Ecosystem at Large

Transcription

1 Testing TLS in the Ecosystem at Large IT-SeCX 2015 Wilfried Mayer, Aaron Zauner, Martin Schmiedecker, Markus Huber

2 Overview Background Methodology Results Mitigation 2

3 Background

4 Transport Layer Security Most widely used cryptographic protocol Lots of research for HTTP + TLS = HTTPS Not for other application layer protocols Especially on high-confidentiality / traffic systems like 3

5 Many people use public mail services (E.g. Gmail) Millions of smaller mail-daemons on the Internet not invented with security in mind Crypto settings? 4

6 Flow 5

7 Protocols and TCP Ports Port TLS Protocol Usage 25 STARTTLS SMTP Transmission 110 STARTTLS POP3 Retrieval 143 STARTTLS IMAP Retrieval 465 Implicit SMTPS Submission 587 STARTTLS SMTP Submission 993 Implicit IMAPS Retrieval 995 Implicit POP3S Retrieval 6

8 STARTTLS & SMTP 7

9 TLS Handshake 8

10 Concept of Cipher Suites 9

11 Methodology

12 So we scanned the entire IPv4 space! masscan for discovery scans and X.509 Certificate collection SSLyze (customized) with queueing framework around it More than 10 billion TLS handshakes over the course of a couple of months (not counting discovery scans) 10

13 TLS enumeration 11

14 Input dataset / collection 12

15 Scan Flow 13

16 Organizational and Ethical Considerations Get an upstream ISP that is willing to help your research Randomize target networks Be transparent! Inform all responsible people WHOIS / RIPE entry explaining the research project Webpage on the scan host explaining the research project Abuse contact 14

17 Abuse Complaints People will complain!...they even might write to your management or unrelated 3rd parties Introduce an abuse contact! Handle each mail request professionally 15

18 Some Statistics Received 89 mails in total 52 auto generated by IDS / Ops tooling 16 simple blacklisting requests (sometimes large CIDR ranges) A few were blatantly rude A few very interested in our work 16

19 Results

20 Data Overview Conducted 20,270,768 scans 7 different TCP ports April to August

21 Data Overview 18,381,936 valid reponses 551 TLS handshakes per host/port combination 89.78% handshakes rejected 8.26% accepted 1.95% error 18

22 Protocol Version Support % SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 19

23 Protocol Version Support Only SSLv2 and SSLv3 0.2% for SMTP, < 0.1% for others Only TLSv1.1 and TLSv1.2 < 0.5% for all protocols Only TLSv1 upwards 8% for SMTP, 18 45% for others 20

24 Key Exchange Methods RSA 25: 92% 465: 95% 587: 93% Retrieval: 99% DHE-RSA 25: 86% 465: 86% 587: 65% Retrieval: 74% ECDHE-RSA 25: 41% 465: 12% 587: 25% Retrieval: 8% 21

25 Key Exchange Security Diffie-Hellman - DH(E): Large amount of 512-bit DH primes in SMTP (EXPORT!) DH group size below or equal to 1024 bit is very common in all protocols Elliptic Curve Diffie-Hellman - ECDH(E): SMTP: 99% use secp256r1 curve POP/IMAP: 70% use secp384r1 cuve 22

26 Key Exchange Security: Common Primes SMTP: a 512-bit prime used by 64%, a 1024-bit prime used by 69% (Postfix) 512-bit Postfix prime: 0x00883f00affc0c8ab835cde5c20f55d f063f1607bfce1335e41c1e03f3ab17f e10d73eb4eb468c4050e691a 56e0145dec9b11f6454fad9ab4f70ba5b 23

27 Key Exchange Security: Perfect Forward Secrecy % PFS 24

28 Accepted Ciphers % RC4 AES-256 (GCM) Export grade 25

29 X.509 Certificates: Self vs. CA-signed % ok self signed unable Compared to Mozilla Truststore: ok: CA signed, unable: unable to get local issuer 26

30 X.509 Certificates (cont.) 99% of leafs use RSA (vs. e.g. ECDSA) Most SMTP(S) leafs and intermediates above 1024-bit RSA (most 2k) Less than 10% use 4096-bit RSA public keys 27

31 X.509 Certificates: Volatility 4.5M 4.0M 3.5M 3.0M Certificates 2.5M 2.0M 1.5M 1.0M 0.5M SMTP 1024 SMTP 2048 SMTP M based on scans.io data 28

32 X.509 Certificates (cont.) Name IPs Parallels Panel - Parallels 306,852 imap.example.com - IMAP server (1024bit) 261,741 Automatic...POP3 SSL key - Courier...(1024bit) 87,246 Automatic...IMAP SSL key - Courier...(1024bit) 83,976 localhost - Dovecot mail server 13,134 29

33 X.509 Certificates (cont.) Common Name Port IPs *.nazwa.pl (nazwassl) 25 40,568 b16c...6e , , , ,451 *.pair.com (USERTrust RSA Organization...) 25 15,573 a42d...768f , , , , , ,

34 X.509 Certificates: Weak RSA Keys Analyzed 40,268,806 certificates Similar to Heninger et al. Mining Your Ps and Qs Fast-GCD [algo. djb, impl. Heninger et al.] 456 GCDs found (= RSA private keys recovered) 31

35 Collateral Damage Open-source mail daemons are easily DoS ed - test carefully (Re)discovered a dovecot bug: (CVE , investigated and reported by Hanno Boeck) OpenSSL will establish EXPORT ciphersuites with TLS 1.1 and 1.2 RFC: MUST NOT AFAIK unfixed 32

36 Mitigation

37 Solid Server Configurations & Awareness Activate TLS / STARTTLS bettercrypto.org Mozilla Server TLS Security guide: RFC 7457 Summarizing Known Attacks on TLS... RFC 7525 Recommendations for Secure Use of TLS... Educating administrators and managers 33

38 Key Pinning Public keys get pinned on first use (TOFU) Elegant solution but difficult deployment model HPKP (for HTTPS) available, not really deployed yet TACK(.io) is a universal TLS extension that would also fit e.g. STARTTLS protocols (deadlock) 34

39 DNSSEC / DANE DANE is a nice protocol DNSSEC shifts trust to TLDs instead of CAs DNSSEC has deployment problems It s still one option that could work, so why not deploy in addition? 35

40 DKIM, SPF, DMARC Especially if you are hosting a large environment you MUST deploy: DKIM (DomainKeys Identified Mail) SPF (Sender Policy Framework) DMARC (Domain-based Message Authentication, Reporting, and Conformance) 36

41 Beyond Let s Encrypt by EFF et al. DEEP (Deployable Enhanced Privacy) Similar to how HSTS works for HTTPS Continued scans necessary to track change over time Published data sets: Full paper: 37

42 Questions? 38