Outline Background Past Present Future

TLS: Past, Present, Future

Thyla van der Merwe

Royal Holloway, University of London

2 May 2016

TLS: Past, Present, Future – Thyla van der Merwe 1/ 30

Outline

[Timeline figure: 2011 to 2016, labelled Past / Present / Future]

1 Background (what is TLS?)
2 The Past
3 The Present
  Password recovery attacks against RC4 in TLS
4 The Future


Importance of TLS [KP]

Originally designed for secure e-commerce, now widely used:
  Access to online banking
  Access to Gmail, Facebook, etc.
  Mobile applications, including banking apps

TLS has become the de facto secure protocol of choice
Used by millions (billions?) of devices daily
Analysis is crucial

Highly Simplified View of TLS

[Figure: protocol stack (Application: http over TLS; Transport: tcp; Internet; Data Link) and a client C talking to a server S]

Handshake protocol: negotiate ciphersuite, authenticate entities and establish keys (Ku, Kd) for the record protocol
  Client: hello, let's chat
  Server: okay, let's agree on algorithms, establish keys to communicate securely, and here's some assurance as to my identity

Record protocol: provide confidentiality and authenticity of application data using the keys (Ku, Kd) established in the Handshake protocol
  Client and server: let's exchange application data

The TLS Ecosystem

[Figure: the TLS ecosystem, made up of TLS versions, TLS extensions, DTLS, servers, clients, Certification Authorities (CAs), software vendors, hardware vendors, researchers and standards]

Past

[Timeline figure: 1995, 1996, 1998, 1999, 2002, 2006, 2008, 2009, 2011, 2016]

Started life as SSL, developed by Netscape
SSL 2.0 released in 1995 and SSL 3.0 in 1996
TLS 1.0 released in 1999, TLS 1.1 in 2006 and TLS 1.2 in 2008
Bleichenbacher Attack in 1998, against RSA using PKCS#1
Renegotiation Attack by Ray and Dispensa in 2009, an impersonation attack

[Figure: SSL Pulse survey statistics as of 21 April 2016. Available at: https://www.trustworthyinternet.org/ssl-pulse/]

Present

[Timeline figure: 1995 to 2016, with 2011, 2012, 2013, 2014 and 2015 marked]

BEAST by Duong and Rizzo in 2011
CRIME by Duong and Rizzo in 2012
Lucky Thirteen by Al Fardan and Paterson, and RC4 Attacks by Al Fardan et al. in 2013
Cookie Cutter and Triple Handshake attacks by Bhargavan et al., Heartbleed bug and POODLE by Möller et al. in 2014

Password Recovery Attacks Against RC4 in TLS [GPV15]

Despite work such as On the Security of RC4 in TLS, Al Fardan et al. (USENIX 2013), RC4 usage stood at 35% of TLS connections

[Figure: ICSI Notary statistics, Dec. 2014, http://notary.icsi.berkeley.edu/]

Can we strengthen these attacks?
Passwords are widely used for authentication, and the fact that they are not uniformly distributed may give us a boost
Get RC4 closer to the point where it needs to be abandoned!

RC4

RC4 state: a byte permutation and two indices, i and j

[Figure: RC4 key scheduling and RC4 keystream generation]

RC4 in TLS

[Figure: protocol stack (Application: http over TLS; Transport: tcp; Internet; Data Link), client C and server S]

Handshake protocol:
  ClientHello(…, [RC4, …])
  ServerHello(…, RC4)
  …
  ClientFinished
  ServerFinished
  (36 protected FINISHED bytes; keys Ku, Kd established)

Record protocol (encrypted with RC4, keys Ku and Kd); integrity via HMAC-SHA1
  application data
  Cr = Pr ⊕ Zr

RC4 Biases

[Figure: heat map of RC4 keystream biases, byte value at position 1 [0...255] on the x axis against byte value at position 2 [0...255] on the y axis, colour scale from -1 to 1]

Attack Setting

First described by Mantin and Shamir in 2001
A fixed plaintext, P, is encrypted multiple times under independent RC4 keys, Ki

[Figure: the same P encrypted under keys K1, …, KS]

Plaintext Recovery via Bayesian Analysis

We want to maximize (for a position r in the plaintext stream):

Pr(X = x | C = c)

where X is the random variable corresponding to a plaintext byte, x, and C is the random variable corresponding to a vector of ciphertext bytes, c

Plaintext Recovery via Bayesian Analysis

Using Bayes’ Theorem:

Pr(X = x | C = c) = Pr(C = c | X = x) · Pr(X = x) / Pr(C = c)
                  = Pr(C = c | X = x) · Pr(X = x) / Σ_{x′ ∈ X} Pr(C = c | X = x′) · Pr(X = x′)

Plaintext Recovery via Bayesian Analysis

So we actually want to maximize this:

Pr(C = c | X = x) · Pr(X = x)

However, since Cr = Pr ⊕ Zr, the ciphertext takes the value c given plaintext x exactly when the keystream takes the value z = c ⊕ x, so

Pr(C = c | X = x) = Pr(Z = z)

and it suffices to maximize:

Pr(X = x) · Pr(Z = z)

Plaintext Recovery via Bayesian Analysis

[Figure: the recovery algorithm]
C1, C2, C3, …, CS: encryptions of a fixed byte under different keys; the attacked byte sits at position r
Byte candidate x: XORing x into position r of each ciphertext yields an induced distribution on the keystream byte Zr
Combine with the known keystream distribution
Combine with the a priori plaintext distribution
Result: the a posteriori likelihood of x being the correct byte
Recovery algorithm: compute the most likely byte by considering all byte possibilities
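As an added example (not code from the slides, nor from the GPV15 or ABPPS13 papers), the following Python puts the RC4 slide, the Mantin-Shamir attack setting and the Bayesian estimator above together: a toy RC4 (key scheduling and keystream generation), an empirical check that the second keystream byte is 0 about twice as often as a uniform byte would be, and the single-byte recovery argmax_x Pr(X = x) · Pr(Z = z) in the broadcast setting, with a uniform prior and then with a digit-only prior. Assumptions: the "known distribution" is the Mantin-Shamir approximation Pr(Z_2 = 0) ≈ 1/128 rather than a table estimated from 2^44 or more keys as in the real attacks; the plaintext, the 16-byte keys, the seed and the digit-only prior are constructed for the demonstration; position r = 2 is attacked because its bias is large enough to show the effect with 2^15 encryptions.

```python
# Added example: toy RC4, the Mantin-Shamir bias on Z_2, and the single-byte
# Bayesian estimator  argmax_x Pr(X = x) * prod_i Pr(Z_r = c_i XOR x)
# in the broadcast setting (one fixed plaintext, many independent keys).
import random
from math import log

R = 2  # attacked position r (1-based, as in the slides); Z_2 = 0 with probability ~1/128


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: derive the 256-byte permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 keystream generation: the first n output bytes Z_1 .. Z_n for this key."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Record-protocol view of RC4: C_r = P_r XOR Z_r."""
    return bytes(p ^ z for p, z in zip(plaintext, rc4_keystream(key, len(plaintext))))


def mantin_shamir_model() -> list:
    """Assumed 'known distribution' for Z_2: 1/128 at z = 0, the remaining mass
    spread uniformly.  The real attacks use empirically estimated tables instead."""
    p0 = 1 / 128
    return [p0] + [(1 - p0) / 255] * 255


def recover_byte(ciphertexts, position, prior, z_dist):
    """Single-byte Bayesian estimator from the slides: for each candidate x, the
    induced keystream values c_i XOR x are scored against the known keystream
    distribution and combined with the a priori plaintext distribution.
    Scores are log-likelihoods; a candidate with prior 0 is never chosen."""
    hist = [0] * 256  # how often each ciphertext byte value occurs at the position
    for c in ciphertexts:
        hist[c[position - 1]] += 1
    best, best_score = None, float("-inf")
    for x in range(256):
        if prior[x] == 0.0:
            continue
        score = log(prior[x]) + sum(n * log(z_dist[c ^ x]) for c, n in enumerate(hist) if n)
        if score > best_score:
            best, best_score = x, score
    return best


def run_demo(seed: int = 2016, samples: int = 2 ** 15) -> dict:
    """Constructed experiment: the plaintext b"A7" (secret byte '7' at position 2)
    is encrypted under `samples` independent random 16-byte keys."""
    rng = random.Random(seed)
    plaintext = b"A7"  # constructed; position 2 carries the byte we try to recover
    keys = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(samples)]
    ciphertexts = [rc4_encrypt(k, plaintext) for k in keys]
    # Empirical bias check: Z_2 = C_2 XOR P_2 should be 0 about twice as often as 1/256.
    zeros = sum(1 for c in ciphertexts if c[R - 1] ^ plaintext[R - 1] == 0)
    uniform_prior = [1 / 256] * 256
    digits_prior = [0.0] * 256
    for d in b"0123456789":  # a priori knowledge (constructed): the byte is a decimal digit
        digits_prior[d] = 0.1
    return {
        "z2_zero_rate": zeros / samples,  # expect about 1/128
        "uniform_guess": recover_byte(ciphertexts, R, uniform_prior, mantin_shamir_model()),
        # the non-uniform prior gets by with half the encryptions
        "digits_guess": recover_byte(ciphertexts[: samples // 2], R, digits_prior, mantin_shamir_model()),
    }


if __name__ == "__main__":
    res = run_demo()
    print("Pr(Z_2 = 0) ~", res["z2_zero_rate"], "(a uniform byte gives", 1 / 256, ")")
    print("uniform prior, 2^15 encryptions ->", chr(res["uniform_guess"]))
    print("digit-only prior, 2^14 encryptions ->", chr(res["digits_guess"]))
```

With the Mantin-Shamir model the score of a candidate x reduces to a multiple of how often the ciphertext byte equals x, so the estimator picks the most frequent ciphertext value among the candidates the prior allows; restricting the prior to ten digits is what lets the second run succeed with half the ciphertexts, which is the boost the talk gets from password distributions.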

Attacking Cookies [ABPPS13]

[Figure: the same recovery algorithm applied to a cookie]
C1, C2, C3, …, CS: encryptions of a fixed byte under different keys; the attacked byte sits at position r
Byte candidate x: yields an induced distribution on the keystream byte Zr
Combine with the known keystream distribution
The a priori plaintext distribution is assumed uniform
Result: the a posteriori likelihood of x being the correct byte
Recovery algorithm: compute the most likely byte by considering all byte possibilities; repeat for all bytes of the cookie

✗ 256 positions, 2^34 encryptions, 2000 hrs!

Attacking Passwords

Widely used for authentication on the web, NOT uniformly distributed
RockYou leak of 32 million passwords in 2009, about 14 million unique, 123456 most popular
Have a priori information from leaked datasets
Multiple bytes, not just one...

Attacking Passwords

For n bytes we want to maximize

Pr(X = x) · Pr(Z = z)

where X is the random variable corresponding to a vector of plaintext bytes, x = (x0, x1, . . . , xn−1), and Z is the random variable corresponding to the matrix of keystream bytes

How do we estimate Pr(Z = z)?

Approximations

Pr(Z = z)

Attack 1: assume keystream bytes behave independently – use single-byte probabilities (product distribution)
Attack 2: assume a keystream byte is influenced only by the byte directly adjacent to it – use double- and single-byte probabilities

Approximations

[Figure: the recovery algorithm for passwords]
C1, C2, C3, …, CS: encryptions of a fixed password under different keys, occupying positions r, r+1, …, r+n−1
Password candidate x = (x0, x1, …, xn−1): yields an induced distribution on the keystream bytes Zr, Zr+1, …, Zr+n−1
Combine with the known distribution, which is approximated using the known single-byte distributions
Combine with the a priori password distribution
Result: the a posteriori likelihood of x being the correct password
Recovery algorithm: compute the most likely password from a dictionary of N passwords

What’s different?

n bytes instead of one
T attempts before lockout
dictionary of size N
single-byte vs double-byte estimator
Base64 or ASCII
r starting position
S ciphertexts
guessing attacks

Simulation Results

Use a dictionary built from the RockYou leak dataset to attack the Singles.org dataset
More realistic, but limits our success rate
Default parameters: n = 6, T = 5, S = 2^20, 2^22, . . . , 2^28
Success rate based on 256 experiments

Simulation Results

[Figure: success rate (0 to 1) against starting position (0 to 256) for the single-byte (sb) and double-byte (db) estimators, n = 6, T = 5, S = 2^20, 2^22, 2^24, 2^26, 2^28]

Simulation Results

[Figure: T vs success rate, n = 6, r = 133: recovery rate (0 to 1) against log2(T) (0 to 25) for the double-byte estimator with S = 2^14, 2^16, …, 2^28, compared with optimal guessing]

Practical Validation

Applicable to BasicAuth and IMAP
We need multiple, independent encryptions of the password
We need the password to be encrypted at a favourable position

Practical Validation

[Figure: www.evil.com and www.good.com; the password PW = 123456 is sent over the TLS channel, encrypted at position r = 133]

Resumption latency of 250 ms, 2^26 encryptions, 6 parallel connections: 776 hours (at 100 ms, 312 hours)

[Figure: ICSI Notary statistics, http://notary.icsi.berkeley.edu/]
Jul./Aug. 2015: RC4 at 12.8 %
Mar./Apr. 2016: RC4 at 2.4 %

Present

[Timeline figure: 1995 to 2016]

Password Recovery Attacks Against RC4 in TLS by Garman et al. (OUR WORK)
FREAK by Beurdouche et al., Bar Mitzvah Attack by Mantin, LOGJAM, RC4 attack by Vanhoef and Piessens
Attack by Jager et al., SLOTH and DROWN

Future

[Timeline figure: 1995 to 2016]

See my next talk :-)
Draft 1 of TLS 1.3 released in March 2015, draft 12 released in March 2016
Encrypt as much of the handshake as possible
Re-evaluate the handshake contents - different handshakes, renegotiation handshake removed, resumption done differently
1-RTT for initial handshake, 0-RTT for repeated handshakes, also 0.5-RTT
Update the record protection mechanisms

Takeaways

[Timeline figure: 1998, 2002, 2009, 2011, 2012, 2013, 2014, 2015, 2016]