«applied cryptanalysis everything else» by vladimir garbuz
TRANSCRIPT
![Page 1: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/1.jpg)
Applied Cryptanalysis:Everything else
Vladimir Garbuz
![Page 2: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/2.jpg)
Block ciphers
Intro•Operate on blocks of equal, identical size•Have different and clever modes of operation• Some of them can simulate a Stream cipher
•Has to have it’s input length divisible by block size• To achieve that, padding is used (e.g. PKCS7)
![Page 3: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/3.jpg)
Block ciphers
Modes of operation: ECB•Electronic CodeBook, the naive approach
![Page 4: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/4.jpg)
Block ciphersModes of operation: CBC
•Cipher block chaining, a more clever approach
![Page 5: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/5.jpg)
Block ciphers
Modes of operation: CBC•Bit flipping•Padding oracle attack• E.g. POODLE on SSLv3•And TLS 1.0-1.2 implementations
![Page 6: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/6.jpg)
Block ciphers
Modes of operation: CBC – Padding Oraclehttp://sampleapp/home?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
![Page 7: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/7.jpg)
Block ciphers
Modes of operation: CBC – Padding OracleRequest: http://sampleapp/home?UID=0000000000000000F851D6CC68FC9537
Response: 500 - Internal Server Error
![Page 8: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/8.jpg)
Block ciphers
Modes of operation: CBC – Padding OracleRequest: http://sampleapp/home?UID=0000000000000001F851D6CC68FC9537
Response: 500 - Internal Server Error
![Page 9: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/9.jpg)
Block ciphers
Modes of operation: CBC – Padding OracleRequest: http://sampleapp/home?UID=000000000000003CF851D6CC68FC9537
Response: 500 - Internal Server Error
X ⊕ 3C = 01X = 01 ⊕ 3CX = 3D3D 0F = ‘2’!⊕
3D Y = 02⊕Y = 3D 02⊕Y = 3F
![Page 10: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/10.jpg)
Block ciphers
Modes of operation: CBC – Padding OracleRequest: http://sampleapp/home?UID=000000000000003FF851D6CC68FC9537
Response: 500 - Internal Server Error
![Page 11: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/11.jpg)
Block ciphers
Modes of operation: CBC – Padding OracleRequest: http://sampleapp/home?UID=000000000000243FF851D6CC68FC9537
Response: 500 - Internal Server Error
![Page 12: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/12.jpg)
Block ciphers
Modes of operation: CTR
![Page 13: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/13.jpg)
Block ciphers
Modes of operation: CTR•Very parallelizable and simple•Still has many vulnerabilities…• Bit flipping works great• Counter must count•And nonces should NEVER be reused
![Page 14: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/14.jpg)
Hash
![Page 15: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/15.jpg)
Cryptographic hash
Basically a one way function With a finite number of possible digests And infinite possible inputs collision possibility
Cryptographic hashes have stronger properties, specifically it must be hard to: Modify a message without changing its hash
Avalanche effect is our friend Generate a message that has a given hash
Which makes it a one-way function Find two different messages with the same hash
Which provides collision resistance
![Page 16: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/16.jpg)
Cryptographic hash
Main problems they address
1. Password storage2. Key derivation3. Ensuring data integrity
1. Message authentication codes (MAC)2. Doing it right - HMAC
4. Proof of work
![Page 17: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/17.jpg)
Cryptographic hash
Password storage Never store passwords for verification in the clear Use salts with hashes to fight rainbow tables
Don’t reuse it with different passwords Don’t make it too short Get it with CSPRNG
Never use clear hash functions to hash passwords Wat?!
Yep! Go for a key derivation function! Wat?...
![Page 18: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/18.jpg)
Cryptographic hash
Key derivation functions Designed to be slooow, hard to parallelize And are used in password hashes storage Also used to increase entropy of an encryption key
Entropy of stuff you can type on a keyboard isn’t great Examples:
PBKDF2 from RSA – better than nothing bcrypt – pretty good, widely available scrypt – best! Not yet as available, but if it is – use it!
![Page 19: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/19.jpg)
Cryptographic hash
Ensuring data integrity Usual workflow:
Hash data to get it’s hash, send hash with data Receiver gets the data, computes its hash and
compares it with the hash transmitted E.g. you can see them next to sourcecode downloads…
This catches transmission errors but doesn’t work against an attacker modifying the message
![Page 20: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/20.jpg)
Cryptographic hash
Ensuring data integrityMessage Authentication Codes
MAC is a hash tag computed as F(message, key) And the key MUST be unpredictable and NOT short
Function F() could be any, e.g.:1. F(message, key) = key + message (the naive approach)2. F(message, key) = message + key (just a little better)3. F(message, key) = key + message + key (still bad)4. F(message, key) = weird pseudo-random transforms,
… But the right way is HMAC, always HMAC!
![Page 21: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/21.jpg)
Cryptographic hash
Breaking “key + message” MAC:Length extension attack
What’s vulnerable? Hash functions with Merkle–Damgård construction, e.g.
