OpenWest 2014/Cargo Cult Security
by Derrick Isaacson
Cargo Cult Security 2014_01_18 - http://www.slideshare.net/DerrickIsaacson/cargo-cult-security-20140118
Github - https://github.com/disaacson/cargo-cult-security
Zimmermann Telegram - Mexico German war
Cypher text, plain text
Symmetric Key Cryptography (Private-key Cryptography)
Blowfish, twofish, serpent, aes (rijndael) cast5, rc4, 3des, idea
Ctrypto Primitives & Goals - https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325
Crytpo Primitives Hash MAC Symmetric Key Asymmetric Key Digital Digital Salted Hash HMAC Crypto Crypto Signature Certificates Security Goals -------------------------------------------------------------------------------------------------------------------- Data Integrity XXX XXX XXX Data Authentication XXX XXX XXX Non-Repudiation XXX XXX Confidentiality XXX XXX* Trust XXX
- Public key can be used to encrypt data that can only be decrypted with private key
Love HMACs
Cargo Cult Programming - Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.
Anti-pattern: authentication
- using encryption for authentication is bad. Use HMAC instead
- don't use symmetric key alone, as flipping a bit will just bump IDs to the next
- Use HMAC
Anti-pattern: Integrity
- Symmetric key is only good for confidentiality
- HMAC good for Data Integrity and Data Authentication
Anti-pattern: Encryption Modes
- Electronic Codebook (ECB) mode encryption
- can do bit mapping (think picture) hack to get an idea of contained data
- Cipher Block Chaining (CBC) mode encryption
- avoids the patterns found among blocks of ECB
Anti-pattern: Initialization Vector
- Avoid same data being encrypted repeatedly looking the same
- Cipher-block chaining prevents patterns within messages
- Correct IV prevents patterns across messages
Anti-pattern: Random Values
- Finding linear congruential seed
Anti-pattern: Psuedo-random Session IDs
- really only ~20 bits of entropy
- HMACs and secure random
- do not use sessions - use HMACs - seriously
No Cargo Cult Security:
- Identify true security goal.
- Find correct crypto primitive.
- Spend some time to learn about it.
- Write as little of your own crypto code as possible.