Applied Cryptography (Pt. 2) Engineering Secure Software Last - - PowerPoint PPT Presentation

SWEN-331: Engineering Secure Software Benjamin S Meyers

Applied Cryptography (Pt. 2)

Engineering Secure Software

Last Revised: October 16, 2020 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

Recap

• Symmetric keys

○ Benefit: fastest, mathematically the strongest ○ Drawback: distributing the keys

• Public keys

○ Benefit: easier to distribute the keys ○ Drawback: trusting public keys is tricky

• How to establish trust?

○ SSH, SSL, PGP approach this differently

2

SWEN-331: Engineering Secure Software Benjamin S Meyers

SSL: Secure Sockets Layer

• SSL/TLS are the modern public-key encryption standards

○ Protocols suffixed with “s”: https, ftps, etc. ○ Another algorithm implementation best left to the experts

• Untrusted public keys?

○ For ~$30/year, you can get your public key signed!

■ Seriously, this is how it works ■ e.g. VeriSign and GoDaddy are Certificate Authorities (CA’s) ■ Thus, trust the public key != trust the website ■ Ray of hope: letsencrypt.org

○ Self-signed certificate?

■ Not usually a good idea to accept them, but… ■ If the key changes, you will be alerted ■ You only need to trust the server once

3

SWEN-331: Engineering Secure Software Benjamin S Meyers

PGP: Pretty Good Privacy

• Open protocol created in 1991

○ Primarily used for email encryption today ○ Very popular in open source culture

• Combines symmetric-key and public-key cryptography

○ Symmetric is much faster and harder to crack than public-key ○ Uses public-key to distribute the symmetric-key ○ Untrusted recipient now has your symmetric-key? ■ One-time symmetric-key only ■ Use a secure PRNG to generate symmetric-keys

4

SWEN-331: Engineering Secure Software Benjamin S Meyers

PGP: Web of Trust

• How do you trust PGP public-keys?

○ There are no PGP certificate authorities ○ Public-key databases are open

• How do you know that the food you’re eating is disease-free?

○ You trust the grocery store, who trusts the distributors, who trust the farmers ○ FDA is also a trusted third party ○ But when you trust the farmers directly, you trust their food more

• In the same way, PGP incentivizes short trust chains

○ Each person can “sign” someone else’s key, connecting you to them in a web of trust ○ Each “hop” diminishes the trust of a given public-key

5

SWEN-331: Engineering Secure Software Benjamin S Meyers

PGP: Web of Trust

6

Bryan Me Jen Sid Paul

Emilio

Andy Direct Trust I n d i r e c t T r u s t

SWEN-331: Engineering Secure Software Benjamin S Meyers

PGP: Mean Shortest Distance

• How trusted should this key be?

○ Geodesic paths (shortest paths) ○ Compare the mean geodesic distance to entire network mean ○ “Closeness” in social network analysis

• Relatively trusted by the community?

○ Many will trust you (direct connections) ○ If you are trusted by people who are trusts (indirect connections)

7

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: PGP Web of Trust

• Compute shortest distances for every pair in your community

○ MSDPaul: (2+

■ Paul → Karen: 2

8 Karen

Sid Paul

Emilio Bryan

Andy Jen

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: PGP Web of Trust

• Compute shortest distances for every pair in your community

○ MSDPaul: (2+2+

■ Paul → Karen: 2 ■ Paul → Sid: 2

9 Karen

Sid Paul

Emilio Bryan

Andy Jen

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: PGP Web of Trust

• Compute shortest distances for every pair in your community

○ MSDPaul: (2+2+1+

■ Paul → Karen: 2 ■ Paul → Sid: 2 ■ Paul → Jen: 1

10 10 Karen

Sid Paul

Emilio Bryan

Andy Jen

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: PGP Web of Trust

• Compute shortest distances for every pair in your community

○ MSDPaul: (2+2+1+1+

■ Paul → Karen: 2 ■ Paul → Sid: 2 ■ Paul → Jen: 1 ■ Paul → Andy: 1

11 11 Karen

Sid Paul

Emilio Bryan

Andy Jen

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: PGP Web of Trust

• Compute shortest distances for every pair in your community

○ MSDPaul: (2+2+1+1+1)/5 = 1.4

■ Paul → Karen: 2 ■ Paul → Sid: 2 ■ Paul → Jen: 1 ■ Paul → Andy: 1 ■ Paul → Emilio: 1

