D4
/
architecture
mirror of https://github.com/D4-project/architecture
2
0
Fork 0
Code Issues Releases Wiki Activity
architecture/docs/workshop/5-snake-oil-crypto/soc.tex

351 lines
11 KiB
TeX
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\usepackage{tikz}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
\usepackage{transparent}
\usepackage{fancyvrb}
\usepackage{listings}
\definecolor{main}{RGB}{47, 161, 219}
%\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\definecolor{textcolor}{RGB}{85, 87, 83}
\title{Snake Oil Crypto:}
\subtitle{How I stopped to worry and started to love crypto}
\author{Jean-Louis Huynen}
\titlegraphic{\includegraphics[scale=0.20]{../../logos/d4-logo.pdf}}
\institute{Team CIRCL \\ \url{https://www.d4-project.org/}}
\date{2019/11/27}
\begin{document}
\begin{frame}
\maketitle
\end{frame}
\begin{frame}
\frametitle{Outline}
\begin{itemize}
\item Cryptography 101,
\item Cryptography and Network captures,
\item D4 passiveSSL Collection,
\item Leveraging OpenPGP metedata,
\item Checking for weak crypto.
\end{itemize}
\end{frame}
\begin{frame}
\begin{center}
{\bf Cryptography 101}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cryptography Concepts}
\begin{itemize}
\item {\bf Plaintext} P: Text in clear,
\item {\bf Encryption} E: Process of disguising the plaintext to hide its content,
\item {\bf Ciphertext} C: Result of the Encryption process,
\item {\bf Decryption} D: Process of reverting encryption, transforming C
into P,
\item {\bf Encryption Key} EK: Key to encrypt P into C,
\item {\bf Decryption Key} DK: Key to decrypt C into P,
\item {\bf Cryptanalysis}: Analysis of C to recover P without knowing K.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Cryptography Services}
\begin{itemize}
\item {\bf Confidentiality }: Ensure the secrecy of the message except for
the {\bf intended } recipient,
\item {\bf Authentication }: Proving a party's identity,
\item {\bf Integrity }: Verifying that data transmitted were not altered,
\item {\bf Non-repudiation }: Proving that the sender sent a given message.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Type of Encryption Applications}
\begin{itemize}
\item {\bf In-transit encryption}: protects data while it is
transferred from one machine to another,
\item {\bf At-rest encryption}: protects data stored on one machine.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Kerckhoffs's Principle}
\begin{quote}
It [cipher] should not require secrecy, and it should not be a problem if it falls into enemy hands.
\end{quote}
\vspace{10 mm}
{ \bf There is no security in obscurity.}
\end{frame}
\begin{frame}[allowframebreaks]
\frametitle{Attackers model}
Black Box - Attackers may only see inputs / outputs:
\begin{itemize}
\item {\bf Ciphertext-Only Attackers (COA) :} see only the ciphertext,
\item {\bf Known-Plaintext Attackers (KPA):} see ciphertext and plaintext,
\item {\bf Chosen-Plaintext Attacker (CPA):} encrypt plaintext, and
see ciphertext,
\item {\bf Chosen-Ciphertext Attakers (CCA):} encrypt plaintext,
decrypt ciphertext.
\end{itemize}
\framebreak
Grey Box - Attackers see cipher's implementation:
\begin{itemize}
\item {\bf Side-Channel Attacks:} study the behavior of the
implementation, for instance {\bf timing attacks }\footnote{\url{https://cryptojedi.org/peter/data/croatia-20160610.pdf}}:
\begin{itemize}
\item Osvik, Shamir, Tromer~\cite{aes2006}: Recover AES-256 secret
key of Linuxs dmcrypt in just 65 ms
\item AlFardan, Paterson~\cite{lucky13}: “Lucky13” recovers plaintext of CBC-mode encryption in pretty much all TLS implementations
\item Yarom, Falkner~\cite{gpg2014}: Attack against RSA-2048 in GnuPG 1.4.13: “On average, the attack is able to recover 96.7\% of the bits of the secret key by observing a single signature or decryption round.”
\item Benger, van de Pol, Smart, Yarom~\cite{openssl2014}: “reasonable level of success in recovering the secret key” for OpenSSL ECDSA using secp256k1 “with as little as 200 signatures”
\end{itemize}
\framebreak
Most recent one: tpm-fail~\cite{244048}
\vspace{10 mm}
\begin{figure}[h!]
\includegraphics[width=200px]{./tpmfail.png}
\end{figure}
\framebreak
\item {\bf Invasive Attacks:}
\begin{itemize}
\item injecting faults~\cite{Matsuda2018},
\vspace{10 mm}
\begin{figure}[h!]
\includegraphics[width=200px]{./faultInjection.png}
\end{figure}
\framebreak
\item decapping chips~\footnote{~\url{https://siliconpr0n.org/wiki/doku.php?id=decap:start}}, reverse engineering~\footnote{~\url{http://siliconzoo.org}}~\footnote{~\url{http://degate.org}}, etc.
\end{itemize}
\end{itemize}
\begin{figure}[h!]
