how crypto fails in practice
play

HOW CRYPTO FAILS IN PRACTICE CMSC 414 APR 3 2018 POOR PROGRAMING - PowerPoint PPT Presentation

Apr 22, 2023 •352 likes •841 views

HOW CRYPTO FAILS IN PRACTICE CMSC 414 APR 3 2018 POOR PROGRAMING CryptoLint tool to perform static analysis on Android apps to detect how they are using crypto libraries CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play

  1. HOW CRYPTO FAILS 
 IN PRACTICE CMSC 414 APR 3 2018

  2. POOR PROGRAMING CryptoLint tool to perform static 
 analysis on Android apps to detect 
 how they are using crypto libraries

  3. CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play used crypto; Analyzed 11,748 of them

  4. CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12%

  5. CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12%

  6. NEVER use ECB (but over 50% of Android apps do)

  7. 
 BOUNCYCASTLE DEFAULTS • BouncyCastle is a library that conforms to Java’s Cipher interface : Cipher c = 
 Cipher.getInstance(“AES/CBC/PKCS5Padding”); // Ultimately end up wrapping a ByteArrayOutputStream 
 // in a CipherOutputStream • Java documentation specifies:

  10. CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12%

  11. CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12% A failure of the programmers to know the tools they use A failure of library writers to provide safe defaults

  12. MISUSING CRYPTO Avoid shooting yourself in the foot: • Do not roll your own cryptographic mechanisms • Takes peer review • Apply Kerkhoff’s principle • Do not misuse existing crypto • Do not even implement the underlying crypto

  13. WHY NOT IMPLEMENT AES/RSA YOURSELF? • Not talking about creating a brand new crypto scheme, just implementing one that’s already widely accepted and used. • Kerkhoff’s principle: these are all open standards; should be implementable. • Potentially buggy/incorrect code, but so might be others’ implementations (viz. OpenSSL bugs, poor defaults in Bouncy castles, etc.) • So why not implement it yourself?

  14. SIDE-CHANNEL ATTACKS • Cryptography concerns the theoretical difficulty in breaking a cipher Input 
 Output 
 Cryptographic processing 
 message message (Encrypt/decrypt/sign/etc.) Secret keys

  15. SIDE-CHANNEL ATTACKS • Cryptography concerns the theoretical difficulty in breaking a cipher Input 
 Output 
 Cryptographic processing 
 message message (Encrypt/decrypt/sign/etc.) Secret keys • But what about the information that a particular implementation could leak? • Attacks based on these are “ side-channel attacks ”

  16. SIDE-CHANNEL ATTACKS • Cryptography concerns the theoretical difficulty in breaking a cipher Leaked information 
 - Power consumption 
 - Electromagnetic radiation - Other (Timing, errors, etc.) Input 
 Output 
 Cryptographic processing 
 message message (Encrypt/decrypt/sign/etc.) Secret keys • But what about the information that a particular implementation could leak? • Attacks based on these are “ side-channel attacks ”

  17. SIMPLE POWER ANALYSIS (SPA) • Interpret power traces taken during a cryptographic operation • Simple power analysis can reveal the sequence of instructions executed

  18. SPA ON DES Overall operation clearly visible: 
 Can identify the 16 rounds of DES

  19. SPA ON DES 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Overall operation clearly visible: 
 Can identify the 16 rounds of DES

  20. SPA ON DES Specific instructions are also discernible

  21. SPA ON DES Jump taken No jump taken Specific instructions are also discernible

  22. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) // branch 0 else // branch 1 } }

  23. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) What if branch 0 had, e.g., 
 // branch 0 a jmp that brand 1 didn’t? else // branch 1 } }

  24. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) What if branch 0 had, e.g., 
 // branch 0 a jmp that brand 1 didn’t? else // branch 1 } } Implementation issue: If the execution path depends on the inputs (key/data), then SPA can reveal keys

  25. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) What if branch 0 had, e.g., 
 // branch 0 a jmp that brand 1 didn’t? else // branch 1 What if branch 0 } } Implementation issue: If the execution path depends on the inputs (key/data), then SPA can reveal keys

  26. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) What if branch 0 had, e.g., 
 // branch 0 a jmp that brand 1 didn’t? else // branch 1 What if branch 0 } - took longer? (timing attacks) } Implementation issue: If the execution path depends on the inputs (key/data), then SPA can reveal keys

  27. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) What if branch 0 had, e.g., 
 // branch 0 a jmp that brand 1 didn’t? else // branch 1 What if branch 0 } - took longer? (timing attacks) - gave off more heat? } Implementation issue: If the execution path depends on the inputs (key/data), then SPA can reveal keys

  28. HIGH-LEVEL IDEA HypotheticalEncrypt(msg, key) { for(int i=0; i < key.len(); i++) { 
 if(key[i] == 0) What if branch 0 had, e.g., 
 // branch 0 a jmp that brand 1 didn’t? else // branch 1 What if branch 0 } - took longer? (timing attacks) - gave off more heat? } - made more noise? 
 - … Implementation issue: If the execution path depends on the inputs (key/data), then SPA can reveal keys

  29. DIFFERENTIAL POWER ANALYSIS (DPA) • SPA just visually inspects a single run • DPA runs iteratively and reactively • Get multiple samples • Based on these, construct new plaintext messages as inputs, and repeat

  30. MITIGATING SUCH ATTACKS • Hide information by making the execution paths depend on the inputs as little as possible • Have to give up some optimizations that depend on particular bit values in keys Some Chinese Remainder Theorem (CRT) optimizations - permitted remote timing attacks on SSL servers • The crypto community should seek to design cryptosystems under the assumption that some information is going to leak

  31. POOR POLICIES FROM GOVERNMENTS Exploits export-grade encryption 1024-bit and smaller feasibly broken Logjam downgrades to export-grade (512)

  32. Clipper chip A lesson in poorly designed protocols Clipper Clipper Goal: 
 Support encrypted communication 
 Confidentiality between devices Goal: 
 Permit law enforcement to obtain 
 Key escrow “session keys” with a warrant

  33. Clipper chip: Design Tamper-proof hardware Hardware that is difficult to introspect (e.g., extract keys), Skipjack 
 alter (change the algorithms), or impersonate encryption algorithm Skipjack Keys 
 Unit key 
 Global family key Diffie-Hellman 
 key exchange LEAF generation & validation

  34. 
 Clipper chip: Design Tamper-proof hardware Skipjack 
 Block cipher designed by the 
 encryption algorithm NSA, originally classified 
 SECRET. Skipjack Keys 
 (Violates Kirchhoff’s principle) Unit key 
 Global family key Broken within one day of declassification. Diffie-Hellman 
 key exchange 80-bit key; similar algorithm to DES (also broken) LEAF generation & validation

  35. Clipper chip: Design Tamper-proof hardware Skipjack 
 Assigned when the hardware 
 encryption algorithm is manufactured. Unit key is unique to this unit 
 Skipjack Keys 
 in particular (each Clipper chip 
 Unit key 
 also has a unit ID ). Global family key Global family key is the same 
 Diffie-Hellman 
 across many units. key exchange LEAF generation & validation

  36. Clipper chip: Design Tamper-proof hardware Skipjack 
 Used for establishing a 
 encryption algorithm (symmetric) session key Session keys are ephemeral Skipjack Keys 
 (e.g., last only for a given Unit key 
 connection, transaction, etc.) Global family key General properties about Diffie-Hellman 
 session keys: key exchange • Compromising one session key 
 does not compromise others • Compromising a long-term key 
 LEAF generation should not compromise past 
 & validation session keys ( forward secrecy )

  37. Clipper chip: Design Tamper-proof hardware LEAF 
 Skipjack 
 (Law Enforcement Access Field) encryption algorithm To permit wiretapping, law 
 enforcement needs to be able 
 Skipjack Keys 
 to extract session keys, but 
 Unit key 
 only has access to what is sent 
 Global family key during communication Diffie-Hellman 
 key exchange Idea : send data that has enough 
 info to allow law enforcement 
 to extract keys (but not any 
 LEAF generation other eavesdropper). & validation

  38. LEAF protocol design 1. DH key exchange 2. Each send LEAF packet Clipper Clipper 3. Send data encrypted 
 with the session key The Clipper chips will not decrypt until 
 it has received a valid LEAF packet Law enforcement sees all packets. • Cannot infer key from DH key exchange • Can infer it from the LEAF packet

  39. LEAF message structure Session key 80 bits Other 
 variables Unit Key Skipjack Hash algorithm 16 bits Unit ID Encrypted session key Hash Global family key Skipjack LEAF

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOW CRYPTO FAILS IN PRACTICE GRAD SEC OCT 31 2017 TODAYS PAPERS POOR PROGRAMING

HOW CRYPTO FAILS IN PRACTICE GRAD SEC OCT 31 2017 TODAYS PAPERS POOR PROGRAMING

HOW CRYPTO FAILS IN PRACTICE GRAD SEC OCT 31 2017 TODAYS PAPERS POOR PROGRAMING CryptoLint tool to perform static analysis on Android apps to detect how they are using crypto libraries CRYPTO MISUSE IN ANDROID APPS 15,134 apps

1.6k views • 133 slides
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke Valenta, Benjamin

1.01k views • 34 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke

674 views • 45 slides
10 Reasons Why Compliance Fails Sinead OConnor www.aicp.im Ten reasons why compliance fails

10 Reasons Why Compliance Fails Sinead OConnor www.aicp.im Ten reasons why compliance fails

10 Reasons Why Compliance Fails Sinead OConnor www.aicp.im Ten reasons why compliance fails Sinead OConnor Head of Regulatory &amp; Compliance services Lack of leadership Compliance comply dont they? What do the rules actually

482 views • 13 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
From theoretical crypto to practice: gloups an abominable gap Cryptie, Oblazy Cryptie, O. Blazy

From theoretical crypto to practice: gloups an abominable gap Cryptie, Oblazy Cryptie, O. Blazy

From theoretical crypto to practice: gloups an abominable gap Cryptie, Oblazy Cryptie, O. Blazy (Xlim) RMLL CC-BY-SA 4.0 1 / 35 Encryption and Signature: Just a 2 min reminder 1 Libraries 2 Funny Cryptography 3 Cryptie, O. Blazy (Xlim)

919 views • 52 slides
Ethics Issues in Opinion Practice 419 (TriBar Report), are widely accepted as setting forth

Ethics Issues in Opinion Practice 419 (TriBar Report), are widely accepted as setting forth

Ethics Issues in Opinion Practice * By Charles E. McCallum and Bruce C. Young ** A. I NTRODUCTION Lawyers giving legal opinions, like all lawyers, are subject to many duties. A law- yer who fails to meet his ethical obligations may be subject to

478 views • 10 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto &amp; The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation &amp; opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
When Knuth Bendix Completion Fails 17ai The Knuth Bendix procedure fails if an equation cannot be

When Knuth Bendix Completion Fails 17ai The Knuth Bendix procedure fails if an equation cannot be

When Knuth Bendix Completion Fails 17ai The Knuth Bendix procedure fails if an equation cannot be orientated eg x+y = y+x leads to circular rewriting as in 2+3 =&gt; 3+2 =&gt; 2+3 ..., f(x, g(z)) = f(g(z), x) leads to

246 views • 5 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO Use this space to add an image. IMPLEMENTATION, OR CRYPTO RNG Insert an image and change the scale to cover this box. ALSO, KEY MANAGEMENT IS

1.01k views • 81 slides
Clipper Breathing Life into Cultural Collections and Archives John Casey 1 , Trevor Collins 2

Clipper Breathing Life into Cultural Collections and Archives John Casey 1 , Trevor Collins 2

Clipper Breathing Life into Cultural Collections and Archives John Casey 1 , Trevor Collins 2 Gill Hamilton 3 and Will Gregory 4 Clipper 20/04/2016 An online media analysis and collaboration tool for digital researchers 1. City of Glasgow

784 views • 14 slides
Diodes Waveform shaping Circuits Lecture notes: page 2-20 to 2-31 Sedra &amp; Smith (6 th Ed):

Diodes Waveform shaping Circuits Lecture notes: page 2-20 to 2-31 Sedra &amp; Smith (6 th Ed):

Diodes Waveform shaping Circuits Lecture notes: page 2-20 to 2-31 Sedra &amp; Smith (6 th Ed): Sec. 4.5 &amp; 4.6 Sedra &amp; Smith (5 th Ed): Sec. 3.5 &amp; 3.6 F. Najmabadi, ECE65, Winter 2012 Two-port networks as building blocks Recall:

316 views • 30 slides
Prediction Serving what happens after learning? Joseph E. Gonzalez Asst. Professor, UC Berkeley

Prediction Serving what happens after learning? Joseph E. Gonzalez Asst. Professor, UC Berkeley

Prediction Serving what happens after learning? Joseph E. Gonzalez Asst. Professor, UC Berkeley jegonzal@cs.berkeley.edu Co-founder, Dato Inc. joseph@dato.com Outline VELOX Clipper Caffe VW Create Daniel Crankshaw, Xin Wang Michael

1.09k views • 55 slides
Machine Learning Pipelines Marco Serafini COMPSCI 532 Lecture 21 Training vs. Inference

Machine Learning Pipelines Marco Serafini COMPSCI 532 Lecture 21 Training vs. Inference

Machine Learning Pipelines Marco Serafini COMPSCI 532 Lecture 21 Training vs. Inference Training: data model Computationally expensive No hard real-time requirements (typically) Inference: data + model prediction

432 views • 25 slides
Key Management Choosing long, random keys doesnt do you any good if your clerk is selling

Key Management Choosing long, random keys doesnt do you any good if your clerk is selling

Key Management Choosing long, random keys doesnt do you any good if your clerk is selling them for $10 a pop at the back door Or if you keep a plaintext list of them on a computer on the net whose root password is root

589 views • 15 slides
RAN School Council February 2020 Nock/Molin Change of Start Time New times: Arrival 7:45,

RAN School Council February 2020 Nock/Molin Change of Start Time New times: Arrival 7:45,

RAN School Council February 2020 Nock/Molin Change of Start Time New times: Arrival 7:45, Dismissal 2:15 Operational Challenges Arrival and dismissal Elementary procedures vs middle level procedures Safety (875 students

321 views • 6 slides
EFL on Wayland Rafael Antognolli October, 22th - 2013 Wayland Simpler replacement for X

EFL on Wayland Rafael Antognolli October, 22th - 2013 Wayland Simpler replacement for X

EFL on Wayland Rafael Antognolli October, 22th - 2013 Wayland Simpler replacement for X Core protocol + extensions Weston is the reference compositor Toolkits (EFL, Qt, GTK) implement the client API EFL Enlightenment

541 views • 25 slides
rs Prt r sr r

rs Prt r sr r

rs Prt r sr r r SHIQ s tr 1 rt 1 ts s 1 r

859 views • 38 slides

More recommend