12 12 Karen

Sid Paul

Emilio Bryan

Andy Jen

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: PGP Web of Trust

• Compute shortest distances for every pair in your community

○ MSDPaul: (2+2+1+1+1)/5 = 1.4 ○ MSDAndy: (2+2+1+1+1)/5 = 1.4 ○ MSDJen: (3+2+1+1+1)/5 = 1.6 ○ MSDEmilio: (3+2+1+1+1)/5 = 1.6 ○ MSDKaren: (4+3+2+2+1)/5 = 2.4 ○ MSDSid: (4+3+2+2+1)/5 = 2.4

• Nobody trusts Bryan

○ Disconnected → Untrusted

13 13 Karen

Sid Paul

Emilio Bryan

Andy Jen

SWEN-331: Engineering Secure Software Benjamin S Meyers 14 14

Source: https://xkcd.com/1181/

SWEN-331: Engineering Secure Software Benjamin S Meyers

Cryptanalysis

• Definition: “the analytic investigation of an information

system with the goal of illuminating hidden aspects of that system” [nsa.gov]

• In other words: breaking cryptography
• Comes in many forms

○ Brute force attacks ○ Theoretical/algorithmic weaknesses ○ Side-channel attacks

15 15

SWEN-331: Engineering Secure Software Benjamin S Meyers

Side Channel Attacks

• Side channel:

○ Information emitted from a physical implementation of a cryptosystem

• Side channel vulnerabilities are mutually exclusive from

algorithmic vulnerabilities

○ Although coding vulnerabilities can lead to side channel attacks

• e.g. password fields obscure the text to prevent someone

from looking over your shoulder

• e.g. keeping the sticky note with your password on your

monitor

16 16

SWEN-331: Engineering Secure Software Benjamin S Meyers

Timing Attacks

• Using the timing of an operation to gain information
• e.g. computing large prime numbers for SSL

○ Constant concern for OpenSSL: CVE-2013-0169 ○ “Square and multiply” algorithm ○ Dependent on how many times you go through a for loop

• e.g. timing for password lookups

○ Does a user exist in MySQL → padding lookup time

• e.g. cache-hit vs. cache-miss on a sensitive record

17 17

SWEN-331: Engineering Secure Software Benjamin S Meyers

Data Remanence

• Deleted data is not always deleted

○ Hard drives release the memory, but it’s not necessarily

• verwritten

○ Magnetic fields can remain even after it’s been overwritten ○ e.g. rebooting a router

• Many, many creative ways to do this

○ Cold Boot Attack: Freezing RAM with liquid nitrogen ○ Hibernation files store RAM ○ Core dumps reveal sensitive information

18 18

SWEN-331: Engineering Secure Software Benjamin S Meyers

So many more...

• Power monitoring attacks

○ Can predict which branch of an if-statement was taken by monitoring power consumption ○ Particularly nasty on embedded devices ○ Even AES encryption can be broken with way

• Van Eck Phreaking (Radiation) → TEMPEST
• Acoustic analysis of hard drive/keyboard sounds
• Accelerometers in phones reveal what you type
• “Chatter” -- even the known existence of encrypted

communication can be useful information

19 19

SWEN-331: Engineering Secure Software Benjamin S Meyers

Lessons from Side Channel Attacks

• Okay, so what?

○ Can we do anything about this? ○ What must software engineers do?

• Lesson 1: Identify your side channels

○ Network chatter, timing, power, etc.

20 20

SWEN-331: Engineering Secure Software Benjamin S Meyers

Lessons from Side Channel Attacks

• Okay, so what?

○ Can we do anything about this? ○ What must software engineers do?

• Lesson 1: Identify your side channels

○ Network chatter, timing, power, etc.

• Lesson 2: You have not identified all of your side channels

21 21

SWEN-331: Engineering Secure Software Benjamin S Meyers

Lessons from Side Channel Attacks

• Okay, so what?

○ Can we do anything about this? ○ What must software engineers do?

• Lesson 1: Identify your side channels

○ Network chatter, timing, power, etc.

• Lesson 2: You have not identified all of your side channels
• Lesson 3: Better testing

○ Realistic production environments ○ Third-party testers with security experience

22 22

SWEN-331: Engineering Secure Software Benjamin S Meyers

Keeping Up

• Networking and cryptographic algorithms are constantly

changing

○ New networking protocols, new models ○ Broken cryptographic algorithms

• You will need to keep up with the news on algorithms

○ Organizations:

■ CWE ■ OWASP: Open Web Application Security Project

○ Bloggers & Researchers:

■ Bruce Schneier: https://www.schneier.com/ ■ Steve Gibson: https://www.grc.com/news.htm ■ Gary McGraw: https://www.synopsys.com/

23 23