Go paranoid

Nisheed Meethal
www.nisheed.com
7/Nov'13
Go Paranoid !!!
tl;dr
●
security done wrong is worser than not done!
●
security is relative to the computational power the world
has at a given point in time!
●
go paranoid to survive!

Cryptology
Symmetric Enc. Algorithms
Asymmetric Enc. Algorithms
● Security through Obscurity
● Moore's law
● Ciphers are powerful enough
● Kerckhoff's Principle

Then what may mess things up?
1. Passive cryptanalysis
2. Lawful Interception & Coercion
3. Bad ciphers
4. CA vulnerabilities
5. Bad Keys and RNGs

The Key Exchange Mechanism
&
Perfect Forward Secrecy

How does SSL/TLS work?
1. With RSA for key exchange
●
Prime Factorization Problem
even though (n,e) are known to the adversary, d
can't be computed back since he can't calculate
'Ø = (p-1)(q-1)'
●
Passive Cryptanalysis is possible if one gets the
Private key.

RSA
●
Good for signing and encryption
●
Bad for key exchange
●
Advance key computation
●
Patent expired in 2000
Key Terms:
Extended Euclidian Algo., Fast exponentiation; Square and Multiply
Group Cardinality, Cyclic Group
Ron Rivest, Adi Shamir and Leonard Adleman in 1977
●
Prime Factorization Problem
even though (n,e) are known to the adversary, d
can't be computed back since he can't calculate
'Ø = (p-1)(q-1)'
●
Passive Cryptanalysis is possible if one gets the
Private key.

How does SSL/TLS work?
With Diffe-Hellman Key Exchange
●
Discrete Logarithm Problem (in Zp*)
even though α,p,A and B are known to the
adversary, calculating 'a = logα
A mod p' is
practically impossible with 'p' being a large prime
number.
●
No long term private key involved
●
The value of 'i' changes for every session
●
Ephemeral Session Key makes passive
cryptanalysis practically impossible
Ephemeral Diffe-Hellman
KE
= Emphemeral Key
KM
= Masking Key
if we know α, A and p, what's a ? given A = αa
mod p

What next?
Slow and heavy for
wireless/embedded devices?

Elliptic Curve Cryptography
●
(Menezes-Qu-Vanston) Key Exchange algorithm
●
Related to Diffe-Hellman
●
Key-compromise impersonation resilience and unknown key-share resilience
●
Patented by Certicom
ECDHE
ECMQV
ECDSA
●
Discovered in 1985 by Victor Miller (IBM) and Neil Koblitz (University of
Washington)
●
Some implementation patented by Certicom
●
OpenSSL
●
Low computing power requirements
●
Reduced key length and hence fast
●
Use only standard curves (NIST recommended ones)
Applications:

T
Elliptic Curve Cryptography
●
Discrete Logarithm Problem (on EC)
i. Start with a standard EC and a primitive
element P.
ii. Decide on the integer private key 'a'.
iii. Hop the curve 'a' times from P and get the
point A(a,b), which is the public key.
●
A square root attack takes √P steps to fnd
'a' out.
Key Terms:
Scalar and Point multiplication; Double and Add,
Group Cardinality, Cyclic Group, Primitive element,
Eg:-
In the elliptic curve group defned by
y2 = x3 + 9x + 17 over F23,
What is the discrete logarithm a of Q = (4,5) to the base P
= (16,5)?
One (naive) way to fnd 'a' is to compute multiples of P until
Q is found. The frst few multiples of P are:
P = (16,5) 2P = (20,20)
3P = (14,14) 4P = (19,20)
5P = (13,10) 6P = (7,3)
7P = (8,7) 8P = (12,17)
9P = (4,5)
Since 9P = (4,5) = Q, the discrete logarithm of Q to the
base P is a = 9.
In a real application, 'a' would be large enough such that it
would be infeasible to determine 'a' in this manner.
if we know A and P, what's a ? given A = aP

