Post on 21-May-2020
Protecting Passwords & Data in a Post-Quantum Computing Era Using Military-Grade Crypto
Carlos A. Villegas
cv127.0.0.1[at]gmail[dot]com
● Northrop Grumman employee for 20 years
● Programming since age 13, professionally for 25 years
● Master of Science in Computer Science, Cybersecurity – NYU, 2016
● Master of Science in Computer Science, Artificial Intelligence – USC
● Designing cyber resilient military drones (current job)
About Me
https://github.com/CarlosVilleags/CryptographicSecureMessagingSteganography
https://github.com/CarlosVilleags/Linux-Logs
Open Source Contributions:
About Me (cont.)
● Participated in five Capture The Flag (CTF) cyber offensive competitions
● Nationally ranked 37th place in National Cyber League 2014, silver bracket
● CompTIA Security+ certification
● Mentoring ~50 high school students since 2014 in CyberPatriot
● Attended U.S. Cyber Challenge 2014 in San Jose, California
● Attended U.S. Cyber Challenge 2015 in Cedar City, Utah
● Honorary Girl Scout Member, GenCyber 2015/2016 @ CSUSB
● Ideal Job: Designing cyber resilient military drones (current job!)
● Technical Interests:
○ Active Defense
○ Evading Anti-Viruses
○ Cracking Passwords
○ Intersection of Cybersecurity and Artificial Intelligence
● Favorite Programming Language: Go
● Non-Technical Interests:
○ Rueda de Casino
Interests
● Fanless PC, 4GB RAM, 1TB SSD, 2GBit Ethernet ports
● pfSense = industrial firewall/router/proxy
● FreeBSD - best network stack implementation
Latest Project:
The Cybersecurity Problem
● Cybersecurity has become a global threat and a global challenge
● Cybersecurity cuts across every segment of the United States
● Cybersecurity is not just a military problem
Drug-Dispensing-Robots Education Retail Health Care Banking
Cities Homes Electrical Grid Entertainment Transportation H2O Sanitation
The Cybersecurity Problem
Most Recently Targeted: Medical Equipment
"Enriquez says his team found malware planted on several types of medical devices including an x-ray printer, an oncology unit's MRI scanner, a surgical center's blood gas analyzer and a health care provider's PACS-picture archiving and communication system."
src: http://abc7news.com/technology/san-mateo-cyber-security-firm-uncovers-malware-on-medical-devices/1757268/
● Cybercrime damage costs to hit $6 trillion annually by 2021 worldwide
● Cybersecurity spending to exceed $1 trillion from 2017 to 2021
● Unfilled cybersecurity jobs will reach 1.5 million by 2019
● Human attack surface to reach 4 billion people by 2020
● Up to 200 billion IoT devices will need securing by 2020
Cybersecurity - Why Is It a Big Deal?
Answer the question correctly and this YubiKey 4 is yours (a $40 value)
I am not associated in any way with Yubico. I just picked up an extra one of these from Yubico's booth at BlackHat USA.
src: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
World's Biggest Data Breaches - Visualization
New Era of Quantum Computing
Quantum Computing
A quantum computer (QC) uses qubits instead of classic binary digits, and each qubit is in a quantum state between zero and one. QCs can perform a huge number of calculations simultaneously by harnessing this superposition phenomenon along with quantum entanglement.
src: https://www.theregister.co.uk/2017/02/13/quantum_computer_billions_of_times_faster_than_todays_binary_computers/
Quantum Computer Chips
IBM’s five qubit processor uses a lattice architecture that scales to create larger, more powerful quantum computers.
A quantum computing chip made by Rigetti Computing with three quantum bits.
Moore's Law
"Mr. Gordon Moore made a prediction in 1965 that every 18 months for the next 10 years, the number of components on an integrated circuit doubles."
src: https://en.wikipedia.org/wiki/Moore's_law
His prediction continues to hold after 52 years.
src: http://hexus.net/tech/news/cpu/97468-d-wave-systems-previews-2000-qubit-quantum-processor/
Quantum Computing and Moore's Law?
Quantum Computing's Threat To Encryption
● As of Jan 2016, NSA realized that popular forms of asymmetric encryption can be brute forced by powerful Quantum Computers (QC) by 2030.
● Shor's algorithm can efficiently factor numbers, breaking RSA.
● A Shor's algorithm variant can break Diffie-Hellman and other discrete log-based cryptosystems, including those that use elliptic curves.
● Some leading cryptographers disagree with NSA on the timeframe, placing it far beyond 2030.
● Secrets run the risk of being recorded today and decrypted later by QC.
src: https://www.schneier.com/blog/archives/2015/08/nsa_plans_for_a.html
https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
https://threatpost.com/cryptographers-dismiss-ai-quantum-computing-threats/123723/
Passwords
A) D0g........
B) r*<d2Gs%Er
Which Password is Harder to Brute Force?
● Passwords are encoded using Cryptographic functions
● Cryptographic functions are special mathematical functions that cannot be reversed (one-way functions)
● Properties
○ One-way functions (mathematically irreversible)
○ Collision free
Mechanics of Passwords
Src: https://hashcat.net/wiki/doku.php?id=example_hashes
Plethora of cryptographic hash functions (this is a partial list...)
● Automate Authentication
○ Identify privileges with passwords
○ i.e. "Can I read this or write that?"
● Integrity Protection
○ Detect if anyone tampered with this data or program
Passwords, What Are They Good For?
● Passwords should never be stored in plaintext
● New guidelines: NIST Special Pub 800-63b
○ Make password policies user friendly; put the burden on verifier.
○ Size matters, allow long passphrases with all printable ASCII chars.
○ Check new passwords against a dictionary of known-bad choices.
● Should be individually salted (next slide) when stored on the server side
Passwords - Best Practices
Src: https://pages.nist.gov/800-63-3/sp800-63b.html
Salt, What is it?
● Salt makes hashed passwords more complex
○ Imagine a single password file that contains hundreds of usernames and passwords. Without a salt, I could compute "md5(attempt[0])", and then scan through the file to see if that hash shows up anywhere. If salts are present, then I have to compute "md5(salt[a] . attempt[0])", compare against entry A, then "md5(salt[b] . attempt[0])", compare against entry B, etc. Now I have n times as much work to do, where n is the number of usernames and passwords contained in the file.
● Salt makes hashes more resilient against rainbow table attacks
○ A rainbow table is a large list of pre-computed hashes for commonly-used passwords. Imagine again the password file without salts. All I have to do is go through each line of the file, pull out the hashed password, and look it up in the rainbow table. I never have to compute a single hash. If the look-up is considerably faster than the hash function (which it probably is), this will considerably speed up cracking the file.
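The two salt effects described above, run as a small password-file audit. This is an added example, not code from the talk or its repositories; the accounts, the guess list and the function names are constructed, and SHA-256 stands in for the slide's md5().

```python
import hashlib
import os

# Constructed sample accounts: alice and bob happen to share a password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "T7#qLw!z9@Vd"}
# Constructed list of known-bad guesses an auditor tests the file against.
GUESSES = ["123456", "password", "sunshine", "qwerty"]

def digest(data: bytes) -> str:
    # Fast hash used only to mirror the slide; not suitable for real storage.
    return hashlib.sha256(data).hexdigest()

def store_unsalted(users):
    return {user: digest(pw.encode()) for user, pw in users.items()}

def store_salted(users):
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)                      # fresh random salt per account
        out[user] = (salt, digest(salt + pw.encode()))
    return out

def audit_unsalted(store, guesses):
    """Hash each guess once, then match the whole file by lookup."""
    table = {digest(g.encode()): g for g in guesses}   # plays the precomputed table
    found = {u: table[d] for u, d in store.items() if d in table}
    return found, len(guesses)                     # number of hashes computed

def audit_salted(store, guesses):
    """Every guess has to be re-hashed under every account's own salt."""
    found, hashes = {}, 0
    for user, (salt, stored) in store.items():
        for g in guesses:
            hashes += 1
            if digest(salt + g.encode()) == stored:
                found[user] = g
    return found, hashes                           # n accounts x len(guesses)

def precomputed_hits(store, guesses):
    """A table built without the salts matches nothing in a salted file."""
    table = {digest(g.encode()) for g in guesses}
    return [u for u, (_salt, stored) in store.items() if stored in table]

if __name__ == "__main__":
    plain, salted = store_unsalted(USERS), store_salted(USERS)
    print("shared digest, unsalted:", plain["alice"] == plain["bob"])
    print("unsalted audit:", audit_unsalted(plain, GUESSES))
    print("salted audit:  ", audit_salted(salted, GUESSES))
    print("precomputed hits on salted file:", precomputed_hits(salted, GUESSES))
```

Salting multiplies the work by the number of accounts and hides shared passwords, but a weak password still falls to a per-account guess, which is why the hash itself also has to be slow.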
UNSAFE a) ECDH and ECDSA with NIST P-256
UNSAFE b) RSA with 2048-bit keys
UNSAFE c) Diffie-Hellman with 2048-bit keys
UNSAFE d) SHA-256
UNSAFE e) AES-128
Quantum Computing Threat to Encryption
src: https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
a) Symmetric Encryption short rotating key schedule
b) RSA 3072-bit or larger
2) Diffie-Hellman (DH) 3072-Bit or larger
3) ECDH with NIST P-384
4) ECDSA with NIST P-384
5) SHA-384
6) AES-256
NSA Recommended Cryptographic Algorithms
src: https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
NSA NIST Quantum docs + Paper
● NIST Report on Post-Quantum Cryptography, April 2016
○ http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf
● CNSA Quantum Computing FAQ
○ https://drive.google.com/open?id=0BwMw6ipu4nPzVmNFQ3pPTnpnSDA
● Commercial National Security Algorithm (CNSA) Suite Factsheet by NSA
○ https://drive.google.com/open?id=0BwMw6ipu4nPzMWlKaVZTTUt5clU
● A Riddle Wrapped in an Enigma by Neal Koblitz and Alfred J. Menezes
○ https://drive.google.com/open?id=0BwMw6ipu4nPzRW9zd09lMC14eTA
Sample Quantum-Proof Messaging App
Here's why this app is Quantum Proof:
● A chosen-ciphertext attack (CCA) is regarded as the most lethal attack against a cryptosystem.
● In it, the adversary chooses an arbitrary ciphertext and obtains the corresponding plaintext from a decryption oracle.
● This application uses AES-256 in CBC mode. AES is an encryption algorithm (aka Rijndael) approved by NIST as U.S. FIPS PUB 197 on November 26, 2001.
● AES-256 in CBC mode uses an Initialization Vector (IV) of 128 bits of pseudo-random data suitable for cryptographic purposes, created by Python’s os.urandom() properly seeded with time to a precision of microseconds (1 millionth of a second). It also uses 64 bits of salt, which is also pseudo-random data to microsecond precision.
● Each message is encrypted with a unique IV and salt; therefore, it is virtually impossible for the same plaintext to yield the same ciphertext.
https://github.com/CarlosVilleags/CryptographicSecureMessagingSteganography
Make Your Passwords Uncrackable!
a. Not be in any dictionary of any language
b. If using compound words, make sure to use at least 4 words
c. Contain at least 1 of each of the four character sets: upper, lower, number, symbol
d. Be at least 12 characters in length
e. Use a computationally expensive cryptographic hash algorithm, such as those that use 64-bit logic (because GPUs are 32-bit based)
f. Know nothing about the semantic format of the password. Anything goes.
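The verifier side of this checklist and of the NIST guidance earlier in the deck (long passphrases allowed, new passwords checked against known-bad choices, an individual salt per stored password), as an added example that is not code from the talk. The known-bad list, the iteration count and the record layout are assumptions; PBKDF2-HMAC-SHA512 is chosen because SHA-512 works on 64-bit words, which is the property item e asks for.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary of known-bad choices.
KNOWN_BAD = {"password1234", "qwertyuiop123", "correcthorsebatterystaple"}
MIN_LENGTH = 12          # item d of the checklist
ITERATIONS = 210_000     # assumed work factor; tune it to the verifier's hardware

def acceptable(password: str) -> bool:
    """Policy burden sits on the verifier: minimum length plus a known-bad lookup."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in KNOWN_BAD

def enroll(password: str) -> dict:
    """Return the record to store; the plaintext password is never kept."""
    if not acceptable(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)                          # individual salt per account
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha512", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])

if __name__ == "__main__":
    rec = enroll("plum-Ladder-9-orbit")            # constructed sample passphrase
    print(rec["alg"], rec["iter"], "salt bytes:", len(rec["salt"]) // 2)
    print("correct password:", verify("plum-Ladder-9-orbit", rec))
    print("wrong password:  ", verify("plum-Ladder-9-orbiT", rec))
```

Storing the algorithm name and iteration count in each record lets the work factor be raised later without invalidating existing entries.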
Bruteforcing a Password
Password Cracking Box - Favorite Past Project
AMD Radeon HD 7990
amd.com/en-us/products/graphics/desktop/7000/7990
Raw computing power
Creating a strong cryptographic hash value using ‘mkpasswd’ via command line interface (CLI)
Demo
● U.S. Cyber Challenge (deadline 04/23/17 11:59pm EDT)
○ http://uscc.cyberquests.org/
● CTFs (“Capture The Flag”) hacking competitions
● Security+, SSCP, CEH, CISSP, GISP, GSEC, GCFE, CEH
○ https://niccs.us-cert.gov/featured-stories/cybersecurity-certifications
● Cybersecurity degree? Online vs. In-person
● What to Expect in an Online Cybersecurity Degree Program
○ http://www.usnews.com/education/online-education/articles/2016-11-28/what-to-expect-in-an-online-cybersecurity-degree-program
How to get into Cybersecurity?
References
https://github.com/CarlosVilleags/Linux-Logs
https://github.com/CarlosVilleags/CryptographicSecureMessagingSteganography
https://www.youtube.com/watch?v=uxaSTZv5k-8
https://youtu.be/tnGKRfJhlYk
http://dx.doi.org/10.6028/NIST.IR.8105
http://www.usnews.com/education/online-education/articles/2016-11-28/what-to-expect-in-an-online-cybersecurity-degree-program
http://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
http://www.csoonline.com/article/3083798/security/cybersecurity-spending-outlook-1-trillion-from-2017-to-2021.html
http://www.cybersecurityventures.com/jobs
http://blogs.microsoft.com/microsoftsecure/2016/01/27/the-emerging-era-of-cyber-defense-and-cybercrime/
http://www.fool.com/investing/2016/11/23/iot-stocks-what-to-watch-in-2017.aspx
http://abc7news.com/technology/san-mateo-cyber-security-firm-uncovers-malware-on-medical-devices/1757268/
http://www.uscyberchallenge.org/
https://en.wikipedia.org/wiki/Moore's_law
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.digitaltrends.com/features/dt10-quantum-computing-will-make-your-pc-look-like-a-graphing-calculator/
http://www.globalfuturist.org/2017/02/scientists-publish-a-breakthrough-architecture-for-the-worlds-first-quantum-computer/
https://www.theregister.co.uk/2017/02/13/quantum_computer_billions_of_times_faster_than_todays_binary_computers/
https://www.newscientist.com/article/mg23130894-000-revealed-googles-plan-for-quantum-computer-supremacy/
https://www.technologyreview.com/s/600711/the-tiny-startup-racing-google-to-build-a-quantum-computing-chip/
https://www.washingtonpost.com/news/the-switch/wp/2014/01/10/this-company-sold-google-a-quantum-computer-heres-how-it-works/?utm_term=.b76a4450ef60
http://hexus.net/tech/news/cpu/97468-d-wave-systems-previews-2000-qubit-quantum-processor/
http://www.nbcnews.com/id/8985989/#.WKjOYld74_t
https://pages.nist.gov/800-63-3/sp800-63b.html
https://threatpost.com/cryptographers-dismiss-ai-quantum-computing-threats/123723/
Thank You for Your Time and Attention
Carlos A. Villegas
cv127.0.0.1[at]gmail[dot]com