The Crypto Year in Review - EEMA7 Hashfunctions X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 This is an...


Page 1

The Crypto Year in Review

Bart Preneel, COSIC KU Leuven and imec, Belgium
Bart.Preneel(at)esat.kuleuven.be, November 2016

© KU Leuven COSIC, Bart Preneel

Page 2

http://www.ecrypt.eu.org/csa/documents/D5.2-AlgKeySizeProt-1.0.pdf

Page 3

Outline

• Cool hacks
• Hash functions
• TLS
• Dual EC backdoors (again)
• Postquantum crypto
• Cryptowars returning
• Conclusions

Page 4

RowHammer

• Memory deduplication on Windows 8.1/10 and Microsoft Edge: https://www.vusec.net/projects/dedup-est-machina/
• In the cloud: practical cross-VM attacks on OpenSSH and GnuPG using KSM: https://www.vusec.net/projects/flip-feng-shui/
• Page tables: https://www.vusec.net/projects/drammer/

Page 5

Diffie-Hellman: small subgroups

Computations are done modulo a large safe prime p. This means (p-1)/2 = p’ is prime, i.e. p = 2p’+1. Sometimes (p-1)/2 = p1’·p2’·…·pk’ instead.

[Figure: the two parties each generate a secret exponent (x, respectively y), exchange their public values, and each computes k by raising the received value to its own exponent: k = (received value)^x on one side and k = (received value)^y on the other.]

Attack: replace the sent public value by 0, 1, or p-1, or by an element of order << p-1.

Solution: safe prime + check the order of the received point.

Page 6

Diffie-Hellman: small subgroups

Attack: replace the sent public value by 0, 1, or p-1? Or by an element of order << p-1.

Solution: safe prime + check the order of the received point.

Problems with RFC 5114, OpenSSL 1.0.2, GnuTLS, SSH, POP3S, IKEv1, IKEv2, … (hundreds of thousands of servers).

[Valenta+16] Measuring small subgroup attacks against Diffie-Hellman
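Checking a received Diffie-Hellman value the way the slide's solution prescribes (safe prime plus order check), as an added example that is not from the slides; it assumes a constructed toy safe prime p = 2039 with generator 2 and uses Miller-Rabin as the primality test.

```python
"""Diffie-Hellman public-value validation against small-subgroup attacks.

Added example, not from the slides. The toy safe prime p = 2039 = 2*1019 + 1
is constructed so the code runs instantly; a deployment would use a 2048-bit
or larger safe-prime group with exactly the same checks.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and (p-1)/2 are prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_public_value(y: int, p: int) -> bool:
    """Reject 0, 1, p-1 and any value outside the prime-order subgroup.

    For a safe prime the only subgroup orders are 1, 2, q and 2q, so
    2 <= y <= p-2 together with y^q mod p == 1 proves y has order exactly q.
    """
    q = (p - 1) // 2
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def shared_secret(own_priv: int, peer_pub: int, p: int) -> int:
    """Compute k = peer_pub^own_priv mod p, but only after validation."""
    if not is_safe_prime(p):
        raise ValueError("group modulus is not a safe prime")
    if not validate_public_value(peer_pub, p):
        raise ValueError("peer value rejected (possible small-subgroup attack)")
    return pow(peer_pub, own_priv, p)


# Constructed toy parameters: p is a safe prime and g = 2 generates the
# subgroup of prime order q (2 is a quadratic residue because p = 7 mod 8).
P = 2039
Q = (P - 1) // 2
G = 2


def keypair():
    """Secret exponent in [1, q-1] and the matching public value g^x mod p."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


if __name__ == "__main__":
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    assert shared_secret(a_priv, b_pub, P) == shared_secret(b_priv, a_pub, P)
    for bad in (0, 1, P - 1):
        assert not validate_public_value(bad, P)
    print("honest exchange agrees; degenerate values rejected")
```

A value of order 2q (a quadratic non-residue such as 7 in this group) is also rejected, since accepting it would leak one bit of the peer's exponent.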

Page 7

Hash functions

X.509 Annex D, MDC-2, MD2, MD4, MD5, SHA-1
RIPEMD-160, SHA-256, SHA-512
SHA-3

[Figure: the paragraph below is shown being fed into a hash function, whose output is 1A3FD4128A198FB3CA345932h]

This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

Page 8

Blockchain

Public ledger binds values together with a hash function.

Basis for innovative distributed consensus between mutually distrusting parties.

Page 9

Hacking the blockchain [Accenture]

Chameleon hash: keyed by a public key pk; with the secret key sk it is easy to find A2, B2, rand, rand’ such that CHash(A2, rand, pk) = CHash(B2, rand’, pk).

Accenture have hacked the blockchain, more conclusively than the DAO hacker.
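The trapdoor property behind the "editable blockchain" described above, as an added example that is not the slides' or Accenture's code; it assumes the Krawczyk-Rabin discrete-log chameleon hash, a constructed toy group (p = 2039, q = 1019, g = 2), and the example's own helper names (forge_randomness, rewrite_block, verify_chain).

```python
"""Chameleon-hash ledger: the trapdoor holder can rewrite a block in place.

Added example, not from the slides. CHash(m, r, pk) = g^H(m) * pk^r mod p
with pk = g^sk (Krawczyk-Rabin). Toy parameters are constructed: p = 2039 is a
safe prime, q = 1019, and g = 2 has order q. Real use needs >= 2048-bit groups.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 2


def keygen():
    """Trapdoor key sk in [1, q-1] and public key pk = g^sk mod p."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def msg_to_int(m: bytes) -> int:
    """Map arbitrary bytes into Z_q via SHA-256."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def chash(m: bytes, r: int, pk: int) -> int:
    """Chameleon hash; without sk finding collisions is as hard as DLOG."""
    return (pow(G, msg_to_int(m), P) * pow(pk, r, P)) % P


def forge_randomness(m1: bytes, r1: int, m2: bytes, sk: int) -> int:
    """With the trapdoor, find r2 such that CHash(m2, r2) == CHash(m1, r1).

    The exponents must agree mod q: H(m1) + sk*r1 == H(m2) + sk*r2, so
    r2 = r1 + (H(m1) - H(m2)) * sk^-1 mod q.
    """
    return (r1 + (msg_to_int(m1) - msg_to_int(m2)) * pow(sk, -1, Q)) % Q


def link_input(prev_link: int, data: bytes) -> bytes:
    """Bytes hashed for a block: the previous link plus the payload."""
    return prev_link.to_bytes(4, "big") + data


def append_block(chain: list, data: bytes, pk: int) -> None:
    prev = chain[-1]["link"] if chain else 0
    r = secrets.randbelow(Q)
    chain.append({"prev": prev, "data": data, "r": r,
                  "link": chash(link_input(prev, data), r, pk)})


def verify_chain(chain: list, pk: int) -> bool:
    """Recompute every link; an edit made without the trapdoor breaks it."""
    prev = 0
    for blk in chain:
        if blk["prev"] != prev:
            return False
        if chash(link_input(prev, blk["data"]), blk["r"], pk) != blk["link"]:
            return False
        prev = blk["link"]
    return True


def rewrite_block(chain: list, index: int, new_data: bytes, sk: int) -> None:
    """Trapdoor holder swaps a block's payload; all links remain valid."""
    blk = chain[index]
    old_in = link_input(blk["prev"], blk["data"])
    new_in = link_input(blk["prev"], new_data)
    blk["r"] = forge_randomness(old_in, blk["r"], new_in, sk)
    blk["data"] = new_data


if __name__ == "__main__":
    sk, pk = keygen()
    chain = []
    append_block(chain, b"Alice pays Bob 10", pk)        # constructed payloads
    append_block(chain, b"Bob pays Carol 5", pk)
    rewrite_block(chain, 0, b"Alice pays Bob 1000", sk)
    print("chain still verifies after trapdoor edit:", verify_chain(chain, pk))
```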

Page 10

SHA-1

[Figure: log2 complexity of SHA-1 collision attacks over time, with data points [Wang+’04], [Wang+’05], [Mendel+’08], [Sugita+’06], [McDonald+’09], [Manuel+’09], [Stevens’12]; most attacks unpublished/withdrawn]

• SHA-1 designed by NSA in ’94
• collision for 75/80 steps takes 2^57.7 [Grechnikov-Adinetz’11]
• prediction: collision for SHA-1 in the next 6 months

Page 11

Collisions for SHA-1

100K$ for a SHA-1 collision, expected before Easter.

Summer 2016: Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites.

February 2017: Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

Starting in early 2016 with Chrome version 48, Chrome will display a certificate error if it encounters a site with a leaf certificate that is signed with a SHA-1-based signature and is issued on or after January 1, 2016; later extended to intermediate certificates.

Starting January 1, 2017 at the latest, Chrome will completely stop supporting SHA-1 certificates (fatal network error).

Page 12

SHA-1 migration?

“CAs should no longer issue SHA-1 certs after 1 January 2016”

WoSign has issued certificates after January 1st 2016 but backdated the notBefore date to be in December 2015. This has the effect of avoiding the blocks in browsers regarding SHA-1 certs issued after January 1st 2016. The number of certs affected is probably 67, but may be a few more or less.

Page 13

SSL/TLS: the most successful end-to-end security technology

12 million servers, billions of clients

Broken in many ways: RFC 7457, “Summarizing known attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS),” February 2015

Versions: SSLv2 (1994), SSLv3 (1996), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (2016)

Page 14

TLS overview [Stebila’14]

[Figure: layers from crypto primitives up to applications]

Crypto primitives: RSA, DSA, ECDSA; DH, EC-DH; HMAC; MD5, SHA-1, SHA-2; DES, 3DES, RC4, AES

Ciphersuite details and protocol: data structures; key derivation; encryption modes and IVs; padding; compression; alerts and errors; certification/revocation; (re-)negotiation; session resumption; key reuse

“Framework”

Libraries: OpenSSL, GnuTLS, SChannel, Java JSSE

Applications: web browsers, web servers, application SDKs, certificates

Theoretical analysis

Page 15

TLS attack overview [Stebila’14], updated November 2016

• DROWN
• Improved RC4 biases
• FREAK
• Logjam
• SLOTH
• POODLE
• DH parameter validation
• Sweet32
• Lucky Microseconds

Page 16

TLS 1.3 coming soon

Clean up and simplify
• remove renegotiation and compression

Increase security
• RSA for key transport removed: only Diffie-Hellman (forward secrecy)
• only authenticated encryption with associated data (AEAD)

Increase privacy
• start encrypting earlier

Reduce latency (if previously connected): 0-RTT and 1-RTT

More details: Eric Rescorla, TLS 1.3, Real World Crypto 2016

Good news: miTLS high assurance implementation [INRIA+Microsoft]

Page 17

Elliptic Curve Crypto (ECC) deployment

Trust issue
• can we trust a “new” cryptosystem?
• who generated the curves: NSA? BSI?

Complexity

Patent issues

1985-1995: scepticism
1995-2005: support from NSA via Suite B
• 2003: NSA takes a Certicom license
2005-2015: RSA added to Suite B
• 2013: Snowden: the Dual_EC DRBG story

Page 18

Random number generation

[Figure: seed → pseudo-random number generator (PRNG) → keys]

A trapdoor in the PRNG allows the keys to be predicted.

Page 19

Dual_EC_DRBG: Dual Elliptic Curve Deterministic Random Bit Generator

• ANSI and ISO standard
• 1 of the 4 PRNGs in NIST SP 800-90A
• draft Dec. 2005; published 2006; revised 2012
• Two “suspicious” parameters P and Q
• Many warnings and critical comments
  • before publication [Gjøsteen05], [Schoenmakers-Sidorenko06]
  • after publication [Ferguson-Shumov07]

Appendix: The security of Dual_EC_DRBG requires that the points P and Q be properly generated. To avoid using potentially weak points, the points specified in Appendix A.1 should be used.

Page 20

Dual_EC_DRBG

• 10 Sept. 2013, NYT: "internal memos leaked by a former NSA contractor suggest that [..] the Dual EC DRBG standard […] contains a backdoor for the NSA."
• 9 Sept. 2013: NIST “strongly recommends" against the use of Dual_EC_DRBG, as specified in SP 800-90A (2012)

Why was the slowest and least secure of the 4 PRNGs chosen as the default algorithm in BSAFE?

Page 21

Dual_EC_DRBG in Juniper

Juniper Security Advisory (17/12/2015), CVE-2015-7755/7756, ScreenOS 6.2.r015-r018 and 6.3.r017-r020: “discovered unauthorized code in the ScreenOS software that powers Netscreen firewalls”

Two backdoors
1. bypass authentication in the SSH and Telnet daemons
2. passive eavesdropper can decrypt VPN traffic

(1) Was inserted on 25 April 2014 (6.3.r017); the password was discovered within 6 hours after release of the CVE:

<<< %s(un='%s') = %u

Page 22

Dual_EC_DRBG in Juniper (2)

(2) Passive eavesdropper can decrypt VPN traffic

“ScreenOS does make use of the Dual_EC_DRBG standard, but is designed to not use Dual_EC_DRBG as its primary random number generator. ScreenOS uses it in a way that should not be vulnerable to the possible issue that has been brought to light. Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations.”

From the Juniper knowledge base (Oct 2013)

Page 23

Dual_EC_DRBG in Juniper (3)

(2) Passive eavesdropper can decrypt VPN traffic

Changes introduced on 20 October 2008 (6.2.r01)
– Add Dual_EC_DRBG but with a different Q: Q’
– Add global variables to RNG code
– Output is supposed to be input to a second RNG based on ANSI X9.31, but due to a subtle bug a “for loop” is never executed and there is no post-processing with ANSI X9.31
– RNG produces 32 bytes rather than 20
– Nonce for IKE (IPsec) is increased from 20 to 32 bytes
– Nonces are pre-generated

Page 24

Dual_EC_DRBG in Juniper (4)

(2) Passive eavesdropper can decrypt VPN traffic

Changes introduced on 12 September 2012 (6.2.r015)
– Q’ point in Dual_EC_DRBG code is replaced by another point Q’’
– Juniper calls this an “unauthorized patch”

17 December 2015: Juniper patch
• Remove SSH/Telnet backdoor
• Restore Q’

That’s it folks

Page 25

Outline

• Cool hacks
• Hash functions
• TLS
• Dual EC backdoors (again)
• Postquantum crypto
• Cryptowars returning
• Conclusions

Page 26

If a large quantum computer can be built...

• all schemes based on factoring (RSA) and DLOG are insecure [Shor’94], including elliptic curve cryptography
• symmetric key sizes: x2 [Grover]

News in Jan. 2014: NSA has spent 85 M$ on research to build a quantum computer

Page 27

Predictions

Criticism
• interconnect/architecture?
• algorithms depend on architecture
• number of qubits needed may grow quadratically with bit size for ECC

M. Mosca, April 2015: “With probability 1/7 we will have a large quantum computer available by 2025; the probability will increase to close to 1 by 2035”

Page 28

When to switch to quantum resistant cryptography?

Q = #years until first large quantum computer
x = #years it takes to switch (3-10 years)
y = #years data needs to be confidential (10 years)

Need to start switching in the year 2016 + Q – x – y
e.g. Q = 15, x = 5, y = 10: today!

For data and entity authentication: y = small (and defense-in-depth)

Page 29

August 19 2015: do not switch to Suite B

“IAD will initiate a transition to quantum resistant algorithms in the not too distant future […]

For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition […]”

For now: ECC P-384/RSA-3072/Diffie-Hellman 3072

Page 30

Post-Quantum public key crypto

PQCrypto: http://pqcrypto.eu.org/

• Digital signatures
  • Hash-based: secure but large signatures (40 Kbyte) and keys
  • Lattice based: BLISS
• Public key encryption/key establishment
  • NTRU
  • Lattice based (Ring Learning With Errors): BGV/BV
  • Code-based crypto
  • Isogenies

Page 31

Open competitions

[Figure: timeline of open competitions: DES, RIPE, AES, NESSIE, CRYPTREC, eSTREAM, SHA-3, CRYPTREC (years shown: 1975-1977, 1988-2002, 1997, 2000, 2000, 2005, 2012); upcoming: CAESAR, POSTQUANTUM, Lightweight (2014-2024)]

Page 32

Post-Quantum Standardization

NIST Internal Report (NISTIR) 8105: Report on Post-Quantum Cryptography, http://csrc.nist.gov/groups/ST/post-quantum-crypto/index.html

Fall 2016: Formal Call for Proposals
Nov 2017: Deadline for submissions
Early 2018: Workshop - Submitter's Presentations
3-5 years: Analysis Phase - NIST will report findings; 1-2 workshops during this phase
2 years later: Draft Standards ready

Page 33

We are going dark

Page 34

“[I]n our country, do we want to allow a means of communication between people which we cannot read?”

Page 35

As predicted at ISSE 2015

Page 36

San Bernardino, CA, December 2, 2015

Page 37

At the request of the FBI, based on an All Writs order (1789), a U.S. federal magistrate judge has ordered Apple to break the security of the iPhone.

Page 38

Court cases end

March 28: FBI gets access with the help of a hacker at a cost of over US$ 1 million… yielded almost no useful information

April 22: federal government withdraws from a similar case in NY related to drugs trafficking

Sergei Skorobogatov: The bumpy road towards iPhone 5c NAND mirroring. arXiv:1609.04327, Sept. 2016 (US$ 100 kit)

Page 39

[Image: www.wired.com]

NSA: “Collect it all, know it all, exploit it all”

Page 40

US citizens have protections based on the 4th Amendment but Europeans don’t.

NSA and GCHQ claim that they perform targeted surveillance while they run mass surveillance programs (Tempora and XKeyScore Deep Dive).

Page 41

It’s the metadata, stupid

Page 42

(Part of) government seems to prefer offense over defense

How many 0-days do the FBI and the NSA have? Are they revealed to vendors? If so, when?

[Figure: new 0-days]

Page 43

The crypto war returns


Page 45

... and an ongoing battle

April 22, 2016, US tech industry: “[…] would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems.”

April 13, 2016: Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) propose a bill that would require smartphone makers to decrypt data on demand for law enforcement agencies

Patriot Act, Oct. 26, 2001 (minor revision in 2015)

Page 46

France and Germany push for encryption limits


Page 48

Encryption to protect industry: ~18.3B

[Bar chart, log10 scale; bar values shown: 6.2B, 6B, 250M, 37M, 200M, 3B, 2.4B, 200M; © Bart Preneel]

Page 49

Encryption to protect user data: ~12.5B (not metadata)

[Bar chart, log10 scale; values shown: 6.3B, 3.5B, 500M, 1B, 700M, 500M, 20-50M?, 12 M; annotations: “not end to end”, https:// vs http:// in the browser, HTTP over SSL, SSL transport system; © Bart Preneel]

Page 50

Architecture is politics [Mitch Kapor’93]

Control: avoid a single point of trust that becomes a single point of failure.

Stop massive data collection: big data yields big breaches (think pollution); this is both a privacy and a security problem (think OPM).

Page 51

Governance and Architectures

Back to principles: minimum disclosure
– stop collecting massive amounts of data
  • local secure computation
– if we do collect data: encrypt with a key outside the control of the host
  • with crypto, still useful operations

Bring “cryptomagic” to use without overselling
– zero-knowledge, oblivious transfer, functional encryption
– road pricing, smart metering, health care

Page 52

From Big Data to Small Local Data

Data stays with users

Page 53

From Big Data to Big Encrypted Data

Encrypted data; keys stay with users; can still compute on the data

Page 54

Open (Source) Solutions

Effective governance

Transparency for service providers

Page 55

Conclusions

• Crypto problems are definitely not solved, but we are making some progress
• Crypto wars are not over
• Ongoing pervasive surveillance needs pervasive collection and active attacks, with massive collateral damage on our ICT infrastructure
• Better protected end systems: open systems with better governance

Page 56

Thank you for your attention

More crypto: www.ecrypt.eu.org