A messy state of the union:

Similar documents
A Messy State of the Union: Taming the Composite State Machines of TLS

Protecting TLS from Legacy Crypto

*the Everest VERified End-to-end Secure Transport. Verified Secure Implementations for the HTTPS Ecosystem mitls & Everest*

for Compound Authentication

Coming of Age: A Longitudinal Study of TLS Deployment

Expires: September 10, 2015 Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015

Internet Engineering Task Force (IETF) Google Inc. M. Ray Microsoft Corp. September 2015

MTAT Applied Cryptography

Introduction to cryptology (GBIN8U16) Introduction

Internet security and privacy

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

Cryptology complementary. Introduction

Verifying Real-World Security Protocols from finding attacks to proving security theorems

CPSC 467: Cryptography and Computer Security

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

What s in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Auth. Key Exchange. Dan Boneh

TLS 1.3: A Collision of Implementation, Standards, and Cryptography

DROWN - Breaking TLS using SSLv2

Not-quite-so-broken TLS 1.3 mechanised conformance checking

TLS 1.2. Modular Code-Based Cryptographic Verification for. Cédric Fournet, Markulf Kohlweiss Microsoft Research

32c3. December 28, Nick goto fail;

Information Security CS 526

Version: $Revision: 1142 $

Chapter 4: Securing TCP connections

State of TLS usage current and future. Dave Thompson

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

OPTLS and TLS 1.3. Hugo Krawczyk, Hoeteck Wee. TRON Workshop 2/21/2016

SSL Report: ( )

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Semantic Insecurity: Security and the Semantic Web

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

CPSC 467b: Cryptography and Computer Security

Elaine Barker and Allen Roginsky NIST June 29, 2010

ON THE SECURITY OF TLS RENEGOTIATION

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

Configuring OpenVPN on pfsense

Findings for

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

TLS1.2 IS DEAD BE READY FOR TLS1.3

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

: Practical Cryptographic Systems March 25, Midterm

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Draft. Thierry ZOLLER Principal Security Consultant

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

CS 161 Computer Security

Protocol Comparisons: OpenSSH, SSL/TLS (AT-TLS), IPSec

Preventing Attackers From Using Verifiers: A-PAKE With PK-Id

SSL/TLS. Pehr Söderman Natsak08/DD2495

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

INF672/ACN910 Protocol Safety and Verification

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Protocol state machines & session languages. Erik Poll Joeri de Ruiter Aleksy Schubert

Understanding Traffic Decryption

Verfying the SSH TLP with ProVerif

CSCE 715: Network Systems Security

Securely Deploying TLS 1.3. September 2017

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

SSL Report: bourdiol.xyz ( )

Transport Layer Security

Part III TLS 1.3 and other Protocols

Crypto meets Web Security: Certificates and SSL/TLS

TLS 1.1 Security fixes and TLS extensions RFC4346

Overview of TLS v1.3 What s new, what s removed and what s changed?

Making Verifiable Computation Useful

Measuring small subgroup attacks against Diffie-Hellman

CSE 127: Computer Security Cryptography. Kirill Levchenko

Overview of TLS v1.3. What s new, what s removed and what s changed?

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Practical Issues with TLS Client Certificate Authentication

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

How to Configure SSL Interception in the Firewall

Release Notes for Snare Enterprise Agent for MSSQL Release Notes for Snare Enterprise Agent for MSSQL v1.2/1.3

Diffie-Hellman, discrete logs, the NSA, and you. J. Alex Halderman University of Michigan

Perfect forward not so secrecy

CS 494/594 Computer and Network Security

Securing Internet Communication: TLS

Real-time protocol. Chapter 16: Real-Time Communication Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

no more downgrades: protec)ng TLS from legacy crypto

U.S. E-Authentication Interoperability Lab Engineer

Internet Engineering Task Force (IETF) Request for Comments: Google Inc. October 2018

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Cryptography (Overview)

SSL Visibility and Troubleshooting

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

A Roadmap for High Assurance Cryptography

Transcription:

A messy state of the union: Taming the Composite State Machines of TLS http://smacktls.com Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoue

Modern protocols negotiate crypto parameters (RSA, DHE, PSK) (Cert, Password) (AEAD, RC4-HMAC) How do we implement such protocols correctly?

2015 TLS1.3? OpenSSL, SecureTransport, NSS, SChannel, GnuTLS, JSSE, PolarSSL, many bugs, attacks, patches every year mostly for small simplified models of TLS

Client Server

Client Server

Client Server

RSA (EC)DHE

RSA + DHE + ECDHE + Session Resumption + Client Authentication mitls [IEEE S&P 13, CRYPTO 14] http://mitls.org Can this proof technique be applied to OpenSSL? State machine for common Web configurations

+ Fixed_DH + DH_anon + PSK + SRP + Kerberos + *_EXPORT + We cannot ignore all these because they share code/keys with RSA/DHE

Does OpenSSL conform to the mitls state machine? We built a test framework State machine for common Web configurations

Unexpected state transitions in OpenSSL, NSS, Java, SecureTransport, Required messages are allowed to be skipped Unexpected messages are allowed to be received CVEs for many libraries How come all these bugs? In independent code bases, sitting in there for years Are they exploitable?

Unexpected state transitions in OpenSSL, NSS, Java, SecureTransport, Required messages are allowed to be skipped Unexpected messages are allowed to be received CVEs for many libraries How come all these bugs? In independent code bases, sitting in there for years Are they exploitable?

Culprit: TLS specifies a ladder diagram with optional messages Handshake ends with agreement on transcript

RSA (EC)DHE

Clients should reject these cases In practice: clients accept and perform unexpected cryptographic computations, breaking the security of TLS Treat ServerKeyExchange as optional Server decides to send it or not Client tries to handle both cases Consistent with Postel s principle: be liberal in what you accept Unexpected cases at the client

Network attacker impersonates S.com to a Java TLS client 1. Send S s cert 2. SKIP ServerKeyExchange (bypass server signature) 3. SKIP ServerHelloDone 4. SKIP ServerCCS (bypass encryption) 5. Send ServerFinished using uninitialized MAC key (bypass handshake integrity) 6. Send ApplicationData (unencrypted) as S.com

TLS 1.0 supported weakened ciphers to comply with export regulations in 1990s EXPORT deprecated in 2000 Can be triggered by sending an unexpected ServerKeyExchange

A man-in-the-middle attacker can: impersonate servers that support RSA_EXPORT, at buggy clients that allow ServerKeyExchange in RSA

Many servers in 2015 offer RSA_EXPORT 37% of browser-trusted servers in March 2015 After FREAK: came down to 6.5% [Zmap team, 2015] See: www.smacktls.com/#freak Vulnerable sites included nsa.gov, hsbc.com, Factoring 512-bit RSA keys is easy First broken with CADO-NFS in 2000 [EuroCrypt 00] Now: 12 hours and $100 on Amazon EC2 [N. Heninger] Client-side state machine bugs are widespread Same bug in SChannel, SecureTransport, IBM JSSE, CVEs for all major libraries and web browsers

OpenSSL has two state machines (client/server) A bit of a mess: many protocol versions, extensions, optional, and experimental features We rewrote this code and verified it with Frama-C 750 lines of code, 460 lines of specification 1 month of a PhD student s time Reused logical specification from mitls Eliminates all state machine bugs in OpenSSL No impact on performance.

Cryptographic protocol testing needs work We used a specification-driven fuzzing tool to find critical state machine bugs in a number of libraries This should be done systematically by developers Open source code is not immune from attack Security bugs can hide in plain sight for years Verification of production code is feasible We focused on the core state machine, one small step towards verifying OpenSSL Beware of deliberately weakened cryptography Backdoors come back to bite you even decades later

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback