defending against the sneakers scenario bryan sullivan
play

Defending Against the Sneakers Scenario Bryan Sullivan, Security - PowerPoint PPT Presentation

Defending Against the Sneakers Scenario Bryan Sullivan, Security Program Manager, Microsoft SDL Crypto systems get broken eh vxuh wr gulqn brxu rydowlqh be sure to drink your ovaltine Why assume that current algorithms really are unbreakable,


  1. Defending Against the Sneakers Scenario Bryan Sullivan, Security Program Manager, Microsoft SDL

  2. Crypto systems get broken eh vxuh wr gulqn brxu rydowlqh be sure to drink your ovaltine Why assume that current algorithms really are unbreakable, unlike every other time in the history of cryptography?

  3. Consequences  Change code  Rebuild  Retest  Deploy patches to n users  Pretty big window of attack…

  4. Other concerns  Export controls  International regulations  FIPS‐140

  5. Solution  Plan for this from the beginning  Assume the crypto algorithms you use will be defeated in your application’s lifetime  Code your apps in a cryptographically agile manner  Or code‐review apps for crypto agility if you’re of the pentester persuasion and not a dev

  6. Steps toward crypto agility  Step 1: Avoid hardcoded algorithms

  7. Abstraction  Want one of these?  Are you sure?

  8. Three Cryptographically Agile Frameworks * .NET JCA CNG Java Cryptography Cryptography API Architecture Next Generation *If used correctly…

  9. .NET Cryptography

  10. .NET top‐level abstract classes  SymmetricAlgorithm  AsymmetricAlgorithm  HashAlgorithm  KeyedHashAlgorithm  HMAC  RandomNumberGenerator

  11. .NET Crypto Architecture HashAlgorithm +ComputeHash() #HashCore() +Create() SHA512 SHA1 SHA512Managed SHA512Cng SHA1Managed

  12. .NET examples  Non‐agile: MD5Cng hashObj = new MD5Cng(); byte[] result = hashObj.ComputeHash(data);

  13. .NET examples  More agile: HashAlgorithm hashObj = HashAlgorithm.Create("MD5"); byte[] result = hashObj.ComputeHash(data);

  14. Java Cryptography Architecture (JCA)

  15. JCA top‐level classes  javax.crypto.Cipher  javax.crypto.KeyAgreement  java.security.KeyFactory  javax.crypto.KeyGenerator  java.security.KeyPairGenerator  javax.crypto.Mac  java.security.MessageDigest  javax.crypto.SecretKeyFactory  java.security.SecureRandom  java.security.Signature

  16. JCA Architecture MessageDigestSpi +engineDigest() MessageDigest DigestBase +digest() +getInstance() MD5 SHA SHA2

  17. JCA example  More agile (by default, this is great!): MessageDigest md = MessageDigest.getInstance("MD5"); byte[] result = md.digest(data);

  18. JCA Architecture MessageDigestSpi +engineDigest() MessageDigest DigestBase +digest() +getInstance() MD5 SHA SHA2

  19. Cryptography API: Next Generation (CNG)

  20. CNG agile capabilities  Key generation and exchange  Object encoding and decoding  Data encryption and decryption  Hashing and digital signatures  Random number generation

  21. CNG Architecture BCRYPT_HASH_INTERFACE +GetHashInterface() BCRYPT_HASH_FUNCTION_TABLE BCRYPT_HASH_INTERFACE +Version +OpenAlgorithmProvider +GetProperty HashProvider +SetProperty +CloseAlgorithmProvider +CreateHash +HashData +FinishHash +DuplicateHash +DestroyHash

  22. CAPI example  Non‐agile: HCRYPTPROV hProv = 0; HCRYPTHASH hHash = 0; CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0); CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash); CryptHashData(hHash, data, len, 0);

  23. CNG example  More agile: BCRYPT_ALG_HANDLE hAlg = 0; BCRYPT_HASH_HANDLE hHash = 0; BCryptOpenAlgorithmProvider(&hAlg, "MD5", NULL, 0); BCryptCreateHash(hAlg, &hHash, …); BCryptHashData(hHash, data, len, 0);

  24. Still looks hardcoded to me…  .NET HashAlgorithm.Create("MD5");  JCA MessageDigest.getInstance("MD5");  CNG BCryptOpenAlgorithmProvider(&hAlg, "MD5", NULL, 0);

  25. Steps toward crypto agility  Step 1: Avoid hardcoded algorithms  Step 2: Reconfigure the algorithm provider

  26. JCA Provider Framework Application Provider Framework SHA‐1 MD5 MD5 SHA‐256 SHA‐1 SHA‐512 Provider A Provider B Provider C

  27. JCA Provider Framework MessageDigest. Application getInstance ("MD5"); Provider Framework SHA‐1 MD5 MD5 SHA‐256 SHA‐1 SHA‐512 Provider A Provider B Provider C

  28. JCA Provider Framework MessageDigest. Application getInstance ("MD5", "Provider C"); Provider Framework SHA‐1 MD5 MD5 SHA‐256 SHA‐1 SHA‐512 Provider A Provider B Provider C

  29. Configure providers  Option #1: Modify java.security file (static) security.provider.1= sun.security.provider.Sun security.provider.2= sun.security.provider.SunJCE …

  30. Configure providers  Option #2: Add in code (dynamic) java.security.Provider provider = new MyCustomProvider(); Security.addProvider(provider);

  31. Scenario #1: Bad provider security.provider.1=foo security.provider.2=bar

  32. Scenario 2: Bad algorithm Application Provider Framework SHA‐1 MD5 MD5 “MD5” SHA‐256 SHA‐1 SHA‐512 Provider A Provider B Provider C New Custom Provider

  33. Custom provider public class Provider extends java.security.Provider { put("MessageDigest.MD5", "MyFakeMD5Implementation"); }

  34. JCA Architecture MessageDigestSpi +engineDigest() MessageDigest DigestBase +digest() +getInstance() MD5 SHA SHA2

  35. Fake implementation MessageDigestSpi +engineDigest() FakeMD5Implementation SHA +digest()

  36. CNG provider framework  Similar to JCA, but less flexible  Custom providers go in system folder  Must register programmatically  Can only specify top or bottom of the list

  37. Fake implementation BCRYPT_HASH_INTERFACE +GetHashInterface() BCRYPT_HASH_FUNCTION_TABLE BCRYPT_HASH_INTERFACE +Version +OpenAlgorithmProvider +GetProperty FakeMD5Implementation +SetProperty +CloseAlgorithmProvider +CreateHash +HashData +FinishHash +DuplicateHash +DestroyHash

  38. Registering a custom provider CRYPT_PROVIDER_REG providerReg = {…}; BCryptRegisterProvider( "FakeMD5Implementation", 0, &providerReg); BCryptAddContextFunctionProvider( CRYPT_LOCAL, NULL, BCRYPT_HASH_INTERFACE, "MD5", "FakeMD5Implementation", CRYPT_PRIORITY_TOP);

  39. Avoid hardcoded implementation BCRYPT_ALG_HANDLE hAlg = 0; BCryptOpenAlgorithmProvider( &hAlg, "SHA1", "Microsoft Primitive Provider", 0);

  40. .NET Application HashAlgorithm. Create("MD5") mscorlib machine.config

  41. Altering machine.config <configuration> <mscorlib> <cryptographySettings> <nameEntry name="MD5" class="MyPreferredHash" /> <cryptoClasses> <cryptoClass MyPreferredHash="SHA512Cng, …" /> </cryptoClasses>

  42. Remapping algorithm names is dangerous MD5 SHA‐1  This is a good thing, right?  What could possibly go wrong?

  43. Steps toward crypto agility  Step 1: Avoid hardcoded algorithms  Step 2: Avoid hardcoded implementations  Step 3: Reconfigure the algorithm provider  Step 3 (alternate): Avoid default algorithm names

  44. Unique algorithm names  .NET HashAlgorithm.Create( "ApplicationFooPreferredHash");  JCA MessageDigest.getInstance( "ApplicationBarPreferredDigest");  CNG BCryptOpenAlgorithmProvider(&hAlg, "ApplicationFooPreferredHash", …);

  45. Steps toward crypto agility  Step 1: Avoid hardcoded algorithms  Step 2: Avoid hardcoded implementations  Step 3: Reconfigure the algorithm provider  Step 3 (alternate): Avoid default algorithm names  Step 3 (alternate #2): Pull algorithm name from secure configuration store

  46. Unique provider vs. config Unique provider Configuration store  Pros  Pros  Much easier to  Security to perform this implement action already part of the system  Cons  Cons  Probably prohibitive in  Must remember to terms of secure the store! implementation cost

  47. What went wrong?  Changing the algorithms is one thing…  …but changing stored data is another.

  48. Steps toward crypto agility  Step 1: Avoid hardcoded algorithms  Step 2: Avoid hardcoded implementations  Step 3: Reconfigure the algorithm provider  Step 3 (alternate): Avoid default algorithm names  Step 3 (alternate #2): Pull algorithm name from secure configuration store  Step 4: Store and consume algorithm metadata

  49. What metadata to store  Hashes  Algorithm name  Salt size  Output size  (Max input size)  Size considerations  Local variables (ie source code)  Database columns

  50. What metadata to store  Symmetric encryption  Algorithm name  Block size  Key size  Mode  Padding mode  Feedback size

  51. What metadata to store  Asymmetric encryption  Algorithm name  Key sizes  Key exchange algorithm  Signature algorithm

  52. What metadata to store  MAC  Algorithm name  Key size  Key derivation function  Function algorithm  Salt size  Iteration count  Output size  (Max input size)

  53. MS‐OFFCRYPTO  Office Document Cryptography Structure Specification  http://msdn.microsoft.com/en‐us/library/ cc313071(office.12).aspx

Recommend


More recommend