The Crypto Year in Review - EEMA7 (slide transcript)
Bart Preneel, COSIC KU Leuven and imec, Belgium
Bart.Preneel(at)esat.kuleuven.be, November 2016
© KU Leuven COSIC, Bart Preneel
ECRYPT-CSA report D5.2 (algorithms, key sizes and protocols): http://www.ecrypt.eu.org/csa/documents/D5.2-AlgKeySizeProt-1.0.pdf

Outline
• Cool hacks
• Hash functions
• TLS
• Dual EC backdoors (again)
• Postquantum crypto
• Cryptowars returning
• Conclusions
RowHammer
• memory deduplication, Windows 8.1/10 and Microsoft Edge: https://www.vusec.net/projects/dedup-est-machina/
• in the cloud: practical cross-VM attacks on OpenSSH and GnuPG using KSM: https://www.vusec.net/projects/flip-feng-shui/
• page tables: https://www.vusec.net/projects/drammer/
Diffie-Hellman: small subgroups
Computations modulo a large safe prime p. This means (p-1)/2 = p' is prime, or p = 2p'+1. Sometimes (p-1)/2 = p1'·p2'·…·pk' instead (p is then not a safe prime).
Protocol (diagram): one party generates x and computes its public value; the other generates y and computes its public value; the two values are exchanged, and each party raises the received value to its own exponent to compute the shared key k.
Attack: replace the public value by 0, 1, or p-1, or by an element of order << p-1.
Solution: safe prime + check order of received point.
Problems with RFC 5114, OpenSSL 1.0.2, GnuTLS, SSH, POP3S, IKEv1, IKEv2, … (hundreds of thousands of servers)
[Valenta+16] Measuring small subgroup attacks against Diffie-Hellman
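The check the slide prescribes ("safe prime + check order of received point"), written out as an added example that is not from the slides: it rejects 0, 1, p-1 and any value outside the prime-order subgroup, and it enumerates the small-order elements that exist when p is not a safe prime. The parameters are constructed toy values (p = 23 is a safe prime, p = 31 is not); real groups are 2048 bits or more, where the same pow(y, q, p) test applies unchanged.

```python
# Added example: validating a received Diffie-Hellman public value.
# Constructed toy moduli: 23 = 2*11 + 1 is a safe prime; 31 is not
# (30 = 2*3*5), so the group mod 31 contains elements of order 2, 3 and 5.

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_safe_prime(p):
    return is_prime(p) and is_prime((p - 1) // 2)

def element_order(y, p):
    """Multiplicative order of y modulo prime p (brute force)."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k

def validate_dh_public(y, p):
    """Accept y only if it lies in the subgroup of prime order q = (p-1)/2.
    Requires p to be a safe prime; otherwise the cheap test is not enough."""
    if not is_safe_prime(p):
        raise ValueError("p is not a safe prime; cannot validate cheaply")
    q = (p - 1) // 2
    if not 1 < y < p - 1:
        return False            # 0, 1 and p-1 have order 1 or 2
    return pow(y, q, p) == 1    # membership in the order-q subgroup

def small_order_elements(p, bound):
    """Residues mod p (other than 1) whose order is at most `bound`;
    with a safe prime only p-1 shows up, with a weak prime many more do."""
    return [y for y in range(2, p) if element_order(y, p) <= bound]
```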
Hash functions
Designs over time: X.509 Annex D, MDC-2, MD2, MD4, MD5, SHA-1, RIPEMD-160, SHA-256, SHA-512, SHA-3
Illustration: "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)." → 1A3FD4128A198FB3CA345932h
Blockchain
Public ledger binds values together with a hash function
Basis for innovative distributed consensus between mutually distrusting parties
Hacking the blockchain [Accenture]
Chameleon hash (computed with public key pk): with secret key sk it is easy to find A2, B2, rand, rand' such that CHash(A2, rand, pk) = CHash(B2, rand', pk)
Accenture have hacked the blockchain, more conclusively than the DAO hacker
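To make the slide's property concrete, here is an added example (not Accenture's code and not from the slides) of a discrete-log chameleon hash in the Krawczyk-Rabin style: anyone can evaluate CHash with pk, and only the holder of sk can compute rand' so that a different block B2 hashes to the same value as A2. The group is a constructed toy (p = 23, q = 11, g = 4 of order 11); block contents are mapped to exponents with SHA-256.

```python
import hashlib

# Added example: chameleon hash CHash(m, rand, pk) = g^H(m) * pk^rand mod p,
# with pk = g^sk.  Constructed toy parameters; real use needs large groups.
P, Q, G = 23, 11, 4          # 23 = 2*11 + 1 is a safe prime; 4 has order 11

def keygen(sk: int) -> int:
    """Public key for a secret exponent sk in [1, q-1]."""
    return pow(G, sk, P)

def msg_to_int(data: bytes) -> int:
    """Map block contents to an exponent modulo q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def chash(data: bytes, rand: int, pk: int) -> int:
    """Evaluate the chameleon hash; needs only the public key."""
    return pow(G, msg_to_int(data), P) * pow(pk, rand, P) % P

def verify(data: bytes, rand: int, pk: int, digest: int) -> bool:
    """What a ledger node can check: the stored (block, rand) re-hashes."""
    return chash(data, rand, pk) == digest

def forge_collision(a2: bytes, rand: int, b2: bytes, sk: int) -> int:
    """With sk, find rand' so that CHash(b2, rand', pk) == CHash(a2, rand, pk).
    In the exponent: H(a2) + sk*rand == H(b2) + sk*rand'  (mod q)."""
    return (rand + (msg_to_int(a2) - msg_to_int(b2)) * pow(sk, -1, Q)) % Q
```

Whoever holds sk can rewrite a block without changing its hash, so custody of sk is the trust decision a redactable ledger has to make explicit.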
SHA-1 (designed by NSA in '94): plot of log2 attack complexity over time, citing [Wang+'04], [Wang+'05], [Sugita+'06], [Mendel+'08], [McDonald+'09], [Manuel+'09], [Stevens'12]; most attacks unpublished/withdrawn.
Collision for 75/80 steps takes 2^57.7 [Grechnikov-Adinetz'11].
Prediction: collision for SHA-1 in the next 6 months.
Collisions for SHA-1
• 100K$ for a SHA-1 collision, expected before Easter
• Summer 2016: Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites
• February 2017: Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.
• Starting in early 2016 with Chrome version 48, Chrome will display a certificate error if it encounters a site with a leaf certificate that is signed with a SHA-1-based signature and is issued on or after January 1, 2016 – then extended to intermediate certs
• Starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 certificates (fatal network error)
SHA-1 migration?
"CAs should no longer issue SHA-1 certs after 1 January 2016"
WoSign has issued certificates after January 1st 2016 but backdated the notBefore date to be in December 2015. This has the effect of avoiding the blocks in browsers regarding SHA-1 certs issued after January 1st 2016. The number of certs affected is probably 67, but may be a few more or less.
SSL/TLS: most successful end-to-end security technology
12 million servers, billions of clients
Broken in many ways: RFC 7457, "Summarizing known attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)," February 2015
Versions: SSLv2 (1994), SSLv3 (1996), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (2016)
TLS overview [Stebila'14] (layer diagram)
Layers: Crypto primitives | Ciphersuite details | Protocol | "Framework" libraries | Applications
• Crypto primitives: RSA, DSA, ECDSA; DH, EC-DH; HMAC; MD5, SHA-1, SHA-2; DES, 3DES, RC4, AES
• Ciphersuite details and protocol: data structures, key derivation, encryption modes and IVs, padding, compression, alerts and errors, certification/revocation, (re-)negotiation, session resumption, key reuse
• Libraries: OpenSSL, GnuTLS, SChannel, Java JSSE
• Applications: web browsers, web servers, application SDKs, certificates
• Theoretical analysis
TLS attack overview [Stebila'14], updated November 2016: DROWN, improved RC4 biases, FREAK, Logjam, SLOTH, POODLE, DH parameter validation, sweet32, Lucky Microseconds
TLS 1.3 coming soon
Clean up and simplify:
• remove renegotiation and compression
Increase security:
• RSA for key transport removed: only Diffie-Hellman (forward secrecy)
• only authenticated encryption with associated data (AEAD)
Increase privacy:
• start encrypting earlier
Reduce latency (if previously connected): 0-RTT and 1-RTT
More details: Eric Rescorla, TLS 1.3, Real World Crypto 2016
Good news: miTLS high assurance implementation [INRIA+Microsoft]
Elliptic Curve Crypto (ECC) deployment
Trust issue:
• can we trust a "new" cryptosystem?
• who generated the curves: NSA? BSI?
Complexity; patent issues
1985-1995: scepticism
1995-2005: support from NSA via Suite B
• 2003: NSA takes a Certicom license
2005-2015: RSA added to Suite B
• 2013: Snowden: the Dual_EC DRBG story
Random number generation (diagram): seed → pseudo-random number generator (PRNG) → output. A trapdoor in the PRNG allows prediction of keys.
Dual_EC_DRBG: Dual Elliptic Curve Deterministic Random Bit Generator
• ANSI and ISO standard
• 1 of the 4 PRNGs in NIST SP 800-90A
• draft Dec. 2005; published 2006; revised 2012
• Two "suspicious" parameters P and Q
• Many warnings and critical comments: before publication [Gjøsteen05], [Schoenmakers-Sidorenko06]; after publication [Ferguson-Shumov07]
From the standard's appendix: "The security of Dual_EC_DRBG requires that the points P and Q be properly generated. To avoid using potentially weak points, the points specified in Appendix A.1 should be used."
Dual_EC_DRBG
• 10 Sept. 2013, NYT: "internal memos leaked by a former NSA contractor suggest that [..] the Dual EC DRBG standard […] contains a backdoor for the NSA."
• 9 Sept. 2013: NIST "strongly recommends" against the use of Dual_EC_DRBG, as specified in SP 800-90A (2012)
Why was the slowest and least secure of the 4 PRNGs chosen as the default algorithm in BSAFE?
Dual_EC_DRBG in Juniper
Juniper Security Advisory (17/12/2015), CVE-2015-7755/7756, ScreenOS 6.2.r015-r018 and 6.3.r017-r020: "discovered unauthorized code in the ScreenOS software that powers Netscreen firewalls"
Two backdoors:
1. bypass authentication in the SSH and Telnet daemons
2. passive eavesdropper can decrypt VPN traffic
(1) was inserted on 25 April 2014 (6.3.r017); the password was discovered within 6 hours after release of the CVE. The string found in the code: <<< %s(un='%s') = %u
Dual_EC_DRBG in Juniper (2)
(2) Passive eavesdropper can decrypt VPN traffic
From the Juniper knowledge base (Oct 2013): "ScreenOS does make use of the Dual_EC_DRBG standard, but is designed to not use Dual_EC_DRBG as its primary random number generator. ScreenOS uses it in a way that should not be vulnerable to the possible issue that has been brought to light. Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations."
Dual_EC_DRBG in Juniper (3)
(2) Passive eavesdropper can decrypt VPN traffic
Changes introduced on 20 October 2008 (6.2.r01):
– Add Dual_EC_DRBG but with a different Q: Q'
– Add global variables to RNG code
– Output is supposed to be input to a second RNG based on ANSI X9.31, but due to a subtle bug a "for loop" is never executed and there is no post-processing with ANSI X9.31
– RNG produces 32 bytes rather than 20
– Nonce for IKE (IPsec) is increased from 20 to 32 bytes
– Nonces are pre-generated
Dual_EC_DRBG in Juniper (4)
(2) Passive eavesdropper can decrypt VPN traffic
Changes introduced on 12 September 2012 (6.2.r015):
– Q' point in Dual_EC_DRBG code is replaced by another point Q''
– Juniper calls this an "unauthorized patch"
17 December 2015: Juniper patch
• Remove SSH/Telnet backdoor
• Restore Q'
That's it folks
If a large quantum computer can be built...
• all schemes based on factoring (RSA) and DLOG are insecure [Shor'94], including elliptic curve cryptography
• symmetric key sizes: x2 [Grover]
News in Jan. 2014: NSA has spent 85 M$ on research to build a quantum computer
Predictions
Criticism:
• interconnect/architecture?
• algorithms depend on architecture
• number of qubits needed may grow quadratically with bit size for ECC
M. Mosca, April 2015: "With probability 1/7 we will have a large quantum computer available by 2025; the probability will increase to close to 1 by 2035"
When to switch to quantum resistant cryptography?
Q = #years until first large quantum computer
x = #years it takes to switch (3-10 years)
y = #years data needs to be confidential (10 years)
Need to start switching in the year 2016 + Q – x – y
e.g. Q = 15, x = 5, y = 10: today!
For data and entity authentication: y = small (and defense-in-depth)
August 19 2015: do not switch to Suite B
"IAD will initiate a transition to quantum resistant algorithms in the not too distant future […] For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition […]"
For now: ECC P-384 / RSA-3072 / Diffie-Hellman 3072
Post-Quantum public key crypto
PQCrypto: http://pqcrypto.eu.org/
• Digital signatures
  • Hash-based: secure but large signatures (40 Kbyte) and keys
  • Lattice based: BLISS
• Public key encryption/key establishment
  • NTRU
  • Lattice based (Ring Learning With Errors): BGV/BV
  • Code-based crypto
  • Isogenies
Open competitions (timeline figure): DES, RIPE, AES, NESSIE, CRYPTREC, eSTREAM, SHA-3, with dates shown as 1975-1977, 1988-2002, 1997, 2000, 2000, 2005, 2012; current and upcoming (2014-2024 axis): CAESAR, Lightweight, POSTQUANTUM
Post-Quantum Standardization
NIST Internal Report (NISTIR) 8105: Report on Post-Quantum Cryptography, http://csrc.nist.gov/groups/ST/post-quantum-crypto/index.html
• Fall 2016: formal call for proposals
• Nov 2017: deadline for submissions
• Early 2018: workshop - submitters' presentations
• 3-5 years: analysis phase - NIST will report findings, 1-2 workshops during this phase
• 2 years later: draft standards ready
We are going dark
"[I]n our country, do we want to allow a means of communication between people which we cannot read?"
As predicted at ISSE 2015
San Bernardino, CA, December 2, 2015
At the request of the FBI, based on an All Writs order (1789), a U.S. federal magistrate judge has ordered Apple to break the security of the iPhone
Court cases end
• March 28: FBI gets access with help of a hacker at the cost of over US$ 1 million… yielded almost no useful information
• April 22: federal government withdraws from a similar case in NY related to drugs trafficking
Sergei Skorobogatov: The bumpy road towards iPhone 5c NAND mirroring. arXiv:1609.04327, Sept. 2016 (US$ 100 kit)
NSA: "Collect it all, know it all, exploit it all" (source: www.wired.com)
US citizens have protections based on the 4th Amendment but Europeans don't
NSA and GCHQ claim that they perform targeted surveillance while they run mass surveillance programs (Tempora and XKeyScore Deep Dive)
It's the metadata, stupid
(Part of) government seems to prefer offense over defense
How many 0-days do the FBI and the NSA have? Are they revealed to vendors? If so, when?
New 0-days
The crypto war returns
... and an ongoing battle
April 22, 2016, US tech industry: "[…] would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation's, and the world's, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems."
April 13, 2016: Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) propose a bill that would require smartphone makers to decrypt data on demand for law enforcement agencies
Patriot Act, Oct. 26, 2001 (minor revision in 2015)
France and Germany push for encryption limits
[Figure: Encryption to protect industry, ~18.3B (log10 scale); © Bart Preneel]
[Figure: Encryption to protect user data, ~12.5B (not meta data), log10 scale; labels: https:// vs http://, browser, HTTP over SSL, SSL transport system, "not end to end"; © Bart Preneel]
Architecture is politics [Mitch Kapor'93]
Control: avoid a single point of trust that becomes a single point of failure
Stop massive data collection: big data yields big breaches (think pollution); this is both a privacy and a security problem (think OPM)
Governance and Architectures
Back to principles: minimum disclosure
– stop collecting massive amounts of data
• local secure computation
– if we do collect data: encrypt with a key outside the control of the host
• with crypto still useful operations
Bring "cryptomagic" to use without overselling
– zero-knowledge, oblivious transfer, functional encryption
– road pricing, smart metering, health care
From Big Data to Small Local Data: data stays with users
From Big Data to Big Encrypted Data: encrypted data, keys stay with users, can still compute on the data
Open (Source) Solutions
Effective governance
Transparency for service providers
Conclusions
• Crypto problems are definitely not solved but we are making some progress
• Crypto wars are not over
• Ongoing pervasive surveillance needs pervasive collection and active attacks, with massive collateral damage on our ICT infrastructure
• Better protected end systems: open systems with better governance
Thank you for your attention
More crypto: www.ecrypt.eu.org