Cryptography - the strongest link in the practice of cyber security? Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest.

Presentation transcript:

Cryptography - the strongest link in the practice of cyber security?
Boldizsár Bencsáth PhD
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
This is joint work with Levente Buttyán.

Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium

Part 1: Using bad crypto in a bad way -> Fail

SecureURL.php flaw
- In one of our consulting engagements, we found SecureURL.php in use
- SecureURL.php hides and protects CGI GET parameters
- Instead of … you see something like WgBXREFW1pDFw4ZFREtMUUFPRcAOjQ1OGIyNWY1
- It protects against inspection and manipulation of the parameters (integrity protection by checksum)

SecureURL encryption flaw
- Encryption, in function crypt($text,$key):

    $key = md5($key);
    ...
    $crypt .= chr(ord($text[$i]) ^ ord($key[$j]));

- Problem:
  – If you know the ciphertext and the cleartext, you can calculate the key (the MD5 of the key).
  – It can be easy to identify ciphertext/cleartext pairs by guessing, etc.
  – The length of the key is limited - MD5: 32 chars.

SecureURL integrity check flaw
- The problematic part:

    return dechex(crc32(md5($text) . md5($this->key)));

- A CRC is calculated over the cleartext (its MD5) with the MD5 of the key appended
- CRC is not a cryptographically strong integrity protection algorithm
- The main problem is that you don't need the key to produce a fake integrity check code, just the MD5 of the key
- The MD5 of the key can be calculated from the previous encryption flaw
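The two SecureURL flaws above, reproduced on a small model as an added example (Python written for this page, not SecureURL.php's own code). It assumes the key index cycles over the 32 hex characters of md5($key); the function names, the sample secret and the sample query strings are constructed. The HMAC variant shows an integrity tag that cannot be reproduced from the leaked MD5.

```python
import hashlib
import hmac
import zlib
from itertools import cycle

def md5_hex(data: bytes) -> bytes:
    return hashlib.md5(data).hexdigest().encode()

def weak_crypt(text: bytes, key: bytes) -> bytes:
    # Model of crypt($text,$key): XOR with the 32 hex chars of md5(key), repeated
    # (the cycling key index is an assumption).
    return bytes(t ^ k for t, k in zip(text, cycle(md5_hex(key))))

def weak_tag(text: bytes, key_md5: bytes) -> str:
    # Model of dechex(crc32(md5($text) . md5($key))): only md5(key) is needed.
    return format(zlib.crc32(md5_hex(text) + key_md5) & 0xFFFFFFFF, "x")

def recover_key_md5(known_text: bytes, ciphertext: bytes) -> bytes:
    # XOR of one known cleartext/ciphertext pair is the keystream, i.e. md5(key).
    return bytes(p ^ c for p, c in zip(known_text, ciphertext))[:32]

def strong_tag(text: bytes, key: bytes) -> str:
    # Hardened integrity check: HMAC-SHA256 keyed with the secret itself.
    return hmac.new(key, text, hashlib.sha256).hexdigest()

def demo() -> dict:
    key = b"constructed-server-secret"                       # constructed sample
    known = b"page=products&category=12&sort=price_asc"      # constructed, >= 32 bytes
    altered = b"page=products&category=13&sort=price_asc"    # constructed
    leaked = recover_key_md5(known, weak_crypt(known, key))
    return {
        # the keystream equals md5(key), so one known pair reveals it
        "keystream_leaked": leaked == md5_hex(key),
        # the CRC tag for any text can be recomputed from the leaked value
        "weak_tag_reproducible":
            weak_tag(altered, leaked) == weak_tag(altered, md5_hex(key)),
        # an HMAC keyed with the real secret cannot be recomputed from md5(key)
        "hmac_reproducible":
            hmac.compare_digest(strong_tag(altered, leaked), strong_tag(altered, key)),
    }

if __name__ == "__main__":
    print(demo())
```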

What was the problem?
- MD5, CRC, and XOR worked as intended
- We know the problems with MD5
- We know where to use CRC
- But the main problem was the bad application of the elements

Part 2: Intermezzo
How do we think about the position of cryptography?

People think like this
[Figure: layers ranked by importance: Users, Applications, OS, Libraries, Cryptographic primitives, Math]
In marketing, and in the user's head, the most important thing is the user, and nobody cares about the layers below. However, a bug in the lower layers can cause hype: everybody loves to be "clever" about those things.

The reality: strong security foundations
[Figure: layers: Users, Applications, OS, Libraries, Cryptographic primitives, Mathematics]
In reality, the deeper we go, the stronger the foundations and the fewer the problems. Users are the weakest point; problems at or below the level of the cryptographic primitives are not the main problem.

Press hype on "protocol X is cracked"
- The hype begins when someone whose technical knowledge is something like … but who knows that the real importance is … tries to tell others the importance of a small flaw in the lower layers.
- Basically, he knows that the math/problem is important, but does not understand the problem in detail

Part 3: Using good crypto in a bad way -> Fail (protocol errors)
- Vaudenay
- ASP.NET
- Bleichenbacher
- Others

CBC encryption with padding
- example: TLS padding
  – the last byte is the length n of the padding (not including the last byte)
  – all padding bytes have the value n
  – examples of correct padding: x00, x01x01, x02x02x02, …
- verification of TLS padding:
  – if the last byte is n, then verify that the last n+1 bytes are all n
[Figure: CBC mode encryption of plaintext blocks P1 … PN into ciphertext blocks C1 … CN under key K, starting from the IV; the last plaintext block ends with the padding and the padding length]

The padding oracle attack on CBC
- padding oracle
  – assume that a system uses CBC encryption/decryption with MAC and padding (in this order!)
  – the receiver of a CBC encrypted message may respond differently in the case of "incorrect padding" and in the case of "correct padding but incorrect MAC"
  – we get 1 bit of information!
- example padding oracle in practice: a TLS server
  – send a random message to a TLS server (chosen ciphertext attack model)
  – the server will drop the message with overwhelming probability: either the padding is incorrect (the server responds with a DECRYPTION_FAILED alert), or the MAC is incorrect with very high probability (the server responds with BAD_RECORD_MAC)
  – if the response is BAD_RECORD_MAC, then the padding was correct, so we get 1 bit of information!
- how to exploit this?
  – such an oracle can be used repeatedly in a clever way to obtain more bits of information
  – ultimately, any encrypted message can be decrypted in an efficient way (~1024*N oracle calls, where N is the number of ciphertext blocks in the message)
  – this attack was discovered by Vaudenay in 2002
  – vulnerable protocols: SSL/TLS, WTLS, IPsec (with AH and ESP), ASP.NET (!) …
- lesson learnt
  – the block cipher can be strong (e.g., AES); the problem is in the protocol (the way it is used)
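The padding check and the two receiver responses described above, as an added example (not code from the presentation or from any TLS library). It works on the already CBC-decrypted record and simplifies the MAC to HMAC-SHA1 over the data only; function names and sample records are constructed. `uniform_receiver` shows the usual mitigation: one alert for both failures, with the MAC still computed.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length

def tls_padding_len(plain: bytes):
    """Return the number of bytes to strip (n+1) if TLS padding is valid, else None."""
    if not plain:
        return None
    n = plain[-1]
    if len(plain) < n + 1 or any(b != n for b in plain[-(n + 1):]):
        return None
    return n + 1

def mac_ok(body: bytes, mac_key: bytes) -> bool:
    # Simplified: the MAC covers only the data (real TLS also covers
    # the sequence number and record header).
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha1).digest(), tag)

def leaky_receiver(plain: bytes, mac_key: bytes) -> str:
    # Distinct alerts: the response reveals whether the padding was valid.
    strip = tls_padding_len(plain)
    if strip is None:
        return "DECRYPTION_FAILED"
    return "OK" if mac_ok(plain[:-strip], mac_key) else "BAD_RECORD_MAC"

def uniform_receiver(plain: bytes, mac_key: bytes) -> str:
    # One alert for both failures; the MAC is computed even when the padding
    # is bad, so the amount of work done does not depend on padding validity.
    # (This sketch does not claim to be constant-time.)
    strip = tls_padding_len(plain)
    body = plain[:-strip] if strip else plain[:-1]
    ok = mac_ok(body, mac_key)
    return "OK" if (strip is not None and ok) else "BAD_RECORD_MAC"

def make_record(data: bytes, mac_key: bytes, block: int = 16) -> bytes:
    # Build data || MAC || padding, padded to a multiple of the block size.
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    n = (block - (len(body) + 1) % block) % block
    return body + bytes([n]) * (n + 1)
```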

Bleichenbacher's attack on PKCS1 v1.5
- conceptually similar to the Vaudenay attack on CBC
- introduced at Crypto'98
- adaptive chosen ciphertext attack on RSA with PKCS1 v1.5 formatting (e.g. SSL v3.0)
- the goal is to decrypt a message with the help of an oracle that
  – takes an arbitrary message as input
  – decrypts it
  – verifies the PKCS formatting
  – responds with 1 if the obtained plaintext is PKCS conformant, and 0 otherwise
- the attack needs only ~2^20 oracle calls

Some other examples
- Latest TLS v1.0 problem
  – related to IV handling in CBC mode
  – makes it possible to recover some bytes under special conditions
  – fixed in TLS v1.1, v1.2
- Sony hack: PS3 digital signature
  – an ECDSA signature is created
  – the random element was _not_ random
  – the private key can be calculated from two signatures

Part 4: Using good crypto in a good way

Good crypto with proper usage
- Good crypto done in a good way works
- It's the strongest element of the computer security chain
- Nobody cares about that; the hype only begins when there are problems
- Cryptography should not be blamed in general; it is our friend

Conclusions
- bad crypto --> fail (example: secure URL)
- good crypto used in a bad way --> fail (example: Vaudenay attack on CBC)
- good crypto used in a good way --> strongest element in the chain; however, the theoretical foundations are often missing for telling whether crypto is used in a good or in a bad way
  – solid work exists for proving the correctness of cipher modes
  – some work exists for key exchange protocols
  – nothing exists for modeling real operating environments

The end…
Dr. Boldizsár Bencsáth