Cryptographic Foibles
COEN 225 Secure Coding

False Assumptions
- Fresh from the press:
  - RAM retains memory after shutdown
  - Retention boosted by cold air
  - Allows access to encryption keys after system shutdown

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten: Lest We Remember: Cold Boot Attacks on Encryption Keys
http://citp.princeton.edu.nyud.net/pub/coldboot.pdf

Using poor random numbers
- Most cryptographic algorithms rely on random numbers
- Random numbers can be predictable
  - The C run-time function rand will generate exactly the same sequence of random numbers
  - Need to set the seed
  - Derive the seed from something that cannot be guessed or controlled
    - A time-date stamp is not good enough

Using poor random numbers
- Using simple random number generation techniques
  - Linear congruence random number generator:

        /* holdrand is the generator's global state */
        int __cdecl rand(void)
        {
            return((holdrand = holdrand * 214013L + 2351011L) >> 16) & 0x7ffff;
        }

  - Allows an observer to predict the next value

Using poor random numbers
- Linear congruence random number generator
  - ASF Software’s Texas Hold ‘Em Poker
    - Allowed to predict the complete deck after knowing five cards from the deck
    - http://www.cigital.com/news/index.php?pg=art&artid=20
  - Code Red Worm IP address generation
    - “Random” IP addresses were not random
    - Worm tried to infect same targets from all infected computers
  - Netscape Navigator (early versions)
    - SSL keys were highly predictable

Using poor random numbers
- Mitigation
  - Use better random number generators
  - FIPS 186-2 approved
  - CryptGenRandom() API in Windows
    - Uses system entropy for a seed:
      - Current time
      - Performance counters
      - User environment block
      - Low level system information
      - System exception information
      - …

Poor Key Management
- Password derived keys
  - Subject to guessing attacks
  - Subject to dictionary attacks
  - Pronounceable or memorizable passwords contain entropy:
    - Minimum password length for 56 b / 128 b key is

      Character set             56 b key   128 b key
      Numeric PIN               17         40
      Case insensitive alpha    12         28
      Case sensitive alpha      10         23
      Alpha-numeric             10         22
      + punct.                  9          20

Poor Key Management
- Using crypto is easy, storing and managing keys is difficult:
  - Key Generation
  - Key Transmission
  - Key Storage
  - Key Destruction
  - Key Revocation

Poor Key Management
- Key storage
  - If stored in plaintext, can find keys in on-disk image
    - Passwords are easier, since we can store the hash of a password
  - Keys that are text strings can be found by looking for all strings.
    - Try out Windows utility strings
  - Can find keys in memory image of running processes
    - Winhex will dump Windows memory
    - nCipher offers a utility that attaches itself to a running process and scans process memory for areas of high entropy
      - These are possible keys
  - RAM does not lose its contents immediately after power-down
    - Can investigate RAM for keys

Poor Key Management
- If possible:
  - Generate key (possibly from user input, system info, …)
  - Write code that does not move key around
    - Moving the key generates multiple copies
    - Pass key with handle / pointer
  - Safely destroy key after use
- If possible:
  - Do not use the same buffer for plain text and cipher
    - IIS 4 did that and under certain load conditions would send out plain text in SSL

Poor Key Management
- Mitigation
  - Never store key in code, configuration files, or registry
    - Use the protection the OS provides
      - Windows Data Protection API
        - Not feasible in Win 95, Win 98, Win 2000, Win CE
    - Use removable media if it fits into operational environment
  - If key is generated in memory:
    1. Generate key, e.g. from user password
    2. Use key
    3. Scrub the memory by overwriting key
       - Beware of optimizing compilers deciding that the memory area is not going to be used and does not need to be scrubbed

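The generate, use, scrub sequence above, as an added C example that is not part of the original slides. It assumes a POSIX system and draws the key from /dev/urandom rather than from a password; with_key, key_generate, secure_scrub and count_nonzero are hypothetical names.

```c
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#define KEY_LEN 32
typedef int (*key_user)(const unsigned char *key, size_t len, void *ctx);

/* Stores through a volatile pointer count as side effects, so the
 * optimizer keeps them even when the buffer is never read again. */
static void secure_scrub(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Step 1: key from the OS CSPRNG (assumed: /dev/urandom). read() is
 * unbuffered, so no stdio copy of the key is left behind. */
static int key_generate(unsigned char *key, size_t len) {
    size_t off = 0;
    ssize_t n;
    int fd = open("/dev/urandom", O_RDONLY);
    while (fd >= 0 && off < len && (n = read(fd, key + off, len - off)) > 0)
        off += (size_t)n;
    if (fd >= 0)
        close(fd);
    return off == len ? 0 : -1;
}

/* Constructed stand-in for real key use: counts nonzero key bytes. */
static int count_nonzero(const unsigned char *key, size_t len, void *ctx) {
    size_t *out = ctx;
    for (*out = 0; len > 0; len--)
        *out += (*key++ != 0);
    return 0;
}

/* Steps 2 and 3: pass the key by pointer (no copies), then scrub on every
 * exit path. A plain memset() here may be deleted as a dead store. */
static int with_key(unsigned char *key, size_t len, key_user use, void *ctx) {
    int rc = key_generate(key, len);
    if (rc == 0)
        rc = use(key, len, ctx);
    secure_scrub(key, len);
    return rc;
}

int main(void) {
    unsigned char key[KEY_LEN];
    size_t nonzero = 0;
    return with_key(key, sizeof key, count_nonzero, &nonzero);
}
```

Where the platform provides a dedicated scrubbing call (explicit_bzero, memset_s, or SecureZeroMemory on Windows), it can replace the body of secure_scrub.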
Poor Key Management
- Mitigation
  - Key Exchange
    - Avoid key exchange if possible
    - Consider sneaker net
    - Use cryptographic protocols that
      - create a secure channel
      - authenticate both partners
      - are secure against man-in-the-middle attacks
      - are certified
        - Never, never invent your own crypto-protocol
        - (Unless you know what you are doing and have it subjected to public scrutiny)

Using poor encryption
- Do not invent your own encryption algorithm, unless you
  - Know what you are doing
  - Subject the result to public scrutiny
  - Are willing to face product liability suits if your product is unsafe

Using poor encryption
- Do not create a cipher text by xor-ing a natural language text with another text
- Do not create a cipher text by xor-ing with a password

      void encrypt( char * plain, char * cipher, char * passwd) { while(*plain != '