4. 11. 2019
1
Cryptographic applications
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory2012 | MCM:Directory2008 | MVP:Enterprise Security | CEH | CHFI | CISA |
[email protected] | www.sevecek.com |
Session keys and mutual authentication
Authentication with password hash (HMAC)
[diagram: Client and Server both hold K. Challenge variant: Server sends a random nonce as the challenge, Client returns HMAC-hash-K over it, Server recomputes and compares the HMAC (compare-HMAC). Timestamp variant: Client sends HMAC-hash-K over the current timestamp, Server checks the time is in range and compares the HMAC.]

Session key data integrity or encryption with hashing (+mutual authentication) (no PFS)
[diagram: Client and Server both hold K. An auth random (auth nonce) is exchanged as the challenge; Server contributes a session random (session nonce S) and Client a session random (session nonce C); both sides compute the session key KSC from K, S and C. Data is then hashed or encrypted with HMAC KSC.]
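The two flows above (HMAC challenge-response with a nonce or a timestamp, and the mutual-authentication variant that derives a session key KSC) in working code. This is an added example, not code from the slides: the shared key, the `auth`/`ts`/`session` labels mixed into the HMAC, the 300-second clock tolerance and the 16-byte nonces are the example's own assumptions. Every tag is HMAC-SHA256 over length-prefixed fields, so a challenge tag and a timestamp tag can never collide.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret K: on the slide this is the password hash (or a
# key derived from it) that both client and server hold.
SHARED_K = hashlib.sha256(b"constructed-example-password").digest()
NONCE_LEN = 16          # bytes per challenge / session nonce (assumption)
MAX_SKEW = 300          # seconds accepted as "time in range" (assumption)
TAG_LEN = 32            # HMAC-SHA256 output length

def mac(key, *parts):
    """HMAC-hash-K over length-prefixed parts so (a, bc) and (ab, c) differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()

# Challenge variant ------------------------------------------------------
def server_challenge():
    return secrets.token_bytes(NONCE_LEN)          # random nonce sent to the client

def client_response(k, challenge):
    return mac(k, b"auth", challenge)              # HMAC-hash-K over the challenge

def server_verify(k, challenge, response):
    # compare-HMAC: recompute and compare in constant time
    return hmac.compare_digest(mac(k, b"auth", challenge), response)

# Timestamp variant ------------------------------------------------------
def client_timestamp_auth(k, now):
    ts = int(now)
    return ts, mac(k, b"ts", str(ts).encode())

def server_verify_timestamp(k, ts, tag, now):
    if abs(int(now) - ts) > MAX_SKEW:             # "time in range" check first
        return False
    return hmac.compare_digest(mac(k, b"ts", str(ts).encode()), tag)

# Mutual authentication + session key (no PFS) ---------------------------
def derive_session_key(k, nonce_s, nonce_c):
    # KSC from K and both session nonces; whoever holds K can recompute it
    # from captured nonces, which is why the slide says "no PFS"
    return mac(k, b"session", nonce_s, nonce_c)

def mutual_handshake(k_client, k_server):
    """Simulate both parties; returns (client KSC, server KSC, client ok, server ok)."""
    nonce_s = secrets.token_bytes(NONCE_LEN)       # server's auth random / session nonce S
    nonce_c = secrets.token_bytes(NONCE_LEN)       # client's session nonce C
    # client proves K to the server over both nonces
    tag_c = mac(k_client, b"client-auth", nonce_s, nonce_c)
    server_ok = hmac.compare_digest(mac(k_server, b"client-auth", nonce_s, nonce_c), tag_c)
    # server proves K to the client; different label and order, so tag_s != tag_c
    tag_s = mac(k_server, b"server-auth", nonce_c, nonce_s)
    client_ok = hmac.compare_digest(mac(k_client, b"server-auth", nonce_c, nonce_s), tag_s)
    return (derive_session_key(k_client, nonce_s, nonce_c),
            derive_session_key(k_server, nonce_s, nonce_c), client_ok, server_ok)

# Data integrity with HMAC KSC ---------------------------------------------
def protect(ksc, data):
    return data + mac(ksc, b"data", data)          # message || tag

def check(ksc, msg):
    """Return the data if its tag verifies, else None."""
    data, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    return data if hmac.compare_digest(mac(ksc, b"data", data), tag) else None

if __name__ == "__main__":
    c = server_challenge()
    print("challenge ok:", server_verify(SHARED_K, c, client_response(SHARED_K, c)))
    ck, sk, ok_c, ok_s = mutual_handshake(SHARED_K, SHARED_K)
    print("mutual auth:", ok_c and ok_s, "same KSC:", ck == sk)
```

KSC changes with every session because both nonces do, but it is a function of K alone plus public values; a later compromise of K exposes every recorded session, which is the property the "(no PFS)" label on the slide points at. All comparisons go through `hmac.compare_digest` so the compare-HMAC step does not leak timing.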
Authentication with symmetric encryption
[diagram: Client and Server both hold K. Challenge variant: Server sends a random nonce as the challenge, Client returns it encrypted by K, Server decrypts by K and compares. Timestamp variant: Client sends the timestamp encrypted by K, Server decrypts by K and checks it. Question raised on the slide: no hash for integrity?]

Session key generation with symmetric encryption (+mutual authentication) (no PFS)
[diagram: Client and Server both hold K. One side generates a random session key S and sends it encrypted by K; the other side decrypts by K. Both then hold S and data is encrypted by S.]
Authentication with asymmetric crypto
[diagram: the authenticating party holds KPRIV, the verifier holds KPUB. Challenge variant: the verifier sends a random nonce as the challenge, the other side returns it signed by KPRIV, the verifier checks it by KPUB. Timestamp variant: the authenticating party sends a timestamp signed by KPRIV, the verifier checks it by KPUB.]

Session key data encryption with asymmetric crypto (without mutual authentication) (no PFS)
[diagram: the key-pair holder has KPRIV, the peer has KPUB. The peer generates a random session key S, encrypts it by KPUB and sends it; the holder decrypts by KPRIV. Both then hold S and data is encrypted by S. Only the key-pair holder is authenticated.]
Session key data encryption with asymmetric crypto (+mutual authentication) (no PFS)
[diagram: as on the previous slide (random session key S encrypted by KPUB, decrypted by KPRIV, data encrypted by S), plus the other side holds its own key pair SPRIV/SPUB: it signs by SPRIV and the peer verifies by SPUB, so both sides are authenticated.]

Certificates brief
Digital certificate
transports public key
guarantees owner identity
• some public-private key applications do not use certificates
• SSH, PGP

Digital certificate (signed by CA's private key)
Public key
• DSA, RSA, ECDSA (ECDH)
Subject
• owner of the certificate
• verified by CA
Key Usage
• cryptographic usage
Subject Alternative Name (SAN)
• DNS names of the owner
• login, email of the owner
Enhanced Key Usage (EKU)
• application key usage
Usage combinations
KU: Digital signature
• EKU: Server Authentication => (ED)DH key agreement
• EKU: Code Signing => subject is company
• EKU: Document Signing => subject is person
• EKU: Smart Card Logon => signed timestamp
• EKU: Client Authentication => VPN/HTTP/WiFi client cert
• EKU: Secure Email => subject is email (person)
KU: Key encipherment
• EKU: Server Authentication => RSA key exchange
• EKU: Smart Card Logon => encrypted timestamp
• EKU: Secure Email => subject is recipient’s email
Certificate chains
[diagram, leaf to root:
my cert (MYPUB) - signed by 3CAPRIV
3CA cert (3CAPUB) - signed by 2CAPRIV
2CA cert (2CAPUB) - signed by 1CAPRIV
1CA cert (1CAPUB) - signed by rootCAPRIV
rootCA cert (rootCAPUB) - signed by rootCAPRIV (self-signed) - trust]
Renew or extend certificate
cannot extend
• digitally signed
can only renew
• new certificate
• possibly new keys
Private key storage
private key is never part of the certificate
certificate (+public key) in registry
private key
• encrypted with DPAPI on disk
• stored in cryptographic device
Cryptographic devices
smart cards and tokens (S/C)
• crypto CPU
• safe memory for storing private keys
• flash memory for public data
hardware security modules (HSM)
• bigger and faster smart cards
• self powered, fire proof, tamper proof
• connected over network, USB, ...
trusted policy (platform) module (TPM)
• S/C on motherboard
• boot validation
• hardware attestation
Hardware devices
[diagram: a CryptoCPU with protected private crypto memory (x KB), OS/firmware in ROM, a log, and public storage memory (x MB+); the PC talks to it through API calls, authorised by PIN and master PIN.]

Hardware supported offloading
AES-NI
• some newer Intel and AMD processors since 2008
• supported by CNG providers since Windows 7
TLS offloading
• PCI card + software SChannel plug-in "driver"
IPSec offloading
• NICs (Intel S)
TLS basics
Transport Layer Security
HTTPS, SMTPS, LDAPS, POP3S, RDP, 802.1x authentication, …
Server certificate
[diagram: client hello carries the client's version and crypto suites; server hello answers with a version <= the client's and the selected suite, followed by the server certificate (hostname, public key); the server holds the matching private key.]

SSL inspection or MITM attack
[diagram: the genuine server cert chains CA2 -> CA1 -> trusted rootCA; an attacker proxy presents its own cert chained to an untrusted rootCA.]

Mutual authentication prevents MITM and inspections
[diagram: as above, plus a client cert issued by CA1 under the trusted rootCA that the client presents to the server.]
SSL vs. TLS vs. DTLS
SSL 2.0 (1995) - Windows 2000+
• MITM can downgrade cipher suite to 40-bit
• MAC hashes can be downgraded to 40-bit
SSL 3.0 (1996) - Windows 2000+
• Support for DH, Fortezza key exchanges
• Support for non-RSA certificates
TLS 1.0 (1999) - Windows 2000+
• Security same as SSL 3.0
• Protocol not compatible with SSL 3.0
• IETF and US FIPS standard
TLS 1.1 and 1.2 (2006, 2008) - Windows 7/2008 R2
• More recent standards offering SHA2 and ECDH suites
• Can fall back to TLS 1.0 without TCP RST
DTLS 1.0 (based on TLS 1.0) and 1.2 (based on TLS 1.2) - Windows 8/2012
• Update available for Windows 7/2008 R2 (KB2574819)
• UDP datagram based communications such as RDP-UDP
TLS 1.3 - August 2018
Application support for TLS 1.1 and newer
Windows XP/2003 only TLS 1.0
IE 9+ by default
RDP client and server since Windows 8/2012
NetFx 2.0/3.x TLS 1.0 only
NetFx 2.0/3.x SHA1 only

Third-party support
iOS 5+
• TLS 1.1, TLS 1.2
Java SE 7
• TLS 1.1, TLS 1.2
Java 1.4.2
• SHA-256 in crypto provider
Chrome 22-29
• TLS 1.1
Chrome 30+
• TLS 1.1, TLS 1.2
SSL 2.0 cipher suites
SSL_RC4_128_WITH_MD5
SSL_DES_192_EDE3_CBC_WITH_MD5
SSL_RC2_CBC_128_CBC_WITH_MD5
SSL_DES_64_CBC_WITH_MD5
SSL_RC4_128_EXPORT40_WITH_MD5
Windows XP/2003 - TLS 1.0/SSL cipher suites (no AES)
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
Windows Vista/2008+ TLS v1.0 cipher suites (AES/EC/SHA1)
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Original Windows 7/2008 R2 TLS v1.1 cipher suites (AES/EC/SHA2) - no preference for PFS, enabled RC4, enabled NULL encryption
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
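An added example (not from the slides) that audits cipher suite names such as those in the lists above and shows the client-side configuration that enforces the version history from the SSL vs. TLS slide: Python's `ssl` module with `minimum_version` pinned to TLS 1.2 and an OpenSSL cipher string restricted to PFS key exchange with AEAD record protection. The token list (RC4, RC2, DES, EXPORT, NULL, MD5), the sample suite list and the cipher string are the example's own choices; the classifier handles both the IANA-style names on the slides and OpenSSL's hyphenated spelling returned by `get_ciphers()`.

```python
import re
import ssl

# Constructed sample: names from the slide lists plus two OpenSSL spellings.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_CK_RC4_128_WITH_MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

# Components that disqualify a suite (the example's own list). Matched so that
# a preceding letter blocks the match: 3DES counts as DES, ECDSA does not.
WEAK_TOKENS = ("RC4", "RC2", "DES", "EXPORT", "NULL", "MD5")

def classify(name):
    upper = name.upper()
    tokens = re.split(r"[_-]", upper)
    weak = [t for t in WEAK_TOKENS if re.search(r"(?<![A-Z])" + t, upper)]
    tls13 = upper.startswith(("TLS_AES_", "TLS_CHACHA20_"))   # TLS 1.3 names: always ephemeral DH
    pfs = tls13 or "ECDHE" in tokens or "DHE" in tokens
    aead = "GCM" in tokens or "CCM" in tokens or "CHACHA20" in tokens
    legacy_ssl = upper.startswith("SSL_")                       # SSL 2.0/3.0 era names
    return {"name": name, "pfs": pfs, "aead": aead, "weak": weak,
            "legacy_ssl": legacy_ssl,
            "accept": pfs and aead and not weak and not legacy_ssl}

def audit(suites):
    """Names worth keeping: PFS key exchange, AEAD record protection, no weak parts."""
    return [c["name"] for c in map(classify, suites) if c["accept"]]

def hardened_client_context():
    ctx = ssl.create_default_context()              # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    # TLS 1.2 suites only; OpenSSL manages the TLS 1.3 suites separately
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

def context_has_weak_suites(ctx):
    """True if any suite the context would offer fails the audit."""
    return any(classify(c["name"])["weak"] or not classify(c["name"])["pfs"]
               for c in ctx.get_ciphers())

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(classify(suite))
    print("kept:", audit(SAMPLE_SUITES))
    print("hardened context offers weak suites:", context_has_weak_suites(hardened_client_context()))
```

Run against the Windows 7/2008 R2 list on the slide, `audit` keeps only the ECDHE_ECDSA GCM entries; everything with RSA key exchange, CBC, RC4, NULL or an SSL_ prefix is dropped, which is the "no preference for PFS, enabled RC4, enabled NULL encryption" remark turned into a check.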
TLS performance (TLS 1.2)
Test-Tls function
1 server CPU, 8 client CPUs
• no certificate validation on client
• server certificate only
RSA 2048
RSA 4096
client running at 90% CPU
TCP 3389 - svchost.exe, 60% CPU
TCP 443 - lsass.exe, 15% CPU
~126 sessions per second
• full handshake (client hello, server hello, key ex)
Validating TLS servers
http://www.ssllabs.com
or download offline toolkit
Digital signatures and timestamps
Document or code signatures
agreement
cannot change yet readable
software whitelisting
antispam whitelisting
data leakage prevention (DLP)
...
Timestamping vs. signatures
signature
• proves identity of the author or rather means "I agree"
• an invoice is signed by the seller to manifest his consent with a trade agreement
• a debt note is signed by the debtor to manifest his willingness to borrow the money
timestamp
• confirms existence of data before the point in time
• buyer timestamps all received invoices to be able to prove their timely possession to tax authorities
• bank timestamps debt notes in order to be able to prove they were not crafted later

Non-repudiation private keys
digital signature is binding
• policy only
must protect keys only until certificate expires
• always better to destroy afterwards
recipient of signature is responsible for proving the signature was made rightly
• => timestamping
Time authority (TA)
timestamp signing certificate
• private key
online connection required
can sign larger amounts at once
• data already existed anyway

Timestamp (correct??)
[diagram: signer produces a signature over the hash of the data; the TA signature covers only the time]
Timestamp (correct?)
[diagram: signer produces a signature over the hash of the data; the TA signature covers time + hash]
Timestamp (OK)
[diagram: signer produces a signature over the hash of the data; the TA signature covers time + hash (second variant)]
Timestamp (OK)
[diagram: signer produces a signature over the hash of the data; the TA signature covers time + signature]
Re-timestamping
[diagram: TA old signature covers old time + old hash; TA 2 signature covers new time + new hash]
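The "Timestamp (OK)" flow and re-timestamping above in working code, written for this page rather than taken from the slides. Real signers and time authorities sign with the private keys behind their certificates; this example stands in HMAC-SHA256 under constructed per-party secrets for both signature operations (an assumption, labelled in the code) so that the verification logic runs offline. The first token binds a TA time to the hash of the signer's signature, a re-timestamp binds a new TA time to the hash of the previous token, and the verifier accepts the signature as long as the earliest TA time lies inside the signer key's validity, even if that key has expired since. Times and the validity limit are plain integers in the verifier's own units.

```python
import hashlib
import hmac
import json

# Stand-in for digital signatures (constructed example): HMAC-SHA256 under a
# per-party secret. Real signers and TAs use RSA/ECDSA keys from their
# certificates; what is bound and what is checked stays the same.
SIGNER_KEY = b"constructed-signer-key"
TA_KEYS = {"TA-old": b"constructed-ta-old-key", "TA-2": b"constructed-ta-2-key"}

def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)

def sign_document(data):
    # the signer signs the hash of the data ("I agree")
    return sign(SIGNER_KEY, sha256_hex(data).encode())

def issue_timestamp(ta_name, ta_time, covered):
    # TA signs (time, hash of the covered object). For the first token the
    # covered object is the signer's signature ("Timestamp (OK)"); for a
    # re-timestamp it is the previous token (old time + old hash).
    body = json.dumps({"ta": ta_name, "time": ta_time, "hash": sha256_hex(covered)},
                      sort_keys=True)
    return {"body": body, "sig": sign(TA_KEYS[ta_name], body.encode())}

def token_bytes(token):
    return (token["body"] + token["sig"]).encode()

def verify_chain(data, signature, tokens, signer_key_valid_until):
    """Return (ok, reason). tokens[0] must cover the signature, tokens[i] must
    cover tokens[i-1], TA times must not go backwards, and the earliest TA
    time must fall inside the signer key's validity."""
    if not verify(SIGNER_KEY, sha256_hex(data).encode(), signature):
        return False, "signature does not verify"
    if not tokens:
        return False, "no timestamp: cannot tell when the signature was made"
    covered = signature.encode()
    last_time = None
    for tok in tokens:
        body = json.loads(tok["body"])
        key = TA_KEYS.get(body["ta"])
        if key is None or not verify(key, tok["body"].encode(), tok["sig"]):
            return False, "TA signature does not verify"
        if body["hash"] != sha256_hex(covered):
            return False, "token does not cover the expected object"
        if last_time is not None and body["time"] < last_time:
            return False, "timestamps out of order"
        last_time = body["time"]
        covered = token_bytes(tok)          # next token must cover this one
    first_time = json.loads(tokens[0]["body"])["time"]
    if first_time > signer_key_valid_until:
        return False, "signature timestamped after signer key expiry"
    return True, "ok"

if __name__ == "__main__":
    data = b"invoice 123"                    # constructed document
    sig = sign_document(data)
    t1 = issue_timestamp("TA-old", 1000, sig.encode())
    t2 = issue_timestamp("TA-2", 3000, token_bytes(t1))   # re-timestamp before TA-old expires
    print(verify_chain(data, sig, [t1, t2], signer_key_valid_until=2000))
```

The verifier never consults the signer key's current state: the chain of TA tokens is what proves the signature existed at time 1000, which is the slide's point that keys need protecting only until the certificate expires and that the recipient, not the signer, carries the burden of proof.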
Extended protection for authentication
Combining client symmetric secret with server P/P certificate in order to prevent SSL inspection (MITM)