Cryptography - the strongest link in the practice of cybersecurity?
Boldizsár Bencsáth PhD
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu
this is joint work with Levente Buttyán
Laboratory of Cryptography and System Security (CrySyS Adat- és Rendszerbiztonság Laboratórium), www.crysys.hu
Part 1
Using bad crypto in a bad way -> Fail
SecureURL.php flaw
In one of our consulting engagements we found SecureURL.php in use.
SecureURL.php hides and protects CGI GET parameters. Instead of
www.example.com/mydata?id=11&parameter=other
you see something like www.example.com?sec=RGlQXQULVAJRWQpdVR9RWWgBXREFW1pDFw4ZFREtMUUFPRcAOjQ1OGIyNWY1
It protects against inspecting the parameters and manipulating them (integrity protection by a checksum).
SecureURL encryption flaw
Encryption:
In function crypt($text, $key):
    $key = md5($key);
    ...
    $crypt .= chr(ord($text[$i]) ^ ord($key[$j]));
Problem: if you know the ciphertext and know the plaintext, you can calculate the key (the MD5 of the key) simply by XORing them together. Ciphertext-cleartext pairs can be easy to identify by guessing, etc. The length of the key is limited: MD5 gives 32 characters.
SecureURL integrity check flaw
The problematic part:
    return dechex(crc32(md5($text) . md5($this->key)));
A CRC is calculated over the MD5 of the cleartext with the MD5 of the key appended. CRC is not a cryptographically strong integrity protection algorithm. The main problem is that you don't need the key to produce a fake integrity check code, just the MD5 of the key, and the MD5 of the key can be calculated from the previous encryption flaw.
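To make the two flaws of this slide and the previous one concrete, here is an added Python example (not code from the talk or from SecureURL.php) that re-implements the scheme exactly as the slides describe it, shows that one known plaintext/ciphertext pair yields md5($key), the only secret that both the XOR step and the checksum depend on, and then builds a replacement from the same standard-library pieces that does not have this property: a per-message random nonce, an HMAC-derived key stream and an HMAC tag that is verified before anything is decrypted. The assumption that $j cycles over the 32 hex characters of md5($key), the function names seal/unseal and the key and parameter values are ours.

```python
import hashlib
import hmac
import os
import zlib


# --- the SecureURL.php construction, re-implemented from the slides' two code fragments ---
# Assumption: $j walks cyclically over the 32 hex characters of md5($key).
def secureurl_crypt(text, key):
    """crypt($text, $key): XOR the text with the hex digest of md5(key), character by character.
    The same call decrypts, because XOR is its own inverse."""
    k = hashlib.md5(key).hexdigest().encode()          # the key is reduced to 32 characters
    return bytes(t ^ k[i % len(k)] for i, t in enumerate(text))


def secureurl_checksum(text, key):
    """dechex(crc32(md5($text) . md5($this->key))): only md5(key) enters, never the key itself."""
    k = hashlib.md5(key).hexdigest().encode()
    return "%x" % zlib.crc32(hashlib.md5(text).hexdigest().encode() + k)


def recover_keystream(ciphertext, known_plaintext):
    """What one known plaintext/ciphertext pair gives away: the XOR key stream.
    For secureurl_crypt that stream is md5(key), which is all secureurl_checksum needs too."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# --- a replacement built from the same standard-library pieces, used properly (our design) ---
# A 16-byte random nonce, an HMAC-SHA256 counter-mode key stream and an HMAC-SHA256 tag over
# nonce||ciphertext (encrypt-then-MAC). A known plaintext now reveals only this message's stream.
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(text, key):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)                      # fresh per message: the stream never repeats
    ct = bytes(t ^ s for t, s in zip(text, _keystream(enc_key, nonce, len(text))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(token, key):
    """Returns the parameters, or None if the tag does not verify (checked before decryption)."""
    enc_key, mac_key = _subkeys(key)
    if len(token) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


# constructed demo values (not from the page)
KEY = b"constructed-secret"
PARAMS = b"id=11&parameter=other&page=2&sort=asc"      # 37 bytes, longer than the 32-char key stream


def demo():
    ct = secureurl_crypt(PARAMS, KEY)
    leaked = recover_keystream(ct, PARAMS)[:32]
    token1, token2 = seal(PARAMS, KEY), seal(PARAMS, KEY)
    return {
        "leaked_is_md5_of_key": leaked == hashlib.md5(KEY).hexdigest().encode(),
        "streams_differ_per_message": recover_keystream(token1[16:-32], PARAMS)
                                      != recover_keystream(token2[16:-32], PARAMS),
        "unseal_ok": unseal(token1, KEY) == PARAMS,
    }
```

demo() returns True for all three entries: the flawed scheme leaks its whole secret from one pair, while two seals of the same parameters under the same key share no key stream and any tampered token is rejected before its content is looked at.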
What was the problem?
MD5, CRC and XOR worked as they were intended to. We know the problems with MD5, and we know where CRC belongs. The main problem was the bad application of these elements.
Part 2
Intermezzo
How do we think about the position of cryptography?
People think like this (importance)
Layer diagram:
– Users
– Applications
– OS
– Cryptographic primitives
– Math
– Libraries
In marketing, and in the user's head, the most important thing is the user, and nobody cares about the layers below.
However, a bug in the lower layers can cause a hype: everybody loves to be “clever” about those things.
The reality: strong security foundations
Layer diagram:
– Cryptographic primitives
– Mathematics
– Users
– Applications
– OS
– Libraries
In reality, if we go deeper we see much stronger foundations and fewer problems. Users are the weakest point; problems at or below the level of the cryptographic primitives are not the main problem.
Press hype on “protocol X is cracked”
The hype begins when some guys whose technical knowledge is something like [figure], but who know that the real importance is [figure], try to tell others about the importance of a small flaw in the lower layers….
Basically, they know that the math/problem is important, but do not understand the problem in detail.
Part 3
Using good crypto in a bad way -> Fail
(protocol errors)
Vaudenay, ASP.NET, Bleichenbacher, others
CBC encryption with padding
example: TLS padding
– the last byte is the length n of the padding (not including the last byte itself)
– all padding bytes have the value n
– examples of correct padding: x00, x01x01, x02x02x02, …
verification of TLS padding:
– if the last byte is n, then verify that the last n+1 bytes are all n
[Figure: CBC encryption chain – each plaintext block P1 … PN is XORed with the previous ciphertext block (the IV for P1, CN-1 for PN) and encrypted with E under key K to give C1 … CN; the last block ends with the padding and the padding length byte.]
The padding oracle attack on CBC
padding oracle:
– assume that a system uses CBC encryption/decryption with MAC and padding (in this order!)
– the receiver of a CBC encrypted message may respond differently in the case of “incorrect padding” and in the case of “correct padding but incorrect MAC”
– we get 1 bit of information!
example padding oracle in practice: a TLS server
– send a random message to a TLS server (chosen ciphertext attack model)
– the server will drop the message with overwhelming probability:
  • either the padding is incorrect (the server responds with a DECRYPTION_FAILED alert)
  • or the MAC is incorrect with very high probability (the server responds with BAD_RECORD_MAC)
– if the response is BAD_RECORD_MAC, then the padding was correct: we get 1 bit of information!
how to exploit this?
– such an oracle can be used repeatedly in a clever way to obtain more bits of information
– ultimately, any encrypted message can be decrypted in an efficient way (~1024*N oracle calls, where N is the number of ciphertext blocks in the message)
– this attack was discovered by Vaudenay in 2002
– vulnerable protocols: SSL/TLS, WTLS, IPsec (with AH and ESP), ASP.NET (2010-2011!) …
lesson learnt:
– the block cipher can be strong (e.g., AES); the problem is in the protocol (the way it is used)
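The ordering the slide warns about, MAC-then-encrypt with the padding checked before the MAC, is easiest to see next to its fix, so here is an added Python example (not the talk's code) with both receivers side by side. It uses a small hash-based Feistel block cipher as a stand-in for AES (an assumption made only to keep the example dependency-free), the TLS padding rule from the previous slide and an HMAC-SHA256 tag; classify() reports what an observer learns from the receiver's reaction when a single ciphertext byte is altered. Keys, message and function names are constructed.

```python
import hashlib
import hmac
import os

BLOCK, TAG_LEN = 16, 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 128-bit block cipher (4-round Feistel over SHA-256): a dependency-free stand-in for
# AES, assumed here only so the example runs anywhere; the protocol logic is the point.
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r

def cbc_encrypt(key, iv, pt):                 # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):                 # P_i = D_K(C_i) xor C_{i-1}
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

class BadPadding(Exception): pass
class BadMac(Exception): pass
class DecryptionFailed(Exception): pass

def tls_pad(data):                            # last byte n, and the last n+1 bytes all equal n
    n = (BLOCK - 1 - len(data) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)

def tls_unpad(pt):
    n = pt[-1] if pt else -1
    if n < 0 or n + 1 > len(pt) or any(b != n for b in pt[-(n + 1):]):
        raise BadPadding
    return pt[:-(n + 1)]

# MAC-then-encrypt, padding checked before the MAC: the two failures are distinguishable,
# which is exactly the 1-bit oracle described on the slide.
def mac_then_encrypt(enc_key, mac_key, msg):
    iv = os.urandom(BLOCK)
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, tls_pad(msg + tag))

def leaky_receive(enc_key, mac_key, rec):
    body = tls_unpad(cbc_decrypt(enc_key, rec[:BLOCK], rec[BLOCK:]))    # may raise BadPadding
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        raise BadMac                                                    # a different error
    return msg

# Encrypt-then-MAC: the tag over IV||ciphertext is checked first, the padding is only ever
# inspected on authentic data, and every failure collapses into one error.
def encrypt_then_mac(enc_key, mac_key, msg):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, tls_pad(msg))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def safe_receive(enc_key, mac_key, rec):
    body, tag = rec[:-TAG_LEN], rec[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise DecryptionFailed
    try:
        return tls_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except BadPadding:
        raise DecryptionFailed from None

def classify(receive, enc_key, mac_key, rec):  # what an observer learns from the reaction
    try:
        receive(enc_key, mac_key, rec)
        return "ok"
    except (BadPadding, BadMac, DecryptionFailed) as e:
        return type(e).__name__

def tamper(rec, index, mask):
    out = bytearray(rec)
    out[index] ^= mask
    return bytes(out)

# constructed demo values (not from the page)
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
MSG = b"A" * 47      # 47 + 32 tag bytes = 79 -> padded with one 0x00 byte to 80 bytes (5 blocks)

def demo():
    leaky, safe = mac_then_encrypt(ENC_KEY, MAC_KEY, MSG), encrypt_then_mac(ENC_KEY, MAC_KEY, MSG)
    return {  # flip IV byte 0: padding stays valid; flip bit 7 of the pad-length byte (via block N-1)
        "leaky_iv": classify(leaky_receive, ENC_KEY, MAC_KEY, tamper(leaky, 0, 0x01)),
        "leaky_pad": classify(leaky_receive, ENC_KEY, MAC_KEY, tamper(leaky, len(leaky) - BLOCK - 1, 0x80)),
        "safe_iv": classify(safe_receive, ENC_KEY, MAC_KEY, tamper(safe, 0, 0x01)),
        "safe_pad": classify(safe_receive, ENC_KEY, MAC_KEY, tamper(safe, len(safe) - TAG_LEN - BLOCK - 1, 0x80)),
    }
```

demo() returns "BadMac" and "BadPadding" for the leaky receiver, so the reaction tells the sender whether the padding of the altered record was accepted, and "DecryptionFailed" twice for the encrypt-then-MAC receiver, which reacts identically to both alterations. Flipping a bit in the IV only changes the first plaintext block, so the padding at the end stays valid; flipping the top bit of the last byte of block N-1 turns the padding length byte 0x00 into 0x80, which no 80-byte plaintext can satisfy.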
Bleichenbacher’s attack on PKCS#1 v1.5
– conceptually similar to the Vaudenay attack on CBC
– introduced at Crypto’98
– adaptive chosen ciphertext attack on RSA with PKCS#1 v1.5 formatting (e.g. SSL v3.0)
– the goal is to decrypt a message with the help of an oracle that
  • takes an arbitrary message as input
  • decrypts it
  • verifies the PKCS formatting
  • responds with 1 if the obtained plaintext is PKCS-conformant, and 0 otherwise
– the attack needs only ~2^20 oracle calls
Some other examples
Latest TLS v1.0 problem
– related to IV handling in CBC mode
– makes it possible to recover some bytes under special conditions
– fixed in TLS v1.1 and v1.2
Sony hack – PS3 digital signature
– an ECDSA signature is created
– the random element was _not_ random
– the private key can be calculated from two signatures
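As an added Python example (not from the talk), a textbook-sized ECDSA over the toy curve y^2 = x^3 + 2x + 2 over GF(17) shows the mechanism behind the PS3 slide and the check a defender can run over a set of signatures: r = (kG).x depends only on the nonce k, so a signer whose “random” k repeats produces signatures with identical r, and scanning for repeated (signer, r) pairs flags exactly those. The curve parameters, the signer name, the private key and the message hashes are constructed for the demo; the example stops at detecting the repeated nonce.

```python
# Toy curve from textbooks: y^2 = x^3 + 2x + 2 over GF(17), generator G = (5, 1) of order 19.
# Assumption: curve, signer name, private key and hashes below are constructed for the demo.
P_MOD, A_COEF = 17, 2
G, ORDER = (5, 1), 19

def _inv(x, m):
    return pow(x % m, -1, m)       # modular inverse, Python 3.8+

def point_add(P, Q):               # affine addition; None is the point at infinity
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * _inv(2 * y1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, P):             # double-and-add
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P, k = point_add(P, P), k >> 1
    return R

def ecdsa_sign(h, d, k):
    """r = (kG).x mod n, s = k^-1 (h + d*r) mod n. The caller supplies k so that the effect
    of a 'random' element that is not random can be observed."""
    r = scalar_mult(k, G)[0] % ORDER
    s = _inv(k, ORDER) * (h + d * r) % ORDER
    if r == 0 or s == 0:
        raise ValueError("retry with another k")
    return (r, s)

def ecdsa_verify(h, pub, sig):
    r, s = sig
    if not (0 < r < ORDER and 0 < s < ORDER):
        return False
    w = _inv(s, ORDER)
    R = point_add(scalar_mult(h * w % ORDER, G), scalar_mult(r * w % ORDER, pub))
    return R is not None and R[0] % ORDER == r

def find_nonce_reuse(signatures):
    """signatures: iterable of (signer, r, s). Since r depends only on k, two signatures by the
    same signer sharing r are the fingerprint of a repeated nonce. Returns {(signer, r): [s, ...]}."""
    seen = {}
    for signer, r, s in signatures:
        seen.setdefault((signer, r), []).append(s)
    return {key: ss for key, ss in seen.items() if len(ss) > 1}

PRIV = 3
PUB = scalar_mult(PRIV, G)         # (10, 6)

def demo():
    # a signer whose RNG always returns k = 2 (constructed), plus one signature with a fresh k
    hashes = (5, 11, 9)
    sigs = [("firmware-signer", *ecdsa_sign(5, PRIV, 2)),
            ("firmware-signer", *ecdsa_sign(11, PRIV, 2)),
            ("firmware-signer", *ecdsa_sign(9, PRIV, 4))]
    assert all(ecdsa_verify(h, PUB, (r, s)) for h, (_, r, s) in zip(hashes, sigs))
    return find_nonce_reuse(sigs)
```

All three signatures verify, yet demo() returns {("firmware-signer", 6): [2, 5]}: the two signatures made with the repeated nonce share r = 6, which is what an audit of published signatures would look for, while the one made with a fresh nonce has r = 3 and is not reported.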
Part 4
Using good crypto in a good way
Good crypto with proper usage
Good crypto done in a good way works. It is the strongest element of the computer security chain. Nobody cares about that; the hype only begins when there are problems. Cryptography should not be blamed in general, it is our friend.
Conclusions
– bad crypto --> fail (example: SecureURL)
– good crypto used in a bad way --> fail (example: Vaudenay attack on CBC)
– good crypto used in a good way --> the strongest element in the chain; however, the theoretical foundations for telling whether crypto is used in a good or in a bad way are often missing:
  • solid work exists for proving the correctness of cipher modes
  • some work exists for key exchange protocols
  • nothing exists for modeling real operating environments
The end…
Dr. Boldizsár Bencsáth
www.crysys.hu