SWE 681 / ISA 681 Secure Software Design & Programming: Lecture 7: Cryptography Dr. David A. Wheeler 2014-06-29 Outline • • • • Introduction Basic crypto algorithms Storing passwords (salted hashes) Basic protocols 2 Cryptography & Cryptanalysis • Cryptography = the science (or art) of transforming intelligible data to an unintelligible form, and its inverse transformation – Means “Secret writing” • Cryptanalysis = the science (or art) of undoing the cryptographic transformation without (exact) knowledge of how that transformation was initially executed • We’ll focus on cryptography (defense), emphasizing how to counter cryptanalysis (attack) 3 What cryptography is… and is not • Cryptography is a set of tools that can help develop secure software – Important component in some cases • Cryptography won’t solve most security issues – Cryptography is not the same as developing secure software – “If you think cryptography is the answer to your problem, then you don’t know what your problem is” – Peter Neumann 4 Danger, Will Robinson • Never, never, never, never, never, never, never create your cryptographic algorithm or protocol – Specialist training: PhD in math + 10+ years experience to create new approaches – Even then, the odds are good you’ll get it wrong – Reuse what’s been done • Be very cautious; tiny implementation errors of crypto algorithms, or in how they are invoked, often become massive vulnerabilities – Reuse good implementations where practical 8 April 2015 5 Enigma • Nazi Germany used the “Enigma” machine widely • Ally cryptanalysis broke it & got extremely valuable intelligence (“Ultra”) • Value debated, but Winston Churchill told King George VI, “It was thanks to Ultra that we won the war” Source: NSA (via Wikipedia) 6 Some common basic types of cryptographic algorithms • Symmetric (secret/shared key) encryption/decryption – Algorithm examples: DES*, 3DES, AES • Key exchange – Algorithm examples: Diffie-Hellman, Curve25519 • Asymmetric (public key) encryption/decryption – Algorithm examples: RSA, elliptic curve family • Cryptographic (one-way) hash (aka “digital fingerprint”) – Algorithm examples: MD5*, SHA-1*, SHA-512, SHA-3 • Cryptographic pseudo-random number generator (PRNG) * These are examples; do not use these algorithms in future systems 7 Symmetric (secret/shared key) encryption/decryption • Symmetric encryption/decryption algorithms use the same value (“key”) to encrypt and later decrypt Secret key Plaintext Encrypt Ciphertext (encrypted text) Decrypt Plaintext 8 Data Encryption Standard (DES) • • • • • • 1973: NIST solicited for a DES 1974: NIST second solicitation, IBM responded 1975: Algorithm published 1976: NIST Workshop, adequate “10-15 years” 1977: DES standardized (FIPS) Has held up relatively well over time – Do need to avoid weak/semi-weak keys • Slow in software • Big problem: Key only 56 variable bits – 64 bit key, but every 8th bit is odd parity (beware: may use known key if don’t give correct parity!) – Easily broken with modern computers/hardware – Do not use DES for security today 9 Triple DES • Uses DES 3 times, with 3 keys K1…K3: – ciphertext = E(K3, D(K2, E(K1, plaintext))) – plaintext = D(K1, E(K2, D(K3, ciphertext))) • Each DES key 56 bits, full key length 3x56=168 bits – Effective key length strength is 112 bits due to a “man in the middle” attack – Just like DES, keys must have correct parity & avoid weak keys • Relatively secure, but slow • Defined, as Triple Data Encryption Algorithm, in: – NIST Special Publication 800-67 Revision 1 – ISO/IEC 18033-3:2005 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers 10 Advanced Encryption Standard (AES) • Replaced DES – DES key too short, 3DES too slow • Developed through open international competition run by NIST – Required algorithms & sample implementation – Forbid patents (so anyone can use) – Competition was a fantastic success • 15 candidates; Rijdael won & became AES – U.S. FIPS PUB 197 • A simple-to-understand detailed description is at: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html 11 AES (2) • Rijndael algorithm allows block and key sizes of any multiple of 32 bits, 128…256 bits • AES is a limited variant of Rijndael with block size=128, key sizes = 128, 192, or 256 bits – Algorithm internally repeats; as key lengthens, number of iterations increases – 128bit key=> 10 cycles, 192bit => 12, 256bit => 14 • Much faster than 3DES, longer keys 12 Key exchange • Communicate partial information so communicating parties establish shared secret without exposure (parties might not authenticate!) Alice Shared & unrevealed key Communication Bob Shared & unrevealed key 13 Diffie-Hellman key exchange • Aka “Diffie–Hellman–Merkle” key exchange • First published in 1976 • Allows two parties, without prior knowledge, to jointly establish a shared secret key over an insecure communications channel – Key can then be used to encrypt subsequent communications using a symmetric key cipher – Does not authenticate (vulnerable to man-in-the-middle) by itself, but other mechanisms can be used to address this • Used in Transport Layer Security (TLS) ephemeral modes (EDH or DHE) to provide perfect forward secrecy – Perfect forward secrecy = each session generates random public keys without using a deterministic algorithm. Thus, if a session key is compromised, newer & older session keys are not 14 Diffie-Hellman illustrated • Alice and Bob exchange their secret colors (representing numbers) via public transport only as a mix • Original version of D-H uses multiplicative group of integers modulo p Credit: https://en.wikipedia.org/ wiki/Diffie%E2%80%93Hellman_key_exchan ge as of 2014-04-16 15 Curve25519 • Developed by D. J. Bernstein • Intended to be “a state-of-the-art Diffie-Hellman function” – “Given a user's 32-byte secret key, Curve25519 computes the user's 32-byte public key.” – “Given user's 32-byte secret key and another user's 32-byte public key, Curve25519 computes a 32-byte secret shared by the two users. This secret can then be used to authenticate and encrypt messages between the two users.” • Based on elliptic-curve cryptography • Ed25519 is a related public-key elliptic-curve signature system • More info: “Curve25519: new Diffie-Hellman speed records” by Daniel J. Bernstein, http://cr.yp.to/ecdh.html 16 Asymmetric (public key) encryption/decryption • Asymmetric encryption/decryption algorithms use two different values (“keys”) to encrypt and later decrypt Decryption key Encryption key Plaintext Encrypt Ciphertext (encrypted text) Decrypt Plaintext 17 RSA • Named after Rivest, Shamir, & Adleman • Public key crypto based on difficulty of factoring into prime numbers – Public key & private key – Encryption & decryption raise “message” by large exponent • Patent released/expired in 2000 • Don’t use RSA keys < 1024 bits; 2048+ better – On August 14, 2012, Microsoft issued update to Windows XP & later to block RSA keys <1024 bits 18 Elliptic curve cryptography (ECC) • Algorithms based on elliptic curves presume it’s infeasible to find the discrete logarithm of a random elliptic curve element, w.r.t. a publicly known base point – This is “elliptic curve discrete logarithm problem” (ECDLP) – Smaller key size for equivalent protection, e.g., 256 ECC key ~ 3072 bit RSA key – Developed in 1985 by Neal Koblitz and Victor Miller – Very general approach, many algorithms based on ECC – Intro: http://arstechnica.com/security/2013/10/a-relativelyeasy-to-understand-primer-on-elliptic-curve-cryptography/ • Several ECC algorithms included in NSA’s suite B (a suite of encryption algorithms) 19 Issue: Elliptic Curve Cryptography (ECC) & patents • Patent concerns are primary inhibitor of ECC use – ECC application may in some cases be inhibited in US by patents (Certicom) – Often unclear what’s covered (typical software patent problem) – RSA claims: “ECC… have no general patents, though some newer elliptic curve algorithms and certain efficient implementation techniques may be covered by patents… it is the implementation technique that is patented, not the prime or representation, and there are alternative, compatible implementation techniques that are not covered by the patents…” • http://web.archive.org/web/20130524001754/http://www.rsa.com/rsalabs/node.asp?id=2325 – IETF RFC 6090 (released 2011) describes the fundamental ECC algorithms as defined seminal references from 1994 and earlier, with the goal of allowing patent-free implementation… but patent holders can always sue anyway • US government has a license for national security uses – That doesn’t help the rest of us! – All parties have to agree before they can use a crypto algorithm – http://www.nsa.gov/business/programs/elliptic_curve.shtml • Yet another example of how software patents put computer users & software developers at risk & inhibit innovation 20 Asymmetric often used with symmetric algorithms • Asymmetric algorithms tend to be slow • When used to encrypt, often used with symmetric algorithm – Sender creates single-use “shared” key using cryptographically secure pseudo-random number generator – Shared key encrypted using asymmetric algorithm – Receiver receives & decrypts shared key – Rest of data is encrypted with (faster) symmetric algorithm using this single-use key 21 Cryptographic (one-way) hash function • Cryptographic (one-way) hash function takes arbitrary-length data & generates fixed-length hash (“fingerprint”) so infeasible to: – Create another message with a given hash value (“preimage resistance”) – Create another (modified?) message with same hash as first message (“second preimage resistance”) – Create any two messages with same hash (“collision resistance”) Message Hash Cryptographic hash (fingerprint, digest) – fixed width 22 Cryptographic Hash • Overall goal: Adversary can’t replace or modify data without changing fingerprint • Some uses: – Verifying integrity – just store fingerprint, verify by recomputing to ensure unchanged/expected – Digital signing – Use private key to “encrypt” fingerprint; anyone can use public key to verify – File id – e.g., CM systems – Creating “random” values – Password storage (“salted hashes”) 23 Cryptographic hash algorithms: MD5, SHA-1, SHA-2 • MD5: Was widely used, but now broken • SHA-1: Many moved to it, still widely used – Cryptanalysis work in 2004 found important weaknesses – Recommendation: gradually move from it • SHA-2 – Family: SHA-224, SHA-256, SHA-384, SHA-512 – Technical similarities with SHA-1 raised concerns 24 Cryptographic hash algorithms: SHA-3 • NIST announced on November 2, 2007 a public competition to develop a new cryptographic hash algorithm, SHA-3 • NIST received sixty-four entries from cryptographers around the world by October 31, 2008 • NIST announced Keccak as the winner of the SHA-3 competition on October 2, 2012 25 Lifecycles of popular crytographic hashes (Valerie Aurora) 1 9 9 0 Function 1 9 9 1 1 9 9 2 1 9 9 3 1 9 9 4 1 9 9 5 1 9 9 6 1 9 9 7 1 9 9 8 1 9 9 9 2 0 0 0 2 0 0 1 Snefru MD4 MD5 MD2 2 0 0 2 2 0 0 3 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 7 2 0 0 8 2 0 0 9 2 0 1 0 2 0 1 1 2 0 1 2 In 2004 Xiaoyun Wang et al. published “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD.” RIPEMD-128 is only 128-bit, “irresponsible based on sheer digest length” because at best it’s 2^64 complexity to break RIPEMD HAVAL-128 SHA-0 SHA-1 RIPEMD-128 RIPEMD-160 SHA-2 family SHA-3 (Keccak) Key: Unbroken Weakened Broken Deprecated Source: “Lifecycles of popular crytographic hashes”, Valerie Aurora, http://valerieaurora.org/hash.html 26 Reactions to stages in the life cycle of cryptographic hash functions Stage Expert reaction Programmer reaction Non-expert ("slashdotter") reaction Initial proposal Skepticism, don't recommend use in practice Wait to hear from the experts before adding to OpenSSL SHA-what? Peer reviewal Moderate effort to find holes and garner an easy publication Used by a particularly adventurous developers for specific purposes Name-drop the hash at cocktail parties to impress other geeks General acceptance Top-level researchers begin serious work on finding a weakness (and international fame) Even Microsoft is using the hash function now Flame anyone who suggests the function may be broken in our lifetime Minor weakness discovered Massive downloads of turgid preprints from arXiv, calls for new hash functions Start reviewing other hash functions for replacement Long semi-mathematical posts comparing the complexity of the attack to the number of protons in the universe Serious weakness discovered Tension-filled CRYPTO rump sessions! A full break is considered inevitable Migrate to new hash functions immediately, where necessary Point out that no actual collisions have been found First collision found Uncork the champagne! Interest in the details of the construction, but no surprise Gather around a co-worker's computer, comparing the colliding inputs and running the hash function on them Explain why a simple collision attack is still useless, it's really the second pre-image attack that counts Meaningful collisions generated on home computer How adorable! I'm busy trying to break this new hash function, though Send each other colliding X.509 certificates as pranks Tell people at parties that you always knew it would be broken Collisions generated by hand Memorize as fun party trick