SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger


Slides by Malvin Gattinger, 2016-03-17

SSL/TLS

[Figure 1: The General Picture]

SSL or TLS?

Goal: authentication and encryption.

Secure Sockets Layer (SSL): version 1 (never released), version 2 (1995-2011) and version 3 (1996-2015).

Transport Layer Security (TLS): current version 1.2, from August 2008. Still problems, but the best we have for now. Version 1.3 exists only as a draft.


Cipher Suites (because abbreviations are fun!)

What is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA?

1. ECDHE_RSA: ephemeral Elliptic Curve Diffie-Hellman establishes the session key (the trailing E is what gives forward secrecy); the server authenticates itself by signing its key-exchange parameters with its RSA key.
2. AES_256_CBC: symmetric AES encryption is used for the actual data. The key size is 256 bits (the AES block size is always 128 bits); the mode of operation is CBC.
3. SHA: SHA-1, used inside an HMAC as the MAC. A suite ending in _SHA256 would use HMAC-SHA-256 instead, and in TLS 1.2 that suffix also selects the PRF hash.

Note: which suite is used depends on what the server and the client both support. Refusing to use old ciphers will exclude old devices!

https://www.illc.uva.nl/ https://www.cwi.nl/ https://www.w4eg.de/
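To make the abbreviation game mechanical, here is an added Python example (not code from the slides) that decodes a suite name into the parts listed above and flags the weak choices a reviewer would object to. It goes beyond the one suite on the slide: it also handles the short TLS 1.3 names, which omit key exchange and authentication because TLS 1.3 negotiates those separately, and the legacy EXPORT, anonymous and RC4 suites. The warning rules are this example's own heuristics, not an official registry.

```python
"""Decode IANA-style TLS cipher suite names and flag weak parts (added example)."""
from dataclasses import dataclass, field

_MAC_NAMES = {"MD5": "HMAC-MD5", "SHA": "HMAC-SHA-1",
              "SHA256": "HMAC-SHA-256", "SHA384": "HMAC-SHA-384"}


@dataclass
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    key_bits: int            # effective key strength in bits (0 for NULL)
    mode: str
    mac: str
    forward_secrecy: bool
    aead: bool
    export: bool = False
    warnings: list = field(default_factory=list)


def _parse_cipher(spec: str):
    """Return (algorithm, effective key bits, mode, is_aead) for e.g. 'AES_256_CBC'."""
    parts = spec.split("_")
    if parts[0] == "NULL":
        return "NULL", 0, "none", False
    if parts[0] == "RC4":                         # RC4_128, RC4_40
        return "RC4", int(parts[1]), "stream", False
    if parts[0] == "3DES":                        # 3DES_EDE_CBC: 168-bit key, 112-bit strength
        return "3DES", 112, "CBC", False
    if parts[0] in ("DES", "DES40"):              # DES_CBC / DES40_CBC (export)
        return "DES", 40 if parts[0] == "DES40" else 56, "CBC", False
    if parts[0] == "CHACHA20":                    # CHACHA20_POLY1305
        return "CHACHA20", 256, "POLY1305", True
    # AES_128_GCM, AES_256_CBC, AES_128_CCM_8, CAMELLIA_256_CBC, ARIA_128_GCM, ...
    alg, bits = parts[0], int(parts[1])
    mode = parts[2] if len(parts) > 2 else "CBC"
    return alg, bits, mode, mode in ("GCM", "CCM")


def _review(cs: CipherSuite) -> list:
    """Red flags a reviewer would raise (this example's own rules, not a standard)."""
    w = []
    if cs.authentication == "anon":
        w.append("anonymous key exchange: no server authentication, trivially MitM-able")
    if not cs.forward_secrecy:
        w.append(f"{cs.key_exchange} key exchange: no forward secrecy, "
                 "a leaked server key decrypts recorded traffic")
    if cs.export:
        w.append("EXPORT suite: deliberately weakened 1990s key lengths")
    if cs.cipher == "NULL":
        w.append("NULL cipher: integrity only, no confidentiality")
    elif cs.cipher == "RC4":
        w.append("RC4: biased keystream, prohibited for TLS by RFC 7465")
    elif cs.cipher in ("DES", "3DES"):
        w.append(f"{cs.cipher}: 64-bit block size, {cs.key_bits}-bit effective strength")
    if 0 < cs.key_bits < 112:
        w.append(f"{cs.key_bits}-bit key: far below today's minimum")
    if cs.mode == "CBC":
        w.append("CBC with MAC-then-encrypt: the padding-oracle family (BEAST, POODLE)")
    if cs.mac == "HMAC-MD5":
        w.append("MD5-based MAC: legacy, remove")
    return w


def parse_suite(name: str) -> CipherSuite:
    """Split a suite name into key exchange, authentication, cipher and MAC."""
    body = name[len("TLS_"):]
    if "_WITH_" not in name:
        # TLS 1.3 style: TLS_<aead cipher>_<HKDF hash>; (EC)DHE is always ephemeral there
        cipher_spec, _, hash_name = body.rpartition("_")
        alg, bits, mode, aead = _parse_cipher(cipher_spec)
        cs = CipherSuite(name, "(EC)DHE (TLS 1.3, negotiated separately)",
                         "certificate or PSK (TLS 1.3, negotiated separately)",
                         alg, bits, mode, f"AEAD (HKDF hash {hash_name})", True, aead)
    else:
        kx_spec, _, rest = body.partition("_WITH_")
        export = "_EXPORT" in kx_spec
        kx, _, auth = kx_spec.replace("_EXPORT", "").partition("_")   # "ECDHE_RSA" -> ECDHE, RSA
        auth = auth or kx                  # bare "RSA" = RSA key transport + RSA authentication
        cipher_spec, _, mac_suffix = rest.rpartition("_")
        alg, bits, mode, aead = _parse_cipher(cipher_spec)
        mac = f"AEAD (PRF hash {mac_suffix})" if aead else _MAC_NAMES.get(mac_suffix, mac_suffix)
        # anonymous (EC)DH also uses fresh parameters, so it is ephemeral as well
        fs = kx in ("DHE", "ECDHE") or auth == "anon"
        cs = CipherSuite(name, kx, auth, alg, bits, mode, mac, fs, aead, export)
    cs.warnings = _review(cs)
    return cs


if __name__ == "__main__":
    for n in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
              "TLS_AES_128_GCM_SHA256"):
        print(parse_suite(n))
```

The interesting output is the warnings list: the slide's own suite, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, passes on key exchange and key size but still draws the CBC warning, which is the kind of nuance a raw "AES-256, fine" reading misses.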


Trust is global!

Question: Alice connects to www.bob.pro, which uses a certificate signed by the authority COOL. Whom does she have to trust?

Answer: COOL, and all other CAs in her browser!

Some entries from my browser's list of CAs:

Amazon
AS Sertifitseerimiskeskus (?)
China Internet Network Information Center
DFN-Verein (German universities)
DigiNotar (wait, why are you still here?)
Equifax, GeoTrust, GlobalSign, ... (professional CAs)
GoDaddy (hosting company)
Government Root Certification Authority (Taiwan)
Hongkong Post
Staat der Nederlanden
StartCom (infamous for handing out free certificates)
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
Swisscom
VISA

Which CAs get into browsers and operating systems?

Mozilla Bug 647959 - "Add Honest Achmed's root certificate"


What do CAs actually do?

How to verify that someone really is who they claim to be (read: owns a certain domain)?

"Please enter the code we just sent to webmaster@bob.pro."

A bit more advanced:
"Please add a DNS record: bob.pro. IN TXT "09AKE903""
"Please put LA8SOPWAQ231SDJ2KJXOQS1234KDJI12WI at http://bob.pro/9823404534598.html."

New: the ACME protocol, as used by Let's Encrypt: fully automated issuance and renewal. Awesome.

Extended Validation (EV) is more expensive; for this, someone from TÜRKTRUST might actually visit Bob at his office (or at least send a letter there). Example: https://posteo.de/
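The DNS-record and HTTP-file checks above are exactly what ACME automates. The following added Python example (not code from the slides or from any ACME client) derives the two values a CA looks for under RFC 8555, the key authorization served at http://<domain>/.well-known/acme-challenge/<token> (http-01) and the TXT record at _acme-challenge.<domain> (dns-01), and performs the check the CA side does. The account key is a constructed placeholder JWK with dummy values, not a real key, and the token is made up.

```python
"""ACME (RFC 8555) domain-validation challenge values, added example."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_public_jwk(jwk: dict) -> str:
    """RFC 7638 input: only the required public members, keys in lexicographic
    order, no whitespace.  Private members (d, p, q, ...) never take part."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_public_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key): the body served for http-01."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01 publishes base64url(SHA-256(key authorization)) as the TXT value,
    so the DNS record never reveals the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks after fetching the challenge URL over plain HTTP.
    The body must match the key authorization for *this* account key, so
    someone who can drop files on bob.pro but does not hold the ACME account
    key cannot complete the challenge on Bob's behalf."""
    return served_body.strip() == key_authorization(token, account_jwk)


def ca_validates_dns01(txt_records: list, token: str, account_jwk: dict) -> bool:
    """The CA queries _acme-challenge.<domain> and accepts if any TXT matches."""
    return dns01_txt_value(token, account_jwk) in txt_records


# Constructed placeholder account key: NOT a real RSA key, the values are dummies.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "dGhpcy1pcy1ub3QtYS1yZWFsLW1vZHVsdXM"}
TOKEN = "example-token-0123456789abcdef"        # constructed challenge token

if __name__ == "__main__":
    print("serve at /.well-known/acme-challenge/%s:" % TOKEN, key_authorization(TOKEN, ACCOUNT_JWK))
    print("_acme-challenge TXT:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Note what binds the proof to the requester: the token alone is public, and the thumbprint alone is derivable from the public account key; only the combination, checked against the account that actually requested the certificate, ties the domain to that account.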


Why you really have to trust all CAs

Nothing stops any CA from signing a certificate for any domain.

Question: You are (or have access to the private key of) a trusted CA and want to do a MitM attack between Alice and www.bob.pro. Can you hide the fact that you are listening in from both of them? How?


But who would do such a thing?

[Slide image: a leaked NSA slide marked TOP SECRET//SI//NOFORN, titled "Current Efforts - Google"; the rest of its text did not survive transcription.]

Problems and Attacks

Things can go wrong in two ways: in the protocol, or in the implementation. Both happen. And happen again.

Nowadays attacks come with fancy names and their own websites: BEAST, CRIME, BREACH, POODLE, FREAK, Logjam, Heartbleed, DROWN, ... Stay tuned for more.


Unencrypted Fallback

Problem: If you type www.triodos.nl and press enter, your browser will first try http://, and it is up to the (MitM attacker's) server to redirect you to https://.

Fix: HTTP Strict Transport Security (HSTS): after the first https connection, remember to never contact this website via plain http again. (That very first connection is still unprotected, unless the site is on the browser's built-in preload list.)

New Problem: This can be used to track and identify users.
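To see exactly what HSTS does and does not protect, here is an added Python model of a browser's HSTS policy store (not code from the slides or from any browser). It follows the RFC 6797 header grammar (max-age, includeSubDomains), ignores the header on plain-http responses, handles expiry and max-age=0, and exposes the list of remembered hosts, which is the per-user state that the tracking problem exploits. Hosts, headers and the clock are constructed.

```python
"""Minimal model of a browser HSTS store (RFC 6797), added example."""
import time


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}          # host -> (expires_at, include_subdomains)

    def process_response(self, host: str, over_https: bool, headers: dict) -> None:
        """Record the policy carried in a Strict-Transport-Security header.
        RFC 6797 requires ignoring the header on plain-http responses:
        otherwise an on-path attacker could plant or clear policies."""
        value = headers.get("Strict-Transport-Security")
        if not over_https or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.lower(), arg.strip().strip('"')
            if name == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                                   # max-age is mandatory; malformed, ignore
        if max_age == 0:
            self._policies.pop(host, None)           # max-age=0 means "forget me"
            return
        self._policies[host] = (self._now() + max_age, include_sub)

    def should_upgrade(self, host: str) -> bool:
        """True if host, or a parent domain whose policy has includeSubDomains,
        has an unexpired policy.  Expired entries are dropped on the way."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= self._now():
                del self._policies[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def known_hosts(self) -> list:
        """Everything the store remembers.  This set differs per user, which is
        what lets a site controlling many subdomains read it back as a
        tracking identifier (the 'New Problem' on the slide)."""
        return sorted(self._policies)


def scheme_for_typed_host(store: HstsStore, host: str) -> str:
    """What happens when the user types just 'www.triodos.nl': https only if
    a policy is already known, otherwise plain http and the server (or the
    attacker impersonating it) decides whether a redirect ever happens."""
    return "https" if store.should_upgrade(host) else "http"
```

The first assertion in the accompanying check is the whole point of the slide: before any https visit the store is empty and the typed hostname goes out over http.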


All CAs are equal

Problem: We have to trust lots of CAs even when we already know the CA or the public key from previous connections.

Fix: Pinning, either of
the CA: "Only TÜRKTRUST may issue certificates for erdogan.tr."
the public key: "Only 89:4F:DD:... :8F:84:65 is w4eg.de."

When?
after the first connection: the Firefox extension Certificate Patrol
before any connection, via DNS: see DANE (currently no browser does this)
built into the browser: Google is doing that now (Chrome ships pins for its own domains)
keep a public list of SSL links: HTTPS Everywhere by the EFF (strictly speaking this fixes the unencrypted fallback, not which CA to trust)
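What exactly is the "89:4F:DD:...:8F:84:65" that gets pinned? In practice the hash is taken over the DER-encoded SubjectPublicKeyInfo (SPKI) of the certificate, not the whole certificate, so the site can renew its certificate without breaking the pin as long as it keeps the key; base64(SHA-256(SPKI)) is the form HTTP Public Key Pinning (RFC 7469) uses. The following added Python example (not code from the slides or from any browser or library) walks just enough DER to reach the SPKI in an X.509 certificate, computes both the base64 and the colon-separated hex form, and checks a certificate against a pin set that includes a backup pin. The certificate it is exercised on is a constructed skeleton with the right field order but dummy contents, not a real certificate.

```python
"""SPKI pin computation and check, added example."""
import base64
import hashlib

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"     # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """(tag, tlv_start, tlv_end) for each element inside a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki_der(cert_der: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_start, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    tbs_tag, tbs_start, tbs_end = _read_tlv(cert_der, cert_start)
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version is optional
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]    # after serial, sigalg, issuer, validity, subject
    return cert_der[spki_start:spki_end]


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as in RFC 7469: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_fingerprint_hex(spki_der: bytes) -> str:
    """The colon-separated form seen on slides and in config files."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(spki_der).digest())


def check_pins(cert_der: bytes, pinset: set) -> bool:
    """Accept the certificate only if its public key matches a pinned one.
    Always pin at least one backup key too, or a key rotation locks users out."""
    return spki_pin(extract_spki_der(cert_der)) in pinset


def der(tag: int, payload: bytes) -> bytes:
    """Minimal definite-length DER encoder, used to build the test skeleton."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def dummy_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo envelope around constructed (meaningless) key bytes."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))


def build_skeleton_cert(spki_der: bytes, with_version: bool = True) -> bytes:
    """Constructed certificate skeleton: correct field order, dummy contents.
    NOT a valid certificate (no real names, dates or signature)."""
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    fields = [der(0xA0, der(0x02, b"\x02"))] if with_version else []       # [0] version v3
    fields += [der(0x02, b"\x01"),                                         # serialNumber
               sig_alg,                                                    # signature
               der(0x30, b""),                                             # issuer (empty Name)
               der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z")),
               der(0x30, b""),                                             # subject (empty Name)
               spki_der]                                                   # subjectPublicKeyInfo
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))              # dummy signature
```

On a real certificate the same extraction applies to the DER you get from the TLS handshake; the DER walker here deliberately stops at the SPKI and does no validation, because pin checking is done in addition to, never instead of, normal chain validation.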


What about revocation?

Problem: If a private key gets into the wrong hands, the certificate should not be accepted anymore.

Fix: Online Certificate Status Protocol (OCSP): the certificate contains a URL where the browser should ask whether it has been revoked. Most browsers do this, but Chrome disabled it again in 2012.

New Problems: If the OCSP server is down, the website becomes unreachable, which is why browsers in practice fail open, and then an attacker who can block the OCSP query gets past the check anyway. And the OCSP server learns who is visiting which website, and when.
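The mitigation a practitioner reaches for is OCSP stapling: the server fetches the signed OCSP response for its own certificate and sends it inside the TLS handshake, so the browser never contacts the OCSP responder (no visitor tracking) and a responder outage on the server side only delays a refresh. The fragment below is an added configuration example, not from the slides; the server name and certificate paths are assumed placeholders.

```nginx
server {
    listen 443 ssl;
    server_name www.bob.pro;                       # placeholder
    ssl_certificate     /etc/ssl/bob.pro/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/bob.pro/privkey.pem;

    # Fetch the OCSP response for our own certificate and staple it into the
    # handshake; the client no longer talks to the OCSP server at all.
    ssl_stapling on;
    # Verify the fetched response against the issuer chain before stapling it.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/bob.pro/chain.pem;
    # nginx needs a resolver to look up the OCSP responder named in the certificate.
    resolver 127.0.0.1 valid=300s;
}
```

Caveat: stapling alone does not turn a soft-fail check into a hard one. Unless the certificate carries the OCSP Must-Staple extension, a client that receives no staple simply falls back to the behaviour described above.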

Attack Example: Heartbleed

[Comic: https://xkcd.com/1354/ (CC-BY-NC)]


Best Practices

As a server:
read the news
use open source software
test your servers
expect failure
follow experts' recommendations, e.g. cipherli.st

As a client (or product ...): demand strong crypto from your providers.

There are several online tests which show many details: https://www.ssllabs.com/ssltest/index.html (grades as of the talk, March 2016)
Good: mijn.overheid.nl
Bad: facebook.com
Worse: www.cwi.nl
Also: https://ssldecoder.org

More Worries about the Internet

Even if TLS worked perfectly, the Internet is a weird place. Most people can be identified by a combination of IP address, User-Agent, cookies, local storage, HSTS, ...

145.108.80.128 -- VU
92.108.60.57 -- UPC
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.116 Chrome/48.0.2564.116 Safari/537.36

Test your own browser at https://panopticlick.eff.org/