Cryptographic Knowledge Base

Similar documents
Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Protect Yourself Against Security Challenges with Next-Generation Encryption

About FIPS, NGE, and AnyConnect

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Requirements from the. Functional Package for Transport Layer Security (TLS)

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Contents. Configuring SSH 1

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cisco Desktop Collaboration Experience DX650 Security Overview

FIPS SECURITY POLICY FOR

Cisco Systems 5760 Wireless LAN Controller

Category: Standards Track Queen s University December Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

White Paper for Wacom: Cryptography in the STU-541 Tablet

FireEye CM Series: CM-4400, CM-7400, CM-9400

Chapter 24 Wireless Network Security

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Internet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Assurance Activity Report (AAR) for a Target of Evaluation

Silent Circle Mobile Application Cryptographic Module

IBM Education Assistance for z/os V2R1

Misuse-resistant crypto for JOSE/JWT

Protecting TLS from Legacy Crypto

FIPS Non-Proprietary Security Policy. Cotap Cryptographic Module. Software Version 1.0. Document Version 1.4.

Cryptographic Mechanisms: Recommendations and Key Lengths

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Network Working Group Request for Comments: 4432 March 2006 Category: Standards Track

Imprivata FIPS Cryptographic Module Non-Proprietary Security Policy Version: 2.9 Date: August 10, 2016

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Wireless LAN Security. Gabriel Clothier

Cryptography (Overview)

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

FireEye HX Series: HX 4400, HX 4400D, HX 4402, HX 9402

FireEye NX Series: NX-900, NX1400, NX-2400, NX-4400, NX4420, NX-7400, NX-7420, NX7500, NX-10000, NX-9450, NX10450

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cisco VPN 3002 Hardware Client Security Policy

CSE 127: Computer Security Cryptography. Kirill Levchenko

The OpenSSH Protocol under the Hood

Usage of SP800-56A in Industry Standard Protocols

TLS1.2 IS DEAD BE READY FOR TLS1.3

Wireless Network Security Spring 2015

NIST Cryptographic Toolkit

Acme Packet VME. FIPS Level 1 Validation. Software Version: E-CZ Date: July 20, 2018

Encryption. INST 346, Section 0201 April 3, 2018

Summary on Crypto Primitives and Protocols

Considerations in Securing Connected Devices. Chris Conlon

Cisco Integrated Services Router Security Policy

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

Transport Layer Security

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017

Juniper Networks Pulse Cryptographic Module. FIPS Level 1 Security Policy Version: 1.0 Last Updated: July 19, 2013

Table of Contents 1 IKE 1-1

Chapter 4: Securing TCP connections

WAP Security. Helsinki University of Technology S Security of Communication Protocols

What is Suite B? How does it relate to Government Certifications?

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

SSL/TLS Security Assessment of e-vo.ru

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

Virtual Private Networks

Cryptography and the Common Criteria (ISO/IEC 15408) by Kirill Sinitski

RSA BSAFE Crypto-C Micro Edition Security Policy

FIPS Security Policy

FIPS Non-Proprietary Security Policy. Acme Packet FIPS Level 2 Validation. Hardware Version: Firmware Version: E-CZ8.0.

Connecting Securely to the Cloud

32c3. December 28, Nick goto fail;

Crypto: Passwords and RNGs. CS 642 Guest Lecturer: Adam Everspaugh

VPN Overview. VPN Types

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

TLS 1.1 Security fixes and TLS extensions RFC4346

Fortress Mesh Points

Wireless Network Security Spring 2016

Tabular Presentation of the

CSE484 Final Study Guide

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Sample excerpt. Virtual Private Networks. Contents

Transport Level Security

WPA-GPG: Wireless authentication using GPG Key

econet smart grid gateways: econet SL and econet MSA FIPS Security Policy

David Wetherall, with some slides from Radia Perlman s security lectures.

