Cryptography

yllan, 2015

• @yllan

• hypo https://hypo.cc/

• SOLDA https://solda.io/

•

http://hypo.cc/

https://solda.io/

Q: AES

•

•

• /

• key

• key

Encryption

Encryption System• Block Cipher

•

• DES, AES, RSA, …

• block padding block

• Block Mode: ECB / CBC / GCM / ……

Don’t Use ECB mode!Block 1 Block 2 Block N…

Cipher 1 Cipher 2 Cipher N…

ECB: Cut & Paste

Cookie: auth=AES-ECB(username)

Cookie: auth=AES-ECB(1234567890123456admin)

ECB: Byte-by-Byte• Oracle(m)=AES-ECB(m‖secret, key)

AES-ECB(123456789012345secret, key) AES-ECB(123456789012345*secret, key) AES-ECB(123456789012345ssecret, key) AES-ECB(12345678901234secret, key) AES-ECB(12345678901234s*secret, key) AES-ECB(12345678901234sesecret, key) AES-ECB(1234567890123secret, key)

A block: 16-bytes

comment=hello ,%20MOPCON. %26admin=true&admin=true

comment=hello ,%20MOPCON. %26admin=true&admin=true

comment=hello ?SDA(*H@*(#$& %2&admin=true

&⊕6

CBC Padding Oracle• PKCS7 Padding

• xxxxxxxxxx\01

• xxxxxxxxx\02\02

• xxxxxxxx\03\03\03

if (!bytes.takeRight(bytes.last)

.forAll(_ == bytes.last))

{

throw Exception(“Padding invalid!”)

}

030303

030303

⊕01

030302

⊕01

030303

⊕02

030301

⊕02

valid padding!

030301

⊕02

valid padding!last byte ⊕ 02 = 01, last byte = 03

030303

valid padding!last byte ⊕ 02 = 01, last byte = 03

??040404

⊕??070707

Authentication(Signing)

(Crypto) Hash• MD5, SHA1, SHA2, SHA3……

• input n output

• One-Way: H(x) x

• 2nd Pre-Image Resistance: y H(x) = H(y)

• Collision Free: x ≠ y ⇒ H(x) = H(y)

Hash ≠ Authentication

• user=yllan&rating=5&album=12345

• MD5(secretalbum12345rating5useryllan)

•

• Length Extension Attack

Length Extension Attack• ????user=yllan&rating=5

• ????user=yllan&rating=5…&admin=true

data data paddata

1 length0…0

64bytes 64bytes 64bytes

data paddatadata


v1: 0x67452301

v2: 0xEFCDAB89

v3: 0x98BADCFE

v4: 0x10325476

v5: 0xC3D2E1F0

data paddatadata


v1: 0xAAAAAAAA

v2: 0xBBBBBBBB

v3: 0xCCCCCCCC

v4: 0xDDDDDDDD

v5: 0xEEEEEEEE

data paddatadata


v1: 0xFFFFFFFF

v2: 0xFFFFFFFF

v3: 0xFFFFFFFF

v4: 0xFFFFFFFF

v5: 0xFFFFFFFF

data paddatadata


v1: 0x00000000

v2: 0x11111111

v3: 0x22222222

v4: 0x33333333

v5: 0x44444444

SHA1: 0x0000000011111111222222223333333344444444

? ???


SHA1: 0x0000000011111111222222223333333344444444

? ???


SHA1: 0x0000000011111111222222223333333344444444

v1: 0x00000000

v2: 0x11111111

v3: 0x22222222

v4: 0x33333333

v5: 0x44444444

? ???


v1: 0x00000000

v2: 0x11111111

v3: 0x22222222

v4: 0x33333333

v5: 0x44444444

PadExtension

? ???


v1: 0x55555555

v2: 0x66666666

v3: 0x77777777

v4: 0x88888888

v5: 0x99999999

SHA1: 0x5555555566666666777777778888888899999999

PadExtension

MAC

• Message Authentication Code

• HMAC-SHA256(message, secret)

• m, MACk(m) ⇒ n, MACk(n)

Side Channel Attack

Comparisonpublic static boolean isEqual(byte digesta[], byte digestb[]) { if (digesta.length != digestb.length) return false;

for (int i = 0; i < digesta.length; i++) { if (digesta[i] != digestb[i]) { return false; } } return true; }

Java 6u15: MessageDigest.isEqual

Constant Time Comparison ( )

public static boolean isEqual(byte[] a, byte[] b) { if (a.length != b.length) { return false; }

int result = 0; for (int i = 0; i < a.length; i++) { result |= a[i] ^ b[i]; } return result == 0; }

Side Channel

•

•

•

• HEARTBLEED

• bcrypt()

• RSA/DES library… Orz

1 2 3 4 5 6 78 9 10……

Cryptography

Technology

Transcript of Cryptography