Upload
others
View
15
Download
0
Embed Size (px)
Citation preview
Introduction to and survey of TLS Security
Aaron [email protected]
BetterCrypto.org
FIRST Conference 2015 - Berlin / June
Table of Contents
Motivation
BackgroundInformation Security and CryptographyTransport Layer SecurityExtensions and Trust
History & Attacks
IETF efforts
Mitigation
Conclusion
Motivation BetterCrypto.org
TLS is something we deal with on a daily basis, so this is anobvious topic for education.
Keep in mind that these attacks are not only possible fornation-state actors, some of them I can mount on this very laptop.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 1/91
Motivation BetterCrypto.org
https://www.trustworthyinternet.org/ssl-pulse
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 2/91
Motivation BetterCrypto.org
https://www.trustworthyinternet.org/ssl-pulse
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 3/91
Motivation BetterCrypto.org
https://www.trustworthyinternet.org/ssl-pulse
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 4/91
Motivation BetterCrypto.org
https://www.trustworthyinternet.org/ssl-pulse
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 5/91
BackgroundDisclaimer
BetterCrypto.org
Unfortunately this is not a talk about InfoSec nor cryptography, so Iwill only cover the very basics needed to understand the topicproperly. Background information on Information Security andCryptography herein is fitted to TLS only.
I will recommend appropriate resources for those who want to gaina deeper understanding at the end of my talk.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 6/91
BackgroundBasics
BetterCrypto.org
Information Security mandates at minimum the following threeproperties in a secure protocol:
I ConfidentialityI IntegrityI Availability (discussed later)
..this is commonly known as the “CIA triad” (seriously). You will seelater on why these are paramount. The triad is usually extended by:
I Authenticity & Non-repudiation
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 7/91
BackgroundConfidentiallity
BetterCrypto.org
I Prevent unauthorized disclosure of informationI Encryption and Decryption of confidential data
Example: Rijndael cipher. Later renamed AES (AdvancedEncryption Standard) after winning a NIST challenge by the samename.
I Symmetric 128, 192 or 256 bit block cipherI Stick figure guide to AES: http://www.moserware.com/
2009/09/stick-figure-guide-to-advanced.html
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 8/91
BackgroundConfidentiallity: Block cipher modes
BetterCrypto.org
Block ciphers operate on fixed size blocks of data.Online communication is defined by streams of data.
Block cipher modes repeatedly apply a given cipher to a stream ofdata. Examples include:
I Cipher-Block Chaining Mode (CBC)I Counter Mode (CTR)I Galois-Counter Mode (GCM) [authenticated]I Counter with CBC-MAC (CCM) [authenticated]I Offset Codebook Mode (OCB) [authenticated]
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 9/91
BackgroundConfidentiallity: Block cipher modes
BetterCrypto.org
I CBC Mode (sequential):
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 10/91
BackgroundConfidentiallity: Block cipher modes
BetterCrypto.org
I CTR Mode (parallel):
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 11/91
BackgroundIntegrity
BetterCrypto.org
I Assures consistency of dataI e.g. tampered data will be detected (and may be discarded)I Cryptographic hash functions like SHA can provide integrity by
acting as a Hash based Message Authentication Code (HMAC)on the message to be sent and recieved
I Hash-functions need to be collission-resistant: Two differentinputs should never produce the same hash!
I Ideally messages should be encrypted first then MACed(encrypt-then-mac, ETM) to prevent against attacks (CCA,CPA) and to provide for integrity of ciphertexts and plaintexts.See: http://bit.ly/1kZA6WR
I Authenticated Encryption with Associated Data (AEAD) can beused instead (e.g. GCM, CCM, OCB)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 12/91
BackgroundAuthenticity & Non-repudiation
BetterCrypto.org
I Assures that the involved parties are genuineI i.e. are who they say they are
I Injection attacksI Man-In-The-Middle (MITM) attacksI Various cryptographic attack vectors
Examples:I RSA (Rivest, Shamir, Adleman)I DSA (Digital Signature Algorithm)I ECDSA (Elliptic Curve DSA)I Ed25519 (http://ed25519.cr.yp.to)I ElGamal Signature System
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 13/91
BackgroundAuthenticity & Non-repudiation: RSA
BetterCrypto.org
RSAI Used for:
I SignaturesI CertificatesI Authenticated Key-Exchanges (don’t)I Encryption
I Security based on the difficulty of factoring integers:I p, q are large prime numbers (e.g. ≈ 1024bits)I N = p × qI find factors of N
I Best known algorithm (∼1994): General Number Field SieveI Computational complexity for n-bits: O
(exp
((64
9 n) 13 (log n) 2
3))
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 14/91
BackgroundAuthenticity & Non-repudiation: RSA
BetterCrypto.org
RSA Key GenerationI integer N is the product of two large primes p and qI φ(N) = (p − 1)(q − 1)I choose an integer e (usually 65537), such that
I 1 < e < φ(N)I gcd(e, φ(N)) = 1
I Public Key: N (modulus), e (public exponent)I Private Key: d ≡ e−1 (mod φ(N))
gcd and φ denote the Greatest Common Divisor (Euclidian algorithm) and Euler totient function, respectively.
Math background: Modular arithmetic.Proof: Euler’s theorem and Fermat’s little theorem.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 15/91
BackgroundAuthenticity & Non-repudiation: RSA
BetterCrypto.org
Alice sends her public key (modulus N and exponent e) to BobBob sends his public key (modulus N and exponent e) to Alice
RSA Encryption:I Bob wants to send a
message M to Alice, turns Minto an integer m(0 ≤ m < N) using acommon padding-scheme
I ..computes ciphertextc ≡ me (mod N)
RSA Decryption:I Bob sends ciphertext to AliceI Alice computes
m ≡ cd (mod N)I ..recoveres Bob’s message M
by reversing the commonpadding-scheme
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 16/91
BackgroundAuthenticity & Non-repudiation: RSA padding
BetterCrypto.org
..a secure padding scheme is really important.
Example: Bleichenbacher attack on PKCS#1http://tinyurl.com/bleichenbacher (real world SSLv3 attack)
Not going into that here has been explained in detail in a 31c3 talkyesterday, see also: http://tinyurl.com/rsa-padding
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 17/91
BackgroundKey Agreement
BetterCrypto.org
A key exchange algorithm exchanges cryptographic keys (i.e. sharedsecrets) among parties which want to communicate confidentialy.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 18/91
BackgroundKey Agreement: Diffie-Hellman
BetterCrypto.org
The Diffie-Hellman key exchange algorithm (1976) was the firstscheme devised to exchange cryptographic keys among multipleparties. It is the most widely used key exchange algorithm to thisdate.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 19/91
BackgroundKey Agreement: Diffie-Hellman
BetterCrypto.org
Alice and Bob want to communicate with each other and thus agreeon a large prime number p and a generator g (0 < g < p)
I Alice choses a secret integer x (private key)..and calculates g x (mod p) as her public key
I Bob choses a secret integer y (private key)..and calculates g y (mod p) as his public key
Math Background: Multiplicative group of integers modulo phttps://en.wikipedia.org/wiki/Multiplicative_group_of_integers_modulo_nhttp://tinyurl.com/multiplicativegroupmodp
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 20/91
BackgroundKey Agreement: Diffie-Hellman
BetterCrypto.org
Alice and Bob exchange their public keysI Alice doesn’t know Bob’s yI Bob doesn’t know Alice’s x
But,..I Alice however knows x and g y
..therefore calculates (g y )x (mod p) = g yx (mod p)I Bob however knows y and g x
..therefore calculates (g x )y (mod p) = g xy (mod p)
They now have established a shared secret: g xy (mod p)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 21/91
BackgroundKey Agreement: Forward secrecy
BetterCrypto.org
Forward secrecy (aka Perfect Forward Secrecy - PFS) ensures thatonly ephemeral session keys are used.
Even if a key is compromised in the future, not all communicationthat may have been recorded is compromised.
Simple, at the end of a session:I Alice discards her public-key xI Bob discards his public-key y
Hence: Ephemeral Diffie-Hellman (DHE and ECDHE).
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 22/91
BackgroundCiphersuites
BetterCrypto.org
In SSL/TLS terminology; a ciphersuite combines the previouslymentioned cryptographic techniques to work together and forms partof a secure (online) communication protocol
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 23/91
BackgroundCiphersuites
BetterCrypto.org
Example:I Elliptic Curve Diffie-Hellman (Ephemeral - PFS)I RSAI AES128I in Galois Counter Mode (GCM)I SHA256
IANA standardized TLS parameters:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 24/91
BackgroundCiphersuites
BetterCrypto.org
OpenSSL:ECDHE-RSA-AES128-GCM-SHA256
PolarSSL:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
GnuTLS:TLS_ECDHE_RSA_AES_128_GCM_SHA256
Apple Crypto Framework:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Microsoft SChannel:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256(No ECDHE with RSA and GCM for Microsoft users, you get crappy ECDSA instead.)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 25/91
BackgroundTransport Layer Security
BetterCrypto.org
Before talking about the history and attacks of TLS it just makessense to point out how TLS actually works (TLS 1.2).
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 26/91
BackgroundTransport Layer Security: TLS records
BetterCrypto.org
TLS deals in “records”. Different types of records exist: Handshake,ChangeCipherSpec, Application data and Alert.
In general TLS record looks like this:1 Byte 1 Byte 1 Byte 1 Byte
+−−−−−−−−+−−−−−−−−+−−−−−−−−+−−−−−−−−+| type | |+−−−−−−−−+−−−−−−−−+−−−−−−−−−−−−−−−−−+| v e r s i o n | l e n g t h |+−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−+| message N |+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+| . |
.
