Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky
|
|
|
- Chastity Hunter
- 6 years ago
- Views:
Transcription
1 Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 1
2 Transport Layer Security The most important crypto protocol HTTP, SMTP, IMAP 2 2
3 Secure Sockets Layer (SSL), SSLv2 SSLv3 Trasnsport Layer Security TLS History Wagner, Schneier: Analysis of SSLv3 Bleichenbacher s attack Padding oracle attack 2005 TLS 1.1 TLS BEAST, CRIME, BREACH, Lucky 13 TLS
4 Questions How can we test these attacks? Can we find such attacks automatically? 5 5
5 Approach [SP2-17] 1. Collect TLS libraries Profit 6 6
![Approach [SP2-17] 1.](/docs-images/71/66121555/images/6-1.jpg "Collect TLS libraries 2. 3.")
6 Approach [SP2-17] 1. Collect TLS libraries Profit 7 7
7 Contributions Flexible TLS framework Fuzzing, testing, writing attacks High impact vulnerability in OpenSSL Additional vulnerabilities in Botan, MatrixSSL 8 8
8 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 9 9
9 TLS RSA Handshake ClientHello ServerHello Certificate ClientKeyExchange ChangeCipherSpec (Client-) Finished ServerHelloDone ChangeCipherSpec (Server-) Finished Application Application 10 10
10 TLS is complex Different versions Crypto primitives: RSA, EC, AES, 3DES, RC4, Chacha, Poly1305, New Hope Extensions Protocol flows 11 11
11 TLS is complex ClientHello Certificate ClientKeyExchange CertificateVerify ChangeCipherSpec (Client-) Finished ServerHello Certificate ServerKeyExchange ServerHelloDone ChangeCipherSpec (Server-) Finished Application Heartbeat Application Heartbeat 12 12
12 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 13
13 Secure Sockets Layer (SSL), SSLv2 SSLv3 TLS History 1995 Wagner, Schneier: Analysis of SSLv3 Bleichenbacher s attack Trasnsport Layer Security 2000 Padding oracle attack TLS 1.1 TLS BEAST, CRIME, BREACH, Lucky 13 TLS
14 Early CCS ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec (Client-) Finished ChangeCipherSpec (Server-) Finished Server computes the master key based on a zero value 15 15
15 Early CCS Man-in-the-Middle attacks Further state machine attacks in 2015: Beurdouche et al.: FREAK de Ruiter and Poll 16 16
16 Heartbleed [TLS Handshake] Server Heartbeat DeepSec Heartbeat DeepSec 17 17
![Heartbleed [TLS Handshake] Server Heartbeat 10 00](/docs-images/71/66121555/images/17-4.jpg "DeepSec Heartbeat 18 10 00 DeepSec. [rsa key]. 18")
17 Heartbleed [TLS Handshake] Server Heartbeat DeepSec Heartbeat DeepSec. [rsa key]. 18
18 Padding oracle attacks Adaptive chosen-ciphertext attacks Ciphertext C = Enc(M) C 1 valid/invalid C 2 valid/invalid M = Dec(C) (repeated several times) AES-CBC: Vaudenay s attack RSA-PKCS#1: Bleichenbacher s attack 20 20
19 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 21
20 Recent Attacks on TLS Not only crypto attacks Attacks on TLS state machines FREAK Early CCS Buffer overflows / overreads Heartbleed CVE (High) -> CVE (Critical) Tool for flexible protocol executions needed 22 22
21 Framework Prerequisites Flexible protocol flow definition Message modifications Invalid behavior detection Protocol flow reproduction ClientHello ClientKeyExchange ClientKeyExchange ChangeCipherSpec (Client-) Finished ServerHello Certificate ServerHelloDone ChangeCipherSpec (Server-) Finished Application Application 23
22 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 24
23 High-Level Overview 25 25
24 Modifiable variables Define basic data types (integer, byte, arrays) with modifications Example: ModifiableInteger i = new ModifiableInteger(); i.setvalue( 30 ); i.setmodification(new AddModification( 20 )); System.out.println(i.getValue()); // 50 Further modifications: xor, shuffle, delete, 26 26
25 Protocol messages ClientHello ClientHelloMessage ciphersuites: ModifiableByteArray ciphersuitelength: ModifiableInteger getciphersuites() getciphersuitelength() Stored in a message list Serializable in XML 27 27
