Security 101 Image Attribution: Randall Munroe ELCA For

Security 101 Image attribution: Randall Munroe https://xkcd.com/936/ ELCA for

Security 101 or what do we owe our parents? Moral responsibility and obligations of IT workers (But the talk mostly is about know-how)

2 Who am I?

– Dániel Kovács

– Currently working @ ELCA • as senior software engineer • and self-appointed security enthusiast

– Beforehand @ IBM Research – Zurich Research Lab • as software engineer in the “Security & Privacy Group”

– Before that Junior Mainframe Administrator, Master’s, etc. • in Hungary

Security 101 An important note

– Do not trust the exact algorithm and protocol names mentioned in this presentation • Anything can become outdated from one day to the next

– Always consult your own (hopefully in-house) experts before doing anything security related

Security 101 1. Introduction

Agenda 2. Becoming more security-aware

3. Distributing the knowledge

Security 1015 Introduction The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 Image attribution: ? The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 Who are cryptographers?

– We are talking here about guys like (arbitrary list): • Whitfield Diffie, Martin Hellman, Ralph Merkle ⇒ Diffie–Hellman(–Merkle) key-exchange, a.k.a. DH • Ron Rivest, Adi Shamir, Leonard Adleman ⇒ RSA • Daniel J. Bernstein (Salsa20, ChaCha20, Ed25519, SipHash) • Dan Boneh – Remote Timing Attacks are Practical (Brumley, Boneh) – Threshold Cryptosystems From Threshold Fully Homomorphic Encryption (Boneh, Gennaro, Goldfeder, Jain, Kim, Rasmussen, Sahai) • Countless others – like my former colleagues: Camenisch, Lehmann, Neven, Lyubashevsky, Boschini, Drijvers, et al.

Security 101 Who are cryptographers?

– Designing games with: • Alice  (Person A) • Bob  (Person B) • Eve 🧞‍♀️ (the Eavesdropper) • Mallory  (the Malicious) – Nowadays doing “verifiable cryptography”, like the UC-Framework • And creating equations and protocols like

Security 101 Who are cryptographers?

– Nowadays doing “verifiable cryptography”, like the UC-Framework • And creating equations and protocols like

“Optimal Distributed Password Verification” Security 101 (Camenisch, Lehmann, Neven, CCS 2015 https://www.zurich.ibm.com/pdf/csc/CCS15_passwords.pdf) Who are cryptographers?

– Nowadays doing “verifiable cryptography”, like the UC-Framework • And creating equations and protocols like

“Elligator: Elliptic-curve points indistinguishable from uniform random strings” Security 101 (Bernstein et al. 2013 ACM SIGSAC https://elligator.cr.yp.to/elligator-20130828.pdf) Who are cryptographers?

– Nowadays doing “verifiable cryptography”, like the UC-Framework • And creating equations and protocols like

Security Laymen Developers Cryptographers Specialists

Security 101 Who are security specialists?

– Mediate between the ideal world of cryptography and the real world

– Main goal is to create software systems, which are: secure, fast, usable

– Whom you can ask what to use for a certain task • Can answer, why you should use exactly that method

– Mostly understand how the method works • Although they most probably don’t hold a PhD in cryptography

– Follows news regarding security and are usually up-to-date • Although not always, nobody knows all CVEs by heart

Security 101 The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 Who are developers?

– Most probably: you

– Average in the sense that they do not care – and should not care – details and internals of security methods (protocols, algorithms, etc.)

– The ones who actually build the systems • Uses whatever the specialists provide them

– They do not need to understand the details, just follow the best practices • This does not mean that they cannot understand, it is just not necessary

– Most of the IT is around this point and this is good

Security 101 The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 Who are laymen?

– They are the ones who use the systems • Your family and friends; bosses and managers; customers

– They trust the other actors (usually) without second guesses • This does not mean that they do not care

– Their trust is implicit but in the recent times more and more questions arise

– We did not necessarily wanted this trust, but we have it, it is there

– Now we have to educate ourselves and them in order to • do not lose their trust • thus do not lose them

Security 101 Becoming more security-aware The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 The range of “security people”

Security Laymen Developers Cryptographers Specialists

Security 101 What is security?

– Common mistake, this is actually “just” authentication • Arguably the most important part – As it is the entry point – It is your first line of defense

– Let’s discuss authentication in more details, before diving head-first into security en bloc

Security 101 Image attribution: Cornel Stefanache & Constantin Orasanu https://www.monkeyuser.com/2017/security/ What is authentication?

– Authentication is the answer to the question: “Who are you?”

– Nowadays the basic in IT is username and password, usually explained as:

– But that is not an answer to “who are you?” • This answers the question “do you hold the key? (regardless of who you are.)”

Security 101 What is authentication?

– For our primitive brains the answer the “who are you?” is

– But currently that is identity, and not authentication.

– Authentication is proving a claim that you are who you were, when registering: • 0-factor authentication: ID-based (“username”, ID-card, biometrics, etc.) – Fingerprints are Usernames, not Passwords by Dustin Kirkland • 1-factor authentication: password, key, etc. • 2-factor authentication: a second password, a second key, etc. – the point being it is independent of the 1st factor • n-factor authentication: generalize to n

Security 101 How should we authenticate?

– Primitive 1: hash

– What is hashing?

F ≔ a non-linear function ⊕ ≔ addition mod 232

⋘s ≔ shift by s bits

One round of MD5

Security 101 Image attribution: https://en.wikipedia.org/wiki/MD5 by https://en.wikipedia.org/wiki/User:Matt_Crypto How should we authenticate?

– Primitive 1: hash

– What is hashing?

⊕ ≔ addition mod 232 Ch(E, F, G) ≔ (E ∧ F) ⊕ (¬E ∧ G) Ma(A, B, C) ≔ (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C)

∑0(A) ≔ (A ⋙ 2) ⊕ (A ⋙ 13) ⊕ (A ⋙ 22) ∑1(E) ≔ (E ⋙ 6) ⊕ (E ⋙ 11) ⊕ (E ⋙ 25)

One round of SHA2

Security 101 Image attribution: https://en.wikipedia.org/wiki/SHA-2 by https://commons.wikimedia.org/wiki/User:Kockmeyer How should we authenticate?

– Primitive 1: hash

– What is hashing? N-times

Security 101 How should we authenticate?

– 1st factor is currently in 99.9999% the cases is a password • Please do not store them as plaintext, it does not matter how convenient that is – Also: non-compliant with GDPR • Please do not store them as a simple one-round SHA1 or SHA2 (256/512) hash – You think it is irreversible? a80b18fcf1d66cfcf86b50d493b0ba0406184855 – The internet does not think so: numerous sites where you will find the input of this hash – Reverse-indexes even for multi-round basic hashes are freely available (so-called rainbow tables) • Ask your security specialist what are current best practices, as far as I am aware – Use PBKDF2, bcrypt, or scrypt with settings so it is not painful for the end-user – Always use a random “salt” (i.e., extra randomly generated value, stored next to the username and password) • We will talk about so-called password policies towards the end

– There are alternatives but they are still not widespread, used currently as 2nd factors

Security 101 How should we authenticate?

– 2nd factor is currently in 99.9999% the cases is an SMS • Don’t. Just don’t. Remember Eve the Eavesdropper? – Look on the net for attacks against SS7 (a.k.a. Signaling System 7, a.k.a. Common Channel Signaling System 7) – Sometimes SMSs are in the plain on the net (just like passwords) – Social engineering (re-registering, scam calls/texts, etc.)

– If you want to provide second factors, there are some good alternatives • Authenticator apps for smartphones (like ELCARD, etc.) – Issue: channel is often not really separated • Physical tokens, mostly for more tech-savvy users (like FIDO, RSA-tokens, etc.) – Only for tech-savvy because of portability, drivers, etc.

Security 101 What is authorization?

– Authorization is the answer to the question: “What do you want?”

– This is more well-known in the physical world • signature rights • door opening rights • etc.

– There are standardized solutions, mostly hidden behind acronyms • IBAC/ACL (Identity-Based Access Control/Access Control List) • ABAC (Attribute-Based Access Control) • RBAC (Role-Based Access Control)

– Thus XACML was born

Security 101 Image attribution: Randall Munroe https://xkcd.com/2077/ How should we authorize?

– Sadly no one-size-fits-all solution

– It will pretty much depend on the actual software

– Some key points: • At the lowest level: always do it, even if it’s a duplicate check • Do not do it more granular than needed • Pre vs. Post authorization • Function vs. Data authorization

– Attacks: privilege escalation

Security 101 What is verification?

