CIS 5373 Systems Security

Similar documents
Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Secure Socket Layer. Security Threat Classifications

Information Security CS 526

SSL/TLS CONT Lecture 9a

Overview. SSL Cryptography Overview CHAPTER 1

CSCE 715: Network Systems Security

Chapter 4: Securing TCP connections

Coming of Age: A Longitudinal Study of TLS Deployment

TLS1.2 IS DEAD BE READY FOR TLS1.3

Data Security and Privacy. Topic 14: Authentication and Key Establishment

MTAT Applied Cryptography

Transport Layer Security

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

WAP Security. Helsinki University of Technology S Security of Communication Protocols

PROVING WHO YOU ARE TLS & THE PKI

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Crypto meets Web Security: Certificates and SSL/TLS

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

E-commerce security: SSL/TLS, SET and others. 4.1

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

SSL/TLS Security Assessment of e-vo.ru

Cryptography (Overview)

Transport Layer Security

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Internet security and privacy

Transport Level Security

MTAT Applied Cryptography

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Defeating All Man-in-the-Middle Attacks

Chapter 8 Web Security

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

SSL/TLS. Pehr Söderman Natsak08/DD2495

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

CS 356 Internet Security Protocols. Fall 2013

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Overview of TLS v1.3 What s new, what s removed and what s changed?

cs526: Information Security Cristina Nita-Rotaru

One Year of SSL Internet Measurement ACSAC 2012

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

SSL/TLS Server Test of

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

32c3. December 28, Nick goto fail;

TLS 1.1 Security fixes and TLS extensions RFC4346

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

But where'd that extra "s" come from, and what does it mean?

Secure Internet Communication

Chapter 5. Transport Level Security

SSL/TLS Deployment Best Practices

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Security Protocols and Infrastructures

TLS Security and Future

Findings for

CIS 5373 Systems Security

Security Protocols and Infrastructures. Winter Term 2010/2011

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

SSL Report: ( )

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Progressively Securing RIOT-OS!

Auth. Key Exchange. Dan Boneh

CS 161 Computer Security

SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger

Security Protocols and Infrastructures. Winter Term 2015/2016

Lecture for February 10, 2016

Summary on Crypto Primitives and Protocols

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Proving who you are. Passwords and TLS

SSL Report: bourdiol.xyz ( )

Protocol Comparisons: OpenSSH, SSL/TLS (AT-TLS), IPSec

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

SSL Report: printware.co.uk ( )

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

SSL/TLS Server Test of grupoconsultorefe.com

Managing SSL certificates in the ServerView Suite

White Paper for Wacom: Cryptography in the STU-541 Tablet

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Installation and usage of SSL certificates: Your guide to getting it right

SSL/TLS Vulnerability Detection Using Black Box Approach

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

SSL Report: cartridgeworld.co.uk ( )

Understanding Traffic Decryption

Securing Network Communications

Securing Internet Communication: TLS

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Authenticated Encryption in TLS

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

David Wetherall, with some slides from Radia Perlman s security lectures.

CSE484 Final Study Guide

Transport Layer Security

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

CS November 2018

Configuring Secure Socket Layer HTTP

Transcription:

CIS 5373 Systems Security Topic 4.3: Network Security SSL/TLS Endadul Hoque

Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Analysis of the HTTPS Certificate Ecosystem, IMC 2013: https://jhalderm.com/pub/papers/httpsimc13.pdf Analysis of SSL certificate reissues and revocations in the wake of Heartbleed, IMC 2014: http://www.ccs.neu.edu/home/cbw/pdf/imc254- zhang.pdf 2

Network Security SSL/TLS 3

Revisit: Internet Protocol - IP IP is the current delivery protocol on the Internet, between hosts. IP provides best effort, unreliable delivery of packets. There are two versions: IPv4 is the current routing protocol on the Internet IPv6, a newer version, still not totally embraced by the community 4

Revisit: Transport Protocols Provides communication between processes running on hosts The most common transport protocols are UDP and TCP OS provides support for developing applications on top of UDP and TCP 5

Establishing a Secure Channel Services provide: confidentiality, integrity and authentication At what level in the network stack? What are advantages and disadvantages based on the level Two protocols: SSL (TLS) and IPSec 6

Providing Security 7

Transport Layer Security (TLS) SSL = Secure Socket Layer (predecessor) TLS = Transport Layer Security (standard) Both terms used interchangeably Provide means to secure any application that uses TCP Confidentiality, integrity, authentication (of server) SSL2.0 SSL3.0 TLS1.0 TLS1.1 TLS1.2 TLS1.3 (draft) 1995 1996 1999 2006 2008, 2011 2014 - * Timeline 8

Transport Layer Security (TLS) Protocol that allows to establish an end-to-end secure channel, providing: confidentiality, integrity and authentication Defines how the characteristics of the channel are negotiated: key establishment, encryption cipher, authentication mechanism Requires reliable end-to-end protocol, so it runs on top of TCP It can be used by other session protocols (such as HTTPS) Several implementations: OpenSSL, GnuTLS, etc. 9

TLS goals Confidentiality: Achieved by encryption Integrity: Achieved by computing a MAC and send it with the message Key exchange: relies on public key encryption 10

TLS in action (Example) TLS steps 11

TLS in action (Example) TLS steps Exchanged messages A nice website with visual examples of TLS messages: http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session 12

Session and Connection Session: association between a client and a server; created by the Handshake Protocol; defines secure cryptographic parameters that can be shared by multiple connections. Connection: end-to-end reliable secure communication; every connection is associated with a session 13

Session Session identifier: generated by the server to identify an active or resumable session. Peer certificate: X 509v3 certificate. Compression method: algorithm used to compress the data before encryption. Cipher spec: encryption and hash algorithm, including hash size. Master secret: 48 byte secret shared between the client and server. Can be resumed?: indicates if the session can be used to initiate new connections. 14

Connection Server and client random: chosen for each connection. Server write MAC secret: shared key used to compute MAC on data sent by the server. Client write MAC secret: same as above for the client Server write key: shared key used by encryption when server sends data. Client write key: same as above for the client. Initialization vector: initialization vectors required by encryption. Sequence numbers: both server and client maintains such a counter to prevent replay, cycle is 2^64-1. 15

Protocol Architecture 16

TLS Record Protocol Provides confidentiality and message integrity using shared keys established by the Handshake Protocol 17

TLS Alert Protocol Used to send TLS related alerts to peers Alert messages are compressed and encrypted Message: two bytes, one defines fatal/warnings, other defines the code of alert Fatal errors: decryption_failed, record_overflow, unknown_ca, access_denied, decode_error, export_restriction, protocol_version, insufficient_security, internal_error Other errors: decrypt_error, user_cancelled, no_renegotiation 18

TLS Handshake Protocol Negotiate Cipher-Suite Algorithms Symmetric cipher to use Key exchange method Message digest function Establish the shared master secret Optionally authenticate server and/or client 19

TLS Handshake Protocol S BofA Both sides derive symmetric session key K from the PreMasterK ey ClientHello(Version, Prefs, Nonce c ) ServerHello(Version, Prefs, Nonce s ) Certificates({C BofA, C Verisign }) ServerHelloDone ClientKeyExchange({PreMasterKey} ) P BofA ChangeCipherSpec {Finished} K ChangeCipherSpec BofA Certificate chain Encrypted using server s public key Encrypted using symmetric session key {Finished} K 20

TLS Handshake Protocol: Hello Client_hello_message has the following parameters: Version Random: timestamp + 28-bytes random Session ID CipherSuite: cipher algorithms supported by the client, first is key exchange Compression method Server responds with the same Client may request use of cached session Server chooses whether to accept or not 21

RSA: TLS Handshake Protocol: Supported Key exchange shared key encrypted with RSA public key Fixed Diffie-Hellman: public parameters provided in a certificate Ephemeral Diffie-Hellman: the best; Diffie-Hellman with temporary secret key, messages signed using RSA or DSS Anonymous Diffie-Hellman: vulnerable to man-in-the-middle 22

TLS Handshake Protocol: Authentication Verify identities of participants Client authentication is optional Certificate is used to associate identity with public key and other attributes, more about this later A Certificate B Certificate 23

TLS Change Cipher Spec (CCS) Protocol This is the simplest protocol: it has only one message The ChangeCipherSpec (CCS) message signals the activation of encryption Encryption is done on a per record basis Why is it a separate protocol? Because of the Record Layer encapsulation Several messages of the same type can be encapsulated together in one record After CCS, a new record should begin immediately afterwards, so that the new cipher settings are immediately applied 24

TLS Handshake Protocol: Finished Signals that the TLS negotiation is complete and the CipherSuite is activated It should be sent encrypted since the negotiation is successfully done A ChangeCipherSpec protocol message must be sent before this one to activate the encryption The Finished message contains a hash of all previous handshake messages combined followed by a special number identifying server/client role the master secret and padding 25

TLS requires Digital Certificates We need a certificate. How do you get one? Option 1: generate a certificate yourself Use openssl to generate a new asymmetric keypair Use openssl to generate a certificate that includes your new public key Drawback: Your new cert is self-signed, i.e. not signed by a trusted CA Browsers cannot validate that the cert is trustworthy Option 2: Pay a well-known CA to sign your certificate Any browser that trusts the CA will also trust your new cert 26

X.509 Certificates 27

Certificate Authorities (CA) CAs are the roots of trust in the TLS PKI Symantec, Verisign, Thawte, Geotrust, Comodo, GlobalSign, Go Daddy, Digicert, Entrust, and hundreds of others Issue signed certs on behalf of third-parties How do you become a CA? 1. Create a self-signed root certificate 2. Get all the major browser vendors to include your cert with their software 3. Keep your private key secret at all costs What is the key responsibility of being a CA? Verify that someone buying a cert for example.com actually controls example.com 28

TLS Certificate Authentication During the TLS handshake, the client receives a certificate chain, i.e. the server s cert, as well as the certs of the signing CA(s) The client must validate the certificate chain to establish trust Does the server s DNS name match the common name in the cert? E.g. example.com cannot serve a cert with common name google.com Are any certs in the chain expired? Is the CA s signature cryptographically valid? Is the cert of the root CA in the chain present in the client s trusted key store? Is any cert in the chain revoked? (more on this later) 29

Network Security PROBLEMS WITH SSL/TLS 30

SSL/TLS in News 31

Problems with TLS TLS is a widely deployed and extremely successful protocol but its not perfect Problems with TLS: 1. CA trustworthiness 2. Weak cyphers and keys 3. Protocol attacks 4. Man-in-the-middle attacks 5. Secret key compromise 6. Implementation bugs 32

Revisit: CAs A CA is essentially a trusted third party Certificate signatures are attestations of authenticity for the server and (optionally) the client Remember: trust is bad and should be minimized! If a CA mistakenly (or purposefully) signs a certificate for a domain and provides it to a malicious principal, TLS can be subverted Recall: any CA can sign a cert for any domain Not only must we trust root CAs, but also intermediate CAs that have been delegated signing authority 33

CA Trustworthiness Clearly, the CA secret key must be protected at all costs Possession of the CA secret key grants adversaries the ability to sign any domain Attractive target for adversaries Signatures should only be issued after verifying the identity of the requester Basic verification = Domain Validation Expensive verification = Extended Validation Should be easy, right? 34

CA Failures Issued to: Microsoft Corporation Issued by: VeriSign Commercial Software Publishers CA Valid from 1/29/2001 to 1/30/2002 Serial number is 1B51 90F7 3724 399C 9254 CD42 4637 996A Issued to: Microsoft Corporation Issued by: VeriSign Commercial Software Publishers CA Valid from 1/30/2001 to 1/31/2002 Serial number is 750E 40FF 97F0 47ED F556 C708 4EB1 ABFD In 2001, Verisign issued two executable signing certificates to someone claiming to be from Microsoft Could be used to issue untrusted software updates 35

Weak cipher suites TLS allows the use of different cryptographic algorithms Known weaknesses in RC4 and MD5 Cipher Suite RC4-MD5 2.8% Usage in Certs (as of 2013) RC4-SHA1 48.9% AES128- SHA1 AES256- SHA1 1.2% 46.3% 36

Protocol attacks Renegotiation attacks Allows attacker to renegotiate a connection to the NULL algorithm and inject plaintext data Fixed by requiring cryptographic verification of previous TLS handshakes Version downgrade attacks False Start TLS extension allows attackers to modify the cipher suite list the client sends to server during handshake Can force the usage of a known insecure cipher 37

Protocol attacks Padding Oracle On Downgraded Legacy Encryption (POODLE) Cryptographic attack against CBC-mode ciphers when used with SSL 3.0 Attacker can use a downgrade attack to force TLS connections into SSL 3.0 Allowing security degradation for the sake of interoperability is dangerous 38

TLS Man-in-the-Middle attack Does C e validate? S e S BofA ClientHello e ClientHello BofA e BofA If C e is self-signed, the user will be shown a warning If the attacker steals C BofA and S BofA, then this attack will succeed unless: 1. Bank of America revokes the stolen cert 2. The client checks to see if the cert has been revoked If the attacker manages to buy a valid BofA cert from a CA, then the only defense against this attack is certificate pinning 39

Certificate pinning Certificate pinning is a technique for detecting sophisticated MitM attacks Browser includes certs from well-known websites in the trusted key store by default Usually, only certs from root CAs are included in the trusted key store Example: Chrome ships with pinned copies of the *.google.com certificate Pinning isn t just for browsers Many Android and iphone apps now include pinned certificates E.g. Facebook s apps include a pinned cert Trusted Key Store Verisign BofA Google 40

Secret Key compromise Secret key compromise leads to many devastating attacks Attacker can successfully MitM TLS connections (i.e. future connections) Attacker can decrypt historical TLS packets encrypted using the stolen key Changing to a new keypair/cert does not solve the problem! The old, stolen key is still valid! Attacker can still MitM connections! 41

Certificate expiration Certificate expiration is the simplest, most fundamental defense against secret key compromise All certificates have an expiration date A stolen key is only useful before it expires All certs should have a short lifetime Months, weeks, or even days X.509 Certificate Validity Not Before: Apr 8 00:00:00 2014 GMT Not After : Apr 12 12:00:00 2016 GMT In reality most certs have a one year lifetime This gives an attacker plenty of time to abuse a stolen key 42

Certificate Lifetimes 43

Perfect forward secrecy Perfect Forward Secrecy (PFS) addresses the issue of an attacker decrypting past TLS sessions after a secret key compromise Uses Diffie-Hellman to compute the TLS session key Session key is never sent over the wire, and is discarded after the session completes Since the session key cannot be recovered, the attacker cannot decrypt historical TLS packets, even if they hold the secret key PFS does not prevent MiTM attacks; future TLS sessions are still in danger 44

Implementation bugs Cryptography often assumed to be perfect Usually the math is solid, but the implementation can be imperfect Some examples of security vulnerabilities due to TLS implementation bugs Apple's goto Fail Heartbleed 45

Apple s goto fail Found in February 2014, present in ios 6 and OS X 46 http://zd.net/1mlouxz

Heartbleed Serious vulnerability OpenSSL versions 1.0.1 1.0.1f Publicly revealed April 7, 2014 Exploits a bug in the TLS heartbeat extension Allows adversaries to read memory of vulnerable services i.e., buffer over-read vulnerability Discloses addresses, sensitive data, potentially TLS secret keys Major impact OpenSSL is the de facto standard implementation of TLS, so used everywhere Many exposed services, often on difficult-to-patch devices Trivial to exploit 47

Heartbleed Heartbeat(str= Hello, len=5) Heartbeat(str=, len=65535) Echo( Hello ) BofA S BofA Echo( A$fskndvknla CERTIFICATE PRIVATE KEY 234nwlkw3rFAF *$DvdsaeE ) 48

Heartbleed-vulnerable servers 23 days after Heartbleed, 5% of servers still unpatched 49

Other TLS Attacks Other interesting attacks on TLS TLS stripping BEAST CRIME BREACH Lucky Thirteen 50

Takeaways TLS is crucial for maintaining security and privacy on the Web Mature, well supported protocol Its security was proven as of 2014 Unfortunately, TLS is plagued by many issues Many different protocol-level issues that enable MitM attacks TLS implementations are buggy Human beings fail to reissue/revoke certificates properly Browsers fail to perform revocation checks 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback