Secure Internet Communication: Can we prevent the Cryptocalypse?
Dr. Gregor Koenig, Barracuda Networks AG, 09.04.2014
Overview
- Transport Layer Security: history, orientation, basic functionality
- Key exchange algorithms: perfect forward secrecy, elliptic curve cryptography
- Encrypted data exchange and attacks on the algorithms: BEAST, CRIME, BREACH, padding oracle, Lucky 13
- Resume
Transport Layer Security: History
- Secure Sockets Layer (SSL): developed by Netscape from 1994; SSL 2.0 was released in 1995, SSL 3.0 in 1996
- SSL 3.0 was only documented retrospectively, as historic RFC 6101 (2011); in 2014 it is still widely in use
- TLS 1.0: RFC 2246 (1999), an incremental improvement of SSL 3.0
- TLS 1.1: RFC 4346 (2006), adds an explicit per-record IV for CBC cipher suites
- TLS 1.2: RFC 5246 (2008), adds authenticated-encryption cipher suites such as AES-GCM
- RFC 6176 (2011) prohibits the use of SSL 2.0 altogether; the other versions remain negotiable for backward compatibility
TLS Orientation (OSI model)
7. Application Layer (HTTP, ...)
6. Presentation Layer (MIME, ...)
5. Session Layer (TLS/SSL, ...)
4. Transport Layer (TCP, UDP, ...)
3. Network Layer (IP, ...)
2. Data Link Layer (IEEE 802.3 Ethernet, ...)
1. Physical Layer
TLS sits between the transport protocol it runs over (TCP) and the application protocol it protects (HTTP).
TLS Basic Functionality
- TLS Handshake (client <-> server): negotiation of the cipher suite, authentication (server certificate, optionally a client certificate), negotiation of keys
- TLS Record (client <-> server): authenticated and encrypted data exchange with the negotiated keys
TLS Key Exchange
Most commonly used in TLS
- RSA key transport (public-key cryptography): the client encrypts the premaster secret with the server's public key
- Diffie-Hellman key exchange
Problems
- Long-term confidentiality: with RSA key transport, whoever obtains the server's private key later can decrypt every recorded session
- Prime factorization (RSA) and the finite-field discrete logarithm (DH) at today's key sizes are not considered future-proof
- Specialized algorithms and the growing availability of computing power
TLS Key Exchange II
Perfect Forward Secrecy (PFS)
- Ensures long-term confidentiality of recorded sessions
- Session keys cannot be recovered even if the server's long-term private key is compromised in the future, because the key exchange secrets are ephemeral and discarded after the handshake
Elliptic Curve Cryptography (ECC)
- Better mathematical properties: no sub-exponential algorithm is known for the discrete logarithm on well-chosen curves
- Equivalent protection with much shorter keys; the ratio grows with the security level: a 256-bit curve is rated equivalent to 3072-bit RSA (12:1), a 521-bit curve to 15360-bit RSA (about 30:1)
TLS Ephemeral Diffie-Hellman
- Public parameters: prime number p, generator g (a primitive root modulo p)
- Server: chooses secret a, computes A = g^a mod p, sends ServerKeyExchange (p, g, A), signed with the key of its certificate
- Client: chooses secret b, computes B = g^b mod p, sends ClientKeyExchange (B)
- Server: S = B^a mod p; Client: S = A^b mod p; both sides hold S = g^(ab) mod p
- Ephemeral DH (DHE): the secrets a and b are chosen randomly for every connection and discarded afterwards
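Worked example for the exchange above (added here; it is not code from the original slides). The 64-bit safe prime generated at run time is a toy so that the script is self-contained; a real server uses a fixed group of at least 2048 bits, e.g. RFC 7919 ffdhe2048. The function and variable names are mine.

```python
"""Ephemeral Diffie-Hellman (DHE) as negotiated in a TLS 1.2 handshake:
ServerKeyExchange carries (p, g, A), ClientKeyExchange carries B.

Added example, not code from the original slides. The group is generated at
run time at toy size (64-bit safe prime) so the script is self-contained; a
real server uses a fixed group of at least 2048 bits (e.g. RFC 7919 ffdhe2048)
and signs its ServerKeyExchange with the certificate key, which is what binds
the ephemeral value to the server's identity.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; error probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """p = 2q + 1 with p and q prime. Every g in [2, p-2] then has order q or
    2q, so a malicious peer cannot push the shared secret into a tiny subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def generate_keypair(p, g):
    """Fresh ephemeral secret x and public value g^x mod p."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)


def shared_secret(p, peer_public, own_secret):
    """Validate the peer's public value, then compute the shared secret."""
    # 0, 1 and p-1 would force the secret into {0, 1, p-1}: reject them.
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_secret, p)


def dhe_connection(p, g):
    """One connection. Returns what an eavesdropper sees (A, B) and the secret
    each side derived; the exponents a and b never leave this function, which
    is what gives forward secrecy once the function returns."""
    a, A = generate_keypair(p, g)          # server: ServerKeyExchange(p, g, A)
    b, B = generate_keypair(p, g)          # client: ClientKeyExchange(B)
    return {"A": A, "B": B,
            "server": shared_secret(p, B, a),
            "client": shared_secret(p, A, b)}


if __name__ == "__main__":
    p = generate_safe_prime(64)
    first, second = dhe_connection(p, 2), dhe_connection(p, 2)
    print("p =", p)
    print("both sides agree:", first["server"] == first["client"])
    print("fresh secret per connection:", first["server"] != second["server"])
```

The range check in shared_secret is the step implementations most often forget: without it a man in the middle can send the public value 1 and know the resulting key.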
TLS Elliptic Curve Diffie-Hellman (simplified key exchange protocol)
- Public parameters: elliptic curve y^2 = x^3 + αx + β over a finite field, base point G
- Server: chooses secret a, computes A = aG, sends ServerKeyExchange (curve, G, A)
- Client: chooses secret b, computes B = bG, sends ClientKeyExchange (B)
- Server: S = aB = abG; Client: S = bA = abG
TLS Elliptic Curve DH: point multiplication
- Elliptic curve point addition: A + A = B, A + B = C, A + C = D, A + D = E, ...
- The operation used in ECDH is scalar multiplication: aG = G + G + ... + G (a times), computed with about log2(a) doublings and additions
Graph from http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
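Worked example for the two slides above (added here; not code from the original slides): textbook affine point addition, double-and-add scalar multiplication, and the ECDH exchange on secp256k1, whose published parameters are used so that the numbers are real. TLS deployments of the time mostly used NIST P-256, which has the same Weierstrass form with α = -3. The arithmetic is not constant-time and is for illustration only; function names are mine.

```python
"""Elliptic-curve Diffie-Hellman with textbook affine arithmetic.

Added example, not code from the original slides. Uses the secp256k1 curve
(y^2 = x^3 + 7 over F_p, SEC 2 parameters) so the values are real; it is not
constant-time and must not be used in production.
"""
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7                                   # curve: y^2 = x^3 + A*x + B
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
INF = None                                    # point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Chord-and-tangent rule; covers identity, doubling and Q + (-Q)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                        # Q + (-Q) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """k*pt by double-and-add: the slide's G + G + ... + G in log2(k) steps."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    d = 1 + secrets.randbelow(N - 1)          # private scalar in [1, N-1]
    return d, scalar_mult(d, G)


def shared_secret(peer_public, own_secret):
    """ECDH: validate the peer's point, then take the x-coordinate of d*Q."""
    # A point that is not on the curve (invalid-curve attack) or the identity
    # must be rejected before any scalar multiplication touches the secret.
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("invalid EC public key")
    s = scalar_mult(own_secret, peer_public)
    if s is INF:
        raise ValueError("degenerate shared secret")
    return s[0]


def ecdh_connection():
    """Server sends ServerKeyExchange(curve, A = aG); client answers B = bG."""
    a, pub_a = generate_keypair()             # server side
    b, pub_b = generate_keypair()             # client side
    return {"A": pub_a, "B": pub_b,
            "server": shared_secret(pub_b, a),
            "client": shared_secret(pub_a, b)}


if __name__ == "__main__":
    c = ecdh_connection()
    print("both sides agree:", c["server"] == c["client"])
```

The on-curve check in shared_secret matters in practice: a peer that sends a point on a different curve with a small-order component can learn bits of the static secret from the result, so TLS implementations validate the received point before use.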
TLS Elliptic Curve Cryptography III
- Considerably faster than RSA at equivalent security (the slide's figure: up to 20x)
Doubts
- Around 130 patents on uses of elliptic curves are held by Certicom, now part of BlackBerry; implementations are available that are thought not to infringe them
- Dual_EC_DRBG, the NIST-standardized EC-based deterministic random bit generator (SP 800-90A), may contain a backdoor; NIST recommended against its use in September 2013
TLS: Attacks on Encrypted Data Exchange
- BEAST: Browser Exploit Against SSL/TLS
- CRIME: Compression Ratio Info-leak Made Easy
- BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
- Padding oracle
- Lucky 13
TLS BEAST attack
What is it?
- Browser Exploit Against SSL/TLS
- Adaptive chosen-plaintext attack exploiting the predictable IV of CBC mode in SSL 3.0 and TLS 1.0
- Thai Duong and Juliano Rizzo showed practical exploitability in 2011
How does it work?
- Based on two mechanisms: cipher block chaining (CBC) mode, and the initialization vector, which in TLS 1.0 is the last ciphertext block of the previous record and is therefore known to an eavesdropper before the next record is encrypted
- Requires passive network eavesdropping plus a way to make the browser send chosen plaintext
Figure: CBC mode, from http://en.wikipedia.org/wiki/block_cipher_modes_of_operation#cipher-block_chaining_.28cbc.29
TLS BEAST attack II
- Applicable to reveal the session cookie
- The session cookie is transmitted at a known offset in every request
- Block boundaries (e.g. 16 bytes for AES) can be controlled by adjusting the length of the URL parameters
- The block containing cookie bytes can thus be moved so that it contains only one unknown byte
TLS BEAST attack III
Original HTTP client request:
POST / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
Accept-Language: en-us,en;q=0.8
(... body of the request ...)
Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
TLS BEAST attack IV
Steps of the attack
1. The attacker forces the browser to send an HTTPS request; the record is encrypted as E(key, request) = C1, C2, C3, ..., Cn
2. The attacker captures the encrypted blocks and knows all plaintext bytes of one block, e.g. the block P3 behind C3, except one
3. For each guess P* of that block, the attacker computes Pi = P* ⊕ C2 ⊕ Cn and makes the browser send Pi as the first block of the next record, whose IV is Cn
4. The browser computes E(key, Cn ⊕ Pi) = E(key, P* ⊕ C2); if the result equals C3, then P* = P3 and the unknown byte is found (at most 256 tries per byte)
TLS BEAST attack V
Feasibility
- Eavesdrop the traffic, e.g. on a wireless network
- Run malicious code in the user's browser that issues requests to the target site with attacker-chosen bytes
- Bypass the browser's same-origin policy (the original demonstration used a Java applet)
Countermeasures
- Mitigated in TLS 1.1 and 1.2 by an explicit, unpredictable IV for every record
- If backward compatibility with TLS 1.0 or SSL is required, ensure the browser implements countermeasures, e.g. 1/n-1 record splitting: a one-byte record is sent first, so the IV for the attacker-chosen bytes is no longer known when they are chosen
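Worked example of steps 1 to 4 and of the 1/n-1 countermeasure (added here; not code from the original slides). The block cipher is a keyed PRF (HMAC-SHA256 truncated to 16 bytes) standing in for AES: CBC encryption only uses the forward direction and the attack only needs it to be deterministic, so the mechanics are unchanged. The victim "browser", the request layout and the cookie value are constructed for the demo; names are mine.

```python
"""BEAST against TLS 1.0-style CBC with chained IVs, and the 1/n-1 record
split that browsers shipped as the countermeasure.

Added example, not code from the original slides. The block cipher is a keyed
PRF (HMAC-SHA256 truncated to 16 bytes) standing in for AES: CBC encryption
only uses the forward direction and the attack only needs it to be
deterministic, so the mechanics are unchanged. The victim "browser", the
request layout and the cookie value are constructed for the demo.
"""
import hashlib
import hmac
import os

BLOCK = 16


def xor(*parts):
    out = bytes(parts[0])
    for p in parts[1:]:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class ChainedCbcSender:
    """Encrypts records like TLS 1.0: the IV of a record is the last ciphertext
    block of the previous record, so an eavesdropper knows the next IV before
    the next record is sent. With split=True the 1/n-1 countermeasure applies:
    a one-byte record goes out first, so the IV used for the attacker-chosen
    bytes is no longer predictable when they are chosen."""

    def __init__(self, key, split=False):
        self.key, self.split = key, split
        self.last_block = os.urandom(BLOCK)       # initial IV, public

    def _encrypt_block(self, block):
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def _send_record(self, plaintext):
        blocks, prev = [], self.last_block
        for i in range(0, len(plaintext), BLOCK):
            prev = self._encrypt_block(xor(prev, plaintext[i:i + BLOCK]))
            blocks.append(prev)
        self.last_block = prev
        return blocks

    def send(self, plaintext):
        if self.split and len(plaintext) > 1:
            return self._send_record(pad(plaintext[:1])) + self._send_record(pad(plaintext[1:]))
        return self._send_record(pad(plaintext))


SECRET = b"7xc89f94wa96fd7c"                        # constructed cookie value
HEAD, MID, TAIL = b"GET /", b" HTTP/1.1\r\nCookie: secretcookie=", b"\r\n\r\n"


def victim_request(sender, path):
    """The browser sends a request whose URL path the attacker chose."""
    return sender.send(HEAD + path + MID + SECRET + TAIL)


def beast_recover(sender, secret_len):
    """Recover the cookie one byte at a time, using only what an eavesdropper
    sees and the ability to make the browser send chosen bytes."""
    recovered = b""
    for i in range(secret_len):
        # 1. choose the path length so that secret[i] is the LAST byte of a block
        path = b"a" * (-(len(HEAD) + len(MID) + i + 1) % BLOCK)
        known = HEAD + path + MID + recovered     # all plaintext before secret[i]
        t = len(known) // BLOCK                   # index of the block to attack
        # 2. capture the ciphertext of the request
        c = victim_request(sender, path)
        c_prev, c_target = c[t - 1], c[t]
        known_block = known[t * BLOCK:]           # the 15 known bytes of block t
        # 3./4. probe each candidate byte with a chosen next record
        for g in range(256):
            guess = known_block + bytes([g])
            iv = sender.last_block                # predictable IV of the next record
            probe = xor(guess, c_prev, iv)        # E(iv ^ probe) == E(c_prev ^ guess)
            if sender.send(probe)[0] == c_target:
                recovered += bytes([g])
                break
        else:
            return recovered                      # no candidate matched: attack failed
    return recovered


if __name__ == "__main__":
    key = os.urandom(32)
    print(beast_recover(ChainedCbcSender(key), len(SECRET)))               # the cookie
    print(beast_recover(ChainedCbcSender(key, split=True), len(SECRET)))   # b''
```

With split=True the first block of every record carries one attacker byte plus padding under an IV the attacker could not anticipate, so no probe ever matches and the recovery returns empty.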
TLS CRIME attack
What is it?
- Compression Ratio Info-leak Made Easy
- Rizzo and Duong showed exploitability in 2012
How does it work?
- Guesses the secret one byte at a time, observing the length of the compressed-then-encrypted request
- Exploits a property of data compression: DEFLATE, the compression method used in TLS, replaces repeated strings with back-references, so a request that repeats part of the cookie compresses to fewer bytes
- Applicable to reveal the session cookie
TLS CRIME attack II
- Exploits the length of the encrypted message: length(encrypt(compress(header + body)))
Original HTTP client request:
POST / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
Accept-Language: en-us,en;q=0.8
(... body of the request ...)
Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
TLS CRIME attack III
HTTP request modified by the attacker (the guess is placed in the attacker-controlled path):
POST /secretcookie=0 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
Accept-Language: en-us,en;q=0.8
- If the guessed prefix (here "secretcookie=0") matches the start of the real cookie, DEFLATE encodes the cookie as a longer back-reference and the record gets shorter; the attacker tries every candidate byte and keeps the one that shrinks the message, then continues with the next byte
Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
TLS CRIME attack IV
Feasibility
- Affects all browsers and servers that negotiate TLS compression (at the time: 42% of servers, 45% of browsers)
- Needs a way to execute code in the user's browser, or otherwise to make it issue many requests, and to observe the ciphertext length
Countermeasures
- Disable TLS compression! (Chrome and Firefox did so in 2012)
TLS BREACH attack
What is it?
- Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
- Demonstrated by Gluck, Harris and Prado at Black Hat 2013
- Application of the CRIME idea to HTTP-level (gzip/DEFLATE) compression of the response body; disabling TLS compression does not help against it
How does it work?
- Inject controlled information into HTTP requests that the server reflects in its response
- Eavesdrop the encrypted HTTP response and compare its length across guesses
TLS BREACH attack II
Modified HTTP request:
GET /product/?id=12345&user=CSRFtoken=<guess> HTTP/1.1
Host: example.com
Server's response (reflects the input and contains the secret):
<form target="https://example.com:443/products/catalogue.aspx?id=12345&user=csrftoken=<guess>">
...
<td nowrap id="tderrlgf"><a href="logoff.aspx?csrftoken=4bd634cda846fd7cb4cb0031ba249ca2">Log Off</a></td>
Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
TLS BREACH attack III
Feasibility
- Monitor the server's responses (e.g. via ARP spoofing on the local network)
- Run code in the user's browser to issue the requests
Three requirements
- The application uses HTTP compression
- The response reflects the user's input
- The response embeds sensitive information (e.g. a CSRF token)
TLS BREACH attack IV
Countermeasures
- Disable HTTP compression (costs bandwidth)
- Separate secrets from user input (e.g. serve them from a different, uncompressed resource)
- Mask secrets: XOR the token with a fresh random mask in every response, so the bytes on the wire never repeat
- Request rate-limiting and monitoring
- Length hiding: add random garbage to the response (only slows the attack down)
- A TLS extension for length-hiding padding was proposed and is in development
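Worked example serving both the CRIME slides (I-IV) and the BREACH slides (I-IV), added here; it is not code from the original slides or from the attacks' authors. DEFLATE is the real algorithm (zlib); the page, the CSRF token and the reflected parameter are constructed. The compressor is pinned to fixed Huffman tables (zlib.Z_FIXED) so that the only difference between two probes is the LZ77 match length; real servers use dynamic tables, whose noise the attacker averages out with more requests. The same loop works for CRIME with the Cookie header as the secret and the request path as the reflected input. Names are mine.

```python
"""Compression side channel: CRIME (TLS-level compression of the request) and
BREACH (HTTP compression of the response), plus the masking countermeasure.

Added example, not code from the original slides. DEFLATE is the real
algorithm (zlib); the page, the CSRF token and the reflected parameter are
constructed. Fixed Huffman tables (zlib.Z_FIXED) keep the measurement clean;
real servers use dynamic tables, whose noise costs the attacker more requests.
"""
import os
import zlib

CSRF_TOKEN = b"4bd63ca8f7e2905a1c6b3d8e4f0a7b2c"    # constructed; no repeated 2-gram
HEX = b"0123456789abcdef"


def response_body(reflected, token=CSRF_TOKEN):
    """A page that echoes attacker input and embeds a per-user secret."""
    return (b"<html><body>\n<p>Results for: " + reflected + b"</p>\n"
            b'<form action="/logoff.aspx"><input type="hidden" '
            b'name="csrftoken" value="' + token + b'"></form>\n'
            b"</body></html>\n")


def compressed_length(data):
    """What the eavesdropper measures: len(encrypt(compress(data)))."""
    c = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(c.compress(data) + c.flush())


def breach_recover(oracle, prefix, alphabet=HEX, max_len=40):
    """Recover the bytes that follow `prefix` in the page, one at a time.

    'Two tries' from the BREACH paper: for each candidate g compare
        prefix + known + g + "{}"      against      prefix + known + "{}" + g
    Only the correct g lets the back-reference to the secret grow by one byte
    in the first probe, so only then is its compressed length smaller. DEFLATE
    output is rounded to whole bytes, so each pair is also tried with a 9-bit
    filler that shifts the bit alignment, and the best difference counts.
    """
    known = b""
    for _ in range(max_len):
        scores = {}
        for g in alphabet:
            g, best = bytes([g]), 0
            for filler in (b"", b"\x80"):
                l_a = oracle(prefix + known + g + b"{}" + filler)
                l_b = oracle(prefix + known + b"{}" + g + filler)
                best = max(best, l_b - l_a)
            scores[g] = best
        top = max(scores.values())
        winners = [g for g, s in scores.items() if s == top]
        if top <= 0 or len(winners) != 1:
            break                                    # nothing unambiguous left
        known += winners[0]
    return known


def masked_token(token, mask=None):
    """BREACH countermeasure: the constant secret never reaches the wire.
    Each response carries a fresh random mask and (mask XOR secret); the page
    script XORs them back, while the compressor only ever sees new bytes."""
    mask = mask or os.urandom(len(token))
    masked = bytes(a ^ b for a, b in zip(token, mask))
    return mask.hex().encode() + masked.hex().encode()


if __name__ == "__main__":
    prefix = b'csrftoken" value="'
    plain = lambda inp: compressed_length(response_body(inp))
    masked = lambda inp: compressed_length(response_body(inp, masked_token(CSRF_TOKEN)))
    print(breach_recover(plain, prefix))     # the token, 32 guesses of 16 candidates
    print(breach_recover(masked, prefix))    # nothing usable
```

Against the masked page every response carries different bytes after the prefix, so the length differences no longer correlate with the guess and the loop either stops at once or collects noise.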
TLS Padding oracle attack
- Chosen-ciphertext attack (Vaudenay, 2002)
- Side-channel attack: exploits leaked information about the validity of the format
- The server leaks whether the padding of a decrypted record is correct, by a distinguishable error message or by timing
- Works against the cipher-block chaining (CBC) mode of operation
- Independent of the encryption algorithm and of the key: the attacker only needs the oracle's yes/no answer
TLS Padding oracle attack II
Encryption (normal operation)
- The plaintext is split into blocks; the last block is padded to fill it up
- The RC5-CBC-PAD scheme proposes: n padding bytes, each with the value n, e.g. for n=5 the last bytes are 05 05 05 05 05
- TLS uses the same idea with one twist: the last byte gives the padding length L and is preceded by L bytes that all have the value L
- The padded plaintext is encrypted
Decryption (normal operation)
- The ciphertext is decrypted
- The format of the padding is checked; an incorrect format is reported as an error, and that error is the oracle
TLS Padding oracle attack III
Figure: CBC decryption (the attacker modifies the previous ciphertext block, which is XORed into the decrypted target block, and so controls the padding bytes the server sees), from http://en.wikipedia.org/wiki/block_cipher_modes_of_operation#cipher-block_chaining_.28cbc.29
TLS Lucky 13
What is it?
- A padding oracle attack (AlFardan and Paterson, 2013)
- A man in the middle can recover plaintext from a TLS connection that uses a CBC-mode cipher suite
- Exploits a timing difference in the decryption of TLS records
How does it work?
- A message authentication code (MAC) is used to provide integrity
- TLS encrypts MAC-then-encrypt: plaintext || MAC(plaintext) || padding
- Decryption checks the padding, then checks the MAC; how long this takes depends on the padding
TLS Lucky 13 II
Problem in TLS 1.0
- Invalid padding triggered an explicit decryption_failed alert, distinguishable from the bad_record_mac alert of a failed MAC check
- This made padding oracle attacks possible (Vaudenay, 2002)
- Fixed in TLS 1.1: both failures return bad_record_mac
Problem in TLS 1.1
- Every invalid record is fatal: the server kills the session, which limits the attacker to one probe per connection
- The server's reaction time is still measurable, and the padding oracle also works across sessions when the same secret (e.g. a cookie) is retransmitted in every connection
TLS Lucky 13 III
Current version TLS 1.2
- If the padding check fails, the implementation is required to compute the MAC anyway, as if there were no padding, so that both failures take about the same time
- This should resolve the previous problems
- But: the MAC then covers a different number of bytes depending on the padding, and HMAC processes its input in 64-byte blocks, so some paddings need one compression-function call more: it takes slightly longer!
- Lucky 13 exploits this subtle time difference (the name refers to the 13 header bytes that enter the MAC computation)
TLS Lucky 13 IV
Feasibility
- Intercept and modify the client-server communication (man in the middle)
- Run code in the client's browser to make it repeat the request containing the secret
- Repetition to eliminate noise and network jitter in the timing measurement
- Slow attack: needs a lot of connections to succeed, since every probe kills a session
- All TLS cipher suites using CBC-mode encryption are affected
Countermeasures
- Implement uniform processing time (constant-time decryption, as the major libraries did in 2013)
- Adding random server-side delays only raises the number of samples the attacker needs
- Prefer cipher suites with authenticated encryption (AES-GCM), which have no padding at all
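Worked example for the padding oracle slides (I-III) and, by the same oracle bit, for Lucky 13 (added here; not code from the original slides or from the attacks' authors). The block cipher is a toy 4-round Feistel network on HMAC-SHA256, chosen only so the script has no dependencies; the attack never looks inside it, which is the slide's point that it is independent of algorithm and key. Padding is the n-bytes-of-value-n scheme of the slide. The oracle returns only whether the padding was valid, as a TLS 1.0 server did through its alert and as Lucky 13 recovers it from timing; names are mine.

```python
"""Vaudenay's CBC padding-oracle attack; Lucky 13 extracts the same oracle
bit from timing instead of from an explicit alert.

Added example, not code from the original slides. The block cipher is a toy
4-round Feistel network on HMAC-SHA256, so the script has no dependencies;
the attack never looks inside it. Padding is n bytes of value n (PKCS#7 style).
"""
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(k, half):
    return hmac.new(k, half, hashlib.sha256).digest()[:8]


class ToyBlockCipher:
    """16-byte block, 4 Feistel rounds with round keys derived from the key."""

    def __init__(self, key):
        self.keys = [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(4)]

    def encrypt_block(self, b):
        left, right = b[:8], b[8:]
        for k in self.keys:
            left, right = right, xor(left, round_fn(k, right))
        return right + left                      # final swap

    def decrypt_block(self, b):
        right, left = b[:8], b[8:]               # undo the final swap
        for k in reversed(self.keys):
            left, right = xor(right, round_fn(k, left)), left
        return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")          # this error is the oracle
    return data[:-n]


def cbc_encrypt(cipher, iv, plaintext):
    out, prev, padded = b"", iv, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = cipher.encrypt_block(xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(cipher, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(prev, cipher.decrypt_block(ct[i:i + BLOCK]))
        prev = ct[i:i + BLOCK]
    return unpad(out)


def make_padding_oracle(cipher):
    """Server side: the attacker learns only whether the padding was valid."""
    def oracle(iv_and_ct):
        try:
            cbc_decrypt(cipher, iv_and_ct[:BLOCK], iv_and_ct[BLOCK:])
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev_block, target):
    """Find D(target) byte by byte from the right (<= 256 queries each), then
    XOR it with the real previous block to obtain the plaintext block."""
    inter = bytearray(BLOCK)                     # D(target), filled right to left
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                       # padding value being forged
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv          # known bytes now decrypt to padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:                 # rule out an accidental 02 02 / 03 03 03
                forged[pos - 1] ^= 0xFF
                ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not ok:
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a byte")
    return xor(bytes(inter), prev_block)


def recover_all(oracle, iv_and_ct):
    """Every block is recoverable; the IV acts as the previous block of C1."""
    blocks = [iv_and_ct[i:i + BLOCK] for i in range(0, len(iv_and_ct), BLOCK)]
    return unpad(b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))
```

The extra query for the last byte handles the one ambiguity of the scheme: a forged block whose decryption happens to end in 02 02 is also "valid", and flipping the byte before it tells the two cases apart. TLS 1.0's distinct alert, TLS 1.1's measurable reaction time and Lucky 13's extra HMAC block all instantiate the oracle(...) function above.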
Resume
- Use secure key exchange algorithms in TLS 1.2: ephemeral Diffie-Hellman (DHE) or ephemeral elliptic curve Diffie-Hellman (ECDHE), both giving perfect forward secrecy
- Rely on the ciphers defined in TLS 1.2
- HTTP compression makes any algorithm attackable (BREACH): avoid compressing responses that contain secrets, or take countermeasures
- Don't use RC4 as the alternative to CBC: plaintext recovery attacks were shown by AlFardan, Bernstein, Paterson, Poettering and Schuldt in 2013
- Use AES in Galois/Counter Mode (AES-GCM): authenticated encryption with no padding to attack
Take-Home Message
Yes, we can prevent the Cryptocalypse, for the moment
Update your servers
- Use the latest versions of the TLS libraries
- Enable secure algorithms (TLS 1.2, ECDHE, AES-GCM) and disable compression
Update your browser
- The latest browser versions support TLS 1.2: Chrome >= 30, Firefox >= 28, Internet Explorer >= 11, Opera >= 17, Safari >= 5 (iOS), >= 7 (Mac OS X)
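The server-side recommendations above as a concrete configuration plus the audit a practitioner would run on it (added here; not code from the original slides). Python's ssl module (3.7 or newer on OpenSSL 1.1 or newer) stands in for whatever server is being configured; the weak_context() shows a configuration the audit rejects. Function names are mine.

```python
"""The slides' take-home configuration as a Python ssl.SSLContext: TLS 1.2 or
newer, ECDHE for forward secrecy, AES-GCM instead of CBC or RC4, no TLS
compression (CRIME), and the server choosing the suite.

Added example, not code from the original slides; the ssl module (Python 3.7+,
OpenSSL 1.1+) stands in for whatever server is being configured.
"""
import ssl

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # no SSL 3.0 / TLS 1.0 / TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION             # CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # our order wins, not the client's
    # ECDHE key exchange with AES-GCM only (TLS 1.2 suites); the TLS 1.3
    # suites OpenSSL adds on top are all AEAD and are configured separately.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5")
    return ctx


def weak_context():
    """Old-style configuration: compression allowed, OpenSSL's default suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("DEFAULT")
    return ctx


def check_context(ctx):
    """Audit a context against the slides' recommendations; returns the findings."""
    findings = []
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (CRIME)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.1 or older allowed (BEAST, no AEAD suites)")
    for suite in ctx.get_ciphers():
        if suite["protocol"] != "TLSv1.2":       # TLS 1.3 suites are AEAD by construction
            continue
        name = suite["name"]
        if "RC4" in name:
            findings.append(f"RC4 offered: {name}")
        elif not any(m in name for m in AEAD_MARKERS):
            findings.append(f"CBC suite offered (padding oracles, Lucky 13): {name}")
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    print("hardened:", check_context(hardened_server_context()) or "OK")
    print("weak:", *check_context(weak_context()), sep="\n  ")
```

OpenSSL's TLS 1.2 suite names spell out the key exchange (ECDHE, DHE, or nothing for RSA key transport) and the mode only for AEAD suites, which is why the audit treats a name without GCM, CCM or CHACHA20 as CBC.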
Thank You Dr. Gregor Koenig gkoenig@barracuda.com
Comic from http://xkcd.com/538/
References
General
1. P. Bright, Crypto experts issue a call to arms to avert the cryptopocalypse, Ars Technica, 2013. http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
2. Wikipedia, Transport Layer Security. http://en.wikipedia.org/wiki/transport_layer_security
Key Exchange
1. Wikipedia, Perfect Forward Secrecy. http://en.wikipedia.org/wiki/perfect_forward_secrecy
2. N. Sullivan, A (relatively easy to understand) primer on elliptic curve cryptography, Ars Technica, 2013. http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
Ciphers
1. P. Sarkar, S. Fitzgerald, Attacks on SSL: A Comprehensive Study of BEAST, CRIME, TIME, BREACH, Lucky 13 & RC4 Biases, iSEC Partners, 2013. https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
2. S. Vaudenay, Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS..., EUROCRYPT 2002. http://lasec.epfl.ch/pub/lasec/doc/vau02a.ps
3. S. Gueron, AES-GCM for Efficient Authenticated Encryption, Real World Crypto 2013. https://crypto.stanford.edu/realworldcrypto/slides/gueron.pdf
4. D. Goodin, Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages, Ars Technica, 2013. http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages
5. N. AlFardan, D. Bernstein, K. Paterson, B. Poettering, J. Schuldt, On the Security of RC4 in TLS and WPA, 2013. http://www.isg.rhul.ac.uk/tls
6. Wikipedia, Galois/Counter Mode. http://en.wikipedia.org/wiki/galois/counter_mode