Matasano Chargen - Latest Comments in Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

kamagra kaufen — Thu, 03 Nov 2011 08:11:06 -0000

hicago. “My band is playing” notices line the wall. A hipster in a tight t-shirt hands

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Propecia — Thu, 03 Nov 2011 04:53:55 -0000

I'm sure you're right. But I'm not writing about SSO. I'm writing about web crypto.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

smarry — Tue, 14 Jul 2009 01:21:59 -0000

I don't think Coding Horror wants the attribution.

___________________
Smarry
Get 28 movie channals for 3 months free

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Nobody Nohow — Sat, 13 Jun 2009 02:01:58 -0000

Regarding this:
"You could tell how many bytes of the MAC matched by watching how long the function took."

It seems like I have two options:
1. discard invalid data in the minimal amount of time, thereby mitigating potential DOS attacks.
2. discard data in the maximal amount of time, thereby eliminating a "timeable function" attack.

Is there any middle ground here? Because, given the two options, I think I'd go with #1. Seems better to minimize the attack surface to millions of script kiddies at the cost of presenting a (small?) attack surface to hardened pros.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Dan — Fri, 12 Jun 2009 17:33:18 -0000

Hey, I'm trying to improve my understanding of security related issues, and I can't tell if you are meaning that the example you gave would be a good, or a bad implementation. I would like it if you could comment on which it is, and why.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Seth — Fri, 12 Jun 2009 17:25:58 -0000

that was informative and entertaining

always know were your towel is!

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

caf — Mon, 08 Jun 2009 23:15:44 -0000

You can come up with all sorts of interesting ideas, but at the end of the day the problems have been solved already: use the existing primitives.

If you want authenticity, use a HMAC or a signature. If you want privacy, use encryption. If you want both, use both. With different keys. Trying to make the encryption step do both is setting yourself up for a failure.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

gbensn — Sun, 07 Jun 2009 06:39:32 -0000

I've never had to use encrypted session cookies, but I can see why they could be useful, and I've been thinking about how you could secure them. My first idea was to put a hash in there, such that:

cookie = ENCRYPT(plaintext + HASH(plaintext))

When the server receives the cookie, it decrypts it, separates the plaintext from the hash, and checks the plaintext against the hash. That would stop attackers from feeding you modified cookies, because the plaintext wouldn't even get parsed if the hash didn't match.

Then I got to thinking that you can assume that the attacker can guess at least some of the plaintext, so I wondered if prepending it all with some randomness to get the started EBC would fix that. Say the blocksize is 16 bytes, so add 16 bytes of randomness to the start of the plaintext:

cookie = ENCRYPT(random_bytes + plaintext + HASH(random_bytes + plaintext))

Would that protect against known plaintext? I don't really know my stuff here, so this could be the ramblings of an idiot, but I'm interested to know what flaws are in here :)

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Nate — Fri, 05 Jun 2009 15:14:33 -0000

Now you have a zero-day in any system you've seen that does that.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Nate — Fri, 05 Jun 2009 15:13:18 -0000

I'm Nate Lawson, and I disavow any association with any modifications to the post since I read it.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Nate — Fri, 05 Jun 2009 15:11:18 -0000

Well, the question is valid. You could just zero-pad the password string and use it as a key instead of hashing it. Hashing never adds entropy, merely discards a little and shuffles it around equally.

But, it feels wrong, doesn't it? Your password sitting at the left side of the buffer, a bunch of zeros on the right... Could this be a problem? In some cases, YES.

If you were using AES, you'd be fine. Its key scheduling algorithm is good at handling all manner of keys. But if this was RC4, you just recreated the same problem as WEP.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

socrates — Fri, 05 Jun 2009 13:02:57 -0000

Thanks for the article.

I've been coding for a very long time and I didn't understand anything but the math, which was quite clearly presented.

From your article, I learned something about crypto, but more importantly I learned that I have no safe understanding of how to implement crypto whatsoever.

That's a very good thing to know.

You may have saved lives and fortunes with this post.