26 Defining a protocol flow <protocolmessages> <ClientHello> <supportedciphersuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> </supportedciphersuites> </ClientHello> <ServerHello/> <Certificate/> <ServerHelloDone/> <RSAClientKeyExchange/> <RSAClientKeyExchange/> <ChangeCipherSpec/> <Finished/> <ChangeCipherSpec/> <Finished/> <Application/> </protocolmessages> 29 29
27 Defining a protocol flow <protocolmessages> <ClientHello> <supportedciphersuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> </supportedciphersuites> </ClientHello> <ServerHello/> <Certificate/> <ServerHelloDone/> <RSAClientKeyExchange/> <ChangeCipherSpec/> <Finished/> <ChangeCipherSpec/> <Finished/> <Heartbeat/> </protocolmessages> <Heartbeat> <payloadlength> <integeraddmodification> </integeraddmodification> </payloadlength> </Heartbeat> 30 30
28 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 32
29 Vulnerability detection How do we detect invalid server behavior? 1. Different TLS alerts Useful by padding oracle attacks 2. Address Sanitizer (ASan) Detects memory errors at runtime Available in recent compilers, e.g. GCC Vulnerability found -> protocol stored in XML 33 33
30 Two-stage concept Currently only server evaluation 1. Crypto Padding oracles, Bleichenbacher attack, invalid curve attacks, POODLE 2. Fuzzing for boundary violations 3 phases 34 34
31 Fuzzing for boundary violations 1. Variable filtering Not all variables suitable 2. Fuzzing with filtered variables ClientHelloMessage ciphersuites ciphersuitelength clientrandom extensions extensionlength. Random modifications (add, delete, xor) Boundary values (-128, -1, 0, 32768, ) 3. Fuzzing with modified protocol flows 35 35
32 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 36
33 Results Padding oracle attack OpenSSL (CVE ) Botan (CVE ) MatrixSSL Bleichenbacher attack MatrixSSL Missing length checks GnuTLS OpenSSL Out-of-bound reads / writes OpenSSL pre1 (stack overflow) Botan (Out-of-bound read) 37 37
34 Padding oracle attack Ciphertext C Decryption failed Valid / Invalid Server Applicable to AES-CBC Challenge: not to reveal padding validity 1. Same error message 2. Constant time padding and HMAC validation 38 38
35 AES-CBC in TLS MAC-Pad-Encrypt Example: Two blocks Message: Hello MAC size: 20 bytes (SHA-1) Padding size: = 7 pad mac H e l l o
36 AES-CBC in TLS Challenge: not to reveal padding validity Always: Padding validation MAC validation Same error message and timing pad mac H e l l o
37 Constant Time Validation pad mac Decrypted data H e l l o Mask data H e l l o
38 Constant Time Validation Decrypted data H e l l o Mask data H e l l o
39 OpenSSL Vulnerability Decrypted data 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F Mask data 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 45 45
40 OpenSSL Vulnerability (CVE ) Introduced by patching Lucky 13 Only when using AES-NI Leads to a different server response C RECORD OVERFLOW / BAD RECORD MAC Can this be even worse? 46 46
41 Yes MatrixSSL Timing attack -> buffer overflow 47 47
42 Overview 1. TLS Protocol 2. Attacks 3. Framework Prerequisites 4. TLS-Attacker Design 5. Fuzzing 6. Results 7. Conclusions 48
43 Conclusions and future work Maintaining a crypto library is hard New code / patches can introduce new flaws Systematic fuzzing and evaluation needed TLS-Attacker For researchers, pentesters For developers Development / fuzzing improvements needed TLS client-side tests Better fuzzing strategies 49 49
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair
Practical Attacks on Implementations
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 1 Recent years revealed many crypto attacks ESORICS 2004, Bard: The Vulnerability of SSL to
Coming of Age: A Longitudinal Study of TLS Deployment
Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,
CSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Web Security Web is now widely used by business, government, and individuals But Internet and Web are
Internet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
Findings for
Findings for 198.51.100.23 Scan started: 2017-07-11 12:30 UTC Scan ended: 2017-07-11 12:39 UTC Overview Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 80/tcp
DROWN - Breaking TLS using SSLv2
