AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst of Controls (SAC306)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eric Brandwine, AWS Senior Principal Security Engineer
December 1, 2016
Encryption: It Was the Best of Controls,
It Was the Worst of Controls
SAC306
A tale of two ciphers
datasets
What is this talk?
Why Encrypt?
PCI:DSS Requirement 3: Protection at rest
PCI:DSS Requirement 4: Encrypt on the network
"A covered entity must, in accordance with §164.306…
Implement a mechanism to encrypt and decrypt electronic
protected health information.” (45 CFR § 164.312(a)(2)(iv))
Etc., etc., etc.
Encryption is
HARD
Encryption is
EXPENSIVE
Encryption is
worth it (sometimes)
[Diagram: _ + _ + MATH = _]
A recipe
[Diagram: _ + _ + MATH = _]
Unbreaking an egg
How I thought crypto failed
How crypto actually fails
Primitives, Modes, and Protocols
[Diagram: _ + _ + MATH = _]
Super_Secret_Message
Super_Se → Block Cipher → Encrypte
cret_Mes → Block Cipher → d_Cipher
…
TLS as a protocol
Arbitrarily bad network (The Internet)
Confidentiality
Server authentication
Tamper evidence
Replay protection
…
A leak!
[Diagram: _ + _ + MATH = _]
Awfully_Awfully_Secret
Awfully_ → Block Cipher → Encrypte
Awfully_ → Block Cipher → Encrypte
…
A big pile of crypto
Primitive
Protocol
Mode
Primitive
Protocol
Mode
Primitive
Mode
We believe
Crypto here and crypto there
Encryption in transit
A tale of one cipher
Super_Secret_Message
Stream Cipher → Keystream_bytes_
Super_Secret_Mes ⨁ Keystream_bytes_ → Encrypted_Cipher
RC4
RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
Use RC4,
don't use RC4,
I don't care
A wild BEAST appears
Browser Exploit Against SSL/TLS
Cipher Block Chaining
Awfully_Awfully_Secret
Awfully_ ⨁ IV → Block Cipher → Encrypte
Awfully_ ⨁ Encrypte → Block Cipher → d_Cipher
…
Chosen Plaintext Attack
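$x \oplus A \oplus A = x$
$C_i = \mathrm{AES}(k, C_{i-1} \oplus P_i)$
We want to decrypt $C_i$ and obtain $P_i$.
Pick $m$ as a guess for $P_i$.
Let $P_j = C_{j-1} \oplus C_{i-1} \oplus m$
$C_j = \mathrm{AES}(k, C_{j-1} \oplus P_j)$
$C_j = \mathrm{AES}(k, C_{j-1} \oplus C_{j-1} \oplus C_{i-1} \oplus m)$
$C_j = \mathrm{AES}(k, C_{i-1} \oplus m)$
Thus, $m = P_i$ iff $C_j = C_i$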
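The identity above depends on the sender using the previous ciphertext block as the next IV, which is what TLS 1.0 does; TLS 1.1 and later send a fresh IV with every record. The following sketch is an added example, not code from the talk: it checks the equality under both IV policies. `toy_block_encrypt` is a constructed stand-in for AES(k, ·), and `CbcSender` and `guess_confirms` are hypothetical names.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per block, as with AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    # Constructed stand-in for AES(k, .): a 4-round Feistel permutation built
    # from HMAC-SHA256. Not a real cipher; only its determinism matters here.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcSender:
    """Hypothetical sender that encrypts one block per record.

    chained_iv=True  : IV is the previous ciphertext block (TLS 1.0 behaviour)
    chained_iv=False : fresh random IV for every record (TLS 1.1+ behaviour)
    """

    def __init__(self, key, chained_iv):
        self.key = key
        self.chained_iv = chained_iv
        self.last_block = os.urandom(BLOCK)  # initial IV

    def send(self, plaintext_block):
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        c = toy_block_encrypt(self.key, xor(iv, plaintext_block))
        self.last_block = c
        return iv, c  # both values are visible on the wire


def guess_confirms(sender, secret_block, m):
    # Returns whether C_j == C_i when P_j is built from the guess m.
    c_prev, c_i = sender.send(secret_block)  # C_{i-1} and C_i
    # P_j = C_{j-1} xor C_{i-1} xor m, predicting that C_{j-1} will be C_i
    p_j = xor(xor(c_i, c_prev), m)
    _, c_j = sender.send(p_j)
    return c_j == c_i
```

With `chained_iv=False` the prediction of C_{j-1} is wrong, so even a correct guess no longer produces a matching block.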
Blockwise Chosen Boundary Attack
POST /A HTTP 1.1\r\nCookie: SessionID=XXXX
POST /AAAAAA HTTP 1.1\r\nCookie: SessionID=XXXX
Let m = ‘P 1.1\r\nCookie: a’
Let m = ‘P 1.1\r\nCookie: b’
Let m = ‘P 1.1\r\nCookie: S’…
POST /AAAAA HTTP 1.1\r\nCookie: SessionID=XXXX
Let m = ‘ 1.1\r\nCookie: Sa’
…
$C_j \neq C_i$
$C_j \neq C_i$
$C_j = C_i$
Assume the cookie is 16 characters, one full block.
Guessing the entire cookie at once:
$2^{128}$ guesses (worst case) = 340,282,366,920,938,463,463,374,607,431,768,211,456
Guessing the entire cookie one byte at a time:
$16 \times 2^{8}$ guesses (worst case) = 4,096
That’s $2^{116}$ times faster or just 0.0000000000000000000000000000000012% as many guesses
The short version
If:
I can cause your client to make requests (JavaScript)
I can control block alignment
I can sniff the resulting TLS traffic
There is a repeated field worth stealing (cookies)
Then:
I can guess byte-wise rather than block-wise
RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
Use RC4,
don't use RC4,
I don't care
Use RC4!!!
But….
If:
I can cause your client to make requests (JavaScript)
I can control block alignment
I can sniff the resulting TLS traffic
There is a repeated field worth stealing (cookies)
Then:
I can guess byte-wise rather than block-wise
Defense in depth
Includes timestamp!
The end approaches
RC4 timeline
1987: Created by Rivest at RSA
1994: Anonymously leaked
1995: Included in SSL
1999: RFC 2246, TLS 1.0
2011: BEAST
2013: Statistical biases
2015: RFC 7465, Nope!
Use RC4,
don't use RC4,
I don't care
Use RC4!!!
Oh my, no way!
IoT, the Internet of Television
I like RC4, AES, and 3DES
In that order.
Cool! Let's use AES
'cause RC4 is broken
LIES!
Don't fly blind
2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000086 0.001048 0.001337 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2
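The last two fields of that load balancer log entry are the negotiated cipher suite and protocol version, which is the data needed before removing a cipher. The following sketch is an added example, not code from the talk: it tallies what clients actually negotiate and flags the cases the talk covers. The first sample line is the one from the slide, the other two are constructed, and the function names are hypothetical.

```python
import shlex
from collections import Counter

# First line is the sample from the slide; the other two are constructed.
SAMPLE_LOG = '''\
2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000086 0.001048 0.001337 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2
2015-05-13T23:39:44.100000Z my-loadbalancer 192.168.131.40:5021 10.0.0.1:80 0.000090 0.001100 0.001400 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "ExampleTV/1.0" RC4-SHA TLSv1
2015-05-13T23:39:45.200000Z my-loadbalancer 192.168.131.41:6100 10.0.0.1:80 0.000080 0.001000 0.001300 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
'''


def parse_line(line):
    # shlex keeps the quoted request and user-agent fields together.
    f = shlex.split(line)
    if len(f) < 15:
        return None
    return {"client": f[2].rsplit(":", 1)[0], "user_agent": f[12],
            "cipher": f[13], "protocol": f[14]}


def findings(cipher, protocol):
    out = []
    if "RC4" in cipher:
        out.append("RC4 (prohibited by RFC 7465)")
    elif protocol in ("SSLv3", "TLSv1"):
        # Before TLS 1.1 every non-RC4 suite is a CBC suite with chained IVs.
        out.append("CBC suite on TLS 1.0 or older (BEAST)")
    if cipher.startswith("DHE-"):
        out.append("DHE: check DH group size (Logjam)")
    return out


def summarize(log_text):
    suites, flagged = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line) if line.strip() else None
        if rec is None or rec["cipher"] == "-":  # "-" marks a non-TLS request
            continue
        suites[(rec["protocol"], rec["cipher"])] += 1
        for why in findings(rec["cipher"], rec["protocol"]):
            flagged.append((rec["client"], rec["user_agent"], why))
    return suites, flagged
```

Grouping the flagged entries by user agent shows which client populations would break if a suite were removed.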
We've got a logjam
Diffie Hellman key agreement
Tackling the discrete log problem
512 bit: 50 core-years 35 core-minutes
768 bit: 36.5k core-years 2 core-days
1024 bit: 45M core-years 30 core-days
Meet SSL Labs
Diffie-Hellman in S3
Every webserver thread creates a new prime at startup
>> 10k primes in use at any time
We fingerprint the ClientHello and alter our response
Browsers are not offered DHE
SSL Labs gets a different view than your browser
https://github.com/awslabs/s2n
The bathtub curve of change
How scary is it?
How often does it happen?
Encryption at rest
[Diagram: _ + _ + MATH = _]
Our recipe
[Diagram: MATH]
Following the recipe
This is a human
She's a beauty! Low, low miles!
This one, not so much
Data Encryption Standard
1975: Published
1976: Approved as a standard
1977: FIPS
1992: Differential cryptanalysis
1998: First public break
1998: Break in 58 hours
1999: Break in 22 hours
2006: COPACOBANA: 9 days, $10,000
[Diagram: _ + _ + MATH = _]
Another recipe
MORE
MATH
Keys are sensitive
Ciphertext is sensitive
Keep your ciphertext close
[Diagram: MATH]
Oblivious clients
Keys in the network
Keys on disk
Keys are long term sensitive
Ciphertext is long term sensitive
How we do this in S3
S3
Storage
Backend
S3 Web
AWS KMS
Encryption is HARD
Encryption is EXPENSIVE
Encryption is worth it
(sometimes)
In theory, there's no
difference between theory
and practice.
In practice, there is.
Thank you!
Remember to complete
your evaluations!
Rules of Crypto
Rule #1: Don’t do it unless you’re an expert
Rule #2: You’re not an expert
Rule #3: You’re going to screw it up, even if you are an expert