Secure Internet Communication

Transcription

1 Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG

2 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange Algorithms Perfect Forward Secrecy Elliptic Curve Cryptography Encrypted Data Exchange Attacks on Algorithms BEAST CRIME BREACH Padding Oracle Lucky 13 Resume 2

3 Transport Layer Security History Secure Socket Layer (SSL) Developed by Netscape SSL v3.0 published in RFC 6101 in 1996 still widely in use Transport Layer Security (TLS) Defined in RFC 2246 in 1999 as improvement of SSL v3.0 TLS 1.1 defined in RFC 4346 in 2006 TLS 1.2 defined in RFC 5246 in 2008 The backward-compatibility with SSL was defined in RFC 6176 in

4 TLS Orientation 7. Application Layer (HTTP, ) 6. Presentation Layer (MIME, ) 5. Session Layer (TLS/SSL, ) 4. Transport Layer (TCP, UDP, ) 3. Network Layer (IP,..) 2. Data Link Layer (IEEE Ethernet, ) 1. Physical Layer 4

5 TLS Basic Functionality TLS Handshake Negotiation of Cipher Authentication Negotiation of Keys Client TLS Record Authenticated and Encrypted Data Exchange Server 5

6 TLS Key Exchange Most commonly used in TLS RSA algorithm (public-key cryptography) Diffie-Hellman key exchange Problems Long-term confidentiality Prime factorization is not considered future-proof Specialized algorithms Availability of computing power 6

7 TLS Key Exchange II Perfect Forward Secrecy Ensures long-term confidentiality Key cannot be compromised even if private keys compromised in future Elliptic Curve Cryptography Provides better mathematical properties Equivalent protection with lower key lengths Ratio of equivalent key length about 32:1 7

8 TLS Ephemeral Diffie-Hellman A = g^a mod p Server Key Message (A, p, g) B = g^b mod p Prime Number p Primitive Root g Client Key Exchange (B) Secret a S = B^a mod p S = A^b mod p Secret b Ephemeral DH: Secret a and b chosen randomly for every connection 8

9 TLS Elliptic Curve DH A = ag Server Key Message (A, G,curve) B = bg Elliptic curve y^2=x^3 + alpha x + beta Base point G S = abg Secret a Client Key Exchange (B) S = abg Secret b Simplified Key Exchange Protocol 9

10 TLS Elliptic Curve DH Elliptic curve point multiplication A A=B A B=C A C=D A D=E Operation used in ECDH ag = G G G G Graph from 10

11 TLS Elliptic Curve Cryptography III Up to 20x faster than RSA Doubts 130 patents of EC uses owned by BlackBerry Implementations available thought not to infringe patents Dual Elliptic Curve Deterministic Random Bit NIST standardized EC-based random number generator may have backdoor 11

12 TLS Attacks on Encrypted Data Exchange BEAST - Browser Exploit Against SSL/TLS CRIME - Compression Ratio Info-leak Made Easy BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext Padding Oracle Lucky 13 12

13 TLS BEAST attack What is it? Browser Exploit Against SSL/TLS Adaptive chosen plaintext attack with predictable IV Thai and Rizzo showed exploitability in 2011 How does it work? Based on two mechanisms Cipher block chaining mode Initialization vector Passive network eavesdropping Figure from 13

14 TLS BEAST attack II Applicable to reveal the sessions cookie Session cookie transmitted at known offset Block boundaries (e.g. AES 16 bytes) can be controlled Adjusting URL parameters Block containing cookie secret can be moved Contains only 1 unknown byte 14

15 TLS BEAST attack III Original HTTP Client Request: POST / HTTP /1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko / Firefox/ Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2 Accept-Language: en-us,en;q=0.8 (... body of the request...) Example from 15

16 TLS BEAST attack IV Steps of the attack Attacker forces browser to send HTTPS request E(key, request) C1, C2, C3,, Cn Attacker captures encrypted blocks Knows all plaintext bytes except one of e.g. C3 Attacker calculates Pi = guess C2 Cn and appends Pi to the original request Browser calculates E(key, Cn Pi) and attacker checks if Ci == C3 16

17 TLS BEAST attack V Feasibility Eavesdrop traffic e.g. over wireless network Run malicious code in user s browser Bypass browser s same-origin-policy Counter Measures Mitigated in TLS 1.1 and 1.2 If back-compatibility with TLS 1.0 or SSL is required ensure that browser implements countermeasures e.g. 1/n-1 record splitting 17

18 TLS CRIME attack What is it? Compression Ratio Info-leak Made Easy Rizzo and Doung showed exploitability in 2012 How does it work? Brute force attack Exploits data compression properties DEFLATE is the most common used compression in TLS Removes redundancy of repeating symbols Applicable to reveal the sessions cookie 18

19 TLS CRIME attack II Exploits length of encrypted message length(encrypt(compress(header+body))) Original HTTP Client Request: POST / HTTP /1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv :14.0) Gecko / Firefox/ Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2 Accept-Language: en-us,en;q=0.8 (... body of the request...) Example from 19

