Plaintext-Recovery Attacks Against Datagram TLS

Similar documents
TLS Security Where Do We Stand? Kenny Paterson

Implementing Cryptography: Good Theory vs. Bad Practice

Chapter 8 Web Security

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Transport Level Security

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Authenticated Encryption

Findings for

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Authenticated Encryption in TLS

Securing Network Communications

OpenSSL is a project comprising (1) a core library and (2) a toolkit. The core library offers an API for developers of secure applications.

New attacks on the MacDES MAC Algorithm. 1st July Two new attacks are given on a CBC-MAC algorithm due to Knudsen and Preneel, [2],

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

A Surfeit of SSH Cipher Suites

Transport Layer Security

Block Cipher Modes of Operation

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Message authentication codes

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

IPSec. Overview. Overview. Levente Buttyán

The IPsec protocols. Overview

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

HAI Network Communication Protocol Description

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

Advanced security notions for the SSH secure channel: theory and practice

Plaintext Recovery Attacks Against WPA/TKIP

Block Cipher Modes of Operation

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CIS 4360 Secure Computer Systems Symmetric Cryptography

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Secure Internet Communication

Authenticated Encryption and Secure Channels. Kenny Paterson Information Security ;

Block Cipher Operation. CS 6313 Fall ASU

Lithe: Lightweight Secure CoAP for the Internet of Things

(2½ hours) Total Marks: 75

TLS connection management & application support. Giuseppe Bianchi

MatrixDTLS Developer s Guide

: Practical Cryptographic Systems March 25, Midterm

Symmetric key cryptography

Release note Tornaborate

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

Request for Comments: 2420 Category: Standards Track September The PPP Triple-DES Encryption Protocol (3DESE)

Design and Implementation of SCTP-aware DTLS

CIP Security Phase 1 Secure Transport for EtherNet/IP

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

E-commerce security: SSL/TLS, SET and others. 4.1

Feedback Week 4 - Problem Set

Lecture 1 Applied Cryptography (Part 1)

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Summary on Crypto Primitives and Protocols

Overview of TLS v1.3 What s new, what s removed and what s changed?

Information Security CS 526

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Network Working Group Request for Comments: Nokia Siemens Networks February 2009

TLS1.2 IS DEAD BE READY FOR TLS1.3

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Lecture for February 10, 2016

CS 356 Internet Security Protocols. Fall 2013

Practical Attacks on Implementations

8. Network Layer Contents

Workshop Challenges Startup code in PyCharm Projects

An SCTP-Protocol Data Unit with several chunks

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Security analysis of DTLS 1.2 implementations

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

Key Management Interoperability Protocol Crypto Profile Version 1.0

SSL/TLS. How to send your credit card number securely over the internet

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Transport Layer Security

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

CIS 5373 Systems Security

Stream Ciphers. Stream Ciphers 1

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

CSE 127: Computer Security Cryptography. Kirill Levchenko

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

DROWN - Breaking TLS using SSLv2

OpenSSL is a project comprising (1) a core library and (2) a toolkit. The core library offers an API for developers of secure applications.

Stream Control Transmission Protocol

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Symmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

SSL/TLS. Pehr Söderman Natsak08/DD2495

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Internet security and privacy

Transcription:

Information Security Group Royal Holloway, University of London 6th Feb 2012

Contents 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6

Results 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6

Plaintext-recovery attacks through which we were able to: Decrypt arbitrary amount of ciphertext in the case of the OpenSSL implementation of DTLS. Decrypt the four most significant bits of the last byte in every block in the case of the GnuTLS implementation of DTLS.

Background DTLS versus TLS 1 Results 2 Background DTLS versus TLS 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6 3

Background DTLS versus TLS Datagram Transport Layer Security (DTLS) was first introduced in NDSS 2004. IETF assigned RFC 4347 to DTLS 1.0 in 2006. RFC 6347 updates RFC 4347 and was published in Jan 2012 under DTLS 1.2. By design, DTLS 1.0 is very similar to TLS 1.1. RFC 4347 presents only the changes to TLS 1.1 and refers to RFC 4346 for the rest of the specification. A number of RFC documents have been published on DTLS. DTLS is used in a number of implementations.

Background DTLS versus TLS DTLS runs over an unreliable protocol such as Unreliable Datagram Protocol (UDP). Handshake Protocol Change Cipher Spec Alert Protocol Record Protocol Applications TLS! Reliable Transport Protocol Handshake Protocol Change Cipher Spec Alert Protocol Applications Record Protocol DTLS! Unreliable Transport Protocol

Background DTLS versus TLS Changes to TLS 1.1 also include: Implementations of DTLS should silently discard data with bad MACs or padding. No error messages are generated in both cases. In DTLS, connections are not terminated in the case of an error. In DTLS, fragmentation of record messages is not permitted. DTLS optionally supports record replay protection. There are other changes, but they are not of relevance.

