ntxissacsc4 - a brief history of cryptographic failures
TRANSCRIPT
@NTXISSA#NTXISSACSC4
ABriefHistoryofCryptographicFailures
BrianMorkCISO
Celanese2016-10-07
@NTXISSA#NTXISSACSC4
WhoAmI?
• CISOatS&P500/Fortune500company• Formerair-drophacker,securityengineer,penetrationtester,RFsimulationengineer,electronicsintelligenceexpert,optician’sassistant,newspaperdeliveryboy,softwarepirate,partyorganizer,andshortordercook.
• Alsoknownas“Hermit”withintheinformationsecurity/hackercommunity
NTXISSACyberSecurityConference– October2-3,2015 2
@NTXISSA#NTXISSACSC4
DISCLAIMERS
• I’mnotanexpertincryptography• WhileItakecryptographyseriously,Idon’ttakemyselfseriously
• IusedpicturesfromtheInternet.I’velistedthesourcesIknowonthesecondtolastslide.
• Ifwecan’thavefunwiththis…
NTXISSACyberSecurityConference– October2-3,2015 3
@NTXISSA#NTXISSACSC4
Well,then…
NTXISSACyberSecurityConference– October2-3,2015 4
@NTXISSA#NTXISSACSC4
Agenda
• WhatisCryptography?• WhyCryptography?• OurCast• TheFailures• HonorableMentions• Q&A
NTXISSACyberSecurityConference– October7-8,2016 5
@NTXISSA#NTXISSACSC4
WhatIsCryptography?
“Theprocessofwritingorreadingsecretmessagesorcodes.”
- MiriamWebsterDictionary“Theartofwritingorsolvingcodes.”
- OxfordEnglishDictionary“Thescientificfieldofstudyrelatedtoprotectingorverifyinginformation.”
- BrianMork
NTXISSACyberSecurityConference– October2-3,2015 6
@NTXISSA#NTXISSACSC4
WhyCryptography?
• Becauseyoulacktrustin… something…• Transmissionmediums• Integrityofcommunications• Otherpeople• Governments• Cigarettesmokingmen• Etc.
NTXISSACyberSecurityConference– October2-3,2015 7
@NTXISSA#NTXISSACSC4
OurCast
Intraditionalcryptographicdiscussionswewouldconsiderthefollowingactors:• Alice– Someonesendinginformation• Bob– Someonereceivinginformation• Eve– Someoneeavesdropping
AllbecauseRonRivest (ofRSAfame)usedsuchtermsbackinthe1970s.
NTXISSACyberSecurityConference– October2-3,2015 8
@NTXISSA#NTXISSACSC4
OurREALCast
Timeshavechanged,andweneedheroeswhoreflectthosetimes…
NTXISSACyberSecurityConference– October2-3,2015 9
Alice,as… well… Alice
… Dilbert,asBob…
… andCatbert,asEve.Orevil.Eitherone/both.
@NTXISSA#NTXISSACSC4
Andnowhere’ssomethingwehopeyou’llreallylike!
NTXISSACyberSecurityConference– October2-3,2015 10
@NTXISSA#NTXISSACSC4
FailureOne
NTXISSACyberSecurityConference– October2-3,2015 11
REGULAR FAIL
@NTXISSA#NTXISSACSC4
TheScenario
AliceandDilbertsetupasecurewebsite.It’samazing.Itwashackerproof(justtrustmeonthisone),withanofficialcertificateandeverything.
Unfortunately,theiragentsusedbrowsersthatstilltrustedrootcertificateauthoritiesthatusedMD5forhashing.
NTXISSACyberSecurityConference– October2-3,2015 12
@NTXISSA#NTXISSACSC4
Failure:MD5Certificate
SowhatisMD5?• Hashingalgorithm• Vulnerabletocollisions• Wasstillusedthrough2008bycertificateauthorities
NTXISSACyberSecurityConference– October2-3,2015 13
@NTXISSA#NTXISSACSC4
Failure:MD5Collisions
Whatisacollision?
It’swhentwodifferentinputscreatethesameoutput.
Whyisthatbad?
Because… that’sexactlywhatit’snotsupposedtodo!
NTXISSACyberSecurityConference– October2-3,2015 14
@NTXISSA#NTXISSACSC4
Failure:MD5Collisions
Howcanwemakethatworse?
Byhavingaconditionwheretwodifferentinputsshareafunctionorformat,suchasdocuments andexecutables
Or,Idon’tknow… cryptographicmaterial
NTXISSACyberSecurityConference– October2-3,2015 15
@NTXISSA#NTXISSACSC4
Failure:MD5Collisions
ThefirstMD5collisionwasin2004.
By2007collidingexecutables,documents,andmorewerepossibleandhadbeendemonstrated,duetochosen-prefixcollisions.
Enterthefakecertificateauthority!
NTXISSACyberSecurityConference– October2-3,2015 16
@NTXISSA#NTXISSACSC4
Failure:MD5Collisions
Step1:Generateapairofcertificateswiththesamehashbutdifferentcharacteristics(e.g.makeoneaCAthatcansignanything).
Step2:Getthebenigncertificatesignedbya”real”CAandcopythatsignaturetothemaliciousone.
Step3:ProfitNTXISSACyberSecurityConference– October2-3,2015 17
@NTXISSA#NTXISSACSC4
Failure:MD5Collisions
NTXISSACyberSecurityConference– October2-3,2015 18
@NTXISSA#NTXISSACSC4
Failure:MD5CollisionsAndwhatdoesthatgiveyou?
Acertificatethatcansignliterallyanything,andwhichvalidatesbacktoatrustedrootcertificateauthority.
IamGoogle
MicrosoftMr.Robot
WhomeverIwanttobe!
NTXISSACyberSecurityConference– October2-3,2015 19
@NTXISSA#NTXISSACSC4
Failure:MD5Collisions
NTXISSACyberSecurityConference– October2-3,2015 20
I am Dilbert. You can trust this because Alice said I am. Now tell me
all your secrets. They’re safe with me.
@NTXISSA#NTXISSACSC4
FailureTwo
NTXISSACyberSecurityConference– October2-3,2015 21
@NTXISSA#NTXISSACSC4
TheScenario
• Inanalternatedimension,AlicehasascendedtoleadamilitaryforceagainsttheevilfelinenationofCatbertia.
• Dilbert,herleadgeneral,needstocommunicatesecurelywithher.
• Theydecidetodeployoneofthemosteffectivephysicalcryptographicsystemsevermade… theenigmatic… er… Enigma.
NTXISSACyberSecurityConference– October2-3,2015 22
@NTXISSA#NTXISSACSC4
FailureX:Enigma
ThisistheEngima.Itwasabeautyofengineering.Multiplerotors,eachinputchangedthenextencoding,easytooperateandfiendishlydifficulttobruteforce.
NTXISSACyberSecurityConference– October2-3,2015 23
@NTXISSA#NTXISSACSC4
FailureX:Engima
Howcomplexwasit?• 3rotorwheelpositions,5wheelchoices(60startingcombinations)
• 26startingpositionsperwheel(17,576combinations)
• Wheelsrotateoneanother… wiringtocreatesubstitutions… egads!
• 107,458,687,327,250,619,360,000keysNTXISSACyberSecurityConference– October2-3,2015 24
@NTXISSA#NTXISSACSC4
FailureX:Engima
Oh,andthentherewasthefactthatEngimaoperationsusedkeyencryptingkeys… really!
Thedaykeywasapre-sharedsecretusedtoencryptone-timekeyscalledmessagekeys.Messagekeyswerethenusedtoencryptactualmessages.
Prettynifty!NTXISSACyberSecurityConference– October2-3,2015 25
@NTXISSA#NTXISSACSC4
Catbert HasNoChance!
• It’strue!Withthatmanycombinationsandfrequencyofchangethere’snohopefortheempireofevil.
• Thenagain,peoplehavebeenknowntomakemistakes.
• ButI’msureAliceandDilbertwouldn’tmakethesameonesthattheirhistoricalpredecessorsdid.Whatwerethoseagain?
NTXISSACyberSecurityConference– October2-3,2015 26
@NTXISSA#NTXISSACSC4
FailureX:Engima
HowwasEnigmapreviouslydefeated?• Reuseofrotorsettings• Transmissionwithmultipleciphers• Operatorsoftenreusedthesamemessagekeymultipletimes(e.g.“cillies”)
• Commonmessageformats
NTXISSACyberSecurityConference– October2-3,2015 27
@NTXISSA#NTXISSACSC4
FailureX:Enigma
• What’sthat?Dilberthastakentousingthedayoftheweekasthemessagekey?
NTXISSACyberSecurityConference– October2-3,2015 28
@NTXISSA#NTXISSACSC4
Failure2
NTXISSACyberSecurityConference– October2-3,2015 29
@NTXISSA#NTXISSACSC4
TheScenario
AliceandDilbertarejoiningthemodernage.Theyvisiteachother’shousesfrequently,anduseeachother’swirelessnetworks.
Tobeextrasafe,they’veselectedWiredEquivalentPrivacy(WEP)tosecuretheirnetwork.Whatcouldpossiblygowrong?Well,sinceWEPusesasinglekeythatneedstobeprotected!
NTXISSACyberSecurityConference– October2-3,2015 30
@NTXISSA#NTXISSACSC4
Failure:WEP
NTXISSACyberSecurityConference– October2-3,2015 31
TheyknowthatCatbert istryingtointercepttheircommunications,sotheypaidadrivertotaketheoutinthemiddleofamudfieldinElbonia.
Onceoutthere,theychoseasupersecretpasswordjustbetweenthetwoofthem.Thisisnowtheirwirelessnetworkpassword.
Whew!Thatwasclose.Goodthingthatsharingthekeyisthebiggestconcern.Right?
@NTXISSA#NTXISSACSC4
Failure:WEP
Well,maybenotJUSTthat… there’salso:• Poorinitializationvectors(IV)size• WeakIVs• Weakkeyspace• Poorkeyentry(ASCIIreduceskeyspace)• Replay/packetstimulation(whenyouneedmoreIVs)
• Chop-ChopAttack!
NTXISSACyberSecurityConference– October2-3,2015 32
@NTXISSA#NTXISSACSC4
Failure:WEP
NTXISSACyberSecurityConference– October2-3,2015 33
TheonlythingIlikemorethanweakcryptoismy
enemiesusingit.
@NTXISSA#NTXISSACSC4NTXISSACyberSecurityConference– October2-3,2015 34
Will this guy ever shut up?
@NTXISSA#NTXISSACSC4
HonorableMention
• AdvancedEncryptionStandard(AES)–ElectronicCodebook(ECB)• Samekeyusedoverandover• Block-basedencryption• Knownplaintextlookup!• SmashECB,forexample(writtenbyyourstruly)
NTXISSACyberSecurityConference– October2-3,2015 35
@NTXISSA#NTXISSACSC4
HonorableMention
• ClipperChip– LawEnforcementAccessField• Includeddatanecessarytorecoverkey• Only16-bithashprotectingit• Bypassandreusewerepossibleanddemonstrated
• UseofthirdpartyLEAFdatawaspossibletoo!
NTXISSACyberSecurityConference– October2-3,2015 36
@NTXISSA#NTXISSACSC4
HonorableMention
• Microsoft’s”GoldenKey”• BootingRT/ARMdeviceschecktwothings:apolicy(mustbesignedbyMicrosoft)andtheoperatingsystem(alsomustbesignedbyMicrosoft)
• The“GoldenKey”isadebugmodepolicythatwasaccidentallyshipped,andthatpolicyallowsskippingthecheckfortheoperatingsystem
• Presto!AnyOSonaSurface/WinPhone/etc.NTXISSACyberSecurityConference– October2-3,2015 37
@NTXISSA#NTXISSACSC4
HonorableMentions
Andsomany,manymore…• WPA- Design• DualECDRBG- Design• MD4– Time,mostly• NISTP- curves(ECC)– Design• DigitalEncryptionStandard(DES)– Design• 3DES– Design
NTXISSACyberSecurityConference– October7-8,2016 38
@NTXISSA#NTXISSACSC4
Questions
Ifyou’vegot’em,throw‘em.
IfIknowtheanswer,I’llgiveit.
IfIdon’t,I’llansweranywaysbeforeIdisclosethatIhavenocluewhatI’mtalkingabout.
NTXISSACyberSecurityConference– October2-3,2015 39
@NTXISSA#NTXISSACSC4
Miscellaneous
• PictureCredits• MulderImage:PascalWagler• DilbertCharacters:ScottAdams• Engima Machine:TheHistoryBlog.com• FailurePictures:TheInternetTubes
• FindMe• Twitter:@hermit_hacker• LinkedIn:/in/bcmork
NTXISSACyberSecurityConference– October2-3,2015 40
@NTXISSA#NTXISSACSC4@NTXISSA#NTXISSACSC4
The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA
NorthTexasISSA(InformationSystemsSecurityAssociation)
NTXISSACyberSecurityConference– October7-8,2016 41
Thankyou