@NTXISSA #NTXISSACSC4
A Brief History ofCryptographic Failures
Brian MorkCISO
Celanese2016-10-07
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 2
Who Am I?
• CISO at S&P 500/Fortune 500 company• Former air-drop hacker, security engineer,
penetration tester, RF simulation engineer, electronics intelligence expert, optician’s assistant, newspaper delivery boy, software pirate, party organizer, and short order cook.
• Also known as “Hermit” within the information security/hacker community
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 3
DISCLAIMERS
• I’m not an expert in cryptography• While I take cryptography seriously, I don’t
take myself seriously• I used pictures from the Internet. I’ve listed
the sources I know on the second to last slide.
• If we can’t have fun with this…
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 4
Well, then…
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 7-8, 2016 5
Agenda
• What is Cryptography?• Why Cryptography?• Our Cast• The Failures• Honorable Mentions• Q&A
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 6
What Is Cryptography?
“The process of writing or reading secret messages or codes.”
- Miriam Webster Dictionary“The art of writing or solving codes.”
- Oxford English Dictionary“The scientific field of study related to protecting or verifying information.”
- Brian Mork
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 7
Why Cryptography?
• Because you lack trust in… something…• Transmission mediums• Integrity of communications• Other people• Governments• Cigarette smoking men• Etc.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 8
Our Cast
In traditional cryptographic discussions we would consider the following actors:• Alice – Someone sending information• Bob – Someone receiving information• Eve – Someone eavesdropping
All because Ron Rivest (of RSA fame) used such terms back in the 1970s.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 9
Our REAL Cast
Times have changed, and we need heroes who reflect those times…
Alice, as… well… Alice
… Dilbert, as Bob …
… and Catbert, as Eve. Or evil. Either one/both.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 10
And now here’s somethingwe hope you’ll really like!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 11
Failure One
REGULAR FAIL
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 12
The Scenario
Alice and Dilbert set up a secure website. It’s amazing. It was hacker proof (just trust me on this one), with an official certificate and everything.
Unfortunately, their agents used browsers that still trusted root certificate authorities that used MD5 for hashing.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 13
Failure: MD5 Certificate
So what is MD5?• Hashing algorithm• Vulnerable to collisions• Was still used through 2008 by certificate
authorities
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 14
Failure: MD5 Collisions
What is a collision?
It’s when two different inputs create the same output.
Why is that bad?
Because… that’s exactly what it’s not supposed to do!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 15
Failure: MD5 Collisions
How can we make that worse?
By having a condition where two different inputs share a function or format, such as documents and executables
Or, I don’t know… cryptographic material
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 16
Failure: MD5 Collisions
The first MD5 collision was in 2004.
By 2007 colliding executables, documents, and more were possible and had been demonstrated, due to chosen-prefix collisions.
Enter the fake certificate authority!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 17
Failure: MD5 Collisions
Step 1: Generate a pair of certificates with the same hash but different characteristics (e.g. make one a CA that can sign anything).
Step 2: Get the benign certificate signed by a ”real” CA and copy that signature to the malicious one.
Step 3: Profit
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 18
Failure: MD5 Collisions
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 19
Failure: MD5 Collisions
And what does that give you?
A certificate that can sign literally anything, and which validates back to a trusted root certificate authority.
I amGoogleMicrosoftMr. Robot
Whomever I want to be!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 20
Failure: MD5 Collisions
I am Dilbert. You can trust this because Alice said I am. Now tell me
all your secrets. They’re safe with me.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 21
Failure Two
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 22
The Scenario
• In an alternate dimension, Alice has ascended to lead a military force against the evil feline nation of Catbertia.
• Dilbert, her lead general, needs to communicate securely with her.
