Cargo Cult Security - OpenWest https://github.com/disaacson/cargo-cult-security by Derrick Isaacson

Cargo Cult Security at OpenWest

May 20, 2015


See common anti-patterns for securing web applications and how to correct them. Learn how to differentiate between authentication, authorization, secrecy, integrity, non-repudiation, and other security goals.

Examples include how:
* a theoretical "secret" banking request is corrupted to pad an attacker's bank account,
* an insecure "session" authentication token is attacked, and
* a "random" XSRF value gives a false sense of security.

Correct principles and patterns are analyzed and compared with common incorrect ones.

Presented at OpenWest 2014
Page 1: Cargo Cult Security at OpenWest

Cargo Cult Security - OpenWest

https://github.com/disaacson/cargo-cult-security

by Derrick Isaacson

Page 2: Cargo Cult Security at OpenWest

http://en.wikipedia.org/wiki/Cargo_cult

Page 3: Cargo Cult Security at OpenWest

Richard Feynman

Page 4: Cargo Cult Security at OpenWest

Cargo Cult Programming

Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.

• Design patterns
• Factory
• Wrapper
• Dependency injection
• Cryptography
• Encryption
• Hashing

Page 5: Cargo Cult Security at OpenWest

The Big Picture

Page 6: Cargo Cult Security at OpenWest

Crypto Primitives & Goals

Primitives:
• Hash
• MAC, HMAC
• Symmetric Key Crypto
• Asymmetric Key Crypto
• Digital Signature
• Digital Certificates

Goals:
• Data Integrity
• Data Authentication
• Non-repudiation
• Confidentiality
• Trust

Page 7: Cargo Cult Security at OpenWest

Classic Encryption


Page 8: Cargo Cult Security at OpenWest

Plaintext → Cipher → Ciphertext

Page 9: Cargo Cult Security at OpenWest

Symmetric Key Cryptography (Private-key Cryptography)

• Blowfish
• Twofish
• Serpent
• AES (Rijndael)
• CAST5
• RC4
• 3DES
• IDEA

HTTPS (TLS)

SSH (SSL)

LUKS Disk Encryption

KeePass

Page 10: Cargo Cult Security at OpenWest

Blowfish Example

$plaintext = 'Keep it secret. Keep it safe.';
// Blowfish uses 8-byte blocks, so the 16 hex digits are decoded to an 8-byte IV.
$ciphertext = mcrypt_encrypt(MCRYPT_BLOWFISH, '0123456789', $plaintext, MCRYPT_MODE_CBC, hex2bin('87acec17cd9dcd20'));
$crypttextHex = bin2hex($ciphertext);
echo $crypttextHex;

a8 c5 22 a1 c5 19 97 70 95 a9 12 af 1a 1f 83 4e
0e d7 20 9e ea ab ba 7f 6c d5 d7 de a0 24 1a 5b

Page 11: Cargo Cult Security at OpenWest

Anti-pattern: Authentication

$plainTextId = '100000';

echo '<h4>"Secure" URL for image ' . $plainTextId . '.</h4>';

$cryptTextId = bin2hex(mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainTextId, MCRYPT_MODE_OFB, $initializationVector));

$secretImageUrl = "…?secure_id=". $cryptTextId;

echo '<a href="'. $secretImageUrl .'">'.$secretImageUrl.'</a>';

private_image.php?secure_id=573146feb41e

Page 12: Cargo Cult Security at OpenWest

private_image.php?secure_id=573146feb41e

$cryptTextId = $_GET["secure_id"];
$plainTextId = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, hex2bin($cryptTextId), MCRYPT_MODE_OFB, $initializationVector));
$imageData = file_get_contents("img/" . $plainTextId);
echo '<img src="data:image/png;base64,' . base64_encode($imageData) . '">';

573146feb41e

100000

Team Photo

Page 13: Cargo Cult Security at OpenWest

private_image.php?secure_id=573146feb41e
private_image.php?secure_id=573146feb41f

$cryptTextId = $_GET["secure_id"];
$plainTextId = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, hex2bin($cryptTextId), MCRYPT_MODE_OFB, $initializationVector));
$imageData = file_get_contents("img/" . $plainTextId);
echo '<img src="data:image/png;base64,' . base64_encode($imageData) . '">';

573146feb41f

100001

Attack Plan

Page 14: Cargo Cult Security at OpenWest

Crypto Primitives & Goals


Page 15: Cargo Cult Security at OpenWest

Message Authentication Codes

HMAC(key, message)

HMAC: RFC 2104

• HMAC-MD5
• HMAC-SHA1
• HMAC-SHA256

Message MAC

Page 16: Cargo Cult Security at OpenWest

HMAC

$plainTextId = '100000';
$hmac = hash_hmac("sha256", $plainTextId, $key); // hash_hmac(algorithm, message, key)
$secretImageUrl = "…?id=" . $plainTextId . "&hmac=" . $hmac;
echo '<a href="' . $secretImageUrl . '">' . $secretImageUrl . '</a>';

$plainTextId = $_GET["id"];
$signature = $_GET["hmac"];
$hmac = hash_hmac("sha256", $plainTextId, $key);
if (hash_equals($hmac, $signature)) { // constant-time comparison
    $imageData = file_get_contents("img/" . $plainTextId . ".jpg");
    echo '<img src="data:image/png;base64,' . base64_encode($imageData) . '">';
} else {
    echo '<h4 class="error">Permission Denied!</h4>';
}

Permission Denied!

/cargo-cult-security/private_image_2php?id=100000&hmac=9d892a6925a0a3eb36a3fcff47d12f0c03c2f7c8c1eb139b82408ddccc2d39da
/cargo-cult-security/private_image_2php?id=100001&hmac=9d892a6925a0a3eb36a3fcff47d12f0c03c2f7c8c1eb139b82408ddccc2d39da
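
The contrast between slides 11-13 and slide 16, as an added example that is not part of the original deck. It uses PHP's OpenSSL functions with AES-128-OFB in place of mcrypt/Blowfish; the keys and the function names encryptId, decryptId, signId and verifyId are assumptions.

```php
<?php
// Added example, not from the slides. Keys and helper names are assumptions.
$key    = random_bytes(16);   // AES-128 key (stand-in for the slides' Blowfish key)
$iv     = random_bytes(16);   // IV for the OFB keystream
$macKey = random_bytes(32);   // separate key for the HMAC

// Anti-pattern from slides 11-13: the encrypted ID is the only access check.
function encryptId(string $id, string $key, string $iv): string {
    return bin2hex(openssl_encrypt($id, 'aes-128-ofb', $key, OPENSSL_RAW_DATA, $iv));
}
function decryptId(string $hex, string $key, string $iv): string {
    return openssl_decrypt(hex2bin($hex), 'aes-128-ofb', $key, OPENSSL_RAW_DATA, $iv);
}

// OFB computes ciphertext = plaintext XOR keystream, so XORing the last
// ciphertext byte with ('0' ^ '1') turns a trailing '0' into '1' and the
// result still decrypts cleanly: encryption alone authenticates nothing.
$secureId = encryptId('100000', $key, $iv);
$raw  = hex2bin($secureId);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ ord('0') ^ ord('1'));
$tampered = bin2hex($raw);
echo "original: $secureId -> " . decryptId($secureId, $key, $iv) . "\n";
echo "tampered: $tampered -> " . decryptId($tampered, $key, $iv) . "\n";

// Pattern from slide 16: send the ID in the clear plus an HMAC over it.
function signId(string $id, string $macKey): string {
    return hash_hmac('sha256', $id, $macKey);          // (algorithm, message, key)
}
function verifyId(string $id, string $mac, string $macKey): bool {
    return hash_equals(signId($id, $macKey), $mac);    // constant-time comparison
}

$mac = signId('100000', $macKey);
var_dump(verifyId('100000', $mac, $macKey));   // link as issued
var_dump(verifyId('100001', $mac, $macKey));   // ID changed, MAC reused
```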

Page 17: Cargo Cult Security at OpenWest

Crypto Primitives & Goals


Page 18: Cargo Cult Security at OpenWest

Anti-pattern: Authentication 2

$plainTextUserId = '834';
echo '<h4>"Secure" URL for image ' . $plainTextUserId . '.</h4>';
$cryptTextId = bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plainTextUserId, MCRYPT_MODE_OFB, $initializationVector));
$secretImageUrl = "…?secure_id=" . $cryptTextId;
echo '<a href="' . $secretImageUrl . '">' . $secretImageUrl . '</a>';

private_image.php?secure_id=f3d90e

http://aes.online-domain-tools.com/

2^24 search space with a valid URL density of

Page 19: Cargo Cult Security at OpenWest

HMAC for authentication

Login

$authInfo = 'uid=' . $userId . '&ts=' . time(); // uid=123&ts=12345
$hmac = hash_hmac("sha256", $authInfo, $key); // hash_hmac(algorithm, message, key)
$authToken = $authInfo . '&hmac=' . $hmac; // uid=123&ts=12345&hmac=9a0b1c
// send token to user (e.g. set as a cookie)

Protected service

// $rawToken (hypothetical name): token string read from cookie, Authorization header, …
parse_str($rawToken, $token);
$message = 'uid=' . $token["uid"] . '&ts=' . $token["ts"]; // regenerate base message (uid=123&ts=12345)
$signature = $token["hmac"];
$validationHmac = hash_hmac("sha256", $message, $key);
if (hash_equals($validationHmac, $signature)) { // constant-time comparison
    // let request through if timestamp is also recent enough
} else {
    // send back a 403 Forbidden
}

Page 20: Cargo Cult Security at OpenWest

Crypto Primitives & Goals


Page 21: Cargo Cult Security at OpenWest

Anti-pattern: Integrity

$aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
…
return mcrypt_generic($aes, $data);

$cipher[45] = chr(ord($cipher[45]) ^ ord(".") ^ ord("0"));

$aes = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
…
return mdecrypt_generic($aes, $data);
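
Why CBC encryption alone does not give integrity, and the encrypt-then-MAC construction that does, as an added example that is not part of the original deck. It uses PHP's OpenSSL functions instead of mcrypt; the request string, the keys and the names sealMessage and openMessage are assumptions.

```php
<?php
// Added example, not from the slides. Message layout, keys and names are assumptions.
$encKey = random_bytes(16);   // AES-128 encryption key
$macKey = random_bytes(32);   // independent key for the MAC

// Encrypt-then-MAC: AES-128-CBC with a fresh IV, HMAC-SHA256 over IV || ciphertext.
function sealMessage(string $plain, string $encKey, string $macKey): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true);
}

// Check the MAC before decrypting; return null on any mismatch.
function openMessage(string $blob, string $encKey, string $macKey): ?string {
    if (strlen($blob) < 16 + 16 + 32) {
        return null;
    }
    $mac  = substr($blob, -32);
    $body = substr($blob, 0, -32);
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt(substr($body, 16), 'aes-128-cbc', $encKey,
                             OPENSSL_RAW_DATA, substr($body, 0, 16));
    return $plain === false ? null : $plain;
}

$request = 'to=2002&amt=100.00';   // constructed sample request
$blob = sealMessage($request, $encKey, $macKey);

// In CBC, XORing byte i of IV || ciphertext XORs plaintext byte i after
// decryption. This is the slide's one-byte change: "." becomes "0".
$p = strpos($request, '.');
$blob[$p] = chr(ord($blob[$p]) ^ ord('.') ^ ord('0'));

// Decrypting without a MAC check accepts the altered amount.
$unchecked = openssl_decrypt(substr($blob, 16, -32), 'aes-128-cbc', $encKey,
                             OPENSSL_RAW_DATA, substr($blob, 0, 16));
echo "unchecked CBC decrypt: $unchecked\n";

// The same bytes fail the MAC check, so openMessage() returns null.
var_dump(openMessage($blob, $encKey, $macKey));
```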

Page 22: Cargo Cult Security at OpenWest

Crypto Primitives & Goals


Page 23: Cargo Cult Security at OpenWest

Encryption Parameters

mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainText, MCRYPT_MODE_CBC, $iv);

• mcrypt_encrypt: creates cipher text
• MCRYPT_BLOWFISH: cipher (AES, Blowfish, …)
• $key: secret key
• $plainText: data to encrypt
• MCRYPT_MODE_CBC: mode (CBC, ECB, OFB, …)
• $iv: initialization vector

Page 24: Cargo Cult Security at OpenWest

Anti-pattern: Encryption Modes

$plainImageData = file_get_contents($file);

$cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainImageData, MCRYPT_MODE_ECB, $initializationVector);

file_put_contents($file . ".encrypted.data", $cryptText);

Page 25: Cargo Cult Security at OpenWest
Page 26: Cargo Cult Security at OpenWest

Cipher-block Chaining Mode

$plainImageData = file_get_contents($file);

$cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainImageData, MCRYPT_MODE_CBC, $initializationVector);

file_put_contents($file . ".encrypted.data", $cryptText);

Page 27: Cargo Cult Security at OpenWest

Encryption Parameters


Page 28: Cargo Cult Security at OpenWest

May 20th 1942
Message intercepted
Island “AF”

June 3rd 1942
Battle of Midway

Page 29: Cargo Cult Security at OpenWest

Anti-pattern: Initialization Vector

$plainText = "Hold";

$cryptText = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plainText, MCRYPT_MODE_CBC, md5($key));

• Monday: “a8b8f95c4684b3f3”
• Tuesday: “a8b8f95c4684b3f3”
• Wednesday: “a8b8f95c4684b3f3”
• Thursday: “a8b8f95c4684b3f3”
• Friday: “10f32c937a1284db”

Page 30: Cargo Cult Security at OpenWest

Modes and IVs

• Cipher-block chaining prevents patterns within messages
• Correct IV prevents patterns across messages
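
Both points measured in code, as an added example that is not part of the original deck. AES-128 through PHP's OpenSSL functions stands in for mcrypt/Blowfish; the sample image data, the Friday plaintext and the function repeatedBlockRatio are constructed for illustration.

```php
<?php
// Added example, not from the slides. Data, names and the AES substitution are assumptions.
$key = random_bytes(16);

// Fraction of ciphertext blocks that duplicate an earlier block.
function repeatedBlockRatio(string $cipherText, int $blockSize = 16): float {
    $blocks = str_split($cipherText, $blockSize);
    return 1 - count(array_unique($blocks)) / count($blocks);
}

// Constructed "image": long runs of identical pixels, like a flat-colour logo.
$image = str_repeat("\xFF", 16 * 200) . str_repeat("\x00", 16 * 200);

// Patterns within a message: ECB maps equal plaintext blocks to equal
// ciphertext blocks, CBC chains each block into the next.
$ecb = openssl_encrypt($image, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
$cbc = openssl_encrypt($image, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, random_bytes(16));
printf("ECB repeated blocks: %.1f%%\n", 100 * repeatedBlockRatio($ecb));
printf("CBC repeated blocks: %.1f%%\n", 100 * repeatedBlockRatio($cbc));

// Patterns across messages: an IV derived from the key (slide 29) is the same
// for every message, so equal orders produce equal ciphertexts.
$fixedIv = md5($key, true);   // 16 raw bytes, identical on every call
$orders  = ['Mon' => 'Hold', 'Tue' => 'Hold', 'Wed' => 'Hold',
            'Thu' => 'Hold', 'Fri' => 'Attack'];   // Friday's order is constructed
foreach ($orders as $day => $order) {
    $fixed  = openssl_encrypt($order, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $fixedIv);
    $iv     = random_bytes(16);   // fresh IV, sent alongside the ciphertext
    $random = $iv . openssl_encrypt($order, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
    printf("%s  fixed IV: %s  random IV: %s\n", $day, bin2hex($fixed), bin2hex($random));
}
```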

Page 31: Cargo Cult Security at OpenWest

Generating Keys & Initialization Vectors

$key = "koicy37m8ao2nl07";
$iv = rand();
$cypherText = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plainText, MCRYPT_MODE_CBC, $iv);

• How many bits of key entropy can be contained in 16 alphanumeric characters?
  • 96 bits!
  • ~0.00000002% of possible search space
• What initialization vector is really used here?
  • “\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0”!
  • PHP Warning: mcrypt_decrypt(): The IV parameter must be as long as the blocksize in /home/derrick/…/CBC.php on line 27
  • Use
    • $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    • mcrypt_create_iv($size);

Page 32: Cargo Cult Security at OpenWest

Anti-pattern: Random Values

<form action="">
  <label>Donation amount</label>
  <input type="text" value="10.00">
  <?php
    $csrfToken = rand();
    setCookie("csrfToken", $csrfToken);
    echo "<input type=\"hidden\" value=\"$csrfToken\">";
  ?>
  <input type="submit" value="Submit">
</form>

Page 33: Cargo Cult Security at OpenWest

Finding Linear Congruential Seed

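import java.util.Random;

// Constants of java.util.Random's linear congruential generator
long multiplier = 0x5DEECE66DL;
long addend = 0xBL;
long mask = (1L << 48) - 1;

Random random = new Random();
long v1 = random.nextInt();
long v2 = random.nextInt();
for (int i = 0; i < 65536; i++) {
    // v1 is the top 32 bits of the 48-bit state; try every value of the low 16 bits
    long seed = v1 * 65536 + i;
    if ((int) (((seed * multiplier + addend) & mask) >>> 16) == v2) {
        System.out.println("Seed found: " + seed);
        break;
    }
}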

Page 34: Cargo Cult Security at OpenWest

Anti-pattern: Pseudo-random Session IDs

<?php
  $uid = "12345678";
  $sessionId = md5($uid . rand() . microtime());
  setCookie("session_id", $sessionId);
?>

Really only ~20 bits of entropy. A modern GPU can calculate that in a second! [9, 12]

Page 35: Cargo Cult Security at OpenWest

HMACs and Secure Random

<form action="">
  <label>Donation amount</label>
  <input type="text" value="10.00">
  <?php
    // Hex-encode once so the cookie and the hidden field carry the same value
    $csrfToken = bin2hex(openssl_random_pseudo_bytes(32));
    setCookie("csrfToken", $csrfToken);
    echo "<input type=\"hidden\" value=\"$csrfToken\">";
  ?>
  <input type="submit" value="Submit">
</form>

Do not use sessions! Use HMACs!
Seriously.

Page 36: Cargo Cult Security at OpenWest

No Cargo Cult Security!

1. Identify true security goal.
2. Find correct crypto primitive.
3. Spend some time to learn about it.
4. Write as little of your own crypto code as possible.

Page 37: Cargo Cult Security at OpenWest

Crypto Primitives & Goals


Page 38: Cargo Cult Security at OpenWest

Crypto Primitives & Goals


Page 40: Cargo Cult Security at OpenWest

References

1. http://en.wikipedia.org/wiki/Cargo_cult

2. http://neurotheory.columbia.edu/~ken/cargo_cult.html

3. http://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc

4. http://en.wikipedia.org/wiki/Cargo_cult_programming

5. https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325

6. http://www.scs.stanford.edu/10au-cs144/notes/

7. http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/

8. http://security.stackexchange.com/questions/18033/how-insecure-are-phps-rand-functions

9. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf

10. http://security.stackexchange.com/questions/17988/how-insecure-are-non-cryptographic-random-number-generators

11. http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html

12. http://thepasswordproject.com/oclhashcat_benchmarking

13. http://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php

14. http://blowfish.online-domain-tools.com/

15. https://github.com/disaacson/cargo-cult-security

16. http://tools.ietf.org/html/rfc2104