blends their secret color with the common color
4. They exchange blends; each now has the other's blended color
5. Each separately blends their secret color with the other's blended color
6. Both arrive at the same common blended color (a common secret)

* Wikipedia "Diffie–Hellman key exchange" https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Small numbers:
  g = common base = 5, p = modulus = 23
  Alice: a = 6                          Bob: b = 15
  A = 5^6 mod 23 = 8                    B = 5^15 mod 23 = 19
  Alice sends A = 8, Bob sends B = 19 (these travel in the clear)
  Alice: 19^6 mod 23 = 2                Bob: 8^15 mod 23 = 2
  Shared secret = 2; an eavesdropper sees 5, 23, 8 and 19 but neither a nor b
Asymmetric Key Summary
• 2 uses of asymmetric key
  Encrypt symmetric key (using receiver's public key)
  Sign hashes (using sender's private key)
• RSA math
  (m^e)^d ≡ m^(e·d) ≡ m^1 ≡ m (mod n)
  Crypto of symmetric keys and hashes
• Diffie-Hellman
  Paint bucket analogy
  (g^a)^b ≡ (g^b)^a (mod p)
  Perfect Forward Secrecy with ephemeral a and b
  Becomes the basis for the pre-master secret
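The RSA math example and the Diffie-Hellman small-numbers exercise above, carried through in code as an added example (not from the original deck). The RSA primes p=61, q=53 with e=17 are the standard textbook toy; the DH numbers g=5, p=23, a=6, b=15 are the slide's. Numbers this small are for illustration only, and the last function shows why: the toy DH falls to brute force, which is what a 2048-bit group or an elliptic curve prevents.

```python
"""Textbook RSA and Diffie-Hellman with the deck's small numbers, plus what
"forward secrecy" means when a long-term key leaks later.

Added example, not from the original deck. RSA parameters are the standard
textbook toy (p=61, q=53, e=17); DH parameters are the slide's (g=5, p=23).
"""
import hashlib


# --- RSA: key transport and textbook signatures --------------------------------
def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public, private) = ((n, e), (n, d)) with e*d == 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus n")
    return pow(m, e, n)           # c = m^e mod n


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)           # m = c^d mod n, since (m^e)^d = m^(ed) = m mod n


def rsa_sign_hash(private, message: bytes) -> int:
    """The deck's description of a signature: "encrypt the hash with the private key".
    Unpadded textbook form; real RSA signatures use PKCS#1 v1.5 or PSS padding."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n  # toy: reduce to fit n
    return pow(h, d, n)


def rsa_verify_hash(public, message: bytes, signature: int) -> bool:
    """"Decrypt" with the public key and compare with our own hash of the message."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


# --- Diffie-Hellman: ephemeral agreement, no secret ever on the wire -----------
def dh_public(g: int, p: int, secret: int) -> int:
    return pow(g, secret, p)             # A = g^a mod p


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    return pow(peer_public, secret, p)   # (g^b)^a = (g^a)^b mod p


def brute_force_dlog(g: int, p: int, public: int) -> int:
    """What an eavesdropper must do to recover a from A: solve g^a = A mod p.
    Trivial for p = 23, infeasible for real 2048-bit or elliptic-curve groups."""
    for a in range(1, p):
        if pow(g, a, p) == public:
            return a
    raise ValueError("no discrete log found")


def forward_secrecy_demo() -> dict:
    """RSA key transport vs. ephemeral DH when the long-term key is later compromised."""
    bob_pub, bob_priv = rsa_keygen(61, 53)
    session_key = 65                                  # Alice's symmetric key, as a small integer
    recorded_c = rsa_encrypt(bob_pub, session_key)    # attacker records c = 2790 off the wire
    # Later: Bob's private key leaks. The old recording is now readable.
    rsa_recovered = rsa_decrypt(bob_priv, recorded_c)

    # DHE: the attacker records only A and B; a and b are discarded after the session,
    # so a later compromise of either party's long-term (signing) key reveals nothing.
    g, p, a, b = 5, 23, 6, 15
    A, B = dh_public(g, p, a), dh_public(g, p, b)     # 8 and 19 go over the wire
    alice_secret, bob_secret = dh_shared(B, a, p), dh_shared(A, b, p)
    return {"rsa_recovered": rsa_recovered, "dh_shared": alice_secret,
            "dh_agree": alice_secret == bob_secret, "wire": (A, B)}


if __name__ == "__main__":
    print(forward_secrecy_demo())
    print("toy DH broken by brute force, a =", brute_force_dlog(5, 23, 8))
```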
Public Key Infrastructure (PKI)
• What is it used for?
  Create and distribute digital certificates
  Acts as a trusted 3rd party
  Enables authentication over an untrusted network
• SDP/PA use it for mutual authentication of:
  Clients to Controllers
  Clients to Gateways
  Gateways to Controllers
  Basically, all trust
  Mutual trust, not just single-ended
• How does it work?
  [Figure: a Certificate Authority (Trusted 3rd Party) above two parties that perform Mutual Authentication across an Untrusted Network. Each party holds: 1. a Private Key, 2. a Public key / Certificate issued by the CA, 3. the Trusted Root certificate of the CA.]
Initialization of PKI Certificate Authority (CA)
  [Figure] The CA generates its key pair and a self-signed Root Cert: subj: Vidder, issuer: Vidder, Vidder Public key, Signature = hash of the certificate body signed with the Vidder private key. The CA also operates the revocation services, OCSP and CRL, which will hold the status of every certificate it issues.
Server Gets a Private Key and Certificate
  [Figure] The server generates its own key pair and keeps the private key. The CA issues the Server Cert: subj: Server, issuer: Vidder, Server Public key, Signature = hash of the certificate body signed with the Vidder private key. The certificate's serial number is registered with OCSP and the CRL. The server ends up holding its private key, its Server Cert and the Root Cert (subj: Vidder, issuer: Vidder).
PKI Part of TLS
  [Figure] The server presents its Server Cert (subj: Server, issuer: Vidder, Server Public, Signature) together with an OCSP Response (Serial #, Validity Time, status Good, Signature). The client, holding the Root Cert (subj: Vidder, issuer: Vidder, Vidder Public), checks:
  1. Hash the certificate body; recover the Original Hash from the Signature with the Vidder public key; Equal?
  2. Hash the OCSP response body; recover the Original Hash from its Signature; Equal? and does its Serial # match the certificate's?
  Valid certificate, not expired, not revoked: the cert is trusted !!!
Client Certificate
  [Figure: layout of the client certificate]
  Universal ID (the SDP client's UID)
  Subject
  Issuer
  Serial #
  Public Key
  Key Usage (see RFC 5280 pg. 29, the keyUsage extension)
  Rest of Cert
  Hash for Signature: computed over all the fields above
  Signature (not hashed itself): the issuer's signature over that hash
  Pinned to the SDP: only certificates chaining to the SDP's own root are accepted
Is PKI Broken?
• Is it broken? No
  The technology is sound
• Is it broken in some other way? Yes
  The hundreds of certificate authorities in browser and OS root stores should not all be trusted
    DigiNotar was compromised (2011) and fraudulent certificates were used to intercept Google's email service for users in Iran
    Injecting an additional root cert makes additional websites "trusted"
    A sophisticated attack that undermines trust
  The certificate subject is a name, not an IP address
    DNS spoofing redirects the client; an attacker holding a mis-issued certificate for that name then passes every PKI check
  Requires revocation checking (OCSP/CRL)
    The revocation infrastructure is itself a DoS target, and clients that cannot reach it must choose between failing closed and ignoring revocation
• Does Vidder fix it? Yes
  Dedicated PKI means only the SDP's own certificate authority is trusted
  Additional root certs cannot be injected: the one and only root is encrypted on disk
  Certificate subject is an IP address, not a name, so a DNS answer is never part of the trust decision
  OCSP responses are "stapled" by the server, defeating DoS attacks on the responder
PKI Summary
• PKI's purpose is to
  Create and distribute digital certificates
  Act as a trusted 3rd party
  Enable authentication over an untrusted network
• PKI consists of a root cert and certs derived from it
  Everyone inherently trusts the root
• Certificates can be cryptographically proven
  Signing proves the certificate hasn't been altered
  Signature: the hash of the certificate, signed ("encrypted") with the issuer's private key
  Creates a chain of trust that must be validated link by link back to the root
• The public implementation of PKI is "broken"
  But the technology is not
  SDP's implementation fixes the breakage
SDP Device Authentication
1. SPA
2. Mutual TLS
3. Fingerprint

SDP Device Authentication: Single Packet Authorization (SPA)
Attacks on SSL/TLS
Name             | Date      | Attack                                    | Unauthorized users | Authorized users
SSLstrip         | Feb 2009  | http to https downgrade                   | SPA                | No http
DigiNotar        | Sept 2011 | MitM with forged certs                    | SPA                | Pinned certs
THC-SSL-DOS      | Oct 2011  | DoS attack on SSL                         | SPA                | Device deleted
BEAST            | Sept 2011 | Java applet CBC oracle                    | SPA                | Client-based
CRIME            | Sept 2012 | MitM SPDY compression oracle              | SPA                | No compression
Lucky 13         | Feb 2013  | MitM CBC padding oracle                   | SPA                | GCM
TIME             | Mar 2013  | Browser JavaScript timing oracle          | SPA                | Client-based
RC4 biases       | Mar 2013  | MitM RC4 oracle                           | SPA                | No cipher negotiation
BREACH           | Aug 2013  | Website redirect, compression             | SPA                | No redirect or compression
goto fail        | Feb 2014  | MitM counterfeit key via coding error     | SPA                | Pinned dedicated cert
Triple Handshake | Mar 2014  | Server MitM on client cert                | SPA                | Pinned dedicated cert
Heartbleed       | Apr 2014  | OpenSSL bug                               | SPA                | Not single-ended SSL
BERserk          | Sept 2014 | MitM PKCS#1 v1.5 padding                  | SPA                | Not Mozilla NSS
POODLE           | Oct 2014  | MitM SSLv3 oracle                         | SPA                | No cipher negotiation
POODLE++         | Dec 2014  | MitM JavaScript timing oracle             | SPA                | Client-based
FREAK            | Mar 2015  | MitM negotiation down to 512-bit key      | SPA                | No key negotiation
Bar Mitzvah      | Mar 2015  | View RC4                                  | SPA                | No RC4
Logjam           | May 2015  | MitM downgrade to 512-bit key             | SPA                | No suite negotiation

"Unauthorized users" is how the attack is stopped for anyone without SDP credentials: SPA rejects them before any TLS exchange takes place. "Authorized users" is the mitigation for holders of valid credentials.

PrecisionAccess defeats the attacks on SSL/TLS listed above, by both unauthorized and authorized users
Single Packet Authorization (SPA)
• History:
  Invented >10 years ago
  Commonly used to protect super-user ssh access to servers
  Mitigates attacks by unauthorized users: the service stays closed until a valid packet arrives
• SPA in the Software Defined Perimeter Spec
  Based on RFC 4226, "HOTP": HMAC-based One-Time Password, the algorithm used in hardware/software one-time password tokens
  SPA occurs before the TLS (SSL) connection is allowed
  Mitigates DoS & other TLS attacks by unauthorized users
• SPA = UID, CTR, OTP, GMAC
  Each client has a UID, Seed, CTR, and EK
  UID = Universal ID of the SDP Client
  CTR = counter, hashed with the seed to create the OTP
  OTP = One-Time Password
  GMAC = signature (authentication tag) over UID, CTR, and OTP for data authentication
  Seed = shared secret for the OTP
  EK = shared AES-256 key for the GMAC
• OTP = HMAC_seed[CTR] (RFC 4226)
  GMAC = GMAC_EK[UID || OTP || CTR]
  UID, OTP, CTR & GMAC are sent as clear text; the shared secrets never leave the two endpoints
  The counter is incremented with every packet, so a captured packet cannot be replayed
• Highly efficient rejection
  An invalid packet is rejected with a single MAC check, before any TLS state is created
  Defeats DoS & other attacks on SSL/TLS
• Packet layout
  UID: 32-bit | OTP: 64-bit | Counter: 32-bit | GMAC: 128-bit
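The SPA packet above, built and verified end to end as an added example; this is not the SDP specification's or Vidder's code. The OTP is RFC 4226 HOTP exactly (HMAC-SHA1 with dynamic truncation) and is checked against the RFC's Appendix D test vectors. The standard library has no AES-GMAC, so the 128-bit tag is HMAC-SHA256 truncated to 16 bytes as a labelled stand-in for GMAC_EK; the 32 | 64 | 32 | 128-bit layout follows the slide, and the client UID, seed and EK in the demo are constructed values.

```python
"""Single Packet Authorization: build and verify UID | OTP | CTR | tag packets.

Added example, not the SDP spec's or Vidder's code. HOTP is RFC 4226 exactly;
the tag is HMAC-SHA256 truncated to 128 bits as a stand-in for AES-256-GMAC,
which the standard library does not provide.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"        # test secret from RFC 4226 Appendix D
HEADER = ">IQI"                                  # UID 32-bit | OTP 64-bit | CTR 32-bit
TAG_LEN = 16                                     # 128-bit tag
PACKET_LEN = struct.calcsize(HEADER) + TAG_LEN   # 32 bytes


def hotp(seed: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226: HS = HMAC-SHA1(seed, counter as 8-byte big-endian), then dynamic truncation."""
    hs = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = hs[19] & 0x0F
    code = ((hs[offset] & 0x7F) << 24 | hs[offset + 1] << 16
            | hs[offset + 2] << 8 | hs[offset + 3])
    return code % (10 ** digits)


def mac_tag(ek: bytes, header: bytes) -> bytes:
    """Stand-in for GMAC_EK(UID || OTP || CTR): keyed, so only holders of EK can forge it."""
    return hmac.new(ek, header, hashlib.sha256).digest()[:TAG_LEN]


def build_spa_packet(uid: int, seed: bytes, ek: bytes, counter: int) -> bytes:
    header = struct.pack(HEADER, uid, hotp(seed, counter), counter)
    return header + mac_tag(ek, header)


class SpaVerifier:
    """Controller side. Checks run cheapest-first so junk is dropped before any TLS
    state exists: length, known UID, tag, counter (replay), then OTP."""

    def __init__(self, clients: dict):
        self.clients = clients                   # uid -> (seed, ek)
        self.last_counter = {uid: -1 for uid in clients}

    def verify(self, packet: bytes) -> str:
        if len(packet) != PACKET_LEN:
            return "reject: bad length"
        header, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        uid, otp, ctr = struct.unpack(HEADER, header)
        creds = self.clients.get(uid)
        if creds is None:
            return "reject: unknown uid"
        seed, ek = creds
        if not hmac.compare_digest(tag, mac_tag(ek, header)):
            return "reject: bad tag"
        if ctr <= self.last_counter[uid]:
            return "reject: replay"              # the counter must strictly increase
        if otp != hotp(seed, ctr):
            return "reject: bad otp"
        self.last_counter[uid] = ctr             # commit only after every check passes
        return "accept"


def demo() -> list:
    """Constructed client: UID 42, the RFC test seed, and a constructed 32-byte EK."""
    seed, ek = RFC4226_SECRET, bytes(range(32))
    controller = SpaVerifier({42: (seed, ek)})
    pkt = build_spa_packet(42, seed, ek, counter=7)
    first = controller.verify(pkt)                                        # fresh packet
    replay = controller.verify(pkt)                                       # same packet again
    flipped = controller.verify(pkt[:-1] + bytes([pkt[-1] ^ 0x01]))       # tag tampered
    stranger = controller.verify(build_spa_packet(42, seed, b"wrong key" * 4, counter=8))
    later = controller.verify(build_spa_packet(42, seed, ek, counter=8))  # next counter
    return [first, replay, flipped, stranger, later]


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(3)])
    print(demo())
```

The verifier updates the stored counter only after the OTP check, so a forged packet can never advance it; a real deployment would also tolerate a small forward window for packets lost in transit.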
SDP Device Authentication: mutual TLS
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• EC: Elliptic Curve cryptography
  Smaller keys / faster math than RSA cryptography
• DHE: Diffie-Hellman key exchange, Ephemeral
  Generates the pre-master secret from which the AES-GCM session keys are derived
  Ephemeral keys per session for Perfect Forward Secrecy
  But provides no client or server authentication by itself
• RSA: public/private key pair with an X.509 certificate
  Client and server authentication (the server signs its ephemeral DH share; the client signs the handshake in Certificate Verify)
  Vidder's implementation:
    Certificates "pinned" to a single trusted root certificate
    Not the hundreds of (possibly compromised) roots browsers trust
    Employs OCSP stapling (the TLS status_request extension, RFC 6066)
    The server forwards the OCSP response with its Server Hello
    Reduces the load on the OCSP responder
    Mitigates a DoS attack on the OCSP responder
  Mutual TLS: authentication of the client to the server & the server to the client
• AES256-GCM: Advanced Encryption Standard (NIST FIPS 197)
  Symmetric key encryption, 256-bit key, 128-bit cipher block size
  Galois/Counter Mode: encryption with simultaneous data authentication
  PCs and servers implement AES-GCM in hardware; negligible performance impact
• SHA384: Secure Hash Algorithm (member of the SHA-2 family)
  Generates a 384-bit hash
  Used in the PRF / Key Derivation Function that generates the session keys from the master secret, and for the handshake hash
SDP Device Authentication: mutual TLS Handshake Deep Dive for
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Controller's PKI Certificate Authority (CA) Initialization
  [Figure] The PrecisionAccess (PA) CA generates its key pair and a self-signed Root Cert: subj: Vidder, issuer: Vidder, Vidder Public key, Signature = hash of the body signed with the Vidder private key. OCSP and CRL services are started for the certificates it will issue, the Controller Cert first.
Controller Initialization
  [Figure] The Controller (Ctrl) generates its key pair. The CA issues the Controller Cert: subj: Ctrl, issuer: Vidder, Ctrl Public key, Signature = hash of the body signed with the Vidder private key; its serial is registered with OCSP and the CRL. The Controller now holds its private key, its Controller Cert and the Root Cert.
Mutual TLS: Client Initialization
  [Figure] The Client generates its key pair; the private key is put in the certificate store as Non-Exportable. The CA issues the Client Cert: subj: Client, issuer: Vidder, Client Public key, Signature by the Vidder private key; the serial is registered with OCSP and the CRL. The Client now holds its private key, its Client Cert and the Root Cert; the Controller holds its private key, the Controller Cert and the Root Cert.
Mutual TLS: Client Hello
  [Figure] Client → Controller: Client Hello
    Highest TLS version supported
    Cipher suites supported
    Session Id = 0 (no resumption)
    Client Random (Cr)
    OCSP status_request extension (asks the server to staple its OCSP response)
Mutual TLS: Server Hello
  [Figure] Controller → Client, in order:
  Server Hello: selected TLS version, selected cipher suite, Session Id = random, Server Random (Sr)
  Certificate: the Controller Cert (subj: Ctrl, issuer: Vidder, Ctrl Public, Signature)
  Certificate Status: the stapled OCSP Response (Serial #, Validity Time, Good, Signature by the OCSP responder)
  Server Key Exchange: the controller picks a random scalar β ("random starting point") and computes the curve point βG; the message carries βG plus a Signature, made with the controller's private key, over Hash(Cr, Sr, βG)
  Certificate Request: client certificates issued under the Vidder root only
  Server Hello Done
Mutual TLS: Client Verifies Server Cert
  [Figure] The Client checks everything it received:
  1. Controller Cert: Hash the certificate body; recover the Original Hash from the Signature with the Vidder public key (from the Root Cert); Equal?
  2. OCSP Response: Hash the response; recover the Original Hash from its Signature; Equal? Status Good, Validity Time current, Serial # matches the Controller Cert
  3. Server Key Exchange: Hash(Cr, Sr, βG); recover the Original Hash from the Signature with the Ctrl public key; Equal?
  Valid cert chain, not expired, not revoked: the Controller's cert is trusted !!! and so is βG
Mutual TLS: Client Key, Client Cert, Verify Client
  [Figure] Client → Controller:
  Certificate: the Client Cert (subj: Client, issuer: Vidder, Client Public, Signature)
  Client Key Exchange: the client picks a random scalar α ("random starting point") and computes αG; sends αG
  Certificate Verify: Signature, with the client's private key, over the Hash of all handshake text exchanged so far
  The Controller checks:
  1. Client Cert: Hash the body; recover the Original Hash from the Signature with the Vidder public key; Equal?
  2. OCSP: the Controller queries the OCSP responder for the client cert's Serial # (Serial #, Validity Time, Good, Signature); verify the response signature; Equal?
  3. Certificate Verify: Hash all the handshake text; recover the Original Hash from the Signature with the Client public key; Equal?
  Valid cert chain, not expired, not revoked: the Client's cert is trusted !!! The Certificate Verify proves the client holds the matching private key: the Client is trusted !!!
Mutual TLS: Calculate Final ECDH Key, Derive Session Keys
  Controller: created β, received αG, ECDH = β(αG)
  Client: created α, received βG, ECDH = α(βG)
  Both find the same point ECDH on the elliptic curve, since β(αG) = α(βG) = αβG
  Pre-master secret (Kpm) = x coordinate of ECDH
  Master secret (Km) = PRF(Kpm, "master secret", Cr || Sr)
  Iterate PRF(Km, "key expansion", Sr || Cr) for the AES-GCM keys: Client Key, Server Key, Client IV, Server IV
  (PRF is the TLS 1.2 HMAC-SHA384 based P_hash; with an AEAD suite no separate MAC keys are derived)
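The two PRF calls on the slide above, implemented as an added example (not from the original deck): the TLS 1.2 P_SHA384 construction from RFC 5246, the master-secret and key-expansion steps, and the AES-256-GCM key block split of RFC 5288 (two 32-byte keys and two 4-byte implicit IVs, no MAC keys). The pre-master secret stands in for the x coordinate of the ECDH point; it and the two randoms are constructed inputs, not captured values.

```python
"""TLS 1.2 key derivation for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5246 §5, RFC 5288).

Added example, not from the original deck. The pre-master secret and the two
randoms in demo() are constructed inputs standing in for the ECDH x coordinate
and the Client/Server Random fields.
"""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, digestmod=hashlib.sha384) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label || seed); SHA-384 for this cipher suite."""
    return p_hash(secret, label + seed, length)


def derive_aes256gcm_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Slide 40: Km = PRF(Kpm, "master secret", Cr || Sr), then
    key_block = PRF(Km, "key expansion", Sr || Cr). Note the reversed random order.
    AEAD suites derive no MAC keys: 2 x 32-byte AES-256 keys and 2 x 4-byte implicit IVs."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, 32 + 32 + 4 + 4)
    return {
        "master_secret": master,
        "client_write_key": key_block[0:32],
        "server_write_key": key_block[32:64],
        "client_write_iv": key_block[64:68],   # implicit nonce part (RFC 5288)
        "server_write_iv": key_block[68:72],
    }


def gcm_nonce(implicit_iv: bytes, record_seq: int) -> bytes:
    """RFC 5288 per-record GCM nonce: 4-byte implicit IV || 8-byte explicit nonce,
    here the record sequence number, so no nonce repeats under one key."""
    return implicit_iv + record_seq.to_bytes(8, "big")


def demo() -> dict:
    # Constructed values: a 32-byte stand-in for the ECDH x coordinate and two 32-byte randoms.
    pre_master = bytes.fromhex("11" * 32)
    client_random = bytes.fromhex("aa" * 32)
    server_random = bytes.fromhex("bb" * 32)
    return derive_aes256gcm_keys(pre_master, client_random, server_random)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {value.hex()}")
```

Because both randoms feed the master secret, a recorded handshake cannot be replayed to reproduce old keys, and because the pre-master comes from the ephemeral ECDH point, the later loss of the RSA signing key gives an attacker nothing to decrypt with: that is the forward secrecy the earlier slides promised.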
Mutual TLS: Client Change Cipher Spec, Server Integrity Check
  [Figure] Client → Controller: Change Cipher Spec, then Finished (the first message protected with the new AES-GCM client keys). Finished carries verify_data = PRF(Km, "client finished", Hash of all handshake text). The Controller recomputes the same value over its own copy of the handshake text: Equal? A mismatch means the handshake was tampered with in transit (for example a downgraded cipher suite) and the connection is aborted.
Mutual TLS: Server Change Cipher Spec, Client Integrity Check
  [Figure] Controller → Client: Change Cipher Spec, then Finished with verify_data = PRF(Km, "server finished", Hash of all handshake text), protected with the server keys. The Client recomputes it: Equal? Both sides now hold mutually authenticated AES-256-GCM session keys; the Client keeps its Client Cert and the Root Cert, the Controller its Controller Cert and the Root Cert, and all application data flows encrypted and authenticated.