for next faculty mixer Boggle Try to remember how to do long division by hand Assumed to be weak but no one bothers to break No one is getting a publication out of breaking this What's this crypto library function for? Update Pokemon Wikipedia pages Source: “Lifecycles of popular crytographic hashes”, Valerie Aurora, http://valerieaurora.org/hash.html 27 Cryptographic algorithms are often (eventually) broken • Cryptanalysis is an active field – Sometimes advances lead to weakening/break in algorithms… even ones considered secure before – Lifecycles of cryptographic hashes good illustration • Make sure you can change algorithms! – Designs should not assume that crypto algorithms never change • Best to have at least two algorithms implemented – So you can switch away from “broken” one 28 RSA & DH: Some concerns • Concerns about RSA & Diffie-Hellman (DH) raised at Black Hat 2013 – RSA and DH underpinned by difficulty of “discrete logarithm problem” – French academic Antoine Joux published two papers suggesting an algorithm to break it could be found before long – “Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years” - Alex Stamos, chief technology officer, Artemis – “The RSA protocol that is the foundation of security on the Internet is likely to be broken in the very near future,” Philippe Courtot, CEO of Qualys – http://www.technologyreview.com/news/517781/math-advances-raise-theprospect-of-an-internet-security-crisis/). • Elliptic Curve Cryptography (ECC) techniques available – May be inhibited in US by Certicom patents (patents vs. security), as noted earlier • No evidence NIST will start a new public key crypto competition – why?!? 29 Use what you check (Android “Master Key”) • CVE-2013-4787 / Android bug 8219321 – Reported to Google by Jeff Forristal (Rain Forest Puppy) – Packages are really “zip” archive files – Special zip files can be created where >1 file can exist in a directory with same name – One is checked for its fingerprint… but a different one is actually installed • App stores can check for such malformed zip files 30 Cryptographic pseudo-random number generator (PRNG) • Many algorithms depend on secret keys or “nonce” that won’t be reused • A great way to get these is to generate a random number (if enough bits) • Software fundamentally deterministic – Where can, use hardware for truly random value helpful – But can’t always use them, or just them, or trust them • Pseudo-random number generators create “random” data – So attackers cannot determine past/future values 31 Use cryptographic PRNG for crypto • Many “random” functions are easily predicted by an attacker – Often implemented as linear congruential generator (LCG) – E.G., Java Random() • Must use cryptographically secure PRNG (CSPRNG) for crypto and security-related tasks - not ones easily predicted – Java: SecureRandom() – Linux/Unix: read from /dev/random • Read /dev/urandom if you just can’t wait, but urandom will return data even if it has poor randomness • Many algorithms exist to implement CSPRNGs. Examples: – Yarrow, Fortuna, ANSI X9.17 (which can use any block cipher, e.g., AES) – NIST SP 800-90A’s Hash_DRBG, HMAC_DRBG, and CTR_DRBG (do not use the removed algorithm Dual_EC_DRBG) • Be careful seeding them; ensure seed can’t be guessed – Time-of-day (current or boot) is easy to guess 32 Dual_EC_DRBG Controversy • Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) – – – – • • Was part of NIST SP 800-90A (1 of 4 algorithms) Three orders of magnitude slower than other 3 Brown raised concerns in 2006 Dan Shumow and Niels Ferguson re-raised concerns in 2007 Edward Snowden’s leaks excerpted by The New York Times led to strong suspicions that this algorithm was subverted (kleptographic attack/backdoor) RSA used Dual_EC_DRBG as default algorithm in its BSAFE and Data Protection Manager products – Surprising choice given its poor performance & the re-raised concerns in 2007 – Reuters reported on 2013-12-20 a $10 million deal between RSA and NSA to set Dual_EC_DRBG as the default CSPRNG in BSAFE • http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220 – RSA Security categorically denies that it entered into a secret contract with NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries; much debate • • https://blogs.rsa.com/news-media/rsa-response/ and http://arstechnica.com/security/2013/12/rsaissues-non-denying-denial-of-nsa-deal-to-favor-flawed-crypto-code/ “NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used…. Effective immediately, NIST Special Publication 800-90A is being re-issued as a draft for public comment..” 