20 TLS CRIME attack III HTTP request modified by attacker POST / secretcookie=0 HTTP /1.1 Host: example.com User-Agent: Mozilla /5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko / Firefox / Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2 Accept-Language: en-us,en;q=0.8 Example from 20

21 TLS CRIME attack IV Feasibility Affects all browsers and servers supporting TLS compression 42% of servers, 45% of browsers Needs way to execute code in user s browser Counter Measures Disable TLS compression! 21

22 TLS BREACH attack What is it? Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext Demonstrated by Gluck, Harris, Prado in 2013 Application of CRIME attack based on HTTP compression How does it work? Inject controlled information in HTTP requests Eavesdrop HTTP response 22

23 TLS BREACH attack II Modified HTTP request GET /product/?id =12345&user=CSRFtoken=<guess> HTTP /1.1 Host: example.com Server s response <form target=" & user=csrftoken=<guess >" >... <td nowrap id="tderrlgf"> <a href="logoff.aspx?csrftoken=4bd634cda846fd7cb4cb0031ba249ca2"> Log Off</a></td> Example from 23

24 TLS BREACH attack III Feasibility Monitor server responses ARP spoofing Run code in user s browser 3 Requirements Application supports HTTP compression Response reflects user s input Response has sensitive information embedded 24

25 TLS BREACH attack IV Countermeasures Disable HTTP compression Separating secrets from user input Masking secrets Request rate-limiting and monitoring Length hiding Add garbage to the response Proposal for TLS extension in development 25

26 TLS Padding oracle attack Padding oracle attack Chosen cipher text attack Side-channel attack Exploits leaked information about validity of format Server leaks information if padding format is correct Works for Cipher-block chaining (CBC) mode of operation Independent of encryption algorithm and key 26

27 TLS Padding oracle attack II Encryption (Normal operation) Plaintext is split in blocks Last block is padded to fill up block RC5-CBC-PAD algorithm proposes padding: Padded n bytes are filled with the value of n e.g. for n=5 the last bytes are,5,5,5,5,5 Padded plaintext is encrypted Decryption (Normal operation) Cipher text is decrypted Correct format of padding is checked 27

28 TLS Padding oracle attack III Figure from 28

29 TLS Lucky13 What is it? Padding oracle attack Man-in-the middle can recover plaintext from TLS connection When using CBC-mode Exploits timing bug of TLS data decryption How does it work? Message Authentication Code (MAC) is used to provide integrity TLS encrypts block: plaintext + MAC of plaintext + padding Decryption check padding, then checks correct MAC 29

30 TLS Lucky13 II Problem in TLS 1.0 Invalid padding Explicit error returned Made padding oracle attacks possible Fixed in TLS 1.1 Problem in TLS 1.1 Invalid padding Server kills the session to prevent attacks Server s reaction time measureable Padding oracle attacks also work across sessions 30

31 TLS Lucky13 III Current version TLS 1.2 If padding fails, whole message used to calculate MAC Should resolve previous problems But: takes slightly longer! Lucky 13 exploits this subtle time difference 31

32 TLS Lucky13 IV Feasibility Intercept client-server communication, Inject malware to the client Repetition to eliminate noise and network jitter in time measurement Slow attack needs lots of connections to succeed All TLS cipher suites including CBC-mode encryption vulnerable Countermeasures Implement uniform processing time Add random server-side delays 32

33 Resume Use Secure Key Exchange Algorithms in TLS 1.2 Ephemeral Diffie Hellman Ephemeral Elliptic Curve Diffie Hellman Security of Ciphers defined in TLS 1.2 HTTP compression makes any algorithm attackable Try to avoid HTTP compression or take counter measures against BREACH Don t use RC4 as alternative algorithm Full plaintext recovery attack shown by Bernstein et al. in 2013 Use AES Galois/Counter Mode (AES GCM) 33

34 Take-Home Message Yes, we can prevent the Cryptocalypse for the moment Update your Servers Use latest versions of libraries Enable secure algorithms Update your Browser Latest browser version support TLS 1.2 Chrome >= 30, Firefox >= 28, Internet Explorer >= 11 Opera >= 17, Safari >= 5 (ios), >= 7 (Mac OS X) 34

35 Thank You Dr. Gregor Koenig

36 Comic from 36

37 References General 1. P. Bright, Crypto experts issue a call to arms to avert the cryptopocalypse 2. Wikipedia, Transport Layer Security. Key Exchange 1. Wikipedia, Perfect Forward Secrecy 2. N. Sullivan, A primer on elliptic curve cryptography, Ciphers 1. P. Sarkar, S. Fitzgerald,. Attacks on SSL, A comprehensive Study of BEAST, CRIME, TIME, BREACH, LUCK13 & RC4 BIAS, S. Vaudenay, Security Flaws Induced by CBC padding, Applications to SSL, IPSEC, WTLS 3. S. Gueron, AES - GCM for Efficient Authenticated Encryption, D. Goodin, Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages 5. N. AlFardan et al., On the security of RC4 in TLS and WPA, Wikipedia, Galois/Counter Mode 37