.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 27/91
BackgroundTransport Layer Security: TLS records
BetterCrypto.org
I Handshake records do have a different message structureI Alert records basically just send an error code (1 byte) and
description (1 byte) instead of a full message.
Besides Handshake and ChangeCipherSpec records - any recordsmay optionally contain a MAC and padding (up to 4 bytes each) atthe end, depending on the previously negotiated ciphersuite.
For reference, see: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_record
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 28/91
BackgroundTransport Layer Security: Handshake
BetterCrypto.org
[ C l i e n t ] [ S e r v e r ]
C l i e n t H e l l o −−−−−−−−>
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 29/91
BackgroundTransport Layer Security: Handshake
BetterCrypto.org
[ C l i e n t ] [ S e r v e r ]
C l i e n t H e l l o −−−−−−−−>S e r v e r H e l l oC e r t i f i c a t e ∗ServerKeyExchange ∗C e r t i f i c a t e R e q u e s t ∗
<−−−−−−−− Serve rHe l loDone
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 30/91
BackgroundTransport Layer Security: Handshake
BetterCrypto.org
[ C l i e n t ] [ S e r v e r ]
C l i e n t H e l l o −−−−−−−−>S e r v e r H e l l oC e r t i f i c a t e ∗ServerKeyExchange ∗C e r t i f i c a t e R e q u e s t ∗
<−−−−−−−− Serve rHe l loDoneC e r t i f i c a t e ∗Cl ien tKeyExchangeC e r t i f i c a t e V e r i f y ∗[ ChangeCipherSpec ]F i n i s h ed −−−−−−−−>
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 31/91
BackgroundTransport Layer Security: Handshake
BetterCrypto.org
[ C l i e n t ] [ S e r v e r ]
C l i e n t H e l l o −−−−−−−−>S e r v e r H e l l oC e r t i f i c a t e ∗ServerKeyExchange ∗C e r t i f i c a t e R e q u e s t ∗
<−−−−−−−− Serve rHe l loDoneC e r t i f i c a t e ∗Cl ien tKeyExchangeC e r t i f i c a t e V e r i f y ∗[ ChangeCipherSpec ]F i n i s h ed −−−−−−−−>
[ ChangeCipherSpec ]<−−−−−−−− F in i s hed
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 32/91
BackgroundTransport Layer Security: Handshake
BetterCrypto.org
[ C l i e n t ] [ S e r v e r ]
C l i e n t H e l l o −−−−−−−−>S e r v e r H e l l oC e r t i f i c a t e ∗ServerKeyExchange ∗C e r t i f i c a t e R e q u e s t ∗
<−−−−−−−− Serve rHe l loDoneC e r t i f i c a t e ∗Cl ien tKeyExchangeC e r t i f i c a t e V e r i f y ∗[ ChangeCipherSpec ]F i n i s h ed −−−−−−−−>
[ ChangeCipherSpec ]<−−−−−−−− F in i s hed
A p p l i c a t i o n Data <−−−−−−−> A p p l i c a t i o n Data
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 33/91
BackgroundSession Resumption and False-start
BetterCrypto.org
Session-resumption and False-start are TLS extensions minimizinground-trip time and CPU cost.
Session-resumption:I An “abbreviated handshake” is usedI Previously negotiated Handshake parameters are reused
False-start (somewhat deprecated):I Optional extension to send data before the Handshake is
completedI After ChangeCipherSpec and Finished messages Client or
Server data may be sentI Even if the other side has not acknowledged yet
For a good description see: http://chimera.labs.oreilly.com/books/1230000000545/ch04.htmlhttp://blog.cryptographyengineering.com/2012/04/so-long-false-start-we-hardly-knew-ya.htmlFIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 34/91
BackgroundOCSP
BetterCrypto.org
Online Certificate Status Protocol (OCSP) is a mechanism to checkfor the validity and revocation of certificates.
OCSP has recieved a lot of critique:I MITM attackers may also interfere with OCSP requestsI OCSP stapling can be used to mitigate this problemI OCSP latency for large CAs is usually in the hundreds of
millisecondsI OCSP infrastructure completely broke down during Heartbleed
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 35/91
BackgroundHTTP Strict Transport Security
BetterCrypto.org
HTTP Strict Transport Security (HSTS) is a security policy thatenforces HTTPS connections on following requests (e.g. upgradeevery HTTP requests to HTTPS).
A small downside: the first HSTS header must be sent over HTTPSto ensure it cannot be tampered with.
Effectively disables ssl-stripping attacks.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 36/91
BackgroundTLS Renegotiation Indication Extension
BetterCrypto.org
RFC5746 defines a TLS extension that prevents for TLS Handshakerenegotiaton attacks by sending a special Signaling Cipher SuiteValue (SCSV) in the ClientHello which ties a renegotiation requestto a TLS connection.
Called “Secure Renegotiation”.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 37/91
BackgroundSPDY, NPN, ALPN and so forth
BetterCrypto.org
Google drafted specifications for protocol upgrade to SPDYincluding NPN and ALPN which SPDY effectively relies on. SPDYis the basis for the work in the IETF HTTPBIS-WG that willstandardize HTTP2.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 38/91
BackgroundWeb-of-Trust and X.509
BetterCrypto.org
X.509, and Web-of-(mis)trust and ASN.1 would require a two hourtalk on their own.
Certificate Authorities should and can not be trusted, they areknown to behave maliciously at times, give away sub-CAs for DPIto large companies and nations and regularly fuck up their ownsecurity processes.
Read for example:http://www.certificate-transparency.org/what-is-ct
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 39/91
History & Attacks BetterCrypto.org
Now that you have an idea of the necessary background, let’s takea look at the history of TLS (in)security.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 40/91
History & AttacksInternet Dark Ages
BetterCrypto.org
I SSLv1 engineered at Netscape, never released to the publicI Kipp Hickman of Netscape introduces SSLv2 as an IETF draft
back in 1995:
The SSL Protocol is designed to provide privacybetween two communicating applications (a clientand a server). Second, the protocol is designedto authenticate the server, and optionally theclient. [...]
http://tools.ietf.org/html/draft-hickman-netscape-ssl-00
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 41/91
History & AttacksInternet Dark Ages
BetterCrypto.org
I SSLv2 was fundamentally broken and badly designed.Basically full loss of Confidentiallity and integrity of on-wiredata thus susceptible to MITM attacks, see:http://osvdb.org/56387
I CipherSpec is sent in the clearI Size of Block-cipher padding is sent in the clear
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 42/91
History & AttacksInternet Dark Ages
BetterCrypto.org
I SSLv3 was introduced in 1996 by Paul Kocher, Phil Karltonand Alan Freier, utilizing an algoritm by Taher ElGamal, aknown cryptographer and Chief Scientist at Netscape at thetime: https://tools.ietf.org/html/rfc6101
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 43/91
History & AttacksInternet Dark Ages
BetterCrypto.org
On a side note; back then the choice algorithms was limited andexport ciphers (low security) common as recommended by NSA andmandated by US law. Google: “Bernstein vs. United States”
I encryption algorithms (Confidentiality): NULL,FORTEZZA-CBC (NSA), IDEA-CBC, RC2-CBC-40 (40bitsecurity), RC4-128, DES40-CBC (40bit security), DES-CBC(56bit security), Triple-DES-EDE-CBC
I hash functions (integrity): NULL, MD5 and SHA
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 44/91
History & AttacksInternet Dark Ages
BetterCrypto.org
David Wagner and Bruce Schneier publish a paper entitled“Analysis of the SSL 3.0 protocol”:
I Keyexchange algorithm rollbackI Protocol fallback to SSLv2I Protocol leaks known plaintexts - may be used in cryptanalysisI Replay attacks on Anonymous DH (don’t use it anyway!)
https://www.schneier.com/paper-ssl.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 45/91
History & AttacksTLS appears
BetterCrypto.org
1999. The SSL protocol is renamed to TLS (version 1) with littleimprovements over SSLv3. The spec. is almost identical.
I Diffie-Hellman, DSS and Triple-DES are now required byimplementors
I most SSLv3 security issues are still present in TLS 1.0(RFC2246)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 46/91
History & AttacksTLS gets padding attacks
BetterCrypto.org
2002. Vaudenay publishes a paper entitled “Security Flaws Inducedby CBC Padding Applications to SSL, IPSEC, WTLS...”
I Side-channel attack on CBC mode paddingI valid/invalid padding causes different reactionsI can be used to influence decryption operationsI introduces “padding oracle attacks” in SSL
http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 47/91
History & AttacksTLS gets extended
BetterCrypto.org
2003. TLS extensions get specified in RFC3546.I General: Extended Handshake, ClientHello and ServerHelloI Server Name Indication (SNI) for virtual hosting
(SNI leaks metadata!)I Certificate Status Request (CSR) support via OCSPI (...)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 48/91
History & AttacksTLS gets timing attacks
BetterCrypto.org
2003. Brumley and Boneh publish a paper entitled “Remote timingattacks are practical”.
Timing attack on RSA in SSL/TLS implementations (OpenSSL):I Send specially crafted ClientKeyExchange messageI Mesure time between ClienyKeyExchange and Alert responseI do a bit of statisticsI retrieve Private Key
http://dl.acm.org/citation.cfm?id=1251354
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 49/91
History & AttacksTLS gets padding oracle password retrieval
BetterCrypto.org
2003. Canvel, Hiltgen, Vaudenay, Vuagnoux publish “PasswordInterception in a SSL/TLS Channel”.
Extend earlier work of Vaudenay and successfully intercept IMAPpasswords in TLS channels.
