PB173 - Tématický vývoj aplikací v C/C++ (Domain specific development in C/C++)
Group: Applied cryptography and secure programming
https://is.muni.cz/auth/predmety/uplny_vypis?fakulta=1433;obdobi=6384;predmet=871304
• Petr Švenda, svenda@fi.muni.cz
• Office hours: A406, Monday 15:00-15:40
PB173 - Group: Applied cryptography

Something about me...
[Figures: genetics, wireless sensor node, BOINC]
• Genetic programming
• Secrecy amplification protocols for WSN
• Random distinguisher for crypto functions
• Distributed computing

Something about me... (2)
[Figures: smart card and JavaCard images]
• Power analysis
• Security programming

Something about me... (3)
[Figures: Raspberry Pi, EEG sleep recordings]

Something about me... (4)
[Figures: Saturn, M45, NGC 7000, Sun in H-alpha]
• http://astrolight.cz

ORGANIZATIONAL INFORMATION

What the course aims at
• Gain experience with implementing a larger program
• Use development tools
• Learn good programming practices
  – programming in general
  – but especially in the area of security applications
• Gain practical insights from implementing cryptographic applications
  – what companies end up requiring

What the course does not aim at
• Detailed mastery of a specific technology
  – we will dip into various areas
• Advanced mastery of the whole development process
  – we simply will not have time for that
• Explaining the basics of cryptography or comparing all possible ways of solving a problem
  – above all, we will try to program in practice

Organization
• Teaching formalities
  – a two-hour session every week
  – attendance is recorded, 2 unexcused absences are OK
• Teaching style
  – approx. 30 min/week of introduction to the topic
  – the rest is your own programming directly in class
  – ongoing consultation from my side on the problems that come up
  – Windows by default (but you can work on another platform)
• Independent work
  – in teams, ongoing development of a larger project
  – finishing the work from class
  – regular graded demonstration of the project status (every seminar)

Organization (2)
• Tools used
  – IDE, version control (git), Doxygen, debugger, code analysis and checking (CppCheck, Coverity)
  – GitHub + TravisCI + Coverity
  – Not everything is strictly prescribed; ask and use your favourites
• Grading
  – attendance
  – ongoing work (10 points weekly)
  – presentation of the whole project (30 points)
  – possible bonuses
  – max. 150 points, at least 100 points needed for the colloquium

Team assignment
• 2-3 people
• Joint work, but everyone presents their own contribution
  – initial presentation of the homework at the next seminar
  – incorporation of comments, presentation and grading at the seminar after that
• Use of a shared repository (GitHub) + CI (Travis)
• Teams will be formed only after 14 days
  – once the enrolled students have settled

Overall overview
• Basic materials in IS
• May partially change
  – we will see according to the real difficulty, pace of progress and interest
• You can propose your own problem to solve!

How good are YOU at English? Apologies for all my mistakes, please.
Organization
• Seminars + assignments + project
• Assignments
  – Assigned regularly, (nearly) every week
  – Initial assignments are individual work
  – Most assignments are team work
  – Expected workload: 4+ hours/week/participant
  – Network lab available to students
• Project: secure videoconferencing architecture

Attendance
• Seminars
  – Attendance obligatory
  – Absences must be excused at the department of study affairs
  – 2 absences are OK
• Assignments and projects
  – Partially done at the seminar
  – Completed during students' free time (e.g. at the dormitory)
  – Access to the network lab and the CRoCS lab is possible
  – Cooperation between team members is necessary

Course resources
• Slides (PDF) available in IS
  – IS = Information System of Masaryk University
• Assignments (what to do) available in IS
  – Submissions are also done via IS
• Additional tutorials/papers/materials will also be provided in IS from time to time
  – To better understand the issues discussed
• Recommended literature
  – To learn more …

Plagiarism
• Projects
  – Must be worked out by a team of 3 students
  – Every team member must show his/her contribution
• Plagiarism, cut&paste, etc. is not tolerated
  – Plagiarism is the use of somebody else's words/programs or ideas without proper citation
  – IS helps to recognize plagiarism
  – If plagiarism is detected, the student is assigned -5 points
  – In more serious cases the Disciplinary committee of the faculty will decide

Short questionnaire
• Do you know the difference between symmetric and asymmetric cryptography?
• Do you know the difference between block and stream ciphers?
• Do you know the DES and AES algorithms?
• Do you know the ECB and CBC encryption modes?
• Do you know the principle of hash functions?
• Do you know the MD5 and SHA-1/2/3 algorithms?
• Do you know the concept of digital signatures?
• Do you know what perfect forward secrecy means?

"Theme" project – Secure IM
• Secure instant messaging and data sharing
[Figure: server, clients, PKI key, teleconference and lock icons]

"Theme" project – Secure IM
• Certification authority
  – validates and issues user certificates
• IM server
  – registers and facilitates connections between users
• Client
  – provides operations related to end-user usage
• Expected at the end: a working networking application with security features

"Theme" project – some details
• Users obtain a certificate of identity from the Certification authority
• Users register with the IM server
• The IM server provides a list of connected users and helps to establish a connection if necessary
• The Client maintains the user identity and related keys, and provides exchange of IM messages and high-speed encrypted transfer of a data stream
Cryptographic libraries

Cryptographic libraries - overview
1. Why not to implement your own crypto algorithm/protocol
2. Adequate complexity of a library
3. How to get authentic source code
4. Common libraries: OpenSSL, mbed TLS
5. How to use a library

Do NOT implement your own algorithms
• Time consuming (probably already done before)
• Functional problems
• Low performance
• Security problems due to bugs
• Security problems due to missing defence against implementation attacks

Do NOT implement your own protocols
• Do not design algorithms/protocols by yourself
• Try to find existing standards
  – NIST, RSA PKCS, RFC, ISO/ANSI
• Try not to deviate from standards
  – compatibility and compliance
  – no need for a (time-consuming) detailed specification of your scheme
  – a small change can have big security impacts

Use well-known implementations
• Use well-known libraries
  – OpenSSL, PolarSSL, GnuPG, BouncyCastle (Java)
• Or implementations of algorithms from well-established authors (for uncommon algorithms)
  – Brian Gladman, Eric A. Young …

Complexity matters
• The complexity of the library implementation should match your needs
  – usually, you need only one or two algorithms
• A multiprocessor or CPU-independent implementation can be overkill
  – and just increase the risk of error
• Do you really need a library with object-oriented design?
• Large libraries are not always the most suitable ones
  – OpenSSL is complex and interconnected
  – e.g., AES is much easier to extract from mbed TLS (PolarSSL) than from OpenSSL

Code authenticity
• Source code signature
  – Do you really have the original binary/source code?
  – MD5/SHA1 hash (where to get the "correct" hash value?)
  – GPG/PGP
• Generate your own GPG/PGP signature keys
  – use them for inter-team communication
  – sign your code releases (on GitHub)

Which one do you like more? Why?

ARM mbed TLS:
    /**
     * \brief          Output = HMAC-SHA-512( hmac key, input buffer )
     *
     * \param key      HMAC secret key
     * \param keylen   length of the HMAC key
     * \param input    buffer holding the data
     * \param ilen     length of the input data
     * \param output   HMAC-SHA-384/512 result
     * \param is384    0 = use SHA512, 1 = use SHA384
     */
    void sha512_hmac( const unsigned char *key, size_t keylen,
                      const unsigned char *input, size_t ilen,
                      unsigned char output[64], int is384 );

OpenSSL:
    unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                        const unsigned char *d, size_t n,
                        unsigned char *md, unsigned int *md_len);

Common libraries – OpenSSL
• Pros:
  – Very rich library
    • lots of algorithms, protocols, paddings
    • not "just" SSL
  – well tested, functionally and security-wise, over time!
  – significant amount of existing examples on the web
• Cons:
  – API is complex and sometimes harder to understand
  – (started as Eric Young's personal attempt to learn BigInts :-))
  – relatively low-level functions (can be a pro!)
  – code is significantly interconnected
    • not suitable for extraction of a single algorithm
  – poor official documentation

Common libraries – mbed TLS
• (Formerly PolarSSL)
• Pros:
  – API is simple and clear
  – Easy to extract a single algorithm
  – Now widely used, reasonably tested
• Cons:
  – fewer supported algorithms and standards
  – dual licensing, but not a BSD-like license

How to use a library
1. Extract the code and compile it alone
  – some work with extraction
  – small, clean and self-contained result
2. Compile against the whole library
  – usually easy to do
  – but dependence on possibly unused code
3. Link statically against a dynamic library
  – the dll/so must always be present to run the program

How to use a library (2)
4. Link dynamically against a dynamic library
  – try to open the dll file and obtain a function handle
5. Link against service provider functions
  – Cryptography Service Providers in particular
  – API for listing available service providers (CryptEnumProviders)
  – standardized functions provided by providers
  http://msdn.microsoft.com/en-us/library/aa380252%28v=VS.85%29.aspx#service_provider_functions

Security implications of (dynamic) libraries
• A library can be forged and exchanged
• A library-in-the-middle attack is easy
  – data flow logging
  – input/output manipulation
• Library outputs can be checked less than user inputs
  – feeling that the library is my "internal" stuff and should play by "my" rules
• A library function call can be behind logical access controls
• A library can contain bugs
  – Serious development also needs a 3rd-party libraries control process

OpenSSL - problems
• What is wrong with this code?

    network_receive(uchar* in_packet, short &in_packet_len);  // TLV
    uchar* in = in_packet + 3;
    short length = make_short(in_packet + 1);   // length field read from the packet itself
    uchar* out_packet = malloc(1 + 2 + length);
    uchar* out = out_packet + 3;
    memcpy(out, in, length);                    // copies `length` bytes, in_packet_len is never consulted
    network_transmit(out_packet);

OpenSSL Heartbeat – "packet repeater"
(the same code, with the TLV layout of both buffers)
    unsigned char* in:  Type [1B] | length [2B] | Payload [length B]
    unsigned char* out: Type [1B] | length [2B] | Payload [length B]

Problem?
(the same code; the client sends a 1-byte payload but sets the length field to 0xFFFF instead of 0x0001)
    unsigned char* in:  Type [1B] | 0xFFFF [2B] | Payload [1B] | … heap memory …
    unsigned char* out: Type [1B] | 0xFFFF [2B] | Payload [1B] + heap memory (keys, passwords…)  = 65535 B
• Problem! in_packet_len != length + 3

How serious was the bug?
[Figure: Heartbleed logo]
• http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
• 17% of SSL web servers (OpenSSL 1.0.1)
• Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, DuckDuckGo…
• https://seznam.cz, https://fi.muni.cz …

Lessons learned
• ALWAYS check input arguments VERY rigidly
• Not only writing past the end of an array is dangerous, reading past it is too
• Do not trust information coming from the client
  – not even when you are its author yourself (modification at the network layer)
• For network applications, prefer languages other than C
  – e.g. automatic array bounds checking (Java, C#)
  – this does not replace argument checking!
• Open source by itself does not guarantee bug-free code
  – "given enough eyeballs, all bugs are shallow" L. Torvalds
• (Do not make commits in a hurry before a celebration)

[Figure: screenshot of the Heartbleed commit]

References
• General information
  – http://heartbleed.com/
• Testing whether a specific site is vulnerable
  – https://filippo.io/Heartbleed/
• Analysis of the problem at source-code level
  – http://nakedsecurity.sophos.com/2014/04/08/anatomy-of-a-data-leak-bug-openssl-heartbleed
  – http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

How serious a bug is it?
• XKCD (https://xkcd.com/1353/)
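A hardened version of the heartbeat "packet repeater" from the slides above, as an added example (not code from the slides or from OpenSSL): it applies the check the slides call for, in_packet_len against length + 3, before anything is copied, so the 0xFFFF record from the "Problem!" slide is dropped instead of leaking heap memory. It keeps the slide's simplified record layout (type, 2-byte length, payload, no trailing padding); hb_repeat, the body of make_short and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layout from the slide: Type [1B] | length [2B] | Payload [length B].
 * The trailing padding of the real TLS heartbeat record is left out, as on
 * the slide, so a well-formed record is exactly 3 + length bytes long. */
#define HB_HDR_LEN 3

/* The slide's make_short(): the 16-bit big-endian length field. */
static uint16_t make_short(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Hardened "packet repeater". The payload is echoed only when the length
 * claimed by the peer matches the bytes actually received and fits into
 * out_buf. Returns the number of bytes written to out_buf, or -1 when the
 * record is rejected (it is then silently dropped). */
long hb_repeat(const uint8_t *in_packet, size_t in_packet_len,
               uint8_t *out_buf, size_t out_cap)
{
    if (in_packet == NULL || out_buf == NULL)
        return -1;
    if (in_packet_len < HB_HDR_LEN)          /* header not even complete */
        return -1;

    size_t length = make_short(in_packet + 1);

    /* The check from the slide: reject unless in_packet_len == length + 3.
     * Written as a subtraction so the sum can never overflow. */
    if (in_packet_len - HB_HDR_LEN != length)
        return -1;
    if (out_cap < HB_HDR_LEN + length)       /* our own buffer is checked too */
        return -1;

    out_buf[0] = in_packet[0];               /* echo the Type byte */
    out_buf[1] = (uint8_t)(length >> 8);     /* length, big-endian */
    out_buf[2] = (uint8_t)(length & 0xFF);
    memcpy(out_buf + HB_HDR_LEN, in_packet + HB_HDR_LEN, length);
    return (long)(HB_HDR_LEN + length);
}

/* Constructed sample records for a stand-alone run. */
static const uint8_t HB_GOOD[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
/* The "Problem!" slide: one payload byte, length field claiming 65535. */
static const uint8_t HB_EVIL[] = { 0x01, 0xFF, 0xFF, 'x' };
uint8_t hb_out[64];

int main(void)
{
    long n = hb_repeat(HB_GOOD, sizeof HB_GOOD, hb_out, sizeof hb_out);
    long m = hb_repeat(HB_EVIL, sizeof HB_EVIL, hb_out, sizeof hb_out);
    return (n == 6 && m == -1) ? 0 : 1;      /* 0 = both records handled correctly */
}
```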
Practical assignment

SVN style – central repository
[Figure: central-repository diagram]
https://programmers.stackexchange.com/questions/35074/im-a-subversion-geek-why-should-i-consider-or-not-consider-mercurial-or-git-or

GIT style – distributed repository
[Figure: distributed-repository diagram, same source as above]

Setup your GitHub repository
1. Set up your GitHub account and repository
  – E.g., "PB173 test"
  – .gitignore: C++
  – License: MIT
2. Create the first milestone (Issues → Set milestone → Create…)
3. Create the first issue (Labels, Milestone, Assignee)
  – "Setup initial repo files"
4. Install git locally (GitHub client, TortoiseGit…)
5. Git Clone (your repository)
  – Into a local directory

Use your GitHub repository
• Create a small project (your favourite IDE)
  – Commit, Push
• Try to modify some files locally
  – Commit, Push
• Try to modify some files in the repo via the web interface
  – Simulated parallel modification by another developer
  – Git Pull / Sync
• Close your first issue :-)

Practical assignment
• Download the mbed TLS (formerly PolarSSL) library
  – and check the signature (gpg --verify)
• Write a small project (mbed TLS based)
  – read, encrypt and hash the supplied file, write into an output file
  – read, verify the hash and decrypt the file
  – use AES-128 in CBC mode and SHA2-512
  – use the PKCS#7 padding method for encryption (RFC 3852)
• Start with New Project + mbedTLS + AES

Questions?

Submissions, deadlines
• Commit into your GitHub repository (frequently :-))
• Upload the application source codes as a single zip file into IS
  – Use GitHub's download ZIP feature
  – Homework vault (Crypto - 1. homework (AES+SHA2))
• DEADLINE: 29.2. 12:00 (first part)
  – application capable of reading, encrypting, decrypting, hashing
  – Text file containing a description of how you did the PGP signature verification (the whole process, including import of public keys etc.)
  – 0-5 points assigned
• DEADLINE: 7.3. 12:00 (second part)
  – addition of unit tests
  – 0-5 points assigned
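For the padding step of the assignment above, an added example (not from the slides or from mbed TLS) of the PKCS#7 padding of RFC 3852 section 6.3 for the 16-byte AES-128-CBC block: pkcs7_pad appends k bytes of value k, and pkcs7_unpad checks every padding byte before stripping it, so a corrupted last block is refused instead of producing garbage. The function names and sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AES_BLOCK 16   /* block size of AES-128-CBC used in the assignment */

/* PKCS#7 padding (RFC 3852, section 6.3): append k bytes, each with the
 * value k, where 1 <= k <= AES_BLOCK. A message whose length is already a
 * multiple of the block gets one full block of 0x10 bytes, otherwise the
 * receiver could not tell where the data ends.
 * Returns the padded length, or 0 when out_cap is too small. */
size_t pkcs7_pad(const uint8_t *in, size_t len, uint8_t *out, size_t out_cap)
{
    size_t k = AES_BLOCK - (len % AES_BLOCK);   /* always in 1..16 */
    if (out_cap < len + k)
        return 0;
    memcpy(out, in, len);
    memset(out + len, (int)k, k);
    return len + k;
}

/* Validates and strips the padding of a decrypted buffer. Returns the
 * length of the data, or -1 on malformed padding: length not a whole
 * number of blocks, pad value outside 1..16, or any of the k trailing
 * bytes differing from k. Every padding byte is checked, not just the
 * last one, and the mismatches are OR-ed together without an early exit. */
long pkcs7_unpad(const uint8_t *buf, size_t len)
{
    if (len == 0 || len % AES_BLOCK != 0)
        return -1;
    size_t k = buf[len - 1];
    if (k == 0 || k > AES_BLOCK)
        return -1;
    uint8_t bad = 0;
    for (size_t i = 0; i < k; i++)
        bad |= (uint8_t)(buf[len - 1 - i] ^ k);
    return bad ? -1 : (long)(len - k);
}

/* Round trip used by main(): pad, unpad, compare. 1 = OK, 0 = failure. */
int pkcs7_roundtrip_ok(const uint8_t *msg, size_t len)
{
    uint8_t buf[2 * AES_BLOCK + 32];
    size_t padded = pkcs7_pad(msg, len, buf, sizeof buf);
    if (padded == 0 || padded % AES_BLOCK != 0 || padded <= len)
        return 0;
    return pkcs7_unpad(buf, padded) == (long)len && memcmp(buf, msg, len) == 0;
}

int main(void)
{
    /* Constructed sample messages: a short one and one exactly one block long. */
    const uint8_t short_msg[] = "hello";
    const uint8_t full_block[] = "0123456789abcdef";
    int ok = pkcs7_roundtrip_ok(short_msg, 5) && pkcs7_roundtrip_ok(full_block, 16);
    return ok ? 0 : 1;
}
```

In the assignment's flow the SHA-512 check runs before decryption, so a padding failure is only ever seen on data whose integrity has already been verified.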