Tales of Fails and Tools for Message Integrity

Presented at BSidesDC 2016, Oct. 23, 2016, 3:30 p.m. (50 minutes).

Cryptographically secure data integrity checking may not receive the same level of attention as encryption, but lies at the core of many security technologies from code signatures to passwords to cryptocurrencies. The problem of verifying that a message has not been modified may seem straightforward, but there is a variety of algorithms used to solve it (some good, some not so good, and some homemade and broken) and even standard approaches can fail if not implemented correctly. In this talk I demonstrate a number of catastrophic failures with notorious past examples, explaining how each one worked and the mistakes that the designers made. Then I briefly review the primitives used in message integrity, such as one-way functions, message authentication codes, authenticated encryption, and digital signatures, showing the capabilities and limitations of each.

Presenters:

• Jacob Thompson - Senior Security Analyst at Independent Security Evaluators
  Jacob Thompson is a Senior Security Analyst for Independent Security Evaluators, where he specializes in high-end, custom security assessments of computer hardware and software products. With 10+ years' experience, a propensity toward hands-on security assessment, and proficiencies in reverse engineering, DRM systems, cryptography, system and application security, and secure system design. Through his 3 years' work with ISE, Mr. Thompson has partaken in multiple major vulnerabilities and assessments, customer visits, and progress presentations. He has presented his research at DEFCON 21, BSides DC 2013 & 2014, DERBYCON 4.0, and ToorCon 2014.

Links:

• https://bsidesdc2016.busyconf.com/schedule#activity_5775c339a804aca7dd000009
• https://www.youtube.com/watch?v=86b_ZuAvKBc