Vaudenay s Padding Oracle Canvel et al. Work 1 Results 2 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 3 Vaudenay s Padding Oracle Canvel et al. Work 6

Vaudenay s Padding Oracle Canvel et al. Work Vaudenay s padding oracle, (PO) applies to CBC-mode encryption. PO returns VALID if the padding is correct and INVALID otherwise. The realisation of this oracle relies on the attacker having access to TLS error messages; decryption failed and bad record mac which are classified as fatal. In the case of TLS 1.0, both of these error messages are encrypted. Connections are terminated immediately whenever such errors are encountered. Algorithm 1: Decrypting a block using a padding oracle PO for TL- S/DTLS. Data: Ct 1, C t Result: Pt = D k (Ct ) C t 1 Let R be a random b-byte block.; for i =0to b 1 do for byte =0to 255 do R[i] =byte; C = R Ct ; if PO(C) = VALID then P[i] =R[i] Ct 1 [i] i; Break; Output P; for j =0to i do R[j] =R[j] (i) (i +1);

Vaudenay s Padding Oracle Canvel et al. Work The work of Canvel et al. exploits the fact that processing a message with valid padding may take longer than the processing of a message with invalid padding: The timing difference comes from the MAC verification process. Canvel et al. were able to extract fixed plaintext in the form of TLS-encrypted passwords. Connections had to be re-established after being terminated, making the attack difficult to implement. Countermeasures were introduced in TLS 1.1: One of them is to perform MAC verification on packets that fail the padding check.

OpenSSL Implementation of DTLS Timing and Packet Processing Results 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL OpenSSL Implementation of DTLS Timing and Packet Processing Results 5 Attacking the GnuTLS Implementation of DTLS 6

OpenSSL Implementation of DTLS Timing and Packet Processing Results DTLS Packets with invalid padding are silently discarded and MAC verification is not performed. No error messages are generated when the padding error is encountered. This protects the system from the attack introduced by Canvel et al. We constructed a new realisation for the padding oracle to exploit the OpenSSL implementation of DTLS. Algorithm 2: Padding Oracle for OpenSSL implementation of DTLS Data: C Result: VALID or INVALID for q =1to m do RTT q = Timer(C); RTT =Mean(RTT 1, RTT 2,...,RTT m); if RTT T then return VALID; else return INVALID; Timer(C) Set T s =currenttime; Send n copies of P C,aDTLSpacketcontainingC, to the targeted system; Send a Heartbeat request packet to the targeted system; Set T e = time when Heartbeat response packet is seen; return (T e T s )

OpenSSL Implementation of DTLS Timing and Packet Processing Results We were able to use Heartbeat messages to compensate the lack of error messages. The advisory sends a Heartbeat request message right after the attack message(s). The advisory calculates the time from sending the first message to receiving the Heartbeat response message. To amplify the timing difference we used a train of packets.

OpenSSL Implementation of DTLS Timing and Packet Processing Results packet 1 t 1,0 t 1,1 t 1,2 t 1,3 packet 2 Time-line for packet train with valid padding t 2,0 t 2,1 t 2,2 t 2,3 Heartbeat Request Heartbeat Response T s T f T e packet 1 Time-line for packet train with invalid padding t 1,0 t 1,1 t 1,3 packet 2 t 2,0 t 2,1 t 2,3 Heartbeat Request Heartbeat Response T s T f T e

OpenSSL Implementation of DTLS Timing and Packet Processing Results 0.30 0.25 0.20 0.08 0.06 0.06 0.05 0.04 0.15 0.04 0.03 0.10 0.05 0.02 0.02 0.01 540 560 580 600 620 640 (a) l =256 1240 1260 1280 1300 1320 1340 (b) l =1024 1660 1680 1700 1720 (c) l =1456 Figure: 3DES PDFs for trains of 10 packets and varying the DTLS payload length, l. 0.20 0.15 0.10 0.15 0.10 0.12 0.10 0.08 0.06 0.05 0.05 0.04 0.02 520 530 540 550 560 570 580 (a) l =256 1210 1215 1220 1225 1230 (b) l =1024 1580 1590 1600 1610 1620 1630 (c) l =1456 Figure: AES-256 PDFs for trains of 10 packets and varying the DTLS payload length, l.

OpenSSL Implementation of DTLS Timing and Packet Processing Results n and l 128 160 192 224 256 288 1 0.99 0.99 1.00 0.99 1.00 0.99 2 0.99 1.00 0.99 1.00 1.00 0.98 5 0.99 1.00 1.00 1.00 1.00 0.98 10 0.98 1.00 0.99 1.00 1.00 0.99 20 0.99 0.99 1.00 1.00 1.00 0.99 50 0.99 0.99 1.00 1.00 0.98 0.95 Table: Success probabilities per byte for AES, for various attack parameters (with anti-replay disabled). n is the train size and l is the DTLS payload size in bytes.

1 Results 2 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 3 6

Unlike OpenSSL, GnuTLS share the same code for TLS and DTLS. GnuTLS implements the fix introduced in TLS 1.1 and hence is not vulnerable to our attack against OpenSSL. We were able to recover the four most significant bits of the last byte in each ciphertext block by exploiting a different issue in the code and using the same technique. 0.014 0.012 0.010 0.008 0.006 0.004 0.002 100 200 300 400 Figure: PDFs for AES-256 with HMAC-SHA256, l =176,n =5,based on 1000 trials, with outliers removed.

Fixes On 4th of Jan 2012, OpenSSL issued releases 1.0.0f and 0.9.8s which included a fix. On 6th of Jan 2012, GnuTLS issued release 3.0.11 which included a fix.

1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6

Lack of error messages does not necessarily mean that the system is not vulnerable. Although the GnuTLS implementation of DTLS follows the standard, we were able to deploy similar techniques to attack the implementation and recover a limited amount plaintext. Features of lower layer protocols can have a major influence on security at higher layers.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback