Cryptography - the strongest link in the practice of cyber security?

Boldizsár Bencsáth PhD
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu

This is joint work with Levente Buttyán.


Post on 01-Apr-2015


Part 1

Using bad crypto in a bad way -> Fail


SecureURL.php flaw

In one of our consulting jobs, we found SecureURL.php being used.

SecureURL.php hides and protects CGI GET parameters. Instead of

www.example.com/mydata?id=11&parameter=other

you see something like

www.example.com?sec=RGlQXQULVAJRWQpdVR9RWWgBXREFW1pDFw4ZFREtMUUFPRcAOjQ1OGIyNWY1

It protects against inspecting the parameters and manipulating them (integrity protection by checksum).


SecureURL encryption flaw

Encryption:

In function crypt($text,$key):

$key = md5($key); ...

… $crypt .= chr(ord($text[$i]) ^ ord($key[$j]));

Problem: if you know the ciphertext and the cleartext, you can calculate the key (the MD5 of the key).

It can be easy to identify ciphertext – cleartext pairs by guessing, etc.

The length of the key is limited - MD5: 32 chars.


SecureURL integrity check flaw

The problematic part:

return dechex(crc32(md5($text) . md5($this->key)));

A CRC is calculated over the cleartext with the MD5 of the key added.

CRC is not a cryptographically strong integrity protection algorithm.

The main problem is that you don't need the key to produce a fake integrity check code, just the MD5 of the key.

The MD5 of the key can be calculated using the previous encryption flaw.
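The two SecureURL flaws above, re-created in Python next to a keyed replacement for the checksum. This is an added example, not code from SecureURL.php or from the slides; the key and query strings are constructed, the wrap-around of the index j after 32 characters is an assumption (the loop is elided on the slide), and the HMAC functions are a suggested integrity check only, not a fix for the encryption.

```python
import hashlib
import hmac
import zlib

# Constructed sample values, not taken from any real deployment.
KEY = b"constructed-site-secret"
QUERY = b"id=11&parameter=other&lang=en&page=1"
OTHER = b"id=12&parameter=other&lang=en&page=1"

def md5_hex(data: bytes) -> bytes:
    """PHP md5() returns 32 lowercase hex characters."""
    return hashlib.md5(data).hexdigest().encode()

def weak_crypt(text: bytes, key: bytes) -> bytes:
    # XOR the text with the hex digest of the key, as on the slide.
    # Assumption: index j wraps after 32 characters (the loop is elided there).
    stream = md5_hex(key)
    return bytes(b ^ stream[i % 32] for i, b in enumerate(text))

def weak_checksum(text: bytes, key_digest: bytes) -> str:
    # dechex(crc32(md5($text) . md5($this->key))): the input is md5(key),
    # never the key itself.
    return format(zlib.crc32(md5_hex(text) + key_digest) & 0xFFFFFFFF, "x")

def exposed_digest(cipher: bytes, cleartext: bytes) -> bytes:
    # cipher XOR cleartext is the XOR stream; 32 matching bytes are md5(key).
    return bytes(c ^ p for c, p in zip(cipher, cleartext))[:32]

def keyed_tag(text: bytes, key: bytes) -> str:
    # Replacement integrity check: HMAC-SHA256 needs the secret key itself.
    return hmac.new(key, text, hashlib.sha256).hexdigest()

def tag_is_valid(text: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(text, key), tag)

def demo() -> dict:
    digest = exposed_digest(weak_crypt(QUERY, KEY), QUERY)
    return {
        "digest_exposed": digest == md5_hex(KEY),
        "checksum_needs_no_key":
            weak_checksum(OTHER, digest) == weak_checksum(OTHER, md5_hex(KEY)),
        "hmac_rejects_altered_text":
            not tag_is_valid(OTHER, keyed_tag(QUERY, KEY), KEY),
    }

if __name__ == "__main__":
    print(demo())
```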


What was the problem?

MD5, CRC, and XOR worked as intended.
We know the problems with MD5.
We know where to use CRC.
But the main problem was the bad application of the elements.


Part 2

Intermezzo

How do we think about the position of cryptography?


People think like this / Importance

[Figure: layer diagram with the labels Users, Applications, OS, Cryptographic primitives, Math, Libraries]

In marketing, and in the user's head, the most important thing is the User, and nobody cares about the layers below.

However, a bug in the lower layers can cause hype – everybody loves to be “clever” about those things.


The reality: Strong security foundations

[Figure: layer diagram with the labels Cryptographic primitives, Mathematics, Users, Applications, OS, Libraries]

In reality, if we go deeper we see much stronger foundations and fewer problems. Users are the weakest point; problems at or below the level of cryptographic primitives are not the main problem.


Press hype on “protocol X is cracked”

The hype begins when some guys, whose technical knowledge something like

but knows that the real importance is

tries to tell others the importance of a small flaw in lower layers….

Basically, he knows that the math/problem is important, but does not understand the problem in detail.


Part 3

Using good crypto in a bad way -> Fail

(protocol errors)

Vaudenay
ASP.NET
Bleichenbacher
Others


CBC encryption with padding

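Example: TLS padding
– the last byte is the length n of the padding (not including the last byte)
– all padding bytes have the value n
– examples of correct padding: x00, x01x01, x02x02x02, …

Verification of TLS padding:
– if the last byte is n, then verify that the last n+1 bytes are all n

[Figure: CBC encryption. Each plaintext block P1, P2, P3, …, PN is XORed (+) with the previous ciphertext block (the IV for P1, CN-1 for PN) and encrypted (E) under key K to give C1, C2, C3, …, CN; the last plaintext block ends with the padding and the padding length.]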


The padding oracle attack on CBC

Padding oracle
– assume that a system uses CBC encryption/decryption with MAC and padding (in this order!)
– the receiver of a CBC-encrypted message may respond differently in the case of “incorrect padding” and in the case of “correct padding but incorrect MAC”
– we get 1 bit of information!

Example padding oracle in practice: a TLS server
– send a random message to a TLS server (chosen ciphertext attack model)
– the server will drop the message with overwhelming probability
  • either the padding is incorrect (the server responds with a DECRYPTION_FAILED alert)
  • or the MAC is incorrect with very high probability (the server responds with BAD_RECORD_MAC)
– if the response is BAD_RECORD_MAC, then the padding was correct: we get 1 bit of information!

How to exploit this?
– such an oracle can be used repeatedly in a clever way to obtain more bits of information
– ultimately, any encrypted message can be decrypted in an efficient way (~1024*N oracle calls, where N is the number of ciphertext blocks in the message)
– this attack was discovered by Vaudenay in 2002
– vulnerable protocols: SSL/TLS, WTLS, IPsec (with AH and ESP), ASP.NET (2010-2011!) …

Lesson learnt
– the block cipher can be strong (e.g., AES); the problem is in the protocol (the way it is used)
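The TLS padding check from the previous slide and the receiver behaviour described above, as an added example that is not part of the original slides: one receiver answers with the two distinguishable alerts, the other always computes the MAC and returns a single alert. It works on the already-decrypted record, so no block cipher is involved; HMAC-SHA256, the key and the function names are assumptions of this example.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length (assumption for this example)
MAC_KEY = b"constructed-mac-key"  # constructed sample key

def tls_padding_len(data: bytes) -> int:
    """Return n when the last n+1 bytes all equal n, otherwise -1."""
    if not data:
        return -1
    n = data[-1]
    if n + 1 > len(data) or any(b != n for b in data[-(n + 1):]):
        return -1
    return n

def build_record(msg: bytes, n: int) -> bytes:
    """MAC, then pad: the plaintext that would be CBC-encrypted."""
    tag = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    return msg + tag + bytes([n]) * (n + 1)

def mac_ok(body: bytes) -> bool:
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def leaky_receiver(decrypted: bytes) -> str:
    # Behaviour described on the slide: two distinguishable failures.
    n = tls_padding_len(decrypted)
    if n < 0:
        return "DECRYPTION_FAILED"
    body = decrypted[:len(decrypted) - (n + 1)]
    return "OK" if mac_ok(body) else "BAD_RECORD_MAC"

def uniform_receiver(decrypted: bytes) -> str:
    # Hardened: bad padding is treated as zero-length padding, the MAC is
    # still computed, and every failure yields the same alert.
    n = tls_padding_len(decrypted)
    strip = n + 1 if n >= 0 else 0
    good_mac = mac_ok(decrypted[:len(decrypted) - strip])
    return "OK" if (n >= 0 and good_mac) else "BAD_RECORD_MAC"
```

This removes the distinguishable alert only; Python gives no constant-time guarantee, so timing behaviour is outside what the example shows.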


Bleichenbacher’s attack on PKCS1 v1.5

Conceptually similar to the Vaudenay attack on CBC
Introduced at Crypto’98
Adaptive chosen ciphertext attack on RSA with PKCS1 v1.5 formatting (e.g. SSL v3.0)
The goal is to decrypt a message with the help of an oracle that
– inputs an arbitrary message
– decrypts it
– verifies PKCS formatting
– responds with 1 if the obtained plaintext is PKCS conform, and 0 otherwise
The attack needs only ~2^20 oracle calls


Some other examples

Latest TLS v1.0 problem
– related to IV handling in CBC mode
– makes it possible to recover some bytes under special conditions
– fixed in TLS v1.1, v1.2

Sony hack – PS3 digital signature
– ECDSA signature is created
– the random element was _not_ random
– the private key can be calculated from two signatures


Part 4

Using good crypto in a good way


Good crypto with proper usage

Good crypto done in a good way works
It’s the strongest element of the computer security chain
Nobody cares about that; hype only begins when there are problems
Cryptography should not be blamed in general, it is our friend


Conclusions

bad crypto --> fail (example: secure URL)
good crypto used in a bad way --> fail (example: Vaudenay attack on CBC)
good crypto used in a good way --> strongest element in the chain
however, theoretical foundations are often missing for telling if crypto is used in a good or in a bad way
– solid work exists for proving correctness of cipher modes
– some works exist for key exchange protocols
– nothing exists for modeling real operation environments


The end…

Dr. Boldizsár Bencsáth

www.crysys.hu