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

RFS7000 SERIES Wireless Controller. FIPS Cryptographic Module Security Policy

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Information Security CS 526

Requirements from the. Protection Profile for Mobile Device Fundamentals

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

State of TLS usage current and future. Dave Thompson

This Security Policy describes how this module complies with the eleven sections of the Standard:

Transcription:

Johns Hopkins and the Cryptographic Knowledge Base Debra Baker, CISSP CCSP Compliance Engineer at Cisco October 27, 2017 @deb_infosec

>whoami Debra Baker, CISSP CCSP 20 years of practical experience in security starting in USAF IBM - Entrust - Cisco Cisco Champion of JHU Crypto Knowledge Base Editor of CYS Report: https://cysreport.com Debra s Blog: https://debinfosec.com Distinguished SME in Information Security (ISC2) Twitter: @deb_infosec

Cryptography and the Internet How are we doing?

Internet Wide Scanning Search Engine https://censys.io

250,000,000 Certificates on the Internet 200,000,000 150,000,000 100,000,000 All CerCficates Trusted CerCficates 50,000,000 0 SHA256WithRSA SHA1WithRSA ECDSAWithSHA256 MD5WithRSA unknown_algorithm SHA512WithRSA SHA384WithRSA ECDSAWitHSHA384 ECDSAWithSHA512 ECDSAWithSHA1 DSAWithSHA1 MD2WithRSA

Certificates on the Internet

Certification Authorities Trusted Certificates Let s Encrypt: 40,868,332 COMODO CA Limited: 7,768,715 cpanel, Inc: 5,448,400 Symantec Corporation: 3,332,312 GeoTrust Inc: 1,977,954 GoDaddy.com, Inc: 1,819,771 GlobalSign nv-sa: 1,357,564 Western Digital Technologies: 824,914 DigiCert Inc: 503,847 Thawte, Inc: 483,361 StartCom Ltd.: 435,647 TrustAsia Technologies, Inc.: 300,467 Amazon: 264,489 WoSign CA Limited 183,553 Entrust, Inc: 148,104 Starfield Technologies, Inc: 146,947 Internet2: 87,281 TERENA: 84,249 CloudFlare, Inc: 66,916 ActalisS.pA/033585209 67: 64,939 Source:theregister.co.uk Source:Threatpost

A SHA-1 collision occurs when two distinct pieces of data hash to the same message digest. If an attacker can craft a collision, they could use it to create two different files that share the same SHA-1 hash value.

What is SHA-1? SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function.txt.txt ABC Defg ABC ABC Defg 94c41e93c5a19744c5061b2bfee82b85b08547f7 = 94c41e93c5a19744c5061b2bfee82b85b08547f7

What is SHA-1? SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function.txt.txt ABC fg ABC ABC Defg Defg a80ce785e49c3fb30d8a4ffa5b79eace3ffc78e = 94c41e93c5a19744c5061b2bfee82b85b08547f7

SHA-1 Attack SHAttered Attack https://shattered.io http://bit.ly/shattered-sha1 38762cf7f55934b34d179ae6a4c80cadccbb7f0a = 38762cf7f55934b34d179ae6a4c80cadccbb7f0a Based on an identical-prefix collision attack: two files have the same predetermined beginning, followed by different inputs and an optional amount of identical data. - techtarget

SHAttered Attack Does Not Allow an attacker to generate a collision with an existing file. For example, it's not possible to use this method to generate a malicious executable file which matches the signature of an existing legitimate executable. However, it would be possible for an attacker to generate two executable files which have the same SHA-1 hash but perform different actions when they run.

When is it still ok to use SHA-1? Checking the hash of an executable or file that we know is trusted (from trusted site) As a key derivation function, there are no known flaws in SHA-1, which is how dh-group14-sha1 is being used in SSH and IPSec. Similarly, HMAC-SHA1 is believed to be (still) safe as long as SHA1 is pseudorandom. - Matthew Green

hmac-sha1- Why its safe HMAC uses two passes of hash computation. The secret key is first used to derive two keys - inner and outer. The first pass of the algorithm produces an internal hash derived from the message and the inner key. The second pass produces the final HMAC code derived from the inner hash result and the outer key..txt inner ABC Defg outer inner inner inner outer

dh-group14-sha1 - Why its safe SSH and IPsec uses both SHA-1 and hmac-sha1 when dh-group14-sha1 is used for key derivation TLS only uses hmac-sha1 In RFC 4253 Section 8 2, it says SHA-1 is H in the diffie-hellman key exchange used for key derivation: H = hash(v_c V_S I_C I_S K_S e f K) (these elements are encoded according to their types), and signature s on H with its private host key. S sends (K_S f s) to C. The signing operation may involve a second hashing operation.