\includegraphics[width=.49\textwidth]{./decaping.jpg}%
\hfill
\includegraphics[width=.49\textwidth]{./degate.png}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Semantic Security}
\begin{itemize}
\item
\end{itemize}
\end{frame}
\begin{frame}
\begin{center}
{\bf Cryptography and Network captures}
\end{center}
\end{frame}
\begin{frame}
\begin{center}
{\bf D4 passiveSSL Collection}
\end{center}
\end{frame}
\begin{frame}
\begin{center}
{\bf Leveraging OpenPGP metedata}
\end{center}
\end{frame}
\begin{frame}
\begin{center}
{\bf Checking for weak crypto}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Snake Oil Crypto\footnote{\url{https://github.com/d4-project/snake-oil-crypto}} - Problem Statement}
IoT devices {\bf are often the weakest devices} on a network:
\begin{itemize}
\item Usually the result of cheap engineering,
\item sloppy patching cycles,
\item sometimes forgotten--not monitored,
\item few hardening features enabled.
\end{itemize}
\vspace{10 mm}
{\bf We feel a bit safer when they use TLS, but should we?}
\end{frame}
\begin{frame}
\frametitle{Snake Oil Crypto - TLS Fingerprinting}
{\bf Keep} a log of links between:
\begin{itemize}
\item x509 certificates,
\item ports,
\item IP address,
\item client (ja3),
\item server (ja3s),
\end{itemize}
\begin{quote}
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{https://github.com/salesforce/ja3}
\end{quote}
{\bf Pivot} on additional data points during Incident Response
\end{frame}
\begin{frame}
\frametitle{Snake Oil Crypto - Objectives}
{\bf Collect} and {\bf store} x509 certificates and TLS sessions:
\begin{itemize}
\item Public keys type and size,
\item moduli and public exponents,
\item curves parameters.
\end{itemize}
{\bf Detect} anti patterns in crypto:
\begin{itemize}
\item Moduli that share one prime factor,
\item Moduli that share both prime factors, or private exponents,
\item Small factors,
\item Nonces reuse / common preffix or suffix, etc.
\end{itemize}
\vspace{5 mm}
{\bf Focus on low hanging fruits that appeal to attackers}
\end{frame}
\begin{frame}[fragile]
\frametitle{Snake Oil Crypto - RSA on IoT }
Researchers have shown that several devices generated their keypairs
at boot time without enough entropy\footnote{Bernstein, Heninger, and Lange: \url{http://facthacks.cr.yp.to/}}:
\begin{lstlisting}[frame=single, language=python]
prng.seed(seed)
p = prng.generate_random_prime()
// prng.add_entropy()
q = prng.generate_random_prime()
n = p*q
\end{lstlisting}
Given n=pq and n' = pq' it is trivial to recover the shared p by computing their
{\bf Greatest Common Divisor (GCD)}, and therefore {\bf both private keys}\footnote{\url{http://www.loyalty.org/~schoen/rsa/}}.
\end{frame}
\begin{frame}
\frametitle{Snake Oil Crypto - GCD}
In Snake-Oil-Crypto we compute GCD\footnote{using Bernstein's Batch GCD algorithm} between:
\begin{itemize}
\item between certificates having the same issuer,
\item between certificates having the same subject,
\item on keys collected from various sources (PassiveSSL, Certificate Transparency,
shodan, censys, etc.),
\end{itemize}
\vspace{10 mm}
{\bf ``Check all the keys that we know of for vendor X''}
\end{frame}
\begin{frame}
\frametitle{Snake Oil Crypto - MISP feed}
\begin{figure}
\centering
\includegraphics[width=\textwidth]{misp.png}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Snake Oil Crypto - MISP feed}
The MISP feed:
\begin{itemize}
\item {\bf Allows} for checking automatic checking by an IDS on hashed values,
\item {\bf contains} thousands on broken keys from a dozen of vendors,
\item {\bf will be accessible upon request (info@circl.lu).}
\end{itemize}
In the future:
\begin{itemize}
\item {\bf Automatic} the vendor checks by performing TF-IDF on x509's subjects,
\item {\bf automatic} vendors notification.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{First release}
\begin{itemize}
\item[\checkmark] sensor-d4-tls-fingerprinting
\footnote{\url{github.com/D4-project/sensor-d4-tls-fingerprinting}}:
{\bf Extracts} and {\bf fingerprints} certificates, and {\bf computes} TLSH fuzzy hash.
\item[\checkmark] analyzer-d4-passivessl
\footnote{\url{github.com/D4-project/analyzer-d4-passivessl}}:
{\bf Stores} Certificates / PK details in a PostgreSQL DB.
\item snake-oil-crypto
\footnote{\url{github.com/D4-project/snake-oil-crypto}}:
{\bf Performs} crypto checks, push results in MISP for notification
\item lookup-d4-passivessl
\footnote{\url{github.com/D4-project/lookup-d4-passivessl}}:
{\bf Exposes} the DB through a public REST API.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you want to join/support the project, host a passive ssl sensor or contribute}
\begin{itemize}
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
\item Contact: info@circl.lu
\item \url{https://github.com/D4-Project} - \url{https://twitter.com/d4_project}
\end{itemize}
\end{frame}
\nocite{*}
\begin{frame}[allowframebreaks]
\frametitle{References}
\bibliographystyle{amsalpha}
\bibliography{../references.bib}
\end{frame}
\end{document}
Reference in New Issue View Git Blame Copy Permalink