Security 101

Total pages: 16

File type: pdf, size: 1020 KB
ELCA for Security 101, or what do we owe our parents? Moral responsibility and obligations of IT workers (but the talk is mostly about know-how)
Image attribution: Randall Munroe https://xkcd.com/936/

Who am I?
– Dániel Kovács
– Currently working @ ELCA
  • as senior software engineer
  • and self-appointed security enthusiast
– Beforehand @ IBM Research – Zurich Research Lab
  • as software engineer in the “Security & Privacy Group”
– Before that Junior Mainframe Administrator, Master’s, etc.
  • in Hungary

An important note
– Do not trust the exact algorithm and protocol names mentioned in this presentation
  • Anything can become outdated from one day to the next
– Always consult your own (hopefully in-house) experts before doing anything security related

Agenda
1. Introduction
2. Becoming more security-aware
3. Distributing the knowledge

1. Introduction

The range of “security people” (figure): Laymen · Developers · Security Specialists · Cryptographers

Who are cryptographers?
– We are talking here about guys like (arbitrary list):
  • Whitfield Diffie, Martin Hellman, Ralph Merkle ⇒ Diffie–Hellman(–Merkle) key exchange, a.k.a. DH
  • Ron Rivest, Adi Shamir, Leonard Adleman ⇒ RSA
  • Daniel J. Bernstein (Salsa20, ChaCha20, Ed25519, SipHash)
  • Dan Boneh
    – Remote Timing Attacks are Practical (Brumley, Boneh)
    – Threshold Cryptosystems From Threshold Fully Homomorphic Encryption (Boneh, Gennaro, Goldfeder, Jain, Kim, Rasmussen, Sahai)
  • Countless others – like my former colleagues: Camenisch, Lehmann, Neven, Lyubashevsky, Boschini, Drijvers, et al.
– Designing games with:
  • Alice (Person A)
  • Bob (Person B)
  • Eve (the Eavesdropper)
  • Mallory (the Malicious)
– Nowadays doing “verifiable cryptography”, like the UC-Framework
  • And creating equations and protocols like
    – “Optimal Distributed Password Verification” (Camenisch, Lehmann, Neven, CCS 2015, https://www.zurich.ibm.com/pdf/csc/CCS15_passwords.pdf)
    – “Elligator: Elliptic-curve points indistinguishable from uniform random strings” (Bernstein et al., ACM SIGSAC 2013, https://elligator.cr.yp.to/elligator-20130828.pdf)

Who are security specialists?
– Mediate between the ideal world of cryptography and the real world
– Main goal is to create software systems which are: secure, fast, usable
– Whom you can ask what to use for a certain task
  • Can answer why you should use exactly that method
– Mostly understand how the method works
  • Although they most probably don’t hold a PhD in cryptography
– Follow news regarding security and are usually up-to-date
  • Although not always, nobody knows all CVEs by heart

Who are developers?
– Most probably: you
– Average in the sense that they do not care – and should not care – about the details and internals of security methods (protocols, algorithms, etc.)
– The ones who actually build the systems
  • Use whatever the specialists provide them
– They do not need to understand the details, just follow the best practices
  • This does not mean that they cannot understand, it is just not necessary
– Most of IT is around this point and this is good

Who are laymen?
– They are the ones who use the systems
  • Your family and friends; bosses and managers; customers
– They trust the other actors (usually) without second-guessing
  • This does not mean that they do not care
– Their trust is implicit, but recently more and more questions arise
– We did not necessarily want this trust, but we have it, it is there
– Now we have to educate ourselves and them in order to
  • not lose their trust
  • and thus not lose them

2. Becoming more security-aware

What is security?
– Common mistake: this is actually “just” authentication
  • Arguably the most important part
    – As it is the entry point
    – It is your first line of defense
– Let’s discuss authentication in more detail, before diving head-first into security en bloc
Image attribution: Cornel Stefanache & Constantin Orasanu https://www.monkeyuser.com/2017/security/

What is authentication?
– Authentication is the answer to the question: “Who are you?”
– Nowadays the basic in IT is username and password, usually explained as: (figure)
– But that is not an answer to “who are you?”
  • This answers the question “do you hold the key? (regardless of who you are)”
– For our primitive brains the answer to “who are you?” is: (figure)
– But currently that is identity, and not authentication.
– Authentication is proving a claim that you are who you were when registering:
  • 0-factor authentication: ID-based (“username”, ID-card, biometrics, etc.)
    – Fingerprints are Usernames, not Passwords, by Dustin Kirkland
  • 1-factor authentication: password, key, etc.
  • 2-factor authentication: a second password, a second key, etc.
    – the point being it is independent of the 1st factor
  • n-factor authentication: generalize to n

How should we authenticate?
– Primitive 1: hash
– What is hashing? One round of MD5 (figure):
  F ≔ a non-linear function
  ⊞ ≔ addition mod 2^32
  ⋘s ≔ left rotation by s bits
  Image attribution: https://en.wikipedia.org/wiki/MD5 by https://en.wikipedia.org/wiki/User:Matt_Crypto
– What is hashing? One round of SHA-2 (figure; ⊕ below is XOR, ⋙ is rotation right):
  ⊞ ≔ addition mod 2^32
  Ch(E, F, G) ≔ (E ∧ F) ⊕ (¬E ∧ G)
  Ma(A, B, C) ≔ (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C)
  Σ0(A) ≔ (A ⋙ 2) ⊕ (A ⋙ 13) ⊕ (A ⋙ 22)
  Σ1(E) ≔ (E ⋙ 6) ⊕ (E ⋙ 11) ⊕ (E ⋙ 25)
  Image attribution: https://en.wikipedia.org/wiki/SHA-2 by https://commons.wikimedia.org/wiki/User:Kockmeyer
– What is hashing? The hash applied N times (figure)

How should we authenticate?
– In 99.9999% of the cases the 1st factor is currently a password
  • Please do not store them as plaintext, no matter how convenient that is
    – Also: non-compliant with GDPR
  • Please do not store them as a simple one-round SHA1 or SHA2 (256/512) hash
    – You think it is irreversible? a80b18fcf1d66cfcf86b50d493b0ba0406184855
    – The internet does not think so: numerous sites will give you the input of this hash
    – Reverse indexes even for multi-round basic hashes are freely available (so-called rainbow tables)
  • Ask your security specialist what the current best practices are; as far as I am aware:
    – Use PBKDF2, bcrypt, or scrypt with settings so it is not painful for the end-user
    – Always use a random “salt” (i.e., an extra randomly generated value, stored next to the username and password)
  • We will talk about so-called password policies towards the end
– There are alternatives, but they are still not widespread; currently they are used as 2nd factors

How should we authenticate?
– In 99.9999% of the cases the 2nd factor is currently an SMS
  • Don’t. Just don’t. Remember Eve the Eavesdropper?
    – Look on the net for attacks against SS7 (a.k.a. Signaling System 7, a.k.a. Common Channel Signaling System 7)
    – Sometimes SMSs are in the plain on the net (just like passwords)
    – Social engineering (re-registering, scam calls/texts, etc.)
  • If you want to provide second factors, there are some good alternatives
    – Authenticator apps for smartphones (like ELCARD, etc.)
      • Issue: the channel is often not really separated
    – Physical tokens, mostly for more tech-savvy users (like FIDO, RSA tokens, etc.)
      • Only for tech-savvy users because of portability, drivers, etc.

What is authorization?
– Authorization is the answer to the question: “What do you want?”
– This is better known in the physical world
  • signature rights
  • door opening rights
  • etc.
– There are standardized solutions, mostly hidden behind acronyms
  • IBAC/ACL (Identity-Based Access Control / Access Control List)
  • ABAC (Attribute-Based Access Control)
  • RBAC (Role-Based Access Control)
  – Thus XACML was born
Image attribution: Randall Munroe https://xkcd.com/2077/

How should we authorize?
– Sadly no one-size-fits-all solution
– It will pretty much depend on the actual software
– Some key points:
  • At the lowest level: always do it, even if it’s a duplicate check
  • Do not do it more granularly than needed
  • Pre vs. post authorization
  • Function vs. data authorization
– Attacks: privilege escalation

What is verification? ✓

What
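To make the SHA-2 round slide concrete, here is an added example (not from the presentation) that builds SHA-256 from exactly the Ch, Ma, Σ0 and Σ1 functions defined above, adds the two message-schedule functions and the round constants the slide does not show, and reproduces the slide's "N times" iteration. The constants are derived rather than typed in, so a reader can see where they come from.

```python
import struct

MASK32 = 0xFFFFFFFF  # every value in the round is a 32-bit word


def rotr(x: int, n: int) -> int:
    """x ⋙ n: rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK32


# The four round functions exactly as the slide defines them (⊕ is XOR, ∧ is AND).
def Ch(e, f, g):  return ((e & f) ^ (~e & g)) & MASK32
def Ma(a, b, c):  return (a & b) ^ (a & c) ^ (b & c)
def Sigma0(a):    return rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
def Sigma1(e):    return rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)

# Not on the slide: the schedule functions that stretch 16 message words to 64.
def sigma0(w):    return rotr(w, 7) ^ rotr(w, 18) ^ (w >> 3)
def sigma1(w):    return rotr(w, 17) ^ rotr(w, 19) ^ (w >> 10)


def _first_primes(n: int) -> list:
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


def _frac_root32(p: int, k: int) -> int:
    """First 32 bits of the fractional part of p ** (1/k), computed exactly:
    floor of the integer k-th root of p * 2**(32k), by Newton iteration from above."""
    n = p << (32 * k)
    x = 1 << ((n.bit_length() + k - 1) // k)  # power of two >= the root
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x & MASK32
        x = y


# "Nothing up my sleeve" constants: fractional parts of cube roots (K) and square roots (H0)
# of the first primes, which is how FIPS 180-4 defines them.
K = [_frac_root32(p, 3) for p in _first_primes(64)]
H0 = [_frac_root32(p, 2) for p in _first_primes(8)]


def compress(h: list, block: bytes) -> list:
    """The slide's diagram, applied 64 times to one 512-bit block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        w.append((sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK32)
    a, b, c, d, e, f, g, hh = h
    for i in range(64):
        t1 = (hh + Sigma1(e) + Ch(e, f, g) + K[i] + w[i]) & MASK32  # ⊞ chain on the E side
        t2 = (Sigma0(a) + Ma(a, b, c)) & MASK32                     # ⊞ chain on the A side
        hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK32, c, b, a, (t1 + t2) & MASK32
    # Davies–Meyer feed-forward: add the round output to the chaining value.
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]


def sha256(msg: bytes) -> str:
    bit_len = len(msg) * 8
    # Merkle–Damgård padding: 0x80, zeros up to 56 bytes mod 64, then the 64-bit bit length.
    msg += b"\x80" + b"\x00" * ((56 - len(msg) - 1) % 64) + struct.pack(">Q", bit_len)
    h = H0[:]
    for off in range(0, len(msg), 64):
        h = compress(h, msg[off:off + 64])
    return "".join(f"{x:08x}" for x in h)


def iterate(msg: bytes, n: int) -> str:
    """The slide's "N times" picture: feed each digest back into the hash n times."""
    data = msg
    for _ in range(n):
        data = bytes.fromhex(sha256(data))
    return data.hex()


if __name__ == "__main__":
    print(sha256(b"abc"))        # matches hashlib.sha256(b"abc").hexdigest()
    print(iterate(b"abc", 1000))
```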
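The password-storage advice above, as an added example that is not part of the slides: the unsalted one-round SHA-1 pattern next to a salted, iterated PBKDF2 record, with a constructed wordlist showing why the first is reversible by lookup and the second is not. The iteration count, salt length and record format are assumptions to tune with your specialist.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with this many iterations. The count is the knob that
# trades attacker cost against login latency ("not painful for the end-user").
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_unsalted_sha1(password: str) -> str:
    """The pattern the slide warns against: one round of SHA-1, no salt.
    The same password always yields the same digest, so it can be looked up."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Algorithm, cost and salt are stored next to the derived
    key so the record can be verified later (and re-hashed when the cost is raised)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user and per password change
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time.
    A malformed record verifies as False instead of raising."""
    try:
        alg, iterations, salt_hex, dk_hex = record.split("$")
        if alg != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


def lookup_table(wordlist) -> dict:
    """What the "numerous sites" hold: digest -> input, precomputed once for everyone."""
    return {store_unsalted_sha1(w): w for w in wordlist}


def reverse_unsalted(table: dict, digest: str) -> Optional[str]:
    return table.get(digest)


def demo() -> dict:
    # Constructed data: a tiny wordlist and two users who chose the same weak password.
    wordlist = ["123456", "password", "qwerty", "letmein", "hunter2"]
    table = lookup_table(wordlist)
    alice_bad, bob_bad = store_unsalted_sha1("letmein"), store_unsalted_sha1("letmein")
    alice_good, bob_good = store_pbkdf2("letmein"), store_pbkdf2("letmein")
    return {
        "unsalted_identical": alice_bad == bob_bad,                 # True: leaks shared passwords
        "unsalted_reversed": reverse_unsalted(table, alice_bad),    # "letmein"
        "salted_identical": alice_good == bob_good,                 # False: salts differ
        "salted_in_table": alice_good.split("$")[-1] in table,      # False: table is useless
        "alice_login_ok": verify_pbkdf2("letmein", alice_good),     # True
        "alice_wrong_pw": verify_pbkdf2("letmein1", alice_good),    # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```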
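The four key points on authorization, as an added example not taken from the talk: function-level pre-authorization in a decorator, a data-level check done at the lowest layer (so it is duplicated on purpose), post-authorization by filtering a result set, and the function-level-only variant that allows horizontal privilege escalation. Users, roles and invoices are constructed sample data.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised on any authorization failure; the web layer maps it to 403 (or 404)."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1: Invoice(1, "alice", 100),
    2: Invoice(2, "bob", 250),
    3: Invoice(3, "alice", 40),
}


def require_role(role: str):
    """Pre-authorization at function level: may this user call this operation at all?"""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise Forbidden(f"{user.name} lacks role {role!r} for {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def may_read(user: User, invoice: Invoice) -> bool:
    """Data-level rule: an invoice is visible to its owner and to auditors."""
    return invoice.owner == user.name or "auditor" in user.roles


def load_invoice(user: User, invoice_id: int) -> Invoice:
    """Lowest layer: always checks, even when the caller already did (duplicate check).
    Missing and forbidden look identical so callers cannot probe which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not may_read(user, invoice):
        raise Forbidden(f"{user.name} may not read invoice {invoice_id}")
    return invoice


@require_role("user")
def get_invoice_insecure(user: User, invoice_id: int) -> Invoice:
    """Function-level check only: any 'user' reads any invoice by guessing ids
    (horizontal privilege escalation)."""
    return INVOICES[invoice_id]


@require_role("user")
def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Function-level pre-check (decorator) plus the data-level check inside load_invoice."""
    return load_invoice(user, invoice_id)


@require_role("user")
def list_invoices(user: User) -> list:
    """Post-authorization: fetch, then filter the result set with the data-level rule."""
    return [inv for inv in INVOICES.values() if may_read(user, inv)]


@require_role("admin")
def delete_invoice(user: User, invoice_id: int) -> None:
    """A coarse role check is all the business rule needs here; no finer granularity."""
    INVOICES.pop(invoice_id, None)


def attempt(fn, *args):
    """Run an operation and report the outcome as data instead of an exception."""
    try:
        return ("ok", fn(*args))
    except Forbidden:
        return ("forbidden", None)


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))
    print(attempt(get_invoice_insecure, alice, 2))  # ('ok', bob's invoice): the bug
    print(attempt(get_invoice, alice, 2))           # ('forbidden', None)
    print([inv.id for inv in list_invoices(alice)])  # [1, 3]
```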