Crypto Manifesto
Yekaterina Tsipenyuk OʼNeil Security Research Group Fortify Software
March 12, 2009
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
Contents
Overview ...... 3 Cryptographic Hash Functions...... 4 Encryption and Encoding Standards...... 5 Guidelines for Encryption Keys ...... 6 Pseudo-Random Number Generators...... 7 References ...... 8
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
Overview
Experts in the security community have indicted many commonly used cryptographic algorithms as insecure. Bases for these claims of insecurity often include advances in cryptographic research that have demonstrated previously unknown weakness in algorithms and advances in the computational power of readily available hardware. In the face of an ongoing stream of advice from an active security community, the struggle for software developers has long been to differentiate problems that introduce real risk to their systems from hypothetical research focused on attacks that wonʼt be feasible in the mainstream for years.
This document provides best-practice guidelines for using modern cryptography in software systems. These guidelines are backed up by the research of the security community and strive to align themselves with the practical tradeoffs between maximal security and acceptable paranoia.
Even though there are a number of cryptographic primitives we could discuss, we limit the scope of this document to the following:
• Cryptographic Hashes • Encryption and Encoding • Symmetric and Public Keys • Pseudo-Random Number Generators (PRNGs)
The following table summarizes guidelines in each of these areas, which are described in more detail throughout the remainder of the paper:
Avoid Use Cryptographic Hashes MD2, MD4, RIPEMD-160, SHA- MD5, SHA-1 224, SHA-256, SHA- 384, SHA-512 Encryption and Encoding RC2, RC4, 3DES, AES DES, Base 64 Encoding Functions Symmetric Keys (AES) < 128 bits >= 128 bits Public Keys (RSA) < 1024 bits >= 2048 bits with OAEP padding Pseudo-Random Number Generators (PRNGs) Statistical Cryptographic PRNGs PRNGs
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
Cryptographic Hashes
The cryptographic hashes RIPEMD, RIPEMD-160, MD2, MD4, MD5, and the SHA family, including SHA-1 SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are among the most widely know and used cryptographic hash algorithms.
Despite their widespread use, there are security risks associated with several of these algorithms. Collisions have been found in MD2 as early as 1997 [11] and, in 2004, MD2 was found vulnerable to pre-image attacks that enable the recovery of the original value based on its hash [9]. These findings clearly illustrate that MD2 is no longer safe for use in security-sensitive contexts.
Researchers at Shandong University discovered attacks on a number of cryptographic functions, including HAVAL-128, MD4, MD5, RIPEMD, and SHA-0. These findings described attacks that found collisions in about 15 minutes [17]. This was the wake-up-call that caused security-space leaders such as Microsoft to ban the use of MD4 and MD5 algorithms by their development teams [4].
Furthermore, a recent research project determined that it was possible to mount a man-in- the-middle attack on Secure Sockets Layer (SSL) by creating rogue certificates issued by rogue Certification Authorities (CAs) with only homegrown array of machines [13]. This attack exploited the weakness that the Shandong researchers had found in MD5.
This discovery together with Domain Name System (DNS) weakness demonstrated in the summer of 2008 [5], resulted in the possibility of undetectable phishing attacks on the Internet. This vulnerability was picked up by the United States Computer Emergency Response Team (US-CERT), which now urges software developers, CAs, website owners, and users to avoid implementing MD5 in any capacity [15].
Once the weaknesses in MD4 and MD5 were illustrated, some proposed SHA-1 as a more secure alternative. However, the same researchers from Shandong University showed that collisions can be found in SHA-1 as well, with complexities less than the theoretical bound [16]. Today, Microsoft has banned SHA-1 [4] for internal use and the National Institute for Standards and Technology (NIST) suggests phasing out the use of SHA-1 by 2010 [10].
The Fortify Security Research Group (SRG) recommends that developers avoid using MD2, MD4, MD5, and SHA-1 for computing hashes on sensitive information, such as passwords, certificates or any security-relevant values where it is important avoid collisions and retain pre-image resistance. Fortify Source Code Analyzer (SCA) enforces this by flagging uses of any of these algorithms in code.
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
Encryption and Encoding
There are a number of encryption algorithms that can be used to stop attackers from accessing secrets. Some of the most popular encryption algorithms are RC2, RC4, DES, triple DES (3DES), AES, among others.
Microsoft developers misused RC4 on various occasions and Microsoft now prohibits the use of RC4 in code development [4]. One such incident is described by Hongjun Wu [18]: Because the initialization vector (IV) used together with the key to encrypt two different documents remained the same, encryption could be broken by simply XOR-ing two ciphertexts. A number of other attacks on RC4 are known to the security community, including one that famously breaks the Wired Equivalent Privacy (WEP) protocol that uses RC4 in less than a minute [14].
Microsoft has also banned the use of the DES encryption algorithm [4], because it has been broken [3]. Although there are attacks on 3DES, the best attack requires around 232 known plaintexts, 2113 steps, 290 single DES encryptions, and 288 memory, which is currently impractical [8] due to hardware constraints. The National Institute of Standards and Technology suggests phasing out 2-key 3DES by 2010, and 3-key 3DES – by 2030 [1].