dh-group14-sha1 What is H hashing? The hash H is computed as the HASH of the concatenation of the following: Ø string V_C, the client's identification string (CR and LF excluded) Ø string V_S, the server's identification string (CR and LF excluded) Ø string I_C, the payload of the client's SSH_MSG_KEXINIT Ø string I_S, the payload of the server's SSH_MSG_KEXINIT Ø string K_S, the host key mpint e, exchange value sent by the client mpint Ø f, exchange value sent by the server mpint Ø K, the shared secret

dh-group14-sha2 & above RFC (KEX) In Draft Key Exchange (KEX) Method Updates and Recommendations for Secure Shell Section 3.6 group14 is still a reasonable size. [RFC3526] This key exchange group uses SHA-1 which has security concerns [RFC6194]. However, this group is still strong enough and is widely deployed. This method is being moved from MUST to SHOULD to aid in transition to stronger SHA-2 based hashes. This method will transition to SHOULD NOT when SHA-2 alternatives are more generally available.

Cryptographic Best Practices

No matter how good the algorithm, bad random numbers =

What is entropy? Entropy is true randomness Such as atmospheric pressure Used to seed DRBG

Random numbers and security Cryptographic key generation (MACSec, IPSec, SSH, TLS...) Nonces and initialization vectors (802.11i, EAP, MACSec...) Padding schemes, digital signatures (DSA, OTPs... ) Using poor random numbers (random!= unique) can have catastrophic consequences. And cause severe embarrassment!

/dev/[u]random - Linux Seed File optional Conditioned SHA-1/ SHA-256/ SHA-512 (preferred) Output to DRBG Image courtesy of: http://samvartaka.github.io; updated by Debra Baker

/dev/[u]random Noise Source ENTROPY SOURCE Digitization Health Tests Conditioner Entropy output to DRBG Image courtesy of: http://samvartaka.github.io

/dev/[u]random Use a Hardware RNG Make sure your entropy pool is seeded on boot and reseeded properly Test the PRNG using NIST SP800-90B assessment tools QNX 7.0 (random.c) Fortuna FreeBSD 11.1 Fortuna Truerand.c https://www.getnetrandom.com - Windows or Linux Image courtesy of: http://samvartaka.github.io

In the News

WPA2 Krack Attack - What Happened? WPA2 has been broken Belgian Univ Researchers The attack works against all modern protected wifi networks. Forces nonce reuse on the client Weakness in the design of the WPA2 protocol in which the client can be forced into reusing a key

WPA2 Krack Attack - What Does This Mean? WPA2 is no longer secure. Reveals sensitive information such as credit card numbers, passwords, or usernames, and so on. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

WPA2 Krack Attack - Details Devastating against Linux and Android 6.0 or higher. Ø Android and Linux can be tricked into (re)installing an all-zero encryption key If the client uses either the WPA-TKIP or GCMP encryption protocol, instead of AES-CCMP, Ø Nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. Note that the attacks do not recover Ø the password of the Wi-Fi network. Ø (any parts of) the fresh encryption key that is negotiated during the 4-way handshake.

WPA2 Krack Attack The Details Please PTK = Session Key

Krack Attack 4-way handshake Access Point same mac addr 1. AP (Authenticator) sends ANonce to client (supplicant) and client derives the PTK PTK 1 2 PTK GTK 2. Client sends SNonce to AP and the AP derives the PTK 3. Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment, client resets it nonce and retransmits so hacker has key Laptop Nonce reset 3 4 AP Attacker MitM same mac addr different channel (Linux and Android zero out key) (Win & IOS don t accept the retransmission, but are susceptible to the GTK) 4. Malicious AP derives PTK and client installs PTK and GTK

WPA2 Krack Attack How to Protect Yourself Attack is executed against the client Note: Only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable, but all clients are vulnerable Remediation: Patch all devices phones, tablets, computers, wireless Apps What if I don t have a patch for my AP? Disable client functionality on AP (which is used in repeater modes) Use a VPN, (not free) recommended: F-Secure Freedome, Cisco Anyconnect Use TLS when accessing websites

http://bit.ly/ciscodemo-jhu JHU Crypto Knowledge Base

References Network Security Assessment, 3rd Edition (O Reilly) By: Chris McNab TLS: https://testssl.sh https://www.ssllabs.com/ssltest/ http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-52r1.pdf https://feistyduck.com For FIPS 140 related information go to: http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401vend.htm http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140val-historical.htm >> No longer FIPS Validated NIST: http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf Entropy Links: http://opensource.apple.com//source/apache/apache-678/mod_ssl/pkg.contrib/truerand.c https://github.com/freebsd/freebsd/blob/master/sys/dev/random/fortuna.c NIST SP800-90B tools: https://github.com/usnistgov/sp800-90b_entropyassessment

Random Number Generation ØUse: NIST SP800-90A Rev 1: HMAC_DRBG (SHA-256, SHA-512) (512 recommended) CTR_DRBG (AES), AES Hash_DRBG (any) ØAvoid: DUAL_EC_DRBG and ANSI X9.31 using AES Hardware based RNG is always best ex. ACT-2Lite, Octeon Otherwise /dev/urandom with truerand.c pulling random data from the clock variance between the real time clock and CPU clock.

Asymmetic Cryptography ØUse: RSA 2048, 3072, 4096 ürsa 2048 is recommended; ücsfc: RSA 3072 or above; ürsa 4096 Quantum proof ECDSA with P-256, P-384, P-521 üp-256 is recommended; ücsfc: P-384 ØAvoid: DSA any key size

cpps cryptography Best Practices (TLSv1.2) Ø Use: TLSv1.1, TLSv1.2 (Recommended) Ø Avoid: TLSv1.0 or lower or SSLv3 or lower Ø TLS Recommended Ciphers: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_192_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_192_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_192_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_192_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_192_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_192_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS Best Practices Avoid the following ciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256 Unless: dh group 14 (2048 bit) or above for key exchange (kek). Otherwise: Key sizes less than dh group 14 susceptible to logjam, attack

TLS Best Practices Avoid the following ciphers: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_192_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_192_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 Why? Do not provide perfect forward secrecy Same RSA public/private key pair is used to both authenticate and encrypt the Symmetric Key used for encryption

TLS Recommended Ciphers Best Practices Ø https://weakdh.org/sysadmin.html Network Security Assessment, 3rd Edition (O Reilly) By: Chris McNab Ø Use X.509v3 certificates for mutual authentication for server to server communications whenever possible. Ø Use: secp256r1, secp384r1, secp521r1 Ø Server and Client must reject any connections offering SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 Ø TLS Server must support mutual authentication with X.509v3 certificates Ø For most websites, using RSA keys stronger than 2048 bits and ECDSA keys stronger than 256 bits is a waste of CPU resources and might impair user experience. Similarly, increasing the strength of the ephemeral key exchange beyond 256 bits for ECDHE has little benefit.

SSHv2 For SSHv2 key exchange: Ø Use: diffie-hellmann-group14-sha1 for SSH key exchange Ø Avoid: diffie-hellman-group1-sha1(768 bit), ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521 diffie-hellman-group2 and below susceptible to the logjam attack Ecdh does not provide perfect forward secrecy NIST curves may be unsafe per SafeCurves web site http://safecurves.cr.yp.to - Lange and Bernstein All sessions must be rejected if remote client or server is only advertising a non compliant Common Criteria algorithms and key sizes in hello. Disable export algorithms.

SSHv2 SSH transport data encryption: Ø Use: aes123-ctr, aes256-ctr, AEAD_AES_128_GCM, AEAD_AES_256_GCM Ø Avoid: aes123-cbc, aes256-cbc SSH authentication public key algorithms: Ø Use: ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, x509v3- ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521 Ø Avoid: ssh-dsa SSH transport data integrity: Ø Use: hmac-sha1, hmac-sha2-256, hmac-sha2-512, AEAD_AES_128_GCM, AEAD_AES_256_GCM Ø Avoid: hmac-md5, hmac-sha1-96

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback