Cargo Cult Security at OpenWest

Cargo Cult Security- OpenWest

https://github.com/disaacson/cargo-cult-security

by Derrick Isaacson

http://en.wikipedia.org/wiki/Cargo_cult

Richard Feynman

Cargo Cult Programming

Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.

• Design patterns• Factory• Wrapper

• Dependency injection• Cryptography• Encryption• Hashing

The Big Picture

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Classic Encryption

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

PlaintextCiphertext Cipher

Symmetric Key Cryptography(Private-key Cryptography)

• Blowfish• Twofish• Serpent• AES (Rijndael)• CAST5• RC4• 3DES• IDEA

HTTPS (TLS)

SSH (SSL)

LUKS Disk Encryption

KeePass

Blowfish Example

$plaintext = ‘Keep it secret. Keep it safe.';

$ciphertext = mcrypt_encrypt(MCRYPT_BLOWFISH, ‘0123456789', $plaintext, MCRYPT_MODE_CBC, ‘87acec17cd9dcd20');

$crypttextHex = bin2hex($ciphertext);

echo $crypttextHex;

a8 c5 22 a1 c5 19 97 70 95 a9 12 af 1a 1f 83 4e0e d7 20 9e ea ab ba 7f 6c d5 d7 de a0 24 1a 5b

Anti-pattern: Authentication

$plainTextId = '100000';

echo '<h4>"Secure" URL for image ' . $plainTextId . '.</h4>';

$cryptTextId = bin2hex(mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainTextId, MCRYPT_MODE_OFB, $initializationVector));

$secretImageUrl = "…?secure_id=". $cryptTextId;

echo '<a href="'. $secretImageUrl .'">'.$secretImageUrl.'</a>';

private_image.php?secure_id=573146feb41e

private_image.php?secure_id=573146feb41e

$cryptTextId = $_GET["secure_id"];

$plainTextId = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key,hex2bin($cryptTextId), MCRYPT_MODE_OFB,

$initializationVector));

$imageData = file_get_contents("img/“ . $plainTextId);echo '<img src="data:image/png;base64,‘

. base64_encode($imageData).'">‘;

573146feb41e

100000

Team Photo

private_image.php?secure_id=573146feb41eprivate_image.php?secure_id=573146feb41f$cryptTextId = $_GET["secure_id"];

$plainTextId = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key,hex2bin($cryptTextId), MCRYPT_MODE_OFB,

$initializationVector));

$imageData = file_get_contents("img/“ . $plainTextId);echo '<img src="data:image/png;base64,‘

. base64_encode($imageData).'">‘;

573146feb41f

100001

Attack Plan

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Message Authentication Codes

HMAC(key, message)

HMAC: RFC 2104

• HMAC-MD5• HMAC-SHA1• HMAC-SHA256

Message MAC

HMAC$plainTextId = '100000';$hmac = hash_hmac("sha256", $key, $plainTextId);$secretImageUrl = "…?id=". $plainTextId . "&hmac=" . $hmac;

echo '<a href="'. $secretImageUrl .'">' . $secretImageUrl . '</a>';

$plainTextId = $_GET["id"];$signature = $_GET["hmac"];$hmac = hash_hmac("sha256", $key, $plainTextId);if ($hmac == $signature) { $imageData = file_get_contents("img/" . $plainTextId . ".jpg"); echo '<img src="data:image/png;base64,'. base64_encode($imageData)

.'">'; }else { echo '<h4 class="error">Permission Denied!</h4>';}

Permission Denied!

/cargo-cult-security/private_image_2php?id=100000&hmac=9d892a6925a0a3eb36a3fcff47d12f0c03c2f7c8c1eb139b82408ddccc2d39da/cargo-cult-security/private_image_2php?id=100001&hmac=9d892a6925a0a3eb36a3fcff47d12f0c03c2f7c8c1eb139b82408ddccc2d39da

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Anti-pattern: Authentication 2$plainTextUserId = ‘834';

echo '<h4>"Secure" URL for image ' . $plainTextUserId . '.</h4>';

$cryptTextId = bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plainTextId, MCRYPT_MODE_OFB, $initializationVector));

$secretImageUrl = "…?secure_id=". $cryptTextId;

echo '<a href="'. $secretImageUrl .'">'.$secretImageUrl.'</a>';

private_image.php?secure_id=f3d90e

http://aes.online-domain-tools.com/

224 search space with a valid URL density of

HMAC for authentication$authInfo = ‘uid=‘ . $userId ‘&ts=‘ . time(); // uid=123&ts=12345$hmac = hash_hmac("sha256", $key, $authInfo);$authToken = $authInfo . ‘&hmac=‘ . $hmac;// uid=123&ts=12345&hmac=9a0b1c// send token to user (e.g. set as a cookie)

$token = // read token (from cookie, Authorization header, …)$message = // regenerate base message (uid=123&ts=12345)$signature = $token["hmac"];$validationHmac = hash_hmac("sha256", $key, $message);if ($validationHmac == $signature) {// let request through if timestamp is also recent enoughelse {// send back a 403 Forbidden}

Login

Protected service

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Anti-pattern: Integrity

$aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');…return mcrypt_generic($aes, $data);

$cipher [45] = chr(ord($cipher [45]) ^ ord(".") ^ ord ("0"));

$aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');…return mdecrypt_generic($aes, $data);

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Encryption Parameters

Creates cipher textCipher (AES, Blowfish, …) Secret keyData to encryptCBC, ECB, OFB, …Initialization Vector

mcrypt_encrypt( MCRYPT_BLOWFISH, $key, $plainText, MCRYPT_MODE_CBC, $iv);

Anti-pattern: Encryption Modes

$plainImageData = file_get_contents($file);

$cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainImageData, MCRYPT_MODE_ECB, $initializationVector);

file_put_contents($file . ".encrypted.data", $cryptText);

Cipher-block Chaining Mode

$plainImageData = file_get_contents($file);

$cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainImageData, MCRYPT_MODE_CBC, $initializationVector);

file_put_contents($file . ".encrypted.data", $cryptText);

Encryption Parameters

Creates cipher textCipher (AES, Blowfish, …) Secret keyData to encryptCBC, ECB, OFB, …Initialization Vector

mcrypt_encrypt( MCRYPT_BLOWFISH, $key, $plainText, MCRYPT_MODE_CBC, $iv);

May 20th 1942Message interceptedIsland “AF”

June 3rd 1942Battle of Midway

Anti-pattern: Initialization Vector

$plainText = “Hold";

$cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainText, MCRYPT_MODE_CBC, md5($key));

• Monday: “a8b8f95c4684b3f3”• Tuesday: “a8b8f95c4684b3f3”• Wednesday: “a8b8f95c4684b3f3”• Thursday: “a8b8f95c4684b3f3”• Friday: “10f32c937a1284db”

Modes and IVs

• Cipher-block chaining prevents patterns within messages• Correct IV prevents patterns across messages

Generating Keys & Initialization Vectors$key = “koicy37m8ao2nl07";$iv = rand();$cypherText = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plainText, MCRYPT_MODE_CBC, $iv);

• How many bits of key entropy can be contained in 16 alphanumeric characters?• 96 bits!• ~0.00000002% of possible search space

• What initialization vector is really used here?• “\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0”!• PHP Warning: mcrypt_decrypt(): The IV parameter must be as long

as the blocksize in /home/derrick/…/CBC.php on line 27• Use

• $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,

MCRYPT_MODE_CBC);• mcrypt_create_iv($size);

Anti-pattern: Random Values<form action=""> <label>Donation amount</label> <input type="text" value="10.00"> <?php $csrfToken = rand(); setCookie("csrfToken", $csrfToken); echo "<input type=\"hidden\" value=\"$csrfToken\">“; ?> <input type="submit" value="Submit"></form>

Finding Linear Congruential Seed

Random random = new Random();long v1 = random.nextInt();long v2 = random.nextInt();for (int i = 0; i < 65536; i++) { long seed = v1 * 65536 + i; if (((seed * multiplier + addend) & mask) >>> 16) == v2) { System.out.println("Seed found: " + seed); break; }}

Anti-pattern: Psuedo-random Session IDs

<?php $uid = "12345678"; $sessionId = md5($uid . rand() . microtime()); setCookie(“session_id", $sessionId);?>

Really only ~20 bits of entropy.A modern GPU can calculate that in a second!9,12

HMACs and Secure Random

<form action=""> <label>Donation amount</label> <input type="text" value="10.00"> <?php $csrfToken = openssl_random_pseudo_bytes(32); setCookie("csrfToken", bin2hex($csrfToken)); echo "<input type=\"hidden\" value=\"$csrfToken\">“; ?> <input type="submit" value="Submit"></form>

Do not use sessions! Use HMACs!Seriously.

No Cargo Cult Security!

1. Identify true security goal.2. Find correct crypto primitive.3. Spend some time to learn about it.4. Write as little of your own crypto code as possible.

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Crypto Primitives & Goals

Hash MACHMAC

Symmetric Key Crypto

Asymmetric Key Crypto

Digital Signature

Digital Certificates

Data Integrity

Data Authentication

Non-repudiation

Confidentiality

Trust

Questions?

derrick@lucidchart.com

https://github.com/disaacson/cargo-cult-security

References

1. http://en.wikipedia.org/wiki/Cargo_cult

2. http://neurotheory.columbia.edu/~ken/cargo_cult.html

3. http://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc

4. http://en.wikipedia.org/wiki/Cargo_cult_programming

5. https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325

6. http://www.scs.stanford.edu/10au-cs144/notes/

7. http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/

8. http://security.stackexchange.com/questions/18033/how-insecure-are-phps-rand-functions

9. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf

10. http://security.stackexchange.com/questions/17988/how-insecure-are-non-cryptographic-random-number-generators

11. http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html

12. http://thepasswordproject.com/oclhashcat_benchmarking

13. http://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php

14. http://blowfish.online-domain-tools.com/

15. https://github.com/disaacson/cargo-cult-security

16. http://tools.ietf.org/html/rfc2104