Cargo Cult Security UJUG Sep2015

Cargo Cult Security - Utah Java User Group 2015, https://github.com/disaacson/cargo-cult-security, by Derrick Isaacson

Transcript of Cargo Cult Security UJUG Sep2015

Page 1: Cargo Cult Security UJUG Sep2015

Cargo Cult Security- Utah Java User Group 2015

https://github.com/disaacson/cargo-cult-security

by Derrick Isaacson

Page 2: Cargo Cult Security UJUG Sep2015

http://en.wikipedia.org/wiki/Cargo_cult

Page 3: Cargo Cult Security UJUG Sep2015

Richard Feynman

Page 4: Cargo Cult Security UJUG Sep2015

Cargo Cult Programming

Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.

• Design patterns
  • Factory
  • Wrapper
• Dependency injection
• Cryptography
  • Encryption
  • Hashing

Page 5: Cargo Cult Security UJUG Sep2015

The Big Picture

Page 6: Cargo Cult Security UJUG Sep2015

Crypto Primitives & Goals

Primitives:
• Hash
• MAC
• HMAC
• Symmetric key crypto
• Asymmetric key crypto
• Digital signature
• Digital certificates

Goals:
• Data integrity
• Data authentication
• Non-repudiation
• Confidentiality
• Trust

Page 7: Cargo Cult Security UJUG Sep2015

Classic Encryption

(The primitives-and-goals map from Page 6, shown again.)

Page 8: Cargo Cult Security UJUG Sep2015

Plaintext → Cipher → Ciphertext

Page 9: Cargo Cult Security UJUG Sep2015

Symmetric Key Cryptography (Private-key Cryptography)

• Blowfish
• Twofish
• Serpent
• AES (Rijndael)
• CAST5
• RC4
• 3DES
• IDEA

Used in: HTTPS (TLS/SSL), SSH, LUKS disk encryption, KeePass

(RC4 and 3DES appear here as they did on the 2015 slide; both are deprecated today and should not be chosen for new designs.)

Page 10: Cargo Cult Security UJUG Sep2015

Anti-pattern: Authentication

/private_image?secure_id=573146feb41e

Page 11: Cargo Cult Security UJUG Sep2015

Anti-pattern: Authentication

/private_image?secure_id=573146feb41e

import javax.crypto.*;

// key and initVector are fixed server-side values; bytesToHex/hexToBytes are helpers not shown on the slide
public static String getPrivateURL(String plainTextId) throws Exception {
    Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key, initVector);
    byte[] cipherBytes = cipher.doFinal(plainTextId.getBytes());
    return bytesToHex(cipherBytes);
}

String plainTextId = "100000";
String cipherTextId = Auth.getPrivateURL(plainTextId);

Page 12: Cargo Cult Security UJUG Sep2015

/private_image?secure_id=573146feb41e

public static String getSecretImg(String cipherTextId) throws Exception {
    Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
    cipher.init(Cipher.DECRYPT_MODE, key, initVector);
    byte[] plainBytes = cipher.doFinal(hexToBytes(cipherTextId));
    String plainTextId = new String(plainBytes, "UTF-8");
    return getImage(plainTextId);
}

573146feb41e → 100000 → Team Photo

Page 13: Cargo Cult Security UJUG Sep2015

/private_image?secure_id=573146feb41e
/private_image?secure_id=573146feb41f

public static String getSecretImg(String cipherTextId) throws Exception {
    Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
    cipher.init(Cipher.DECRYPT_MODE, key, initVector);
    byte[] plainBytes = cipher.doFinal(hexToBytes(cipherTextId));
    return new String(plainBytes, "UTF-8");   // slide variant: show the decrypted id
}

573146feb41f → 100001

Attack Plan

OFB is a stream mode: every ciphertext byte is a plaintext byte XOR a keystream byte, and nothing checks that the ciphertext was produced by the server. Flipping the low bit of the last ciphertext byte (…1e → …1f) therefore flips the low bit of the last plaintext byte ('0' → '1'), so the attacker walks through neighbouring ids without ever learning the key.
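The attack plan for Pages 10 to 13, worked as a runnable Python example added here; it is not code from the talk or its repository. The standard library has no Blowfish, so an HMAC-SHA256 counter keystream stands in for Blowfish-OFB: the malleability shown depends only on the "plaintext XOR keystream" structure that OFB, CTR and RC4 share, not on the cipher. The key, IV and ids are constructed for the example, and the server functions mirror the shape of the slide's getPrivateURL/getSecretImg.

```python
import hashlib
import hmac

# Constructed demo values standing in for the server's fixed Blowfish key and initVector.
# The attack never uses them, so their values do not matter.
KEY = b"server-side-secret-key"
IV = bytes.fromhex("0011223344556677")


def keystream(key, iv, n):
    """HMAC-SHA256 in counter mode, a stand-in for the Blowfish-OFB keystream."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def stream_xcrypt(key, iv, data):
    """Encryption and decryption are the same XOR in a stream mode."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))


def get_private_url(plain_id):
    """Server: encrypt the id and hex-encode it (the slide's getPrivateURL)."""
    return stream_xcrypt(KEY, IV, plain_id.encode()).hex()


def get_secret_img(cipher_id):
    """Server: decrypt the id with no integrity check (the slide's getSecretImg)."""
    return stream_xcrypt(KEY, IV, bytes.fromhex(cipher_id)).decode()


def forge_neighbor(cipher_id, known_char, wanted_char, position=-1):
    """Attacker: knowing only that plaintext[position] == known_char, rewrite it to
    wanted_char by XORing that ciphertext byte with known_char ^ wanted_char.
    No key is needed: (p ^ k) ^ (p ^ p') == p' ^ k."""
    ct = bytearray(bytes.fromhex(cipher_id))
    ct[position] ^= ord(known_char) ^ ord(wanted_char)
    return ct.hex()


def search_space_bits(plain_id):
    """NoPadding in a stream mode keeps ciphertext length == plaintext length,
    so a 3-character id gives a 24-bit secure_id: 2**24 candidate URLs."""
    return len(bytes.fromhex(get_private_url(plain_id))) * 8


if __name__ == "__main__":
    cid = get_private_url("100000")
    forged = forge_neighbor(cid, "0", "1")   # '0' ^ '1' == 0x01: the ...1e -> ...1f flip from the slide
    print(cid, "->", get_secret_img(cid))
    print(forged, "->", get_secret_img(forged))   # 100001, an id the server never issued
    print(search_space_bits("834"), "bits of secure_id")
```

The same `forge_neighbor` call with `position=0` rewrites the leading digit, which is why the scheme fails even if ids were not sequential: confidentiality of the id was never the goal, authenticity was, and encryption alone does not provide it.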

Page 14: Cargo Cult Security UJUG Sep2015

Crypto Primitives & Goals

(The primitives-and-goals map from Page 6, shown again.)

Page 15: Cargo Cult Security UJUG Sep2015

Message Authentication Codes

HMAC(key, message)

HMAC: RFC 2104 [16]

• HMAC-MD5
• HMAC-SHA1
• HMAC-SHA256

Message → MAC

Page 16: Cargo Cult Security UJUG Sep2015

HMAC

SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), "HmacSHA1");
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signingKey);
byte[] hmacBytes = mac.doFinal(message.getBytes());
return bytesToHex(hmacBytes);

(Prefer "HmacSHA256" in new code; the construction is identical. Compare a received MAC with MessageDigest.isEqual rather than String.equals, so the comparison does not leak the tag through timing.)
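What the private-image URL from Pages 10 to 13 looks like once the goal is named correctly (authenticity, so an HMAC over the id instead of encryption of it), as a Python example added here rather than code from the talk. The MAC key is generated per process for the demo; a deployment would load it from a secret store. The token layout, the expiry field and the function names are this example's own choices, and the expiry also covers the stateless-token advice on Page 35.

```python
import hashlib
import hmac
import secrets
import time

# Demo key, generated at import; never a string literal in source (see Page 31).
MAC_KEY = secrets.token_bytes(32)


def _tag(payload):
    return hmac.new(MAC_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(user_id, ttl_seconds, now=None):
    """Server: authenticate, do not encrypt. token = payload '.' HMAC(payload).
    The id stays readable; the goal is that nobody can mint or alter one."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_seconds}"
    return f"{payload}.{_tag(payload)}"


def verify_token(token, now=None):
    """Server: the user id if the tag is valid and the token unexpired, else None."""
    now = int(time.time()) if now is None else now
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    # compare_digest takes time independent of where the strings first differ,
    # so the tag cannot be recovered byte by byte from response timing.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    user_id, sep, exp = payload.rpartition("|")
    if not sep or not exp.isdigit() or now >= int(exp):
        return None
    return user_id


def tamper_id(token, new_id):
    """Attacker: keep the tag, change the id. Works against the encrypted-id URL,
    fails here because the tag was computed over the original payload."""
    payload, _, tag = token.rpartition(".")
    _, _, exp = payload.rpartition("|")
    return f"{new_id}|{exp}.{tag}"


if __name__ == "__main__":
    t = mint_token("100000", ttl_seconds=600)
    print(t, "->", verify_token(t))                       # 100000
    print(tamper_id(t, "100001"), "->", verify_token(tamper_id(t, "100001")))   # None
```

Because the server recomputes the tag from the payload, the only way to produce a token for id 100001 is to know MAC_KEY; no bit-flipping or enumeration of a 2^24 space helps.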

Page 17: Cargo Cult Security UJUG Sep2015

Anti-pattern: Authentication 2

/private_image?user_id=3d90e

http://aes.online-domain-tools.com/

2^24 search space with a valid URL density of

String plainTextId = "834";
String cipherTextId = Auth.getPrivateURL(plainTextId);

public static String getPrivateURL(String plainTextId) throws Exception {
    Cipher cipher = Cipher.getInstance("Blowfish/OFB/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key, initVector);
    byte[] cipherBytes = cipher.doFinal(plainTextId.getBytes());
    return bytesToHex(cipherBytes);
}

With NoPadding in a stream mode the ciphertext is exactly as long as the plaintext, so a three-character id such as "834" produces a 24-bit secure_id: only 2^24 candidate URLs, which an attacker can simply enumerate.

Page 18: Cargo Cult Security UJUG Sep2015

Crypto Primitives & Goals

(The primitives-and-goals map from Page 6, shown again.)

Page 19: Cargo Cult Security UJUG Sep2015

Anti-pattern: Bank Deposit

Page 20: Cargo Cult Security UJUG Sep2015

cipher = Cipher.getInstance(“AES/CBC/NoPadding");…return cipher.doFinal(plainText.getBytes());

msg[45] = (byte)(msg[45] ^ “0".getBytes()[0] ^ "t".getBytes()[0]);

cipher = Cipher.getInstance(“AES/CBC/NoPadding");…return cipher.doFinal(cipherText);

Page 21: Cargo Cult Security UJUG Sep2015

Or…

Replay it 1000 times

Page 22: Cargo Cult Security UJUG Sep2015

Crypto Primitives & Goals

(The primitives-and-goals map from Page 6, shown again.)

Page 23: Cargo Cult Security UJUG Sep2015

Encryption Parameters

• Cipher (AES, Blowfish, …)
• Secret key
• Data to encrypt
• Mode (CBC, ECB, OFB, …)
• Initialization Vector

Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key, initVector);

(The two lines label the parameters; as written they would not run, because the JCE rejects an IV for ECB with an InvalidAlgorithmParameterException. ECB has no IV, which is part of its problem.)

Page 24: Cargo Cult Security UJUG Sep2015

Anti-pattern: Encryption Modes

cipher = Cipher.getInstance("AES/ECB/NoPadding");

Page 25: Cargo Cult Security UJUG Sep2015
Page 26: Cargo Cult Security UJUG Sep2015

Cipher-block Chaining Mode

cipher = Cipher.getInstance("AES/CBC/NoPadding");

Page 27: Cargo Cult Security UJUG Sep2015

Encryption Parameters

(The parameter list and code from Page 23, shown again.)

Page 28: Cargo Cult Security UJUG Sep2015

May 20th 1942: message intercepted, island "AF"

June 3rd 1942: Battle of Midway

Page 29: Cargo Cult Security UJUG Sep2015

Anti-pattern: Initialization Vector

plainText = “Hold";

cryptText = cipher.doFinal(plainText.getBytes());

• Monday: “a8b8f95c4684b3f3”• Tuesday: “a8b8f95c4684b3f3”• Wednesday: “a8b8f95c4684b3f3”• Thursday: “a8b8f95c4684b3f3”• Friday: “10f32c937a1284db”

Page 30: Cargo Cult Security UJUG Sep2015

Modes and IVs

• Cipher-block chaining prevents patterns within a message
• A fresh, unpredictable IV for every message prevents patterns across messages
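The three mode-level failures on these slides (the CBC byte flip against the bank deposit on Pages 19 to 21, the ECB pattern leak on Pages 24 to 26, and the repeated-IV leak on Page 29), worked in one runnable Python example added here; it is not code from the talk or its repository. The standard library has no AES or Blowfish, so a toy 16-byte Feistel cipher built from HMAC-SHA256 stands in for the block cipher; the behaviours shown come from the modes and hold unchanged for a real cipher. The key, IVs and deposit message are constructed for the example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16
KEY = b"constructed-demo-key"   # constructed for the example


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- toy block cipher (stand-in for AES/Blowfish, NOT for real use) -----------------
# Four-round Feistel network on 16-byte blocks with HMAC-SHA256 as the round function.
def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round(key, rnd, left)), left
    return left + right


# --- modes, NoPadding: callers supply whole blocks, as the slides' Java does ----------
def _blocks(data):
    assert len(data) % BLOCK == 0, "NoPadding requires whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, xor(b, prev))   # each block is XORed with the previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# 1. ECB (Page 24): identical plaintext blocks encrypt to identical ciphertext blocks.
PATTERNED = b"ATTACK AT DAWN!!" * 3   # three equal 16-byte blocks


def ecb_shows_pattern():
    c = _blocks(ecb_encrypt(KEY, PATTERNED))
    return c[0] == c[1] == c[2]        # True: structure is visible without the key


def cbc_hides_pattern(iv):
    c = _blocks(cbc_encrypt(KEY, iv, PATTERNED))
    return len(set(c)) == 3            # True: chaining makes every block different


# 2. CBC byte flip (Pages 19-20): changing byte j of ciphertext block i-1 changes byte j of
#    plaintext block i and garbles block i-1, which here lands in a memo field nobody checks.
DEPOSIT = b"memo=01234567890" + b";amount=0010.00;" + b"from=ann;to=bob;"   # 3 blocks


def parse_amount(msg):
    for field in msg.split(b";"):
        if field.startswith(b"amount="):
            return field[len(b"amount="):].decode(errors="replace")
    return None


def flip_deposit_amount(iv):
    ct = bytearray(cbc_encrypt(KEY, iv, DEPOSIT))
    # plaintext index 24 is the leading '0' of the amount (block 1, offset 8); on decryption
    # it is XORed with ciphertext block 0 at offset 8, so that is the byte the attacker edits
    ct[8] ^= ord("0") ^ ord("9")
    forged = cbc_decrypt(KEY, iv, bytes(ct))   # decrypts without error: there is no integrity check
    return parse_amount(DEPOSIT), parse_amount(forged)


# 3. Fixed IV (Page 29): same key, same IV, same message gives the same ciphertext every day.
def fixed_iv_repeats(iv):
    order = b"Hold".ljust(BLOCK)
    monday = cbc_encrypt(KEY, iv, order)
    tuesday = cbc_encrypt(KEY, iv, order)
    with_fresh_iv = cbc_encrypt(KEY, secrets.token_bytes(BLOCK), order)
    return monday == tuesday, monday == with_fresh_iv
```

The byte flip is the slide's `msg[45] ^ '0' ^ 't'` with the offsets of this message; a MAC over the ciphertext (or an authenticated mode such as AES-GCM) is what makes `cbc_decrypt` refuse the edited bytes, and a per-message nonce or sequence number inside the authenticated data is what stops the replay on Page 21.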

Page 31: Cargo Cult Security UJUG Sep2015

Generating Keys & Initialization Vectors

key = "koicy37m8ao2nl07";
iv = new java.util.Random().nextLong();

• How many bits of key entropy can be contained in 16 alphanumeric characters? At most about 96 bits (62^16 ≈ 2^95.3), roughly 0.00000002% of the 2^128 AES key space, and far less if a person typed the characters.
• What initialization vector is really used here? "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"! (Warning: The IV parameter must be as long as the block size in …)
• Use javax.crypto:
    SecretKey key = KeyGenerator.getInstance("AES").generateKey();
    IvParameterSpec iv = new javax.crypto.spec.IvParameterSpec(secureRandBytes);   // secureRandBytes: 16 bytes from java.security.SecureRandom

Page 32: Cargo Cult Security UJUG Sep2015

Anti-pattern: Random Values

<form action="">
  <label>Donation amount</label>
  <input type="text" value="10.00">
  <%
    Long csrfToken = new java.util.Random().nextLong();
    setCookie("csrfToken", csrfToken);
    print(String.format("<input type=\"hidden\" value=\"%s\">", csrfToken));
  %>
  <input type="submit" value="Submit">
</form>

Page 33: Cargo Cult Security UJUG Sep2015

Finding Linear Congruential Seed

Random random = new Random();
long v1 = random.nextInt() & 0xFFFFFFFFL;   // mask to 32 bits so negative ints compare correctly below
long v2 = random.nextInt() & 0xFFFFFFFFL;

for (int i = 0; i < 65536; i++) {
    long seed = v1 * 65536 + i;             // v1 is the top 32 bits of the 48-bit state; guess the low 16
    if ((((seed * multiplier + addend) & mask) >>> 16) == v2) {
        System.out.println("Seed found: " + seed);
        break;
    }
}

(multiplier = 0x5DEECE66DL, addend = 0xBL and mask = (1L << 48) - 1 are java.util.Random's documented LCG constants [11].)
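Pages 32 and 33 in runnable form, as an example added here rather than code from the talk: a port of java.util.Random (its LCG constants and update rule are in the JDK documentation), the 2^16 search that recovers the generator's state from two consecutive nextInt() values, and prediction of the next value, which is the next CSRF token the page would hand out. The seed in the demo is constructed; csrf_token_fixed is the replacement Page 35 calls for.

```python
import secrets

# java.util.Random: a 48-bit linear congruential generator with these constants.
MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


def _to_int32(x):
    """Reinterpret the low 32 bits as a Java int (two's complement)."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


class JavaRandom:
    """Pure-Python port of java.util.Random's generator."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK   # Random(long seed) scrambles the seed this way

    @classmethod
    def from_state(cls, state):
        r = cls.__new__(cls)
        r.state = state
        return r

    def _next(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)    # only the top `bits` bits of the state are exposed

    def next_int(self):
        return _to_int32(self._next(32))

    def next_long(self):
        """nextLong() is two 32-bit draws glued together, so a leaked long is two leaked ints."""
        hi = _to_int32(self._next(32))
        lo = _to_int32(self._next(32))
        v = ((hi << 32) + lo) & 0xFFFFFFFFFFFFFFFF
        return v - (1 << 64) if v >> 63 else v


def recover_state(v1, v2):
    """Given two consecutive nextInt() outputs, recover the internal state after the second.
    nextInt() discloses the top 32 of the 48 state bits, so only 2**16 low bits are unknown;
    the candidate whose successor reproduces v2 is the real state."""
    hi = (v1 & 0xFFFFFFFF) << 16
    want = v2 & 0xFFFFFFFF
    for low in range(1 << 16):
        nxt = ((hi | low) * MULT + ADD) & MASK
        if nxt >> 16 == want:
            return nxt
    return None


def predict_next(v1, v2):
    """Attacker: two observed tokens in, the victim's next token out."""
    state = recover_state(v1, v2)
    return None if state is None else JavaRandom.from_state(state).next_int()


def csrf_token_fixed():
    """What Page 35 recommends: a CSPRNG (os.urandom-backed), unpredictable from past outputs."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    victim = JavaRandom(20150900)               # constructed seed; the attacker never learns it
    v1, v2 = victim.next_int(), victim.next_int()   # two tokens seen on the wire
    print("predicted:", predict_next(v1, v2), "actual:", victim.next_int())
    print("use instead:", csrf_token_fixed())
```

The search is 65,536 multiplications, so it finishes in well under a second in Python; a CSRF or session token drawn from java.util.Random is predictable from any two tokens the attacker can obtain for their own account.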

Page 34: Cargo Cult Security UJUG Sep2015

Anti-pattern: Pseudo-random Session IDs

<%
  uid = "12345678";
  sessionId = md5(uid + rand.nextLong() + System.currentTimeMillis());
  setCookie("session_id", sessionId);
%>

Really < 20 bits of entropy. A modern GPU can calculate that in a second! [9, 12]

Page 35: Cargo Cult Security UJUG Sep2015

HMACs and Secure Random

<form action="">
  <label>Donation amount</label>
  <input type="text" value="10.00">
  <%
    Long csrfToken = new java.security.SecureRandom().nextLong();
    setCookie("csrfToken", csrfToken);
    print(String.format("<input type=\"hidden\" value=\"%s\">", csrfToken));
  %>
  <input type="submit" value="Submit">
</form>

Do not use sessions! Use HMACs! Seriously.

Page 36: Cargo Cult Security UJUG Sep2015

No Cargo Cult Security!

1. Identify the true security goal.
2. Find the correct crypto primitive.
3. Spend some time to learn about it.
4. Write as little of your own crypto code as possible.

Page 37: Cargo Cult Security UJUG Sep2015

Crypto Primitives & Goals

(The primitives-and-goals map from Page 6, shown again.)

Page 38: Cargo Cult Security UJUG Sep2015

Crypto Primitives & Goals

(The primitives-and-goals map from Page 6, shown again.)

Page 40: Cargo Cult Security UJUG Sep2015

References

1. http://en.wikipedia.org/wiki/Cargo_cult
2. http://neurotheory.columbia.edu/~ken/cargo_cult.html
3. http://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc
4. http://en.wikipedia.org/wiki/Cargo_cult_programming
5. http://www.slideshare.net/javagroup2006/data-security-essentials-java-one-2013
6. http://www.scs.stanford.edu/10au-cs144/notes/
7. http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
8. http://security.stackexchange.com/questions/18033/how-insecure-are-phps-rand-functions
9. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf
10. http://security.stackexchange.com/questions/17988/how-insecure-are-non-cryptographic-random-number-generators
11. http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html
12. http://thepasswordproject.com/oclhashcat_benchmarking
13. http://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php
14. http://blowfish.online-domain-tools.com/
15. https://github.com/disaacson/cargo-cult-security
16. http://tools.ietf.org/html/rfc2104