SSL/TLS and Why the CA System is Broken

Transcription

1 SSL/TLS and Why the CA System is Broken or: How China can read your James Schwinabart September 6, 2011

2 What is SSL/TLS? Secure Sockets Layer or Transport Layer Security A protocol to allow secure communication over the Internet Used primarily for HTTP (websites), but works for pretty much everything

3 Secure Protocol Secrecy Moxie Marlinspike, SSL and the Future of Authenticity (Black Hat 2011)

4 Secure Protocol Secrecy Integrity Moxie Marlinspike, SSL and the Future of Authenticity (Black Hat 2011)

5 Secure Protocol Secrecy Integrity Authenticity Moxie Marlinspike, SSL and the Future of Authenticity (Black Hat 2011)

6 Secrecy and Integrity How do we achieve secrecy and integrity?

7 Secrecy and Integrity How do we achieve secrecy and integrity? We encrypt traffic.

8 Secrecy and Integrity How do we achieve secrecy and integrity? We encrypt traffic. But what key do we use?

9 Secrecy and Integrity How do we achieve secrecy and integrity? We encrypt traffic. But what key do we use? A shared key, established by sending a message to the server encrypted with the server s public key

10 Attacks on AES XSL attack on block ciphers (Courtois and Pieprzyk) Related key attack on AES-192 and AES-256 (Biryukov and Khovratovich) Chosen key relations in the middle on AES-128 (Rijmen) Biclique cryptanalysis (Bogdanov, Khovratovich, and Rechberger) Wikipedia, Advanced Encryption Standard (https: // secure. wikimedia. org/ wikipedia/ en/ w/ index. php? title= Advanced_ Encryption_ Standard&oldid= )

11 Attacks on AES XSL attack on block ciphers (Courtois and Pieprzyk) Related key attack on AES-192 and AES-256 (Biryukov and Khovratovich) Chosen key relations in the middle on AES-128 (Rijmen) Biclique cryptanalysis (Bogdanov, Khovratovich, and Rechberger) All known attacks are computationally infeasible, so we can trust AES for now. Wikipedia, Advanced Encryption Standard (https: // secure. wikimedia. org/ wikipedia/ en/ w/ index. php? title= Advanced_ Encryption_ Standard&oldid= )

12 Authenticity So, the server s public key is published, and we cant but how can be sure it s the actual server s public key and not an attacker s public key?

13 Web of Trust PGP, OpenPGP, GnuPG You join a web of trust by providing identification and having people sign your public key If you have John s public key, and John has signed Adam s public key, you can securely encrypt a message to Adam without exchanging keys in person If you aren t in a circle, then you get left out of the game

14 A Web of Trust

15 Certification Authorities Include a bunch of certification authorities that are trusted by browsers Website owners submit a signing request to a single certification authority Certification authority signs certificate if the website owner meets their requirements and gives them a certificate to use for communication

16 Certification Authorities Who do you trust?

17 Certification Authorities Who do you trust? VeriSign?

18 Certification Authorities Who do you trust? VeriSign? Comodo?

19 Certification Authorities Who do you trust? VeriSign? Comodo? China Internet Network Information Center?

20 Certification Authorities Who do you trust? VeriSign? Comodo? China Internet Network Information Center? Digicert?

21 Certification Authorities Who do you trust? VeriSign? Comodo? China Internet Network Information Center? Digicert? AffirmTrust?

22 Certification Authorities Who do you trust? VeriSign? Comodo? China Internet Network Information Center? Digicert? AffirmTrust? Microsoft?

23 Certification Authorities Who do you trust? VeriSign? Comodo? China Internet Network Information Center? Digicert? AffirmTrust? Microsoft? GoDaddy?

24 Certification Authorities Who do you trust? VeriSign? Comodo? China Internet Network Information Center? Digicert? AffirmTrust? Microsoft? GoDaddy? Everyone on this list can issue a certificate for any website you visit and your browser will trust it.

25 Certification Authorities

26 The Comodo Hack March 15, Comodo reports that an affiliate registration authority that had been compromised, issuing 9 rogue certificates, including ones for Google, Skype, a global trustee, allowing an attacker to generate more certificates on the fly March 26, A person claming to be the Comodo Hacker posts on Pastebin March 30, Another Comodo affiliate is compromised

27 DigiNotar Gets Owned July 10, rogue certificates were signed, including the one for *.google.com July 18, more rogue certificates signed July 19, rogue certificates July 20, rogue certificates July 27, rogue certificates August 28, A Gmail user from Iran reports seeing a certificate warning in Google Chrome when trying to access Gmail Swa Frantzen, DigiNotar Breach the story so far (https: // isc. sans. edu/ diary. html? storyid= )

28 DigiNotar Response August 29, DigiNotar revokes *.google.com certificate August 29, Browser vendors start pulling the plug on DigiNotar August 30, Vasco, DigiNotar s parent company, issues a press release on the incident September 5, ComodoHacker claims responsibility for this attack on Pastebin and claims to have access to 4 other CAs, including GlobalSign Swa Frantzen, DigiNotar Breach the story so far (https: // isc. sans. edu/ diary. html? storyid= )

29 Revocation Doesn t Work On a Mac? If you enable certificate revocation checking, anything that uses the OS X keychain for SSL will crash OCSP is set to fail-open by default, so a person attacking you can just block all OCSP queries Revocation can only occur after the attack is known; until then, you are vulnerable

30 DNSSEC DNSSEC makes things worse. In DNS, the information is distributed. The trust is worse!

31 DNSSEC DNSSEC makes things worse. In DNS, the information is distributed. The trust is worse! Registrar

32 DNSSEC DNSSEC makes things worse. In DNS, the information is distributed. The trust is worse! Registrar Top-level domain

33 DNSSEC DNSSEC makes things worse. In DNS, the information is distributed. The trust is worse! Registrar Top-level domain The DNS root

34 Perspectives Contact a notary and ask them what certificate they see Notary establishes connection and sends the certificate back to you You can talk to any number of notaries, distributed around the world Implementation is not ideal; supplements, rather than replaces, certification authorities Notaries are hard-coded, so you have to modify the extension manually in order to add notaries

35 Monkeysphere

36 Monkeysphere Extends the OpenPGP web of trust to SSL Website owners publish their servers public key in the monkeysphere that can be verified using standard OpenPGP verification If you don t have a trust path to the owner of the site, the certificate will not be valid Poor implementation; Firefox extension requires a separate validation agent

37 Convergence

38 Convergence Anyone can run a notary, and you can add it to your browser with a single click Eliminates notary lag; you send a certificate to the notary and the notary gives you a positive or negative response Caches certificates to avoid browser lag Uses notary bouncing for privacy reasons Seamless replacement of certification authorities No such thing as self-signed certificates anymore Moxie Marlinspike, SSL and the Future of Authenticity (Black Hat 2011)

39 Problems with Convergence The Citibank Problem : some sites have more than one certificate Captive portals (e.g. VT WLAN) Moxie Marlinspike, SSL and the Future of Authenticity (Black Hat 2011)

40 The Future We do not yet have a perfect solution Right now, Convergence looks to be the best option

41 Questions?