A Brief History of Cryptographic Failures - Mork

@NTXISSA #NTXISSACSC4

A Brief History ofCryptographic Failures

Brian MorkCISO

Celanese2016-10-07

@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 2

Who Am I?

• CISO at S&P 500/Fortune 500 company• Former air-drop hacker, security engineer,

penetration tester, RF simulation engineer, electronics intelligence expert, optician’s assistant, newspaper delivery boy, software pirate, party organizer, and short order cook.

• Also known as “Hermit” within the information security/hacker community


DISCLAIMERS

• I’m not an expert in cryptography• While I take cryptography seriously, I don’t

take myself seriously• I used pictures from the Internet. I’ve listed

the sources I know on the second to last slide.

• If we can’t have fun with this…


Well, then…


Agenda

• What is Cryptography?• Why Cryptography?• Our Cast• The Failures• Honorable Mentions• Q&A


What Is Cryptography?

“The process of writing or reading secret messages or codes.”

- Miriam Webster Dictionary“The art of writing or solving codes.”

- Oxford English Dictionary“The scientific field of study related to protecting or verifying information.”

- Brian Mork


Why Cryptography?

• Because you lack trust in… something…• Transmission mediums• Integrity of communications• Other people• Governments• Cigarette smoking men• Etc.


Our Cast

In traditional cryptographic discussions we would consider the following actors:• Alice – Someone sending information• Bob – Someone receiving information• Eve – Someone eavesdropping

All because Ron Rivest (of RSA fame) used such terms back in the 1970s.


Our REAL Cast

Times have changed, and we need heroes who reflect those times…

Alice, as… well… Alice

… Dilbert, as Bob …

… and Catbert, as Eve. Or evil. Either one/both.


And now here’s somethingwe hope you’ll really like!


Failure One

REGULAR FAIL


The Scenario

Alice and Dilbert set up a secure website. It’s amazing. It was hacker proof (just trust me on this one), with an official certificate and everything.

Unfortunately, their agents used browsers that still trusted root certificate authorities that used MD5 for hashing.


Failure: MD5 Certificate

So what is MD5?• Hashing algorithm• Vulnerable to collisions• Was still used through 2008 by certificate

authorities


Failure: MD5 Collisions

What is a collision?

It’s when two different inputs create the same output.

Why is that bad?

Because… that’s exactly what it’s not supposed to do!



How can we make that worse?

By having a condition where two different inputs share a function or format, such as documents and executables

Or, I don’t know… cryptographic material



The first MD5 collision was in 2004.

By 2007 colliding executables, documents, and more were possible and had been demonstrated, due to chosen-prefix collisions.

Enter the fake certificate authority!



Step 1: Generate a pair of certificates with the same hash but different characteristics (e.g. make one a CA that can sign anything).

Step 2: Get the benign certificate signed by a ”real” CA and copy that signature to the malicious one.

Step 3: Profit



And what does that give you?

A certificate that can sign literally anything, and which validates back to a trusted root certificate authority.

I amGoogleMicrosoftMr. Robot

Whomever I want to be!



I am Dilbert. You can trust this because Alice said I am. Now tell me

all your secrets. They’re safe with me.


Failure Two


The Scenario

• In an alternate dimension, Alice has ascended to lead a military force against the evil feline nation of Catbertia.

• Dilbert, her lead general, needs to communicate securely with her.

• They decide to deploy one of the most effective physical cryptographic systems ever made… the enigmatic… er… Enigma.


Failure X: Enigma

This is the Engima. It was a beauty of engineering. Multiple rotors, each input changed the next encoding, easy to operate and fiendishly difficult to brute force.


Failure X: Engima

How complex was it?• 3 rotor wheel positions, 5 wheel choices (60

starting combinations)• 26 starting positions per wheel (17,576

combinations)• Wheels rotate one another… wiring to

create substitutions… egads!• 107,458,687,327,250,619,360,000 keys


Failure X: Engima

Oh, and then there was the fact that Engima operations used key encrypting keys… really!

The day key was a pre-shared secret used to encrypt one-time keys called message keys. Message keys were then used to encrypt actual messages.

Pretty nifty!


Catbert Has No Chance!

• It’s true! With that many combinations and frequency of change there’s no hope for the empire of evil.

• Then again, people have been known to make mistakes.

• But I’m sure Alice and Dilbert wouldn’t make the same ones that their historical predecessors did. What were those again?


Failure X: Engima

How was Enigma previously defeated?• Reuse of rotor settings• Transmission with multiple ciphers• Operators often reused the same message

key multiple times (e.g. “cillies”)• Common message formats


Failure X: Enigma

• What’s that? Dilbert has taken to using the day of the week as the message key?


Failure 2


The Scenario

Alice and Dilbert are joining the modern age. They visit each other’s houses frequently, and use each other’s wireless networks.

To be extra safe, they’ve selected Wired Equivalent Privacy (WEP) to secure their network. What could possibly go wrong? Well, since WEP uses a single key that needs to be protected!


Failure: WEPThey know that Catbert is trying to intercept their communications, so they paid a driver to take the out in the middle of a mud field in Elbonia.

Once out there, they chose a super secret password just between the two of them. This is now their wireless network password.

Whew! That was close. Good thing that sharing the key is the biggest concern. Right?


Failure: WEP

Well, maybe not JUST that… there’s also:• Poor initialization vectors (IV) size• Weak IVs• Weak key space• Poor key entry (ASCII reduces key space)• Replay/packet stimulation (when you need

more IVs)• Chop-Chop Attack!


Failure: WEP

The only thing I like more than weak crypto is my

enemies using it.


Will this guy ever shut up?


Honorable Mention

• Advanced Encryption Standard (AES) – Electronic Codebook (ECB)• Same key used over and over• Block-based encryption• Known plaintext lookup!• SmashECB, for example (written by yours truly)


Honorable Mention

• Clipper Chip – Law Enforcement Access Field• Included data necessary to recover key• Only 16-bit hash protecting it• Bypass and reuse were possible and

demonstrated• Use of third party LEAF data was possible too!


Honorable Mention

• Microsoft’s ”Golden Key”• Booting RT/ARM devices check two things: a

policy (must be signed by Microsoft) and the operating system (also must be signed by Microsoft)

• The “Golden Key” is a debug mode policy that was accidentally shipped, and that policy allows skipping the check for the operating system

• Presto! Any OS on a Surface/WinPhone/etc.


Honorable Mentions

And so many, many more…• WPA - Design• Dual EC DRBG - Design• MD4 – Time, mostly• NIST P- curves (ECC) – Design• Digital Encryption Standard (DES) – Design• 3 DES – Design


Questions

If you’ve got ’em, throw ‘em.

If I know the answer, I’ll give it.

If I don’t, I’ll answer anyways before I disclose that I have no clue what I’m talking about.


Miscellaneous

• Picture Credits• Mulder Image: Pascal Wagler• Dilbert Characters: Scott Adams• Engima Machine: TheHistoryBlog.com• Failure Pictures: The Internet Tubes

• Find Me• Twitter: @hermit_hacker• LinkedIn: /in/bcmork

@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 7-8, 2016 41@NTXISSA #NTXISSACSC4

The Collin College Engineering DepartmentCollin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)

Thank you

A Brief History of Cryptographic Failures - Mork

Documents

Transcript of A Brief History of Cryptographic Failures - Mork