• They decide to deploy one of the most effective physical cryptographic systems ever made… the enigmatic… er… Enigma.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 23
Failure X: Enigma
This is the Engima. It was a beauty of engineering. Multiple rotors, each input changed the next encoding, easy to operate and fiendishly difficult to brute force.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 24
Failure X: Engima
How complex was it?• 3 rotor wheel positions, 5 wheel choices (60
starting combinations)• 26 starting positions per wheel (17,576
combinations)• Wheels rotate one another… wiring to
create substitutions… egads!• 107,458,687,327,250,619,360,000 keys
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 25
Failure X: Engima
Oh, and then there was the fact that Engima operations used key encrypting keys… really!
The day key was a pre-shared secret used to encrypt one-time keys called message keys. Message keys were then used to encrypt actual messages.
Pretty nifty!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 26
Catbert Has No Chance!
• It’s true! With that many combinations and frequency of change there’s no hope for the empire of evil.
• Then again, people have been known to make mistakes.
• But I’m sure Alice and Dilbert wouldn’t make the same ones that their historical predecessors did. What were those again?
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 27
Failure X: Engima
How was Enigma previously defeated?• Reuse of rotor settings• Transmission with multiple ciphers• Operators often reused the same message
key multiple times (e.g. “cillies”)• Common message formats
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 28
Failure X: Enigma
• What’s that? Dilbert has taken to using the day of the week as the message key?
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 29
Failure 2
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 30
The Scenario
Alice and Dilbert are joining the modern age. They visit each other’s houses frequently, and use each other’s wireless networks.
To be extra safe, they’ve selected Wired Equivalent Privacy (WEP) to secure their network. What could possibly go wrong? Well, since WEP uses a single key that needs to be protected!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 31
Failure: WEPThey know that Catbert is trying to intercept their communications, so they paid a driver to take the out in the middle of a mud field in Elbonia.
Once out there, they chose a super secret password just between the two of them. This is now their wireless network password.
Whew! That was close. Good thing that sharing the key is the biggest concern. Right?
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 32
Failure: WEP
Well, maybe not JUST that… there’s also:• Poor initialization vectors (IV) size• Weak IVs• Weak key space• Poor key entry (ASCII reduces key space)• Replay/packet stimulation (when you need
more IVs)• Chop-Chop Attack!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 33
Failure: WEP
The only thing I like more than weak crypto is my
enemies using it.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 34
Will this guy ever shut up?
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 35
Honorable Mention
• Advanced Encryption Standard (AES) – Electronic Codebook (ECB)• Same key used over and over• Block-based encryption• Known plaintext lookup!• SmashECB, for example (written by yours truly)
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 36
Honorable Mention
• Clipper Chip – Law Enforcement Access Field• Included data necessary to recover key• Only 16-bit hash protecting it• Bypass and reuse were possible and
demonstrated• Use of third party LEAF data was possible too!
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 37
Honorable Mention
• Microsoft’s ”Golden Key”• Booting RT/ARM devices check two things: a
policy (must be signed by Microsoft) and the operating system (also must be signed by Microsoft)
• The “Golden Key” is a debug mode policy that was accidentally shipped, and that policy allows skipping the check for the operating system
• Presto! Any OS on a Surface/WinPhone/etc.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 7-8, 2016 38
Honorable Mentions
And so many, many more…• WPA - Design• Dual EC DRBG - Design• MD4 – Time, mostly• NIST P- curves (ECC) – Design• Digital Encryption Standard (DES) – Design• 3 DES – Design
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 39
Questions
If you’ve got ’em, throw ‘em.
If I know the answer, I’ll give it.
If I don’t, I’ll answer anyways before I disclose that I have no clue what I’m talking about.
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 2-3, 2015 40
Miscellaneous
• Picture Credits• Mulder Image: Pascal Wagler• Dilbert Characters: Scott Adams• Engima Machine: TheHistoryBlog.com• Failure Pictures: The Internet Tubes
• Find Me• Twitter: @hermit_hacker• LinkedIn: /in/bcmork
@NTXISSA #NTXISSACSC4NTX ISSA Cyber Security Conference – October 7-8, 2016 41@NTXISSA #NTXISSACSC4
The Collin College Engineering DepartmentCollin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
Top Related