密碼學中的錯誤

1. yllan, 2015

2. • @yllan
• hypo
https://hypo.cc/
• SOLDA
https://solda.io/
•

5. Q: AES

8. •
•
• /
• key
• key

9. Encryption

10. Encryption System
• Block Cipher
•
• DES, AES, RSA, …
• block padding
block
• Block Mode: ECB / CBC / GCM / ……

11. Don’t Use ECB mode!
Block 1 Block 2 Block N…
Cipher 1 Cipher 2 Cipher N…

12. ECB: Cut & Paste
Cookie: auth=AES-ECB(username)
Cookie: auth=AES-ECB(1234567890123456admin)

13. ECB: Byte-by-Byte
• Oracle(m)=AES-ECB(m‖secret, key)
AES-ECB(123456789012345secret, key)
AES-ECB(123456789012345*secret, key)
AES-ECB(123456789012345ssecret, key)
AES-ECB(12345678901234secret, key)
AES-ECB(12345678901234s*secret, key)
AES-ECB(12345678901234sesecret, key)
AES-ECB(1234567890123secret, key)
A block: 16-bytes

14. CBC

15. comment=hello ,%20MOPCON. %26admin=true
&admin=true

16. comment=hello ,%20MOPCON. %26admin=true
&admin=true
comment=hello ?SDA(*H@*(#$& %2&admin=true
&⊕6

17. CBC Padding Oracle
• PKCS7 Padding
• xxxxxxxxxx01
• xxxxxxxxx0202
• xxxxxxxx030303

18. if (!bytes.takeRight(bytes.last)
.forAll(_ == bytes.last))
{
throw Exception(“Padding invalid!”)
}

20. 030303

21. 030303
⊕01

22. 030302
⊕01

23. 030302
⊕01

24. 030303
⊕02

25. 030301
⊕02
valid padding!

26. 030301
⊕02
valid padding!last byte ⊕ 02 = 01, last byte = 03

27. 030303
valid padding!last byte ⊕ 02 = 01, last byte = 03

28. ??040404
⊕??070707

29. Authentication
(Signing)

30. (Crypto) Hash
• MD5, SHA1, SHA2, SHA3……
• input n output
• One-Way: H(x) x
• 2nd Pre-Image Resistance: y H(x) = H(y)
• Collision Free: x ≠ y H(x) = H(y)

31. Hash ≠ Authentication

32. • user=yllan&rating=5&album=12345
• MD5(secretalbum12345rating5useryllan)
•
• Length Extension Attack

33. Length Extension Attack
• ????user=yllan&rating=5
• ????user=yllan&rating=5…&admin=true

34. data data paddata
1 length0…0
64bytes 64bytes 64bytes

35. data paddatadata
64bytes 64bytes 64bytes
v1: 0x67452301
v2: 0xEFCDAB89
v3: 0x98BADCFE
v4: 0x10325476
v5: 0xC3D2E1F0

36. data paddatadata
64bytes 64bytes 64bytes
v1: 0xAAAAAAAA
v2: 0xBBBBBBBB
v3: 0xCCCCCCCC
v4: 0xDDDDDDDD
v5: 0xEEEEEEEE

37. data paddatadata
64bytes 64bytes 64bytes
v1: 0xFFFFFFFF
v2: 0xFFFFFFFF
v3: 0xFFFFFFFF
v4: 0xFFFFFFFF
v5: 0xFFFFFFFF

38. data paddatadata
64bytes 64bytes 64bytes
v1: 0x00000000
v2: 0x11111111
v3: 0x22222222
v4: 0x33333333
v5: 0x44444444
SHA1: 0x0000000011111111222222223333333344444444

39. ? ???
64bytes 64bytes 64bytes
SHA1: 0x0000000011111111222222223333333344444444

40. ? ???
64bytes 64bytes 64bytes
SHA1: 0x0000000011111111222222223333333344444444
v1: 0x00000000
v2: 0x11111111
v3: 0x22222222
v4: 0x33333333
v5: 0x44444444

41. ? ???
ytes 64bytes 64bytes
v1: 0x00000000
v2: 0x11111111
v3: 0x22222222
v4: 0x33333333
v5: 0x44444444
PadExtension

42. ? ???
ytes 64bytes 64bytes
v1: 0x55555555
v2: 0x66666666
v3: 0x77777777
v4: 0x88888888
v5: 0x99999999
SHA1: 0x5555555566666666777777778888888899999999
PadExtension

43. ? ???
ytes 64bytes 64bytes
v1: 0x55555555
v2: 0x66666666
v3: 0x77777777
v4: 0x88888888
v5: 0x99999999
SHA1: 0x5555555566666666777777778888888899999999
PadExtension

44. MAC
• Message Authentication Code
• HMAC-SHA256(message, secret)
• m, MACk(m) n, MACk(n)

45. Side Channel Attack

46. Comparison
public static boolean isEqual(byte digesta[], byte digestb[])
{
if (digesta.length != digestb.length)
return false;
for (int i = 0; i < digesta.length; i++) {
if (digesta[i] != digestb[i]) {
return false;
}
}
return true;
}
Java 6u15: MessageDigest.isEqual

47. Constant Time
Comparison ( )
public static boolean isEqual(byte[] a, byte[] b) {
if (a.length != b.length) {
return false;
}
int result = 0;
for (int i = 0; i < a.length; i++) {
result |= a[i] ^ b[i];
}
return result == 0;
}

48. Side Channel
•
•
•
• HEARTBLEED

52. • bcrypt()

53. • RSA/DES library… Orz

56. Q & A

57. 1 2 3 4 5 6 7
8 9 10……