8 insecure cryptographic storage
play

8) Insecure Cryptographic Storage Emmanuel Benoist Fall Term - PowerPoint PPT Presentation

Apr 01, 2024 •376 likes •646 views

8) Insecure Cryptographic Storage Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Examples Attacks

  1. 8) Insecure Cryptographic Storage Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 1

  2. Table of Contents Presentation � Examples � Attacks Recommendations � PCI Data Security Standard � Conclusion � Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 2

  3. Presentation Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 3

  4. Insecure Cryptographic Storage Data and Credentials are rarely protected with cryptographic functions Data collected can be used by attackers For Identity Theft or other crimes like Credit Card Fraud Most common problems Not encrypting sensitive data Using home grown algorithms Insecure use of strong algorithms Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc.) Hard coding keys, and storing keys in unprotected stores Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 4

  5. Examples Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 5

  6. Attacks Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 6

  7. E-Commerce Web Site Suppose we manage a e-shop We sell goods and clients pay using their credit cards We have to store the address and references of all our clients for the legal issues. Data stored: name, address, e-mail, phone, Credit Cards Numbers Our web site is attacked Attackers access to our Database They can harvest the whole content of our customer clients Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 7

  8. E-Commerce Web Site (Cont.) Damages? For the Clients Use of Credit Cards Number by attackers Privacy violation Identity Theft . . . For The Web Site Reputation Clients data stolen (can be resold to a competitor) Business secrets stolen For the Credit Card Company Reputation Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 8

  9. Which assets should be protected? Passwords of users Clear-text : accessible by SQL injection, or insiders Hashed : can be verified, but not read Problem : Easy to check using lists of hashed passwords (dictionary attack) Hashed with the same salt : Attackers need to find the salt Hashed using a generic salt and a specific salt Credit Card Numbers Ruled by the Credit card industry (see later) Private keys Should always been stored encrypted At least protected using a passphrase Business dependant Private data Social Security Number (AHV / AVS in Switzerland) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 9

  10. Cryptographic tools Encryption If you need to read and write data: symmetric encryption (e.g. DES, AES) If reading and writing are done by different entities: asymmetric encryption (e.g. RSA) One-way hash functions One input has always the same output Impossible to go from the output back to the input No collision can be generated (two inputs having the same output) Example : SHA-256 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 10

  11. Example: Self Made Crypto Algorithm Hash Function We want to hash a Medical Record Number Highly Sensitive data Require One-Way hashing Needs to be implemented by a partner. Partner delivers a self-made algorithm Based on Modulo This function is so complicated that it can not be reversed. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 11

  12. Self Made Crypto Algorithm Algorithm Transform all the chars in the string into numbers Take an arbitrary number (always the same) Add this number to the last char, and modulo to remains in interval where conversion of number and char is automatic Add the obtained number to the penultimate char and modulo etc. The numbers obtained form a string The string is “secure” Attack Take the obtained string, start from the first Substract the arbitrary name to the char, we obtain the original value Go on the same If the obtained number is negative, then modulo was used, attacker just needs to substract this value. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 12

  13. Recommendations Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 13

  14. Recommendations Recommendations Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 14

  15. Use only Strong Crypto Algorithms Do not create cryptographic algorithms Only use approved public algorithms such as: AES, RSA public key cryptography and SHA-256 or better Do not use weak algorithms MD5 / SHA1 hash functions have been proven weak Favor safer alternatives such as SHA-256 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 15

  16. Handle Keys with extra Care Generate keys offline and store private keys with extreme care Never transmit private keys over insecure channels Store if possible your private key encrypted Using a pass-phrase Or in a Password Manager Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 16

  17. Protect Infrastructure Credentials Data Base credentials Use tight file system permissions and controls Encrypt securely credentials Encrypted data should not be easy to decrypt database encryption, useless if database connection pool provides unencrypted access Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 17

  18. PCI Data Security Standard Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 18

  19. PCI Data Security Standard Payment Card Industry Data Security Standard Developed by major credit card companies (e.g. Visa, Mastercard, American Express) to help organizations preventing credit card fraud Must be implemented by any merchant using Credit Cards A company processing, storing or transmitting payment card data must be PCI DSS compliant Risk: losing their ability to process credit card payment Compliance must be validated periodically Validation conducted by auditors (Qualified Security Assessors (QSAs) Smaller companies just fill a self-assessment questionnaire. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 19

  20. PCI-DSS Requirements Build and Maintain a Secure network Install and maintain a firewall Do not use vendor-supplied default password and other security parameters Protect Card-holder Data Protect stored card-holder data Encrypt transmission of card-holder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement String Access Control Measures Restrict access to card-holder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to card-holder data Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 20

  21. PCI-DSS Requirements (Cont.) Regularly Monitor and Test Networks Track and monitor all access to network resources and card-holder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 21

  22. PCI DSS - Storage of data Card-holder Data Primary Account Number (PAN, a.k.a. credit card number) Card-holder name Service Code Expiration Date Can be stored Require protection Sensitive Authentication Data Full Magnetic Stripe CVC2/CVV2/CID PIN Can in no case be stored Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 22

  23. Store only necessary data Develop a data retention and disposal policy Limit storage and retention time to which is required for business, legal, and/or regulatory Protect PAN Truncate card-holder data if full PAN is not needed Never send PAN in unencrypted e-mails Mask PAN when displayed Render PAN unreadable anywhere it is stored Strong one-way hash functions Truncation Index tokens and pads (pads must be securely stored) Strong cryptography with associated key management processes and procedures Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 23

  24. Conclusion Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM

Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM

Insecure.Org Insecure.Org Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM http://insecure.org/presentations/CSW09/ Insecure.Org Insecure.Org Ncat http://nmap.org/ncat/ Insecure.Org Insecure.Org Modern Networking Features

689 views • 21 slides
On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage Aaram Yun , Chunhui Shi, Yongdae Kim University of Minnesota CCSW 2009, 13 Nov 2009 Cryptographic network file system How to achieve a

348 views • 16 slides
Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor

Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor

Insecure.Org Insecure.Org Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor Lyon Sharkfest 2010 June 16, 1:15 PM http://insecure.org/presentations/Sharkfest10/ Insecure.Org Insecure.Org Nmap

278 views • 16 slides
Cryptographic proofs for remote storage: models and construction Julien Lavauzelle 1 , Franoise

Cryptographic proofs for remote storage: models and construction Julien Lavauzelle 1 , Franoise

Cryptographic proofs for remote storage: models and construction Julien Lavauzelle 1 , Franoise Levy-dit-Vehel 1,2 1 LIX & INRIA Saclay, Universit Paris-Saclay 2 ENSTA ParisTech Journes codage & cryptographie 2018, Aussois, France

842 views • 55 slides
Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography

Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography

Cryptographic Cloud Storage: a proposal a proposal Seny Kamara, Kristin Lauter Cryptography Group Microsoft Research Applications/Scenarios Secure Outsourcing for Business Electronic Health Records Interactive Scientific Publishing

452 views • 4 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou

CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou

CS2 : A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom Roeder (MSR) Cloud Computing Cloud Computing o Main concern o will my data be safe? o will anyone see it? o can anyone modify it?

960 views • 42 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
A4: Insecure Direct Object References A4 Insecure Direct Object References General

A4: Insecure Direct Object References A4 Insecure Direct Object References General

A4: Insecure Direct Object References A4 Insecure Direct Object References General problem: Unrestricted Access A4: Data not properly protected A7: Functions not properly protected Examples Presentation-layer access control

506 views • 27 slides
Cryptographic Implementation Attacks Check Point June 25, 2010 Joseph Bonneau Security Group

Cryptographic Implementation Attacks Check Point June 25, 2010 Joseph Bonneau Security Group

Cryptographic Implementation Attacks Check Point June 25, 2010 Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Insecure MAC checking routine #1 int check_MAC(u_char * test, u_char * correct){ return (strcmp(test, correct) == 0); }

2.11k views • 122 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Insecure.Org Insecure.Org Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16 August 8, 2008; 4PM Insecure.Org Insecure.Org Scan Goals Collect empirical data and use it to enhance Nmap

558 views • 45 slides
Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

539 views • 4 slides
Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

424 views • 20 slides
Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Mastering the Nmap Scripting Engine by Fyodor and David Fifield

Insecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas Defcon 18 July 28; 4:45 PM; Augustus 5+6 July 30; 5:00 PM; Track One

622 views • 34 slides
10 YEARS OF FFAG DEVELOPMENT Yoshiharu Mori Kyoto University, Research Reactor Institute 2010

10 YEARS OF FFAG DEVELOPMENT Yoshiharu Mori Kyoto University, Research Reactor Institute 2010

10 YEARS OF FFAG DEVELOPMENT Yoshiharu Mori Kyoto University, Research Reactor Institute 2010 10 27 10 YEARS OF FFAG DEVELOPMENT mostly in Japan Yoshiharu Mori Kyoto University, Research Reactor Institute 2010 10

1.28k views • 66 slides
FFAG as a phase rotator for the PRISM project A. Sato, M. Aoki, Y. Arimoto, Y. Kuno, M.

FFAG as a phase rotator for the PRISM project A. Sato, M. Aoki, Y. Arimoto, Y. Kuno, M.

FFAG as a phase rotator for the PRISM project A. Sato, M. Aoki, Y. Arimoto, Y. Kuno, M. Yoshida, Osaka University S. Machida, Y. Mori, C. Ohmori, T. Yokoi, K. Yoshimura, KEK Y. Iwashita, Kyoto ICR S. Ninomiya, RCNP Physics motivation

706 views • 21 slides
DEVELOPMENT OF SSR2 FOCUSING LENSES FOR PIP-II Updates on cold measurements on SSR2 magnets

DEVELOPMENT OF SSR2 FOCUSING LENSES FOR PIP-II Updates on cold measurements on SSR2 magnets

DEVELOPMENT OF SSR2 FOCUSING LENSES FOR PIP-II Updates on cold measurements on SSR2 magnets Electromagnetic Application Section Electromagnetic Applications & Instrumentation Division Team members: Kumud Singh, Janvin Itteera, Mahima, R R

79 views • 4 slides
Helicity/Chirality Helicities of (ultra-relativistic) massless particles are (approximately)

Helicity/Chirality Helicities of (ultra-relativistic) massless particles are (approximately)

Helicity/Chirality Helicities of (ultra-relativistic) massless particles are (approximately) conserved Right-handed Left-handed Conservation of chiral charge is a property of massless Dirac theory (classically) The symmetry is

355 views • 33 slides
Magnetic Effects in Matter Consider the following, semi-classical model of an atom. An unpaired

Magnetic Effects in Matter Consider the following, semi-classical model of an atom. An unpaired

Magnetic Effects in Matter Consider the following, semi-classical model of an atom. An unpaired electron follows a circular orbit around the nucleus with a speed v (Figure 1). An external field B is applied per- pendicular to the place of the

283 views • 9 slides
Holographic models of QCD in the strong coupling regime Petr N. Kopnin 1 , 2 1 Institute for

Holographic models of QCD in the strong coupling regime Petr N. Kopnin 1 , 2 1 Institute for

AdS/QCD Setup Low-Energy Theorems CME Debye Mass in Holography Magnetic Susceptibility GrossOoguri Transition Holographic models of QCD in the strong coupling regime Petr N. Kopnin 1 , 2 1 Institute for Theoretical and Experimental

1.55k views • 143 slides
Differentially algebraic equations in physics Youssef Abdelaziz, Jean-Marie Maillard (Universit

Differentially algebraic equations in physics Youssef Abdelaziz, Jean-Marie Maillard (Universit

Differentially algebraic equations in physics Youssef Abdelaziz, Jean-Marie Maillard (Universit e Paris VI) Based on Modular forms, Schwarzian conditions, and symmetries of differential equations in physics , arXiv 1611.08493 S

442 views • 42 slides
Applications of Jarzynskis relation in lattice gauge theories Alessandro Nada Universit` a

Applications of Jarzynskis relation in lattice gauge theories Alessandro Nada Universit` a

Applications of Jarzynskis relation in lattice gauge theories Alessandro Nada Universit` a degli Studi di Torino INFN, Sezione di Torino 34th International Symposium on Lattice Field Theory Southampton, 24-30 July 2016 Based on: M.

733 views • 45 slides

More recommend