 ✓

Security 101 What is verification?

  ✓

Security 101 What is verification?

  

Security 101 What is verification?

  ⚠

So-called integrity verification

Security 101 What is verification?

  ⚠

Security 101 What is verification?

  ⚠

So-called authenticity verification

Security 101 What is verification?

  ⚠

– Primitive 2: MAC (Message Authentication Code)

– Nowadays not really used in itself, but it is a primitive • has be known and well understood • part of lot of more complex stuff, as we’ll see

– Key properties (as long as the key is kept secret) • data integrity: the data is not modified, it is exactly as sent • authentication: the message comes from somebody who has the key

Security 101 What is verification?

 🧞‍♀️ ✓

– Primitive 2: MAC (Message Authentication Code)

– Nowadays not really used in itself, but it is a primitive • has be known and well understood • part of lot of more complex stuff, as we’ll see

– Key properties (as long as the key is kept secret) • data integrity: the data is not modified, it is exactly as sent • authentication: the message comes from somebody who has the key

Security 101 What are random numbers?

– Primitive 3: CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) – They are the basis of any kind of key generation

– Real random numbers would be good but are very hard to obtain • There are some devices, based on quantum mechanics

Security 101 Image attribution: Randall Munroe https://xkcd.com/221/ What are random numbers?

– Primitive 3: CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)

– PRNGs are a process, where from a seed value and a deterministic algorithm • Yes, they are deterministic • Nowadays usually a so-called Mersenne Twister, with a period of 219937−1 iterations (≈4.3×106001)

– CSPRNGs are a similar process but with security considerations • /dev/random too; please always use /dev/urandom! https://www.2uo.de/myths-about-urandom/ • there is a huge difference between Random and SecureRandom – Java: 48 vs. 128 bit space + source of seed – Period of SecureRandom around 264 (2 exabits), but period is not really security relevant

Security 101 Image attribution: Randall Munroe https://xkcd.com/221/ What is entropy in this context?

– Primitive 3: CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)

– Well… ± the real randomness in the system

– In current OSs there is an “entropy pool” • filled from different sources, mostly timings of input and other system events • bias needs to be pro-actively removed

– Problems with entropy in virtualized environments • there are workarounds for them (haveged, rng-tools, etc.) • if you need really good entropy (banking, gambling), you will anyways use an HSM

Security 101 Image attribution: Randall Munroe https://xkcd.com/221/ What is encryption?

 ✓

Security 101 What is encryption?

 ✓

Security 101 What is encryption?

 ✓

Security 101 What is encryption?

   ?

Security 101 What is encryption?

  ⚠

Some ciphers are “malleable” E.g., Caesar-cipher over ASCII with key = 3 Plaintext: TRANSFER $0000100.00 TO ACCOUNT #199 Ciphertext: WUDQVIHU ‘3333433133 WR DFFRXQW &4<< Altered: WUDQVIHU ‘4333333133 WR DFFRXQW &4<< Countering with: MAC or use a CCA2 secure cipher Note: Kerckhoffs's principle: the details of any implementation are always known to the public

Security 101 What is encryption?

  ⚠

Some ciphers are “malleable” E.g., Caesar-cipher over ASCII with key = 3 Plaintext: TRANSFER $0000100.00 TO ACCOUNT #199 Ciphertext: WUDQVIHU ‘3333433133 WR DFFRXQW &4<< Altered: WUDQVIHU ‘4333333133 WR DFFRXQW &4<< Countering with: MAC or use a CCA2 secure cipher → in practice use AES with HMAC Note: Kerckhoffs's principle: the details of any implementation are always known to the public

Security 101 The limits of symmetric encryption

– Well… it’s symmetric        

⇒ Key distribution and management quickly becomes a problem

• “The hotline between Moscow and Washington D.C., established in 1963 after the Cuban missile crisis, used teleprinters protected by a commercial one-time tape system. Each country prepared the keying tapes used to encode its messages and delivered them via their embassy in the other country. A unique advantage of the OTP in this case was that neither country had to reveal more sensitive encryption methods to the other.” https://en.wikipedia.org/wiki/One-time_pad#Historical_uses

– Quadratic number of keys needed (unless keys are shared)

– Secure channel needed for the keys for each pair of correspondents