SSL Cipher checks
You can check the ciphers supported by an SSL site using the openssl tool.
exponent@~ > openssl s_client -connect yahoo.com:443
---
SSL handshake has read 1399 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
CAB7722C5ED37D00ACB35E983337CD4BF4C0B466642C2B933AF52991CA4A299DF7820DE8E27A00
5D51393602265831D8
Key-Arg : None
Start Time: 1375166699
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the frst certifcate)
---

Interpret the cipher suites supported
Look for phrase "Cipher is". Below is a sample cipher supported and how to interpret it.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS : Transport Layer Security
(It is the transport layer protocol used. other values can be SSLv3 etc.)
[other possible values: SSL]
ECDHE : Elliptic Curve Diffe Hellman Ephemeral
(Session key exchange algorithm)
[other possible values: RSA, DH, DHE]
RSA : Rivest, Adleman and Shamir
(PKI type of Certifcate )
[other possible values: DSS]
AES256 : Advanced Encryption Standard 256 (bit key).
(Algorithm used to encrypt the actual data)
[other possible values: RC4, 3DES, DES]
CBC : Cypher Block Chaining
(Mode in which the cipher algorithm works. CBC is diffcult to crack, but susceptible to
BEAST/Luck13 attacks.)
[other possible values: CBC3,CTR,GCM,ECB]
SHA : Secure Hash Algorithm
(A hashing algorithm for data integrity)
[other possible values: MD5]

Perfect Forward Secrecy
✔ Do not use RSA for Key exchange !
✔ Use DHE/ECDHE
✔ Off-The-Record (OTR) messaging protocol & Pond, TOR, Tails etc.
Passive Cryptanalysis

Lawful Interception
&
Legal Coercion

✔ PIPA (Protect IP Act) May'11, SOPA (Stop Online Piracy Act) Oct'11
✔ What is about Edward Snowden & PRISM ?
✔ All major players like Google, Facebook, Yahoo, Twitter etc.
✔ Lavabit and Silent Mail ?
Lawful Interception & Legal Coercion

Bad Ciphers
Prob:
BEAST and Lucky13. These are CBC vulnerabilities.
Fix:
The exploit attack impacts TLS 1.0/SSL 3.0, but does not work for TLS versions 1.1 and 1.2. So use
TLS 1.2 with AES GCM suits. But the GCM mode is new and it is an arduous job to get every security
systems (both at the server and the client sides) upgraded;
So instead use RC4 which is a stream cipher and hence faster and CBC/IV-free. But the bad news is
that RC4 has got its own security problems (fxed string cipher entropy problem) when compared to
block ciphers like AES and DSA, but that is less devastating than what CBC mode offers.
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:
!ADH:!AECDH:!MD5:!DSS
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:
!ADH:!AECDH:!MD5:!DSS;
Apache
Nginx

Bad Ciphers
Prob:
CRIME attack. A vulnerability exposed by TLS compression. Exposes the site cookies on side-channel
attacks.
Fix:
Disable TLS compression. Most of the applications like Nginx and Apache have directives to disable
compression.
SSLCompression Off
Apache
export OPENSSL_NO_DEFAULT_ZLIB=1
RHEL
...and many more.

What if your CA's private key gets
compromised?

CA Vulnerability
Recent Incidents (in last 2 years) :
1. Comodo ‐hacker issued bad certs
2. Diginotar - hacker issued bad certs for MITM
3. Trustwave - issued sub CA to customer for MITM
4. Turktrust - issued sub CA by mistake, used for MITM
●
Man-In-The-Middle and CA private key compromises leading to change
in certifcate
●
Require systems to detect a change in the certifcate during the SSL
hand shake.