33 PRNG failure example: iOS 7 early_random() • Many Apple iOS vulnerability countermeasures depend on randomness that cannot be predicted by attacker – Many randomness-gathering mechanisms not available early in boot process – Apple provides early_random() PRNG (pseudo-random number generator) • iOS 7 update changed algorithm… to a horrifically-bad linear congruential generator (LCG) algorithm! – Trivial to brute-force, and then determine previous/later values. It can only produce 2^19 unique outputs, with a maximum period of 2^17, far below 2^64 output space – “An unprivileged attacker, even when confined by the most restrictive sandbox, can recover arbitrary outputs from the generator and consequently bypass all the exploit mitigations that rely on the early random PRNG” • More info: – “Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG” by Tarjei Mandt, Azimuth Security http://mista.nu/research/early_randompaper.pdf - presented at CanSecWest 2014 – http://www.theregister.co.uk/2014/03/16/ios_7_has_weak_random_number _generator/ 34 Crypto algorithm: Simple, stream, and block-level • “Simple” algorithms work symbol-at-a-time – Read a byte, determine what to translate that to • Block-level algorithms – Group symbols together into blocks – Replace sequence of blocks • Later byte in same block changes encoding of this byte – Many modern algorithms work this way • Stream algorithms – Work bit-at-a-time 35 Notes about block algorithms • Block encryption algorithms can be used in a number of different modes, including: – Electronic code book (ECB) • Same block of data returns the same result – Cipher block chaining (CBC) • Same block of data returns different result, depending on past blocks in the same stream • Never use ECB mode; CBC is far better than ECB – Returning same block each time often reveals too much • Many modes require an “initialization vector” (IV) – Need not be secret, but must be unpredictable – Create new IV each session; don’t reuse IVs 36 Storing passwords: Things to avoid • Never store passwords as clear text (see Sony) – Attackers can masquerade as any user on your system & many others (password reuse) • Storing as hashes helps, but not much – Attackers can precalculate hashes of likely passwords, then compare – Attackers can easily see who has same passwords 37 Storing passwords: Basics of salted hashes • Store salted hashes of passwords – – – – Hash(user “salt” + user password) for that user Since different users have different salts, precompute fails Attacker can’t easily see if two users use same passwords Salts need to have enough random bits (NIST SP 800-132 requires 128+ bits) • Use cryptographically secure pseudo-random number generator – Use secure hash functions (SHA-512, not SHA-1 or MD5) • On user log in, just repeat process – See if the result is the same as stored salted hash • Prevents social engineering “can you tell me my password?” – because you can’t easily do it • Can make even stronger with key derivation functions… 38 Key Derivation Functions • “Key derivation functions” computes a derived key – Repeatedly uses cryptographic hash, cipher, or HMAC + original data + salt to generate derived key – Doing it repeatedly makes it intentionally slow, thus making password cracking more difficult (“key stretching”) • PBKDF2 (Password-Based Key Derivation Function 2) common – RSA Laboratories' Public-Key Cryptography Standards (PKCS) #5 v2.0 – Also RFC 2898 – “Recommendation for Password-Based Key Derivation” NIST Special Publication 800-132 • Alternative function: bcrypt (counters hardware/GPU) • Can use “HMAC” instead of cryptographic hash directly – use special key known just to server as part of hash – Hide this key, even from attackers who “own” system – Counters offline attack.. but only if you can prevent getting that key 39 Beware of client hashing password • Usual approach: Client sends normal password over encrypted channel • Usually wrong for only client to create & send salted hash – If attacker modifies/replaces client, modified client can just repeat the hashed value on server & get in Client Server stores hash(salt+Sent) Client • Okay to hash on both sides – Hashing on client end means that attacker-controlled server can’t see client’s original password (bonus!) – Hashing on server end means