Future for Crypto

Me
Graeme Neilson, CISO / Head of Research, www.aurainfosec.com
Reverse engineering, cryptanalysis
Talked at BlackHat, CanSecWest, H2HC, Troopers and Daycon many times...

Past Years
● Backdooring firewalls
● Quantum cryptography
● Cracking audio one-time passwords
● Potential real-world crypto attacks

Why is Crypto Important?
Fundamental to the Internet
● Privacy, confidentiality, integrity, non-repudiation, anonymity
● Blockchain technology is going to be the basis of new financial systems (transactions, public ledger, contracts, identity) and is reliant on cryptography

Cryptography Last Year
● Supply chain interception
● Weakened PRNG
● Weakened crypto protocol
● Exploitable implementations

Backdooring Firewalls
Described by an NSA manager as being: “some of the most productive operations in TAO because they pre-position access points into hard target networks around the world.”

How?
2013, NSA manager describes the process: “shipments of computer network devices (servers, routers, etc,) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination.”

Me: Netscreen of the Dead 2008, Welcome to Rootkit Country 2011
Told ya so :-)

The NSA ANT catalog
● FEEDTROUGH: Software that can penetrate Juniper Networks firewalls, allowing other NSA-deployed software to be installed on mainframe computers
● GOURMETTROUGH: User-configurable persistence implant for certain Juniper Networks firewalls
● HALLUXWATER: Back door exploit for Huawei Eudemon firewalls
● JETPLOW: Firmware that can be implanted to create a permanent backdoor in Cisco PIX series and ASA firewalls
● SCHOOLMONTANA: Software that makes DNT implants persistent on JUNOS-based (FreeBSD-variant) J-series routers/firewalls
● SIERRAMONTANA: Software that makes DNT implants persistent on JUNOS-based M-series routers/firewalls
● STUCCOMONTANA: Software that makes DNT implants persistent on JUNOS-based T-series routers/firewalls
● SOUFFLETROUGH: BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls

Weak Randomness
● 2005-2006: NIST and NSA release a PRNG based on elliptic curve cryptography, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG)
● 2007: Microsoft researchers show that vulnerabilities in the PRNG, combined with some knowledge that only NIST/NSA might have, open a perfect backdoor into the PRNG
● If you use Dual EC to generate the "Client Random" nonce transmitted at the beginning of an SSL connection, then the NSA will be able to predict the "Pre-Master" secret that will be generated during the RSA handshake
● Given this information the connection is now cleartext
● Used by Microsoft’s SChannel (IE and IIS), OpenSSL’s FIPS module, RSA’s BSAFE

Weaken Randomness Again
● Extended Random protocol
● In a Pentagon-funded paper in 2008, the Extended Random protocol was touted as a way to boost the randomness of the numbers generated by Dual EC
● The extra data transmitted by Extended Random before a secure connection begins makes predicting the following "secure" numbers dramatically easier
● Authored by NSA and Mozilla staff; RSA embraced it
● Prof. Matthew Green, Johns Hopkins, said: “If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline"

SSL Problems
● Apple certificate checking
● GnuTLS certificate checking
● OpenSSL Heartbleed server memory read
● ...and others...
Crypto Code
Apple:

    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

OpenSSL: [ go and read the code ]

Open Source...?
● OpenSSL
  – Vulnerabilities
  – Complex
  – Poor documentation
  – Unaudited
● OpenBSD
  – Secure
  – Simple
  – Good documentation
  – Audited

Why Crypto is Hard
● Testing crypto code is hard
● Every single outside variable must be validated
● Avoiding timing attacks (code paths, error paths)
● Random data must be random
● Sensitive/secret data must be protected (in memory)
● Sensitive/secret data must be wiped cleanly, and actually wiped!
● Some high-level languages are precluded because of these data requirements
● Must be well-optimized code, otherwise too expensive

Developer Skills
● Cryptographic algorithms
● Cryptographic practice
● Software engineering
● Software optimization
● The language(s) used
● Devs not recognised

Crypto Currency Code
● Must be written well (OpenBSD, not OpenSSL)
● Mt Gox code was OpenSSL style, not OpenBSD

Current state
● Standard client / wallet (maybe well written)
● Exchanges (nope...)

So?
● What's the best way to steal money?
● Don't be noticed
  – Steal a tiny amount from everyone
  – Amass the amount gradually
  – Automated

Prediction 1
There will be malware that runs on the Internet of Things that will generate or attack a crypto currency.

Quantum Qomputer™
● Superposition
● Decoherence
● Probability

Quantum Qomputer Algorithms
● Shor's algorithm kills RSA AND all past data encrypted with RSA
● We will not know when it happens, only at some time later...
● Use Perfect Forward Secrecy now
● Start implementing existing algorithms that are not vulnerable to QQ

What about Crypto Currencies...?
● Are those crypto currencies vulnerable to quantum qomputers...?
● ECDSA is vulnerable to a variant of Shor's algorithm
● This would attack existing coins and blockchains
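The Apple "goto fail" snippet shown under Crypto Code, as an added example that is not from the slides: a toy hash (constructed here) stands in for SSLHashSHA1, the vulnerable control flow is reproduced beside a hardened version, and the pair shows why the duplicated goto makes any signature verify.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy hash standing in for SSLHashSHA1 (constructed for this example; not a real digest). */
typedef struct { uint32_t acc; } hash_ctx_t;

static int hash_update(hash_ctx_t *c, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) c->acc = c->acc * 31u + buf[i];
    return 0;
}
static int hash_final(hash_ctx_t *c, uint32_t *out) { *out = c->acc; return 0; }

/* What a legitimate signer would have produced over these handshake fields. */
uint32_t expected_signature(const uint8_t *server_random, size_t rlen,
                            const uint8_t *signed_params, size_t plen) {
    hash_ctx_t c = {0}; uint32_t out = 0;
    hash_update(&c, server_random, rlen);
    hash_update(&c, signed_params, plen);
    hash_final(&c, &out);
    return out;
}

/* Same control flow as the Apple snippet. The duplicated `goto fail` is not guarded by
   the `if` above it, so final() and the comparison never run and err is still 0 (= "OK"). */
int verify_vulnerable(const uint8_t *server_random, size_t rlen,
                      const uint8_t *signed_params, size_t plen, uint32_t signature) {
    hash_ctx_t c = {0}; uint32_t hash_out = 0; int err;
    if ((err = hash_update(&c, server_random, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&c, signed_params, plen)) != 0)
        goto fail;
        goto fail;                              /* the stray line: always executed */
    if ((err = hash_final(&c, &hash_out)) != 0)
        goto fail;
    err = (hash_out == signature) ? 0 : -1;     /* never reached */
fail:
    return err;                                 /* 0 means "signature accepted" */
}

/* Hardened form: err defaults to failure, every branch is braced, and 0 can only
   come out of the comparison itself. */
int verify_fixed(const uint8_t *server_random, size_t rlen,
                 const uint8_t *signed_params, size_t plen, uint32_t signature) {
    hash_ctx_t c = {0}; uint32_t hash_out = 0; int err = -1;
    if (hash_update(&c, server_random, rlen) != 0) { goto fail; }
    if (hash_update(&c, signed_params, plen) != 0) { goto fail; }
    if (hash_final(&c, &hash_out) != 0) { goto fail; }
    err = (hash_out == signature) ? 0 : -1;
fail:
    return err;
}
```

Compiling with warnings enabled (gcc's -Wmisleading-indentation, clang's -Wunreachable-code) flags the vulnerable function, which is the cheapest detection for this class of defect.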
Prediction 2
Crypto currency will be attacked at the crypto layer, resulting in a crash, then a readjustment after transition to a new blockchain and a new coin.

Crypto Trust
● What to trust, what not to trust?
● Short-term mitigations to the bad crypto?
● Long-term strategies for crypto?

Untrustworthy Systems
● Closed source
● Proprietary hardware

Trustworthy
● Shannon: “The enemy knows the system”
● Kerckhoffs: “The security of a system resides only in the key”
● Open source
● We know good crypto works
● Crypto tunnelled in crypto (SSH in VPN)
  – use separate algorithms and implementations
  – defense in depth

Long Term Strategies
● Cryptography is the foundation of the financial and Internet social system (privacy, confidentiality, integrity, non-repudiation, anonymity).
● Cryptography must be free, must be open, must be auditable.
● The best physicists in the world built CERN's LHC, the most complex and beautiful machine ever made by humans.
● Why can't the best cryptographers, mathematicians and computer scientists collaborate and build beautiful cryptography?
● We should be building and distributing robust, standard, cross-platform crypto implementations.