Crypto: Passwords and RNGs. CS 642 Guest Lecturer: Adam Everspaugh

Similar documents
Symmetric and Password- based encrypdon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Computer Security CS 526

Information Security CS526

CSE484 Final Study Guide

WPA Passive Dictionary Attack Overview

Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

Lecture 4: Hashes and Message Digests,

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Cryptography for Software and Web Developers

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

CS 161 Computer Security

symmetric cryptography s642 computer security adam everspaugh

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

MTAT Applied Cryptography

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Randomness Extractors. Secure Communication in Practice. Lecture 17

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

symmetric cryptography s642 computer security adam everspaugh

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

User Authentication. Modified By: Dr. Ramzi Saifan

WPA-GPG: Wireless authentication using GPG Key

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS November 2018

Unit 8 Review. Secure your network! CS144, Stanford University

Chapter 24 Wireless Network Security

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptographic Hash Functions

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

1 FIVE STAGES OF I.

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Please ensure answers are neat and legible. Illegible answers may be given no points.

CS 161 Computer Security

Findings for

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Practical Aspects of Modern Cryptography

Lecture for February 10, 2016

PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B

The case for ubiquitous transport-level encryption

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Misuse-resistant crypto for JOSE/JWT

FIPS Non-Proprietary Security Policy

FIPS Security Policy UGS Teamcenter Cryptographic Module

CPSC 467: Cryptography and Computer Security

Message Authentication and Hash function 2

Release note Tornaborate

Authenticated Encryption in TLS

CS155. Cryptography Overview

TPM v.s. Embedded Board. James Y

Feedback Week 4 - Problem Set

YubiKey Personalization Tool. User's Guide

CS408 Cryptography & Internet Security

More Attacks on Cryptography 3/12/2010

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Authentication. Steven M. Bellovin January 31,

Transport Level Security

User Authentication. Modified By: Dr. Ramzi Saifan

COSC4377. Chapter 8 roadmap

This Security Policy describes how this module complies with the eleven sections of the Standard:

CSE 127: Computer Security Cryptography. Kirill Levchenko

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

CIS 4360 Secure Computer Systems Symmetric Cryptography

Message authentication codes

CS 161 Computer Security

Cisco Systems 5760 Wireless LAN Controller

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

/dev/random and Your FIPS Validation Can Be Friends

Computer Security: Principles and Practice

Security: Cryptography

Wireless Network Security

Randomness in Cryptography

Refresher: Applied Cryptography

network security s642 computer security adam everspaugh

Cryptography: Practice JMU Cyber Defense Boot Camp

Summary on Crypto Primitives and Protocols

Pass, No Record: An Android Password Manager

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

ID protocols. Overview. Dan Boneh

Connecting Securely to the Cloud

How to Implement Cryptography for the OWASP Top 10 (Reloaded)

Encryption. INST 346, Section 0201 April 3, 2018

PYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Wireless Network Security Spring 2015

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Authenticated Encryption

Architectural Support for Copy and Tamper Resistant Software

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

Physical and Link Layer Attacks

Transcription:

Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace

Topics! Password-based Crypto!! Random Number Generators

Symmetric Key Encryption key generation R k Gen K R M Enc C C Dec M Correctness: Dk( Ek(M,R) ) = M

Password-based Symmetric Encryption pw R M Enc C C Dec M Correctness: D(pw, E(pw,M,R) ) = M

Encrypt-then-MAC with CBC and HMAC IV M1 M2 M3 E K1 E K1 E K1 C0 C1 C2 C3 K2 ipad C H K2 opad h H T Ciphertext is: (C,T) How do we use this with a password?

Password-based Key Derivation (PBKDF) PBKDF(pw, salt): Truncate if needed pw salt 1 H H H K1 pw salt 2 H H H K2 repeat c times

PBKDF + Symmetric Encryption yields PW-Based Encryption Enc(pw,M,R): salt R = R K = PBKDF(pw,salt) C = Enc (K,M,R ) Return (salt,c) Here Enc /Dec is a typical symmetric encryption scheme (CBC+HMAC) Dec(pw,C): salt C = C K = PBKDF(pw,salt) M = Dec (K,C ) Return M Attacks?

Password Distribution From an Imperva study of released RockMe.com password database (2010)

Dictionary Attack Given a (message,ciphertext) pair: Enumerate a dictionary D of possible passwords, in order of likelihood Test each candidate password DictionaryAttack(D,M,C): R C = C for pw* in D: C* = Enc(pw*,M,R) if C* == C : return pw* IV C0 M1 E K1 C1

PBKDF Slows Down Dictionary Attacks pw salt 1 H H H K1 Iterating c times should slow down attacks by factor of c Salts: Different derived keys, even if same password Slows down attacks against multiple users Prevents precomputation attacks, if salts chosen randomly!

