
Cryptographic Protocols and Algorithms

Frederic Detienne, Distinguished Engineer

BRKSEC-3005
BRKSEC-3005 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
My Professional Life

• Belgian
• Lives in Aywaille (NOT Hawaii)
• Joined Cisco on January 1, 1997
[email protected]
• Distinguished Engineer (TAC)
• Web Content, AAA, Firewalls, VPNs, IPTV
• Bit of everything (stuff nobody else wanted)
• Made DMVPN, then FlexVPN
• Focus on Serviceability
Agenda

• A Brief Introduction
• Hashes and HMACs
• Symmetric Encryption
• MODP: Multiplicative Group of Integers Modulo P
• ECC: Elliptic Curve Cryptography
• Performance and Security
• Practical Applications: IKEv2, SSL and PKI
• Attacks, Weaknesses & Self-Inflicted Pain
• Conclusion and Recommendations
Introduction

An infinite number of mathematicians… (1 beer, 2 beers, 3 beers, 4, …, 6, 7, 8, …) "Ok, but you pay upfront."

Riemann Zeta function:

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s}$$

Total number of beers:

$$\sum_{n=1}^{\infty} n = \sum_{n=1}^{\infty} \frac{1}{n^{-1}} = \zeta(-1)$$

Total price: $3€ \times \zeta(-1)$

But…

$$\zeta(-1) = -\frac{1}{12}$$
Cryptographic Mechanisms

• Encryption
• Signatures
• Data Authentication (HMAC)
• Random Number Generation
• Key Establishment
• Hashing
Key Strength

[Chart: key strength over time, from Strong to Weak. Sources: Lenstra and Verheul, NIST]

Attacker Strength

[Chart: attacker strength over time]

Algorithms Never Get Stronger

[Chart: SHA-1 effective strength over time. Sources: FIPS-180-1, Wang, Yin, Yu '05, Cochran '07]

Strength increases by steps

[Chart]
Prevalent

AES-128-CBC, DH-1024, RSA-1024, SHA-1

Next Generation Encryption

128-bit, ±30 years: AES-128-GCM, ECDH-P256, ECDSA-P256, SHA-256

NGE higher security levels

Long term: AES-256-GCM, ECDH-P521, ECDSA-P521, SHA-512
"Foreseeable future": AES-192-GCM, ECDH-P384, ECDSA-P384, SHA-384

Next Generation Encryption

Authenticated Encryption: AES-GCM
Authentication: HMAC-SHA-2
Key Establishment: ECDH
Digital Signatures: ECDSA
Hashing: SHA-2
Entropy: SP800-90
Protocols: TLSv1.2, IKEv2, IPsec, MACSec
Hashes and HMACs
Focus on SHA-2

What is a Cryptographic Hash Function

Legitimate Message → Hash Function → Hash
• Any length in, fixed length output; easy & fast to compute.

Legitimate MesSage → Hash Function → *!@#%
• Avalanche effect: a small change in the message gives a big change in the hash (still easy & fast).

Hash → Hash Function (reversed) → Legitimate Message
• Pre-image resistance: the message cannot be found from the hash (very hard).

Legitimate Message and its Hash are given; Illegitimate Message → Hash Function → the same Hash
• Second pre-image resistance: the legitimate message and hash are imposed; finding a new message with the same hash is very hard.

Bogus Message 1, Bogus Message 2 → Hash Function → some Hash, unchanged
• Collision resistance: the attacker gets to select messages 1 and 2; making the hashes match is very hard.
The Merkle–Damgård Construction

Data is split into Block 1, Block 2, Block 3, …, Block N plus padding (Pad). Starting from an IV, the compression function F absorbs one block at a time and a finalization step produces H:

IV → F(Block 1) → F(Block 2) → F(Block 3) → … → F(Block N | Pad) → Fin → H
MD-5 vs SHA-2 – Hash Functions

MD-5 (60 rounds) vs SHA-2 (64-80 rounds); round-function diagrams omitted.

Reference: Wikipedia
Rough Hash Algorithms Comparison

Algorithm / variant     Output size   Max msg size   Collisions found
MD-5                    128           2^64 - 1       yes
SHA-1                   160           2^64 - 1       yes (hard)
SHA-2   SHA-256         256           2^64 - 1       no
        SHA-384         512           2^128 - 1      no
        SHA-512         512           2^128 - 1      no

Note the increasing output size!

IPsec truncates the output to 128, 192 or 256 bits (16, 24 or 32 bytes). Not IKE.

Reference: Wikipedia, RFC4868
Using a Hash or an HMAC

Hash (goal: data does not get corrupted in transit)
Alice: must send a message m. Computes h = HASH(m). Sends h, m.
Bob: computes h' = HASH(m) and checks h' = h. If yes, the message is valid; if no, the message was damaged.
An attacker could modify m and recompute h: only collision resistance is at play here.

HMAC (goal: Bob is assured the data comes from Alice)
Alice and Bob share a pre-shared key k.
Alice: must send a message m. Computes hmac = HASH(m|k). Sends hmac, m.
Bob: computes h' = HASH(m|k) and checks h' = hmac. If yes, the message is valid; if no, the message was damaged.
An attacker CAN NOT modify m and recompute the HMAC without k: unforgeability.
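The two exchanges above and the avalanche property from the previous slide, as an added Python example (not the speaker's code): it measures how many SHA-256 output bits change between "Legitimate Message" and "Legitimate MesSage", then shows that an attacker can recompute a plain hash for a modified message but cannot produce a valid tag without k. The tag uses Python's RFC 2104 hmac module rather than the slide's HASH(m|k) shorthand; key and messages are constructed samples.

```python
import hashlib
import hmac


def bit_difference(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg1: bytes, msg2: bytes) -> float:
    """Fraction of SHA-256 output bits that change between msg1 and msg2 (about 0.5 expected)."""
    h1 = hashlib.sha256(msg1).digest()
    h2 = hashlib.sha256(msg2).digest()
    return bit_difference(h1, h2) / (8 * len(h1))


# --- Hash only: protects against accidental corruption, not against an attacker ---
def alice_sends_hashed(m: bytes):
    return hashlib.sha256(m).digest(), m


def bob_checks_hash(h: bytes, m: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(m).digest(), h)


def attacker_rewrites_hashed(h: bytes, m: bytes, forged: bytes):
    # No secret is involved, so the attacker simply recomputes h for the forged message.
    return hashlib.sha256(forged).digest(), forged


# --- HMAC: Bob is assured the data comes from someone holding k ---
def alice_sends_hmac(k: bytes, m: bytes):
    return hmac.new(k, m, hashlib.sha256).digest(), m


def bob_checks_hmac(k: bytes, tag: bytes, m: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where the tags differ
    return hmac.compare_digest(hmac.new(k, m, hashlib.sha256).digest(), tag)


def attacker_rewrites_hmac(tag: bytes, m: bytes, forged: bytes):
    # Without k the attacker cannot recompute the tag; the best it can do is reuse the old one.
    return tag, forged


def hash_scenario(m: bytes, forged: bytes) -> bool:
    """True if Bob accepts the forged message when only a hash protects it."""
    h, m = alice_sends_hashed(m)
    h2, m2 = attacker_rewrites_hashed(h, m, forged)
    return bob_checks_hash(h2, m2)


def hmac_scenario(k: bytes, m: bytes, forged: bytes) -> bool:
    """True if Bob accepts the forged message when an HMAC under k protects it."""
    tag, m = alice_sends_hmac(k, m)
    tag2, m2 = attacker_rewrites_hmac(tag, m, forged)
    return bob_checks_hmac(k, tag2, m2)


if __name__ == "__main__":
    # Constructed sample inputs
    KEY = b"constructed pre-shared key k"
    print("avalanche:", avalanche(b"Legitimate Message", b"Legitimate MesSage"))
    print("hash-only forgery accepted:", hash_scenario(b"pay 10", b"pay 1000"))
    print("HMAC forgery accepted:", hmac_scenario(KEY, b"pay 10", b"pay 1000"))
```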
SHA-1 Collisions with SHAttered

good.pdf and bad.pdf:

"This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations or 110 years of single-GPU computations." -SHAttered.io

"The SHAttered attack is 100,000 times faster than the brute force attack that relies on the birthday paradox. The brute force attack would require 12,000,000 GPU years to complete, and it is therefore impractical." -SHAttered.io

SHA-1 checksum of good.pdf: d00bbe65d80f6d53d5c15da7c6b4f0a655c5a86a
SHA-1 checksum of bad.pdf: d00bbe65d80f6d53d5c15da7c6b4f0a655c5a86a

In practice, for PDF

[Figure]
Applied hashing: Blockchain & bitcoin

Blockchain

Block #1 (genesis block): Timestamp, Payload, Nonce, hashPrevBlock = None
Block #2: Timestamp, Payload, Nonce, hashPrevBlock = H(#1)
Block #3: Timestamp, Payload, Nonce, hashPrevBlock = H(#2)

    from datetime import datetime

    class Block(object):
        def __init__(self, hashPrevBlock, payload):
            self.hashPrevBlock = hashPrevBlock   # None for the genesis block, H(previous block) otherwise
            self.payload = payload
            self.timestamp = datetime.now()
            self.Nonce = self.mine()             # proof of work, see "Mining" below

        def hash(self, Nonce=None):
            # hash of (hashPrevBlock, payload, timestamp, Nonce); uses self.Nonce when no Nonce is given
            ...

        def mine(self):
            ...

    class BlockChain(object):
        def __init__(self, size):
            # builds `size` blocks, each chained to the hash of the previous one
            ...

        def verify(self):
            # recompute every hash and check it matches the next block's hashPrevBlock
            ...
Mining

    def mine(self):
        # Mathematical challenge: find a nonce whose hash starts with an x-number of 0's ("0000" here)
        for nonce in range(1, 10000000):
            attempt = self.hash(nonce)
            if attempt.startswith("0000"):
                logger.debug("We found matching hash %s and we are setting %d as Nonce", attempt, nonce)
                self.Nonce = nonce   # store the nonce itself (not the hash) so verify() can recompute hash()
                return self.Nonce
        logger.error("We couldn't find a nonce satisfying the 0's condition")
        exit(1)

Purpose of mining is to reach a secure, tamper-resistant consensus.

Reward: Transaction fee + Reward (initially 50 BTC, nowadays 12.5)
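A complete version of the Block/BlockChain skeleton from the slides, added here as an example (not the speaker's code): each block hashes its predecessor's hash, payload, timestamp and nonce with SHA-256, mining searches for a hash starting with "0000", and verify() catches tampering with any block, even after the tampered block alone is re-mined. Timestamps are fixed constructed values (1 Jan 2020 + i seconds) and the chain takes a list of payloads instead of a size, so the result is reproducible.

```python
import hashlib
import json
import time

DIFFICULTY = "0000"   # the slide's challenge: a hash that starts with four zeros


class Block:
    def __init__(self, hash_prev_block, payload, timestamp=None):
        self.hash_prev_block = hash_prev_block          # None for the genesis block
        self.payload = payload
        self.timestamp = time.time() if timestamp is None else timestamp
        self.nonce = None
        self.nonce = self.mine()                        # proof of work

    def hash(self, nonce=None):
        """SHA-256 over every field; changing any of them changes the hash."""
        n = self.nonce if nonce is None else nonce
        data = json.dumps([self.hash_prev_block, self.payload, self.timestamp, n])
        return hashlib.sha256(data.encode()).hexdigest()

    def mine(self, limit=10_000_000):
        """Find the first nonce whose hash starts with DIFFICULTY."""
        for nonce in range(1, limit):
            if self.hash(nonce).startswith(DIFFICULTY):
                return nonce
        raise RuntimeError("no nonce satisfying the 0's condition")


class BlockChain:
    def __init__(self, payloads):
        self.blocks = []
        prev_hash = None
        for i, payload in enumerate(payloads):
            # constructed, fixed timestamps keep mining deterministic across runs
            block = Block(prev_hash, payload, timestamp=1577836800 + i)
            self.blocks.append(block)
            prev_hash = block.hash()

    def verify(self):
        """Every block must meet the difficulty and point at the hash of its predecessor."""
        prev_hash = None
        for block in self.blocks:
            h = block.hash()
            if block.hash_prev_block != prev_hash or not h.startswith(DIFFICULTY):
                return False
            prev_hash = h
        return True


def tamper_demo():
    """Returns (valid_before, valid_after_edit, valid_after_remining_only_that_block)."""
    chain = BlockChain(["genesis", "Alice pays Bob 1 BTC", "Bob pays Carol 0.5 BTC"])
    before = chain.verify()
    chain.blocks[1].payload = "Alice pays Bob 100 BTC"   # someone edits history
    after_edit = chain.verify()                          # hash no longer starts with 0000
    chain.blocks[1].nonce = chain.blocks[1].mine()       # re-mine block 1 only
    after_remine = chain.verify()                        # block 2 still references the old hash
    return before, after_edit, after_remine


if __name__ == "__main__":
    print(tamper_demo())   # (True, False, False)
```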
Symmetric Encryption
Algorithms: One Time Pad & AES

One Time Pad

• A Pad is a truly random sequence of numbers
• The Pad is used as encryption and decryption key through modular addition
• The Pad must be as long as the message
• The Pad must be used ONLY ONCE
• If used properly, this is the strongest possible encryption scheme

M       1 0 0 1 1 0 1 1 1 …
Pad     0 1 1 0 0 0 1 0 1 …
Cypher  1 1 1 1 1 0 0 1 0 …

A One Time Pad (here using XOR)
One Time Pad - example

            H    E    L    L    O    message
            7    4    11   11   14
+           23   12   2    10   11   key
=           30   16   13   21   25   m+k
mod 26      4    16   13   21   25   (m+k) mod 26
            E    Q    N    V    Z    ciphertext

            E    Q    N    V    Z    ciphertext
            4    16   13   21   25
-           23   12   2    10   11   key
=           -19  4    11   11   14   c-k
mod 26      7    4    11   11   14   (c-k) mod 26
            H    E    L    L    O    message

Issue 1 – Key Length

            H    E    L    L    O    message
            7    4    11   11   14
+           23   12   2    10   11   key
=           30   16   13   21   25   m+k
mod 26      4    16   13   21   25   (m+k) mod 26
            E    Q    N    V    Z    ciphertext

The key must have the same size as the message… Key exchange is a problem!

Use a high quality Deterministic Random Bit Generator (DRBG). Select carefully…

Issue 2 – Key Re-use & Known Plain Text Attack

Assumption #1: the attacker knows some plain text (e.g. injection, guess, …)
Assumption #2: the attacker can wiretap the ciphertext

            H    E    L    L    O    message
            7    4    11   11   14
+           23   12   2    10   11   key
=           30   16   13   21   25   m+k
mod 26      4    16   13   21   25   (m+k) mod 26
            E    Q    N    V    Z    ciphertext

            H    E    L    L    O    known message
            4    16   13   21   25   ciphertext
-           7    4    11   11   14   known message
=           -3   12   2    10   11   c-m
mod 26      23   12   2    10   11   (c-m) mod 26 = KEY

Conclusion: the attacker can compute the key easily. DO NOT REUSE THE KEY!!
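The mod-26 pad from the slides worked through as an added Python example (not the speaker's code): it encrypts and decrypts HELLO with the key 23 12 2 10 11, recovers the key from one known plaintext exactly as in Issue 2, and then reads a second message that was (wrongly) encrypted under the same pad; fresh_pad() shows the correct habit of drawing a new pad from the OS CSPRNG for every message. The second message WORLD is a constructed sample.

```python
import secrets

ALPHABET_SIZE = 26
A = ord("A")


def to_numbers(text: str) -> list:
    """'HELLO' -> [7, 4, 11, 11, 14]; only the letters A-Z are handled."""
    return [ord(c) - A for c in text.upper()]


def to_text(numbers) -> str:
    return "".join(chr(n % ALPHABET_SIZE + A) for n in numbers)


def fresh_pad(length: int) -> list:
    """Issue 1: the pad must be as long as the message and come from a good random source."""
    return [secrets.randbelow(ALPHABET_SIZE) for _ in range(length)]


def otp_encrypt(message: str, pad: list) -> str:
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return to_text((m + k) % ALPHABET_SIZE for m, k in zip(to_numbers(message), pad))


def otp_decrypt(ciphertext: str, pad: list) -> str:
    return to_text((c - k) % ALPHABET_SIZE for c, k in zip(to_numbers(ciphertext), pad))


def recover_pad(ciphertext: str, known_message: str) -> list:
    """Issue 2: with a known plaintext, (c - m) mod 26 is the pad, letter by letter."""
    return [(c - m) % ALPHABET_SIZE
            for c, m in zip(to_numbers(ciphertext), to_numbers(known_message))]


def key_reuse_leak(c1: str, known_m1: str, c2: str) -> str:
    """What a wiretapper learns about a second message encrypted under the same pad."""
    pad = recover_pad(c1, known_m1)
    return otp_decrypt(c2, pad)


if __name__ == "__main__":
    pad = [23, 12, 2, 10, 11]                     # the slide's key
    c1 = otp_encrypt("HELLO", pad)                # EQNVZ
    c2 = otp_encrypt("WORLD", pad)                # second message, same pad: the mistake
    print(c1, otp_decrypt(c1, pad))
    print("recovered pad:", recover_pad(c1, "HELLO"))
    print("second message read from the wiretap:", key_reuse_leak(c1, "HELLO", c2))
    p = fresh_pad(5)                              # correct usage: one fresh pad per message
    print(otp_decrypt(otp_encrypt("WORLD", p), p))
```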
AES – The Advanced Encryption Standard

• The block size is large (128 bits standardized)
• The key size is large (128, 192 or 256 bits)
• AES operates on full bytes (faster on general purpose CPUs)
• National Institute of Standards and Technology:
  • "A machine that cracks 56-bit DES in 1 second takes 149 trillion years to crack 128-bit AES"
• Summary:
  • AES is faster and more secure than DES or 3-DES
  • AES is easier to implement than DES on tight hardware
  • IS THIS TRUE?
AES: Individual Rounds

[Diagram] Input → Round 0 (Add Round Key, Key 1) → Round 1 (Key 2) → … → Round Nr (Key Nr) → Output, with the round keys coming from the Key Schedule. Each round applies Sub Bytes, Shift Rows, Mix Columns and Add Round Key; Nr is 10, 12 or 14 depending on the key size.

Note: the last round is slightly different from the rest of the sub rounds (no Mix Columns).
Block Cipher Mode of Operation (ECB, CBC, counter)

Plaintext blocks in all three examples: m = 1 2 3 1 4

ECB: each block goes through ENC independently. c = 1 2 3 1 4: identical plaintext blocks give identical ciphertext blocks, which is why the encrypted penguin picture is still recognizable (penguin source: Wikipedia).

CBC: an IV is mixed into the first block and each ciphertext block is chained into the next ENC, so the plaintext pattern no longer shows.

CTR: the counter blocks IV, IV+1, IV+2, IV+3, IV+4 are each passed through ENC; this is a DRBG seeded by the IV, producing a pad (6 5 4 3 9 on the slide) that is combined with the plaintext as a One Time Pad. The pad depends on the IV: make the IV unique to ensure a unique pad. Parallel encryption pipelines are possible, so an efficient implementation is possible.

The non-ECB ciphertexts on the slide (5 9 1 5 3, 7 2 6 0 8, 5 6 3 9 7) show no repeating pattern even though the plaintext does.
AES GCM

Encryption: an AES-based PRNG fed from the Initialization Vector generates the pad, i.e. a secure CTR DRBG algorithm used as a One Time Pad. Parallelization possible.

Authentication (GHASH, a "Galois HMAC"): arithmetic in GF(2^128) with the polynomial x^128 + x^7 + x^2 + x + 1; GHASH(H, A, C) = X_{m+n+1}, where u and v are the bit lengths of the last blocks A_m and P_n. Weak but fast as a standalone MAC; the encrypted HMAC is very strong! The ICV can be 8, 12 or 16 bytes.

AES GCM in summary
• AES is more secure than 3DES
• AES-CTR CAN be much faster (implementation…)
• GMAC consumes less than SHA-2 (or even SHA-1)
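GHASH, the Galois MAC half of GCM described above, as an added Python example that is not part of the slides: it implements GF(2^128) multiplication with the polynomial x^128 + x^7 + x^2 + x + 1 in NIST SP 800-38D's bit ordering and the X_{m+n+1} chaining, and checks the result against the GCM specification's published test case 2, whose H and C are AES outputs under an all-zero key. AES itself is deliberately left out, so H and C are pasted in rather than computed.

```python
# GF(2^128) arithmetic and GHASH as defined in NIST SP 800-38D (the authentication part of AES-GCM).
# Reduction polynomial: x^128 + x^7 + x^2 + x + 1. In GCM's bit ordering the leftmost bit of a
# block is the coefficient of x^0, which is why the reduction constant R sits in the top byte.
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements given as 128-bit big-endian integers (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:      # bit i of x, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks as integers, zero-padding a short last block (the u and v bits of the slide)."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH(H, A, C) = X_{m+n+1}: X_i = (X_{i-1} xor block_i) * H, closed with the length block."""
    hh = int.from_bytes(h, "big")
    x = 0
    for block in _blocks(aad):             # A_1 .. A_m
        x = gf128_mul(x ^ block, hh)
    for block in _blocks(ciphertext):      # C_1 .. C_n
        x = gf128_mul(x ^ block, hh)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)   # [len(A)]_64 || [len(C)]_64
    x = gf128_mul(x ^ lengths, hh)
    return x.to_bytes(16, "big")


def truncated_icv(full_tag: bytes, icv_len: int) -> bytes:
    """IPsec carries an ICV of 8, 12 or 16 bytes: the 16-byte tag is simply truncated."""
    if icv_len not in (8, 12, 16):
        raise ValueError("ICV must be 8, 12 or 16 bytes")
    return full_tag[:icv_len]


if __name__ == "__main__":
    # GCM specification test case 2 (zero key, 96-bit zero IV, one zero plaintext block):
    # H = AES_K(0^128) and C = AES_K(counter 2) are taken from the published vector.
    H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    print(ghash(H, b"", C).hex())   # f38cbb1ad69223dcc3457ae5b6b0f885
```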
MODP
Multiplicative Group of Integers Modulo P

RSA

• Rivest, Shamir, Adleman (1977)
• Patented but expired => no more royalty
• Public key cryptosystem
• Variable key length (usually 512-2048 bits)
• Based on the (current) difficulty of factoring very large numbers
Modular Arithmetic

• Modulo is like a clock: 0 1 2 3 4 5 6 7 8 9 10 11 … mod 4 gives 0 1 2 3 0 1 2 3 0 1 2 3 …
• $b^x \bmod n = r$, also written as $b^x \equiv r \pmod n$
  • b is the base
  • x is the exponent
  • n is the modulus
  • r is the remainder
• Knowing b, x & n, it is very easy to compute r
• Knowing x, r & n, it is very difficult to compute $b = \sqrt[x]{r} \bmod n$, aka the RSA problem
• Knowing b, r & n, it is very difficult to compute $x = \log_b(r) \bmod n$, aka the discrete log problem

… unless there are trapdoors
Encryption with Modular Arithmetic

Bob: selects three numbers n, d & e. n & e are public, d is secret. e, d are chosen such that $ed \equiv 1 \pmod n$.
Alice: must send a private message m (we assume m < n). Takes n & e from Bob and computes $c = m^e \bmod n$. Sends c.
Bob: computes $m' = c^d \bmod n$:

$$m' = c^d \bmod n = (m^e)^d \bmod n = m^{ed} \bmod n = m^1 \bmod n = m$$

Bob has reversed the operation!! Bob knows d but nobody else… We have an encryption scheme.
The attacker cannot guess m just knowing c, n and e. To decrypt, the attacker would need to compute $m = \sqrt[d]{m'} \bmod n$: the RSA Problem.

Signature with Modular Arithmetic

Bob: selects three numbers n, d & e. n & e are public, d is secret. e, d are chosen such that $ed \equiv 1 \pmod n$. Must send a signed message m (we assume m < n). Computes $c = m^d \bmod n$ and sends c, m.
Alice: takes n & e from Bob and computes $m' = c^e \bmod n$:

$$m' = c^e \bmod n = (m^d)^e \bmod n = m^{de} \bmod n = m^1 \bmod n = m \bmod n = m$$

Bob must have sent c, m.
The attacker cannot guess d just knowing m, n and e. To forge the signature, the attacker would need to compute $d = \log_e(m') \bmod n$: the Discrete Logarithm Problem.

Now how can we find such e, d and n?
Regular Exponentiation – Dichotomy to reverse

[Chart]

MODP Exponentiation – dichotomy is broken

[Chart]

Where Quantum Computers Come In

[Chart]

Quantum computers in practice…

Schrödinger's cat; a qubit on a Bloch sphere: the electron spin can be up or down at the same time (superposition).

Quantum computers in practice…

[Picture]
About Prime Numbers

• A number is prime if it can be divided only by one or itself
• A number is composite if it can be divided by 2 or more prime numbers (picture: Khan Academy)
• Factorization is a hard problem. Best algorithm yields
• Fundamental Theorem of Arithmetic: a given number has a single factorization
• Euclid's theorems: there are infinitely many primes
  • prime density (ratio of primes per composite up to x) is 1/ln(x)
  • density drops off rapidly in the beginning but very slowly after a few powers of 10
  • π(x) = x/ln(x): number of primes < x
• Euler's φ(n) function or Euler's totient
  • number of integers in [1,n] that are relatively prime to n: |{k ∈ [1,n] | GCD(k,n) = 1}|
  • 2 numbers are coprime if they share no factor other than 1.
  • Property: GCD(n1,n2) = 1 ⇒ φ(n1·n2) = φ(n1)·φ(n2) – the totient is multiplicative
  • if n is prime ⇒ φ(n) = n-1 since 1…n-1 are coprime with n and n is divisible by itself
• Euler's theorem: $m^{\varphi(n)} \equiv 1 \pmod n$ if m and n are co-prime.
RSA keys – finding e, d, n such that $m^{ed} \equiv m \pmod n$

• Choose two distinct prime numbers p, q and hide them forever!
• n = p·q ⇒ n is hard to factor if p & q are very large
• φ(n) = n - (p+q-1)
  • p & q are prime ⇒ φ(p) = p-1, φ(q) = q-1
  • φ(n) = φ(pq) = φ(p)·φ(q) = (p-1)(q-1) = n - (p+q-1)
• Final steps, Euler's theorem…
  • $1^k = 1 \Rightarrow (m^{\varphi(n)})^k \equiv 1^k \pmod n \Rightarrow m^{k\varphi(n)} \equiv 1 \pmod n$
  • $1 \cdot m = m \Rightarrow m \cdot m^{k\varphi(n)} \equiv m \pmod n \Rightarrow m^{k\varphi(n)+1} \equiv m \pmod n$
  • we look for e, d, n such that $m^{ed} \equiv m^{k\varphi(n)+1} \equiv m \pmod n \Rightarrow ed = k\varphi(n) + 1$

$$d = \frac{k\varphi(n)+1}{e} = \frac{k\,(n-(p+q-1))+1}{e}$$

• Select e, a small integer, and k such that GCD(d, φ(n)) = 1 (i.e. d & φ(n) are co-prime)
  • e is usually 3 or 65537
  • adjust k to make d an integer

Notation: m – arbitrary message; n – the modulus; e – the public key; d – the private key
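The modular-arithmetic slides from "Modular Arithmetic" through "RSA keys" carried through in one added Python example (not the speaker's code): square-and-multiply exponentiation, key generation exactly by the slide's recipe (φ(n) = n-(p+q-1), then d = (kφ(n)+1)/e with k adjusted until d is an integer), and the encryption and signature exchanges with a forged signature rejected. The primes 61 and 53 are constructed toy values; real keys use primes of 1024+ bits each.

```python
from math import gcd


def totient_from_primes(p: int, q: int) -> int:
    """phi(n) for n = p*q with p, q prime: (p-1)(q-1) = n - (p+q-1), as on the slide."""
    return p * q - (p + q - 1)


def modexp(b: int, x: int, n: int) -> int:
    """Square-and-multiply: knowing b, x and n, r = b^x mod n is cheap even for huge x."""
    r, b = 1, b % n
    while x:
        if x & 1:
            r = r * b % n
        b = b * b % n
        x >>= 1
    return r


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Slide recipe: n = p*q, phi = n-(p+q-1), then d = (k*phi + 1) / e, adjusting k until d is an integer."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = totient_from_primes(p, q)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n), otherwise no d exists")
    k = 1
    while (k * phi + 1) % e != 0:     # terminates within e-1 steps when gcd(e, phi) == 1
        k += 1
    d = (k * phi + 1) // e
    assert e * d % phi == 1            # e*d = k*phi + 1
    return (n, e), d                   # public key (n, e), private key d


def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy m < n")
    return modexp(m, e, n)             # c = m^e mod n


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return modexp(c, d, n)             # m' = c^d mod n = m^(ed) mod n = m


def rsa_sign(m: int, d: int, n: int) -> int:
    return modexp(m, d, n)             # c = m^d mod n


def rsa_verify(signature: int, m: int, public_key) -> bool:
    n, e = public_key
    return modexp(signature, e, n) == m % n   # c^e mod n must give back m


if __name__ == "__main__":
    public_key, d = rsa_keygen(61, 53, e=17)
    print(public_key, d)                                   # (3233, 17) 2753
    c = rsa_encrypt(65, public_key)
    print(c, rsa_decrypt(c, d, public_key[0]))             # 2790 65
    s = rsa_sign(65, d, public_key[0])
    print(rsa_verify(s, 65, public_key), rsa_verify(s, 66, public_key))   # True False
```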
DH – Diffie-Hellman

The group definition: select a generator g and a modulus p.

Alice: picks a random number a and keeps a secret!! Computes $A_{pub} = g^a \bmod p$. Sends $A_{pub}$, (g, p).
Bob: using the same g and p as Alice, picks a random number b and keeps b secret!! Computes $B_{pub} = g^b \bmod p$. Sends $B_{pub}$.
Alice: $Secret_{Alice} = (B_{pub})^a \bmod p$
Bob: $Secret_{Bob} = (A_{pub})^b \bmod p$
Both obtain $Secret = g^{a \cdot b} \bmod p$.
The attacker cannot guess a; the attacker cannot guess b.

DH is sensitive to a Man-in-the-Middle Attack

Alice: $A_{pub} = g^a \bmod p$. Mallet: $M_{pub} = g^m \bmod p$, says "I'm Bob" to Alice and "I'm Alice" to Bob. Bob: $B_{pub} = g^b \bmod p$.

Alice → Mallet: $A_{pub}$; Mallet → Bob: $M_{pub}$
Bob → Mallet: $B_{pub}$; Mallet → Alice: $M_{pub}$
Alice ends up with $(M_{pub})^a \bmod p$ and Bob with $(M_{pub})^b \bmod p$: each of them shares a secret with Mallet, not with each other.
ECC
Elliptic Curve Cryptography

What is an elliptic curve?

• A curve of general equation $y^2 = x^3 + ax + b$
• It MUST be a smooth curve
• Its discriminant MUST BE NON ZERO
• The Elliptic Curve is the set of points
  • that satisfy the equation of the curve (i.e. that "belong" to the curve)
  • plus a special point at infinity that we call O (the letter O)
Elliptic Curve Addition

• Let P and Q be two points on the curve
• The line (P,Q) cuts the curve at a third point R
  • If the line is parallel to the Y axis, this point is O
  • If the line is tangent to the curve, the tangent point is counted twice
• The group operator + is defined such that P + Q + R = O; O is the identity
• The reflected point from R is P + Q

The scalar multiplication n*P

• Let's start with P + P = 2*P
  • For drawing (P,P), draw a tangent to the curve → R
  • (O,R) cuts in P + P = 2P
• This is a scalar multiplication
• One can derive 3P = 2P + P, 4P = 3P + P, … nP = (n-1)P + P
Fast Forward – the finite fields Fm & F2k

• Remember… modulo arithmetic (0 1 2 3 … mod 4)
• Galois Field = Finite Field
• Let E be an elliptic curve defined over a finite field Fm (modulo m):
  • E(Fm): {∞} ∪ {(x,y) in Fm×Fm | $y^2 = x^3 + ax + b$, a,b in Fm}
  • E(Fm) is the set of points whose coordinates belong to Fm×Fm and satisfy the equation, plus the point at infinity
  • The set along with the group operations (+, ×) seen before forms an Abelian Group under multiplication ⇒ a field.
  • For cryptography, m should be a prime number
• It seems (seemed?) more computationally efficient if m = 2^k - 1, yielding the notation F2k
  • Multiplication is supposed to be more efficient ⇒ very important for ECDH and ECDSA
  • In this case, the Koblitz curve is used: $y^2 + xy = x^3 + ax^2 + 1$ where a = 0 or a = 1
  • For cryptography, k should be a prime number
  • m should remain a prime – it would be called a Mersenne Prime
  • There is debate about the actual security and efficiency of these curves!
• The order of a group G is the cardinality of that group, written ord(G) or |G|.
• The order of a point P in a group G is the value n such that n*P = O, written ord(P) or |P|
Example Curve

E(F11): $y^2 = x^3 + x + 2$

|E(F11)| = 16 (i.e. 15 + O)

E(R): $y^2 = x^3 + x + 2$ (the same curve over the reals, for comparison)

Example on F31 – Complexity Increases

m = 2^5 - 1 = 31

E(F31): $y^2 = x^3 + x + 2$

|E(F31)| = 24

The same on F127 – Complexity Further Increases

m = 2^7 - 1 = 127

E(F127): $y^2 = x^3 + x + 2$

|E(F127)| = 136

Let P be [40,62]; the slide plots 2*P = P+P, 3*P = 2*P+P, 4*P = 3*P+P, 5*P = 4*P+P, 6*P, 7*P, 8*P, … n*P.

Easy to compute on Fm: n*P.
Difficult problem: knowing E & P, what is n for this point?
ECDH – Elliptic Curve Diffie-Hellman

The curve definition f and point P: select a curve f and a point P on the curve.

Alice: picks a random number a and keeps a secret!! Computes $A_{pub} = a*P$. Sends $A_{pub}$, (P, f(x), m).
Bob: using the same curve f and point P, picks a random number b and keeps b secret!! Computes $B_{pub} = b*P$. Sends $B_{pub}$.
Alice: $Secret_{Init} = a * B_{pub}$
Bob: $Secret_{Resp} = b * A_{pub}$
Both obtain $Secret = a*b*P$.
The attacker cannot guess a; the attacker cannot guess b.
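The curve arithmetic of the ECC slides and the ECDH exchange above, as one added Python example (not the speaker's code): affine point addition and doubling over F_p following the chord-and-tangent rule, double-and-add scalar multiplication, a brute-force point count that reproduces the slides' |E(F11)| = 16 and |E(F31)| = 24 and computes |E(F127)| for y^2 = x^3 + x + 2, and ECDH from the slide's base point P = [40,62] on E(F127). The secrets 7 and 11 are constructed toy values.

```python
# Affine point arithmetic on E(F_p): y^2 = x^3 + a*x + b, with the point at infinity O = None.
O = None


def inverse(v: int, p: int) -> int:
    """Modular inverse by Fermat's little theorem (p prime)."""
    return pow(v % p, p - 2, p)


def is_on_curve(P, a: int, b: int, p: int) -> bool:
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(P, Q, a: int, p: int):
    """P + Q: draw the line (P,Q), take the third intersection R, reflect it; P + Q + R = O."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                    # line parallel to the Y axis: third point is O
    if P == Q:
        lam = (3 * x1 * x1 + a) * inverse(2 * y1, p) % p    # tangent: P counted twice
    else:
        lam = (y2 - y1) * inverse(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p                 # reflection of R across the X axis
    return (x3, y3)


def scalar_mult(n: int, P, a: int, p: int):
    """n*P by double-and-add; same point as nP = (n-1)P + P but in O(log n) additions."""
    result, addend = O, P
    while n:
        if n & 1:
            result = ec_add(result, addend, a, p)
        addend = ec_add(addend, addend, a, p)
        n >>= 1
    return result


def count_points(a: int, b: int, p: int) -> int:
    """|E(F_p)|: every (x, y) in F_p x F_p satisfying the equation, plus O."""
    return 1 + sum(1 for x in range(p) for y in range(p)
                   if (y * y - (x ** 3 + a * x + b)) % p == 0)


def ecdh(a: int, p: int, P, secret_a: int, secret_b: int):
    """Both sides end up with a*b*P; returns (Alice's secret, Bob's secret)."""
    A_pub = scalar_mult(secret_a, P, a, p)     # Alice sends a*P
    B_pub = scalar_mult(secret_b, P, a, p)     # Bob sends b*P
    return scalar_mult(secret_a, B_pub, a, p), scalar_mult(secret_b, A_pub, a, p)


if __name__ == "__main__":
    a, b = 1, 2                                   # the slides' curve y^2 = x^3 + x + 2
    for p in (11, 31, 127):
        print(f"|E(F{p})| =", count_points(a, b, p))   # slides: 16, 24, 136
    P = (40, 62)                                  # the slides' base point on E(F127)
    print(is_on_curve(P, a, b, 127), [scalar_mult(n, P, a, 127) for n in range(1, 5)])
    print(ecdh(a, 127, P, 7, 11))                 # both entries are the same point
```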
Representation of Elliptic Curves
P-256 from "NIST routines"

• Elliptic curve domain parameters
  • (p, a, b, G, n, h) for a curve over a prime field Fp
  • (m, f(x), a, b, G, n, h) for a curve over a binary field F2m
• Where
  • p is the prime modulus
  • G is the generator (base point) of the curve
  • n is the order of G, i.e. n*G = O
  • a, b are the coefficients of $y^2 + xy = x^3 + ax + b \pmod p$
• Who defines elliptic curves?
  • National Institute of Standards and Technology (NIST)
  • American National Standards Institute (ANSI)
  • Agence Nationale pour la Sécurité des Systèmes Informatiques (ANSSI)
  • Institute of Electrical and Electronics Engineers (IEEE)
  • Certicom
  • Brainpool ECC
A back door'ed PRNG: Dual EC DRBG
source: NIST 800-90A

[Diagram of the Dual EC DRBG: internal state s, the two points P and Q, output bits taken from s*Q, next state from s*P]

Issue #1: it extracts too many bits – only 16 bits to guess leads to s*Q. Not a problem in itself…

Issue #2: the NSA managed to make baked P & Q values a standard. The last nail in the coffin: if P = eQ, knowing sQ means sP = seQ ⇒ once you know sQ, you know what the next sP is going to be: just compute e*sQ!! Then you know the next sQ effortlessly ⇒ compute the next sP, etc., forever!!

P & Q are supposed to be truly random points but the NSA cheated the process and cooked P & Q to have a relationship P = eQ. Of course, e is super secret and very hard (impossible) to find.

By breaking the PRNG, the attacker can break all other crypto mechanisms: new asymmetric or symmetric keys, DH secrets, pre-master secrets, etc.

NSA did NOT break cryptography. NSA abused a PROCESS!!
Performance and Security Comparisons

Security Level of Symmetric Crypto Algorithms

Security Level   Work Factor   Algorithms
Weak             O(2^40)       DES, MD5
Legacy           O(2^64)       RC4, SHA1
Minimum          O(2^80)       3DES, SEAL, SKIPJACK
Standard         O(2^128)      AES-128, SHA-256, GHASH
High             O(2^192)      AES-192, SHA-384, GHASH
Ultra            O(2^256)      AES-256, SHA-512, GHASH

ECDH Gains in Security

The table below shows the comparable key lengths required in DH/RSA as compared to ECC based DH to secure a symmetric key of a given length.

Symmetric Key Length   ECC Key Length   DH/RSA Key Length
80                     163              1024
112                    233              2048
128                    283              3072
192                    409              7680
256                    571              15360

Reference: draft-ietf-ipsec-ike-ecc-groups-05.txt with further references contained therein

Quantum Strength (for comparison)

Algorithm       Key Length   Classical Bit Strength   Quantum Bit Strength
RSA/DH 1024     1024 bits    O(80)                    O(1)
RSA/DH 2048     2048 bits    O(112)                   O(1)
ECC/ECDH 256    256 bits     O(128)                   O(1)
ECC/ECDH 521    521 bits     O(256)                   O(1)
AES 128         128 bits     O(128)                   O(64)
AES 256         256 bits     O(256)                   O(128)
SHA 256         256 bits     O(256)                   O(128)
IOS IKEv2 New Smart Defaults

Today:

    Router#show crypto ikev2 proposal default
    IKEv2 proposal: default
    Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
    Integrity : SHA512 SHA384 SHA256 SHA96 MD596
    PRF : SHA512 SHA384 SHA256 SHA1 MD5
    DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

After CSCuy44786 (16.8.1):

    Router#show crypto ikev2 proposal default
    Encryption : AES-CBC-256
    Integrity : SHA512 SHA384
    PRF : SHA512 SHA384
    DH Group : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14
    DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5

IOS IKEv2 Smart Defaults Performance

[Chart]
Rough Performance Comparison

Very rough comparison – orders of magnitude only (*)

AES-CBC
Strength   Key size   16 B        8192 B
128 bits   128        116 MBps    130 MBps
192 bits   192        98.5 MBps   109 MBps
256 bits   256        85 MBps     94 MBps

DES / 3DES CBC
Strength    Key size     16 B      8192 B
< 80 bits   56 (DES)     64 MBps   66 MBps
80 bits     168 (3DES)   25 MBps   25 MBps

RSA
Strength    Modulus      Sign      Verify
< 80 bits   512 bits     18K /s    194K /s
80 bits     1024 bits    6.5K /s   90K /s
112 bits    2048 bits    1.5K /s   30K /s
128 bits    4096 bits    136 /s    8.5K /s
192 bits    7680 bits    -         -
256 bits    15360 bits   -         -

ECDSA
Strength   Field   Sign      Verify
80 bits    p160    13K /s    4K /s
112 bits   p256    20K /s    8.5K /s
128 bits   k283    1.6K /s   1K /s
192 bits   k409    723 /s    568 /s
256 bits   k571    348 /s    249 /s

Optimizations...

(*) computed on my laptop – whatever that means
See Performances for Yourself 😀

• openssl speed aes
• openssl speed des-cbc
• openssl speed des-ede3 ⇒ 3-DES (Encrypt-Decrypt-Encrypt)
• openssl speed rsa
• openssl speed ecdsa
• openssl speed dh ⇒ does not exist 🤔
• openssl speed ecdh
Practical Use... The Crypto Angle

Certificates – Just an example…

    Version: 3 (0x2)
    Serial Number: 302543474681041022 (0x432d9aff179d07e)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
    Validity
        Not Before: Dec 10 17:52:51 2015 GMT
        Not After : Mar  9 00:00:00 2016 GMT
    Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
        Public-Key: (256 bit)
        pub:
            04:b5:64:5b:fa:48:ed:b7:f5:57:ba:24:d4:cc:b0:d8:74:5d:a3:6f:90:6a:37:e6:df:d8:6f:46:71:6a:
            09:e8:e3:64:b6:28:31:20:b4:9d:24:7f:6b:81:09:4b:b1:7d:3b:98:68:b5:4a:02:28:fe:b7:40:46:65:
            5b:f6:9d:a0:38
        ASN1 OID: prime256v1
        NIST CURVE: P-256
    X509v3 extensions: [SKIPPED]

    Signature Algorithm: sha256WithRSAEncryption
        87:b6:a5:f7:e4:f2:ac:0c:57:c5:f3:a1:ab:3c:f5:44:32:7d:8e:27:b5:f4:aa:c5:f8:f3:a3:f6:d9:f9:d9:19:1e:a8:aa:d4:
        8b:c6:9f:f7:ff:ce:84:41:78:cc:c3:5d:a6:cf:e2:b2:1c:54:c9:cb:f0:f5:b9:61:05:2a:dd:cd:bc:6b:e4:9d:0b:bd:b1:fd:
        87:a1:03:50:18:d2:b8:31:2e:82:9f:10:77:bb:a8:fc:84:bd:71:03:b2:42:9f:b9:65:60:20:3a:16:1f:83:7e:17:f5:fd:40:
        3a:f4:b8:97:97:8b:ba:a4:90:88:76:a7:f7:28:71:68:2a:d7:42:f6:af:d4:13:7b:89:4c:f0:d1:5f:de:25:ba:1d:cf:61:bd:
        f1:6d:aa:b4:20:a9:e2:29:f0:b0:5b:97:1a:a8:da:2d:bd:2e:b6:f9:7c:5c:fb:51:69:53:eb:fd:a5:c1:ee:e8:d4:10:79:03:
        [More hexadecimal…]

Annotations on the slide:
• Signature Algorithm: SHA-256 as the hash, the CA's RSA key for the signature (RSAEncCAPub).
• Public-Key: if r is an unknown secret integer (the private key), this big number is r*G mod p.
• NIST CURVE: P-256 is a "named curve"; NIST Routines defines (p, a, b, G, n).
Quantum Resistant Hybrid Certificate

Source: "The Viability of Post-Quantum X.509 Certificates", Panos Kampanakis, Peter Panburana, Ellie Daw, Daniel Van Geest

Basic Fields: Subject Name, Issuer Name, Validity, Public Key
Extensions: QR Public Key, QR Signature (non critical extensions)
Signature
IKEv2

Initiator → Responder: Proposed Security Suites, Ni, $g^a \bmod p$ (KEi)
Responder → Initiator: Nr, Selected Security Suite, Cert Chain, Cert Request, $g^b \bmod p$ (KEr)
Both sides: KDF($g^{ab}$, Nonces) → SKEYSEED → SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr
Initiator → Responder: IDi, Certificate Chain, Auth, TSi, TSr, SAi2
Responder → Initiator: IDr, Auth, TSi, TSr, SAr2

Diffie-Hellman ensures Perfect Forward Secrecy: the ephemeral keys are independent of the authentication keys.

Ephemeral keys (for IPsec SAs) can be regenerated at regular intervals using a fresh Diffie-Hellman exchange.
Hash DRBG for Key Derivation and Authentication

For post-quantum, see:
• draft-tjhai-ipsecme-hybrid-qske-ikev2
• draft-fluhrer-qr-ikev2

Hash DRBG prf+:

    prf+ (K,S) = T1 | T2 | T3 | T4 | ...
    where:
    T1 = prf (K, S | 0x01)
    T2 = prf (K, T1 | S | 0x02)
    T3 = prf (K, T2 | S | 0x03)
    T4 = prf (K, T3 | S | 0x04)
    ...

Key Derivation Function:

    SKEYSEED = prf (Ni | Nr, g^ir)
    Key Generation: {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )

Authentication: RSAPriv over a prf of the "conversation". Let's call all this the "conversation":

    InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
    GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
    RealIKEHDR = SPIi | SPIr | . . . | Length
    RealMessage1 = RealIKEHDR | RestOfMessage1
    NonceRPayload = PayloadHeader | NonceRData
    InitiatorIDPayload = PayloadHeader | RestOfInitIDPayload
    RestOfInitIDPayload = IDType | RESERVED | InitIDData
    MACedIDForI = prf(SK_pi, RestOfInitIDPayload)
IPsec: ESP packet format

IPsec HMAC and encryption keys are independent of the IKE session keys.
IPsec keys can be derived from a fresh DH exchange (aka PFS).

Security Parameter Index (SPI)
Sequence Number
Initialization Vector (IV)            seeding for CBC, CTR, …
Protected Data                        encrypted with a symmetric algorithm, e.g. AES-128
Padding | Pad Len. | Next Protocol
Integrity Check Value (ICV)           signed with an HMAC, e.g. Galois MAC or SHA-1-HMAC
SSL/TLS with Pre-Master Secret (no DH)

Client → Server: Hello, Client Random, Proposed Security Suites (incl. DH)
Server → Client: Hello, Server Random, Security Suite, Server Certificate Chain
Client: picks a random PreMaster; KDF(PreMaster, randoms) → kmc, kms, ke
Client → Server: EncServerPub(PreMaster)
Server: PreMaster = DecServerPriv(…); KDF(PreMaster, randoms) → kmc, kms, ke
Change Cipher Spec
Client finished: PRF (dialog)
Server finished: PRF (dialog)
traffic

No Perfect Forward Secrecy…
A compromised RSA key allows easy traffic decryption.
Even an expired or revoked key/certificate can mean trouble!
SSL/TLS with Ephemeral Diffie-Hellman

Client → Server: Hello, Client Random, Proposed Security Suites (incl. DH)
Server → Client: Hello, Server Random, Security Suite, Server Certificate Chain
Server → Client: p, g, $g^a \bmod p$, SignRSAkey(p, g, $g^a \bmod p$)
Client → Server: $g^b \bmod p$
Client: PreMaster = $g^{ab}$; Master = PRF(PreMaster, randoms) → Kcm, Ksm, Kce, Kse, …
Server: PreMaster = $g^{ba}$; Master = PRF(PreMaster, randoms) → Kcm, Ksm, Kce, Kse, …
Change Cipher Spec
Client finished: PRF (dialog)
Server finished: PRF (dialog)
traffic

Offers Perfect Forward Secrecy since SSLv3.

In everyday practice many implementations have refused to offer forward secrecy or only provide it with very low encryption grade. [Wikipedia]

While TLS offers and recommends regular rekey, tickets span the lifetime of the application. [Blackhat.com US-13-Daigniere-TLS-Secrets-Slides]
TLS Key Derivation and Authentication

P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                       HMAC_hash(secret, A(2) + seed) + …

A() is defined as
  A(0) = seed
  A(i) = HMAC_hash(secret, A(i-1))        (Hash DRBG prf)

PRF(secret, label, seed) = P_<hash>(secret, label + seed)

Key Derivation Function
  Key Generation: key_block = PRF(master_secret, "key expansion", server_random + client_random)
  {Kcm, Ksm, Kce, Kse, …} = key_block

Finished messages: PRF over the conversation

Server Authentication: RSAPriv(prf(client_random[32] | server_random[32] | server_DH_params))
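The ephemeral Diffie-Hellman exchange and the PRF-based key schedule of the two slides above, carried through end to end as an added example (this is illustration code, not code from the deck or from any TLS library). It implements P_SHA256 and PRF exactly as defined on the slide, derives the master secret, the key_block partition {Kcm, Ksm, Kce, Kse, IVc, IVs} and the Finished values on both sides, and produces the bytes that the server's RSA signature covers in ServerKeyExchange. Assumptions: the DH modulus TOY_P (2^127 - 1) and generator TOY_G are a constructed toy group rather than a real TLS group, the RSA signature itself is not computed (the Python standard library has no RSA), and the handshake transcript is a simplified concatenation of the values exchanged rather than the full message encoding.

```python
"""Simulated TLS 1.2 DHE handshake key schedule built on the RFC 5246 PRF.
Added example, not code from the slides. It uses a toy DH group and skips the
RSA signature on ServerKeyExchange (only the bytes to be signed are produced)."""
import hashlib
import hmac
import os
import struct

# Toy DH modulus, constructed for this example only (a 127-bit Mersenne prime).
# Real TLS uses the RFC 3526 / RFC 7919 groups (2048-bit MODP or better).
TOY_P = 2**127 - 1
TOY_G = 2
TOY_LEN = (TOY_P.bit_length() + 7) // 8   # 16 bytes
MASTER_LEN = 48
VERIFY_DATA_LEN = 12


def p_hash(secret, seed, length, hash_name="sha256"):
    """P_<hash>(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) (TLS 1.2 default)."""
    return p_hash(secret, label + seed, length)


def dh_keypair():
    """Ephemeral (private, g^private mod p) pair; a fresh one per handshake gives PFS."""
    priv = 2 + int.from_bytes(os.urandom(16), "big") % (TOY_P - 3)
    return priv, pow(TOY_G, priv, TOY_P)


def dh_premaster(priv, peer_pub):
    """PreMaster = g^ab mod p, as a fixed-width big-endian byte string."""
    return pow(peer_pub, priv, TOY_P).to_bytes(TOY_LEN, "big")


def server_dh_params(p, g, ys):
    """ServerDHParams encoding: three opaque<1..2^16-1> vectors (p, g, Ys)."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


def server_kx_to_be_signed(client_random, server_random, params):
    """Bytes the server's RSA key signs in ServerKeyExchange (RFC 5246 7.4.3)."""
    return client_random + server_random + params


def split_key_block(key_block, mac_len=32, key_len=16, iv_len=16):
    """Partition key_block in RFC 5246 6.3 order; sizes here fit AES-128-CBC + HMAC-SHA256."""
    layout = [("Kcm", mac_len), ("Ksm", mac_len), ("Kce", key_len),
              ("Kse", key_len), ("IVc", iv_len), ("IVs", iv_len)]
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = key_block[offset:offset + size]
        offset += size
    return keys


def derive(pre_master, client_random, server_random, transcript):
    """What each side computes once it holds PreMaster and both randoms."""
    master = prf(pre_master, b"master secret", client_random + server_random, MASTER_LEN)
    # Note the swapped order of the randoms for key expansion, as on the slide.
    key_block = prf(master, b"key expansion", server_random + client_random, 128)
    digest = hashlib.sha256(transcript).digest()    # PRF "over the conversation"
    return {
        "master": master,
        "keys": split_key_block(key_block),
        "client_finished": prf(master, b"client finished", digest, VERIFY_DATA_LEN),
        "server_finished": prf(master, b"server finished", digest, VERIFY_DATA_LEN),
    }


def dhe_handshake():
    """Run both sides of the slide's exchange and return what each side derived."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    a, ga = dh_keypair()                 # server: ephemeral a, sends g^a mod p (signed)
    b, gb = dh_keypair()                 # client: ephemeral b, sends g^b mod p
    params = server_dh_params(TOY_P, TOY_G, ga)
    to_be_signed = server_kx_to_be_signed(client_random, server_random, params)
    # Simplified transcript; real TLS hashes every handshake message exchanged so far.
    transcript = client_random + server_random + params + gb.to_bytes(TOY_LEN, "big")
    server = derive(dh_premaster(a, gb), client_random, server_random, transcript)
    client = derive(dh_premaster(b, ga), client_random, server_random, transcript)
    # a and b are discarded here; without them, a later leak of the RSA key
    # gives no way back to PreMaster (the forward-secrecy property of the slide).
    return {"client": client, "server": server, "to_be_signed": to_be_signed}


if __name__ == "__main__":
    result = dhe_handshake()
    print("master secrets agree:", result["client"]["master"] == result["server"]["master"])
    print("Kce:", result["client"]["keys"]["Kce"].hex())
```

Both sides end with the same master secret and key material because g^ab = g^ba, while the long-term RSA key only ever signs the ephemeral parameters; that separation is why the DHE variant keeps forward secrecy and the pre-master-secret variant on the earlier slide does not. The contrast with the no-DH slide is that there the RSA key is the only thing protecting PreMaster on the wire.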
Recommendations and Conclusion

Reassurance

• Crypto is not broken but it has to be used intelligently
• All the problems cited were known or expected
• Snowden's revelations only showed how dedicated attackers are
• We should not be scared, we should simply act!

• Post quantum cryptography
  • Supersingular isogeny key exchange
  • Learning With Errors (LWE) challenge
  • Lattice Based Cryptography
Recommendations

• Protocols
  • IKEv2 is cool – use it if you can (not always possible)
  • Keep an eye on TLS 1.3 for improvements

• Public Key Infrastructure (PKI)
  • Prefer ECDSA (> 256) or RSA (modulus size >> 1024; 2048 or above preferred)
  • SHA-256-HMAC or better is a must

• Key Exchange
  • Use PFS
  • Prefer ECDH 263 bits for mid term security (~15 years) or MODP 3184 bits for 15+ years
  • If MODP, use DH group >> 1024 (1536 or 2048 preferred)
  • IKEv2: group 5 (~1500 bits) or better
  • TLS 1.2: FIX YOUR SERVERS!! https://weakdh.org/sysadmin.html
  • Upgrade to TLS 1.3 whenever possible (still draft)

• Symmetric key cryptography
  • AES-128 (or better) CBC or Counter mode
  • SHA-1 is still ok for data crypto but plan moving to GCM, GMAC or SHA-2 (256 or above)
Reputedly Safe Elliptic Curves

[table of curves not reproduced here] source: http://safecurves.cr.yp.to
Some Random Software… FlexVPN (IOS)

Keypair for certificates

  crypto key generate ec keysize 256
  crypto key generate rsa modulus 1536   (or better)

IKEv2 Profile (defaults are good)

  crypto ikev2 proposal default
   encryption aes-256 aes-cbc-192 aes-cbc-128
   integrity sha512 sha384 sha256
   prf sha512 sha384 sha256
   group 14 5

  show crypto ikev2 proposal
  IKEv2 proposal: default
       Encryption : AES-CBC-256
       Integrity  : SHA512 SHA384
       PRF        : SHA512 SHA384
       DH Group   : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
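A small compliance check that applies the thresholds from the Recommendations slide (AES-128 or better, SHA-256 or better for integrity and PRF, IKEv2 DH group 5 or better) to captured `show crypto ikev2 proposal` output such as the one above. This is an added example written for this page, not Cisco code; the sample output is constructed from the slide's default proposal plus a hypothetical "legacy" proposal added so the checker has something to flag, and the exact spelling of weak integrity tokens (SHA96, MD596) in real output may differ by release.

```python
"""Compliance check for 'show crypto ikev2 proposal' output against the slide's
recommendations. Added example, not Cisco code; the sample output is constructed."""
import re

# Constructed sample: the slide's default proposal plus a hypothetical weak
# proposal named "legacy" so the checker has something to flag.
SAMPLE_OUTPUT = """\
IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256
     PRF        : SHA512 SHA384 SHA256
     DH Group   : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
IKEv2 proposal: legacy
     Encryption : 3DES AES-CBC-128
     Integrity  : SHA96 MD596
     PRF        : SHA1
     DH Group   : DH_GROUP_1024_MODP/Group 2
"""

GROUP_RE = re.compile(r"DH_GROUP_(\d+)_(MODP|ECP)/Group\s+(\d+)")
STRONG_HASH_RE = re.compile(r"^SHA(256|384|512)$")
MIN_MODP_BITS = 1536      # slide: IKEv2 group 5 (~1500 bits) or better


def parse_proposals(text):
    """Map proposal name -> {field: raw value string} from the show output."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"IKEv2 proposal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = {}
            continue
        m = re.match(r"\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*)", line)
        if m and current is not None:
            proposals[current][m.group(1)] = m.group(2).strip()
    return proposals


def check_proposal(fields):
    """Return a list of findings; an empty list means the proposal meets the recommendations."""
    findings = []
    enc = fields.get("Encryption", "").split()
    aead_only = bool(enc) and all("GCM" in alg.upper() for alg in enc)
    for alg in enc:
        if not alg.upper().startswith("AES"):
            findings.append(f"encryption {alg}: use AES-128 or better")
    for field in ("Integrity", "PRF"):
        for alg in fields.get(field, "").split():
            if field == "Integrity" and aead_only and alg.upper() == "NONE":
                continue    # GCM carries its own integrity (GMAC); no separate HMAC needed
            if not STRONG_HASH_RE.match(alg.upper()):
                findings.append(f"{field.lower()} {alg}: SHA-256 or better is a must")
    for bits, kind, num in GROUP_RE.findall(fields.get("DH Group", "")):
        if kind == "MODP" and int(bits) < MIN_MODP_BITS:
            findings.append(f"DH group {num} ({bits}-bit MODP): use group 5 or better")
    return findings


def audit(text):
    """Findings per proposal; feed it captured show output."""
    return {name: check_proposal(fields) for name, fields in parse_proposals(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(f"{name}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print("  -", finding)
```

The default proposal passes every check; the constructed "legacy" proposal is flagged for 3DES, the SHA-1/MD5-based integrity and PRF entries, and the 1024-bit MODP group, which are exactly the items the Recommendations slide tells you to move away from.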
A Short Bibliography

• NIST SP 800-90A: Recommendations for Random Number Generation Using Deterministic Random Bit Generators
• NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
• NIST SP 800-56A (R2): Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (i.e. DH, ECDH + key derivation methods)
• NIST 800-131Ar1: Transitions: Recommendations for Transitioning the Use of Cryptographic Algorithms and Key Lengths
• NIST FIPS 140-2: Security Requirements for Cryptographic Modules
• NIST FIPS 186-4: Digital Signature Standard (DSS) (DSA, RSA (PKCS#1), ECDSA, …)
• NIST FIPS 180-4: Secure Hash Standard (SHA-1, SHA-256, …, SHA-512)
• NIST Routines: https://www.nsa.gov/ia/_files/nist-routines.pdf (Curve P-192, P-224, P-256 etc.)
• Safe Curves: http://safecurves.cr.yp.to
• Transcript Collision Attacks: Breaking authentication in TLS, IKE and SSH: http://www.mitls.org/downloads/transcript-collisions.pdf
Related Sessions

• BRKSEC-3001 – Advanced IKEv2 Protocol
  • Jay Young – Technical Leader
• BRKEWN-2006 – Advancements in Wireless Security
  • Stephen Orr
• BRKSEC-3054 – IOS FlexVPN Remote Access, IoT and Site-to-Site advanced Crypto VPN Designs
  • Piotr Kupisiewicz