DROWN - Breaking TLS using SSLv2 Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper,
IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43
0/43 IPsec and SSL/TLS Applied Cryptography 0 Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, 2016 Cryptography in the TCP/IP stack application layer transport layer network layer data-link
TLS1.2 IS DEAD BE READY FOR TLS1.3
TLS1.2 IS DEAD BE READY FOR TLS1.3 28 March 2017 Enterprise Architecture Technology & Operations Presenter Photo Motaz Alturayef Jubial Cyber Security Conference 70% Privacy and security concerns are
ON THE SECURITY OF TLS RENEGOTIATION
ON THE SECURITY OF TLS RENEGOTIATION 2012/11/02 QUT Douglas Stebila European Network of Excellence in Cryptology II (ECRYPT II) Australian Technology Network German Academic Exchange Service (ATN-DAAD)
SSL/TLS. Pehr Söderman Natsak08/DD2495
SSL/TLS Pehr Söderman Pehrs@kth.se Natsak08/DD2495 1 Historical problems No general purpose security wrapper Kerberos doesn't cut it! Each protocol has it's own security layer SNMP, Ktelnet Or none at
Plaintext-Recovery Attacks Against Datagram TLS
Information Security Group Royal Holloway, University of London 6th Feb 2012 Contents 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6 Results
MTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) University of Tartu Spring 2017 1 / 22 Transport Layer Security TLS is cryptographic protocol that provides communication security over the
32c3. December 28, Nick https://crypto.dance. goto fail;
32c3 December 28, 2015 Nick Sullivan @grittygrease nick@cloudflare.com https://crypto.dance goto fail; a compendium of transport security calamities Broken Key 2 Lock 3 Lock 4 5 6 HTTP HTTPS The S stands
MTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone
Chapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2
Universität Hamburg SSL & Company Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Security in TCP/IP UH, FB Inf, SVS, 18-Okt-04 2 SSL/TLS Overview SSL/TLS provides security at TCP layer. Uses
Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
Authenticated Encryption in TLS
Authenticated Encryption in TLS Same modelling & verification approach concrete security: each lossy step documented by a game and a reduction (or an assumption) on paper Standardized complications - multiple
CS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 6 Week of February 26, 2018 Question 1 TLS threats (10 min) An attacker is trying to attack the company Boogle and its users. Assume that
CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL
CS 393 Network Security Nasir Memon Polytechnic University Module 12 SSL Course Logistics HW 4 due today. HW 5 will be posted later today. Due in a week. Group homework. DoD Scholarships? NSF Scholarships?
Transport Layer Security
CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa
Return Of Bleichenbacher s Oracle Threat (ROBOT)
Return Of Bleichenbacher s Oracle Threat (ROBOT) Hanno Böck, unaffiliated; Juraj Somorovsky, Ruhr University Bochum, Hackmanit GmbH; Craig Young, Tripwire VERT https://www.usenix.org/conference/usenixsecurity18/presentation/bock
CIS 5373 Systems Security
CIS 5373 Systems Security Topic 4.3: Network Security SSL/TLS Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Analysis of the HTTPS Certificate
Securely Deploying TLS 1.3. September 2017
Securely Deploying TLS 1.3 September 2017 Agenda Why TLS 1.3? Zero Round Trip Time (0-RTT) requests Forward secrecy Resumption key management Why TLS 1.3? Speed TLS impacts latency, not thoroughput Protocol
Security Protocols and Infrastructures
Security Protocols and Infrastructures Dr. Michael Schneider michael.schneider@h-da.de Chapter 8: The Transport Layer Security Protocol (TLS) December 4, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Overview
CS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
Overview of TLS v1.3 What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Solution Architect / Principal Design Engineer. On Worldpay ecommerce Payment Gateways. Based in Cambridge, UK.
SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer
SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer
Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption
and secure channel May 17, 2018 1 / 45 1 2 3 4 5 2 / 45 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X
TLS Security and Future
TLS Security and Future Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Fixing issues in practice Trust, Checking certificates and
Security analysis of DTLS 1.2 implementations
Bachelor thesis Computing Science Radboud University Security analysis of DTLS 1.2 implementations Author: Niels van Drueten s4496604 First supervisor/assessor: dr.ir. Joeri de Ruiter joeri@cs.ru.nl Second
One Year of SSL Internet Measurement ACSAC 2012
One Year of SSL Internet Measurement ACSAC 2012 Olivier Levillain, Arnaud Ébalard, Benjamin Morin and Hervé Debar ANSSI / Télécom SudParis December 5th 2012 Outline 1 SSL/TLS: a brief tour 2 Methodology
SSL/TLS: Still Alive? Pascal Junod // HEIG-VD
SSL/TLS: Still Alive? Pascal Junod // HEIG-VD 26-03-2015 Agenda SSL/TLS Protocol Attacks What s next? SSL/TLS Protocol SSL/TLS Protocol Family of cryptographic protocols offering following functionalities:
TLS 1.1 Security fixes and TLS extensions RFC4346
F5 Networks, Inc 2 SSL1 and SSL2 Created by Netscape and contained significant flaws SSL3 Created by Netscape to address SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security
Security Protocols and Infrastructures. Winter Term 2010/2011
Winter Term 2010/2011 Chapter 4: Transport Layer Security Protocol Contents Overview Record Protocol Cipher Suites in TLS 1.2 Handshaking Protocols Final Discussion 2 Contents Overview Record Protocol
Secure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
Overview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
Transport Layer Security
Cryptography and Security in Communication Networks Transport Layer Security ETTI - Master - Advanced Wireless Telecommunications Secure channels Secure data delivery on insecure networks Create a secure
Misuse Patterns for the SSL/TLS Protocol. Ali Alkazimi. A Dissertation Submitted to the Faculty of. College of Engineering & Computer Science
Misuse Patterns for the SSL/TLS Protocol by Ali Alkazimi A Dissertation Submitted to the Faculty of College of Engineering & Computer Science In Partial Fulfillment of the Requirements for the Degree of
Defeating All Man-in-the-Middle Attacks
Defeating All Man-in-the-Middle Attacks PrecisionAccess Vidder, Inc. Defeating All Man-in-the-Middle Attacks 1 Executive Summary The man-in-the-middle attack is a widely used and highly preferred type
Transport Layer Security
Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols
On the (in-)security of JavaScript Object Signing and Encryption. Dennis Detering
On the (in-)security of JavaScript Object Signing and Encryption Dennis Detering 2 Introduction Dennis Detering IT Security Consultant dennis.detering@cspi.com dennis.detering@rub.de @Merenon Christian
Security Protocols and Infrastructures. Winter Term 2015/2016
Winter Term 2015/2016 Nicolas Buchmann (Harald Baier) Chapter 8: Transport Layer Security Protocol Key Questions Application context of TLS? Which security goals shall be achieved? Approaches? 2 Contents
Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: TLS/SSL Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 Outline 1. Diffie-Hellman key exchange (recall from earlier) 2. Key exchange using public-key encryption
Summary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0
PRESENTED BY: History SSL developed by Netscape SSLv1.0 Never released SSLv2.0 1995 SSLv3.0 1996 Moved governance to the IETF and renamed TLS TLSv1.0 1999 TLSv1.1 2006 TLSv1.2 2008 TLSv1.3 2018 TLS 1.3
Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016
Attacks on SSL/TLS Applied Cryptography Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016 Timeline of attacks on SSL/TLS 2/41 SSLstrip 2010 2011 2012 2013 2014 2015 2016 BEAST POODLE
DROWN: Breaking TLS using SSLv2
DROWN: Breaking TLS using SSLv2 Nimrod Aviram, Tel Aviv University; Sebastian Schinzel, Münster University of Applied Sciences; Juraj Somorovsky, Ruhr University Bochum; Nadia Heninger, University of Pennsylvania;
Cryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited
Securing IoT applications with Mbed TLS Hannes Tschofenig Agenda Theory Threats Security services Hands-on with Arm Keil MDK Pre-shared secret-based authentication (covered in webinar #1) TLS Protocol
State of TLS usage current and future. Dave Thompson
State of TLS usage current and future Dave Thompson TLS Client/Server surveys Balancing backward compatibility with security. As new vulnerabilities are discovered, when can we shutdown less secure TLS
Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
DROWN: Breaking TLS using SSLv2
Proceedings of the 25th USENIX Security Symposium, August 2016 https://drownattack.com DROWN: Breaking TLS using SSLv2 Nimrod Aviram 1, Sebastian Schinzel 2, Juraj Somorovsky 3, Nadia Heninger 4, Maik
Overview of TLS v1.3. What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a
Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange
E-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
A messy state of the union:
A messy state of the union: Taming the Composite State Machines of TLS http://smacktls.com Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo
Protecting TLS from Legacy Crypto
Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + many, many others. (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU) Popular cryptographic
TLS 1.2 Protocol Execution Transcript
Appendix C TLS 1.2 Protocol Execution Transcript In Section 2.3, we overviewed a relatively simple protocol execution transcript for SSL 3.0. In this appendix, we do something similar for TLS 1.2. Since
TLS Security Where Do We Stand? Kenny Paterson
TLS Security Where Do We Stand? Kenny Paterson (based on joint work with Nadhem AlFardan, Dan Bernstein, Bertram Poettering, Jacob Schuldt) Information Security Group Outline TLS and the TLS Record Protocol
Verifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
Version: $Revision: 1142 $
Check for SSL Weak Ciphers Application: https Port: 443 ScriptID: 103440 Weak ciphers offered by this service: SSL2_RC4_128_MD5 SSL2_RC4_128_EXPORT40_WITH_MD5 SSL2_RC2_CBC_128_CBC_WITH_MD5 SSL2_RC2_CBC_128_CBC_EXPORT40_WITH_MD5
SSL/TLS Security Assessment of e-vo.ru
SSL/TLS Security Assessment of e-vo.ru Test SSL/TLS implementation of any service on any port for compliance with industry best-practices, NIST guidelines and PCI DSS requirements. The server configuration
Secure Socket Layer. Security Threat Classifications
Secure Socket Layer 1 Security Threat Classifications One way to classify Web security threats in terms of the type of the threat: Passive threats Active threats Another way to classify Web security threats
WAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
Transport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE,
Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel
Security Protocols Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 CSE545 - Advanced Network Security - Professor McDaniel 1 Case Study: Host Access The first systems used telnet
Lecture for February 10, 2016
Lecture for February 10, 2016 ECS 235A UC Davis Matt Bishop February 10, 2016 ECS 235A, Matt Bishop Slide #1 Supporting Crypto All parts of SSL use them Initial phase: public key system exchanges keys
concerto: A Methodology Towards Reproducible Analyses of TLS Datasets
concerto: A Methodology Towards Reproducible Analyses of TLS Datasets Olivier Levillain, Maxence Tury and Nicolas Vivet ANSSI Real World Crypto January 6th 2017 Levillain, Tury, Vivet (ANSSI) concerto
SSL/TLS Server Test of
SSL/TLS Server Test of www.rotenburger-gruene.de Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. WWW.ROTENBURGER-GRUENE.DE
The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University
Chapter 7 WEB Security Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University +91 9426669020 bhargavigoswami@gmail.com Topic List 1. Web Security Considerations 2. Secure Socket Layer
Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics
T-110.5211 Cryptosystems RFC 2246: Transport Layer Security 1.0 IPsec Outline Transport Layer Security (TLS) 1.0 basics TLS 1.0 specification (RFC 2246) walk-through IPSec and (short) comparison of TLS
Was ist neu bei TLS 1.3?
Was ist neu bei TLS 1.3? TSLv1.3 21nd Century Internet Transmission Security Dr. Erwin Hoffmann November, 20th, 2018 1 / 23 Todays Agenda History of TLS and it s cryptographic concepts Working model of
: Practical Cryptographic Systems March 25, Midterm
650.445: Practical Cryptographic Systems March 25, 2010 Instructor: Matthew Green Midterm Name: As with any exam, please do not collaborate or otherwise share information with any other person. You are
SSL/TLS FOR MORTALS.
SSL/TLS FOR MORTALS maartenm@infosupport.com @mthmulders Exception in thread "main" javax.net.ssl.sslhandshakeexception: sun.security.validator.validatorexception: PKIX path building failed: sun at sun.security.ssl.alerts.getsslexception(alerts.java:192)
There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has
1 There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has unpatched buffer-overflow vulnerabilities. New projects should
Auth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography
Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you
Securing IoT applications with Mbed TLS Hannes Tschofenig
Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based
TRANSPORT-LEVEL SECURITY
CHAPTER TRANSPORT-LEVEL SECURITY 5.1 Web Security Considerations Web Security Threats Web Traffic Security Approaches 5.2 Secure Socket Layer and Transport Layer Security SSL Architecture SSL Record Protocol
Institutionen för datavetenskap Department of Computer and Information Science
Institutionen för datavetenskap Department of Computer and Information Science Examensarbete On the security of TLS and IPsec - Mitigation through physical constraints av Erik Reimers LIU-IDA/LITH-EX-G--15/050--SE
Chapter 8 Web Security
Chapter 8 Web Security Web security includes three parts: security of server, security of client, and network traffic security between a browser and a server. Security of server and security of client
Introduction to cryptology (GBIN8U16) Introduction
Introduction to cryptology (GBIN8U16) Introduction Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 24 Introduction 2018 01 24 1/27 First
Chapter 12 Security Protocols of the Transport Layer
Chapter 12 Security Protocols of the Transport Layer Secure Socket Layer (SSL) Transport Layer Security (TLS) Secure Shell (SSH) [NetSec], WS 2009/2010 12.1 Scope of Transport Layer Security Protocols
Information Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
SSL Report: ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > www.workbench.nationaldataservice.org SSL Report: www.workbench.nationaldataservice.org (141.142.210.100) Assessed on:
Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics
T 110.5211 Cryptosystems RFC 2246: Transport Layer Security 1.0 Comparison to IPsec 16.10.2008 Transport Layer Security (TLS) 1.0 basics Kaufman et al: Chapters 18 / 19 Stallings: Chapters 16 / 17.2 T
The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1
The Road to TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com The Road to TLS 1.3 1 Overview How we got to the point of doing TLS 1.3 Overview of TLS 1.3 Interaction with the real world What can we learn? The
Chapter 5. Transport Level Security
Chapter 5 Transport Level Security Bhargavi H Goswami Assistant Professor Sunshine Group of Institutes Rajkot, Gujarat, India. Email: bhargavigoswami@gmail.com Topic List 1. Web Security Considerations
TLS. RFC2246: The TLS Protocol. (c) A. Mariën -
TLS RFC2246: The TLS Protocol What does it achieve? Confidentiality and integrity of the communication Server authentication Eventually: client authentication What is does not do Protect the server Protect
SSL/TLS CONT Lecture 9a
SSL/TLS CONT Lecture 9a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 11, 2017 Source of some slides: University of Twente 2 HANDSHAKE PROTOCOL: KEY EXCHANGE AND AUTHENTICATION
Your Apps and Evolving Network Security Standards
Session System Frameworks #WWDC17 Your Apps and Evolving Network Security Standards 701 Bailey Basile, Secure Transports Engineer Chris Wood, Secure Transports Engineer 2017 Apple Inc. All rights reserved.
SSL/TLS Server Test of grupoconsultorefe.com
SSL/TLS Server Test of grupoconsultorefe.com Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. GRUPOCONSULTOREFE.COM FINAL
Randomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE
Outline 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE 2 Securing Real-time Communications 0 In a real-time protocol, two parties negotiate
Workshop Challenges Startup code in PyCharm Projects
INTRODUCTION TO CRYPTOGRAPHIC ATTACKS EXERCISE LOGISTICS Workshop Challenges Startup code in PyCharm Projects BLOCK CIPHERS Fixed sized input Random looking output for each message and key Block Cipher