I started with something that's due tomorrow. You're going to say thank you thank you must testing out. That's why you've earned the right to ask questions. But I do mean that split up and I'll just say you guys should have the positive evolved around you know just like I just mentioned I think I've raised my voice How small that maybe it would take me a long time. I think for a while I don't have any of the servers like I mean like you're going to get a server error maybe wouldn't be able to know if it's crashed your. No I don't think anything like from volume of people doing that right. Vesicle I'm happy. I don't think we're going to do is to divide 600 team prosperity or whatever else you probably crash especially is like 24 hours or something And now I'm happy with that. Okay so today's lecture probably feels weird is compared to all of the rest of them in my opinion. And probably because it belongs kind of network security class we browse Maybe the style of it. I wrestle last night and maybe saying I thinking like It is totally rewrite this lecture when I said it's cool if I can sort of charismatic lead you to do it the right way and if I fail at that which ice you know whatever it is we elsewhere. If I fail it occurs months it's mocking me doing it the right way worst-case scenarios right probably halfway work on productivity. But so these guys were asking about what does it do D. Now just calling them out a little bit because literally they had enough deadline deal was including ours for that over spring break here. Maybe How did life you crack the guys Org says Okay alright I apologize that you track two to us. That's cool for 6070 mentioning problems here. So I think that yeah. Alright cool. So yeah it feels like it. She'd probably need to Monday. Because Monday we're start public-key crypto. Yeah I don't want your minds still and blockchain world or whatever else. 
Statement on the last day of symmetric key crypto and from here on the Course would be I didn't top right I again did project too because if you can do that project two I now trust you deploy that loss that occurs crackled those or whatever else. You can also join the CTF Team and may legitimate sort of top ten contributions and solve those problems you can find those or variations on those. Every single CTF ever putting the six that are on this. We then three today. One starts with this class and you suddenly jump onto our Slack channel and be like no. What I'd like to apply the skills they just learn Project two and realize setting really. But suddenly my career in some way. Right after this class yeah Yeah cool Google so it's Monday. Today. Check them on that. If you do the cool. Next try happening. So you give a shift like that. But you guys you're like it's all psychology sociology. So it's due money. Okay it's your own personal journey right oh hey look So there's two things I want to accomplish with today's lecture and I feel accomplished and master then then you can come or or maybe I should say this now do you have project to questions that you know the right to ask. How many of you have cracks the padding oracle attack problem whole Hayes. I'm happy about that like that's great your body language when I did not expect that hand up that's wonderful. That's one. Okay cool. That one is really often the padding oracle attack because that has been haunting HTTPS for like decades right Now what I'd like you to build a whole career a padding oracle attacks. And I know how dealer DDP you could probably hack into like Lexus isn't BMWs something. That's you right like because because the RFID communication going on like the key fobs there on this. Certainly seems like a thing whatever Oswald while they sing like the crypto as we manage these depot he said it's more about like your ability to kind of jump in and my hair's gotten leakages. Please like that. 
Yeah Mafia knows these tricks. Some researchers are related to these attack. So if you happen to started a lucrative business On the second hand car industry don't tell me. It was like week three times or whatever else and some were investigated. And again. So cool that's really cool horse or the other ones in there. I like challenge since it's a bit like the one that's pretty cool. How did you guys got problem one final okay how many of you have no idea how to prompt okay. Alright cool. So Let's do it. Let's do something real quick. Here is TTF-1 optical gel or C2H2 at that jumped back. So here's this thing was soon this way that I love about. This is the encryption of the flag and ECB right clearly it's like one log ECB means that every time you get the same number I'm going to add a single character a right. When I add a single character a lucky to encrypt their well I got two blocks now right I know that the code that what that encrypted with the letter a followed by the flag. And and presuming that the flag ends and like a closed brace probably that last long it's like a close brace pad. In fact let's just validate that. Let's just validate that crypto that brought them to. Where our problem one here's the paddling I read his pad they enlist Star Wars. It's not that I had a crush on me when I was a kid in a wire somewhere there's paddling. So he had me of a single closing brace. And I say that encode x. My prediction is that the second law but I did just a single character there. Alright so I'm looking at an end into three to two on the on the same block Really start somewhere and so for that let's see 66 C 12 without revealing. So now I'm going to do. So here's here's a cool little trick right I just made a hex digest of 16 characters. Well cool. Oh there's my C6 six cc 12 whatever it into 3C two at the end. That validates to me that the second block then the flagging back ends and the closing brace. 
I now know because like I encrypt a closing brace pad And exactly match the second half of light when I'm just encrypted a singular a followed by the fly because the second to last character reply got Pat. So I now know the last character of this ciphertext which is going to be closing brace. Lets do that. The other way. If I look at this guy now. If I look at this second b1 bA 17 into a three etcetera. If I do the letters 61 I don't know two times. This is going to go over the pipe on say the letter A times So here's good team litter days. It could be anywhere but here's 50 Larry's right. Now 15 letter A's has the five-ninths you see as the opening. If I think about what just got encrypted it was a 15 times. And then the first letter of the flag. Now any guesses based on the form it n right ninja is a one-block flag. I don't really have a lot of room to cutesy messages around it. So let's validate that Doing a plus m z. So that is as succeeded very very n. If I'm right the next block i c should be identical. First block of this guy. Oh yeah they might check into that actually run that refresh. Oh yeah by the nine whatever. So what I'm saying is that you encrypt 15 days the flag or by the letter n. Now IN 15 days and the letterhead I provided the entire first block. That's enough venting Yeah but toward the end of life isn't it it's the beginning of the flag right so I did this two ways once I did I had to kinda check against the end of the second block. And once I did against I just put an arbitrary number of characters like just look at one character at a time. So now I could ask you this question. If I go for 15 a's i'm going to take one more awake. I'm gonna go to 14 aids. Okay that's 14 eighties encrypted. That first block is the encryption of 14 days followed by the first two letters of fly. Okay what You guess the value of the first n. So now by 14 days and n What other letter but after the n to match this I write Azar. That's true. 
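The one-byte-at-a-time ECB recovery walked through above (15 A's, then 14 A's, and so on), run to completion as an added Python example that is not code from the lecture or its course materials. It assumes a toy keyed block function built from SHA-256 in place of AES, a constructed flag and key, and made-up names (`challenge_oracle`, `recover_secret`, `has_repeated_blocks`). `has_repeated_blocks` is the detection side: two identical ciphertext blocks under one key is the tell-tale signature of ECB, and the reason not to ship ECB for any data an outside party can partly choose.

```python
import hashlib
import os
import string

BLOCK = 16

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the AES block function (an assumption of this example, not real AES).
    # All the ECB leak needs is "same key, same 16-byte block -> same output block".
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    data = pkcs7_pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

# Constructed sample secret and key; the flag text is made up for this example.
FLAG = b"ninja{ecb_leaks_structure}"
KEY = os.urandom(BLOCK)

def challenge_oracle(prefix: bytes) -> bytes:
    """Models the challenge service: ECB-encrypts caller-chosen prefix || secret flag under one fixed key."""
    return ecb_encrypt(KEY, prefix + FLAG)

def has_repeated_blocks(ct: bytes) -> bool:
    """Detection check: two identical ciphertext blocks is a strong sign that ECB is in use."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) != len(set(blocks))

def recover_secret(oracle) -> bytes:
    """The lecture's 15-A's / 14-A's trick as a loop: each round pins down exactly one more byte."""
    # 0x01 is the first PKCS#7 pad byte; matching it means we ran off the end of the secret.
    candidates = bytes([1]) + string.printable.encode()
    known = b""
    while True:
        filler = b"A" * ((BLOCK - 1 - len(known)) % BLOCK)  # push the next unknown byte to a block's end
        start = (len(filler) + len(known)) // BLOCK * BLOCK  # offset of the block that holds it
        target = oracle(filler)[start:start + BLOCK]
        found = None
        for c in candidates:
            if oracle(filler + known + bytes([c]))[start:start + BLOCK] == target:
                found = c
                break
        if found is None or found == 1:  # no match, or we matched the pad byte after the last secret byte
            return known
        known += bytes([found])

if __name__ == "__main__":
    print("ECB detected:", has_repeated_blocks(challenge_oracle(b"A" * 32)))
    print("recovered:", recover_secret(challenge_oracle))
```

The comparison in `has_repeated_blocks` is what a reviewer should run against any ciphertext a system emits: a randomized mode (CBC with a fresh IV, CTR, or an AEAD) never produces this pattern, so its presence is a finding on its own.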
66 Now turn that into sort of an algorithm with room for size of it is never that hot. Like there's still some brute forcing once you get past like knowing a ninja. But it's never more than one byte at a time. Course estimates anytime. So there's there's the athletic ponder that for a second. Sit right. Now I'll tap my intellectual goals for the day. So one what I wanted to tie up today is that We did not mix authentication and encryption. So the first thing I want to point out it's a little bit straw man like I don't like normally doing a straw man argument. But let's say that it is non-trivial in the way that you authenticate encrypted material. Alright so to get you to see that I'm going to show you three different universes and make a case for why I like one of the more than any of the others universe one encrypt and authenticate. So here's the universe. Looks like I need to take an encrypted message and an authentication tags that I know my encrypted message gets to you but nobody flip bits like an problem since actually problem six problem. For maybe 300 there was a lovely bit flipping plenty get down. Alright so in order to validate that I wanted to sort of a tag so that I get a ciphertext and some way to validate that second sex was not screwed with. So this one this solution is to take the message encrypt it take the message sign it and send the signature and a ciphertext. That's like the first kind of school both solution and loving is you do want independent keys on these. And I've asked why does that matter What if I use the same key and message authentication and the same key encryption. Let me deal. Can the Blumberg Yes yes so in the authentication the person needs to know it. So like it might be. I now really need to know that the other person is like totally trusted. I could I could I no longer have a degrees of trust. All right say your trusted authenticated message are not trusted to read it. That might be true. 
But it doesn't have the information could be lead by the idea. And again yeah Wikipedia reads like CBC MAC or something like that like well you know I was thinking like what kind of city or fragment of this whatever I'm thoughtfully doing whole Kcat pilots and a whole bunch of packets that were sent back and forth something like that as signatures. And and they happen to be encrypted CBC MAC signatures over here. And your job is to do some forgeries whatever else. Well if you've got CBC MAC same key and this is the same either paranoid mash them up. They don't unlike C. So that's an issue. Let me show you this movie finished second So one Imagine that you were reading with Wireshark a whole bunch of encrypted packets going across the wire here. And every package signed by something. They'd gotten 90 that they use in the crypto in order to avoid problem of encrypting the word yes over and over and over again or I like to think of it as a stock market thing by by by cell cell by cell if my encryption allows me to read buy and sell like in plain text even though I don't I don't even know what scheme you can see that it's the same ciphertext like okay that that wind up by that cell that lighted by boundary right That's what the ideas therefore. Well if I'm signing the plain text Macs are deterministic. That's enough leakage to end the conversation in my mind. That means that if I'm looking at by me the bye message to encrypt it really well. But they're signing the word by. And now they're sighting now the next one is encrypted as randomly as whatever they're signing the word by again. And the next one they're signing word cell so I can just ignore the cipher texts. Read the tags only. I'm going to see only two types of tags iPads itself right done you're done. So that one's out. Alright. Here's the other Strawman scheme. And this one is not as bad as this is actually like debatable. Here you would authenticate and then imprint assay that decrypt whatever. 
So I take my plain text message sign it and that will take the plaintext message concatenated with the signature of plaintext message encrypted that whole thing. Alright sign that. And so what you get is a ciphertext and then decrypts and you would split it. And you will verify the message to that is the tag. And then you go We have three or four textbooks in this class naming you get any of them. I'm sure. Maybe only the most dedicated suit is looked at any of them. But two of our textbooks disagree on exactly this point. So Katz and Lindell is they are much more like academic writing and Schneier his buddies are like in the trenches practical Schneier legs as one and Katz. The next one I actually agree with Katz in this case just like I think Schneier his reasonings a little bit too like I kinda classic Bordeaux. There's no reason not to do it once more academically secure. But so this so but here's here's the problem. I've got all this. You're eating the formatting of the ensemble UP young signature. So you're angry or presenting the signature right right and n more or less than we say that this opens itself up to like a class a padding oracle style attack which is that you've got a couple of different places that the errors to happen about that. So like because this bit flipping in there you can click this and The thing about the padding oracle attack something. Maybe maybe let's watch this thing is. The worst-case scenario we're encryption model has your signatures of those later decrypting it sounds Vegas. Sorry say that again bursty scenario where you're signatures so that when you interject here sort of leaking information by encouraging. Well if you've done problem was it four as my work will be done problem for there are three different outcomes that happen from that thing. Myself sort of textbook padding oracle. 
And the reason I was going to watch this video with you real quick is that Anything that gives you the ability to get more than one error message out of a system is enough to do and it's higher decryption attack and that style. And the way that you get different signals could be as much as like temperature changes in the room right like like so this is something that really starts to take your next level crypto which is that side-channel attacks are really great deal and side-channel attacks that we have not really addressed. And I think Nick is doing an embedded security system way class right now and doing some shirtless verse or whatever. In a side-channel sense if this computer takes longer to process if it goes through two steps and that's leaking information. So like if I can say oh failure one failure two failure one failure two that's enough for me to like start flipping bits and figure out what's going on or whatever. And and how do you hide that like either you force your code to always run the same amount of time the same intensity or whatever. But when you start looking at like a side channel attack that's just paying attention to how much processing is going on. You know you can do machine learning like profiles of when to use on and off and on off and the memory accesses and stuff like that just to see sort of the timing of it all. And if the timing is enough to reveal one's I'm there there's another type of barrier all bucks right like. So that's why I disagree with Schneier on this on or whatever is that life is really really paranoid but this is a this is a class in which paranoia is important to your success as a CTF or flavonoids. Yeah like I like it better because I've constructed this to say there's always when I read that. But if you're on the blue hat psi as a way for them to win. Necessarily buggy and bring the eyeball it. Yes. Yeah like what AES even because the S box I didn't dive in the guts of how AES builds. 
Maybe maybe we should or I don't know that. But we also have this whole world of public-key crypto we gave it. So I got my lectures planned out you know so that was that was a pined away sight loss I did. But the S boxes are more expensive than the other ones because it's not a hardware thing like it's this. So nb the actual weight of CPU chips are cells. Now that's a really fun thing to think about two sorry I don't know wildly badly about this small length but That is to say that if you wanted to do like a PhD kind of thing or whatever we can do like FPGAs on AES. And and your goals like alright let's make the hardware stuff different. What's fast and the hardware and look at how that thwarts the side-channel attacks whatever its way. And the reality is that China had this super tiny chip on all of the processors and all of the data centers for like Amazon for a long time until they've figured out. And that's only recent news in the last year but that was why exactly the thing he's doing is is side-channel attacks side-channel attacks me excuse me reading the key straight up So this is supply chains. You could say that to kind of read it exactly like like. And but that's why I like protecting small businesses. If I have to go up against somebody who's in my hardware I've already lost right but at least the nation states aren't selling the small business data from the hardware they hatch from the time it was built to like the black market. So at least if I protect small targets it's easier to protect the country is much much harder to that cell The last row groups but thinking about like oh something's done in this class. We've had with any of these things. If I start trying random keys for AES you could just win like you could just get lucky like winning the lottery like I just try to write a key at work and be like what's really the odds of that are 12 to the 256. 
While the madness A better auxiliary water mainly No no it's not and students do better on. So yes exactly. I'm much much better other than the lottery. Because your odds of getting the upper bound Kias well yeah yeah it's like totally crazy but they are right so the point is that maybe just maybe while we're doing crypto somebody's guess your random ascii. You can go with a damn. That's the that's a possibility. Do you plan for that possibility no wish you know like so. You can go as deep into paranoia as you want. Maybe that's the lesson that this little guy. And you can get paid to go as deep as you want But what I'm all about is helping you guys live a life time where you're the boss of your hours in order to pay for going to super deep paranoia it's not going to be a mom and pop shops their pain or if it's not mom and pop shops that are paying you this skill set is institutional NOT like imagine and build their skills as institutional The world the game plays a lot were being thrown z or whatever. If it's just like mom and pops up you go to any company ever and just make your fortune right like a small business scales weight easier you'd write your own check. Institutional scale you can do it you can get paid but now you're in a much different sort of like type of capitalism and a smartphone. But it's something it's something I like I like my style but it has just the right question isn't CLS worker parameter. Here that backup I didn't show you up here is that any prediction that we use which is called CBC mode. Engineer at all hazard requirement. We can only encrypt method or a multiple of if we're using AES 16 sites. So if I encrypt a message where this whole thing comes to the whole rewind sites. What are we going to do good simple in some ways. They're constantly myopia so we'll get an answer. Now we have we have an acid trip time was we can encrypt the message. 
Rapid half a peripheral snip Opera Opera temperature and then we'll build without hat which means we need a patent. Adding automatically recognize the music yourself. And how do you comment though so it looks like you're just for possible padding values. I'm not like that. In the light grey breaks your expenses at. So we would start putting nine by actually coordinate the lighting fight that doesn't doesn't itself. So it was like oh wait away. Yeah yeah. And then they would put eight bytes hate Europeans. I'll just put in bars RZ with equals I present. Here Professor just that there's there's a particular modulation abroad. And this is actually a picture of the book. So Robert no padding somebody discovered that actually the structure I'm trying to catch something. So what happens is that people do is they take off the already enriching. The first thing we're always able to impact hat. And in this case it happens happens very securities which he felt if he peripheral first along the way. And then like before I form because planning how to gather together all my life I should've happened that a child protective. And that worked worked restricted altered often goes on with the rest of the retina digestive track. Back. In 1908 he usually returns an error error typical erythrocytic like that. Now now what would be with that average fantasies well burns out at the CDC movie version is now. And what they might see the site the site turns out that items that I want to get some new site a ciphertext that we'll pause exactly. Anything is true this year here in the underline underline after it's decrypted. And so what this guy is let's give you a very very big. For example. Let's imagine that at the last byte draw line I wanted to illustrate illustrate what's happening to my last life. The messages asymptotes act isn't all thy mind. But so what would happen if I send a message I'd I'd I'd I'd get my camera recipe. That's what this limit is 99. Well this message last check. 
Okay okay. Well let's say that I don't actually want all the valid values. Using the same example I can just be contributed by the pleasure to call it all. Now You can say yes yes including his last blah but so I think it'll go every time you say okay I'm sorry it's way off. Well maybe I'll turn on international level website. So so this is a very very cementoenamel one-on-one as valid valid. Clerical you're blowing my record directly. One-on-one values will turn out turn actually record directly last five or greater. So for all of them or they've had it. But for the one that actually has five about I'll guess I'll get on get polio. Just edition. I've learned one by encrypted information to make up for that. So turned out that I basically say it'll say hey well it's I don't think he's bragging or ten tens and hundreds like hands land where I saw something right there I actually like to do is like as I do and I don't know if this is actual value. Now he's right. Check check and sort ideas figure out what your own values. So this is the this is fed isn't necessarily complicated. I thought that you could work this out. This is not something I'm trying to get a PhD scientists very scenarios high. After that because it requires 500 kilograms terabyte which is actually pretty easy. Well it's like oh. Yes yes absolutely we're going to go up here up here. That's exactly exactly what XOR a bit certain cipher texts back. And that same deck near the change. Hank left-click Candy Crush origin exit exit one block brought Robin. You lookups witness that well versus turns out that I never say we say we ask here let's say this is about and why lots let's say that the draw nine and not even that would this this. So I can flip evolved in a valid valid year here. I actually like this that saw something. I'll say well actually that's not why it will come out equal though not developed out of that. So it's something that actually works or with some Y equals o. 
And we think why why why why why why why why why that causes me to pan and once we know well well we know that family that particular value of algebra So this obeys a very anxious but yes it doesn't matter that it just doesn't get bounced back. Pretty much pretty much works against against them. It's a very very nice industrial aspects. So so to fix this attacker our recommended way way way way TLS us. Recognize. This is the last all Casey order or whether you later matter Mac you do something falling melodic script then then after that all that all the data for flourished pattern that we are on the outside. That prevents anybody any good to us because the map package that prevent that why aren't they did You didn't do that so they actually acknowledge that not all cases empowerment and wonder what this is basically if you assign a as I always say to anybody here so this is was Einstein first semester rivalry and computer scientists IQs do to fix this causal model out. There they're lazy. Well the first thing we're going to say it wasn't up the description. Let's just give it one wire pair that fix the problem. Roosevelt. Very good. Yeah yeah yeah so what someone's aligns lies is this actually exaggerated theory except for the fact that what happens apples emojis in Beijing firstly originally tried to tap and adding the patent but with opens bed bail. If it's not then you go onto this map. And I can't accidentally pushing somebody actually yeah you instead because you've helped me either failed failed and then they do something like this and actually actually Rebel Without because he was there also altered vision this this assay kind of sacroiliac delay. We need another another patch patch. Alright. Alright. Hotspots. I'm probably gonna do we make sure that in fact they all veils were built on that map. That should that should be pretty good. It's still time. 
Still by the time this isn't turned out out in the fact that you don't know how long a message message that is focused. So that if you ever doing by by by flight validation measurement. So yeah the battle about it doing it by having you might not want to buy an ethanol by a huge amount of job or having grown up as a filter to Twitter or positive I just don't know about emphatic. So no common factor that yeah we go out and rob man or something. Magical happens without including living matter black at all this poverty and all null. Values Turns out that that evoking broken right here okay and then that and then after this this this is my favorite headline recently stuff because it gives us the words often not even. This isn't it's had gotten to know. Dave date at the bottom the buses asked these February wearing out there. This is a disease of the elastically and lucky once smokers. And the attack attack takes advantage of this is it it turns out that designing squashed it all we build recursively time behind. But by blinding and international European Gillette you can detect the fact that in that room every night This is this our urban Ron's class back. So the past matters and they're write them right. Yes. So I I like that because monolithic as real researcher and teacher whatever. So real researchers anyone's real research is really like it's a lot easier said go. Where it's like okay here's a real thing. It's broken. Why do you guys keep sucking just do this. So that's all to say that this argument here is. So this argument here is subtle and the correct move. Soon grids then tag. Alright that's it. But also a kind of cues you waited that kind of craziness that can happen. And you just have to be careful for any world which you have more than one outcome from your intuition. Okay so here's what I want to do on this. And so this is this is I'm going to say is the winner you encrypt then tied guys internalize that out. That's akin to mix these two ideas from. 
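The three universes (encrypt-and-MAC, MAC-then-encrypt, encrypt-then-MAC) and the "more than one outcome" problem, as an added Python example that is not code from the lecture or the problem set. It stands in for AES with a small SHA-256-based Feistel block cipher (an assumption made so the example runs on the standard library alone), uses HMAC-SHA256 as the MAC, and the function names and the "buy 100 shares" message are constructed here. `failure_modes` flips one byte at two positions of a packet and records which distinct errors the receiver exposes: MAC-then-encrypt exposes two (padding versus tag), encrypt-then-MAC exposes one.

```python
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over SHA-256: an invertible stand-in for AES (assumption), not real AES.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # first observable failure path
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Universe 1, encrypt-and-MAC: the tag is a deterministic function of the plaintext, so equal
# messages give equal tags even though the random-IV ciphertexts differ ("buy"/"sell" leak).
def encrypt_and_mac(ke: bytes, km: bytes, msg: bytes):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ke, iv, pad(msg)), mac(km, msg)

# Universe 2, MAC-then-encrypt: the receiver must decrypt and unpad before it can check the tag,
# so a tampered packet can fail in two distinguishable ways.
def mac_then_encrypt(ke: bytes, km: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ke, iv, pad(msg + mac(km, msg)))

def mte_open(ke: bytes, km: bytes, packet: bytes) -> bytes:
    pt = unpad(cbc_decrypt(ke, packet[:BLOCK], packet[BLOCK:]))   # may raise "bad padding"
    msg, tag = pt[:-32], pt[-32:]
    if not hmac.compare_digest(tag, mac(km, msg)):
        raise ValueError("bad mac")                                 # second failure path
    return msg

# Universe 3, encrypt-then-MAC: the tag covers IV and ciphertext; nothing is decrypted until it checks.
def encrypt_then_mac(ke: bytes, km: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(ke, iv, pad(msg))
    return body + mac(km, body)

def etm_open(ke: bytes, km: bytes, packet: bytes) -> bytes:
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, mac(km, body)):
        raise ValueError("rejected")                                # the only failure path
    return unpad(cbc_decrypt(ke, body[:BLOCK], body[BLOCK:]))

def failure_modes(open_fn, packet: bytes, body_len: int) -> list:
    """Flip one byte of the IV, then the last byte of the second-to-last ciphertext block,
    and return the distinct error messages the receiver exposes (body_len = IV + ciphertext length)."""
    errors = set()
    for pos in (0, body_len - BLOCK - 1):
        bad = bytearray(packet)
        bad[pos] ^= 0x01
        try:
            open_fn(bytes(bad))
        except ValueError as e:
            errors.add(str(e))
    return sorted(errors)

if __name__ == "__main__":
    ke, km = os.urandom(16), os.urandom(16)        # independent keys, as the lecture insists
    msg = b"buy 100 shares of ACME"                # constructed sample message
    p = mac_then_encrypt(ke, km, msg)
    print("MAC-then-encrypt errors:", failure_modes(lambda x: mte_open(ke, km, x), p, len(p)))
    q = encrypt_then_mac(ke, km, msg)
    print("encrypt-then-MAC errors:", failure_modes(lambda x: etm_open(ke, km, x), q, len(q) - 32))
```

The "bad padding" versus "bad mac" split is exactly the two-outcome signal the lecture warns about; in the encrypt-then-MAC receiver the padding check is only ever reached on an authentic packet, so tampering can never steer it. Note also `hmac.compare_digest`: a byte-by-byte `==` on the tag would reintroduce a timing side channel even in universe 3.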
There are three reasons. Alright last thing. Even when you get all that right and I thought again CTF challenge like along these lines. Remember else will do it this other way on CT evidence. So now you've got super high-quality encryption super high quality Message Authentication. You're going to mix it all together and whatever else things like that. Here are the ways that people could still fuck with you. And they are the we attacks in my mind. This is now you've got your packets that go from person a person B set up a secure channel where we can communicate nobody could read anything So what they can sell the DNS the Internet right person a versus B. There's other crazy people handling your stuff in between the thought like E. This is you know like there's a 100 thousand yields between you and your person is not enough time. But there's there's people who are handling your packet transfer. So what can they do they can reorder your back it's nothing to do but that is still the message authentication. We find the encryption when you read it you'll just get things out of order. You can replay messages see you just like listen to them beyond these bicep words whatever you're like hey you know what I'm going to screw with marketing take all these buy orders Side and then I'm just going to send a bunch of others later. Now Goldman-Sachs buying hey everybody to Bull Run whatever and you just like bought some options middle of money. Or you can reflect it. You can take a message. It was going this way and you say send it back this way and make them haven't fake conversation. I don't know what they're saying but you know they're saying to themselves in a weird way whatever you know what the benefit is that you can imagine some CIA scenario or if you want to go view consultant in Hollywood to help him write realistic things happening in movies where else is the thing you know this this script is one. So we English people go oh yes. Or to go back on the offensive. 
You take this. So so what I mean is even the best encryption here or whatever else it's just like one part of the chain right so you've gotten encryption we've got you up and occasionally hopefully has secure channel. And I'm just going to put this part in bold here which is authenticate with a mean not exactly what they say and this is good advice for software engineers for entrepreneurial. All getting Anthony the entrepreneur. This probably some others in the room but when you deal with a client you sell them in a new idea. They think He wants but most the time your imagination a little bit better than theirs. And so you kind of have to like walk them or like do a little bit more than that. They say they want whatever else it gets a little bit too late not tied about the rigorous dispatch something. It's like unless it nasa workhorses are like embedded devices something probably like okay well I think you're going to want a little bit different than what you're saying you want. And so what I mean to say is that even in this view probably want to have some sort of like secure channel headers that are involved in your encryption packets or something else like that to avoid these attacks. So here's my last little like baby assignment for the day. At your tables I want you to make a secure channel that sort of fights against these attacks. And so what are you actually going to send across here so I want you to make a chaplain of sorts just on paper like like what is it that you're going to put in there so that you know how to handle or how will fully replay attacks reflection attacks. Reordering how you make sure that you get writes for rejects correctly. And as robust as possible would like extra metadata. So get a little creative and design their first year Laws that say yeah I understand that you have acknowledged. The sandwich are like And he said he would claim that we slide. It has like this I guess I think civil cells. 
While they are talking about Well yes and holiday and it's just like. Yeah you cannot efficiently. You already know how to do that. When we design tiring. Yeah. Yeah. Yeah. Yeah. Yeah but i five days a year. Core curriculum will say well here's how you would build a database express. Offering that and understand how it works Now he's getting fired and mobility SQL cycle. Then chances are that the explanation for why doesn't dissolve table take your best site yeah kinda meant by it or whatever. I mean throughout the chat maybe that's the way I say that this across or are you just go around like maybe talking faster I say if let them know that it's a batch thinking alright. I who feels like they have some decent solutions here. But you can use message numbers or your gradient hands. So what event for them or if I kind of like an issue and like an MMORPG used to be like that. I'm initiating my messages on this computer. When I do my encryption I might not be able to get the numbers right in the sense that I'm typing Enter and typing entertaining enter your typing entertaining entertaining effort. That requires synchronization across disparate advices. Please tell him that he had a university numbers relatively number. Alright so do be mindful advice. It might a your white shorts at all but it's my mail prefixing system. That's maybe like session-based and probably some sort of names on this key. Andy message why neediness is shooting with Danny. All right. Paul saying automatic handed encrypted message that packet number. And we're just start prefixing on that. Yes. Hi I'm Sam and a destination tag. Timestamps very timestamp regal a somewhat on the replay right like if I were to abroad is that there is some legal or illegal Ruben that if I want to make a bold run from Goldman Sachs and I'm doing the algorithmic trading and I like receiving in sight de do de do ask them out. You can still say yeah maybe we have to say
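The secure-channel design exercise from the end of the lecture, worked through as an added Python example that is not the lecture's code or the course's reference solution. It assumes per-direction encryption and MAC keys derived from a session secret, a 25-byte authenticated header (session id, direction byte, 64-bit sequence number) that doubles as the nonce, a toy SHA-256 keystream in place of AES-CTR, and HMAC-SHA256 applied encrypt-then-MAC; all names are made up here. Reflection, replay and reordering are each rejected by a different check.

```python
import hashlib
import hmac
import struct

SESSION_ID_LEN, HEADER_LEN, TAG_LEN = 16, 25, 32   # header = session id (16) + direction (1) + seq (8)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (assumption: stands in for AES-CTR): keystream = SHA-256(key || nonce || counter).
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def _derive(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys per direction, so a reflected record never verifies.
    return hmac.new(master, label, hashlib.sha256).digest()

class Endpoint:
    """One side of the channel. Direction 0 is A->B, 1 is B->A; each has its own keys and counter."""

    def __init__(self, master: bytes, session_id: bytes, is_a: bool):
        self.session_id = session_id
        self.tx_dir, self.rx_dir = (0, 1) if is_a else (1, 0)
        self.keys = {d: (_derive(master, b"enc" + session_id + bytes([d])),
                         _derive(master, b"mac" + session_id + bytes([d]))) for d in (0, 1)}
        self.tx_seq = 0        # next sequence number we send
        self.rx_expected = 0   # next sequence number we will accept

    def send(self, msg: bytes) -> bytes:
        ke, km = self.keys[self.tx_dir]
        header = self.session_id + bytes([self.tx_dir]) + struct.pack(">Q", self.tx_seq)
        self.tx_seq += 1
        ct = _keystream_xor(ke, header, msg)   # header is unique per record, so it serves as the nonce
        return header + ct + hmac.new(km, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC

    def recv(self, record: bytes) -> bytes:
        if len(record) < HEADER_LEN + TAG_LEN:
            raise ValueError("rejected")
        header, ct, tag = record[:HEADER_LEN], record[HEADER_LEN:-TAG_LEN], record[-TAG_LEN:]
        ke, km = self.keys[self.rx_dir]
        # Authenticate first, under the keys of the direction we expect to receive from. A forged,
        # modified, cross-session or reflected record fails here with one uninformative error.
        if not hmac.compare_digest(tag, hmac.new(km, header + ct, hashlib.sha256).digest()):
            raise ValueError("rejected")
        seq = struct.unpack(">Q", header[17:])[0]
        # Replay and reordering checks run on authenticated data only, so their distinct
        # answers reveal nothing about the plaintext.
        if seq < self.rx_expected:
            raise ValueError("replay")
        if seq > self.rx_expected:
            raise ValueError("out of order")
        self.rx_expected += 1
        return _keystream_xor(ke, header, ct)

def demo() -> dict:
    master, sid = b"\x11" * 32, b"\x22" * SESSION_ID_LEN   # constructed session secret and id
    a, b = Endpoint(master, sid, True), Endpoint(master, sid, False)
    r1, r2, r3 = a.send(b"buy"), a.send(b"sell"), a.send(b"buy")
    results = {"in_order": b.recv(r1),
               "ciphertext_repeats": r1[HEADER_LEN:-TAG_LEN] == r3[HEADER_LEN:-TAG_LEN]}
    for name, endpoint, record in (("replay", b, r1), ("reorder", b, r3), ("reflect", a, r1)):
        try:
            endpoint.recv(record)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    results["continue"] = b.recv(r2)   # the legitimate next record is still accepted
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two design choices worth naming. The sequence number is both the anti-replay counter and the nonce, which is why it must never wrap or be reused within a session (rekey before 2^64 records, or in practice far sooner). Strict in-order acceptance suits a stream transport; over datagrams, where legitimate reordering happens, the `seq > rx_expected` branch would instead be a sliding-window bitmap of already-seen numbers, as IPsec's anti-replay window does.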
cpeg472-010-20190412-101000.mp4
From Andrew Novocin April 12, 2019