Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ - - PowerPoint PPT Presentation

bolt on some crypto
SMART_READER_LITE
LIVE PREVIEW

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ - - PowerPoint PPT Presentation

Sep 13, 2023 115 likes •407 views

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Why you should bolt on some crypto There could be 25+ routers between client and server on the internet. One of them is operated by the barista that burnt your latte.

slide-1
SLIDE 1

Bolt on some Crypto

Michael Samuel

@mik235 https://miknet.net/ Ruxcon 2014

slide-2
SLIDE 2

Why you should bolt on some crypto

There could be 25+ routers between client and server on the internet. One of them is operated by the barista that burnt your latte. Crypto can remove trust from elements - this narrows down the list of things that could compromise your data. Crypto can also provide trust - it can tell you who is on the

  • ther end of a connection, or if a file has changed.
slide-3
SLIDE 3

Securing The Network - TLS & SSH

IETF Standards: SSH - RFC 4250-4255

  • Remote shell
  • File transfer
  • TCP port forwarding, socks proxy
  • Pipe commands over ssh (stdin/stdout)

TLS - RFC 5246.

  • https URIs use TLS
  • STARTTLS command in SMTP, IMAP, POP3, XMPP,

LDAP

slide-4
SLIDE 4

Public Key Cryptography Primer

Keypair: Private Key - This key must be kept safe! Don’t email me your

private key!

Public Key - This key can be shared with anyone you need to

communicate with

Signing:

The Private Key is used to encrypt a hash of a message, which can be verified by anyone with the public key

Encryption:

The Public Key is used to encrypt a message, which only the holder of the Private Key can decrypt

slide-5
SLIDE 5

MiTM Attack

“Man-in-the-middle attack”

(The actual attack isn’t gender specific)

  • 1. Intercept client connection and answer like a server.
  • 2. Connect to the real server, using client’s credentials
  • 3. Log or modify data as it passes through
slide-6
SLIDE 6

MiTM Attack - Linux Quickstart

  • iptables -t nat -A PREROUTING -p tcp --dport 5222 -j \

REDIRECT --to-port 5002

  • Run your client program, listening on 5002
  • Route the traffic through your linux box using arpspoof, dns spoofing, etc

To get the original IP address in your proxy code:

getsockopt(s, SOL_IP, SO_ORIGINALDEST, &addr, &addrlen);

Python version:

packedDest = s.getsockopt(socket.SOL_IP, 80, 16) (destPort, ) = struct.unpack(">H", packedDest[2:4]) destHost = socket.inet_ntoa(packedDest[4:8])

slide-7
SLIDE 7

SSH Host Keys

OpenSSH caches host keys:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

StrictHostKeyChecking: if you don’t have the host key,

  • yes - don’t connect
  • no - cache it
  • ask (default) - display the fingerprint and ask user

ssh-keyscan can collect host keys from remote systems - allows you to pre-populate known_hosts

slide-8
SLIDE 8

SSH Host Keys - APIs

JSch:

StrictHostKeyChecking=no won’t cache the host key!

Paramiko:

client.load_system_host_keys() client.set_missing_host_key_policy(paramiko.RejectPolicy)

paramiko.WarningPolicy won’t cache the host key! Always pre-populate /etc/ssh/ssh_known_hosts if using APIs - no need for write access.

slide-9
SLIDE 9

SSH Client Authentication

You can create a client keypair with ssh-keygen, then add it to ~/.ssh/authorized_keys on remote hosts. This can be put in kickstart/preseed files. Even if the remote server is compromised your private key should be safe, so you don’t need a fresh one for each server you connect to. You can do “two-factor” in OpenSSH with the AuthenticationMethods sshd_config option.

slide-10
SLIDE 10

TLS Certificates

Certificate chain from my website:

0 s:/C=AU/CN=www.miknet.net/emailAddress=webmaster@miknet.net i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Subject: the entity identifed by the certificate Issuer: the authority that signed the certificate Only “StartCom Certification Authority” is trusted by my system

slide-11
SLIDE 11

Why you need to verify

When looking at a "View Certificate" dialog, what do you check for? The only thing that matters in an unverified certificate are the fingerprint and public key - if you can find something to verify them against. The text in the certificate doesn’t mean anything if the signature can’t be verified

slide-12
SLIDE 12

Cloning a chain

  • A Root CA is a self-signed certificate
  • Intermediate CAs and the certificate are

signed by their parent CA This will still fail to verify - but is way less likely to raise alarm bells than a self-signed cert or

  • ne signed by the "wrong" CA.

Support staff would advise customers to click through the warning

slide-13
SLIDE 13

TLS - Verifying the hostname

Most TLS libraries do not check that the certificate matches the hostname - even if you turn on verification. Anyone can

  • btain a valid TLS certificate.

The hostname must match either the CN field or one of the SubjectAltName extensions. WARNINGS: NULL bytes are valid Do not trust the results of DNS (SRV/MX)

slide-14
SLIDE 14

TLS APIs

Almost all TLS apis require explicit validation calls - they don’t default to anything sane! Tons of high-level APIs don’t do any checking at all.