http://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 50/91
History & AttacksTLS gets chosen plaintext attacks
BetterCrypto.org
2004 & 2006. Bard demonstrates Chosen-Plaintext Attacks againstSSL and TLS1.0
Attack on CBC:I CBC exchanges an Initialization Vector (IV) during HandshakeI these IVs turn out to be predictableI PINs and Passwords can be decryptedI VPNs/Proxies can also be used to accomplish this task
https://eprint.iacr.org/2004/111https://eprint.iacr.org/2006/136
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 51/91
History & AttacksTLS gets updated
BetterCrypto.org
2006. A new TLS protocol version is standardized: TLS 1.1I EXPORT ciphers removedI Session resumptionI Protection against the CBC attacks by BardI IANA TLS parameters standardizedI (...)
(RFC4346)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 52/91
History & AttacksTLS gets modern crypto
BetterCrypto.org
2008. A new TLS protocol version is standardized: TLS 1.2I MD5/SHA1 removed as pseudorandom function (PRF)I configurable PRFs in ciphersuites (e.g. SHA256)I Authenticated encryption: CCM, GCMI AES ciphersuitesI (...)
(RFC5246)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 53/91
History & AttacksRouge CA Certificates
BetterCrypto.org
2008. Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik and deWeger present a paper based on earlier work by Lenstra et al. at25c3 entitled “MD5 considered harmful today”
I MD5 Hash-collision of a CA CertificateI Create colliding (rouge) CA CertificatesI Generate any Certificate for MITM you want
http://www.win.tue.nl/hashclash/rogue-ca/https://www.youtube.com/watch?v=PQcWyDgGUVg
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 54/91
History & Attackssslstrip
BetterCrypto.org
2009. Moxie Marlinspike releases sslstrip at BlackHat DC 2009.I Client connects to serverI Attacker intercepts session via MITMI Attacker sends HTTP 301 (moved permanently)I Attacker forwards requests to/from server via SSL/TLSI Client receives data via unencrypted channelI Attacker reads plaintext
http://www.thoughtcrime.org/software/sslstriphttp://vimeo.com/50018478
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 55/91
History & AttacksNull-prefix attacks against Certificates
BetterCrypto.org
2009. Moxie Marlinspike publishes “Null prefix Attacks againstSSL/TLS Certificates”.
I Specially crafted domain strings trick CA checkingI null-terminate stuff in a domain nameI ex.: www.paypal.com\0.thoughtcrime.org is validI ex.: *\0.thoughtcrime.org is validI CA ignores prefixI Client does not -> Certificate valid for prefix
Moxie updated his sslsniff project to carry out this attack.
http://www.thoughtcrime.org/papers/null-prefix-attacks.pdfhttp://thoughtcrime.org/software/sslsniff
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 56/91
History & AttacksSSLv2 Forbidden
BetterCrypto.org
2011. IETF publishes and standardized a RFC to prohibitnegotiation and thus compatibility of SSLv2 in TLS1.0-1.2 entirely.
https://tools.ietf.org/html/rfc6176
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 57/91
History & AttacksComodo
BetterCrypto.org
2011. Comodo CA: Attacker issues 9 certificates via reseller accountfor popular domains (google.com, yahoo.com, live.com, skype.com [...])
https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 58/91
History & AttacksBEAST
BetterCrypto.org
2011. Doung and Rizzo publish the BEAST attack at ekoparty anddemo a live attack on PayPal. Based on Bards earlier work onpredictable IVs in CBC:
I Phishing gets victim to visit a certain websiteI Script on said website makes request to genuine siteI Attacker records encrypted cookie informationI Tries to guess session-cookie with known CBC attack
Same Origin Policy (SOP) forbids this attack in client software. IfSOP can be bypassed (as shown by the authors with Java’s SOP)this attack is still practical.
http://vnhacker.blogspot.co.at/2011/09/beast.html
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 59/91
History & AttacksTrustwave
BetterCrypto.org
2012. Trustwave CA: Trustwave sells subordinate CAs to bigcorporations to be used for Deep Packet Inspection.
A sub-CA can issue and fake any certificate for MITM attacks.
