OpenWest 2014/Cargo Cult Security

by Derrick Isaacson

Cargo Cult Security 2014_01_18 - http://www.slideshare.net/DerrickIsaacson/cargo-cult-security-20140118

Github - https://github.com/disaacson/cargo-cult-security

Zimmermann Telegram - Mexico German war

Ciphertext, plaintext

Symmetric Key Cryptography (Private-key Cryptography)

Blowfish, Twofish, Serpent, AES (Rijndael), CAST5, RC4, 3DES, IDEA

Crypto Primitives & Goals - https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325

Crypto Primitives     Hash          MAC     Symmetric Key   Asymmetric Key   Digital     Digital
                      Salted Hash   HMAC    Crypto          Crypto           Signature   Certificates
Security Goals
Data Integrity        XXX           XXX                                      XXX
Data Authentication                 XXX                     XXX              XXX
Non-Repudiation                                             XXX              XXX
Confidentiality                             XXX             XXX*
Trust                                                                                    XXX
 * Public key can be used to encrypt data that can only be decrypted with private key

Love HMACs

Cargo Cult Programming - Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.

Anti-pattern: authentication
 * using encryption for authentication is bad. Use HMAC instead
 * don't use a symmetric key alone, as flipping a bit in the ciphertext will just bump the ID to the next one
 * Use HMAC

Anti-pattern: Integrity
 * Symmetric key is only good for confidentiality
 * HMAC good for Data Integrity and Data Authentication
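
Added example (not from the talk or its repository) for the two anti-patterns above: a flipped ciphertext bit still decrypts, to the next ID, while an HMAC-tagged value rejects the change. The SHA-256 keystream is a stand-in for a real stream cipher or CTR mode so the code runs on the standard library alone; the function names, keys and `user_id=1000` value are constructed for the demo.

```python
import hashlib
import hmac
import secrets

ENC_KEY = secrets.token_bytes(32)  # constructed demo keys
MAC_KEY = secrets.token_bytes(32)

def _keystream(key, nonce, n):
    # Stand-in for a real stream cipher or CTR mode (assumption of this example):
    # SHA-256 over key, nonce and a block counter. Not for production use.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh per message
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))  # never fails: no integrity check

def flip_last_bit(blob):
    # Tampering in transit: one bit changed, no key needed.
    return blob[:-1] + bytes([blob[-1] ^ 0x01])

def sign(key, message):
    return message + hmac.new(key, message, hashlib.sha256).digest()

def verify(key, token):
    # Returns the message only if the 32-byte HMAC-SHA256 tag matches.
    message, tag = token[:-32], token[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    # Anti-pattern: treating "it decrypts" as proof the value is ours.
    cookie = encrypt(ENC_KEY, b"user_id=1000")
    print(decrypt(ENC_KEY, flip_last_bit(cookie)))   # ID bumped to the next one
    # HMAC: the same kind of change is rejected.
    token = sign(MAC_KEY, b"user_id=1000")
    print(verify(MAC_KEY, token))
    print(verify(MAC_KEY, b"user_id=1001" + token[12:]))
```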

Anti-pattern: Encryption Modes
 * Electronic Codebook (ECB) mode encryption
 * a bitmap hack (think picture) gives an idea of the contained data
 * Cipher Block Chaining (CBC) mode encryption
 * avoids the patterns found among blocks of ECB

Anti-pattern: Initialization Vector
 * Avoid the same data looking the same each time it is encrypted
 * Cipher-block chaining prevents patterns within messages
 * Correct IV prevents patterns across messages

Anti-pattern: Random Values
 * Finding linear congruential seed

Anti-pattern: Pseudo-random Session IDs
 * really only ~20 bits of entropy
 * HMACs and secure random
 * do not use sessions - use HMACs - seriously

No Cargo Cult Security:
 * 1) Identify true security goal.
 * 2) Find correct crypto primitive.
 * 3) Spend some time to learn about it.
 * 4) Write as little of your own crypto code as possible.