that attacker-controlled client can’t use stored hash to log in to this or other servers (usual purpose for hashed passwords) Sent=password Sent=hash(salt+ password) Server stores Sent Client Sent=hash(salt+ password) Server stores hash(salt+Sent) 40 What should you use? • Crypto algorithms often broken over time; support switching algorithms* • Shared-secret encryption – do not use DES (key is too short) – For now, use (at least) AES – Support at least 3DES as alternate (slow, but secure due to decades of attack) • Hashing (“fingerprinting”) – do not use MD5 – Move smartly away from weakening SHA-1 – SHA-2’s SHA-256 or SHA-512 are useful & widely available, but some concerns – Consider (also) using SHA-3; at least make it easy to switch to SHA-3 • Public key – Usually RSA (patents expired); again, make it easy to switch – Elliptic key cryptography has smaller key sizes, but patent issues lurk • Randomness - do not use most “random” functions (easily guessed by attacker) – Use cryptographic PRNGs, e.g., Linux /dev/random, Java SecureRandom() 8 April 2015 * Have I said this before? 41 Keeping secrets • Often need passwords/keys for program – E.G., for database system, external sites • • • • Don’t build into source… store separately Minimize what processes have secret Minimize time keeping secrets Erase securely ASAP – This is harder than you’d think! – Lock into memory with mlock() / VirtualLock() – Ensure that garbage collector won’t make extra copies, and will really get rid of it • SecureString in .NET • Haven’t found good way in Java; String worst, char[] arrays better – Overwrite… and make sure compiler doesn’t “optimize away” the overwrite! 42 Digital certificates • Electronic document (file) that binds a public key with an identity (person/organization) • Typically has other information • Usual format: X.509 • Can be signed by others; often in a chain, leading back to some root certificate(s) • Some root certificates built into web browsers, providing a place to start 43 Cryptographic protocols • Build on crypto algorithms to create confidentiality & integrity – Secure Socket Layer (SSL) / Transport Layer Security (TLS) – “https:”; officially TLS is new name – Internet Protocol Security (IPSec) – often used for Virtual Private Networks – SSH: Secures remote terminals – Kerberos: Single-sign-on/authentication over network (Windows uses proprietary variant) 44 SSL/TLS cert validation often implemented incorrectly • Common errors: – Failure to verify chain-of-trust – Failure verify hostname (certs only valid for given hostname or pattern!) – Failure to deal with certification revocation & X.509 extensions (key usage limits, name constraints, etc.) • Cause: Confusing APIs in SSL/TLS & data transport libraries – OpenSSL SSL_connect: Return value signals some errors, but if “OK” must then check “verify result” flags – Java SSLSocketFactory doesn’t always verify hostname – cURL: if CURLOPT_SSL_VERIFYHOST=true, hostname check disabled • • • • Always test code with abnormal certs (unknown, wrong host, etc.) In test environment add self-signed certs/CAs to keystore; don’t disable Read API docs carefully, explicitly set options, carefully check results Read “The most dangerous code in the world: Validating SSL certificates in non-browser software” by Goergiev et al, 2012 45 Public Key Infrastructure (PKI) / Certificate Authority (CA) Issues (1) • Most protocols authenticate the server (destination) by checking certificates – How can you be sure that the certificate belongs to that server? – Accepting a wrong one leads to man-in-the-middle attack – “PKI” provides certificates, e.g., from 1+ certificate authorities (CAs) • Unfortunately, many CAs untrustworthy – Summary: “Defcon 19: Moxie Marlinspike - SSL And The Future Of Authenticity” http://www.youtube.com/watch?v=xIiklPyS8MU – Throw away “bad” CAs = can’t access most of the Internet – Some organizations even self-subvert! • TLS/SSL still helpful, but greatly weakened because of this – Originally designed vs. passive attacks, authenticity was “a bit of a hand wave” • No easy solution, and not enough people working to solve it – In some scenarios “certificate pinning” & DNSSEC can help 46 Public Key Infrastructure (PKI) / Certificate Authority (CA) Issues (2) • Need to revoke compromised certificates, but… • Currently-available revocation mechanisms broken – Certificate Revocation List (CRL)(: Client downloads revocation