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.htmlhttp://arstechnica.com/business/2012/02/critics-slam-ssl-authority-for-minting-cert-used-to-impersonate-sites/
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 60/91
History & AttacksDigiNotar
BetterCrypto.org
2012. DigiNotar CA: Attackers compromise DigiNotar in it’sentirety.
I attackers generate tons of certificatesI Google Chromes certificate store detects mismatchesI DigiNotar acknowledges breachI DigiNotar files for bankrupcyI FOX-IT never gets paid for the investigation
https://en.wikipedia.org/wiki/DigiNotarhttp://cryptome.org/0005/diginotar-insec.pdfhttp://nakedsecurity.sophos.com/2011/09/05/operation-black-tulip-fox-its-report-on-the-diginotar-breach
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 61/91
History & AttacksCertificate validation in non-browser software
BetterCrypto.org
2012. Georgiev, Iyengar, Jana, Anubhai, Boneh and Shmatikovpublish a paper entitled “The most dangerous code in the world:validating SSL certificates in non-browser software”
Certificate validation vulnerabilities in:I OpenSSLI GnuTLSI JSSEI EC2 Java libraries & Amazon SDKsI PayPal SDKsI eCommerce/WebShop softwareI ..cURL, PHP, Python, tons of Java middleware
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 62/91
History & AttacksCRIME
BetterCrypto.org
2012. Doung and Rizzo publish an attack against TLS Compressionand SPDY titled CRIME.
I MITM attacker sees length of compressed ciphertextI compression has direct affect on the lengthI attacker makes client compress/encrypt data (or uses known
data) with secret dataI attacker comparesI correct guesses yield shorter messages due to compressionI repeat until done
This is only feasible for small amounts of data, e.g. session strings,cookies and so forth.https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 63/91
History & AttacksTIME
BetterCrypto.org
2013. Be’ery and Shulman present TIME at BlackHat Europe.Extend on the CRIME Attack:
I Attacker generates HTTP requests (XSS, injection,..)I Attacker exploits SOP design flaw and measures RTT
differencesI determines correct or failed guesses by SOP timing leak
https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdfhttps://www.youtube.com/watch?v=rTIpFfTp3-w
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 64/91
History & AttacksLucky13
BetterCrypto.org
2013. AlFardan and Paterson present a novel attack against CBCfor TLS and DTLS based on timing analysis.
I Attacker intercepts and modifies a message including paddingI Attacker tempers with the padding of the messageI MAC computation takes longer during decryption processI Attacker repeats and measuresI Attacker performs padding oracle attack described earlierI (Extremely latency sensitive attack)
http://www.isg.rhul.ac.uk/tls/Lucky13.htmlhttp://www.isg.rhul.ac.uk/tls/TLStiming.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 65/91
History & AttacksRC4 Biases
BetterCrypto.org
2013. AlFardan, Bernstein, Paterson, Poettering and Schuldtpublish a generic attack on the RC4 cipher for TLS and WPA.
I Statistical biases in the first 257 bytes of ciphertextI Recovery of the first 200 bytes after 228 to 232 encryption
operations of the same plaintextI A broadcast attack: mounted on unique keysI May also be mounted with a single key with repeating target
plaintextsI Only feasible for large amounts of data and very time
consuming
http://www.isg.rhul.ac.uk/tlshttp://www.isg.rhul.ac.uk/tls/RC4biases.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 66/91
History & AttacksNIST curves
BetterCrypto.org
2013 & 2014. Daniel J. Bernstein and Tanja Lange voice concernabout the NIST Elliptic Cuves that are widely implemented andused in TLS for ECDH and ECDSA
I NIST curves defined on recommendations by NSA’s JerrySolinas
I Unclear why these curves and their parameters were chosenI NIST cites efficiency: more efficient and secure curves
availableI Possible mathematical backdoor through previous analysis and
carefully chosen and unexplained parametersI Start SafeCurves project (ongoing)
http://www.hyperelliptic.org/tanja/vortraege/20130531.pdfhttp://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdfhttp://safecurves.cr.yp.tohttps://archive.org/details/ShmooCon2014_SafeCurves
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 67/91
History & AttacksBREACH
BetterCrypto.org
2013. Gluck, Harris and Prado demonstrate yet another attackbased on CRIME at BlackHat USA.
Very similar to CRIME but the attack works based on informationleaks from HTTP compression instead of TLS compression.
http://breachattack.comhttps://www.youtube.com/watch?v=CoNKarq1IYA
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 68/91
History & AttacksUnused Certificates in Truststores
BetterCrypto.org
2014. Perl, Fahl, Smith publish a paper entitled “You Won’t BeNeeding These Any More: On Removing Unused Certificates FromTrust Stores”
I Compared 48 mio. HTTP certificatesI 140 CA Certificates are unused in all major trust storesI Of 426 trusted root certificates only 66% are even used
http://fc14.ifca.ai/papers/fc14_submission_100.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 69/91
History & AttacksTriple Handshakes Considered Harmful
BetterCrypto.org
2014. Bhargavan, Delignat-Lavaud, Pironti, Langley and Raypresent an attack one day before the IETF’89 meeting in London.