There is also some controversy concerning the security of RC2. Although research suggested that RC2 is resistant to differential cryptanalysis, it is still unclear how resistant it is to linear cryptanalysis [7]. RC2 has also demonstrated weaknesses to related-key attacks [6]. Microsoft advises against its use [2].
Many people mistakenly think of base-64 encoding as a form of encryption. Base-64 encoding is useful for transmitting binary data over a communication channel designed to transmit character data. However, considering that its character space is only size 64, the scheme does not attempt to provide the same security guarantees as strong cryptographic encryption algorithms. For this reason, it should not be used for protecting secrets.
Fortify SCA issues high-severity warnings when it finds the use of RC4 or DES algorithms and lower severity warnings when it finds the use of RC2. It also issues warnings whenever passwords are base-64 decoded before use.
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
Guidelines for Encryption Keys
The suggested length for symmetric keys (particularly AES keys) is no less than 128 bits, while the suggested length for RSA keys is no less than 1024 bits, with 2048-bit keys providing better security [4][10]. In the case of RSA keys, it is also important to choose the right padding scheme, which can prevent a number of attacks that potentially work against RSA without padding. Public-Key Cryptography Standard (PKCS) #1 v.2.1 recommends the use of Optimal Asymmetric Encryption Padding (OAEP) for new applications [12].
Fortify SCA reports higher severity warnings when the code uses RSA keys with fewer than 1024 bits in length and lower severity warnings when RSA keys are between 1024 and 2048 bits in length.
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
Pseudo-Random Number Generators
When unpredictability is critical, as in most in security-sensitive contexts, it is important to use strong cryptographic rather than statistical PRNGs. Unlike cryptographic PRNGs, statistical pseudo-random number generators produce highly predictable output, which makes it trivial for an attacker to guess the values of generated strings. However, statistical PRNGs are acceptable when predictability is not a concern – for example, for generating the order in which images are displayed in a slideshow application.
Fortify SCA reports a warning whenever it encounters the use of a statistical PRNG.
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM
References
[1] Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. “Recommendation for Key Management – Part 1: General (Revised)”. NIST Special Publication 800-57. http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf . [2] Andrew Cushman. “Microsoft Security Fundamentals”. EUSecWest, London, February 20, 2006. http://eusecwest.com/esw06/esw06-cushman.ppt . [3] Electronic Frontier Foundation. “Cracking DES”. http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html . [4] Michael Howard. “Security Development Lifecycle: Development Practices”. http://download.microsoft.com/download/8/4/7/8471a3cb-e4bf-442a-bba4- c0c907d598c5/Michael%20Howard%20SDL%20Development%20Practices.ppsx . [5] Dan Kaminsky,"Black Ops 2008: It's the end of the cache as we know it", August 2008, http://www.doxpara.com/DMK_BO2K8.ppt . [6] John Kelsey, Bruce Schneier, and David Wagner. “Related-key cryptanalysis of 3-WAY, Biham- DES, CAST, DES-X, NewDES, RC2, and TEA”. ICICS, 1997, pp 233–246. [7] Lars R. Knudsen, Vincent Rijmen, Ronald L. Rivest, Matthew J. B. Robshaw. “On the Design and Security of RC2”. Fast Software Encryption, 1998, pp 206–221. [8] Stefan Lucks. “Attacking Triple Encryption”. Fast Software Encryption, 1998, pp 239–253. [9] Frédéric Muller. “The MD2 Hash Function is Not One-Way”. ASIACRYPT 2004, pp 214–229. [10] W. Timothy Polk, Donna F. Dodson, and William E. Burr. “Cryptographic Algorithms and Key Sizes for Personal Identity Verification”. NIST Special Publication 800-78-1. http://csrc.nist.gov/publications/nistpubs/800-78-1/SP-800-78-1_final2.pdf . [11] N. Rogier, Pascal Chauvaud. “MD2 is not Secure without the Checksum Byte”. Designs, Codes and Cryptography, 12(3), pp 245–251, 1997. [12] RSA Laboratories. “PKCS #1 v2.1: RSA Cryptography Standard”. June 14, 2002. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf . [13] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. “MD5 considered harmful today”. 25th Annual Chaos Communication Congress, Berlin, December 30, 2008. http://www.win.tue.nl/hashclash/rogue-ca/ . [14] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. “Breaking 104 bit WEP in less than 60 seconds”. http://eprint.iacr.org/2007/120.pdf . [15] United States Computer Emergency Response Team. “Vulnerability Note VU#836068”. http://www.kb.cert.org/vuls/id/836068 . [16] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu.“Finding Collisions in the Full SHA-1”. http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf . [17] Xiaoyun Wang and Hongbo Yu. “How to Break MD5 and Other Hash Functions”. EUROCRYPT 2005, LNCS 3494, pp. 19–35, 2005. http://www.infosec.sdu.edu.cn/uploadfile/papers/How%20to%20Break%20MD5%20and%20Other %20Hash%20Functions.pdf . [18] Hongjun Wu. “The Misuse of RC4 in Microsoft Word and Excel”. http://eprint.iacr.org/2005/007.pdf .
2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM