© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Eric Brandwine, AWS Senior Principal Security Engineer

December 1, 2016

EncryptionIt Was the Best of Controls,

It Was the Worst of Controls

SAC306

A tale of twociphers

datasets

What is this talk?

Why Encrypt?

PCI:DSS Requirement 3: Protection at rest

PCI:DSS Requirement 4: Encrypt on the network

"A covered entity must, in accordance with §164.306…

Implement a mechanism to encrypt and decrypt electronic

protected health information.” (45 CFR § 164.312(a)(2)(iv))

Etc., etc., etc.

Encryption is

HARD

Encryption is

EXPENSIVE

Encryption is

worth it(sometimes)

MA

TH

+ + =

A recipe

MA

TH

+ + =

Unbreaking an egg

How I thought crypto failed

How crypto actually fails

Primitives, Modes, and Protocols

MA

TH

+ + = Super_Secret_Message

S u p e r _ S e

E n c r y p t e

Block

Cipher

c r e t _ M e s

d _ C i p h e r

Block

Cipher…

TLS as a protocolArbitrarily bad

network

(The Internet)

Confidentiality

Server authentication

Tamper evidence

Replay protection

…

A leak!

MA

TH

+ + = Awfully_Awfully_Secret

A w f u l l y _

E n c r y p t e

Block

Cipher

A w f u l l y _

E n c r y p t e

Block

Cipher…

A big pile of crypto

Primitive

Protocol

Mode

Primitive

Protocol

Mode

Primitive

Mode

We believe

Crypto here and crypto there

Encryption in transit

A tale of one cipher

Super_Secret_Message

S u p e r _ S e

E n c r y p t e

Stream

Cipher

c r e t _ M e s

d _ C i p h e r

K e y s t r e a m _ b y t e s _

⨁ ⨁⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁ ⨁

RC4

RC4 timeline

1987: Created by Rivest at RSA

1994: Anonymously leaked

1995: Included in SSL

1999: RFC 2246, TLS 1.0

Use RC4,

don't use RC4,

I don't care

A wild BEAST appears

Browser Exploit Against SSL/TLS

Cipher Block Chaining

E n c r y p t e

Block

Cipher

d _ C i p h e r

Block

Cipher …

Awfully_Awfully_Secret

A w f u l l y _ A w f u l l y _

⨁ ⨁IV

Chosen Plaintext Attack

x ⨁ A ⨁ A = x

Ci = AES(k, Ci-1 ⨁ Pi)

We want to decrypt Ci, and obtain Pi.

Pick m as a guess for Pi.

Let Pj = Cj-1 ⨁ Ci-1⨁ m

Cj = AES(k, Cj-1 ⨁ Pj)

Cj = AES(k, Cj-1 ⨁ Cj-1⨁ Ci-1 ⨁ m)

Cj = AES(k, Ci-1 ⨁ m)

Thus, m = Pi iff Cj = Ci

Blockwise Chosen Boundary Attack

POST /A HTTP 1.1\r\nCookie: SessionID=XXXX

POST /AAAAAA HTTP 1.1\r\nCookie: SessionID=XXXX

Let m = ‘P 1.1\r\nCookie: a’

Let m = ‘P 1.1\r\nCookie: b’

Let m = ‘P 1.1\r\nCookie: S’…

POST /AAAAA HTTP 1.1\r\nCookie: SessionID=XXXX

Let m = ‘ 1.1\r\nCookie: Sa’

…

Cj ≠ Ci

Cj ≠ Ci

Cj = Ci

Assume the cookie is 16 characters, one full block.

Guessing the entire cookie at once:

2128 guesses (worst case) = 340,282,366,920,938,463,463,374,607,431,768,211,456

Guessing the entire cookie one byte at a time:

16 * 28 guesses (worst case)

= 4,096

That’s 2116 times faster or just

0.0000000000000000000000000000000012%

as many guesses

The short version

If:

I can cause your client to make requests

JavaScript

I can control block alignment

I can sniff the resulting TLS traffic

There is a repeated field worth stealing

Cookies

Then:

I can guess byte-wise rather than block-wise

RC4 timeline

1987: Created by Rivest at RSA

1994: Anonymously leaked

1995: Included in SSL

1999: RFC 2246, TLS 1.0

2011: BEAST

Use RC4,

don't use RC4,

I don't care

Use RC4!!!

But….

If:

I can cause your client to make requests

JavaScript

I can control block alignment

I can sniff the resulting TLS traffic

There is a repeated field worth stealing

Cookies

Then:

I can guess byte-wise rather than block-wise

Defense in depth

Includes timestamp!

The end approaches

RC4 timeline

1987: Created by Rivest at RSA

1994: Anonymously leaked

1995: Included in SSL

1999: RFC 2246, TLS 1.0

2011: BEAST

2013: Statistical biases

2015: RFC7465, Nope!

Use RC4,

don't use RC4,

I don't care

Use RC4!!!

Oh my, no way!

IoT, the Internet of Television

I like RC4, AES, and 3DES

In that order.

Cool! Let's use AES

'cause RC4 is broken

LIES!

Don't fly blind

2015-05-13T23:39:43.945958Z my-loadbalancer

192.168.131.39:2817 10.0.0.1:80 0.000086 0.001048 0.001337

200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1"

"curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2

We've got a logjam

Diffie Hellman key agreement

Tackling the discrete log problem

512 bit: 50 core-years 35 core-minutes

768 bit: 36.5k core-years 2 core-days

1024 bit: 45M core-years 30 core-days

Meet SSL Labs

Diffie-Hellman in S3

Every webserver thread creates a new prime at startup

>> 10k primes in use at any time

We fingerprint the ClientHello and alter our response

Browsers are not offered DHE

SSL Labs gets a different view than your browser

https://github.com/awslabs/s2n

The bathtub curve of change

How

scary

is it?

How often does it happen?

Encryption at rest

MA

TH

+ + =

Our recipe

MA

TH

Following the recipe

This is a human

She's a beauty! Low, low miles!

This one, not so much

Data

Encryption

Standard

1975: Published

1976: Approved as a standard

1977: FIPS

1992: Differential cryptanalysis

1998: First public break

1998: Break in 58 hours

1999: Break in 22 hours

2006: COPACOBANA: 9 days, $10,000

MA

TH

+ + =

Another recipe

MORE

MATH

Keys are sensitive

Ciphertext is sensitive

Keep your ciphertext close

MA

TH

Oblivious clients

Keys in the network

Keys on disk

Keys are long term sensitive

Ciphertext is long term sensitive

How we do this in S3

S3

Storage

Backend

S3 Web

AWS KMS

Encryption is HARD

Encryption is EXPENSIVE

Encryption is worth it

(sometimes)

In theory, there's no

difference between theory

and practice.

In practice, there is.

Thank you!

Remember to complete

your evaluations!

Rules of Crypto

Rule #1: Don’t do it unless you’re an expert

Rule #2: You’re not an expert

Rule #3: You’re going to screw it up, even if you are an

expert