list. Slow, attacker can prevent, hasn’t scaled with Internet – Online Certificate Status Protocol (OCSP): Client online query. Slow, attacker can prevent – OCSP Stapling: Server online query & provides to client. Attacker can prevent (by filtering out) – CRLSets: Blacklist of known bad certs. Attacker can prevent CRLSet download, only revokes a few (popular) certificates – Must-staple HTTP header.: Attacker can prevent – Short-lived certificates: Doesn’t scale, interferes with pinning – X.509 OCSP must-staple: No spec, not widely implemented 47 Public Key Infrastructure (PKI) / Certificate Authority (CA) Issues (3) • Interview with Kipp Hickman, designer of original SSL protocol: – “So, certificate authorities was the deal… Oh, that whole authenticity thing…” – “We were designing SSL to prevent passive attacks for the most part, you know.” – “We heard about this thing – the man-in-the-middle attack – and so we just threw that in at the end” – “Really, that whole thing with certificates, it was a bit of a hand wave. We didn’t think it was gonna work, we didn’t know”. Source: http://privacy-pc.com/articles/ssl-and-the-future-of-authenticity2-certificate-authorities.html • Rather disturbing comments for such a key protocol! • Later versions improved, but CAs & revocation still a big problem • Be prepared to change if solutions become available 48 Timing attacks: The problem • Many algorithms take a variable amount of time – E.G., array “is equal to?” usually stops on first unequal value • Attackers can get confidential info (like private keys) through this – Attackers perform act multiple times… – Use statistics to eliminate jitter; a shocking amount is removable! – E.G., for “is equal to” attacker can determine if he guessed first one correctly, then second one, then third one, … • Yes, it really works – 15-100μs accuracy across the Internet and 100ns over a local network [Crosby2009] – One example (finding 20 byte HMAC result): Keyczar used standard equality test, allowing attacker to find session value in < week with 10 req/s… “and all of a sudden I’m logged in as you” [Hale2009] – If attacker on same system or has shared resources (such as mobile apps or virtualized cloud), timing attack problems are even worse 49 Timing attacks: Solutions • Use timing-independent (sometimes called “constant-time”) algorithms – Not the same as O(1) algorithms!! • E.G., “is equal to” in Java [Lawson2010] [Hale2009]: public static boolean isEqual(byte[] a, byte[] b) { if (a.length != b.length) { return false; } // Omitting this is a bad bug int result = 0; for (int i = 0; i < a.length; i++) { // Note that we always examine everything result |= a[i] ^ b[i]; } return result == 0; } • Crypto library implementations have to worry about this broadly • Consider if you need timing-independent, especially when using crypto – In particular, use them when comparing hashed or encrypted values, or when doing anything with private keys – Timing attacks apply broadly, but “is equal to” is especially common issue – MessageDigest.equal() was fixed in Java SE 6 Update 17 50 Some introductory books on cryptography • Applied Cryptography by Bruce Schneier (1994 & 1996) – highly influential, incredibly researched, somewhat dated • Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone (2001) - newer, contents freely available at http://cacr.uwaterloo.ca/hac/ • Practical Cryptography by Niels Ferguson and Bruce Schneier (2003) – updated, shorter 51 Conclusions • Do not create your own crypto algorithm/protocol • Where possible, reuse existing implementations – At least reuse existing algorithms (after you make sure they’re okay via public sources!) • Support multiple algorithms, allow switch via configuration – Crypto algorithms are often broken – Making them configurable makes switch easy 52 Released under CC BY-SA 3.0 • This presentation is released under the Creative Commons AttributionShareAlike 3.0 Unported (CC BY-SA 3.0) license • You are free: – to Share — to copy, distribute and transmit the work – to Remix — to adapt the work – to make commercial use of the work • Under the following conditions: – Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work) – Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one • These conditions can be waived by permission from the copyright holder – dwheeler at dwheeler dot com • Details at: http://creativecommons.org/licenses/by-sa/3.0/ • Attribute me as “David A. Wheeler” 53