This includes everything in python’s standard library, and every ruby module I’ve looked at. Recommended: python “requests” module. libcurl.

slide-15
SLIDE 15

STARTTLS

<?xml version='1.0' ?> <stream:stream to='jabber.org' xmlns='jabber:client' xmlns:stream='http: //etherx.jabber.org/streams' version='1.0'> <?xml version='1.0'?> <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.

  • rg/streams' from='jabber.org' id='5ce74cfce8e91fc4' version='1.0'>

<stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> </mechanisms> </stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

slide-16
SLIDE 16

STARTTLS - or not!

<?xml version='1.0' ?> <stream:stream to='jabber.org' xmlns='jabber:client' xmlns:stream='http: //etherx.jabber.org/streams' version='1.0'> <?xml version='1.0'?> <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.

  • rg/streams' from='jabber.org' id='5ce74cfce8e91fc4' version='1.0'>

<stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> </mechanisms> </stream:features>

slide-17
SLIDE 17

Forward Secrecy

Key Exchange - another form of public key cryptography It is ephemeral - you don’t keep the keys long-term. Diffie-Hellman or Elliptic Curve Diffie-Hellman - this is referred to as “Forward Secrecy” or PFS. TLS Ciphersuits that start with DHE- or ECDHE- The old ciphersuites use RSA encryption - if the RSA key is stolen, past traffic can be decrypted!

slide-18
SLIDE 18

TLS - Authenticating Clients

The original design of SSL was for e-commerce. This basically only required “money green” authenticity. TLS has support for client certificates - you can run your

  • wn CA and have your server trust it. [ This is a pain in the

butt though ] This is could be used as a two-factor mechanism - put client certificate authentication on the webserver, but leave password auth in the backend.

slide-19
SLIDE 19

Entropy

Session IDs/random passwords/CSRF tokens need to be

  • unguessable. mt_rand() rand() random() rand_r() do not

provide this, even if seeded with real random data. Unix-like systems: read from /dev/urandom Windows: CryptGenRandom Collect 32 bytes, then base64/hex encode. Linux early boot (only): use /dev/random - eg. for encrypted swap or automated host key generation.

slide-20
SLIDE 20

Hash Functions

A fixed-length digest of variable length input

  • Preimage resistance

○ Hard to find the original input from the hash ○ Guessing inputs still works!

  • Second-preimage resistance

○ Hard to find a second input that produces a given hash ○ A good hash function would provide 2hash length resistance to this

  • Collision Resistance

○ Hard to find two inputs that produce the same hash ○ Birthday attack - requires 256-bit hash for 128-bit security ○ When a hash function is broken this is usually first to go

slide-21
SLIDE 21

Checksums and Signatures

For general use, you should use SHA-2 256/384/512 Creating a certificate:

  • penssl req -new -sha256 …

Checksum of a file: sha256sum *.iso blake2 - is a very fast and secure hash function - if performance is critical. MD4 and MD5 are broken! SHA-1 isn’t looking so good either

slide-22
SLIDE 22

Password Hashes

Normal hash functions allow you to make extremely fast guesses - do not use these!

Salting A salt is a unique string that is hashed with the password and stored next to the hash.

  • Mutliple users with the same password won’t have the same hash
  • An attacker can’t pre-calculate passwords

Stretching

  • An operation that makes the hashing deliberately slow
  • Must be sure that attackers can’t take a shortcut

Current recommendation: bcrypt Future recommendation: Winner of PHC - https://password-hashing.net/

slide-23
SLIDE 23

Password Hashing - Remediation

If you store your passwords in cleartext - go hash them all! If you use an unsalted hash - use a password hash on the original hash Avoid HTTP Digest Authentication, NTLM, various CHAP-alikes.

slide-24
SLIDE 24

Hash Tables

Wait, do these need to be secure?!?

Worker pools or select() loops - colliding hash table entries can block the CPU!

SipHash was designed to fix this

This is now the default in Python3, Ruby, Perl

http://commons.wikimedia.org/wiki/File:Hashtable_linkedlist_collision. png

slide-25
SLIDE 25

MACs

If you need an untrusted entity hold some state for you, you can use a MAC

  • Ensure your data cannot be used out of context

○ HKDF, or just separate keys

  • The key needs to be secret and preferably random
  • Timing attacks! Brad Hill’s trick:

HMAC(random, mac) == HMAC(random, HMAC(secret, data))

If the data needs to be encrypted, MAC the ciphertext

slide-26
SLIDE 26

Hash functions aren’t MACs!

Most hash functions do not function as a MAC. So if you do: mac = Hash(secret, message) and send mac, message that person can then perform a length extension attack. Use HMAC when there’s a secret key!

slide-27
SLIDE 27

Homework!

  • Write a MiTM attack for TLS and/or SSH
  • Try it against every connection that leaves

your machine

  • File bug reports, despair
  • Try a length-extension attack

Once you’ve added some crypto to your code, you should add some attacks to your testsuite

slide-28
SLIDE 28

Thanks!

Comments/Questions? Michael Samuel

Web https://www.miknet.net/ Twitter @mik235 GitHub therealmik