OpenWest 2014/Cargo Cult Security


by Derrick Isaacson

Cargo Cult Security 2014_01_18 - http://www.slideshare.net/DerrickIsaacson/cargo-cult-security-20140118

Github - https://github.com/disaacson/cargo-cult-security

Zimmermann Telegram - Mexico German war

Cypher text, plain text

Symmetric Key Cryptography (Private-key Cryptography)

Blowfish, Twofish, Serpent, AES (Rijndael), CAST5, RC4, 3DES, IDEA

Crypto Primitives & Goals - https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325

Crypto Primitives     Hash          MAC     Symmetric Key  Asymmetric Key  Digital    Digital
                      Salted Hash   HMAC    Crypto         Crypto          Signature  Certificates
Security Goals
--------------------------------------------------------------------------------------------------
Data Integrity        XXX           XXX                                    XXX
Data Authentication                 XXX                    XXX             XXX
Non-Repudiation                                            XXX             XXX
Confidentiality                             XXX            XXX*
Trust                                                                                 XXX

  * Public key can be used to encrypt data that can only be decrypted with the private key

Love HMACs

Cargo Cult Programming - Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.

Anti-pattern: authentication

  • Using encryption for authentication is bad. Use HMAC instead
  • Don't use symmetric-key encryption alone: flipping a bit in the ciphertext will just bump the ID to the next one
  • Use HMAC

Anti-pattern: Integrity

  • Symmetric key is only good for confidentiality
  • HMAC good for Data Integrity and Data Authentication
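
The authentication and integrity anti-patterns above, as an added example (not code from the talk or its GitHub repository). It assumes a token that carries a numeric user ID; the key names and the SHA-256 counter keystream are constructed stand-ins for a real stream or CTR-mode cipher, chosen so the example runs with only the Python standard library.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ENC_KEY = secrets.token_bytes(32)  # constructed demo keys
MAC_KEY = secrets.token_bytes(32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy XOR keystream (SHA-256 over a counter); stand-in for CTR/RC4."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_only_token(user_id: int) -> bytes:
    """Anti-pattern: the encrypted ID alone is treated as proof of identity."""
    nonce = secrets.token_bytes(16)
    plain = user_id.to_bytes(8, "big")
    return nonce + bytes(p ^ k for p, k in zip(plain, _keystream(ENC_KEY, nonce, 8)))

def read_encrypt_only_token(token: bytes) -> int:
    nonce, body = token[:16], token[16:]
    plain = bytes(c ^ k for c, k in zip(body, _keystream(ENC_KEY, nonce, 8)))
    return int.from_bytes(plain, "big")  # decrypts fine even if modified

def hmac_token(user_id: int) -> bytes:
    """Corrected form: ID in the clear, followed by an HMAC-SHA256 tag."""
    msg = user_id.to_bytes(8, "big")
    return msg + hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def read_hmac_token(token: bytes) -> Optional[int]:
    msg, tag = token[:8], token[8:]
    expected = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None                             # modified token is rejected
    return int.from_bytes(msg, "big")

def flip_low_bit(token: bytes, offset: int) -> bytes:
    """Simulate in-transit modification: flip the lowest bit of one byte."""
    return token[:offset] + bytes([token[offset] ^ 1]) + token[offset + 1:]

if __name__ == "__main__":
    t = encrypt_only_token(1000)
    print(read_encrypt_only_token(flip_low_bit(t, 23)))  # a different, valid-looking ID
    print(read_hmac_token(flip_low_bit(hmac_token(1000), 7)))  # None
```

If the ID must also stay confidential, encrypt it and compute the HMAC over the ciphertext; the HMAC is still what provides integrity and authentication.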

Anti-pattern: Encryption Modes

  • Electronic Codebook (ECB) mode encryption
    • identical plaintext blocks encrypt to identical ciphertext blocks, so rendering the ciphertext as a bitmap (think picture) gives an idea of the contained data
  • Cipher Block Chaining (CBC) mode encryption
    • avoids the patterns found among blocks of ECB

Anti-pattern: Initialization Vector

  • Avoid the same data looking the same each time it is encrypted
  • Cipher-block chaining prevents patterns within messages
  • Correct IV prevents patterns across messages

Anti-pattern: Random Values

  • Finding the seed of a linear congruential generator

Anti-pattern: Pseudo-random Session IDs

  • really only ~20 bits of entropy
  • HMACs and secure random
    • do not use sessions - use HMACs - seriously

No Cargo Cult Security:

  1. Identify true security goal.
  2. Find correct crypto primitive.
  3. Spend some time to learn about it.
  4. Write as little of your own crypto code as possible.