How Fast Are Dictionary Attacks? openssl speed sha1 Assume: 4 cores @ 2.2M hashes per second Size of Dictionary Computation time! c=1 Computation time! c=4096 6 digit PIN 10 0.11 seconds 7.8 minutes 6 alphanumerics (lowercase) 8 alphanumerics! (mixed case) 36 4.1 minutes 11.7 days 62 287 days 3,222 years

802.11 WPA Authentication Wifi AP PMK = PBKDF( pw, ssid ssidlength ) with c = 4096 PTK = H( PMK ANonce SNonce AP MAC address STA MAC address ) MIC = HMAC-MD5(PTK, M2) Observe just one handshake by another party, and attacker can mount offline dictionary attack against the password

Attacking WPA Passwords Wifi AP PMK = PBKDF( pw, ssid ssidlength ) with c = 4096 PTK = H( PMK ANonce SNonce AP MAC address STA MAC address ) MIC = HMAC-MD5(PTK, M2) DictionaryAttack(D,MIC,ANonce,SNonce,SSID,M2): for pw* in D: PMK* = PBKDF(pw*, ssid ssidlength) PTK* = H(PMK* ANonce ) MIC* = HMAC-MD5(PTK*, M2) If MIC* == MIC: return pw* return None

Recap: Password-based Crypto pw salt 1 H H H K1 Allows use of passwords in existing crypto schemes! Gain: Increases attackers computations Prevents precomputation! Cost: Increased computation! Limitation: Strength of key still limited to strength of password Don t make it easy for attacker to mount offline dictionary attacks

Uses for Secure Random Numbers Cryptography! Keys Nonces, initial values (IVs), salts!! System Security! TCP Initial Sequence Numbers (ISNs) ASLR Stack Canaries

Where can we get secure random numbers? OSX/Linux! cat /dev/urandom xxd -l 1024 -p /dev/urandom openssl rand 256 -hex! Intel HW RNG! OSX: sysctl -a grep RDRAND Linux: cat /proc/cpuinfo grep rdrand

Operating System Random Number Generators System Events Keyboard Clicks Mouse Movements Hard Disk Event Network Packets Other Interrupts RNG Random Numbers Statistically Uniform Hard to predict

Linux RNG System Events RNG Random Numbers Linux /dev/(u)random: Random Pool /dev/random interrupt events Interrupt Pool disk events keyboard events mouse events hardware RNGs Input Pool URandom Pool /dev/urandom Cryptographic hash

RNG Failures System Events RNG Random Numbers RNG Failures! Predictable Output Repeated Output Outputs from a small range (not-statistically uniform)! Broken Windows RNG: [DGP 2007] Broken Linux RNG: [GPR 2008], [LRSV 2012], [DPRVW 2013], [EZJSR 2014] Factorable RSA Keys: [HDWH 2012] Taiwan National IDs: [BCCHLS 2013]

Virtual Machine Snapshots disk Snapshot Resumption

Security Problems with VM Resets VM Reset Vulnerabilities [Ristenpart, Yilek 2010] Use key App starts Read /dev/urandom Derives key Initialization Snapshot Use key Firefox and Apache reused random values for TLS! Attacker can read previous TLS sessions, recover private keys from Apache

Linux RNG after VM Reset Not-So-Random Numbers in Virtualized Linux [Everspaugh, et al, 2014] disk Snapshot Read RNG Read RNG Experiment:! Boot VM in Xen or VMware Capture snapshot Resume from snapshot, read from /dev/urandom Repeat: 8 distinct snapshots 20 resumptions/snapshot

/dev/urandom outputs after resumption 21B8BEE4 9D27FB83 6CD124A6 E8734F71 111D337C 1E6DD331 8CC97112 2A2FA7DB DBBF058C 26C334E7 F17D2D20 CC10232E... 21B8BEE4 9D27FB83 6CD124A6 E8734F71 111D337C 1E6DD331 8CC97112 2A2FA7DB DBBF058C 26C334E7 F17D2D20 CC10232E... 21B8BEE4 9D27FB83 6CD124A6 E8734F71 111D337C 1E6DD331 8CC97112 2A2FA7DB DBBF058C 26C334E7 45C78AE0 E678DBB2... Linux RNG is not reset secure: 7/8 snapshots produce mostly identical outputs Reset 1 Reset 2 Reset 3

Reset insecurity and applications Generate RSA key on resumption: openssl genrsa! 30 snapshots; 2 resets/snapshot (ASLR Off) 27 trials produced identical private keys 3 trials produced unique private keys

Why does this happen? if (entropy estimate >= 64) if (count > 64 or elapsed time > 1s ) Random Pool /dev/random interrupts Interrupt Pool disk events Input Pool URandom Pool /dev/urandom if (entropy estimate >= 192) Buffering and thresholds prevent new inputs from impacting outputs Linux /dev/(u)random

What about other platforms? FreeBSD! /dev/random produces identical output stream! Up to 100 seconds after resumption! Microsoft Windows 7 Produces repeated outputs indefinitely! rand_s!!!! (stdlib)! CryptGenRandom!! (Win32)! RngCryptoServices! (.NET)

RNG Recap RNG! /dev/urandom RNGs are critical for security! Keys, nonces, etc! Building good RNGs is hard!! OS provides a strong RNG! e.g.: /dev/urandom! Intel CPUs provide an RNG! RDRAND instructions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback