
Posted Jul 12, 2020 by dariahiddleston
Page 1: Cryptographic applications · Digital certificate transports public key guarantees owner identity • some public-private key application do not use certificates • SSH, PGP Digital

4. 11. 2019

Cryptographic applications

GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory2012 | MCM:Directory2008 | MVP:Enterprise Security | CEH | CHFI | CISA | [email protected] | www.sevecek.com

Session keys and mutual authentication

Page 2

Authentication with password hash (HMAC)

Diagram: client and server both hold K (the password hash). Challenge variant: the server sends a random nonce (challenge); the client returns HMAC-hash-K over it; the server recomputes and compares (compare-HMAC). Timestamp variant: the client sends a timestamp together with HMAC-hash-K over it; the server checks that the time is in range and compares the HMAC.

Session key data integrity or encryption with hashing
(+mutual authentication) (no PFS)

Diagram: both sides hold K. Authentication: auth random / auth nonce challenges in both directions, each answered with HMAC-hash-K, which gives mutual authentication. Key agreement: the server sends session random S (session nonce S), the client sends session random C (session nonce C); each side hashes S, C and K to obtain the session key KSC; data is then hashed (integrity) or encrypted with HMAC KSC. No PFS: anyone who holds K and recorded S and C can recompute KSC later.
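The two diagrams above as running code, added here as an illustration and not taken from the GOPAS slides: a nonce-based HMAC challenge-response in both directions, followed by derivation of the session key KSC on both sides and one integrity-protected message. Only the Python standard library is used. The message layout, the inclusion of the prover's role name in the MAC input, the label strings and the KDF HMAC(K, S || C) are assumptions chosen for the example; NTLM and Kerberos use different formats.

```python
"""Mutual HMAC challenge-response with a shared K, then a session key KSC.

Added example (not from the GOPAS slides). The field layout, the role
name inside the MAC and the KDF HMAC(K, "session" || S || C) are
illustrative assumptions, not any real protocol's encoding.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (prefixing avoids the
    ambiguity a||bc == ab||c of plain concatenation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(4, "big") + p)
    return mac.digest()


class Party:
    """One side of the exchange; both sides hold the same long-term K
    (e.g. a password hash), as on the slide."""

    def __init__(self, name: str, k: bytes) -> None:
        self.name = name
        self.k = k
        self.session_key: Optional[bytes] = None

    def nonce(self) -> bytes:
        return secrets.token_bytes(16)

    def prove(self, peer_nonce: bytes, own_nonce: bytes) -> bytes:
        # Proof = HMAC(K, role || peer nonce || own nonce). Binding both
        # nonces and the role makes a recorded proof useless for replay and
        # for reflecting it back to the party that produced it.
        return prf(self.k, b"auth", self.name.encode(), peer_nonce, own_nonce)

    def check(self, peer_name: str, proof: bytes,
              own_nonce: bytes, peer_nonce: bytes) -> bool:
        # "compare-HMAC": recompute what the peer should have sent.
        expected = prf(self.k, b"auth", peer_name.encode(), own_nonce, peer_nonce)
        return hmac.compare_digest(expected, proof)

    def derive_session_key(self, s: bytes, c: bytes) -> bytes:
        # KSC = HMAC(K, S || C). Anyone holding K who recorded S and C can
        # recompute it afterwards, which is why the slide says "no PFS".
        self.session_key = prf(self.k, b"session", s, c)
        return self.session_key

    def protect(self, data: bytes) -> bytes:
        """Append HMAC-KSC over the data (integrity, not confidentiality)."""
        assert self.session_key is not None
        return data + prf(self.session_key, b"data", data)

    def unprotect(self, msg: bytes) -> Optional[bytes]:
        assert self.session_key is not None
        data, tag = msg[:-32], msg[-32:]
        if hmac.compare_digest(prf(self.session_key, b"data", data), tag):
            return data
        return None


def run_exchange(k_client: bytes, k_server: bytes, data: bytes = b"hello") -> dict:
    """Mutual authentication, KSC derivation on both sides, one protected
    message. Returns the checks the slide diagrams imply."""
    client, server = Party("client", k_client), Party("server", k_server)

    # Authentication phase: a challenge from each side, an HMAC answer from each.
    s_auth, c_auth = server.nonce(), client.nonce()
    client_ok = server.check("client", client.prove(s_auth, c_auth), s_auth, c_auth)
    server_ok = client.check("server", server.prove(c_auth, s_auth), c_auth, s_auth)

    # Session phase: fresh S (server) and C (client); KSC is never sent.
    s_sess, c_sess = server.nonce(), client.nonce()
    k_server_side = server.derive_session_key(s_sess, c_sess)
    k_client_side = client.derive_session_key(s_sess, c_sess)

    wire = client.protect(data)
    return {
        "client_authenticated": client_ok,
        "server_authenticated": server_ok,
        "keys_match": hmac.compare_digest(k_server_side, k_client_side),
        "received": server.unprotect(wire),
        "tampered_rejected": server.unprotect(b"x" + wire[1:]) is None,
    }


if __name__ == "__main__":
    k = hashlib.sha256(b"P@ssw0rd").digest()  # constructed "password hash" K
    print(run_exchange(k, k))
    print(run_exchange(k, hashlib.sha256(b"wrong").digest()))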

Page 3

Authentication with symmetric encryption

Diagram: client and server both hold K. Challenge variant: a random nonce (challenge) is encrypted by K on one side and decrypted by K on the other. Timestamp variant: the timestamp is encrypted by K and decrypted by K. The slide's question "no hash for integrity?" points at the gap: a ciphertext that decrypts to something plausible does not by itself prove who produced it, so an integrity check is still needed.

Session key generation with symmetric encryption
(+mutual authentication) (no PFS)

Diagram: the server generates a random session key S and sends it encrypted by K; the client decrypts it by K; data is then encrypted by S. No PFS: whoever learns K later can decrypt the recorded S and with it all recorded data.

Page 4

Authentication with asymmetric crypto

Diagram: the prover holds KPRIV, the verifier holds KPUB. Challenge variant: the verifier sends a random nonce (challenge); the prover returns it signed by KPRIV; the verifier checks the signature by KPUB. Timestamp variant: the prover sends a timestamp signed by KPRIV; the verifier checks the time and verifies by KPUB.

Session key data encryption with asymmetric crypto
(without mutual authentication) (no PFS)

Diagram: the client generates a random session key S and sends it encrypted by the server's KPUB; the server decrypts by KPRIV; data is then encrypted by S. Without mutual authentication: only the holder of KPRIV can read S, but the server learns nothing about who sent it. No PFS: a later compromise of KPRIV reveals every recorded S.

Page 5

Session key data encryption with asymmetric crypto
(+mutual authentication) (no PFS)

Diagram: as on the previous page (random session key S encrypted by the server's KPUB, decrypted by KPRIV, data encrypted by S), but the client also holds its own key pair SPRIV/SPUB: the client signs by SPRIV and the server verifies by SPUB, so both sides are authenticated. Still no PFS, for the same reason.

Certificates brief

Page 6

Digital certificate
• transports the public key
• guarantees the owner's identity
• some public-private key applications do not use certificates: SSH, PGP

Digital certificate (signed by the CA's private key)
Public key • DSA, RSA, ECDSA (ECDH)
Subject • owner of the certificate • verified by the CA
Key Usage • cryptographic usage
Subject Alternative Name (SAN) • DNS names of the owner • login, email of the owner
Enhanced Key Usage (EKU) • application key usage

Page 7

Usage combinations

KU: Digital signature
• EKU: Server Authentication => signed ephemeral (EC)DH key agreement
• EKU: Code Signing => subject is a company
• EKU: Document Signing => subject is a person
• EKU: Smart Card Logon => signed timestamp
• EKU: Client Authentication => VPN/HTTP/WiFi client cert
• EKU: Secure Email => subject is an email address (person)

KU: Key encipherment
• EKU: Server Authentication => RSA key exchange
• EKU: Smart Card Logon => encrypted timestamp
• EKU: Secure Email => subject is the recipient's email address

Certificate chains

Diagram: my cert (MYPUB) is signed by 3CAPRIV; the 3CA cert (3CAPUB) is signed by 2CAPRIV; the 2CA cert (2CAPUB) is signed by 1CAPRIV; the 1CA cert (1CAPUB) is signed by rootCAPRIV; the rootCA cert (rootCAPUB) is signed by rootCAPRIV itself (self-signed) and is the trust anchor. Trust is placed in the root only; every other link is verified by signature.

Page 8

Renew or extend certificate

cannot extend

• digitally signed

can only renew

• new certificate

• possibly new keys

Private key storage

private key is never part of the certificate

certificate (+public key) in registry

private key

• encrypted with DPAPI on disk

• stored in cryptographic device

Page 9

Cryptographic devices

smart cards and tokens (S/C)
• crypto CPU
• safe memory for storing private keys
• flash memory for public data

hardware security modules (HSM)
• bigger and faster smart cards
• self powered, fire proof, tamper proof
• connected over network, USB, ...

trusted platform module (TPM)
• S/C on the motherboard
• boot validation
• hardware attestation

Page 10

Hardware devices

Diagram: a crypto CPU with protected private crypto memory (x KB) running its OS/firmware from ROM, next to a public storage memory (x MB+) and a log; the PC talks to the device through API calls and supplies the PIN or the master PIN.

Hardware supported offloading

AES-NI

• some newer Intel and AMD processors since 2008

• supported by CNG providers since Windows 7

TLS offloading

• PCI card + software SChannel plug-in "driver"

IPSec offloading

• NICs (Intel S)

Page 11

TLS basics

Transport Layer Security
HTTPS, SMTPS, LDAPS, POP3S, RDP, 802.1x authentication, …

Page 12

Server certificate

Diagram (TLS handshake, server certificate only): the client sends client hello (version, its crypto suites); the server, which holds the certificate and the matching private key, answers with server hello (version <= the client's, selected suite from the intersection of both suite lists) and its certificate (hostname, public key).

SSL inspection or MITM attack

Diagram: the real server's cert chains CA2 -> CA1 -> trusted rootCA. An attacker or inspection proxy terminates the client's TLS session and presents its own cert for the same hostname, chained to a rootCA that the client does not trust (untrusted rootCA): the client should refuse it. SSL inspection works only because the inspecting proxy's rootCA has been deployed to the client as trusted.

Page 13

Mutual authentication prevents MITM and inspections

Diagram: as on the previous page (server cert CA2 -> CA1 -> trusted rootCA; attacker proxy cert under an untrusted rootCA), plus a client cert issued by CA1 under the trusted rootCA. The proxy holds neither the client's private key nor one for a certificate the server trusts, so it cannot complete the server-side handshake when the server requires a client certificate.

SSL vs. TLS vs. DTLS

SSL 2.0 (1995) - Windows 2000+
• MITM can downgrade the cipher suite to 40-bit
• MAC hashes can be downgraded to 40-bit

SSL 3.0 (1996) - Windows 2000+
• Support for DH, Fortezza key exchanges
• Support for non-RSA certificates

TLS 1.0 (1999) - Windows 2000+
• Security same as SSL 3.0
• Protocol not compatible with SSL 3.0
• IETF and US FIPS standard

TLS 1.1 and 1.2 (2006, 2008) - Windows 7/2008 R2
• More recent standards offering SHA2 and ECDH suites
• Can fall back to TLS 1.0 without TCP RST

DTLS 1.0 (based on TLS 1.1) and 1.2 (based on TLS 1.2) - Windows 8/2012
• Update available for Windows 7/2008 R2 (KB2574819)
• UDP datagram based communications such as RDP-UDP

TLS 1.3 - August 2018

Page 14

Application support for TLS 1.1 and newer

Windows XP/2003: only TLS 1.0
IE 9 and 10: supported but disabled by default; IE 11: enabled by default
RDP client and server: since Windows 8/2012
NetFx 2.0/3.x: TLS 1.0 only
NetFx 2.0/3.x: SHA1 only

Third-party support
iOS 5+ • TLS 1.1, TLS 1.2
Java SE 7 • TLS 1.1, TLS 1.2
Java 1.4.2 • SHA-256 in crypto provider
Chrome 22-29 • TLS 1.1
Chrome 30+ • TLS 1.1, TLS 1.2

Page 15

SSL 2.0 cipher suites

SSL_RC4_128_WITH_MD5

SSL_DES_192_EDE3_CBC_WITH_MD5

SSL_RC2_CBC_128_CBC_WITH_MD5

SSL_DES_64_CBC_WITH_MD5

SSL_RC4_128_EXPORT40_WITH_MD5

Windows XP/2003 - TLS 1.0/SSL cipher suites (no AES)

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_DES_CBC_SHA

TLS_DHE_DSS_WITH_DES_CBC_SHA

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

TLS_RSA_EXPORT_WITH_RC4_40_MD5

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_WITH_NULL_MD5

TLS_RSA_WITH_NULL_SHA

SSL_RSA_WITH_RC4_128_SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_RC4_128_MD5

Page 16

Windows Vista/2008+ TLS v1.0 cipher suites (AES/EC/SHA1)

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_RC4_128_MD5

Original Windows 7/2008 R2 TLS v1.1 cipher suites (AES/EC/SHA2) - no preference for PFS, enabled RC4, enabled NULL encryption

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_RC4_128_MD5

SSL_CK_RC4_128_WITH_MD5

SSL_CK_DES_192_EDE3_CBC_WITH_MD5

TLS_RSA_WITH_NULL_SHA256

TLS_RSA_WITH_NULL_SHA

SSL_RSA_WITH_RC4_128_SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_RC4_128_MD5
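A small triage tool for the suite lists above, added here as an example and not part of the GOPAS slides: weaknesses() explains, for any suite name in the SChannel/IANA spelling used on these pages, why it belongs to a family that should be disabled (export keys, NULL, RC4/RC2, DES and 3DES, MD5, CBC with HMAC-SHA1, static RSA key exchange), and hardened_client_context() builds a Python ssl context that cannot negotiate any of them. The rule set is this editor's summary, and the OpenSSL cipher string is an assumption about what a modern client should offer; both are illustrative, not Microsoft's configuration.

```python
"""Cipher-suite triage for the legacy SChannel lists, plus a client
context that refuses them. Added example, not from the GOPAS slides:
the rules in weaknesses() are an editor's summary of why each suite
family is no longer acceptable, and the OpenSSL cipher string is an
assumed modern client policy."""
import re
import ssl
from typing import Dict, List, Set


def weaknesses(suite: str) -> Set[str]:
    """Reasons a suite (SChannel/IANA spelling) should be disabled.
    An empty set only means none of these rules fired."""
    s = suite.upper()
    found: Set[str] = set()
    if s.startswith("SSL_"):
        found.add("SSL 2.0/3.0-era suite")
    if "EXPORT" in s:
        found.add("export-grade key (40/56-bit, FREAK-class downgrade)")
    if "NULL" in s:
        found.add("NULL encryption: no confidentiality")
    if "RC4" in s or "RC2" in s:
        found.add("RC4/RC2: biased or legacy cipher")
    if "3DES" in s or "DES_192" in s:
        found.add("3DES: 64-bit block (Sweet32)")
    elif "_DES_" in s:
        found.add("single DES: 56-bit key")
    if "MD5" in s:
        found.add("MD5-based MAC")
    if re.search(r"_SHA(_P\d+)?$", s):          # trailing _SHA or _SHA_P256
        found.add("HMAC-SHA1 (not an AEAD suite)")
    if "_CBC_" in s:
        found.add("CBC mode: padding-oracle class issues (BEAST, Lucky13)")
    if re.match(r"^(TLS|SSL)_RSA_", s):        # key exchange by static RSA
        found.add("static RSA key exchange: no forward secrecy")
    if "DHE_DSS" in s:
        found.add("DSS (DSA) authentication")
    return found


def triage(suites: List[str]) -> Dict[str, List[str]]:
    return {s: sorted(weaknesses(s)) for s in suites}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate anything on the lists above:
    TLS 1.2+ only, ephemeral key exchange, AEAD ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL syntax: ECDHE/DHE with AES-GCM or ChaCha20 only; the "!"
    # entries remove anonymous, NULL, MD5, RC4 and 3DES suites explicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Minimum protocol version and the OpenSSL names of the enabled suites."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "suites": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    # Constructed sample: a few names copied from the slide lists above.
    for name, why in triage([
        "TLS_RSA_WITH_NULL_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    ]).items():
        print(name, "->", why or "nothing on the list applies")
    print(context_summary(hardened_client_context()))
```

The only suite from the Windows 7 list that passes every rule is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256; everything else trips at least one of them, which is the practical reading of "no preference for PFS, enabled RC4, enabled NULL encryption".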

Page 17

TLS performance (TLS 1.2)

Test-Tls function: 1 server CPU, 8 client CPUs
• no certificate validation on client
• server certificate only

Chart: RSA 2048 vs. RSA 4096; client running at 90% CPU; TCP 3389 - svchost.exe, 60% CPU; TCP 443 - lsass.exe, 15% CPU; ~126 sessions per second
• full handshake (client hello, server hello, key exchange)

Validating TLS servers
http://www.ssllabs.com or download the offline toolkit

Page 18

Digital signatures and timestamps

Document or code signatures

agreement

cannot change yet readable

software whitelisting

antispam whitelisting

data leakage prevention (DLP)

...

Page 19

Timestamping vs. signatures

signature
• proves the identity of the author, or rather means "I agree"
• an invoice is signed by the seller to manifest his consent with a trade agreement
• a debt note is signed by the debtor to manifest his willingness to borrow the money

timestamp
• confirms the existence of data before a point in time
• a buyer timestamps all received invoices to be able to prove their timely possession to tax authorities
• a bank timestamps debt notes in order to be able to prove they were not crafted later

Non-repudiation private keys

digital signature is binding
• policy only

must protect keys only until the certificate expires
• always better to destroy them afterwards

the recipient of a signature is responsible for proving the signature was made rightly
• => timestamping

Page 20

Time authority (TA)

timestamp signing certificate
• private key

online connection required

can sign larger amounts at once
• the data already existed anyway

Timestamp (correct??)

Diagram: the signer's signature covers the data; the data hash is sent to the TA; the TA's signature covers the time alone. Nothing binds the TA's time to the hash, so the token proves nothing about the data.

Page 21

Timestamp (correct?)

Diagram: the signer's signature covers the data; the data hash is sent to the TA; the TA's signature covers time + hash. This proves the data existed at that time, but says nothing about when the signer's signature was made.

Timestamp (OK)

Diagram: same components; the TA's signature covers time + hash.

Page 22

Timestamp (OK)

Diagram: the signer's signature covers the data; what is sent to the TA is the hash of that signature; the TA's signature covers time + signature. The timestamp now proves the signature itself, not only the data, existed at that time, which is what the non-repudiation slide requires.

Re-timestamping

Diagram: data and its hash as before; the old TA's signature covers old time + old hash; TA 2's signature covers new time + new hash, where the new hash is taken over the old timestamp. This is done before the old TA certificate expires or its hash algorithm weakens, so the chain of evidence stays verifiable.

Page 23

Extended protection for authentication

Combining the client's symmetric secret with the server's public/private key certificate in order to prevent SSL inspection (MITM)
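The mechanism in one runnable sketch, added here as an example and not part of the GOPAS slides: the client's HMAC proof over the server's challenge also covers a hash of the certificate the client actually saw, so a proxy that terminated the TLS session with its own certificate relays a proof the real server will not accept. The proof layout HMAC(K, "cbt" || nonce || SHA-256(certificate)) only illustrates the idea behind Extended Protection (the RFC 5929 tls-server-end-point binding); NTLM and Kerberos embed the binding differently, and the certificate bytes below are constructed placeholders.

```python
"""Channel binding: tie the shared-secret proof to the server certificate
the client saw. Added example, not from the GOPAS slides: the layout
HMAC(K, "cbt" || nonce || SHA-256(cert)) illustrates the idea behind
Extended Protection for Authentication (RFC 5929 tls-server-end-point),
not the exact NTLM/Kerberos encoding. Certificates are constructed bytes."""
import hashlib
import hmac
import secrets

REAL_SERVER_CERT = b"constructed DER: CN=server.example, issued by CA1"
PROXY_CERT = b"constructed DER: CN=server.example, issued by inspection CA"


def endpoint_binding(cert_der: bytes) -> bytes:
    """tls-server-end-point style binding: hash of the leaf certificate."""
    return hashlib.sha256(cert_der).digest()


def client_proof(k: bytes, nonce: bytes, cert_seen: bytes, bound: bool) -> bytes:
    """HMAC answer to the server's challenge. With bound=True the hash of the
    certificate presented to the client is mixed into the MAC input."""
    msg = b"cbt" + nonce + (endpoint_binding(cert_seen) if bound else b"")
    return hmac.new(k, msg, hashlib.sha256).digest()


def server_accepts(k: bytes, nonce: bytes, proof: bytes,
                   own_cert: bytes, bound: bool) -> bool:
    """The server recomputes the proof over its own certificate."""
    expected = client_proof(k, nonce, own_cert, bound)
    return hmac.compare_digest(expected, proof)


def authenticate(k: bytes, inspecting_proxy: bool, bound: bool) -> bool:
    """One challenge-response run. With an inspecting proxy the client's TLS
    session ends at the proxy, so the client sees PROXY_CERT while the real
    server binds to REAL_SERVER_CERT. The proxy relays nonce and proof
    unchanged: it does not hold K, so it cannot forge a proof of its own."""
    nonce = secrets.token_bytes(16)
    cert_seen_by_client = PROXY_CERT if inspecting_proxy else REAL_SERVER_CERT
    proof = client_proof(k, nonce, cert_seen_by_client, bound)
    return server_accepts(k, nonce, proof, REAL_SERVER_CERT, bound)


def matrix(k: bytes) -> dict:
    """All four cases: which (proxy, binding) combinations the server accepts."""
    return {
        "direct, unbound": authenticate(k, False, False),
        "direct, bound": authenticate(k, False, True),
        "proxy, unbound": authenticate(k, True, False),   # relayed auth succeeds
        "proxy, bound": authenticate(k, True, True),      # binding mismatch
    }


if __name__ == "__main__":
    k = hashlib.sha256(b"P@ssw0rd").digest()  # constructed shared secret K
    for case, ok in matrix(k).items():
        print(f"{case:16} -> {'accepted' if ok else 'rejected'}")
```

The "proxy, unbound" row is the inspection scenario the slide warns about: a password-derived proof alone authenticates fine through the proxy because nothing in it depends on which TLS endpoint the client talked to. Only the bound variant fails there, and it fails without the server needing to know that a proxy exists.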