SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger

Transcription

1 SSL / TLS Crypto in the Ugly Real World Malvin Gattinger

2 SSL/TLS Figure 1: The General Picture

3 SSL or TLS Goal: Authentication and Encryption Secure Sockets Layer SSL 1 (never released), 2 ( ) and 3 ( ) Transport Layer Security TLS, current version 1.2 from August 2008 still problems, but the best we have for now draft 1.3

4 Cipher Suites because abbreviations are fun!

5 Cipher Suites because abbreviations are fun! What the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA? 1. ECDHE_RSA Elliptic Curve Diffie-Hellman to establish a session key Server authenticates itself with a RSA public key 2. AES_256_CBC symmetric AES encryption is used for the actual data block size is 256 mode of operation is CBC 3. SHA256 hash function used as a MAC Note: What is is used depends on the server and the client. Refusing to use old ciphers will exclude old devices!

6 Trust is global! Question: Alice connects to who uses a certificate signed by authority COOL. Whom does she have to trust?

7 Trust is global! Question: Alice connects to who uses a certificate signed by authority COOL. Whom does she have to trust? Answer: COOL, and all other CAs in her browser!

8 Some entries from my browsers list of CAs: Amazon AS Sertifitseerimiskeskus? China Internet Network Information Center DFN-Verein german universities DigiNotar wait, why are you still here? Equifax, GeoTrust, GlobalSign,... professional CAs GoDaddy hosting company Government Root Certification Authority Taiwan Hongkong Post Staat der Nederlanden Startcom infamous for handing out free certificates TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı Swisscom VISA

9 Which CAs get into browsers and operating systems? Mozilla Bug Add Honest Achmed s root certificate

10 What do CAs actually do? How to verify that someone really is who they claim to be?

11 What do CAs actually do? How to verify that someone really is who they claim to be owns a certain domain?

12 What do CAs actually do? How to verify that someone really is who they claim to be owns a certain domain? Please enter the code we just sent to webmaster@bob.pro. A bit more advanced: Please add a DNS record bob.pro. IN TXT "09AKE903. Please put LA8SOPWAQ231SDJ2KJXOQS1234KDJI12WI at

13 What do CAs actually do? How to verify that someone really is who they claim to be owns a certain domain? Please enter the code we just sent to webmaster@bob.pro. A bit more advanced: Please add a DNS record bob.pro. IN TXT "09AKE903. Please put LA8SOPWAQ231SDJ2KJXOQS1234KDJI12WI at New: ACME protocol, Let s Encrypt fully automated issuance and renewal awesome

14 What do CAs actually do? How to verify that someone really is who they claim to be owns a certain domain? Please enter the code we just sent to webmaster@bob.pro. A bit more advanced: Please add a DNS record bob.pro. IN TXT "09AKE903. Please put LA8SOPWAQ231SDJ2KJXOQS1234KDJI12WI at New: ACME protocol, Let s Encrypt fully automated issuance and renewal awesome Extended Validation (EV) is more expensive for this someone from TÜRKTRUST might actually visit Bob at his office (or at least send a letter there) Example:

15 Why you really have to trust all CAs Nothing stops any CA from signing a certificate for any domain. Question: You are (or have access to the private key of) a trusted CA and want to do an MitM attack between Alice and Can you hide the fact that you are listening in from both of them?

16 Why you really have to trust all CAs Nothing stops any CA from signing a certificate for any domain. Question: You are (or have access to the private key of) a trusted CA and want to do an MitM attack between Alice and Can you hide the fact that you are listening in from both of them? How?

17 But who would do such a thing?

18 But who would do such a thing? TOP SECRETI/SJ//NOFORN Current Efforts- Google (r f E., lro "'3 \.Q. f'n 1\ ~ e.n~ Ser~er TOP SECRETI/SJ/INOFORN

19 Problems and Attacks Things can go wrong in two ways: in the protocol in the implementation Both happen. And happen again. Nowadays attacks come with fancy names and their own websites: BEAST, CRIME, BREACH, POODLE, FREAK, Logjam, Heartbleed, DROWN,... Stay tuned for more.

20 Unencrypted Fallback Problem: If you type and press enter, your browser will first try and it is up to the (MitM-attacker s) server to redirect you to

21 Unencrypted Fallback Problem: If you type and press enter, your browser will first try and it is up to the (MitM-attacker s) server to redirect you to Fix: HTTP Strict Transport Security (HSTS): After the first https connection, remember to never contact this website via plain http.

22 Unencrypted Fallback Problem: If you type and press enter, your browser will first try and it is up to the (MitM-attacker s) server to redirect you to Fix: HTTP Strict Transport Security (HSTS): After the first https connection, remember to never contact this website via plain http. New Problem: This can be used to track and identify users.

23 All CAs are equal Problem: We have to trust lots of CAs even when we already know the CA or public key from previous connections.

24 All CAs are equal Problem: We have to trust lots of CAs even when we already know the CA or public key from previous connections. Fix: Pinning: the CA: Only Türktrust may issue certificates for erdogan.tr. the public key: Only 89:4F:DD:... :8F:84:65 is w4eg.de. When? after the first connection FF Extension Certificate Patrol before any connection via DNS See DANE, currently no browser does this built into the browser Google is doing that now keep a public list of SSL links: HTTPS everywhere by EFF

25 What about revocation? Problem: If a private key gets into the wrong hands, the certificate should not be accepted anymore.

26 What about revocation? Problem: If a private key gets into the wrong hands, the certificate should not be accepted anymore. Fix: Online Certificate Status Protocol (OCSP): The Certificate contains a URL where the browser should ask whether it has been revoked. Most browsers do this, but Chrome disabled it again in 2012.

27 What about revocation? Problem: If a private key gets into the wrong hands, the certificate should not be accepted anymore. Fix: Online Certificate Status Protocol (OCSP): The Certificate contains a URL where the browser should ask whether it has been revoked. Most browsers do this, but Chrome disabled it again in New Problems: If the OCSP server is down, the website becomes unreachable. The OCSP server learns who is visiting the website when etc.

28 Attack Example: Heartbleed CC-BY-NC

29 CC-BY-NC

30 CC-BY-NC

31 Best Practices As a server: read the news use open source software test your servers expect failure follow experts recommendations, e.g. cipherli.st As a client (or product... ): demand strong crypto from your providers There are several online tests which show many details: Good: mijn.overheid.nl Bad: facebook.com Worse:

32 More Worries about the Internet Even if TLS would work perfectly, the Internet is a weird place. Most people can be identified by a combination of IP, User-Agent, Cookies, Local Storage, HSTS, VU UPC Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/ (KHTML, like Gecko) Ubuntu Chromium/ Chrome/ Safari/ Test your own brower at

33