BRKSEC-3005 (2017)
Algorithms
… does it take to screw in a light bulb? −e^(iπ)
−e^(iπ) = −(cos(π) + i·sin(π)) = −(−1 + i·0) = −(−1) = 1
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Cryptographic Mechanisms: Encryption, Signatures
Key Strength (figure: strong vs. weak)
Attacker Strength (figure)
Algorithms Never Get Stronger (figure: SHA-1)
Key Strength (figure)
Prevalent (2017): AES-128-CBC, DH-1024, RSA-1024, SHA-1

Next Generation Encryption
Security level   Lifetime                 Encryption    Key exchange   Signature    Hash
128-bit          ±30 years                AES-128-GCM   ECDH-P256      ECDSA-P256   SHA-256

NGE higher security levels
Security level   Lifetime                 Encryption    Key exchange   Signature    Hash
192-bit          "Foreseeable future"     AES-192-GCM   ECDH-P384      ECDSA-P384   SHA-384
256-bit          Long term                AES-256-GCM   ECDH-P521      ECDSA-P521   SHA-512
Next Generation Encryption
Authenticated encryption   AES-GCM
Authentication             HMAC-SHA-2
Hashing                    SHA-2
Entropy                    SP 800-90 (DRBGs)
Protocols                  TLSv1.2, IKEv2, IPsec, MACsec
Hashes and HMACs
Focus on SHA-2

What is a Cryptographic Hash Function?
A legitimate message of any length goes through the hash function, which is easy and fast to compute, and comes out as a fixed-length output (the hash).
Reference: Wikipedia
Reference: Wikipedia, RFC 4868 (Not IKE)

Hash vs HMAC
Hash:  Message → hash function → hash. Goal: collision resistance.
HMAC:  Message + Key → hash function → HMAC (looks like "&@%!" to anyone without the key). Goal: unforgeability.
Using a Hash or an HMAC

Scenario 1 – hash only. Goal: data does not get corrupted in transit.
  Alice must send a message m. She computes h = HASH(m) and sends (h, m).
  Bob computes h' = HASH(m) and checks h' = h: if yes the message is valid, if no the message was damaged.
  Weakness: an attacker can modify m and recompute h, so a bare hash protects only against accidental corruption.

Scenario 2 – HMAC. Alice and Bob share a pre-shared key k. Goal: Bob is assured the data comes from Alice.
  Alice computes hmac = HASH(m|k) (simplified notation; the real construction is HMAC, RFC 2104) and sends (hmac, m).
  Bob computes hmac' = HASH(m|k) and checks hmac' = hmac: if yes the message is valid and was produced by a holder of k, if no the message was damaged or forged.
  The attacker CANNOT modify m and recompute hmac without knowing k.
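The two scenarios above in code, as an added example (editor's code, not from the slides): the plain-hash check accepts a forged message as soon as the attacker recomputes h, while the HMAC check does not. The key and the message are constructed for the demonstration, and the tag uses the RFC 2104 HMAC from the standard library rather than the slide's simplified HASH(m|k).

```python
import hashlib
import hmac

# Constructed sample data (not from the slides).
KEY = b"pre-shared-key-k"
MESSAGE = b"transfer 100 EUR to account 12345"


def send_with_hash(m):
    """Scenario 1: Alice sends (h, m) with h = HASH(m). Anyone can compute h."""
    return hashlib.sha256(m).hexdigest(), m


def check_with_hash(h, m):
    """Bob recomputes h' = HASH(m) and compares. Detects accidental damage only."""
    return hashlib.sha256(m).hexdigest() == h


def send_with_hmac(k, m):
    """Scenario 2: Alice sends (hmac, m), the tag keyed with the shared secret k
    (RFC 2104 HMAC-SHA-256 instead of the slide's simplified HASH(m|k))."""
    return hmac.new(k, m, hashlib.sha256).hexdigest(), m


def check_with_hmac(k, tag, m):
    """Bob recomputes the tag with the shared key. compare_digest runs in constant
    time, so the comparison does not leak how many leading characters matched."""
    expected = hmac.new(k, m, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def tamper(m):
    """Attacker on the wire changes the destination account."""
    return m.replace(b"12345", b"99999")


def demo():
    """Run both scenarios against the same tampering attacker; every value is True."""
    results = {}

    h, m = send_with_hash(MESSAGE)
    forged = tamper(m)
    results["hash_detects_naive_tamper"] = not check_with_hash(h, forged)
    # ...but the attacker simply recomputes h over the forged message (slide 21, top)
    recomputed, _ = send_with_hash(forged)
    results["hash_accepts_recomputed_tag"] = check_with_hash(recomputed, forged)

    tag, m = send_with_hmac(KEY, MESSAGE)
    forged = tamper(m)
    results["hmac_accepts_genuine"] = check_with_hmac(KEY, tag, m)
    results["hmac_rejects_tamper"] = not check_with_hmac(KEY, tag, forged)
    # without k the attacker cannot recompute a valid tag; a guessed key fails
    guessed_tag, _ = send_with_hmac(b"guessed-key", forged)
    results["hmac_rejects_forged_tag"] = not check_with_hmac(KEY, guessed_tag, forged)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The only difference between the two checks is the key: the hash path verifies that m matches h, the HMAC path verifies that whoever produced the tag knew k.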
Applied hashing: Blockchain & bitcoin & …

Blockchain
Figure: a chain of blocks (genesis block, Block #1, Block #2, …), each holding a Timestamp, a Payload, a Nonce and hashPrevBlock, the hash of the previous block (None for the genesis block).

The class from the slide, completed so that it runs (the slide showed only the signatures of hash(), mine() and verify()):

import hashlib
import logging
from datetime import datetime

logger = logging.getLogger(__name__)

class Block(object):
    def __init__(self, hashPrevBlock, payload):
        self.hashPrevBlock = hashPrevBlock   # None for the genesis block
        self.payload = payload
        self.timestamp = datetime.now()
        self.Nonce = self.mine()             # proof of work, see next slide

    def hash(self, Nonce=None):
        # the hash commits to the previous block, the payload, the timestamp and the nonce
        data = "%s|%s|%s|%s" % (self.hashPrevBlock, self.payload, self.timestamp.isoformat(), Nonce)
        return hashlib.sha256(data.encode()).hexdigest()

    def mine(self):
        for nonce in range(1, 10000000):
            if self.hash(nonce).startswith("0000"):
                return nonce
        raise RuntimeError("no nonce found in range")

    def verify(self):
        # recompute the proof of work from the stored nonce
        return self.hash(self.Nonce).startswith("0000")
Mining

    def mine(self):
        # let's calculate hash until we have "0000" at the beginning
        for nonce in range(1, 10000000):
            attempt = self.hash(nonce)
            if attempt.startswith("0000"):  # mathematical challenge: find a hash that starts with x zeros
                logger.debug("We found matching hash %s for nonce %d", attempt, nonce)
                self.Nonce = nonce          # store the nonce (not the hash) so verify() can recompute the hash
                return self.Nonce
        raise RuntimeError("no nonce found in range")
Symmetric Encryption Algorithms: One Time Pad & AES

One Time Pad
• A pad is a truly random sequence of numbers (here bits); ciphertext = message XOR pad
  M        1 0 0 1 1 0 1 1 1 …
  Pad      0 1 1 0 0 0 1 0 1 …
  Cipher   1 1 1 1 1 0 0 1 0 …
One Time Pad – example (letters A=0 … Z=25, arithmetic mod 26)
Encryption:
  message              H   E   L   L   O
                       7   4  11  11  14
  + key               23  12   2  10  11
  = m+k               30  16  13  21  25
  (m+k) mod 26         4  16  13  21  25
  ciphertext           E   Q   N   V   Z
Decryption:
  ciphertext           E   Q   N   V   Z
                       4  16  13  21  25
  − key               23  12   2  10  11
  = c−k              −19   4  11  11  14
  (c−k) mod 26         7   4  11  11  14
  message              H   E   L   L   O

Issue 1 – Key Length
(same encryption table as above)
The key must have the same size as the message… key exchange is a problem! Select carefully…

Issue 2 – Key Re-use & Known Plain Text Attack
Assumption #1: the attacker knows some plaintext (e.g. injection, guess, …)
Assumption #2: the attacker can wiretap the ciphertext
  ciphertext           E   Q   N   V   Z
                       4  16  13  21  25
  − known message      7   4  11  11  14   (H E L L O)
  = c−m               −3  12   2  10  11
  (c−m) mod 26        23  12   2  10  11   = KEY
Conclusion: the attacker can compute the key easily, and then decrypt every other message encrypted with the same key.
DO NOT REUSE KEY!!
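The three one-time-pad slides above carried through in code, as an added example (editor's code, not from the slides): mod-26 encryption and decryption of the slide's HELLO/XMCKL pair, recovery of the key from a known plaintext, and the break of a second message sent under the reused key. The second message WORLD is constructed for the demonstration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # A=0 ... Z=25, as on the slides


def to_nums(text):
    return [ALPHABET.index(ch) for ch in text]


def to_text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)


def otp_encrypt(message, key):
    """c_i = (m_i + k_i) mod 26. Issue 1: the key must be as long as the message."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must have the same length as the message")
    return to_text(m + k for m, k in zip(to_nums(message), to_nums(key)))


def otp_decrypt(ciphertext, key):
    """m_i = (c_i - k_i) mod 26."""
    return to_text(c - k for c, k in zip(to_nums(ciphertext), to_nums(key)))


def recover_key(ciphertext, known_plaintext):
    """Issue 2, known plaintext: k_i = (c_i - m_i) mod 26 for every known position."""
    return to_text(c - m for c, m in zip(to_nums(ciphertext), to_nums(known_plaintext)))


def break_reused_key(c1, known_m1, c2):
    """Two messages under the same pad: take the pad from (c1, m1), strip it off c2."""
    pad = recover_key(c1, known_m1)
    return otp_decrypt(c2[: len(pad)], pad)


def fresh_key(length):
    """What a pad should be: uniformly random letters from a CSPRNG, used exactly once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    key = "XMCKL"                      # 23 12 2 10 11 from the slide
    c1 = otp_encrypt("HELLO", key)     # EQNVZ
    c2 = otp_encrypt("WORLD", key)     # constructed second message, same key
    print(c1, otp_decrypt(c1, key))
    print("recovered key:", recover_key(c1, "HELLO"))
    print("second message:", break_reused_key(c1, "HELLO", c2))
```

The recovery step is a single subtraction per letter: once one plaintext is known, key reuse turns the "unbreakable" pad into a Vigenère with a known key.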
AES – The Advanced Encryption Standard
• The block size is large (128 bits standardized)
• The key size is large (128, 192 or 256 bits)
• AES operates on full bytes (faster on general-purpose CPUs)
• National Institute of Standards and Technology: "A machine that cracks 56-bit DES in 1 second would take 149 trillion years to crack 128-bit AES"
• Summary:
  • AES is faster and more secure than DES or 3DES
  • AES is easier to implement than DES on constrained hardware
• IS THIS TRUE?
AES: Individual Rounds
Figure: Input → Round 0 (AddRoundKey with Key 1) → Round 1 … (SubBytes, ShiftRows, MixColumns, AddRoundKey with Key 2, …) → Output; the round keys come from the Key Schedule.
Note: the last round is slightly different from the rest of the rounds (no MixColumns).
Block Cipher Modes of Operation (ECB, CBC, counter)
Figure: the same five-block message m = 1 2 3 1 4 encrypted in three modes.
• ECB: each block is encrypted independently with the same key (one ENC per block). Identical plaintext blocks give identical ciphertext blocks, so the repeated block "1" is visible in the ciphertext: patterns leak.
• CBC: each plaintext block is XORed with the previous ciphertext block before ENC, the first one with the IV; repeated plaintext blocks no longer repeat in the ciphertext.
• CTR: a DRBG seeded by the IV (ENC of IV, IV+1, IV+2, IV+3, IV+4) generates a pad that is XORed with the message: a one-time pad that depends on the IV. Make the IV unique to ensure a unique pad.
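The CTR column of the figure, and the consequence of violating "make the IV unique", as an added example (editor's code, not from the slides). HMAC-SHA-256 stands in for the AES block encryption because the Python standard library has no AES; the structure is the one drawn on the slide, pad = PRF(key, IV || counter) and ciphertext = plaintext XOR pad. Key and plaintexts are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 32  # bytes of pad per counter block (SHA-256 output size)


def keystream_block(key, iv, counter):
    """One pad block of the 'DRBG seeded by IV': PRF(key, IV || counter).
    HMAC-SHA-256 replaces AES here; a real CTR/GCM implementation uses AES(key, IV||ctr)."""
    return hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_xor(key, iv, data):
    """CTR mode: XOR the data with pad(IV), pad(IV+1), ... The same call decrypts."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), BLOCK)):
        pad = keystream_block(key, iv, ctr)
        out.extend(p ^ k for p, k in zip(data[start:start + BLOCK], pad))
    return bytes(out)


def enc(key, data, iv=None):
    """Correct use: a fresh random IV per message, sent in clear next to the ciphertext."""
    iv = os.urandom(16) if iv is None else iv
    return iv, ctr_xor(key, iv, data)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_iv_reuse(c1, c2):
    """Two ciphertexts under the same key and IV share the pad, so
    c1 XOR c2 = m1 XOR m2: the pad cancels, exactly as with a reused one-time pad."""
    return xor_bytes(c1, c2)


def demo():
    key = b"\x01" * 16                # constructed key
    m1 = b"ATTACK AT DAWN --"         # constructed plaintexts, same length
    m2 = b"RETREAT AT NOON -"
    # correct: two encryptions of the same plaintext look unrelated
    iv_a, c_a = enc(key, m1)
    iv_b, c_b = enc(key, m1)
    # broken: the IV is reused for two different messages
    reused_iv = b"\x00" * 16
    _, c1 = enc(key, m1, reused_iv)
    _, c2 = enc(key, m2, reused_iv)
    m2_recovered = xor_bytes(leak_from_iv_reuse(c1, c2), m1)   # attacker knows m1
    return {
        "roundtrip": ctr_xor(key, iv_a, c_a) == m1,
        "different_ct_same_pt": c_a != c_b,
        "m2_recovered": m2_recovered == m2,
    }


if __name__ == "__main__":
    print(demo())
```

With a unique IV per message the pad never repeats; with a reused IV the attacker needs neither the key nor the cipher, only one known plaintext, to read the other message.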
AES-GCM
Figure: the counter block, fed from the Initialization Vector, drives an AES-based PRNG (a secure CTR DRBG) that generates the pad; the pad is XORed with the plaintext (one-time pad, secure as long as the pad is never reused). A "weak but fast" MAC over the ciphertext provides the authentication; the slide labels it HMAC, but GCM's tag is GMAC (GHASH, a polynomial MAC over GF(2^128), see NIST SP 800-38D), not HMAC.
RSA

Modular Arithmetic
• Modulo is like a clock:
  0 1 2 3 4 5 6 7 8 9 10 11 …   mod 4   →   0 1 2 3 0 1 2 3 0 1 2 3 …
Encryption with Modular Arithmetic
Alice                                              Bob
Must send a private message m                      Selects three numbers n, d & e
                                                   n & e are public, d is secret
Takes n & e from Bob                               e, d are chosen such that ed ≡ 1 (mod φ(n)), φ(n) being Euler's totient of n (see the RSA keys slide)
(we assume m < n)
Computes c = m^e mod n, sends c  →                 Computes m' = c^d mod n
Attacker cannot recover m                          m' = c^d mod n
just knowing c, n and e                               = (m^e)^d mod n
                                                      = m^(ed) mod n
                                                      = m^1 mod n
                                                      = m
Bob has reversed the operation!!
Bob knows d but nobody else…
We have an encryption scheme
Signature with Modular Arithmetic
Alice                                              Bob
                                                   Selects three numbers n, d & e
                                                   n & e are public, d is secret
Attacker cannot recover d                          e, d are chosen such that ed ≡ 1 (mod φ(n))
just knowing m, n and e
                                                   Must send a signed message m (we assume m < n)
Takes n & e from Bob                               Computes c = m^d mod n, sends (c, m)  →
Computes m' = c^e mod n
   = (m^d)^e mod n
   = m^(de) mod n
   = m^1 mod n
   = m mod n
   = m
Bob must have sent (c, m): since d is impossible to guess, c is impossible to forge.
(In practice d is applied to a padded hash of m, PKCS#1 as in FIPS 186-4, not to m itself: textbook RSA as shown here is malleable.)
Now how can we find such e, d and n?

Regular Exponentiation – Use Dichotomy (figure: square-and-multiply)
MODP Exponentiation – dichotomy is broken (figure: the result mod p is not monotonic in the exponent, so the exponent cannot be found by bisection; this is the discrete logarithm problem)
Where Quantum Computers Come In (figure)
About Prime Numbers
• A number is prime if it is divisible only by one and itself (picture: Khan Academy)
• A number is composite if it is the product of two or more prime numbers
• Factorization is a hard problem: the best known algorithm, the General Number Field Sieve (see the WeakDH backup slide), runs in sub-exponential but still super-polynomial time
• Fundamental Theorem of Arithmetic: a given number has a single (unique) prime factorization
• Euclid's theorem: there are infinitely many primes
• Prime density (the fraction of integers up to x that are prime) is about 1/ln(x)
• The density drops off rapidly in the beginning but very slowly after a few powers of 10
• π(x) ≈ x/ln(x): the number of primes < x (Prime Number Theorem)
RSA keys – finding e, d, n such that m^(ed) ≡ m (mod n)
• Choose two distinct prime numbers p, q and hide them forever!
• n = p·q; n is hard to factor if p & q are very large
• φ(n) = n − (p + q − 1)
  • p & q are prime, so φ(p) = p − 1 and φ(q) = q − 1
  • φ(n) = φ(pq) = φ(p)·φ(q) = (p − 1)(q − 1) = n − (p + q − 1)
• Notation: m – arbitrary message; n – the modulus; e – the public key; d – the private key
• Final steps, Euler's theorem: m^φ(n) ≡ 1 (mod n) when gcd(m, n) = 1
  • 1^k = 1, so (m^φ(n))^k ≡ 1^k (mod n), i.e. m^(kφ(n)) ≡ 1 (mod n)
  • 1·m = m, so m·m^(kφ(n)) ≡ m (mod n), i.e. m^(kφ(n)+1) ≡ m (mod n)
  • We look for e, d, n such that m^(ed) ≡ m^(kφ(n)+1) ≡ m (mod n), i.e. ed = kφ(n) + 1
• d = (kφ(n) + 1) / e = (k·(n − (p + q − 1)) + 1) / e
• Select e, a small integer such that GCD(e, φ(n)) = 1 (this is what guarantees a d exists)
  • e is usually 3 or 65537
  • adjust k to make d an integer (equivalently, d ≡ e^(−1) mod φ(n))
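The encryption, signature and key-generation slides above, carried through in code as an added example (editor's code, not from the slides). It follows the slide's recipe literally, including the "adjust k until d is an integer" step and the square-and-multiply exponentiation of the "dichotomy" slide, on the classic textbook toy values p = 61, q = 53, e = 17 (not from the slides). It is textbook RSA without padding, as on the slides, and the last function shows why that is malleable.

```python
from math import gcd


def square_and_multiply(base, exponent, modulus):
    """Exponentiation by repeated squaring ("dichotomy"), reducing mod n at every step so the
    numbers never exceed the modulus. Same result as Python's pow(base, exponent, modulus)."""
    result, base = 1, base % modulus
    while exponent > 0:
        if exponent & 1:
            result = (result * base) % modulus
        base = (base * base) % modulus
        exponent >>= 1
    return result


def rsa_keygen(p, q, e=65537):
    """n = p*q, phi(n) = (p-1)(q-1), d = (k*phi(n) + 1) / e for the k that makes d an integer."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    # the slide's method: walk k until e divides k*phi + 1 (some k < e always works)
    d = next((k * phi + 1) // e for k in range(1, e) if (k * phi + 1) % e == 0)
    assert (e * d) % phi == 1            # ed = k*phi(n) + 1
    return n, e, d


def rsa_encrypt(m, n, e):
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return square_and_multiply(m, e, n)   # c = m^e mod n


def rsa_decrypt(c, n, d):
    return square_and_multiply(c, d, n)   # m = c^d mod n


def rsa_sign(m, n, d):
    return square_and_multiply(m, d, n)   # s = m^d mod n (textbook, no hash, no padding)


def rsa_verify(m, s, n, e):
    return square_and_multiply(s, e, n) == m


def textbook_malleability(m1, m2, n, d):
    """Why real signatures pad a hash: sign(m1) * sign(m2) mod n is a valid signature of
    m1*m2 mod n, a message nobody signed."""
    forged = (rsa_sign(m1, n, d) * rsa_sign(m2, n, d)) % n
    return forged == rsa_sign((m1 * m2) % n, n, d)


if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53, 17)     # n = 3233, phi = 3120, d = 2753
    c = rsa_encrypt(65, n, e)
    print("c =", c, "m' =", rsa_decrypt(c, n, d))
    s = rsa_sign(65, n, d)
    print("signature verifies:", rsa_verify(65, s, n, e))
    print("textbook RSA is malleable:", textbook_malleability(65, 7, n, d))
```

With e = 17 and φ(n) = 3120 the loop stops at k = 15: 15·3120 + 1 = 46801 = 17·2753, so d = 2753. Nothing here checks that p and q are prime or large; a real key generator does both and uses a CSPRNG to pick them.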
DH – Diffie-Hellman
Alice                                              Bob
The group definition: select a generator g and a modulus p (public)
Pick a random number a                             Pick a random number b
Keep a secret!!                                    Keep b secret!!
Compute Apub = g^a mod p                           Compute Bpub = g^b mod p
Send Apub, (g, p)  →                               ←  Send Bpub
Shared secret: Bpub^a = g^(ab) mod p               Shared secret: Apub^b = g^(ab) mod p
Attacker cannot guess a; attacker cannot guess b (discrete logarithm problem)

DH is sensitive to a Man-in-the-Middle Attack
Alice                        Mallet                                 Bob
Apub = g^a mod p             Mpub = g^m mod p                       Bpub = g^b mod p
Apub →                       "I'm Alice": Mpub →
                             ← "I'm Bob": Mpub                      ← Bpub
Alice computes Mpub^a, Bob computes Mpub^b; Mallet computes Apub^m and Bpub^m and so shares a key with each side, relaying and reading everything. Nothing in plain DH authenticates the public values.
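The exchange and the man-in-the-middle of the two slides above, as an added example (editor's code, not from the slides). The group p = 2^31 − 1, g = 7 is a constructed toy group, far too small for real use (the recommendations slide asks for ≥ 2048-bit MODP or ECDH); the last two functions show the fix the later IKEv2 and TLS slides rely on, authenticating the public value, here with an HMAC under a pre-shared key rather than the certificate signatures those protocols use.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: Mersenne prime p = 2^31 - 1 with generator g = 7.
P = 2 ** 31 - 1
G = 7


def random_private(p=P):
    return secrets.randbelow(p - 2) + 1          # exponent in [1, p-2]


def dh_public(priv, p=P, g=G):
    """Apub = g^a mod p."""
    return pow(g, priv, p)


def dh_shared(priv, other_pub, p=P):
    """Alice: Bpub^a = g^(ab); Bob: Apub^b = g^(ab)."""
    return pow(other_pub, priv, p)


def honest_exchange(a, b):
    """Both sides derive the same secret; an eavesdropper sees only g^a and g^b."""
    return dh_shared(a, dh_public(b)) == dh_shared(b, dh_public(a))


def mitm_exchange(a, b, m):
    """Mallet replaces Apub and Bpub with his own Mpub in both directions."""
    apub, bpub, mpub = dh_public(a), dh_public(b), dh_public(m)
    k_alice = dh_shared(a, mpub)                 # Alice believes mpub came from Bob
    k_bob = dh_shared(b, mpub)                   # Bob believes mpub came from Alice
    return {
        "alice_shares_key_with_mallet": k_alice == dh_shared(m, apub),
        "bob_shares_key_with_mallet": k_bob == dh_shared(m, bpub),
        "alice_and_bob_agree": k_alice == k_bob,  # False: Mallet sits between two keys
    }


def authenticated_public(priv, psk):
    """The fix: bind the public value to something Mallet does not have. Here an HMAC
    under a pre-shared key; IKEv2 (Auth payload) and TLS (signed ServerKeyExchange)
    achieve the same with signatures."""
    pub = dh_public(priv)
    tag = hmac.new(psk, pub.to_bytes(4, "big"), hashlib.sha256).digest()
    return pub, tag


def verify_public(pub, tag, psk):
    expected = hmac.new(psk, pub.to_bytes(4, "big"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    a, b, m = random_private(), random_private(), random_private()
    print("honest:", honest_exchange(a, b))
    print("mitm:", mitm_exchange(a, b, m))
    pub, tag = authenticated_public(a, b"shared-auth-secret")
    print("Mallet's substitute accepted:", verify_public(dh_public(m), tag, b"shared-auth-secret"))
```

In the MITM case the two dictionary entries about Mallet are True and the third is False: each honest party has a perfectly good DH key, just not with the peer it thinks it has.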
ECC
Elliptic Curve Cryptography

What is an elliptic curve? (figure: the curve over the reals, with the point at infinity O)
The scalar multiplication n*P (figure: P, 2P, … obtained by repeated chord-and-tangent addition; O is the identity)
Elliptic curves over finite fields
• Remember… modulo arithmetic (the clock: 0 1 2 3 4 5 … mod 4 → 0 1 2 3 0 1 …)
• Galois Field = Finite Field
• Let E be an elliptic curve defined over a finite field F_m (arithmetic modulo m):
  • E(F_m) = {O} ∪ {(x, y) ∈ F_m × F_m | y² = x³ + ax + b, a, b ∈ F_m}
  • E(F_m) is the set of points whose coordinates belong to F_m × F_m and satisfy the equation, plus the point at infinity O
  • With the point addition seen before (chord and tangent, computed with the field operations + and ×), E(F_m) forms an abelian group; O is its identity
• For a prime field, m should be a prime number
  • It seems (seemed?) more computationally efficient when m is a Mersenne prime 2^k − 1 (with k itself prime), because reduction modulo m is cheap; multiplication speed matters a lot for ECDH and ECDSA
• The alternative is a binary field F_2^k (k prime), where Koblitz curves y² + xy = x³ + ax² + 1 with a = 0 or a = 1 are used
• There is debate about the actual security and efficiency of these curves!
• The order of a group G is the cardinality of that group, written ord(G) or |G|
• The order of a point P in a group G is the smallest n > 0 such that n*P = O, written ord(P) or |P|
Example Curve
E(F_11): y² = x³ + x + 2 (figure: the points of the curve)

Example on F_31 – Complexity Increases
m = 2^5 − 1 = 31 (a Mersenne prime)
E(F_31): y² = x³ + x + 2
|E(F_31)| = 24

The same on F_127 – Complexity Further Increases
m = 2^7 − 1 = 127
E(F_127): y² = x³ + x + 2
|E(F_127)| = 136
Let P be (40, 62); the figure shows 2*P, 3*P = 2*P + P, 6*P, 7*P, 8*P
n*P is easy to compute on F_m (double-and-add)
Difficult problem: knowing E, P and the point n*P, what is n? (the elliptic curve discrete logarithm problem)
ECDH – Elliptic Curve Diffie-Hellman
Alice                                              Bob
The curve definition f and the point P are public: select a curve f and a point P on the curve (domain parameters (P, f(x), m))
Pick a random number a, keep a secret!!            Pick a random number b, keep b secret!!
Compute Apub = a*P, send Apub  →                   ←  Compute Bpub = b*P, send Bpub
Shared secret: a*Bpub = (ab)*P                     Shared secret: b*Apub = (ab)*P
Attacker cannot guess a; attacker cannot guess b (elliptic curve discrete logarithm problem)

P-256 from "NIST routines"
• Where
  • p is the prime modulus
  • G is the generator (base point) of the curve
  • n is the order of G, i.e. n*G = O
  • a, b are the coefficients of y² = x³ + ax + b (mod p)

Cryptographic Curves, Public and Private Keys
• To define a public/private key pair, Alice…
  • Selects a curve
    • C = (p, a, b, G, n, h) over a prime field, or C = (m, f(x), a, b, G, n, h) over a binary field (f(x) the reduction polynomial); h is the cofactor |E|/n
  • Picks an integer kA ∈ [1, n−1] – this is her private key
  • Computes QA = kA * G – this is her public key
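The curve slides above in code, as an added example (editor's code, not from the slides): the group law on E(F_p), scalar multiplication by double-and-add, brute-force point counting on the slide's curves y² = x³ + x + 2 over F_11, F_31 and F_127, the order of the slide's point P = (40, 62), and an ECDH exchange on that toy curve. The private scalars used in the demo are constructed. Needs Python 3.8+ for the modular inverse pow(x, -1, p).

```python
O = None  # the point at infinity, identity of the group


class PrimeCurve:
    """E(F_p): y^2 = x^3 + a*x + b over the prime field F_p (the slide's F_m with m prime)."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Chord-and-tangent group law; division is multiplication by the modular inverse."""
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return O                                  # P + (-P) = O, also 2P when y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)                # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, n, P):
        """n*P by double-and-add: O(log n) group operations, the easy direction."""
        R = O
        while n > 0:
            if n & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            n >>= 1
        return R

    def points(self):
        """Enumerate E(F_p) including O. Feasible for toy p only; len() is |E(F_p)|."""
        pts = [O]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if (y * y) % self.p == rhs]
        return pts

    def order_of_point(self, P):
        """Smallest n > 0 with n*P = O, found by stepping: the hard direction, only for toys."""
        n, Q = 1, P
        while Q is not O:
            Q, n = self.add(Q, P), n + 1
        return n


def ecdh(curve, P, a, b):
    """Apub = a*P, Bpub = b*P; Alice computes a*Bpub, Bob computes b*Apub; both equal (ab)*P."""
    Apub, Bpub = curve.mul(a, P), curve.mul(b, P)
    return curve.mul(a, Bpub), curve.mul(b, Apub)


if __name__ == "__main__":
    for p in (11, 31, 127):
        E = PrimeCurve(p, 1, 2)
        print("|E(F_%d)| = %d" % (p, len(E.points())))
    E127, P = PrimeCurve(127, 1, 2), (40, 62)
    print("P on curve:", E127.on_curve(P), " ord(P) =", E127.order_of_point(P))
    print("3*P == 2*P + P:", E127.mul(3, P) == E127.add(E127.mul(2, P), P))
    print("ECDH secrets agree:", ecdh(E127, P, 7, 13))    # constructed private scalars 7 and 13
```

By Lagrange's theorem |E(F_p)| * P = O for every point, which the test uses as a check on both the point counting and the group law; on a real curve the same multiplication by n is how public keys are validated, while counting points or stepping to the order of a point is exactly what is infeasible.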
Performance and Security Comparisons
Security Level of Symmetric Crypto Algorithms (figure)

ECDH Gains in Security
The table below shows the comparable key lengths required in DH/RSA as compared to ECC-based DH to secure a symmetric key of a given length.
Symmetric key (bits)   ECC (bits)   DH/RSA modulus (bits)
80                     163          1024
112                    233          2048
128                    283          3072
192                    409          7680
256                    571          15360
Reference: draft-ietf-ipsec-ike-ecc-groups-05.txt, with further references contained therein
Rough Performance Comparison
Very rough comparison – orders of magnitude only (*) (figure)
Optimizations…

See Performances for Yourself 😀
• openssl speed aes
• openssl speed des-cbc
• openssl speed des-ede3      3DES (Encrypt-Decrypt-Encrypt)
• openssl speed rsa
• openssl speed ecdsa
• openssl speed dh            does not exist 🤔 (at least not in the OpenSSL of 2017)
• openssl speed ecdh
Practical Use…
The Crypto Angle

Certificates – Just an example…
    Version: 3 (0x2)
    Serial Number: 302543474681041022 (0x432d9aff179d07e)
    Signature Algorithm: sha256WithRSAEncryption          ← SHA-256 hash, RSA signature by the issuer
    Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
    Validity
        Not Before: Dec 10 17:52:51 2015 GMT
        Not After : Mar  9 00:00:00 2016 GMT
    Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
        Public-Key: (256 bit)
        pub:
            04:b5:64:5b:fa:48:ed:b7:f5:57:ba:24:d4:cc:b0:d8:74:5d:a3:6f:90:6a:37:e6:df:d8:6f:46:71:6a:
            09:e8:e3:64:b6:28:31:20:b4:9d:24:7f:6b:81:09:4b:b1:7d:3b:98:68:b5:4a:02:28:fe:b7:40:46:65:
            5b:f6:9d:a0:38
        ASN1 OID: prime256v1                               ← this is a "named curve"
        NIST CURVE: P-256                                  ← NIST Routines define (p, a, b, G, n)
    X509v3 extensions: [SKIPPED]
If r is the unknown secret integer (the private key), this big number is the point r*G on the curve: the leading 04 marks the uncompressed encoding, followed by the x and y coordinates (mod p).
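What a relying party should do with those 65 bytes, as an added example (editor's code, not from the slides): decode the uncompressed point and check it against the named curve's parameters. The P-256 domain parameters are transcribed here from FIPS 186-4; the check is the partial public-key validation of NIST SP 800-56A, which is what defends ECDH against invalid-curve attacks. The pub bytes are copied from the certificate dump above.

```python
# NIST P-256 (= prime256v1 = secp256r1) domain parameters, FIPS 186-4 D.1.2.3.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# The "pub:" bytes exactly as printed in the certificate dump on the slide.
CERT_PUBKEY_DUMP = """
04:b5:64:5b:fa:48:ed:b7:f5:57:ba:24:d4:cc:b0:d8:74:5d:a3:6f:90:6a:37:e6:df:d8:6f:46:71:6a:
09:e8:e3:64:b6:28:31:20:b4:9d:24:7f:6b:81:09:4b:b1:7d:3b:98:68:b5:4a:02:28:fe:b7:40:46:65:
5b:f6:9d:a0:38
"""


def parse_uncompressed_point(dump):
    """SEC 1 uncompressed encoding for a 256-bit curve: 0x04 || X (32 bytes) || Y (32 bytes)."""
    raw = bytes.fromhex("".join(dump.split()).replace(":", ""))
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point starting with 0x04")
    return int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")


def on_p256(point):
    """Does the point satisfy y^2 = x^3 + ax + b (mod p)?"""
    x, y = point
    return (y * y - (x ** 3 + P256_A * x + P256_B)) % P256_P == 0


def validate_p256_public_key(point):
    """SP 800-56A partial public-key validation: Q is not O, both coordinates lie in
    [0, p-1] and Q is on the curve. P-256 has cofactor h = 1, so every such point has
    order n and the full check n*Q = O is implied. An off-curve Q must be rejected:
    feeding it to ECDH is the invalid-curve attack."""
    x, y = point
    return 0 <= x < P256_P and 0 <= y < P256_P and on_p256(point)


if __name__ == "__main__":
    q = parse_uncompressed_point(CERT_PUBKEY_DUMP)
    print("x =", hex(q[0]))
    print("y =", hex(q[1]))
    print("valid P-256 public key:", validate_p256_public_key(q))
```

The same function applied to the base point G must return True, which is the test's sanity check on the transcribed constants; applied to G with its y-coordinate changed by one it must return False.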
IKEv2
Initiator                                               Responder
IKE_SA_INIT: Diffie-Hellman values and nonces exchanged in clear
KDF(g^ab, Nonces) → SKEYSEED → SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr   (both sides derive the same set)
IKE_AUTH, protected with SK_e* / SK_a*:
  →  IDi, Certificate Chain, Auth, TSi, TSr, SAi2
  ←  IDr, Auth, TSi, TSr, SAr2
The Auth payload (signature or PSK-based MAC over the IKE_SA_INIT messages) is what authenticates the DH exchange against the man-in-the-middle.

Hash DRBG for Key Derivation and Authentication
prf+ (K, S) = T1 | T2 | T3 | T4 | …
where:
  T1 = prf(K, S | 0x01)
  T2 = prf(K, T1 | S | 0x02)
  T3 = prf(K, T2 | S | 0x03)
  T4 = prf(K, T3 | S | 0x04)
  …
(RFC 7296 section 2.13; the slide calls this construction a "Hash DRBG")

IPsec: ESP packet format (figure; the fields include the Sequence Number)
IPsec HMAC and encryption keys are independent of the IKE session keys (they are derived from SK_d with prf+).
SSL/TLS with Pre-Master Secret (no DH)
Client                                                  Server
Hello, Client Random, Proposed Security Suites (incl. DH)  →
                                                        ←  Server Random, Certificate (server public key)
Picks a random PreMaster, sends it encrypted
under the server's public key  →                        PreMaster = Dec_ServerPriv(…)
KDF(PreMaster, randoms) → kmc, kms, ke                  KDF(PreMaster, randoms) → kmc, kms, ke
Change Cipher Spec
Client Finished: PRF(dialog)  (a MAC over the whole handshake so far)
traffic
No forward secrecy: whoever obtains the server's private key later can recover PreMaster and decrypt recorded traffic, hence "Use PFS" in the recommendations.

SSL/TLS with Ephemeral Diffie-Hellman
Client                                                  Server
Hello, Client Random, Proposed Security Suites (incl. DH)  →
                                                        ←  g^b mod p (ServerKeyExchange, signed with the server's certificate key: this is what defeats the man-in-the-middle of the DH slide)
g^a mod p  →
PreMaster = g^ab                                        PreMaster = g^ab
Master = PRF(PreMaster, randoms) → Kcm, Ksm, Kce, Kse, …
traffic
While TLS offers and recommends regular rekeying, session tickets span the lifetime of the application [Blackhat US-13, Daigniere, "TLS Secrets" slides]

TLS Key Derivation and Authentication
P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + …
A() is defined as A(0) = seed, A(i) = HMAC_hash(secret, A(i−1))
(RFC 5246 section 5; the same "Hash DRBG" pattern as IKEv2's prf+)
Authentication: the Finished messages apply the PRF to a hash of the conversation (the handshake transcript).
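The prf+ construction of the IKEv2 slide and the P_hash construction of the TLS slide, side by side in code as an added example (editor's code, not from the slides), together with the RFC 7296 derivation of the seven SK_* keys shown on the IKEv2 slide. The shared secret, nonces and SPIs are constructed byte strings; prf is HMAC-SHA-256 in both cases (PRF_HMAC_SHA2_256 for IKEv2, the TLS 1.2 default PRF).

```python
import hashlib
import hmac

IKEV2_KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(k, s, h=hashlib.sha256):
    """prf(K, S): HMAC-h keyed with K."""
    return hmac.new(k, s, h).digest()


def ikev2_prf_plus(k, s, length, h=hashlib.sha256):
    """RFC 7296 prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Ti = prf(K, T(i-1)|S|i).
    The chaining of T(i-1) into the next block is the 'Hash DRBG' shape of the slide."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        if i > 255:
            raise ValueError("prf+ is defined for at most 255 iterations")
        t = prf(k, t + s + bytes([i]), h)
        out += t
        i += 1
    return out[:length]


def ikev2_keys(g_ir, ni, nr, spi_i, spi_r, lengths):
    """RFC 7296 2.14: SKEYSEED = prf(Ni | Nr, g^ir); the SK_* keys are consecutive slices of
    prf+(SKEYSEED, Ni | Nr | SPIi | SPIr). `lengths` gives each key's size in bytes."""
    skeyseed = prf(ni + nr, g_ir)
    stream = ikev2_prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(lengths))
    keys, pos = {}, 0
    for name, size in zip(IKEV2_KEY_NAMES, lengths):
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


def tls12_p_hash(secret, seed, length, h=hashlib.sha256):
    """RFC 5246 P_hash(secret, seed) = HMAC(secret, A(1)|seed) | HMAC(secret, A(2)|seed) | ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)). Here the chain runs through A(i),
    and the seed is re-fed at every step."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, h).digest()
        out += hmac.new(secret, a + seed, h).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label | seed), e.g. label
    b"master secret" with seed = ClientHello.random | ServerHello.random."""
    return tls12_p_hash(secret, label + seed, length)


if __name__ == "__main__":
    # constructed inputs: in practice g^ir is the DH result, Ni/Nr/SPIs come from IKE_SA_INIT
    sizes = (32, 32, 32, 16, 16, 32, 32)        # SK_d, SK_a*, AES-128 SK_e*, SK_p*
    keys = ikev2_keys(b"g^ir", b"Ni", b"Nr", b"SPIi", b"SPIr", sizes)
    for name in IKEV2_KEY_NAMES:
        print(name, keys[name].hex())
    master = tls12_prf(b"pre-master", b"master secret", b"client random" + b"server random", 48)
    print("TLS master secret", master.hex())
```

Both functions are deterministic expansions of a short secret into as much keying material as the cipher suite needs, which is why the secret (g^ab, PreMaster) and the nonces/randoms that feed them are what an attacker has to recover.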
Recommendations and Conclusion
Reassurance

Recommendations
• Protocols
  • IKEv2 is cool – use it if you can (not always possible)
  • Keep an eye on TLS 1.3 for improvements
• Public Key Infrastructure (PKI)
  • Prefer ECDSA (curves of ≥ 256 bits) or RSA (modulus size >> 1024; 1536 or 2048 bits preferred)
  • HMAC-SHA-256 or better is a must
• Key Exchange
  • Use PFS (ephemeral keys)
  • Prefer ECDH of ~263 bits for mid-term security (~15 years) or MODP of ~3184 bits for 15+ years
  • If MODP, use a DH group >> 1024 bits (1536 or 2048 preferred)
  • IKEv2: group 5 (1536-bit MODP) or better
  • TLS 1.2: FIX YOUR SERVERS!! https://weakdh.org/sysadmin.html
  • Upgrade to TLS 1.3 whenever possible (still a draft in 2017)

Reputedly Safe Elliptic Curves
source: http://safecurves.cr.yp.to
Some Random Software… FlexVPN (IOS)
Keypair for certificates:
  crypto key generate ec keysize 256
  crypto key generate rsa 1536 (or better)
IKEv2 Profile (figure)

Some Random Software… WSA
See BRKSEC-3006 – Tobias Mayer on TLS Decryption using the Web Security Appliance

Some Random Software… OpenSSH
/etc/ssh/ssh_config (client side; the server equivalent is /etc/ssh/sshd_config):
  KexAlgorithms curve25519-sha256@libssh.org

Some Random Software… Apache (mod_ssl)
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder on
The tail of this list still admits non-PFS RSA key exchange (AES128-SHA, …) and 3DES (DES-CBC3-SHA) as a fallback for old clients; drop them once every client supports ECDHE, in line with "Use PFS" above.
Regenerate DH Parameters (Dovecot, /etc/dovecot.conf; the daemon regenerates them every week):
  ssl_dh_parameters_length = 2048
A Short Bibliography
• NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
• NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
• NIST SP 800-56A (Rev. 2): Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (i.e. DH, ECDH + key derivation methods)
• NIST SP 800-131A Rev. 1: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
• NIST FIPS 140-2: Security Requirements for Cryptographic Modules
• NIST FIPS 186-4: Digital Signature Standard (DSS) (DSA, RSA (PKCS#1), ECDSA, …)
• NIST FIPS 180-4: Secure Hash Standard (SHA-1, SHA-256, …, SHA-512)
• NIST Routines: https://www.nsa.gov/ia/_files/nist-routines.pdf (Curves P-192, P-224, P-256 etc.)
• Safe Curves: http://safecurves.cr.yp.to
• Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH: http://www.mitls.org/downloads/transcript-collisions.pdf
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Q&A
Thank You

Here go backup slides
Blom Scheme
aka ESON

Blom Scheme Overview
• P is a PUBLIC (t+1) × N matrix over GF(q), q a prime number
• N is the number of participants
• t is the "security parameter": the number of colluding participants needed to break the system; t << N
• A Vandermonde matrix fits the bill, n_i being participant i's public identifier:
      | 1      1      …   1      |
      | n1     n2     …   nN     |
  P = | n1²    n2²    …   nN²    |
      | …      …      …   …      |
      | n1^t   n2^t   …   nN^t   |
• Any t+1 columns of P are linearly independent, i.e. for any distinct columns P_i1 … P_i(t+1) the only solution of x1·P_i1 + … + x(t+1)·P_i(t+1) = 0 is x1 = … = x(t+1) = 0 (the Vandermonde determinant is non-zero when the n_i are distinct)

For example… t=2, N=10, q=127 (figure)
Hashes and HMAC
Attacks, Weaknesses & Self-Inflicted Pain

A back-doored PRNG: Dual EC DRBG (source: NIST SP 800-90A)
Issue #1: the generator outputs too many bits of the x-coordinate of s·Q; only 16 bits remain to guess, which leads to the point s·Q. Not a problem in itself…
Yep… (xkcd.com)
SLOTH: MD5 is dead; SHA-1 in a state of grace
• SLOTH: Security Loss from Obsolete and Truncated Hashes
• Impersonation and authentication attacks!
                     MD5         SHA-1       SHA-1 | MD5 (*)
digest size          128 bits    160 bits    288 bits
collision            2^16        2^61        2^67
second pre-image     2^39        2^77        2^77
(*) the concatenation used up to TLS 1.1
Cost annotations on the slide: within reach of a university…, of a large enterprise, of a dedicated government
• This means…
  • HMAC-MD5 is not suitable for anything
  • SHA-1 is not suitable for anything long term (e.g. certificates)

NIST SP 800-131A Revision 1 (figure: algorithm and key-length transition table)

WeakDH: The Number Field Sieve Algorithm (figure)
Enters Logjam (figure)
In practice… (figure)
Quantum Computers & Post Quantum Cryptography
• Common crypto relies on one of three hard mathematical problems:
  • Integer factorization problem (RSA)
  • Discrete logarithm problem (DH, DSA)
  • Elliptic curve discrete logarithm problem (ECDH, ECDSA)
• Shor's algorithm solves all three on a large enough quantum computer

Shor's Algorithm to factorize N (flowchart)
1. Pick a random a with 1 < a < N and compute GCD(a, N)
2. If GCD(a, N) ≠ 1, it is a non-trivial factor of N: Done!
3. If GCD(a, N) = 1, find the period r of a^x mod N (the quantum step)
4. If r is odd, or a^(r/2) ≡ −1 mod N, go back to step 1 with a new a
5. Otherwise GCD(a^(r/2) − 1, N) and GCD(a^(r/2) + 1, N) are non-trivial factors of N: Done!