Why You Need Cryptography - Junade Ali at PHP Warwickshire

Why You Need Cryptography

Junade Ali (@IcyApril)

What You Need To Know About Cryptography

Junade Ali (@IcyApril)

Back to Basics

This is a login form.

How do you store a password in a database?

You hash it of course!

• Hashes are one-way cryptographic functions. They map any data to a fixed-length string.

• The hash should be non-invertible: it is infeasible to turn the hash back into the input.

• With a good algorithm, the Avalanche Effect means that if you alter the input slightly, the output is completely different. This makes it harder to guess the input.

But how…?

• Use a key derivation function like PBKDF2 or BCrypt.

• That way the crypto is handled for you, preventing homebrew insecure crypto.

• Some would argue BCrypt is better than PBKDF2 because it can’t be GPU accelerated.

PHP Password Functions

• PHP 5.5.0 made things easy:

• password_hash - to hash passwords

• password_verify - check a password matches the hash

• password_needs_rehash - check if a hash matches the algorithm supplied

Homebrew Crypto is Bad

• You’re probably not a cryptographer.

• Real key derivation functions are peer reviewed by mathematicians, cryptographers, computer scientists; professional and amateur alike.

• Complicated code doesn’t provide better security. Byte shuffling adds no security, neither does base64 encoding.

-Kerckhoffs's principle

“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”

-Shannon's maxim

"one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them"

-in layman’s terms

A strong cryptosystem is strong regardless of whether the algorithm is known to the attacker.

Why We Salt

• Let’s hash a password without a salt:

• echo sha1('p4$$w0rd');

• 6c067b3288c1b5c791afa04e12fb013ed2e84d10

Rainbow Tables

Rainbow Tables are precomputed hashes.

Table from sha1.wisetock.com.

Dictionary Attack

• Rainbow Tables help you do Dictionary Attacks quicker.

• You simply check if an unsalted hash appears in a pre-computed database of hashes.

• If the same salt is used for every hash, you can simply pre-compute a database of hashes using known passwords with that salt.

The Caveat…

• If a user’s password is not in any publicly known database of pre-computed hashes, it is secure from Rainbow Tables.

• Hence one reason why you should use strong unique passwords.

Therefore…

• We hash our passwords.

• We salt our hashes.

• We use a unique salt for each password we hash.

• This is easily handled by the password_hash function in PHP.
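
The salting argument and the three PHP password functions in one run, as an added example that is not from the original slides: an unsalted fast hash gives every user of a password the same digest, while password_hash salts each hash uniquely and password_needs_rehash lets the cost be raised at login. The sample password, the `login` helper and the cost values are constructed for illustration.

```php
<?php
// Constructed sample: two accounts that happen to share one password.
$password = 'correct horse battery staple';

// Unsalted fast hash: both accounts store the same digest, so a single
// precomputed-table hit exposes every account using this password.
$unsaltedAlice = sha1($password);
$unsaltedBob   = sha1($password);
echo 'sha1 digests identical:          ';
var_dump($unsaltedAlice === $unsaltedBob);

// password_hash() draws a fresh random salt per call and stores the
// algorithm, cost and salt inside the returned string.
$alice = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$bob   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo 'password_hash outputs identical: ';
var_dump($alice === $bob);

// Hypothetical login helper: verify first, then upgrade the stored hash
// if it no longer matches the current policy (algorithm and cost).
function login(string $submitted, string &$storedHash, array $policy): bool
{
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $policy)) {
        // The plaintext is only available at login, so rehash here.
        $storedHash = password_hash($submitted, PASSWORD_BCRYPT, $policy);
    }
    return true;
}

$policy = ['cost' => 12]; // constructed: policy raised after the hashes were stored
echo 'wrong password accepted:         ';
var_dump(login('letmein', $alice, $policy));
echo 'right password accepted:         ';
var_dump(login($password, $alice, $policy));
echo 'cost after login: ', password_get_info($alice)['options']['cost'], "\n";
```

In a real application the updated `$storedHash` is written back to the user's database row after a successful login.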

Hashes have other uses

• Hashes aren’t just great for key derivation.

• One other use is in file integrity validation; this is particularly useful in SSL/TLS certificates.

An Ideal Hash Algorithm

• A hash must be easy to compute.

• It must be impractical to turn the hash back into the original input (non-invertible).

• It must be impractical to find two inputs which lead to the same hash (collision resistance).

Collision Resistance

• Where h() is a hash function, a collision is where h(A) = h(B), but A ≠ B.

• Where two different inputs produce the same hash.

• They are inevitable given the pigeonhole principle.

Pigeonhole Principle

• Given a hash is a fixed length string there are only a finite number of variations.

• On the other hand the input can be infinitely long.

• Therefore there must be more than one input which has the same hash output.

• I.e. a collision is inevitable.

The Birthday Problem

• The chance of 2 people having the same birthday reaches 100% when you have 366 people according to the Pigeonhole Principle.

• However the probability reaches 99% with just 57 people.

The Birthday Problem

The probability of two people with the same birthday.

The Birthday Attack

• The Birthday Problem can be used to find hash collisions where the number of possible hashes (pigeonholes) is limited.

• Yuval’s Birthday Attack highlights this.

Yuval’s Birthday Attack

• Let n be the bit-length of a hash output.

• With 2^(n/2) different permutations of the original message compared to 2^(n/2) different permutations of a forged message; you should expect to find a collision.
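
The 2^(n/2) effort made visible on a deliberately tiny hash, as an added PHP example that is not from the original slides: SHA-256 is truncated to n bits so the search finishes in seconds. The function names, the two sample texts and the trailing-whitespace variants are constructed for illustration.

```php
<?php
// Toy n-bit hash: the top $bits bits of SHA-256 (constructed for the demo).
function tinyHash(string $msg, int $bits): int
{
    $word = unpack('N', substr(hash('sha256', $msg, true), 0, 4))[1];
    return $word >> (32 - $bits);
}

// Variant number $i of a text: $i encoded as trailing spaces and tabs,
// which a human reader does not notice but the hash does.
function variant(string $text, int $i): string
{
    for ($pad = ''; $i > 0; $i >>= 1) {
        $pad .= ($i & 1) ? "\t" : ' ';
    }
    return $text . $pad;
}

// Hash 2^(n/2) variants of the genuine text, then walk variants of the
// forged text until one lands on a hash already in the table.
function yuval(string $genuine, string $forged, int $bits): array
{
    $table = [];
    for ($i = 0; $i < (1 << intdiv($bits, 2)); $i++) {
        $table[tinyHash(variant($genuine, $i), $bits)] = $i;
    }
    for ($j = 0; ; $j++) {
        $h = tinyHash(variant($forged, $j), $bits);
        if (isset($table[$h])) {
            return ['genuine' => $table[$h], 'forged' => $j, 'hash' => $h];
        }
    }
}

$genuine = 'I agree to pay 100 GBP.';   // constructed sample texts
$forged  = 'I agree to pay 9000 GBP.';
foreach ([16, 20, 24] as $bits) {
    $hit = yuval($genuine, $forged, $bits);
    printf("n=%2d  hash=%06x  forged variants tried=%d  2^(n/2)=%d  2^n=%d\n",
        $bits, $hit['hash'], $hit['forged'] + 1, 1 << intdiv($bits, 2), 1 << $bits);
}
// Takeaway for choosing a hash: an n-bit digest offers only about n/2 bits
// of collision resistance, so size the output for 2^(n/2), not 2^n.
```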

TLS (very basic overview)

• Server has a CipherSuite ordering.

• Client submits a list of supported ciphers and server chooses the highest shared cipher (note SSLHonorCipherOrder in Apache or ssl_prefer_server_ciphers in Nginx).

• Certificate Chain, root certificates sign intermediaries which eventually sign a site. Server sends this certificate.

• Key exchange protocol to share keys for symmetric encryption (quicker than asymmetric).

• Integrity check using Message Authentication Code.

Best Practice with TLS

• Disabling SSL protocols (and only enabling TLS), note POODLE on SSLv3.

• HSTS (Strict Transport Security), enforced TLS with cached time period. Mitigates SSLStrip by Moxie Marlinspike.

• Forward Secrecy: set ciphers that support it to be preferred.

• Qualys SSLLabs tests are a good idea.
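
The practices above combined in one Nginx server block, as an added configuration example that is not from the original slides. The host name and certificate paths are placeholders, and the protocol list, cipher list and max-age are assumed values to adapt to the clients you must support.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder

    # Placeholder paths; the certificate file holds the site certificate
    # followed by its intermediates, so the client receives the chain.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # SSL protocols disabled, TLS only (SSLv3 is exposed to POODLE).
    ssl_protocols TLSv1.2 TLSv1.3;

    # The server's ordering wins, and every listed suite uses ECDHE key
    # exchange, so each negotiated session has forward secrecy.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # HSTS: browsers remember "HTTPS only" for max-age seconds, which
    # mitigates SSLStrip-style downgrades on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Check the syntax with `nginx -t` before reloading, then confirm the result with the Qualys SSL Labs test.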

Symmetric Encryption

• Caesar Cipher. Simple offsets, easy to brute force.

• DES. Preceded AES, insecure in a lot of applications.

• Rijndael (AES), TwoFish, Serpent.

Plausible Deniability

• Steganography is the practice of hiding one file within another.

• The Rubberhose File System was written by Julian Assange, Suelette Dreyfus, and Ralf Weinmann.

• Available in VeraCrypt, the successor to TrueCrypt.

• Uses the random padding data surrounding an encrypted volume to create alternative encrypted volumes.

• Can be cascaded.

• Initially designed for third world dictatorships, but found a use in the UK due to RIPA.

Asymmetric Encryption

• Diffie-Hellman Key Exchange. Malcolm J. Williamson at GCHQ had already conceived this a year earlier.

• RSA. Named after Ron Rivest, Adi Shamir, and Leonard Adleman but was discovered by Clifford Cocks and James H. Ellis at GCHQ 3 years earlier.

• ECC (Elliptic Curve Cryptography). Entered wide use in 2004/2005.

Trapdoor Functions

• Asymmetric encryption uses Trapdoor Functions.

• Easy to compute one way, hard the other way.

• For example it is easy to multiply 2 prime numbers together, harder to find the prime factors.

RSA Revision

• Select two prime numbers p & q.

• n = pq. This is the modulus.

• φ = (p-1)(q-1). This is the totient.

• Calculate integer e where 1 < e < φ and the greatest common divisor of e and φ is 1.

• Calculate integer d where 1 < d < φ and the congruency relation ed ≡ 1 (mod φ) is satisfied.

• Public key is n & e whereas the private key is n & d.

RSA Revision

• Basic encrypt: m^e mod n

• Basic decrypt: c^d mod n

• Fermat’s Little Theorem underlies this.

• In real life padding is used.

• Note: Mod is the modulo operator (% or the fmod function in PHP).
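
The RSA revision steps carried through with small numbers, as an added PHP example that is not from the original slides. The primes 61 and 53, the exponent 17, the message 65 and the helper names are constructed for illustration; real keys use primes of 1024 bits or more together with a padding scheme.

```php
<?php
// Square-and-multiply modular exponentiation (fine for this toy modulus).
function modPow(int $base, int $exp, int $mod): int
{
    $result = 1;
    for ($base %= $mod; $exp > 0; $exp >>= 1) {
        if ($exp & 1) {
            $result = ($result * $base) % $mod;
        }
        $base = ($base * $base) % $mod;
    }
    return $result;
}

function gcd(int $a, int $b): int
{
    while ($b !== 0) {
        [$a, $b] = [$b, $a % $b];
    }
    return $a;
}

// Extended Euclid: returns d with e*d ≡ 1 (mod phi).
function modInverse(int $e, int $phi): int
{
    [$r0, $r1, $s0, $s1] = [$e, $phi, 1, 0];
    while ($r1 !== 0) {
        $q = intdiv($r0, $r1);
        [$r0, $r1] = [$r1, $r0 - $q * $r1];
        [$s0, $s1] = [$s1, $s0 - $q * $s1];
    }
    return (($s0 % $phi) + $phi) % $phi;
}

[$p, $q] = [61, 53];                // constructed toy primes
$n   = $p * $q;                     // modulus
$phi = ($p - 1) * ($q - 1);         // totient
$e   = 17;                          // constructed public exponent
if (gcd($e, $phi) !== 1) {
    throw new RuntimeException('e must be coprime to phi');
}
$d = modInverse($e, $phi);          // private exponent
$m = 65;                            // constructed message, must be < n
$c = modPow($m, $e, $n);            // encrypt: m^e mod n
printf("n=%d phi=%d e=%d d=%d\n", $n, $phi, $e, $d);
printf("m=%d -> c=%d -> m'=%d\n", $m, $c, modPow($c, $d, $n));
// Unpadded RSA is deterministic: the same m always gives the same c.
var_dump(modPow($m, $e, $n) === $c);
```

The example uses the integer `%` operator rather than fmod because fmod works on floats, which lose precision once intermediate products grow large.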

The Problem

• RSA and Diffie-Hellman rely on the Discrete Logarithm Problem being difficult to solve.

• RSA relies less heavily on the Discrete Log Problem than Diffie-Hellman does.

• If a discrete logarithm can be computed easily, these forms of cryptography face an issue.

–Alex Stamos, CTO of Artemis in 2013

“Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years”

Concluding with ECC

ECC provides the only viable and reasonable alternative to RSA and Diffie-Hellman so far.

ECC

• Consists of points satisfying the equation: y^2 = x^3 + ax + b

• Faster (over 20 times!) than RSA.

• Already has a Digital Signature alternative to RSA called ECDSA.

• But ECDSA does require a good source of entropy, a decent source of (pseudo)random numbers is required.

• No mathematical proof of security. Question of whether one-way functions truly exist is open.

https://ju.je/cryptointro

• A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography (Nick Sullivan): https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

• Guide to Elliptic Curve Cryptography: http://math.boisestate.edu/~liljanab/MATH508/GuideEllipticCurveCryptography.PDF