Crypto Manifesto Yekaterina Tsipenyuk OʼNeil Security Research Group Fortify Software March 12, 2009 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM Contents Overview .....................................................................................................3 Cryptographic Hash Functions.................................................................4 Encryption and Encoding Standards.......................................................5 Guidelines for Encryption Keys ...............................................................6 Pseudo-Random Number Generators......................................................7 References .................................................................................................8 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM Overview Experts in the security community have indicted many commonly used cryptographic algorithms as insecure. Bases for these claims of insecurity often include advances in cryptographic research that have demonstrated previously unknown weakness in algorithms and advances in the computational power of readily available hardware. In the face of an ongoing stream of advice from an active security community, the struggle for software developers has long been to differentiate problems that introduce real risk to their systems from hypothetical research focused on attacks that wonʼt be feasible in the mainstream for years. This document provides best-practice guidelines for using modern cryptography in software systems. These guidelines are backed up by the research of the security community and strive to align themselves with the practical tradeoffs between maximal security and acceptable paranoia. Even though there are a number of cryptographic primitives we could discuss, we limit the scope of this document to the following: • Cryptographic Hashes • Encryption and Encoding • Symmetric and Public Keys • Pseudo-Random Number Generators (PRNGs) The following table summarizes guidelines in each of these areas, which are described in more detail throughout the remainder of the paper: Avoid Use Cryptographic Hashes MD2, MD4, RIPEMD-160, SHA- MD5, SHA-1 224, SHA-256, SHA- 384, SHA-512 Encryption and Encoding RC2, RC4, 3DES, AES DES, Base 64 Encoding Functions Symmetric Keys (AES) < 128 bits >= 128 bits Public Keys (RSA) < 1024 bits >= 2048 bits with OAEP padding Pseudo-Random Number Generators (PRNGs) Statistical Cryptographic PRNGs PRNGs 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM Cryptographic Hashes The cryptographic hashes RIPEMD, RIPEMD-160, MD2, MD4, MD5, and the SHA family, including SHA-1 SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are among the most widely know and used cryptographic hash algorithms. Despite their widespread use, there are security risks associated with several of these algorithms. Collisions have been found in MD2 as early as 1997 [11] and, in 2004, MD2 was found vulnerable to pre-image attacks that enable the recovery of the original value based on its hash [9]. These findings clearly illustrate that MD2 is no longer safe for use in security-sensitive contexts. Researchers at Shandong University discovered attacks on a number of cryptographic functions, including HAVAL-128, MD4, MD5, RIPEMD, and SHA-0. These findings described attacks that found collisions in about 15 minutes [17]. This was the wake-up-call that caused security-space leaders such as Microsoft to ban the use of MD4 and MD5 algorithms by their development teams [4]. Furthermore, a recent research project determined that it was possible to mount a man-in- the-middle attack on Secure Sockets Layer (SSL) by creating rogue certificates issued by rogue Certification Authorities (CAs) with only homegrown array of machines [13]. This attack exploited the weakness that the Shandong researchers had found in MD5. This discovery together with Domain Name System (DNS) weakness demonstrated in the summer of 2008 [5], resulted in the possibility of undetectable phishing attacks on the Internet. This vulnerability was picked up by the United States Computer Emergency Response Team (US-CERT), which now urges software developers, CAs, website owners, and users to avoid implementing MD5 in any capacity [15]. Once the weaknesses in MD4 and MD5 were illustrated, some proposed SHA-1 as a more secure alternative. However, the same researchers from Shandong University showed that collisions can be found in SHA-1 as well, with complexities less than the theoretical bound [16]. Today, Microsoft has banned SHA-1 [4] for internal use and the National Institute for Standards and Technology (NIST) suggests phasing out the use of SHA-1 by 2010 [10]. The Fortify Security Research Group (SRG) recommends that developers avoid using MD2, MD4, MD5, and SHA-1 for computing hashes on sensitive information, such as passwords, certificates or any security-relevant values where it is important avoid collisions and retain pre-image resistance. Fortify Source Code Analyzer (SCA) enforces this by flagging uses of any of these algorithms in code. 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM Encryption and Encoding There are a number of encryption algorithms that can be used to stop attackers from accessing secrets. Some of the most popular encryption algorithms are RC2, RC4, DES, triple DES (3DES), AES, among others. Microsoft developers misused RC4 on various occasions and Microsoft now prohibits the use of RC4 in code development [4]. One such incident is described by Hongjun Wu [18]: Because the initialization vector (IV) used together with the key to encrypt two different documents remained the same, encryption could be broken by simply XOR-ing two ciphertexts. A number of other attacks on RC4 are known to the security community, including one that famously breaks the Wired Equivalent Privacy (WEP) protocol that uses RC4 in less than a minute [14]. Microsoft has also banned the use of the DES encryption algorithm [4], because it has been broken [3]. Although there are attacks on 3DES, the best attack requires around 232 known plaintexts, 2113 steps, 290 single DES encryptions, and 288 memory, which is currently impractical [8] due to hardware constraints. The National Institute of Standards and Technology suggests phasing out 2-key 3DES by 2010, and 3-key 3DES – by 2030 [1]. There is also some controversy concerning the security of RC2. Although research suggested that RC2 is resistant to differential cryptanalysis, it is still unclear how resistant it is to linear cryptanalysis [7]. RC2 has also demonstrated weaknesses to related-key attacks [6]. Microsoft advises against its use [2]. Many people mistakenly think of base-64 encoding as a form of encryption. Base-64 encoding is useful for transmitting binary data over a communication channel designed to transmit character data. However, considering that its character space is only size 64, the scheme does not attempt to provide the same security guarantees as strong cryptographic encryption algorithms. For this reason, it should not be used for protecting secrets. Fortify SCA issues high-severity warnings when it finds the use of RC4 or DES algorithms and lower severity warnings when it finds the use of RC2. It also issues warnings whenever passwords are base-64 decoded before use. 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM Guidelines for Encryption Keys The suggested length for symmetric keys (particularly AES keys) is no less than 128 bits, while the suggested length for RSA keys is no less than 1024 bits, with 2048-bit keys providing better security [4][10]. In the case of RSA keys, it is also important to choose the right padding scheme, which can prevent a number of attacks that potentially work against RSA without padding. Public-Key Cryptography Standard (PKCS) #1 v.2.1 recommends the use of Optimal Asymmetric Encryption Padding (OAEP) for new applications [12]. Fortify SCA reports higher severity warnings when the code uses RSA keys with fewer than 1024 bits in length and lower severity warnings when RSA keys are between 1024 and 2048 bits in length. 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM Pseudo-Random Number Generators When unpredictability is critical, as in most in security-sensitive contexts, it is important to use strong cryptographic rather than statistical PRNGs. Unlike cryptographic PRNGs, statistical pseudo-random number generators produce highly predictable output, which makes it trivial for an attacker to guess the values of generated strings. However, statistical PRNGs are acceptable when predictability is not a concern – for example, for generating the order in which images are displayed in a slideshow application. Fortify SCA reports a warning whenever it encounters the use of a statistical PRNG. 2215 BRIDGEPOINTE PARKWAY, SUITE 400, SAN MATEO, CA 94404 USA P 650 358 5600 F 650 358 4600 WWW.FORTIFY.COM References [1] Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. “Recommendation for Key Management – Part 1: General (Revised)”. NIST Special Publication 800-57. http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf . [2] Andrew Cushman. “Microsoft Security Fundamentals”. EUSecWest, London, February 20,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-