Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016


Slide 2/41: Timeline of attacks on SSL/TLS
Padding Oracle (2002), SSLstrip (2009), BEAST (2011), CRIME (2012), Lucky 13 (2013), BREACH (2013), Royal Holloway RC4 attack (2013), Heartbleed (2014), POODLE (2014), FREAK (2014), Logjam (2015), Bar-mitzvah (2015), NOMORE RC4 (2015).

Slide 3/41: SSLstrip Attack (2009)
Eve wants to read the traffic between Alice and Bob's webserver.
Problem: Bob offers HTTP via TLS.
Solution: make sure Alice uses an unencrypted connection.
People usually start SSL connections in two different ways: by clicking on links that happen to be https, or through HTTP 302 redirects. (Try to enter in your web browser.)
Idea: parse web traffic and strip the "s" from all links to https: https becomes http.

Slide 4/41: SSLstrip Attack (2009)
Watch HTTP traffic go by. Switch <a href="…"> links from https to http and remember what has changed. Switch requests from https to http likewise and remember what has changed.
If we see an HTTP request for a URL that we had stripped, proxy that request as HTTPS. Watch the HTTPS traffic go by; remember relative links, CSS links, JavaScript, ...
The server does not notice any difference. No warning message is displayed to the client; the user needs to look out for the https marks explicitly (and has to know about them). Eve sees all the traffic.

Slide 5/41: SSLstrip Attack (2009)
Countermeasure: HTTP Strict Transport Security (HSTS). The server informs the browser to always use SSL/TLS to the site. This information is stored by the browser for all future connections. It can also be stripped by the attacker; HSTS only works if the first connection was not intercepted. Some browsers ship with a static HSTS list for some sites.
Best countermeasure: carefully check that the site is encrypted when handling sensitive information!
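Added example (not from the slides): a minimal model of a browser's HSTS store that shows the caveat above, namely that HSTS learned from a header only protects later visits if the first visit was not stripped, and that a preloaded entry closes that gap. The host names, the `Browser` class, the two network paths and the preload list are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's built-in (static) HSTS preload list.
PRELOADED = {"preloaded-bank.example"}

def parse_hsts(header: str):
    """Return max-age seconds from a Strict-Transport-Security value, or None if absent."""
    max_age = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('" ').isdigit():
            max_age = int(value.strip('" '))
    return max_age

class Browser:
    def __init__(self, now=0):
        self.now = now
        self.hsts = {}          # host -> expiry time learned from response headers

    def knows_hsts(self, host):
        return host in PRELOADED or self.hsts.get(host, -1) > self.now

    def fetch(self, url, network):
        # network(url) models the path to the server (possibly through Eve) and returns
        # (final_url, response_headers). An http URL is upgraded before it leaves the browser
        # when the host is known to require TLS; nothing on the wire can strip that.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.knows_hsts(parts.hostname):
            url = urlunsplit(("https",) + tuple(parts[1:]))
        final_url, headers = network(url)
        if urlsplit(final_url).scheme == "https":        # HSTS is only honoured over TLS
            max_age = parse_hsts(headers.get("Strict-Transport-Security", ""))
            if max_age is not None:
                self.hsts[urlsplit(final_url).hostname] = self.now + max_age
        return final_url

def honest_network(url):
    # Server redirects http -> https and sets HSTS on the TLS response.
    if url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    return url, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

def sslstrip_network(url):
    # Eve in the path: a plain-http request is answered with a plain-http page, redirect and
    # HSTS header removed. A request the browser already sends over TLS passes her untouched.
    if url.startswith("https://"):
        return url, {"Strict-Transport-Security": "max-age=31536000"}
    return url, {}
```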

Slide 6/41: BEAST Attack (2011)
Recall the CBC mode of operation: [figure: CBC encryption; each plaintext block is XORed with the previous ciphertext block (the IV for the first block) and then encrypted with the block cipher under the key.]
Slide 7/41: BEAST Attack (2011)
[Figure: a guessed value for Plaintext 1 is fed in as the next block after Ciphertext 2 and encrypted to Ciphertext 3. In the second panel the guess is first XORed with Ciphertext 2 and with Ciphertext 0, so that the block cipher output equals Ciphertext 1 exactly when the guess was right.]

Slide 8/41: BEAST Attack (2011)
Idea: de-randomize the encryption to verify a guess.
Target: E(k, P_2 ⊕ C_1) = C_2.
Use guess X for P_2. Insert X after the i-th ciphertext block C_i: C_{i+1} = E(k, X ⊕ C_i).
Even for a correct guess, C_{i+1} ≠ C_2 (wrong chaining value)!
Fix the chaining value:
Step 1: X' = X ⊕ C_i (remove the wrong chaining value).
Step 2: X' = X' ⊕ C_1 (add the correct chaining value).
C_{i+1} = E(k, X' ⊕ C_i) = E(k, X ⊕ C_i ⊕ C_1 ⊕ C_i) = E(k, X ⊕ C_1).
For X == P_2 we now get C_{i+1} == C_2!

Slide 9/41: BEAST Attack (2011)
BEAST: Browser Exploit Against SSL/TLS. The attacker must be able to force the client to send chosen data. There have been proof-of-concepts using cross-site scripting to steal session cookies (byte by byte). Do we need to worry about information leaking when the attacker can modify or inject data on the client side?
Countermeasures: for TLS 1.0, send an empty record ahead of each record. TLS 1.1 and newer are not affected by this attack because each record has a fresh IV that is sent in plain text.

Slide 10/41: CRIME (2012) and BREACH (2013) Attacks
CRIME: Compression Ratio Info-leak Made Easy. Some parts of the plaintext are VERY predictable. Session cookies can be found at well-defined spots:
GET index.html HTTP/1.1
Host: thebankserver.com
(...)
Cookie: secret=7xc89f+94/wa
(...)
Try to send data from the client in the TLS context and see how this affects the ciphertext; guess the session cookie character by character.

Slide 11/41: CRIME (2012) and BREACH (2013) Attacks
CRIME attack: exploit SSL/TLS compression. Iteratively increase the guessed secret value:
GET index.html HTTP/1.1
Host: thebankserver.com
(...)
Cookie: secret=7xc89f+94/wa
(...)
Cookie: secret=0xxx, then secret=1xxx, secret=2xxx, ..., secret=7xxx, then secret=70xx, ...
E.g., with DEFLATE compression, the second occurrence of "secret=" is encoded as a back reference. Once the correct 1st digit has been reached, the compressed plaintext and thus the ciphertext will be shorter. Continue with the next digit.

Slide 12/41: CRIME (2012) and BREACH (2013) Attacks
Countermeasures for the CRIME attack: disable TLS compression (on client or server). Prevent the attacker from sending data in the user's context (prevent cross-site request forgery). There will be no compression in TLS 1.3.

Slide 13/41: CRIME (2012) and BREACH (2013) Attacks
BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. The same attack works on HTTP content when HTTP compression is used. It will still work with TLS 1.3!
Countermeasures for the BREACH attack: disable HTTP compression (on client or server). Prevent the attacker from sending data in the user's context (prevent cross-site request forgery). Disable HTTP compression on cross-site requests.
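Added example (not part of the slides): the compression length oracle behind CRIME, reproduced locally with zlib on a constructed request. It also shows two things the slide does not: a wrong guess can tie with the right one in byte length (so a real attack has to disambiguate, e.g. by padding and retrying), and with compression disabled every guess has the same length, which is why the countermeasure works. The request template, cookie value and guess alphabet are constructed.

```python
import zlib

# Constructed request as the record layer sees it; the cookie value is the secret.
SECRET = "7xc89f+94/wa"
REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: thebankserver.com\r\n"
    "Cookie: secret=" + SECRET + "\r\n"
    "\r\n"
)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz+/"

def record_length(attacker_part: str, compress: bool = True) -> int:
    # What the attacker observes: the ciphertext length, i.e. the (optionally compressed)
    # plaintext length plus a constant overhead, taken as 0 here. attacker_part models data
    # the attacker made the browser send inside the same TLS connection.
    plaintext = (REQUEST + attacker_part).encode()
    return len(zlib.compress(plaintext)) if compress else len(plaintext)

def shortest_candidates(known: str, compress: bool = True) -> set:
    # Each guess appends "Cookie: secret=<known><g>". The guess that extends the DEFLATE
    # back reference to the real cookie by one byte replaces a literal, so the true next
    # byte is always among the shortest records; other guesses may tie in whole bytes.
    lengths = {g: record_length("Cookie: secret=" + known + g, compress) for g in ALPHABET}
    best = min(lengths.values())
    return {g for g, n in lengths.items() if n == best}

def recover_secret(max_len: int, compress: bool = True):
    """Extend the known prefix while the shortest guess is unique.
    Returns (recovered_prefix, remaining_candidates); the set is empty if max_len was reached."""
    known = ""
    while len(known) < max_len:
        cands = shortest_candidates(known, compress)
        if len(cands) != 1:
            return known, cands      # tie: the oracle is noisy, stop rather than guess
        known += cands.pop()
    return known, set()
```

Every byte recovered by `recover_secret` is correct, because the true byte is always in the candidate set and the loop only accepts a set of size one.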

Slide 14/41: Padding Oracle Attack (2002)
TLS prior to version 1.1 was susceptible to a padding oracle attack. Before encrypting with AES-CBC, the data followed by the MAC tag needs to be padded to the AES block size (16 bytes). The padding sets each byte in the pad to the pad length, i.e., the padding has a specific format.
At the server side, on receipt of an encrypted record: decrypt the record with the client encryption key; check the pad format, and if it is not valid return a decryption_failed alert; if the pad format is okay, check the MAC on the fragment, and if it does not verify return a bad_record_mac alert. This introduced two different types of errors that an attacker can distinguish.

Slide 15/41: Padding Oracle Attack (2002)
Padding oracle: the attacker submits ciphertexts of choice and learns whether the last bytes of the plaintext are a valid pad; if not valid, the server returns decryption_failed, if valid, the server returns bad_record_mac. This gives rise to a chosen-ciphertext attack!

Slide 16/41: Padding oracle attack on CBC encryption
CBC mode encryption: C_0 = IV, C_i = E_K(C_{i-1} ⊕ M_i).
CBC mode decryption: C_0 = IV, M_i = D_K(C_i) ⊕ C_{i-1}.
Suppose an attacker wants to find M_2 from the ciphertext (C_0, C_1, C_2, ...): M_2 = D_K(C_2) ⊕ C_1.
Guess the last byte of M_2 to be g, compute C'_1 = C_1 ⊕ g (g XORed into the last byte), submit C' = (C'_1, C_2) to the server and wait for the response.
If g is the last byte of M_2, the decryption of C' will have a valid pad; if not, the pad will not be valid. Try all 256 possible bytes for g until the correct one g_0 is found.
Go on with the next byte using C'_1 = C_1 ⊕ g_0 ⊕ g (g_0 fixed in the last byte, the new guess g in the byte before it).

Slide 17/41: Padding oracle attack on CBC encryption
[Figure: CBC decryption of two ciphertext blocks (IV, key, block cipher decryption, plaintext). The last byte of the first ciphertext block is XORed with g ⊕ 01 so that the last plaintext byte of the second block decrypts to 01; then the last two bytes are XORed with g ⊕ 02 and g_0 ⊕ 02 so that they decrypt to the pad 02 02.]

Slide 18/41: Padding oracle attack on CBC encryption
For AES we can find one plaintext block with at most 16 · 256 chosen-ciphertext queries to the padding oracle (256 guesses per byte, 16 bytes per block). More complicated in practice: in case of an invalid record, the session is terminated and new keys need to be negotiated. Still a valid attack if the same message is encrypted in various sessions. Example: IMAP over TLS: every few minutes the client sends username and password to log in. Compute the password within a few hours.
Slide 19/41: Padding oracle attack on CBC encryption
Solutions: make the alert message and the timing the same in both cases. RFCs: always perform a MAC check as if zero-length padding were applied. Encrypt-then-MAC avoids the problem because a change is detected before decryption. MAC-then-CBC is authenticated encryption, but the padding oracle destroys it.
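Added example (not from the slides) covering both the BEAST guess verification of slide 8 and the padding oracle of slides 16 to 19 on one toy CBC implementation. The block cipher is an 8-round Feistel permutation built from SHA-256 standing in for AES (an assumption made so the example runs with the standard library only); the record format (MAC-then-pad-then-encrypt, TLS-style padding), the `Tls10Sender` chaining model, the keys and the messages are constructed. The `distinct_alerts=False` switch shows the slide-19 fix: with one uniform alert the byte-recovery loop gets no signal and gives up.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(k: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function with an 8-byte output.
    return hashlib.sha256(k + bytes([i]) + half).digest()[:8]

def encrypt_block(k: bytes, block: bytes) -> bytes:
    # Toy stand-in for AES: an 8-round Feistel permutation of 16-byte blocks.
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _f(k, i, r))
    return l + r

def decrypt_block(k: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(k, i, l)), l
    return l + r

def cbc_decrypt(k: bytes, iv: bytes, cts: list) -> bytes:
    # M_i = D_K(C_i) xor C_{i-1}, with C_0 = IV.
    out, prev = b"", iv
    for c in cts:
        out += xor(decrypt_block(k, c), prev)
        prev = c
    return out

class Tls10Sender:
    """CBC sender that, like TLS 1.0, uses the last ciphertext block as the next IV."""
    def __init__(self, k: bytes, iv: bytes):
        self.k, self.prev = k, iv

    def send_block(self, m: bytes) -> bytes:
        self.prev = encrypt_block(self.k, xor(self.prev, m))
        return self.prev

def beast_guess_is_right(sender: Tls10Sender, x: bytes, c1: bytes, c2: bytes) -> bool:
    # The client is made to send X' = X xor C_i xor C_1 next. The record layer chains it
    # with C_i, so the new block is E(k, X xor C_1), which equals C_2 iff X == P_2.
    c_i = sender.prev
    return sender.send_block(xor(xor(x, c_i), c1)) == c2

# ---- Padding oracle: MAC-then-pad-then-CBC-encrypt with TLS-style padding ----
def tls_pad(data: bytes) -> bytes:
    n = (-(len(data) + 1)) % BLOCK        # number of padding bytes, excluding the length byte
    return data + bytes([n]) * (n + 1)    # every pad byte and the length byte equal n

def pad_ok(pt: bytes) -> bool:
    n = pt[-1]
    return len(pt) > n and all(b == n for b in pt[-(n + 1):])

def make_record(k: bytes, mk: bytes, iv: bytes, msg: bytes) -> list:
    pt = tls_pad(msg + hmac.new(mk, msg, hashlib.sha256).digest())
    cts, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(k, xor(prev, pt[i:i + BLOCK]))
        cts.append(prev)
    return cts

def server(k: bytes, mk: bytes, iv: bytes, cts: list, distinct_alerts: bool = True) -> str:
    pt = cbc_decrypt(k, iv, cts)
    if not pad_ok(pt):
        # Vulnerable behaviour: a dedicated alert for bad padding. Fixed behaviour: the same
        # alert as for a MAC failure (check the MAC as if the pad had zero length).
        return "decryption_failed" if distinct_alerts else "bad_record_mac"
    body = pt[:len(pt) - pt[-1] - 1]
    tag = hmac.new(mk, body[:-32], hashlib.sha256).digest()
    if len(body) < 32 or not hmac.compare_digest(body[-32:], tag):
        return "bad_record_mac"
    return "ok"

def recover_block(oracle, c_prev: bytes, c_target: bytes):
    """Recover M = D_K(c_target) xor c_prev byte by byte from the oracle's alerts alone.
    Byte i is attacked with pad length n = 15 - i; already known bytes are forced to n."""
    known = b""
    for i in range(BLOCK - 1, -1, -1):
        n = BLOCK - 1 - i
        hits = []
        for g in range(256):
            forged = bytearray(c_prev)
            forged[i] ^= g ^ n
            for j, m in enumerate(known, start=i + 1):
                forged[j] ^= m ^ n
            if oracle([bytes(forged), c_target]) != "decryption_failed":
                hits.append(g)
        if len(hits) != 1:    # no distinguishing signal (e.g. uniform alerts): give up
            return None
        known = bytes(hits) + known
    return known
```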

Slide 20/41: Lucky 13 Attack (2013)
Side-channel attack: the Lucky 13 attack is a variant of the padding oracle attack, using the timing difference in the MAC computation as a side channel. The TLS 1.1 and 1.2 RFCs recommend checking the MAC as if there was a zero-length pad: "This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal."
It turns out that the small timing difference actually can be exploited!

Slide 21/41: Lucky 13 Attack (2013)
Countermeasures:
Add random time delays to CBC-mode decryption processing. Ineffective, the attacker just needs more samples!
Switch to using RC4 cipher suites. RC4 is vulnerable!
Modify TLS's CBC-mode decryption procedure so as to remove the timing side channel. See "Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS", Albrecht and Paterson, Nov. 18, 2015.
Switch to using authenticated encryption, such as AES-GCM. TLS 1.3 uses authenticated encryption only.

Slide 22/41: POODLE Attack (2014)
POODLE: Padding Oracle On Downgraded Legacy Encryption. The client requests TLS 1.2. Eve lets the handshake fail (e.g., with an Alert message). The correct behaviour of the server would be to respond with an older SSL/TLS version so that the handshake finishes properly and the transcript can be verified by both sides. To work with broken servers, some clients just try again after the aborted handshake using a lower (less secure) SSL/TLS version. Eve is able to use the padding oracle attack and wins.

Slide 23/41: POODLE Attack (2014)
Countermeasure: TLS Fallback Signaling Cipher Suite Value (SCSV). When the client tries to connect again, it adds TLS_FALLBACK_SCSV (0x56, 0x00) to its list of supported cipher suites. When the server sees TLS_FALLBACK_SCSV, it is supposed to check whether it actually would have supported the (higher) TLS version.
Best countermeasure: do not implement insecure cipher suites, either as server or as client! Do not trade security and standards compliance for interoperability!
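Added example (not part of the slides): a model of the fallback dance and of the server-side TLS_FALLBACK_SCSV check described above, run once over an honest path and once with Eve breaking every handshake above TLS 1.0. The version tuples, the single constructed cipher suite and the two network functions are assumptions made for the example.

```python
TLS_FALLBACK_SCSV = (0x56, 0x00)
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

def server_hello(client_version, cipher_suites, server_max=TLS12):
    """Server side of the SCSV check: a retry at a version below what the server
    supports anyway means the earlier, better handshake was broken by someone."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", "inappropriate_fallback")
    return ("server_hello", min(client_version, server_max))

def client_connect(network, versions=(TLS12, TLS11, TLS10), send_scsv=True):
    """Fallback dance: try the highest version first, retry lower ones on failure.
    Returns the negotiated version, or None if no handshake completed."""
    for attempt, version in enumerate(versions):
        suites = [(0x00, 0x2F)]                  # constructed: one ordinary cipher suite
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)      # "this is a retry, not my best offer"
        reply = network(version, suites)
        if reply is None:
            continue                             # handshake broke off: fall back
        kind, value = reply
        return None if kind == "alert" else value
    return None

def honest_path(version, suites):
    return server_hello(version, suites)

def eve_path(version, suites):
    # Eve breaks every handshake above TLS 1.0 (e.g. with a spurious alert) so that the
    # client retries with a legacy version whose CBC padding can be attacked.
    if version > TLS10:
        return None
    return server_hello(version, suites)
```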

Slide 24/41: RC4 Attacks
Roos' biases (1995): the first byte of the keystream is correlated to the first three bytes of the key. This gives a square-root speedup to brute-force key recovery, e.g., O(2^64) for 128-bit keys.
Biased outputs of RC4 (2001): the second output byte of the keystream is biased toward zero with probability 1/128. The 2nd byte tends to be plaintext! The XOR of the 1st and 2nd outputs of RC4 is also non-uniform.
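Added example (not from the slides): a textbook RC4 implementation plus a measurement of the second-byte bias named above, so the "1/128" figure can be checked empirically against the 1/256 a uniform keystream would give. The key size, trial count and seed are choices made for the example.

```python
import random

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm, then n bytes of keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def zero_rate(position: int, trials: int, seed: int = 1) -> float:
    """Fraction of random 128-bit keys whose keystream byte at `position` is zero.
    A uniform keystream gives 1/256; RC4's second byte (position 1) gives about 2/256,
    which is why a plaintext byte encrypted there leaks with that probability."""
    rng = random.Random(seed)        # fixed seed: the measurement is reproducible
    zeros = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")
        if rc4_keystream(key, position + 1)[position] == 0:
            zeros += 1
    return zeros / trials
```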

Slide 25/41: RC4 Attacks
Fluhrer, Mantin and Shamir attack (2001): RC4 is like a pseudo-random number generator, generating a keystream from a secret key. RC4 requires a nonce if a long-term key is used. If the nonce and the long-term key are simply concatenated, the long-term key can be discovered. SSL/TLS uses different keys for each session, but this is a problem for WEP; the attack requires 10 million messages.
Klein's attack (2005): exploits more correlations between the RC4 keystream and the key. Breaks 128-bit WEP in under a minute; requires 40,000 frames for 50% success probability, 85,000 frames for 95% probability.

Slide 26/41: RC4 Attacks
Royal Holloway attack (2013): an extensive study revealed even more correlations in the keystream. Requires 2^28 to 2^32 TLS connections for reliable recovery. Only the first 220 bytes of application data can be targeted.
Countermeasures: discard initial keystream bytes. Add random-length padding to records. Limit the lifetime of cookies or the number of times cookies can be sent. Stop using RC4 in TLS.

Slide 27/41: RC4 Attacks
Bar-mitzvah attack (2015): makes use of the 13-year-old attack by Fluhrer, Mantin and Shamir. Some keys are particularly weak when used with RC4. The attack reveals several hundred bytes at the beginning of the plaintext if a weak key is used.
Countermeasures: discard even more initial keystream bytes. Seriously, stop using RC4 in TLS!

Slide 28/41: RC4 Attacks
NOMORE RC4 attack (2015): Numerous Occurrence MOnitoring & Recovery Exploit. Exploits even more biases, including long-term biases. Exploits Mantin's ABSAB bias: a byte pair (A, B) likely reappears after a short gap S, giving the pattern A B S A B. With 94% probability, the attack can be performed using encryptions collected over 75 hours.
Countermeasures: NOMORE RC4 in TLS!

Slide 29/41: RC4 Attacks
How about the NSA? The biases have been known to the NSA, and the NSA has the resources to conduct research of its own. Large computing power allows finding even more biases. Chances are the NSA can do better than public research. There are hints in the Snowden leaks that the NSA can decrypt some SSL/TLS traffic when RC4 is used.

Slide 30/41: FREAK Attack (2014)
FREAK: Factoring RSA Export Keys. There are weak EXPORT ciphers due to export restrictions on cryptography in the United States in the 1990s (in the meantime loosened due to Bernstein v. United States). Nowadays, these EXPORT ciphers can be broken with small effort, e.g., RSA-512 (cost: 100 USD on Amazon Cloud Services). Privacy is at risk when EXPORT ciphers are used!

Slide 31/41: FREAK Attack (2014)
How to convince client and server to use EXPORT ciphers? The hash of the transcript in the Finished message should prevent a MitM from downgrading to insecure ciphers. "Some modern TLS clients including Apple's SecureTransport and OpenSSL have a bug in them. This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA." (Matthew Green)

Slide 32/41: FREAK Attack (2014)
RSA key-exchange handshake (transcription of the message-flow figure):
Client → Server: cr, [..., RSA, ...]
Server → Client: sr, RSA; cert_s, sign(sk_s, [cr ∥ sr ∥ pk])
Client → Server: rsaenc_pk(pms)
Both sides: (ms, k_1, k_2) = kdf(pms, cr ∥ sr)
Client → Server: finished(ms, log_C); the server checks log_C
Server → Client: finished(ms, log_S); the client checks log_S
Client → Server: enc(k_1, Data); Server → Client: enc(k_2, Data)

The same handshake with a MitM (transcription of the figure):
Client → MitM: cr, [..., RSA, ...]; MitM → Server: cr, [RSA_EXPORT]
Server → MitM: sr, RSA_EXPORT; MitM → Client: sr, RSA
Server → MitM → Client: cert_s, sign(sk_s, [cr ∥ sr ∥ pk_512])
Client → Server: rsaenc_pk512(pms)
MitM: s_512 = factor(pk_512), decrypts pms and computes (ms, k_1, k_2) = kdf(pms, cr ∥ sr)
Client and Server: (ms, k_1, k_2) = kdf(pms, cr ∥ sr)
Client → Server: finished(ms, log_C); the server checks log_C
Server → Client: finished(ms, log_S); the client checks log_S
Client → Server: enc(k_1, Data); Server → Client: enc(k_2, Data); both readable by the MitM

103 FREAK Attack (2014) 33/41

The MitM attack:
1. In the client's Hello message, it asks for a standard RSA ciphersuite.
2. The MitM attacker changes this message to ask for export RSA.
3. The server responds with a 512-bit export RSA key, signed with its long-term key; the MitM forwards the ServerKeyExchange message.
4. The client accepts the unexpected ServerKeyExchange message due to an implementation bug and uses the weak key.
5. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
6. When the client encrypts the pre-master secret to the server, the attacker can now decrypt it to recover the TLS master secret.
7. From here on out, the attacker can decrypt (recorded) ciphertext.

104 FREAK Attack (2014) 34/41

Countermeasures:
  Do not offer, do not even implement EXPORT ciphers (neither client nor server).
  Do not have bugs in SSL/TLS implementations (pretty please).
  Still a problem for TLS False Start.

Is that enough?

106 Logjam Attack (2015) 35/41

Honest DHE handshake:

Client                                                         Server
  cr, [..., DHE, ...]                  -------------------->
                                       <--------------------  sr, DHE
                                       <--------------------  cert_s, sign(sk_s, [cr sr p g g^b])
  g^a                                  -------------------->
  (ms, k1, k2) = kdf(g^ab, cr sr)                              (ms, k1, k2) = kdf(g^ab, cr sr)
  finished(ms, log_C)                  -------------------->
                                       <--------------------  finished(ms, log_S)
  enc(k1, Data)                        -------------------->
                                       <--------------------  enc(k2, Data)

114 Logjam Attack (2015) 35/41

The same handshake with a MitM downgrading to DHE_EXPORT:

Client                               MitM                                    Server
  cr, [..., DHE, ...]       ------>
                                     cr, [DHE_EXPORT]               ------>
                           <------   sr, DHE                        <------  sr, DHE_EXPORT
                           <------   cert_s, sign(sk_s, [cr sr p_512 g g^b])  <------
  g^a                      ---------------------------------------------->
  (ms, k1, k2) = kdf(g^ab, cr sr)    b = dlog(g^b mod p_512)                 (ms, k1, k2) = kdf(g^ab, cr sr)
                                     (ms, k1, k2) = kdf(g^ab, cr sr)
  finished(ms, log_C)      ---------------------------------------------->
                           <----------------------------------------------  finished(ms, log_S)
  enc(k1, Data)            ---------------------------------------------->
                           <----------------------------------------------  enc(k2, Data)

122 Logjam Attack (2015) 36/41

How to break 512-bit DH in real time? Millions of servers all use the same prime numbers for Diffie-Hellman key exchange. However, the first step in the number field sieve, the most efficient algorithm for breaking a Diffie-Hellman connection, depends only on this prime. After this first step, an attacker can quickly break individual connections. Using precomputation for the most common 512-bit prime, the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. An academic team can break a 768-bit prime; a nation-state can probably break a 1024-bit prime.

123 Logjam Attack (2015) 37/41

Countermeasures:
  Do not offer EXPORT ciphers on servers.
  Sanity-check the presented DH parameters; reject weak parameters.
  Do not use the standard primes; use individual primes.
  Use large primes, i.e., 2048-bit or larger primes.
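Added example, not code from the slides or from any TLS library: the client-side rejection logic that the FREAK step list (a ServerKeyExchange for a static-RSA suite must be refused) and the Logjam countermeasures above (reject weak DH groups) call for. The suite names, the DHParams layout and MIN_DH_BITS are assumptions made for this example; the checks themselves are the ones the slides name.

```python
"""Client-side checks on a TLS 1.2 ServerKeyExchange (added example).

FREAK worked because a buggy client accepted a ServerKeyExchange for a
suite that never uses one; Logjam worked because clients accepted 512-bit
DH groups. Both are rejected here before any key material is derived.
"""
import random
from dataclasses import dataclass
from typing import Optional

MIN_DH_BITS = 2048  # slide countermeasure: 2048-bit or larger primes

# Hypothetical suite names: only ephemeral suites carry a ServerKeyExchange.
SUITES_WITH_SKE = {"DHE_RSA_AES128_GCM", "DHE_RSA_AES256_CBC"}
EXPORT_SUITES = {"RSA_EXPORT", "DHE_EXPORT"}


@dataclass
class DHParams:
    p: int   # prime modulus from the ServerKeyExchange
    g: int   # generator
    ys: int  # server public value g^b mod p


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin; fixed seed keeps
    the random bases reproducible."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for q in small:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:           # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    rng = random.Random(0)
    for i in range(rounds):
        a = small[i] if i < len(small) else rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # a is a witness that n is composite
    return True


def check_dh_params(dh: DHParams, min_bits: int = MIN_DH_BITS) -> Optional[str]:
    """Return None if the group is acceptable, otherwise the reason to abort."""
    if dh.p.bit_length() < min_bits:
        return "DH prime too small: %d bits" % dh.p.bit_length()
    if not is_probable_prime(dh.p):
        return "DH modulus is not prime"
    q = (dh.p - 1) // 2                      # safe prime: p = 2q + 1 with q prime
    if not is_probable_prime(q):
        return "DH modulus is not a safe prime"
    if not 1 < dh.g < dh.p - 1:
        return "DH generator out of range"
    if not 1 < dh.ys < dh.p - 1:             # excludes the order-1 and order-2 elements
        return "server DH public value out of range"
    return None


def validate_server_key_exchange(negotiated_suite: str, dh: DHParams,
                                 min_bits: int = MIN_DH_BITS) -> Optional[str]:
    """Decide whether a received ServerKeyExchange may be used at all."""
    if negotiated_suite in EXPORT_SUITES:
        return "export suite negotiated: must not be offered or accepted"
    if negotiated_suite not in SUITES_WITH_SKE:
        # FREAK: a static-RSA suite has no ServerKeyExchange, so one arriving
        # anyway is a protocol violation, not something to fall back on.
        return "unexpected ServerKeyExchange for suite " + negotiated_suite
    return check_dh_params(dh, min_bits)


if __name__ == "__main__":
    toy = DHParams(p=23, g=5, ys=8)          # 23 = 2*11 + 1: a tiny safe prime
    print(validate_server_key_exchange("RSA_AES128_CBC", toy, min_bits=5))
    print(validate_server_key_exchange("DHE_RSA_AES128_GCM", toy, min_bits=5))
    print(validate_server_key_exchange("DHE_RSA_AES128_GCM", toy))  # rejected: too small
```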

124 OpenSSL Heartbleed Bug (2014) 38/41

Bug in the implementation of the Heartbeat Extension (RFC 6520):

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

[...] When a HeartbeatRequest message is received [...], the receiver MUST send a corresponding HeartbeatResponse message carrying an exact copy of the payload of the received HeartbeatRequest.

OpenSSL failed to check the actual length of the payload data: payload_length was taken from the message without checking it against the length of the record actually received.
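Added example, not OpenSSL's code: a toy model of the handler described above, with process memory as one bytearray so the over-read is visible. The record sits directly in front of constructed neighbouring data; the fixed handler applies the RFC 6520 rule that a request whose payload_length does not fit in the record is silently discarded.

```python
"""HeartbeatRequest handling with and without the payload_length check
(added example; the memory layout and the neighbouring data are constructed).
"""
import os
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2      # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16        # RFC 6520: padding MUST be at least 16 bytes

# Constructed data that happens to follow the record in process memory.
NEIGHBOUR_SECRET = b"cookie=SESSION-0123456789abcdef (constructed)"


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Encode a HeartbeatRequest; claimed_length goes on the wire as
    payload_length. An honest sender passes len(payload)."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + bytes(MIN_PADDING))


def vulnerable_handler(memory: bytearray, start: int, record_len: int) -> Optional[bytes]:
    """Pre-fix behaviour: copies payload_length bytes from where the payload
    begins, never asking whether they lie inside the received record."""
    hb_type, payload_length = struct.unpack_from("!BH", memory, start)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload_start = start + HEADER_LEN
    payload = bytes(memory[payload_start:payload_start + payload_length])  # over-read
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length)
            + payload + os.urandom(MIN_PADDING))


def fixed_handler(memory: bytearray, start: int, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: header, payload and padding must all fit in the record."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None                       # too short to carry even an empty payload
    hb_type, payload_length = struct.unpack_from("!BH", memory, start)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_len:
        return None                       # RFC 6520: discard silently
    payload_start = start + HEADER_LEN
    payload = bytes(memory[payload_start:payload_start + payload_length])
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length)
            + payload + os.urandom(MIN_PADDING))


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a HeartbeatResponse."""
    _, payload_length = struct.unpack_from("!BH", response, 0)
    return response[HEADER_LEN:HEADER_LEN + payload_length]


def run(payload: bytes, claimed_length: int) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Lay memory out as [record][neighbouring data] and run both handlers."""
    record = build_request(payload, claimed_length)
    memory = bytearray(record + NEIGHBOUR_SECRET)
    return (vulnerable_handler(memory, 0, len(record)),
            fixed_handler(memory, 0, len(record)))


if __name__ == "__main__":
    vuln, fixed = run(b"ping", claimed_length=4)     # honest request: both echo "ping"
    print("honest  :", response_payload(vuln), response_payload(fixed))
    vuln, fixed = run(b"ping", claimed_length=60)    # payload_length larger than the record
    print("overread:", response_payload(vuln))       # echoes bytes past the record
    print("fixed   :", fixed)                        # None: request discarded
```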

125 OpenSSL Heartbleed Bug (2014) 39/41

127 SSL/TLS Cipher Suites 40/41

Cipher                           Protocol version
Algorithm          Strength      SSL 2.0    SSL 3.0    TLS 1.0    TLS 1.1    TLS 1.2    TLS 1.3
AES GCM            256, 128      N/A        N/A        N/A        N/A        Secure     Secure
AES CCM            256, 128      N/A        N/A        N/A        N/A        Secure     Secure
AES CBC            256, 128      N/A        N/A        Depends    Secure     Secure     N/A
Camellia GCM       256, 128      N/A        N/A        N/A        N/A        Secure     Secure
Camellia CBC       256, 128      N/A        N/A        Depends    Secure     Secure     N/A
ARIA GCM           256, 128      N/A        N/A        N/A        N/A        Secure     Secure
ARIA CBC           256, 128      N/A        N/A        Depends    Secure     Secure     N/A
SEED CBC           128           N/A        N/A        Depends    Secure     Secure     N/A
3DES EDE CBC       112           Insecure   Insecure   Low/Dep.   Low        Low        N/A
GOST CNT           256           N/A        N/A        Secure     Secure     Secure     N/A
IDEA CBC           128           Insecure   Insecure   Depends    Secure     N/A        N/A
DES CBC            40            Insecure   Insecure   N/A        N/A        N/A        N/A
DES CBC            56            Insecure   Insecure   Insecure   N/A        N/A        N/A
RC2 CBC            56            Insecure   Insecure   Insecure   N/A        N/A        N/A
ChaCha20-Poly1305                N/A        N/A        N/A        N/A        Secure     Secure
RC4                128           Insecure   Insecure   Insecure   Insecure   Insecure   N/A
RC4                40            Insecure   Insecure   Insecure   N/A        N/A        N/A
NULL               N/A           Insecure   Insecure   Insecure   Insecure   Insecure

128 Conclusion 41/41

Will switching to TLS 1.3 solve all our problems? Barely... Ongoing support for older versions keeps users vulnerable. Disabling old versions is a sensitive issue... See for some up-to-date stats.


More information

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91 Stream ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 91 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 92 Stream Cipher Suppose you want to encrypt

More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography

More information

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas

More information

Plaintext Recovery Attacks Against WPA/TKIP

Plaintext Recovery Attacks Against WPA/TKIP Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London! The 21st International Workshop on Fast Software Encryption March 4th,

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16 Stream Ciphers - RC4 F. Sozzani, G. Bertoni, L. Breveglieri Foundations of Cryptography - RC4 pp. 1 / 16 Overview RC4 is a stream cipher using a symmetric key it was developed in 1987 by Ronald Rivest

More information

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel Security Protocols Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 CSE545 - Advanced Network Security - Professor McDaniel 1 Case Study: Host Access The first systems used telnet

More information

SSL Server Rating Guide

SSL Server Rating Guide SSL Server Rating Guide version 2009k (14 October 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.

More information

Cryptography Functions

Cryptography Functions Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)

More information

Stream Ciphers An Overview

Stream Ciphers An Overview Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext

More information

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d) Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key

More information

MTAT Applied Cryptography

MTAT Applied Cryptography MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

THE WORLD OF TLS. Security, Attacks, TLS 1.3

THE WORLD OF TLS. Security, Attacks, TLS 1.3 THE WORLD OF TLS Security, Attacks, TLS 1.3 HTTPS:// AND FTPS:// AND. Have you done any of the following today? E-shopping: Amazon, Ebay, Audible, Checked your Email Visited a social networking site: Facebook,

More information

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014) INSE 6150 Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014) Lucky 13 attack - continued from previous lecture The lucky 13 attack on SSL/TLS involves an active attacker who intercepts

More information

DO NOT OPEN UNTIL INSTRUCTED

DO NOT OPEN UNTIL INSTRUCTED CS 378 - Network Security and Privacy Spring 2017 FINAL May 3, 2017 DO NOT OPEN UNTIL INSTRUCTED YOUR NAME: Collaboration policy No collaboration is permitted on this exam. Any cheating (e.g., submitting

More information

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL CS 393 Network Security Nasir Memon Polytechnic University Module 12 SSL Course Logistics HW 4 due today. HW 5 will be posted later today. Due in a week. Group homework. DoD Scholarships? NSF Scholarships?

More information

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer

More information

Proving who you are. Passwords and TLS

Proving who you are. Passwords and TLS Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers

More information