Secure Internet Communication


Secure Internet Communication
Can we prevent the Cryptocalypse?
Dr. Gregor Koenig, Barracuda Networks AG, 09.04.2014

Overview
- Transport Layer Security
  - History
  - Orientation
  - Basic Functionality
- Key Exchange Algorithms
  - Perfect Forward Secrecy
  - Elliptic Curve Cryptography
- Encrypted Data Exchange
  - Attacks on Algorithms: BEAST, CRIME, BREACH, Padding Oracle, Lucky 13
- Résumé

Transport Layer Security: History
- Secure Socket Layer (SSL): developed by Netscape 1993-1995
  - SSL v3.0 published in RFC 6101 in 1996; still widely in use
- Transport Layer Security (TLS): defined in RFC 2246 in 1999 as an improvement of SSL v3.0
  - TLS 1.1 defined in RFC 4346 in 2006
  - TLS 1.2 defined in RFC 5246 in 2008
- The backward-compatibility with SSL was defined in RFC 6176 in 2011

TLS: Orientation
7. Application Layer (HTTP, ...)
6. Presentation Layer (MIME, ...)
5. Session Layer (TLS/SSL, ...)
4. Transport Layer (TCP, UDP, ...)
3. Network Layer (IP, ...)
2. Data Link Layer (IEEE 802.3 Ethernet, ...)
1. Physical Layer

TLS: Basic Functionality
- TLS Handshake (between client and server)
  - Negotiation of cipher
  - Authentication
  - Negotiation of keys
- TLS Record
  - Authenticated and encrypted data exchange

TLS: Key Exchange
- Most commonly used in TLS
  - RSA algorithm (public-key cryptography)
  - Diffie-Hellman key exchange
- Problems
  - Long-term confidentiality
  - Prime factorization is not considered future-proof
    - Specialized algorithms
    - Availability of computing power

TLS: Key Exchange II
- Perfect Forward Secrecy
  - Ensures long-term confidentiality
  - Session keys cannot be compromised even if the private keys are compromised in the future
- Elliptic Curve Cryptography
  - Provides better mathematical properties
  - Equivalent protection with lower key lengths
  - Ratio of equivalent key length about 32:1

TLS: Ephemeral Diffie-Hellman (simplified key exchange)
- Server: prime number p, primitive root g, secret a; computes A = g^a mod p
- Server Key Message: (A, p, g)
- Client: secret b; computes B = g^b mod p
- Client Key Exchange: (B)
- Server computes S = B^a mod p; client computes S = A^b mod p
- Ephemeral DH: secrets a and b are chosen randomly for every connection

TLS: Elliptic Curve DH (simplified key exchange protocol)
- Elliptic curve y^2 = x^3 + alpha*x + beta, base point G
- Server: secret a; computes A = aG
- Server Key Message: (A, G, curve)
- Client: secret b; computes B = bG
- Client Key Exchange: (B)
- Both sides compute S = abG

TLS: Elliptic Curve DH II
- Elliptic curve point addition: A + A = B, A + B = C, A + C = D, A + D = E
- Operation used in ECDH is point multiplication: aG = G + G + ... + G (a times)
- Graph from http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
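Both exchanges from the two preceding slides, worked through with the slides' own symbols, as an added example that is not part of the original talk: finite-field DH (A = g^a mod p, B = g^b mod p, S = B^a = A^b) and ECDH on a toy curve y^2 = x^3 + alpha*x + beta over F_p, where point multiplication aG is built from the point addition the graph illustrates. The curve parameters (p = 97, alpha = 2, beta = 3, G = (3, 6)) are constructed for illustration only; in a real connection a and b are fresh random secrets per connection (the ephemeral property).

```python
# Finite-field ephemeral DH with the slide's symbols: A = g^a mod p, B = g^b mod p.
def dh_shared(p, g, a, b):
    A = pow(g, a, p)              # Server Key Message carries (A, p, g)
    B = pow(g, b, p)              # Client Key Exchange carries B
    s_server = pow(B, a, p)       # S = B^a mod p
    s_client = pow(A, b, p)       # S = A^b mod p
    assert s_server == s_client   # both sides hold the same secret S
    return s_server

# Toy curve y^2 = x^3 + alpha*x + beta over F_p; None stands for the point at
# infinity. Parameters are constructed for illustration, far too small for real use.
class Curve:
    def __init__(self, p, alpha, beta, G):
        self.p, self.alpha, self.beta, self.G = p, alpha, beta, G

    def on_curve(self, P):
        x, y = P
        return (y * y - (x ** 3 + self.alpha * x + self.beta)) % self.p == 0

    def add(self, P, Q):
        p = self.p                                 # chord/tangent rule (A + B = C)
        if P is None:
            return Q
        if Q is None:
            return P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                            # P + (-P) = infinity
        if P == Q:                                 # doubling: tangent slope
            lam = (3 * P[0] ** 2 + self.alpha) * pow(2 * P[1], -1, p)
        else:                                      # distinct points: chord slope
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p)
        x3 = (lam * lam - P[0] - Q[0]) % p
        return (x3, (lam * (P[0] - x3) - P[1]) % p)

    def mul(self, k, P):
        """k*P by double-and-add, i.e. the slide's G + G + ... + G done efficiently."""
        R, addend = None, P
        while k:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

def ecdh_shared(curve, a, b):
    A = curve.mul(a, curve.G)     # Server Key Message carries (A, G, curve)
    B = curve.mul(b, curve.G)     # Client Key Exchange carries B
    s_server = curve.mul(a, B)    # S = a(bG) = abG
    s_client = curve.mul(b, A)    # S = b(aG) = abG
    assert s_server == s_client
    return s_server

TOY = Curve(p=97, alpha=2, beta=3, G=(3, 6))
```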

TLS: Elliptic Curve Cryptography III
- Up to 20x faster than RSA
- Doubts
  - 130 patents on EC uses owned by BlackBerry
  - Implementations available that are thought not to infringe the patents
  - Dual Elliptic Curve Deterministic Random Bit Generator: NIST-standardized EC-based random number generator may have a backdoor

TLS: Attacks on Encrypted Data Exchange
- BEAST - Browser Exploit Against SSL/TLS
- CRIME - Compression Ratio Info-leak Made Easy
- BREACH - Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
- Padding Oracle
- Lucky 13

TLS: BEAST attack
- What is it?
  - Browser Exploit Against SSL/TLS
  - Adaptive chosen-plaintext attack with predictable IV
  - Thai and Rizzo showed exploitability in 2011
- How does it work?
  - Based on two mechanisms: cipher block chaining mode and initialization vector
  - Passive network eavesdropping
- Figure from http://en.wikipedia.org/wiki/block_cipher_modes_of_operation#cipher-block_chaining_.28cbc.29

TLS: BEAST attack II
- Applicable to reveal the session cookie
  - Session cookie is transmitted at a known offset
  - Block boundaries (e.g. AES: 16 bytes) can be controlled by adjusting URL parameters
  - The block containing the cookie secret can be moved so that it contains only 1 unknown byte

TLS: BEAST attack III
Original HTTP client request:

    POST / HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
    Accept-Language: en-us,en;q=0.8
    (... body of the request ...)

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf

TLS: BEAST attack IV
Steps of the attack:
1. Attacker forces the browser to send an HTTPS request: E(key, request) = C1, C2, C3, ..., Cn
2. Attacker captures the encrypted blocks; all plaintext bytes of e.g. C3 are known except one
3. Attacker calculates Pi = guess ⊕ C2 ⊕ Cn and appends Pi to the original request
4. Browser calculates E(key, Cn ⊕ Pi) and the attacker checks if Ci == C3

TLS: BEAST attack V
- Feasibility
  - Eavesdrop traffic, e.g. over a wireless network
  - Run malicious code in the user's browser
  - Bypass the browser's same-origin policy
- Countermeasures
  - Mitigated in TLS 1.1 and 1.2
  - If backward compatibility with TLS 1.0 or SSL is required, ensure that the browser implements countermeasures, e.g. 1/n-1 record splitting

TLS: CRIME attack
- What is it?
  - Compression Ratio Info-leak Made Easy
  - Rizzo and Duong showed exploitability in 2012
- How does it work?
  - Brute-force attack
  - Exploits data compression properties
    - DEFLATE is the most commonly used compression in TLS
    - Removes redundancy of repeating symbols
  - Applicable to reveal the session cookie

TLS: CRIME attack II
- Exploits the length of the encrypted message: length(encrypt(compress(header + body)))

Original HTTP client request:

    POST / HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
    Accept-Language: en-us,en;q=0.8
    (... body of the request ...)

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf

TLS: CRIME attack III
HTTP request modified by the attacker:

    POST /secretcookie=0 HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
    Accept-Language: en-us,en;q=0.8

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf

TLS: CRIME attack IV
- Feasibility
  - Affects all browsers and servers supporting TLS compression (42% of servers, 45% of browsers)
  - Needs a way to execute code in the user's browser
- Countermeasures
  - Disable TLS compression!

TLS: BREACH attack
- What is it?
  - Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
  - Demonstrated by Gluck, Harris and Prado in 2013
  - Application of the CRIME attack to HTTP compression
- How does it work?
  - Inject controlled information into HTTP requests
  - Eavesdrop on the HTTP response

TLS: BREACH attack II
Modified HTTP request:

    GET /product/?id=12345&user=CSRFtoken=<guess> HTTP/1.1
    Host: example.com

Server's response:

    <form target="https://example.com:443/products/catalogue.aspx?id=12345&user=csrftoken=<guess>">
    ...
    <td nowrap id="tderrlgf">
      <a href="logoff.aspx?csrftoken=4bd634cda846fd7cb4cb0031ba249ca2">Log Off</a></td>

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf

TLS: BREACH attack III
- Feasibility
  - Monitor server responses (ARP spoofing)
  - Run code in the user's browser
- 3 requirements
  - Application supports HTTP compression
  - Response reflects the user's input
  - Response has sensitive information embedded

TLS: BREACH attack IV
- Countermeasures
  - Disable HTTP compression
  - Separate secrets from user input
  - Mask secrets
  - Request rate-limiting and monitoring
  - Length hiding: add garbage to the response
  - Proposal for a TLS extension in development
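The length side channel behind CRIME and BREACH, and the "masking secrets" countermeasure from the BREACH slide, as an added example that is not part of the original talk. The request is constructed after the CRIME slides (the cookie value is the one shown there); zlib's DEFLATE stands in for TLS/HTTP compression, and the masking format r || (secret XOR r) is an assumption of this example, not the talk's.

```python
import os
import zlib

# Request constructed after the CRIME slides; the cookie value is the one the slide shows.
REQUEST = (
    "POST /{inject} HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
    "Cookie: secretcookie={cookie}\r\n"
    "Accept-Language: en-us,en;q=0.8\r\n"
    "\r\n"
)
COOKIE = "7xc89f94wa96fd7cb4cb0031ba249ca2"

def wire_length(inject, cookie=COOKIE):
    """length(encrypt(compress(header + body))): encryption hides the content but not
    the length, so what the eavesdropper sees is exactly how well DEFLATE did."""
    data = REQUEST.format(inject=inject, cookie=cookie).encode()
    return len(zlib.compress(data, 9))        # DEFLATE, as TLS compression uses

def guess_signal(prefix_guess, cookie=COOKIE):
    """Length on the wire when the attacker-controlled path carries
    'secretcookie=<guess>'. A guess that matches the real cookie lets the
    Cookie header be replaced by a longer back-reference, so it costs fewer
    bits than a guess that does not match."""
    return wire_length("secretcookie=" + prefix_guess, cookie)

# Countermeasure from the BREACH slide: masking secrets. The page carries
# r || (secret XOR r) for a fresh random r instead of the secret itself, so the
# secret's bytes never appear verbatim and compression has nothing to match.
def mask_secret(secret: bytes, r: bytes = None) -> bytes:
    r = os.urandom(len(secret)) if r is None else r   # r fixed only for tests
    return r + bytes(s ^ m for s, m in zip(secret, r))

def unmask_secret(blob: bytes) -> bytes:
    """Receiving side: split off r and undo the XOR."""
    n = len(blob) // 2
    return bytes(x ^ m for x, m in zip(blob[n:], blob[:n]))
```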

TLS: Padding oracle attack
- Chosen-ciphertext attack
- Side-channel attack
  - Exploits leaked information about the validity of the format
  - Server leaks information on whether the padding format is correct
- Works for the cipher-block chaining (CBC) mode of operation
- Independent of encryption algorithm and key

TLS: Padding oracle attack II
- Encryption (normal operation)
  - Plaintext is split into blocks
  - Last block is padded to fill up the block
  - RC5-CBC-PAD algorithm proposes padding: the n padded bytes are filled with the value n, e.g. for n=5 the last bytes are ...,5,5,5,5,5
  - Padded plaintext is encrypted
- Decryption (normal operation)
  - Ciphertext is decrypted
  - Correct format of the padding is checked

TLS: Padding oracle attack III
Figure from http://en.wikipedia.org/wiki/block_cipher_modes_of_operation#cipher-block_chaining_.28cbc.29

TLS: Lucky 13
- What is it?
  - Padding oracle attack
  - Man-in-the-middle can recover plaintext from a TLS connection when CBC mode is used
  - Exploits a timing bug of TLS data decryption
- How does it work?
  - Message Authentication Code (MAC) is used to provide integrity
  - TLS encrypts the block: plaintext + MAC of plaintext + padding
  - Decryption checks the padding, then checks the MAC

TLS: Lucky 13 II
- Problem in TLS 1.0
  - Invalid padding: explicit error returned
  - Made padding oracle attacks possible
  - Fixed in TLS 1.1
- Problem in TLS 1.1
  - Invalid padding: server kills the session to prevent attacks
  - Server's reaction time is measurable
  - Padding oracle attacks also work across sessions

TLS: Lucky 13 III
- Current version TLS 1.2
  - If the padding check fails, the whole message is used to calculate the MAC
  - Should resolve the previous problems
  - But: takes slightly longer!
- Lucky 13 exploits this subtle time difference

TLS: Lucky 13 IV
- Feasibility
  - Intercept client-server communication, inject malware into the client
  - Repetition to eliminate noise and network jitter in the time measurement
  - Slow attack: needs lots of connections to succeed
  - All TLS cipher suites including CBC-mode encryption are vulnerable
- Countermeasures
  - Implement uniform processing time
  - Add random server-side delays
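The record processing the padding oracle and Lucky 13 slides describe, as an added example that is not part of the original talk: the record layout plaintext + MAC + padding, a TLS 1.0-style check that returns distinct errors before doing any MAC work, and a uniform-processing variant in the spirit of the slide's countermeasure. HMAC-SHA256, a 16-byte block and the n-bytes-of-value-n padding are assumptions of this example; it works on the already-decrypted record, since the oracle lives in the checks, not in the block cipher.

```python
import hashlib
import hmac
from typing import Optional

BLOCK = 16      # cipher block size (AES)
MAC_LEN = 32    # HMAC-SHA256 tag length; the MAC choice is an assumption of this example

def pad(data: bytes) -> bytes:
    """Padding as the slide describes it: n bytes, each holding the value n."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n

def build_record(plaintext: bytes, key: bytes) -> bytes:
    """TLS CBC record layout before block encryption: plaintext + MAC(plaintext) + padding."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    return pad(plaintext + tag)

def check_leaky(record: bytes, key: bytes) -> bytes:
    """TLS 1.0-style processing after decryption: a distinct error for bad padding,
    raised before any MAC work. Error type and time taken both act as a padding oracle."""
    n = record[-1]
    if n < 1 or n > BLOCK or record[-n:] != bytes([n]) * n:
        raise ValueError("bad_padding")                  # distinguishable and fast
    body = record[:-n]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, plaintext, hashlib.sha256).digest(), tag):
        raise ValueError("bad_mac")                      # distinguishable and slower
    return plaintext

def leaky_outcome(record: bytes, key: bytes) -> str:
    """What an observer of the leaky path can tell apart: ok, bad_padding or bad_mac."""
    try:
        check_leaky(record, key)
        return "ok"
    except ValueError as err:
        return str(err)

def check_uniform(record: bytes, key: bytes) -> Optional[bytes]:
    """Uniform processing in the spirit of the slide's countermeasure: no early exit,
    a fixed-count padding scan, the MAC always computed, and one result (None) for
    every failure. The MAC input length still depends on n, which is the residual
    timing signal Lucky 13 measures; real implementations add dummy MAC work or
    random delays on top of this structure."""
    n = record[-1]
    pad_ok = 1 <= n <= BLOCK
    n_eff = n if pad_ok else 1                           # keep the slices valid either way
    for i in range(1, BLOCK + 1):                        # always BLOCK iterations
        pad_ok &= (i > n_eff) or (record[-i] == n)
    body = record[:-n_eff]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(hmac.new(key, plaintext, hashlib.sha256).digest(), tag)
    return plaintext if (pad_ok and mac_ok) else None
```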

Résumé
- Use secure key exchange algorithms in TLS 1.2
  - Ephemeral Diffie-Hellman
  - Ephemeral Elliptic Curve Diffie-Hellman
- Security of ciphers defined in TLS 1.2
  - HTTP compression makes any algorithm attackable
  - Try to avoid HTTP compression or take countermeasures against BREACH
  - Don't use RC4 as an alternative algorithm: full plaintext recovery attack shown by Bernstein et al. in 2013
  - Use AES Galois/Counter Mode (AES-GCM)

Take-Home Message
- Yes, we can prevent the Cryptocalypse for the moment
- Update your servers
  - Use the latest versions of libraries
  - Enable secure algorithms
- Update your browser
  - Latest browser versions support TLS 1.2: Chrome >= 30, Firefox >= 28, Internet Explorer >= 11, Opera >= 17, Safari >= 5 (iOS), >= 7 (Mac OS X)

Thank You
Dr. Gregor Koenig, gkoenig@barracuda.com

Comic from http://xkcd.com/538/

References

General
1. P. Bright, Crypto experts issue a call to arms to avert the cryptopocalypse. http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
2. Wikipedia, Transport Layer Security. http://en.wikipedia.org/wiki/transport_layer_security

Key Exchange
1. Wikipedia, Perfect Forward Secrecy. http://en.wikipedia.org/wiki/perfect_forward_secrecy
2. N. Sullivan, A primer on elliptic curve cryptography, 2013. http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography

Ciphers
1. P. Sarkar, S. Fitzgerald, Attacks on SSL: A Comprehensive Study of BEAST, CRIME, TIME, BREACH, LUCKY13 & RC4 BIAS, 2013. https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
2. S. Vaudenay, Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS. http://lasec.epfl.ch/pub/lasec/doc/vau02a.ps
3. S. Gueron, AES-GCM for Efficient Authenticated Encryption, 2013. https://crypto.stanford.edu/realworldcrypto/slides/gueron.pdf
4. D. Goodin, Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages. http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages
5. N. AlFardan et al., On the security of RC4 in TLS and WPA, 2013. http://www.isg.rhul.ac.uk/tls
6. Wikipedia, Galois/Counter Mode. http://en.wikipedia.org/wiki/galois/counter_mode