Premium community conference on Microsoft technologies itcampro @ itcamp14 #
Cryptography: you're doing it wrong!
108 frequent mistakes in implementing crypto
Attila-Mihály Balázs
Huge thanks to our sponsors & partners!
Agenda
• Who am I?
• Reason 0
• Reason 1
• Reason 2
• Reason 3
• Reason 4
• Reason 5
• Reason 6
• Reason 7
• Resources
• Q&A
Who am I?
Attila-Mihály Balázs
• Reverse Engineer
• Developer
• Technologist
• Not a cryptographer !!!
https://grey-panther.net
TL;DR
Choose widely used technologies
• Data in motion: TLS (SSL)
  • Client side certificates
  • Windows AD comes with it
• Data at rest:
  • Bitlocker, NTFS encryption, CryptProtectData
  • gpgme, encrypted archives (7z), keyczar-dotnet
• Password store: use PBKDF2
Purpose of this talk
Scare the s*** out of you!
Purpose of this talk
Scare the pants off of you!
Purpose of this talk
You are not smart enough to do crypto!
Scenario
(diagram: Alice and Bob exchange messages; Eve and Mallory sit on the path between them)
Scenario
(diagram: the client authenticates and receives a Token, then presents the Token on later requests; Eve and Mallory sit on the path)
Don't implement your own crypto !!!
• Primitives: block ciphers, stream ciphers, hash functions
• Cryptographic protocols (systems), i.e. “transmit data over an (untrusted) network between participants who never met previously and ensure the data secrecy and integrity in the presence of passive and/or active attackers”
Implementation
Token
RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
NetStream, RMCrypto.CreateEncryptor(Key, IV),
CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("Hello World!");
http://msdn.microsoft.com/en-us/library/as0w18af%28v=vs.110%29.aspx
Legal stuff I need to tell you
Software on Documentation Portals. Software accessible on the Documentation Portals is
made available by the designated publisher under the associated license terms. If Software is
accessible on the Documentation Portals without license terms, then subject subsection (c)
below you may use it to design, develop, and test your programs. If any such Software without
license terms is marked as “sample” or “example,” then you may use it under the terms of the
Microsoft Limited Public License.
http://msdn.microsoft.com/en-us/cc300389.aspx#D
3(C) If you distribute any portion of the software, you must retain all copyright, patent,
trademark, and attribution notices that are present in the software.
3(D) If you distribute any portion of the software in source code form, you may do so only under
this license by including a complete copy of this license with your distribution. If you distribute
any portion of the software in compiled or object code form, you may only do so under a license
that complies with this license.
3(F) Platform Limitation- The licenses granted in sections 2(A) & 2(B) extend only to the
software or derivative works that you create that run on a Microsoft Windows operating system
product.
Reason 0: Replay Attacks
Token
RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
NetStream, RMCrypto.CreateEncryptor(Key, IV),
CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("access-level=admin|username=bruce");
Reason 0: Replay Attacks
Token
RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
NetStream, RMCrypto.CreateEncryptor(Key, IV),
CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("ip=65.55.58.201|expires=1400488925|"
+ "access-level=admin|username=bruce");
Choices, choices, choices
Choices, choices, choices
• Algorithm: symmetric, Rijndael (AES)
• Block size: 128 bit (16 bytes)
• Operation mode: CBC
• Padding: PKCS7
• Key: 128 bit (16 bytes)
• Key derivation ??
• IV == Key ?? Fixed ??
Reason 1: bit flipping attacks
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
Reason 1: bit flipping attacks
1 ⊕ 1 == 0, 1 ⊕ 0 == 1
0 ⊕ 1 == 1, 0 ⊕ 0 == 0
Reason 1: bit flipping attacks
access-level=user|username=gpantherlaccess-level-admin
'|' = 01111100b    '=' = 00111101b
'l' = 01101100b    '-' = 00101101b
Each pair differs in the same single bit (00010000b): XOR that bit into a ciphertext byte and CBC decryption XORs it into the same byte of the next plaintext block, turning 'l' into '|' and '-' into '=', while the block whose ciphertext was touched decrypts to garbage (the ****).
access-level=use****************her|access-level=admin
Reason 2: padding oracle
=admin
=admin\x9\x9\x9\x9\x9\x9\x9\x9\x9
Reason 2: padding oracle
CryptographicException: Padding is invalid and cannot be removed.
Reason 2: padding oracle
guessed ⊕ original ⊕ plaintext = 0x01
a ⊕ a = 0
a ⊕ b = b ⊕ a
plaintext = 0x01 ⊕ guessed ⊕ original
Reason 3: Poorly chosen IV
RijndaelManaged RMCrypto = new RijndaelManaged();
byte[] Key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
byte[] IV = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16};
CryptoStream CryptStream = new CryptoStream(
NetStream, RMCrypto.CreateEncryptor(Key, IV),
CryptoStreamMode.Write);
StreamWriter SWriter = new StreamWriter(CryptStream);
SWriter.WriteLine("access-level=admin|username=bruce");
Reason 3: Poorly chosen IV
IV == Key
C0 = EK(P0 ⊕ IV)
C1 = EK(P1 ⊕ C0)
C2 = EK(P2 ⊕ C1)
…
P0 = DK(C0) ⊕ IV    (check: DK(EK(P0 ⊕ IV)) ⊕ IV = P0 ⊕ IV ⊕ IV = P0)
P1 = DK(C1) ⊕ C0    (check: DK(EK(P1 ⊕ C0)) ⊕ C0 = P1 ⊕ C0 ⊕ C0 = P1)
…
Now decrypt the crafted ciphertext C0 || 0 || C0 (an all-zero block in the middle):
P0' = DK(C0) ⊕ IV = A
P1' = DK(0) ⊕ C0
P2' = DK(C0) ⊕ 0 = DK(C0) = B
A ⊕ B = DK(C0) ⊕ IV ⊕ DK(C0) = IV = Key
Reason 3: Poorly chosen IV
IV == Constant → chosen-plaintext attack / encryption oracle
username=gpanther|access-level=user
username=gpanther|access-level=admin
68e4ed21f7bc5ac64405cdd8269b3b74fa19b951f0b521757e94…
68e4ed21f7bc5ac64405cdd8269b3b74e06a42679cb7b34ca8a1…
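Reasons 1, 2 and 3 in runnable form, as an added example that is not from the slides or from the speaker. Assumptions: the block cipher is a toy 16-byte Feistel network built from HMAC-SHA256, so the example needs only Python's standard library; it stands in for Rijndael/AES and is not a real cipher, and only the CBC wiring, the PKCS7 padding and the key/IV handling around it are what is being demonstrated. The token strings, the 16-byte test key and the function names are constructed for this example. The last three functions show the fix: a fresh random IV per message and an HMAC over IV || ciphertext that is checked before anything is decrypted, which closes bit flipping and the padding oracle at the same time.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as in the slides' AES-CBC configuration

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed PRF truncated to one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte Feistel cipher standing in for AES so the example runs on the
    # standard library alone. NOT a real cipher: only the CBC wiring matters here.
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")  # Reason 2's oracle
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Plain CBC decryption: no padding check and no integrity check of any kind.
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out

def bit_flip_propagates(key: bytes) -> bool:
    # Reason 1: XOR 0x10 into byte 1 of ciphertext block 0 and the same bit flips
    # in byte 1 of plaintext block 1 ('|' -> 'l'); block 0 is garbled; no error.
    iv = os.urandom(BLOCK)
    token = b"access-level=user|username=gpanther"  # constructed sample token
    ct = bytearray(cbc_encrypt(key, iv, token))
    ct[1] ^= 0x10
    p = cbc_decrypt_raw(key, iv, bytes(ct))
    return p[BLOCK + 1] == ord("l") and p[:BLOCK] != token[:BLOCK]

def iv_equals_key_leaks_key(key: bytes) -> bool:
    # Reason 3, the slide's derivation: decrypting C0 || 0 || C0 under IV == Key
    # gives P0' = DK(C0) xor Key and P2' = DK(C0) xor 0, so P0' xor P2' == Key.
    c0 = cbc_encrypt(key, key, b"any plaintext at all")[:BLOCK]
    p = cbc_decrypt_raw(key, key, c0 + bytes(BLOCK) + c0)
    return _xor(p[:BLOCK], p[2 * BLOCK:]) == key

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # The fix: fresh random IV per message, then encrypt-then-MAC over IV || CT.
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        # Rejected before any decryption or unpadding runs, so neither a flipped
        # bit nor a padding error can ever be observed by the sender.
        raise ValueError("MAC check failed")
    return pkcs7_unpad(cbc_decrypt_raw(enc_key, body[:BLOCK], body[BLOCK:]))

def tamper_is_rejected(enc_key: bytes, mac_key: bytes) -> bool:
    blob = bytearray(seal(enc_key, mac_key, b"access-level=user|username=gpanther"))
    blob[BLOCK + 1] ^= 0x10  # the same flip as above, now on the sealed message
    try:
        open_sealed(enc_key, mac_key, bytes(blob))
    except ValueError:
        return True
    return False
```

The two failure demonstrations call `cbc_decrypt_raw` on purpose: CBC by itself raises nothing when ciphertext is modified, which is the whole problem. In `open_sealed` the MAC is checked with `hmac.compare_digest` and the decryption never runs on a rejected message, so the "Padding is invalid" error of Reason 2 cannot be turned into an oracle.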
Reason 4: Key derivation
Human password → key bits
Very bad: truncate/pad to 16 bytes
Very bad: use (first 16 bytes of) MD5(passw)
Very bad: use SHA1(password)
Bad: use SHA1(salt + password)
Bad: use SHA1(per user salt + password)
Good: use PBKDF2(password)*. Tune it.
Good: use scrypt(password). Tune it.
* Rfc2898DeriveBytes
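Reason 4 worked through with Python's standard library, as an added example that is not the speaker's code: PBKDF2-HMAC-SHA256 with a random per-user salt, the cost parameters stored next to the hash so they can be raised later, constant-time verification, the unsalted-SHA1 problem made visible, and a small "Tune it." helper that doubles the iteration count until one derivation takes a target time on the current machine. The parameter choices (SHA-256, 16-byte salt, 32-byte key, 200 000 iterations, 0.1 s target) are assumptions for the example, not values from the slides; .NET's Rfc2898DeriveBytes named on the slide computes the same PBKDF2 function.

```python
import hashlib
import hmac
import os
import time

# Parameters assumed for this example (not from the slides).
PRF = "sha256"
SALT_LEN = 16
KEY_LEN = 32
ITERATIONS = 200_000

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # "Good" on the slide: PBKDF2 with a per-user salt and a tunable cost.
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, KEY_LEN)

def new_password_record(password: str) -> dict:
    # Store everything verification needs beside the hash, so the iteration
    # count can be raised for new records without breaking existing ones.
    salt = os.urandom(SALT_LEN)
    return {"prf": PRF, "iterations": ITERATIONS, "salt": salt,
            "hash": derive_key(password, salt)}

def verify_password(record: dict, candidate: str) -> bool:
    got = hashlib.pbkdf2_hmac(record["prf"], candidate.encode("utf-8"),
                              record["salt"], record["iterations"], len(record["hash"]))
    return hmac.compare_digest(got, record["hash"])

def unsalted_sha1_collides(pw_a: str, pw_b: str) -> bool:
    # "Very bad" on the slide: two users with the same password get the same
    # hash, so one cracked hash (or one precomputed table) covers both.
    return hashlib.sha1(pw_a.encode()).digest() == hashlib.sha1(pw_b.encode()).digest()

def tune_iterations(target_seconds: float = 0.1, start: int = 10_000) -> int:
    # "Tune it.": double the iteration count until a single derivation takes at
    # least target_seconds here, then store that count with each new record.
    iterations = start
    while True:
        t0 = time.perf_counter()
        derive_key("benchmark-password", b"\x00" * SALT_LEN, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```

Run `tune_iterations()` once at deployment time, not per login, and re-run it when the hardware changes; `verify_password` reads the stored iteration count, so old and new records coexist.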
Reason 5: hash extension attacks
(diagram: the same Authenticate → Token exchange as in the Scenario slide, with Eve and Mallory on the path; the token now carries a signature)
"ip=127/8|expires=1400488925|access-level=admin|username=bruce|<signature>"
Reason 5: hash extension attacks
Cryptographic hash function:
• H(x) = h
• h is fast to compute
• h is of fixed size
• Given h, it is impractical to generate x
H(<secret key><data>) = <hash>
<data><hash>
Reason 5: hash extension attacks
Cryptographic hash functions are completely deterministic!
adc83b19 e793491b 1c6ea0fd 8b46cd9f 32e592fc
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
Given x and H(x) it is trivial* to compute:
• H(x + d) for arbitrary d
• H(x[0:k]) for arbitrary k
Use HMAC
Reason 6: HMAC timing attack (side channel attacks)
In = "<data><signature>";
Data, Sig = In.split();
CalcSig = HMAC(Data);
/* Wrong!!! Do not use!!! */
for(i=0; i<SIG_LEN; i++) {
if (Sig[i] != CalcSig[i]) {
return False;
}
}
return True;
Reason 6: HMAC timing attack (side channel attacks)
<data>00XXXXXXXXXXXXXXXXXXXXXXXXXXXX
<data>01XXXXXXXXXXXXXXXXXXXXXXXXXXXX
<data>02XXXXXXXXXXXXXXXXXXXXXXXXXXXX
…
<data>ad00XXXXXXXXXXXXXXXXXXXXXXXXXX
<data>ad01XXXXXXXXXXXXXXXXXXXXXXXXXX
<data>ad02XXXXXXXXXXXXXXXXXXXXXXXXXX
…
Reason 6: HMAC timing attack (side channel attacks)
In = "<data><signature>";
Data, Sig = In.split();
CalcSig = HMAC(Data);
int result = 0;
for (i = 0; i < SIG_LEN; i++) {
    result |= Sig[i] ^ CalcSig[i];
}
return result == 0;
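Reasons 0, 5 and 6 combined into one token issuer and verifier, as an added example that is not from the slides: the slide's token fields (ip, expires, access-level, username) followed by an HMAC-SHA256 tag instead of H(secret || data), verified with `hmac.compare_digest`, and then the expiry and IP checks that make a replayed token useless. The two `*_steps` functions instrument the slide's wrong and fixed comparison loops to show how many bytes each looks at before it answers. The secret key, the field layout and the helper names are assumptions for the example.

```python
import hashlib
import hmac

SECRET = b"server-side-secret-key"  # assumption: a random per-deployment key
SIG_LEN = 32  # HMAC-SHA256 tag length

def sign(data: bytes, key: bytes = SECRET) -> bytes:
    # HMAC, not H(key || data): an HMAC tag cannot be extended to cover
    # fields appended by someone who does not know the key (Reason 5).
    return hmac.new(key, data, hashlib.sha256).digest()

def issue_token(ip: str, ttl: int, level: str, user: str, now: int,
                key: bytes = SECRET) -> bytes:
    data = f"ip={ip}|expires={now + ttl}|access-level={level}|username={user}".encode()
    return data + b"|" + sign(data, key).hex().encode()

def verify_token(token: bytes, client_ip: str, now: int, key: bytes = SECRET) -> bool:
    data, _, sig_hex = token.rpartition(b"|")
    try:
        sig = bytes.fromhex(sig_hex.decode())
    except ValueError:
        return False
    # Reason 6: constant-time comparison; hmac.compare_digest is the library
    # form of the slide's `result |= Sig[i] ^ CalcSig[i]` loop.
    if len(sig) != SIG_LEN or not hmac.compare_digest(sign(data, key), sig):
        return False
    fields = dict(f.split(b"=", 1) for f in data.split(b"|"))
    # Reason 0: a replayed token stops working once it expires or changes host.
    return fields.get(b"ip") == client_ip.encode() and int(fields[b"expires"]) > now

def naive_compare_steps(a: bytes, b: bytes) -> int:
    # The slide's "Wrong!!!" loop, instrumented: how many bytes it examined
    # before returning, which is exactly what the timing leaks.
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            break
    return steps

def constant_time_compare_steps(a: bytes, b: bytes) -> tuple:
    # The slide's fixed loop: always walks the full tag, then decides.
    result, steps = 0, 0
    for x, y in zip(a, b):
        result |= x ^ y
        steps += 1
    return result == 0, steps
```

The verifier rejects on the tag before it parses any field, so malformed or forged data never reaches the field parser, and the two instrumented loops make the difference concrete: the naive loop stops at the first wrong byte, the fixed one always does `SIG_LEN` iterations regardless of where the mismatch is.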
Reason 7: C.R.I.M.E. attack (side channels redux)
(diagram: Mallory supplies the Query; the server answers with EK(C(Query + Response)), i.e. query and response are compressed together and only then encrypted, so the length of the encrypted reply depends on how much the query has in common with the secret parts of the response)
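The length side channel behind C.R.I.M.E., modelled as an added example that is not from the slides: zlib stands in for the TLS/SPDY compressor and a constant 16 bytes for the overhead of a length-preserving cipher, so the "encrypted" length is just the compressed length plus a constant. The request layout and the cookie value are constructed. The function returns the lengths for a query that already contains the cookie value and for one that does not, with and without compression; the mitigation shown is the one actually deployed after CRIME, which is to not compress secrets together with attacker-controlled input (in practice, to disable the compression).

```python
import zlib

TAG_OVERHEAD = 16  # assumed constant overhead of a length-preserving cipher

def encrypted_length(query: bytes, response: bytes) -> int:
    # Model of the slide's EK(C(Query + Response)): compress first, encrypt
    # second. Encryption preserves length, so the wire length equals the
    # compressor's output length plus a constant, and that length is public.
    return len(zlib.compress(query + response, 9)) + TAG_OVERHEAD

def uncompressed_length(query: bytes, response: bytes) -> int:
    # Mitigation: with compression disabled, the wire length depends only on
    # the plaintext size, never on its contents.
    return len(query + response) + TAG_OVERHEAD

def length_leaks_secret(secret: bytes) -> dict:
    # Constructed scenario: the response echoes the query and also carries a
    # secret cookie. When the query already contains "session=<secret>", the
    # compressor replaces the second copy by a back-reference and the message
    # shrinks; a query with a non-matching value of the same length does not.
    response = b"\r\nSet-Cookie: session=" + secret + b"\r\n"
    matching = b"GET /?q=session=" + secret
    other = b"GET /?q=session=" + secret[::-1]  # same length, same alphabet
    return {
        "compressed_match": encrypted_length(matching, response),
        "compressed_other": encrypted_length(other, response),
        "plain_match": uncompressed_length(matching, response),
        "plain_other": uncompressed_length(other, response),
    }
```

With compression on, `compressed_match` is visibly smaller than `compressed_other` even though both plaintexts have the same length; with compression off the two lengths are identical, which is why the fix for this class of bug lives in the configuration (no compression across trust boundaries) rather than in the cipher.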
Resources
• Matasano crypto challenge http://www.matasano.com/articles/crypto-challenges/
• Applied Cryptography https://www.udacity.com/course/cs387
• Cryptography Engineering https://www.schneier.com/book-ce.html
• Crypto 101 https://www.crypto101.io/
Q & A