Security primitives II: Secure channel, Secure storage, Secure envelope
PA193 – Secure coding
•Petr Švenda
•Partially based on slides prepared by Zdeněk Říha
•Faculty of Informatics, Masaryk University, Brno, CZ
PA193 - Secure channel, storage and envelope

Organizational
•No seminar this week (30.11.)
–Time to work on the parser code review
•4.-7.12. Ordinary teaching week (lecture & seminar)
•11.12. No lecture
•14.12. Presentation of the parser analysis (seminar)
•18.12. 10:00, B410: first possible exam date
–Need to enrol in IS!
–Closed-book exam, 10 questions with open answers
–(other exam dates soon in IS)

Security primitives
•Secure channel
–Communication
•Secure storage
–Storage
•Secure envelope
–Data protection
•Use standard, commonly used mechanisms
–It is very difficult to create your own mechanisms that will be as secure as the standard ones

SECURE CHANNEL PROTOCOL
•How to authenticate and communicate securely?
Secure channel
•A secure channel is a way of transferring data that is resistant to overhearing and tampering
Source: https://en.wikipedia.org/wiki/Secure_channel
•Examples
–Secure Messaging (smartcards)
•ISO 7816-4
•Open Platform / GlobalPlatform
–SSL/TLS
–IPsec
–VPN

Transport Layer Security (TLS) Protocol
[Figure: full TLS handshake (RFC 5246)]
[Figure: TLS handshake, credit: Cloudflare]

Secure channels – questions to ask
•Integrity protection? Encryption? Authentication?
•What attacker model is assumed?
•One-sided or mutual authentication?
•What kind of cryptography is used?
•What keys are required/pre-distributed?
•Is an additional trust hierarchy required?
•Is it necessary to generate random numbers/keys?
•What if keys are compromised? Forward secrecy?
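The questions above map onto concrete settings of a TLS client. As an added example (not code from the lecture), the following Python `ssl` client context answers them: server authentication is required, the certificate is matched against the dialled hostname, legacy versions and compression are refused, and mutual authentication is a parameter. The "make it work" anti-pattern sits beside it, together with an audit function that reports which answers a given context gets wrong. The use of the platform trust store (`cafile=None`) and the certificate file names are assumptions of the example.

```python
import ssl


def make_client_context(cafile=None, client_cert=None, client_key=None):
    """TLS client context that answers the checklist: the server is authenticated
    (CERT_REQUIRED), the certificate must be for the host we dial (check_hostname),
    SSLv3/TLS 1.0/1.1 are refused and compression (CRIME) is off.  cafile=None
    means the platform trust store (assumption); a pinned CA bundle shrinks the
    trust hierarchy.  client_cert/client_key switch on mutual authentication."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)   # mutual authentication
    return ctx


def make_insecure_context():
    """The anti-pattern from the Android study: verification switched off so a
    self-signed test server 'works'.  Any MitM certificate is then accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the findings a code review would raise; an empty list passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (no authentication)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSLv3/TLS 1.0/1.1 still negotiable (downgrade surface)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()),
                      ("insecure", make_insecure_context())):
        print(name, audit_context(ctx) or "OK")
```

Run `audit_context()` over every context your code base builds as a negative test (implementation note 6): a context that passes the audit still needs a real handshake against an invalid certificate to prove the library actually rejects it.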
Case study: SSL/TLS
•Let's look at the failures of SSL/TLS in more detail
–Read more at:
•http://www.ieee-security.org/TC/SP2013/papers/4977a511.pdf
•Basic knowledge of SSL/TLS expected
–Mandatory server authentication
–Optional client authentication
–Authentication based on X.509 certificates and private keys
–PKI infrastructure needed to validate certificates
–Confidentiality and integrity provided
–Non-repudiation not provided

Weaknesses in crypto primitives
•SSL/TLS started with 40/56-bit symmetric keys
–DES, RC2, RC4
–Due to US export regulations
•Slow changes, backward compatibility maintained
•Still possible to see certificates with insecure parameters
–Based on RSA-512 (factorable today!)
–(Google was using RSA-1024 until Nov 2013)
–Based on MD5 (collision attack on certificates demonstrated)
•Google/Chrome now active in pushing stronger security
–Certificate Transparency, removed rogue CAs, SHA-1 phase-out, post-quantum cipher suite CECPQ1 …

PRNG problems
•Netscape browser prior to 1.22 relied on a weak PRNG for SSL
•Debian problems with entropy gathering
–Predictable OpenSSL keys
•Insufficient entropy during device startup
–Factorable TLS keys
•…

Weak TLS keys (2012)
•Internet-wide scans, scans.io/, censys.io/
•Attempts to factor a fraction of the keys
–Shared prime between two or more keys (GCD attack), insufficient entropy during device start, repeated randomness in DSA signatures…
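The "GCD attack" of the last bullet is cheap to carry out at scale because the scans do not compute n² pairwise GCDs: they use a product tree and a remainder tree (batch GCD) to get gcd(N_i, product of all other moduli) for every key in quasi-linear bignum work. The following is an added example, not code from the lecture or from the cited scans; the "fleet" is constructed from 40-bit primes so that it runs in milliseconds, and the same functions work unchanged on 2048-bit moduli from a real scan.

```python
import random
from math import gcd


def product_tree(values):
    """Level 0 holds the inputs; each level multiplies neighbours; the root is the product of all."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree


def batch_gcd(moduli):
    """Bernstein's batch GCD: gcd(N_i, product of all other N_j) for every i,
    computed with a product tree and a remainder tree instead of n^2 pairwise gcds."""
    tree = product_tree(moduli)
    remainders = tree.pop()                        # [P], P = product of every modulus
    while tree:
        level = tree.pop()
        # P mod x^2 for every node x, reduced from the parent's remainder (x^2 divides parent^2)
        remainders = [remainders[i // 2] % (x * x) for i, x in enumerate(level)]
    # (P mod N^2) / N is exact because N | P and equals prod(N_j, j != i) mod N
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def find_weak_keys(moduli):
    """index -> ("shared_factor", p) when a prime is shared with another modulus
    (q = N // p, so the private key follows), or ("duplicate_modulus", N) when the
    whole key appears more than once (cloned image) or both primes are shared."""
    findings = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:
            findings[i] = ("duplicate_modulus", n)
        elif g > 1:
            findings[i] = ("shared_factor", g)
    return findings


MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic below 3.3e24


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; exact for the sizes used in this demo."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng, bits):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def build_demo_fleet(seed=2012):
    """Constructed data, not real scan output: six 80-bit 'RSA' moduli.  Device 2
    booted from the same entropy-starved state as device 0 and drew the same first
    prime; devices 3 and 4 ship an identical key; the others are healthy."""
    rng = random.Random(seed)
    p = [random_prime(rng, 40) for _ in range(9)]
    moduli = [p[0] * p[1], p[2] * p[3], p[0] * p[4], p[5] * p[6], p[5] * p[6], p[7] * p[8]]
    return moduli, p[0]


if __name__ == "__main__":
    moduli, shared = build_demo_fleet()
    for i, (kind, value) in sorted(find_weak_keys(moduli).items()):
        print(f"key {i}: {kind} {value}")
```

A "healthy" key only looks healthy relative to the set it was tested against; the 2016 follow-up study found keys that became factorable once newer scan data was added to the pool.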
Weak TLS keys remain widespread (2016)
•GCD factorization of TLS keys between 2010-2016
M. Hastings et al.: https://dl.acm.org/citation.cfm?id=2987486

Example: weak TLS keys for Cisco devices
M. Hastings et al.: https://dl.acm.org/citation.cfm?id=2987486

Developer defences against weak RNG
•Use statistical randomness test suites
–NIST STS, Dieharder, TestU01
–Usually applied during integration testing
•Add simple runtime checks (self-test, ratio of 1s and 0s, repeated output…)
–Can be performed in production code; required by FIPS 140-2
•Don't generate keys during boot (embedded devices)
–Not enough entropy present yet
•Use more sources of entropy (Intel's RDRAND, TPM)
–Should already be utilized by the kernel RNG, but not always
–Add additional entropy, do NOT replace the existing sources!
•Inject additional entropy continuously
–Significantly harder to reconstruct; allows recovery from state compromise

Remote timing attacks
•Against SSL servers using optimized RSA decryption based on OpenSSL
–Server response time correlated with bits of the private key
–Optimized decryption (without RSA blinding) was the default in OpenSSL prior to 0.9.7b
•The long-term secret of the server was leaking during the SSL/TLS handshake
•Solution 1: decrease measurement precision
–Add noise, limit granularity…: generally only a limited defence
•Solution 2: constant-time implementations
–E.g., OpenSSL after the fix (blinding on by default), the NaCl library
–Harder to implement, requires detailed analysis!
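The "simple runtime checks" bullet of the RNG-defences slide is easy to get wrong in both directions (too strict: spurious failures in production; too loose: a stuck generator passes). The following added example, not code from the lecture, wraps a byte source with a start-up test (monobit balance and longest run over 20,000 bits, the sample size FIPS 140-2 used for its power-up tests) and a continuous test (no two consecutive 16-byte blocks equal), and refuses to hand out output when either trips. The thresholds are chosen here so a good generator fails with probability around 10⁻⁴; the two faulty sources are constructed for the demonstration and are not real device output.

```python
import os

BLOCK = 16                  # bytes per block for the continuous (repeated-output) test
STARTUP_BYTES = 2500        # 20 000 bits, the sample size of the FIPS 140-2 power-up tests
MONOBIT_SIGMAS = 4.0        # |ones - n/2| beyond 4 sigma: ~6e-5 false alarms for a good RNG
MAX_RUN = 26                # a run of 26 equal bits in 20 000 has probability ~3e-4


class EntropyError(RuntimeError):
    pass


def monobit_ok(data, sigmas=MONOBIT_SIGMAS):
    """Ones and zeros should be balanced: |ones - n/2| <= sigmas * sqrt(n)/2."""
    nbits = 8 * len(data)
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones - nbits / 2) <= sigmas * (nbits ** 0.5) / 2


def longest_run(data):
    """Length of the longest run of identical bits."""
    longest = cur = 0
    prev = None
    for bit in "".join(f"{b:08b}" for b in data):
        cur = cur + 1 if bit == prev else 1
        prev = bit
        longest = max(longest, cur)
    return longest


class CheckedRNG:
    """Wrap a byte source with a start-up self-test and a continuous test and raise
    instead of silently generating keys from output that fails them."""

    def __init__(self, source=os.urandom):
        self.source = source
        sample = source(STARTUP_BYTES)
        if not monobit_ok(sample):
            raise EntropyError("start-up monobit test failed")
        if longest_run(sample) >= MAX_RUN:
            raise EntropyError("start-up long-run test failed")
        self._last = sample[-BLOCK:]

    def read(self, n):
        out = self.source(n)
        # continuous test: a generator whose state never advances (seeded before the
        # entropy pool was ready) returns the same block twice in a row
        for i in range(0, len(out) - BLOCK + 1, BLOCK):
            block = out[i:i + BLOCK]
            if block == self._last:
                raise EntropyError("repeated output block")
            self._last = block
        return out


# Constructed faulty sources for the demonstration (not real device output)
STUCK_PATTERN = bytes([0x0F, 0xF0]) * 8      # exactly half ones, so monobit passes


def stuck_source(n):
    """A generator whose state never advances: start-up statistics look fine."""
    return (STUCK_PATTERN * (n // BLOCK + 1))[:n]


def dead_source(n):
    """An uninitialised DRBG returning zeros: caught at start-up."""
    return bytes(n)


def probe(source, nbytes=64):
    """Report which check trips for a source: 'ok', 'startup: ...' or 'continuous: ...'."""
    try:
        rng = CheckedRNG(source)
    except EntropyError as exc:
        return f"startup: {exc}"
    try:
        rng.read(nbytes)
    except EntropyError as exc:
        return f"continuous: {exc}"
    return "ok"


if __name__ == "__main__":
    for name, src in (("os.urandom", os.urandom), ("stuck", stuck_source), ("dead", dead_source)):
        print(f"{name}: {probe(src)}")
```

Note that the stuck source passes every statistical start-up check and is only caught by the continuous test, which is why both kinds are needed; neither replaces the offline test suites of the first bullet, which look at far more than balance and runs.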
•More in PV204 Security Technologies (Spring)

Protocol attacks
•Cipher-suite downgrade
–In SSL 2.0, downgrade to 40-bit RC4 (the cipher list was not authenticated)
•SSL version downgrade
–If clients misinterpret a higher-version error and retry with a lower protocol version
–Padding Oracle On Downgraded Legacy Encryption (POODLE): force a fallback to SSL 3.0, then exploit its CBC padding
•Cross-protocol attacks (DROWN)
–Server supporting SSL 2.0 (with the same RSA key) used as an oracle to decrypt TLS 1.2 sessions
•Renegotiation attack
–Renegotiate security-related parameters

Trust model – X.509 certificates
•Hostname validation
–Do not skip the hostname validation
•Study: Analysis of Android SSL (in)security
–Over 1000 out of 13500 popular free Android applications contain SSL code that accepts any certificate or any hostname
–http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
•Android SSL guidelines
–https://developer.android.com/training/articles/security-ssl.html
•nogotofail project: https://github.com/google/nogotofail
–MitM tool for testing correct SSL use

Trust model – X.509 certificates
•Anchoring trust
–X.509 original idea: single world-wide CA
–Reality: multiple non-trusting CAs
–Web browsers include ~150 trust points from ~50 organizations
•What are the problems with many CAs?
–CA compromise or negligence (DigiNotar, CNNIC, TURKTRUST…)
–The power of governments over CAs
–Transitivity of trust (basicConstraints – CA:TRUE)
•This flag must be checked, otherwise anybody holding an ordinary end-entity certificate could issue a valid-looking certificate for any web site (MS CryptoAPI and Apple iOS did not check it)
https://sclabs.blogspot.cz/2012/10/ccna-security-chapter-7-cryptographic.html

Trust model – X.509 certificates
•Parsing attacks
–Binary 0 in CN => "google.com\0.evil.com" validated as google.com (C string handling stops at the NUL, the CA saw the whole name)
•Revocation
–How to authenticate a revocation request?
–Blocking the revoked (stolen/incorrect) certificates
•Online Certificate Status Protocol (OCSP)
•Certificate Revocation List (CRL)
–Problem: Is OCSP/CRL provided at all?
–Problem: Most clients will silently ignore an OCSP timeout
•MitM attacker with the server's private key blocks OCSP (on the cable)
–OCSP stapling: time-stamped, CA-signed OCSP response delivered during the initial TLS handshake

HTTP vs. HTTPS
•Stripping TLS: a man-in-the-middle attack
–Relay HTTPS pages over HTTP
–Victim <-HTTP-> Attacker <-HTTPS-> Server
•The SSLstrip tool
–Potentially run by ISP, gateway, router…
–https://github.com/moxie0/sslstrip
•HTTP Strict Transport Security policy as protection

HTTP Strict Transport Security (HSTS)
•Web security policy mechanism
–Web server declares that clients should interact only via secure HTTPS connections
–The policy is communicated via an HTTP response header called "Strict-Transport-Security"
•But how to protect the very first (plain HTTP) request, before the header has ever been seen?
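One block serves two slides: the "Hostname validation" bullet of the earlier trust-model slide and the NUL-in-CN parsing attack above. It is an added example, not code from the lecture or the cited Android study, and shows what a correct match looks like so you can recognise the check your library performs (implementation note 3): SAN dNSName entries take precedence over the CN, names with an embedded NUL never match, comparison is case-insensitive, and a wildcard is only accepted as the whole left-most label and covers exactly one label. The certificates are constructed dicts in the layout Python's `ssl.SSLSocket.getpeercert()` returns; none of them is real.

```python
def dns_names(cert):
    """Names the certificate is valid for.  SAN dNSName entries win; the CN is a
    fallback only for certificates that carry no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def match_one(host, pattern):
    """One presented name against the host we dialled (RFC 6125 rules)."""
    if "\x00" in host or "\x00" in pattern:
        return False                      # 'google.com\0.evil.com' is never a match
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False                      # '*.example.com' covers exactly one label
    if pat_labels[0] == "*":
        if len(pat_labels) < 3:
            return False                  # '*.com' would match every .com host
        return host_labels[1:] == pat_labels[1:]
    if "*" in pattern:
        return False                      # partial ('f*.example.com') or inner wildcards
    return host_labels == pat_labels


def hostname_matches(host, cert):
    """True only if some presented name of cert matches host."""
    return any(match_one(host, name) for name in dns_names(cert))


# Constructed certificates (only the fields the check needs), not real ones
GOOD_CERT = {"subject": ((("commonName", "example.com"),),),
             "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
NUL_CERT = {"subject": ((("commonName", "google.com\x00.evil.com"),),)}
SAN_WINS = {"subject": ((("commonName", "bank.example"),),),
            "subjectAltName": (("DNS", "phish.example"),)}
BROAD_WILDCARD = {"subjectAltName": (("DNS", "*.com"),)}

if __name__ == "__main__":
    for host, cert in (("www.example.com", GOOD_CERT), ("a.b.example.com", GOOD_CERT),
                       ("google.com", NUL_CERT), ("bank.example", SAN_WINS),
                       ("victim.com", BROAD_WILDCARD)):
        print(f"{host:18} -> {hostname_matches(host, cert)}")
```

In production leave this to the library (`check_hostname=True` in Python's `ssl`, the platform verifier on Android); the value of writing it once is knowing which of these cases your negative tests must cover.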
–Preloaded list of known HSTS servers shipped with the browser
•Now supported by Chrome, Firefox, Edge…
•Non-browser software libraries might be lacking HSTS support

Implementation notes
1.Select the proper secure channel for your requirements
2.Select a proper library, follow its security advisories
3.Understand what checks are performed by the library
4.Understand your key management
5.Understand your trust hierarchy
6.Write positive and negative tests (invalid cert…)
7.Don't forget to check revocations (and verify that the check really happens)
8.Make sure your RNG is correct (test it)
9.Be prepared for future updates
–Broken/new ciphers, root of trust, version of library…

METHODS OF DERIVATION OF SECRETS FROM PASSWORD
H('Password') -> key

Problems when a password is used as a key
•Passwords are usually shorter / longer than the key
•If the password is used directly as the key => low number of distinct keys
•A password does not contain the same amount of entropy as a binary key (only printable characters…)
•K = SHA-2("password")
–Same passwords from multiple users => same key
–Large pre-computed "rainbow" tables allow for a quick check
–Solved by the addition of a random (potentially public) salt
•K = SHA-2(pass | salt)
•Dictionary-based brute force still possible

Derivation of secrets from password
•PBKDF2 function, widely used
–Password is the HMAC "key"
–Iterations to slow down the derivation
–Salt added
[Figure: PBKDF2 structure]
•Problem with custom-built hardware (GPU, ASIC)
–Repeated iterations are not enough
to prevent brute force
–(or the derivation would be too slow on a standard CPU: user experience)
Source: https://nakedsecurity.sophos.com

scrypt – memory-hard function
•Designed as a protection against cracking hardware (which works well against PBKDF2)
–GPU, FPGA, ASICs…
–https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto/SCrypt.java
•Memory-hard function
–Forces the computation to hold N blocks of 128·r bytes in memory (N and r are parameters)
–Uses PBKDF2 as the outer interface
•Variant: NeoScrypt (uses full Salsa20)

Reuse of external PBKDF2 structure
[Figure]
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/

Argon2
•Winner of the Password Hashing Competition (PHC, 2013-2015; Argon2 selected in 2015)
[Figure]
https://www.reddit.com/r/crypto/comments/3dz285/password_hashing_competition_phc_has_selected/

Problem solved?
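The three slides above (salt, iteration count, memory hardness) come together in how a password record is stored and checked. The following is an added example, not code from the lecture: it derives keys with PBKDF2-HMAC-SHA256 or scrypt from Python's `hashlib`, stores the scheme and its cost parameters next to the salt so that the cost can be raised later without invalidating old records, and compares in constant time. The iteration count and the scrypt parameters are illustrative assumptions to be calibrated on your own hardware; Argon2 is not in the standard library and is left out.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000          # tune so one derivation costs ~0.1-0.5 s on your server
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    """RAM every parallel guess must hold: 128 * r * N bytes (16 MiB for the defaults).
    This, not the iteration count, is what makes GPU/ASIC cracking expensive."""
    return 128 * r * n


def derive_key(password, salt, scheme, params, length=32):
    """Derive a key from (password, salt) with PBKDF2-HMAC-SHA256 or scrypt.
    params carries the cost so that stored hashes survive a later cost increase."""
    if scheme == "pbkdf2":
        (iterations,) = params
        return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)
    if scheme == "scrypt":
        n, r, p = params
        return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                              maxmem=2 * scrypt_memory_bytes(n, r), dklen=length)
    raise ValueError(f"unknown scheme {scheme!r}")


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_password(password, scheme="scrypt"):
    """Encode scheme, cost, a fresh 16-byte salt and the derived key into one string."""
    params = (PBKDF2_ITERATIONS,) if scheme == "pbkdf2" else (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    salt = os.urandom(16)                       # random salt: same password -> different record
    key = derive_key(password.encode(), salt, scheme, params)
    return "$".join([scheme, ",".join(map(str, params)), _b64(salt), _b64(key)])


def verify_password(stored, password):
    """Re-derive with the stored scheme/cost/salt and compare in constant time."""
    scheme, params, salt, key = stored.split("$")
    params = tuple(int(x) for x in params.split(","))
    candidate = derive_key(password.encode(), base64.b64decode(salt), scheme, params)
    # a byte-by-byte '==' would leak how long the matching prefix is (cf. timing attacks)
    return hmac.compare_digest(candidate, base64.b64decode(key))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"),
          verify_password(record, "Tr0ub4dor&3"))
```

The same `derive_key()` also gives you an encryption key from a password (the "password as a key" problem of the first slide): keep the salt and parameters beside the ciphertext, never the derived key.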
https://www.ietf.org/mail-archive/web/cfrg/current/msg08439.html

SECURE STORAGE

Secure storage: how to keep secrets secret
•Secret data
–Symmetric encryption keys, asymmetric private keys
–Passwords…
•Storing secrets in software only
–Completely securely: IMPOSSIBLE
•Reverse engineering of binaries
•Debugging, paging memory to files
•Malicious administrators…
•Storing secrets in HW (HSMs, smartcards…)
–Option 1: Protection of secret data before use
•Potential compromise during use
–Option 2: Protection of secret data also during use
•Problem with access control (authentication of the use of the secret)

Design / implementation notes
1.Understand your use-case scenario
–Who should be able to access the protected data? (system/user/recovery agent)
–Should the data be accessible also on other devices? (device key/sealing)
–Should the data be accessible even when the device is locked?
–Is the user required to enter a password before accessing the data?
2.Select the proper system API, application or library
–Your target platform/OS, proper OS layer (kernel vs. user mode)
–OS-provided vs. independent secure storage (e.g., KeePass)
–Protection of a file vs. a data blob vs. a password
3.Understand the security model and design
–Who can access the files during a recovery?
–What if the device is lost/stolen (attacker with physical access)?
Secure storage in OSes
•MS Windows: Data Protection API (DPAPI)
–CryptProtectData(), CryptUnprotectData()
•Apple OS X, iOS: Keychain Services API
–SecKeychainAddGenericPassword(), SecKeychainFindGenericPassword()
–File system: NSFileProtectionNone, NSFileProtectionComplete
•Linux kernel: keyutils
–add_key(), request_key()
•Linux GNOME: gnome-keyring
•Linux KDE: KWallet

Example: AWS Key Management Service
[Figure]

Example: MS DPAPI
https://msdn.microsoft.com/en-us/library/ms995355.aspx

iOS NSFileProtection
https://www.youtube.com/watch?v=RqXOfBg_08o

Protecting secrets in Windows
•Data Protection API (DPAPI)
–CryptProtectData(), CryptUnprotectData()
•Data available to the user
–Bound to the user account (protected by the user's logon credentials); available on multiple machines with a roaming profile, but not to other accounts
•Data available to the machine
–Available to any user on the machine, not available on other machines
–Use the CRYPTPROTECT_LOCAL_MACHINE flag

Protecting secrets on Windows
•DPAPI does not provide storage of protected blobs
–Only encryption/decryption
•You have to manage the storage yourself
–Be careful to protect the encrypted data with correct ACLs in files/registry
•Any application running as the same user can decrypt the secrets!
•If you do not like this, use the pOptionalEntropy parameter
–To protect your secrets with another secret (which you then have to store somewhere)

LSA interface (old stuff)
•"The Local Security Authority (LSA) is a protected subsystem of Windows that maintains information about all aspects of local security on a system."
•LSA secrets:

LSA interface – LSA secrets
•LSA secrets:
–Local data
•Can be read only at the machine storing the data (L$)
–Global data
•Created on the domain controller and replicated (G$)
–Machine data
•Can be accessed only by the OS (M$)
–Private data
•Can be used by your application

LSA vs. DPAPI
Source: Writing Secure Code, 2nd edition
[Figure]

Managing secrets in memory
•ZeroMemory()
–Macro using memset()
•Compiler optimizations can remove the call (dead-store elimination: the buffer is never read again)!!!
•Use SecureZeroMemory() instead (memset_s() / explicit_bzero() on other platforms)

Managing secrets in memory
•CryptProtectMemory() and CryptUnprotectMemory()
Source: MSDN
•What is the difference from CryptProtectData() (DPAPI)?
–The result of CryptProtectData() is usually stored in a file; CryptProtectMemory() is for data that lives only while the process runs (scope selected by the flags: same process, same logon session, or cross-process)
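The two slides on secrets in memory describe Win32 calls; the same two failure modes (a wipe the compiler drops, a secret paged out to disk) exist everywhere. The following is an added example, not code from the lecture, showing the portable shape of the pattern in Python: keep the secret in a mutable `bytearray` (a `str` or `bytes` object cannot be overwritten, so every copy of it lives until the allocator reuses the memory), wipe it with a real libc `memset` through `ctypes` that no optimiser can elide, and lock its pages with `VirtualLock()` on Windows or `mlock()` elsewhere. As with the Win32 calls, locking is best effort and does nothing against a debugger, a crash dump or hibernation; the platform branch and the RLIMIT_MEMLOCK behaviour are assumptions of the example.

```python
import ctypes
import sys


def _address(buf):
    """Raw address of a bytearray's storage (valid while buf is not resized)."""
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def wipe(buf):
    """Overwrite a secret in place.  ctypes.memset is a real libc call, so unlike
    a plain memset() at the end of a C function it cannot be optimised away."""
    if buf:
        ctypes.memset(_address(buf), 0, len(buf))


def lock_pages(buf):
    """Best-effort VirtualLock()/mlock(): keep the buffer out of the page file.
    Returns False when refused (RLIMIT_MEMLOCK, unsupported platform).  Like the
    Win32 call it does not stop a debugger, a crash dump or hibernation."""
    if not buf:
        return False
    try:
        addr, size = ctypes.c_void_p(_address(buf)), ctypes.c_size_t(len(buf))
        if sys.platform == "win32":
            return bool(ctypes.windll.kernel32.VirtualLock(addr, size))
        return ctypes.CDLL(None, use_errno=True).mlock(addr, size) == 0
    except (OSError, AttributeError):
        return False


class Secret:
    """Hold a secret in a bytearray (str/bytes are immutable and cannot be wiped),
    lock its pages, and zero it when the with-block exits."""

    def __init__(self, data):
        self.buf = bytearray(data)
        self.locked = lock_pages(self.buf)

    def __enter__(self):
        return self.buf

    def __exit__(self, *exc):
        wipe(self.buf)
        return False


def use_secret(data):
    """Demonstration: what the buffer holds inside the block and after it."""
    secret = Secret(data)
    with secret as buf:
        inside = bytes(buf)          # a copy like this is exactly what you must avoid in real code
    return inside, bytes(secret.buf)


if __name__ == "__main__":
    inside, after = use_secret(b"hunter2")
    print(inside, after, Secret(b"x").locked)
```

The `bytes(buf)` copy inside `use_secret` exists only to show the before/after state; in real code feed the `bytearray` directly to the consumer (for example `hmac.new(key=buf, ...)`) so that no unwipeable copy is made.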
Locking memory to prevent paging
•To keep your sensitive data in RAM only
–Not in a paging file (security and performance implications)
•Lock the memory before storing the secrets in it
–VirtualLock()
–AllocateUserPhysicalPages()
•Does not prevent dumping memory to disk when hibernating (or into a crash dump file)
•Does not prevent a debugger from reading the memory

Windows credential manager
•Asking the user for credentials
•CredUIPromptForCredentials()
•CredUIPromptForWindowsCredentials()
–From MS Windows Vista up
[Figure: credential dialog]

Intel SGX: security enclave
•Intel Software Guard Extensions (SGX)
–New set of CPU instructions, intended for cloud server CPUs
–EGETKEY, EREPORT
•Protection against a privileged attacker
–Server admin with physical access, privileged malware
•Application requests a private region of code and data
–Security enclave (memory in 4 KB pages holding heap, stack and code)
–Enclave memory is stored encrypted in main RAM and decrypted only inside the CPU
–Access from outside the enclave is prevented at the CPU level
–Code for the enclave is distributed as part of the application

SGX-hardened password verification
https://jbp.io/2016/01/17/using-sgx-to-hash-passwords/

SECURE ENVELOPE

Protect data
•For secret/private keys use
–PKCS#8
–PKCS#12 (pfx)
•For digital signatures
use
–Cryptographic Message Syntax (CMS, PKCS#7)
–Secure e-mail
•S/MIME
–Based on X.509 certificates
–Transparent vs. opaque signing
•PGP

PKCS#8
•Format for storing a private key
•Independent of the private-key algorithm
•Key can be encrypted (EncryptedPrivateKeyInfo, typically with a password-based scheme such as PBES2)
•File suffix ".pkcs8" (also ".p8"; in PEM form the "PRIVATE KEY" block)
PrivateKeyInfo ::= SEQUENCE {
  version                 Version,
  privateKeyAlgorithm     AlgorithmIdentifier {{PrivateKeyAlgorithms}},
  privateKey              PrivateKey,
  attributes          [0] Attributes OPTIONAL }

PKCS#12
•Collection of cryptographic objects
•Privacy/confidentiality modes
–Public-key privacy mode: encrypted with a public key
–Password privacy mode: encrypted with a symmetric key derived from a password
•Integrity modes
–Public-key integrity mode: digital signature
–Password integrity mode: MAC with a key derived from a password
•File suffix ".p12", ".pfx".
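The PrivateKeyInfo structure on the PKCS#8 slide is small enough to parse by hand, and doing so once shows what an envelope format actually protects (the key bytes and their algorithm) and what it does not (anything about who may use them). The following added example, not code from the lecture, is a strict DER reader/writer for the two PKCS#8 shapes: the plain PrivateKeyInfo (version, AlgorithmIdentifier, OCTET STRING key, optional attributes) and the EncryptedPrivateKeyInfo of the "key can be encrypted" bullet, told apart by the tag of the first element. It handles structure only: no key-type parsing and no PBES2 decryption. The Ed25519 key and the ciphertext used to exercise it are constructed test data, and the algorithm parameters are left empty.

```python
def _tlv(tag, body):
    """DER-encode one TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _read_tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, body, position after it); strict on lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag, what):
    got, body, pos = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02x}, got 0x{got:02x}")
    return body, pos


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_private_key_info(algorithm_oid, private_key, parameters=b""):
    """PrivateKeyInfo (version 0); the key bytes are opaque to this layer."""
    alg = _tlv(0x30, _tlv(0x06, encode_oid(algorithm_oid)) + parameters)
    return _tlv(0x30, _tlv(0x02, b"\x00") + alg + _tlv(0x04, private_key))


def build_encrypted_private_key_info(pbes_oid, ciphertext, parameters=b""):
    """EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData OCTET STRING }"""
    alg = _tlv(0x30, _tlv(0x06, encode_oid(pbes_oid)) + parameters)
    return _tlv(0x30, alg + _tlv(0x04, ciphertext))


def parse_pkcs8(der):
    """Describe a PKCS#8 blob; the first element's tag (INTEGER version vs.
    SEQUENCE encryptionAlgorithm) tells the plain and the encrypted form apart."""
    outer, end = _expect(der, 0, 0x30, "PrivateKeyInfo")
    if end != len(der):
        raise ValueError("trailing bytes after PrivateKeyInfo")
    first, _, _ = _read_tlv(outer)
    if first == 0x30:                                   # EncryptedPrivateKeyInfo
        alg, pos = _expect(outer, 0, 0x30, "encryptionAlgorithm")
        oid, p = _expect(alg, 0, 0x06, "algorithm OID")
        data, pos = _expect(outer, pos, 0x04, "encryptedData")
        return {"encrypted": True, "algorithm": decode_oid(oid),
                "parameters": alg[p:] or None, "encrypted_data": data}
    version, pos = _expect(outer, 0, 0x02, "version")
    alg, pos = _expect(outer, pos, 0x30, "privateKeyAlgorithm")
    key, pos = _expect(outer, pos, 0x04, "privateKey")
    attributes = None
    if pos < len(outer):
        attributes, pos = _expect(outer, pos, 0xA0, "attributes")
    oid, p = _expect(alg, 0, 0x06, "algorithm OID")
    return {"encrypted": False, "version": int.from_bytes(version, "big"),
            "algorithm": decode_oid(oid), "parameters": alg[p:] or None,
            "private_key": key, "attributes": attributes}


def is_valid_pkcs8(der):
    try:
        parse_pkcs8(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed Ed25519 key (RFC 8410 wraps the 32-byte seed in an inner OCTET STRING)
    der = build_private_key_info("1.3.101.112", _tlv(0x04, bytes(range(32))))
    print(der.hex())
    print(parse_pkcs8(der)["algorithm"], parse_pkcs8(der)["version"])
```

Compare the plain blob with `openssl pkey -in key.p8 -noout -text` if you have a real key at hand; the point of the strict length checks is that a key file is attacker-controlled input like any other parser input on this course.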
PKCS#12
•"SafeContents" is made up of "SafeBags"
•SafeBag types:
–KeyBag: PKCS#8 private key
–PKCS8ShroudedKeyBag: private key which has been "shrouded" (= encrypted) in accordance with PKCS#8
–CertBag: certificate (X.509, SDSI – Simple Distributed Security Infrastructure)
–CRLBag: CRL (X.509)
–SecretBag: any other secret of a user

PKCS#7 / Cryptographic Message Syntax (CMS)
•Encapsulated content
•Provides low-level message functions
•Content types:
–Data (any plaintext)
–SignedData (digital signature based on X.509 certs)
–EnvelopedData (encrypted data); the content-encryption key is delivered by
•key transport: symmetric key encrypted with the recipient's public key
•key agreement: pairwise symmetric key created from the recipient's public key and the sender's private key
•symmetric key-encryption keys: using a previously distributed key
•passwords: key derived from a password
–AuthenticatedData (MAC + MAC key)
•OpenSSL, Microsoft CryptMsgXXX() functions…

Conclusions
•Important to understand what you want to achieve
1.Protection of a stream of data in transport
–Secure channel
2.Binding of data to a device/user
–Data protection API, secure storage, keyrings
3.Protection of data in memory
–In-memory encryption
•Key management is critical (as usual)
–Where are the keys for channel establishment/storage stored?
•Secure hardware helps (in combination with the kernel)

Questions

Mandatory reading (PKCS#12 critique)
•Peter Gutmann, PFX - How Not to Design a Crypto Protocol/Standard
–https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html