(Overkill? I don't know, maybe I'm just pumped up on laser unicorns in space)

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Thomas Ptacek — Fri, 05 Jun 2009 11:56:14 -0000

It's assumed that a lot of SSO tokens are encrypted and are therefore a good excuse to talk about why generalist programmers shouldn't be directly working with AES.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Bell — Fri, 05 Jun 2009 11:15:23 -0000

Why is any more than a digital signature necessary here? All that's required is that the session data can't be tampered with and that the source of the data is a trusted server. The payload encryption seems to be unnecessary and seems to have distracted from the problem of authenticating the messages contents and origin.

Or is it assumed that there's something confidential in the payload?

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

caf — Fri, 05 Jun 2009 08:41:59 -0000

Yeah, like I said, once seen it written out in my comment the length extension attack was immediately apparent.

(and I certainly wouldn't have ever done it that way myself, mainly because I remember rule #1 - don't do it yourself, call the damn library function you fool. Just something I've seen)

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Nate — Thu, 04 Jun 2009 22:32:50 -0000

No, go directly to Jail, do not pass Go.

Assuming by "MAC" you mean "HASH" (e.g., SHA), there is a length extension attack where you can append data and calculate the updated hash once you've seen one hash result. That's the reason HMAC has two layers (hash message w/ key, then hash the hash w/ key).

For %!$&^%$!! sake, even WIKIPEDIA gets this one right:
http://en.wikipedia.org/wiki/H...

Seriously, I love the work but please stop creating new work via old mistakes.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Thomas Ptacek — Thu, 04 Jun 2009 22:20:50 -0000

You would never use a straight ASCII string as a crypto key. The hash gives you 128 bits of key material to use.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

caf — Thu, 04 Jun 2009 21:53:45 -0000

Never mind, once I see it written down, it's actually obvious why it's not.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Jeremiah Blatz — Thu, 04 Jun 2009 21:49:46 -0000

OMG, so many comments. Probably one of them says this:
"Wait, you're using crypto? Fool! Generate 128 bits of random data, stuff it in a CGI parameter, then have the second web server make a SOAP call to the first one to validate that the data is valid, fresh, and has only been used once."

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

caf — Thu, 04 Jun 2009 19:16:48 -0000

This brings to mind a question I've had for a while.

It's reasonably common to see people implementing their own HMAC as:

HMAC(M, K) = MAC( K | M )

(Where K is a block-sized key).

Is that actually OK?

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Daniel — Thu, 04 Jun 2009 17:32:56 -0000

I have the same question. No idea why that helps.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Thom — Thu, 04 Jun 2009 13:55:42 -0000

You can easily get much worse. See the PHP manual pages for proof.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Thomas H. Ptacek — Thu, 04 Jun 2009 08:37:41 -0000

I'm sure you're right. But I'm not writing about SSO. I'm writing about web crypto.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

Thomas H. Ptacek — Thu, 04 Jun 2009 08:37:07 -0000

You are missing the point. I really could care less how you choose to implement SSO. This isn't an article about SSO.

Re: Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!

chandler — Thu, 04 Jun 2009 07:45:12 -0000

Thanks for the morning laughs.

But I'm still having trouble with the premise here, so believability suffers a bit. Crypto should be a last resort. Not sharing the information is a much better solution. Why is it necessary to give the client this kind of information in the first place? Maybe the two servers are in different parallel universes, and only the client can pass between them? Otherwise I'd expect the client just to have a cookie that validates that server A is sending him/her/it to server B, which is at best just a random number generated by a sufficiently good PRNG.

Why does an attacker get unlimited tries? That seems like a problem in and of itself. Maybe, through the use of a botnet, they can get "enough" tries, but "unlimited" seems like a stretch. And without a botnet, that shouldn't be an assumption at all.

Also, the cookie contains an encrypted password? Really? I guess it's inevitable once you assume that the two servers aren't talking, but it's a bit obvious. It's like the old guy telling the teenage couple that they're going to get it, then watching a zombie werewolf toaster picking the teenagers out of their teeth a few scenes later. Yeah, we saw that coming.