Certifcate Pinning
HPKP (HTTP Public Key Extension)
●
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04
●
An extension to the HTTP protocol allowing webhost operators
to instruct user agents (UAs) to remember ("pin") the hosts'
cryptographic identities for a given period of time.
TACK (Trust Assertions for Certifcate Keys)
●
http://tack.io/draft.html
●
Server sends his “tack” through TLS Extension
●
Client has seen the same (hostname, TSK) pair multiple times, the client will "activate" a
pin between the hostname and TSK for a period equal to the length of time the pair has
been observed for.
●
Client pins to a server-chosen signing key, known as a "TACK signing key" or "TSK", which
signs the server's TLS keys.
DNSSec
●
Chain of trust

CA Replacements
Convergence.io et. al.
●
An agile, distributed, and secure strategy for replacing
Certifcate Authorities
●
Firefox add-on, once activated, replaces the entire CA
infrastructure
●
User initiated
●
No more self signed certifcate warnings
●
Privacy with bounce notaries

Bad Keys & RNGs
A study of RSA and DSA cryptographic keys in use on the Internet performed by computer scientists
at the University of California, San Diego and the University of Michigan.
●
5% of HTTPS hosts and nearly 10% of SSH hosts shared keys
●
compute the private keys from public information for 0.5% of HTTPS hosts and 1% of SSH hosts
Examples of bad randomness:
●
PGP database. [Lenstra et al. 2012]
2 factored RSA keys out of 700,000. Why?
●
Smartcards. [2012 Chou (slides in Chinese)]
Taiwan Citizen Digital Certicates smartcard certicates used for paying taxes, etc.
Factored 103 (out of 2.26 million)
prng.seed()
p = prng.random_prime()
prng.add_randomness()
q = prng.random_prime()
N = p*q
Linux PRNGs, /dev/random and /dev/urandom

Bad Keys & RNGs
➔ RNG entropy is diffcult to achieve
➔ Collect entropy more aggressively
➔ Natural entropy Sources for true randomness
➔ True NRGs
Hardware RNGs (SSL Accelerator cards)
= Transducer (noise conversion) + Amplifer + A-D converter
Seeds faster cryptographic PRNGs
➔ Intels Ivy Bridge Entropy Source
Each Ivy Bridge die contains one hardware RNG, shared by all the cores.
The RNG begins with an entropy source (ES) whose behavior is determined
by unpredictable thermal noise.
➔ Mind your Ps & Qs -Nadia Heninger

Bruce Schneier -
“I have no idea if the NSA convinced Intel to do this (reducing the entropy to enable
easy cryptanalysis) with the hardware random number generator it embedded into its
CPU chips, but I do know that it could. And I was always leery of Intel strongly pushing
for applications to use the output of its hardware RNG directly and not putting it
through some strong software PRNG like Fortuna. And now Theodore Ts'o writes this
about Linux: "I am so glad I resisted pressure from Intel engineers to let /dev/random
rely only on the RDRAND instruction."”
But again.. can we trust h/w RNGs ?

Hey.. you devels,
Never ever implement your own crypto, use standard
libraries instead.

Whew !!
Hehe... did that help?
Of course.. thanks to our advanced
Cryptology. now I know what to
fx to be secure online.
Sure, but they don't fx the
entire problem we have.
What?!!! come on...
Yeah,
it is just 70% of the
problems we have
What about the next 30%?
Fix yourself !Fix yourself !
Ah!

✔ Watch yourself in the cyber mirror
✔ Be careful while you show up and show off in the social networking
spree.
✔ Investigate the exposure
✔ Surprises from unverifed sources (lottery,dead bank account,job
offers etc.)
✔ Electronic Frontier Foundation (https://www.eff.org)
Raise your web conscience

✔ A known good OS and browser combo
✔ HTTPS Everywhere extension
✔ Third party cookies and tracking
✔ The onion router network to protect your anonymity
✔ OpenDNS and parental controls
✔ End-to-end encrypted mail services
✔ Dark Mail Alliance and Email 3.0 (on XMPP)
✔ Duck Duck Go, Tails, OTR, TrueCrypt, BleachBit etc.
✔ GPG (http://pgp.mit.edu:11371/pks/lookup?op=get&search=nisheed_km@yahoo.com)
http://epic.org/privacy/tools.html
Protect your privacy

Go Paranoid !!!
“Only the paranoid survive”
– Andrew S Grove, Ex-CEO Intel.

Go paranoid

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Go paranoid

Similar to Go paranoid (20)

Recently uploaded

Recently uploaded (20)

Go paranoid