I Limited to client-certificate authentication with renegotiationI MITM attack on renegotiation with a three-way handshakeI Variations of the attack also discussed on their websiteI Can’t possibly fit this into one slide, homework: understand the
attack by reading their excellent description on the website
https://secure-resumption.comhttps://secure-resumption.com/IETF-triple-handshakes.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 70/91
History & AttacksFrankencerts
BetterCrypto.org
2014. Brubaker, Jana, Ray, Khurshid and Shmatikovy publish apaper entitled “Using Frankencerts for Automated AdversarialTesting of Certificate Validation in SSL/TLS Implementations”
I Fuzzing of X.509 related code in all major implementationsshows serious weaknesses in certificate validation and handling
I OpenSSL, NSS, GnuTLS, MatrixSSL, PolarSSL, CyaSSL,cyptlib [...]
https://www.cs.utexas.edu/~shmat/shmat_oak14.pdfhttps://github.com/sumanj/frankencert
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 71/91
History & AttacksHeartbleed
BetterCrypto.org
2014. Heartbleed is independently discovered by Codenomicon anda Google Security engineer.
Faulty implementation in OpenSSL of the TLS Heartbleedextension leaks memory content over the wire. This has been allover the media and discussed in detail all over the internet. Peoplehave successfully extracted sensitive information (password files etcetera) from victim memory.
I wrote an nmap plugin to scan for Heartbleed:https://github.com/azet/nmap-heartbleed
http://heartbleed.com
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 72/91
History & AttacksVirtual Host Confusion
BetterCrypto.org
2014. At BlackHat Delignat-Lavaud presents an attack based onSSLv3 downgrade and sharing of session caches
I Attacker forces downgrade to SSLv3I For SSLv3: larger deployments share session cachesI attacker exploits a server vulnerability where session caches
are reusedI attacker requests different subdomain with SSLv3 using the
same sessionI vulnerable server will allow connection w/o authenticationI www.company.com vs git.company.com
https://bh.ht.vc
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 73/91
History & AttacksPOODLE
BetterCrypto.org
2014. POODLE: Padding Oracle On Downgraded LegacyEncryption - OpenSSL/Google
I MITM attacker downgrades to SSLv3 (once again)I attacker does block duplicationI takes on average 256 requests to decrypt 1 byte (!)I disabling SSLv3 or using the FALLBACK_SCSV TLS
extension (draft) mitigates this issue entirely
https://www.openssl.org/~bodo/ssl-poodle.pdf
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 74/91
History & AttacksSChannel RCE
BetterCrypto.org
Patch tuesday Nov. 2014: Remote Code Execution in MicrosoftSChannel
Enables malicious attackers to initiate ClientCertificate exchange(even if unsupported) with payload in the signature
http://blog.beyondtrust.com/triggering-ms14-066
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 75/91
History & AttacksPOODLE again
BetterCrypto.org
2014. POODLE on TLS 1.0-1.2I turns out some implementations (e.g. F5 load balancers) are
vulnerable to POODLE even for TLS 1.0 - TLS 1.2I since TLS 1.1 this should have been mitigated entirely, but
3.6% of servers vulnerable
https://www.imperialviolet.org/2014/12/08/poodleagain.htmlhttps://vivaldi.net/blogs/entry/not-out-of-the-woods-yet-there-are-more-poodles
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 76/91
History & AttacksImplementation Issues
BetterCrypto.org
There are tons of other issues with TLS stacks and softwareimplementations that have not been discussed.
OpenSSL alone published 24 security advisories in 2014 untiltoday.
I Apple’s GOTO failI GnuTLS GOTO failI various GnuTLS vulnerabilitiesI wrong use of OpenSSL API in server and client software
...Clearly; a lot of people current have their eyes on this very topic.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 77/91
History & AttacksImplementation Issues
BetterCrypto.org
For this crowd: It’s up to you to find them and improve existingimplementations, protocols and standards.
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 78/91
IETF efforts BetterCrypto.org
I n t e r n e t S o c i e t y|
I n t e r n e t A r c h i t e c t u r e Board| |
IETF ( 1 ) IRTF ( 2 )| |
S t e e r i n g Group S t e e r i n g Group| | | | | |
WG WG WG . . WG WG WG . .
1 − I n t e r n e t Eng i nee r i ng Task Force2 − I n t e r n e t Research Task Force
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 79/91
IETF effortspost-Snowden
BetterCrypto.org
I After the Snowden Leaks appeared in press the IETF begandiscussion on how ‘’pervaisive monitoring” can be prevented
I In September 2013 the ‘’PERPASS” (pervaisive, passivemonitoring) mailing list was started
I People started working on drafts to circumvent ‘’pervaisivemonitoring”: http://down.dsg.cs.tcd.ie/misc/perpass.txt
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 80/91
IETF efforts BetterCrypto.org
I IETF 89 was accompanied by a meeting on the topic (STRINT)with invited speakers on privacy, security and cryptography:https://www.w3.org/2014/strint/
I ‘’strenghtening the internet against pervaisive monitoring”I a lot of good feedback and ideasI main takeaways: threat modeling, CFRG was tasked with
TLS-WG guidance on choices of ciphers and whichcurves/parameters (ECC) to use
http://tools.ietf.org/html/draft-iab-strint-report-00
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 81/91
IETF effortsNew WGs and documents being worked on
BetterCrypto.org
I UTA-WG (utilizing TLS in applications): working BCPs onhow to properly use/implement TLS
I TLS-WG (transport layer security): TLS 1.3,chacha20-poly1305, DJB curves (ECC), FALLBACK_SCSVextension,..
I TCPINC (TCP increased security): working on standardizationof opportunistic encryption on the TCP layer (similar totcpcrypt)
I DPRIVE (DNS private exchange): working on DNS privacyfeatures
I IAB (internet architecture board): threat model, see:https://tools.ietf.org/html/draft-iab-privsec-confidentiality-threat
I TRANS (Public Notary Transparency): fight maliciouscertificate authorities with certificate transparency, see:www.certificate-transparency.org
...FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 82/91
IETF effortsCurves Curves Curves
BetterCrypto.org
I CFRG (cryptography forum research group within IRTF) isworking on a standardized set of curves and curve parametersfor IETF WGs: expected by the end of 2014
I + Curve25519 (dan bernstein, et al.)I + NUMS (microsoft)I + ed448goldilocks (michael hamburg)
In comparison to NIST curves: most new proposals are plugableinto existing standards and can be reused within protocols andIETF documents.
Good summary (by the Brainpool authors, so a bit biased):http://eprint.iacr.org/2014/832.pdfFIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 83/91
IETF efforts BetterCrypto.org
I Certificate Transparency is now being worked on as an IETFstandard: https://datatracker.ietf.org/wg/trans/charter/
I discussion on mandatory encryption in HTTP2 (HTTPBIS-WG)
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 84/91
IETF efforts BetterCrypto.org
On Nov. 14, 2014 Internet Architecture Board issued a statementrecommending deploying encryption by default throughout theprotocol stack in further developments.
Commended by Internet Society a day later.
https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/http://www.internetsociety.org/news/internet-society-commends-internet-architecture-board-recommendation-encryption-default
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 85/91
MitigationGet informed!
BetterCrypto.org
Luckily Mitigation does not require as much slides. Because it’srather simple:
I Use current software and update regularly:Most of these attacks are fixed upstream
I Use peer-reviewed and solid configurations:Check out https://bettercrypto.org
I Listen to recommendations by security expertsI Audit your infrastructure (possibly even pay external
contractors to take a look)I Keep track of TLS security and evolving security standards and
recommendations
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 86/91
MitigationFuture work
BetterCrypto.org
IETF TLS-WG is currently working on TLS 1.3 to mitigate some ofthe issues and concerns raised.
Drafts like new SCSVs would effectively prevent protocoldowngrade attacks. (constant-time) ciphers and curves and DHparameter negotiation have been proposed along with protocolimprovements for efficiency, security and privacy. It’s still in themaking and worth to keep track of.
Cryptography libraries seem to be more actively audited now, whichhas resulted in some of the disclosures in the paths months.
http://www.ietf.org/proceedings/89/slides/slides-89-tls-5.pdfhttps://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsvhttp://tools.ietf.org/html/draft-agl-tls-chacha20poly1305https://datatracker.ietf.org/doc/draft-gillmor-tls-negotiated-dl-dhe/?include_text=1
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 87/91
MitigationFuture work
BetterCrypto.org
..and in Dec. 2014 W3C has established a working group to “securethe web through encryption”:https://w3ctag.github.io/web-https
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 88/91
MitigationDistribute Trust
BetterCrypto.org
Certificate Transparency and HPKP are only a few examples ofproposed solutions to tackle the issue of malicious certificateauthorities, certificate forgery and MITM attacks.
I Letsencrypt: Free, Secure, audited and distribtued CA byCisco, Akamai, UMichigan, EFF and others
I Cloudflare Keyless SSL: Have keys on central HSMs/serversinstead on each frontend.
I Certificate Transparency: distributed consent, monitoring andauditability of certificates and CAs in the wild
I HPKP pins keys to certificates to prevent MITM andcertificate based attacks
https://letsencrypt.org/https://www.cloudflare.com/keyless-sslhttp://www.certificate-transparency.orghttps://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 89/91
Conclusion BetterCrypto.org
I “Trust the Math” (Schneier)I Implementation is still a big issueI Software bugs are a big issueI Protocol design is hard and longsomeI We’re going to see many more attacks on TLSI TLS and Crypto improvements are being constantly worked on
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 90/91
Thanks for your patience. Are there any questions?
Twitter:@a_z_e_t
E-Mail:[email protected]
XMPP:[email protected]
GitHub:https://github.com/azet
GPG Fingerprint:7CB6 197E 385A 02DC 15D8 E223 E4DB 6492 FDB9 B5D5
[I have ECDSA (Brainpool) & EdDSA (Curve25519) subkeys as well.]
FIRST Conference 2015 - Berlin / June Introduction to and survey of TLS SecurityAaron Zauner 91/91