MD4, MD5, RIPEMD-160, WHIRLPOOL, SHA-0, SHA-1 and even SHA-2
Doesn’t work on other constructions - SHA-3, poly1305,... In this construction, the resulting hash is the internal
state of the function at the end of computation Which can (and will ) be used as the starting state of the
hash function
![Page 22: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/22.jpg)
Cryptographic hash
Breaking “key + message MAC”:Length extension attack
Hash of k+m is actually a hash of k+m+p, where p is some necessary, but easily predictable, padding
To illustrate this: H0(k) = Hk - here, H0 is the initial state of hash function Hk(m) = Hkm - Hk is its state after processing k Hkm (p) = Hkmp
Hkmp = H(k+m+p)
![Page 23: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/23.jpg)
Cryptographic hash
Breaking “key + message MAC”:Length extension attack
Since p is predictable and end state Hkmp is known We chose any arbitrary m´ Set the hash function’s initial state to Hkmp And make it process the bytes of message m´Hkmp(m´) = Hkmpm´
Curiously, this is EXACTLY what happens when you hash m+p+m´ under a known key!
Now, our hash is forged but will check out as valid!
![Page 24: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/24.jpg)
Cryptographic hash
Ensuring data integrityThe right way: HMAC
Introduced in 1996 Thus, widely available So effective, even broken functionsproduce secure tags with it! (e.g. MD5)
Still, not a reason to ever use MD5or any other broken hash function!
![Page 25: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/25.jpg)
Cryptographic hash
Proof of work The basic idea – something must be hard to compute but
easy to check if the computation is right Make the client find a string whose hash matches a mask
E.g. whose SHA-1 starts with the phrase “JEEZUZ” in ASCII Get the text, compute it’s SHA-1 and check if it matches Although, choose the mask randomly for each client If it’s not enough, throttle the connection down by larger mask
Very useful to deter DoS or password bruteforce
By the way, that’s what Bitcoin is based on
![Page 26: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/26.jpg)
Cryptographic hash
Vulnerable, but still used, hash functions MD4 MD5 – yes, fully broken since 2007, stop using it! SHA-1
“Oh please, we’ve used MD5 forever and it’s been ok!”
![Page 27: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/27.jpg)
Cryptographic hash
MD5What’s similar for these 3 images?..
Their MD5 hash!And a freely available tool HashClash was used!
![Page 28: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/28.jpg)
Cryptographic hash
MD5 Chosen prefix collisions
![Page 29: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/29.jpg)
Authenticated encryption
![Page 30: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/30.jpg)
Authenticated encryption
Approaches to Authenticated Encryption Encrypt-and-MAC (E&M): A MAC is produced based on the
plaintext, and the plaintext is encrypted without the MAC.
MAC-then-Encrypt (MtE): A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both.
Encrypt-then-MAC (EtM): The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext.
One should NEVER start decrypting if the MAC isn’t right!
![Page 31: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/31.jpg)
Authenticated encryption
AE with Associated Data – AEAD Basically means that some data is sent in cleartext but the
MAC authenticates it as well (e.g. packet routing info)
NEVER use un-authenticated encryption! E.g. TLS 1.3 removes support for non-AEAD cipher modes!
NEVER implement encryption (cryptography) yourself! Go google how to use AE in your framework Example AEAD modes are GCM, EAX, CWC
![Page 32: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/32.jpg)
“That’s all cool stuff, but how do we securely exchange encryption keys over an insecure Internet connection with people we’ve never met in person?...”
Public-key cryptography!
CRYPTOMANTo the rescue!
![Page 33: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/33.jpg)
Public-key cryptography
A famous example is RSA
![Page 34: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/34.jpg)
Digital signature
A simplified signing scheme via RSA
![Page 35: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/35.jpg)
Key exchange
Abstract Diffie-Hellman key exchange Acronyms – DHE, ECDHE Basic principle: paints Paints are easy to mix But difficult to separate Vulnerable to MITM! “Common paint” must be signed Then why not just use public-keyto encrypt the key?.. Perfect forward secrecy!
![Page 36: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/36.jpg)
Perfect forward secrecy
Even if private keys are stolen, the actual encryption keys can not be uncovered When Diffie-Hellman is properly configured, e.g IPSec,
SSH, TLS, STARTTLS, OpenSSL support it
![Page 37: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/37.jpg)
Best Practices
1. NEVER invent your own crypto – it’s way too easy to screw up!
2. NEVER implement existing cryptographic algorithms yourself!3. NEVER use export (EXP) crypto!4. NEVER use broken cryptographic functions/primitives!5. NEVER use passphrases as encryption keys! Go for key
derivation functions!6. NEVER use unauthenticated encryption!7. Use cryptographically strong PRNGs!8. For symmetric encryption, use at least AES-128 or higher 9. For cryptographic hashing, use at least SHA-256 or higher10. For password storage, use a key derivation function with a
long, random salt!
![Page 38: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/38.jpg)
Best Practices
•Do TLS the right way!•Yay or nay?• ECDHE-RSA-AES256-GCM-SHA256• Yay!
• ECDHE-RSA-RC4-SHA• Nay!
• EXP-RC4-MD5• Nay nay nay!!!
![Page 40: «Applied cryptanalysis everything else» by Vladimir Garbuz](https://reader036.vdocuments.mx/reader036/viewer/2022062320/55d279f2bb61eb4f128b45d0/html5/thumbnails/40.jpg)
Questions and Discussion