32c3. December 28, Nick https://crypto.dance. goto fail;

Similar documents
Defeating All Man-in-the-Middle Attacks

TLS Security and Future

Coming of Age: A Longitudinal Study of TLS Deployment

TLS1.2 IS DEAD BE READY FOR TLS1.3

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

TLS 1.1 Security fixes and TLS extensions RFC4346

Secure Internet Communication

CIS 5373 Systems Security

State of TLS usage current and future. Dave Thompson

SSL/TLS Server Test of

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

Verifying Real-World Security Protocols from finding attacks to proving security theorems

SSL Report: ( )

Protecting TLS from Legacy Crypto

SSL/TLS Security Assessment of e-vo.ru

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

SSL/TLS Server Test of grupoconsultorefe.com

SSL Report: bourdiol.xyz ( )

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Overview of TLS v1.3 What s new, what s removed and what s changed?

How to Configure SSL Interception in the Firewall

DROWN - Breaking TLS using SSLv2

SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger

SSL Report: printware.co.uk ( )

SSL Server Rating Guide

Overview of TLS v1.3. What s new, what s removed and what s changed?

One Year of SSL Internet Measurement ACSAC 2012

SSL Report: cartridgeworld.co.uk ( )

CSE484 Final Study Guide

Summary on Crypto Primitives and Protocols

Information Security CS 526

The Security Impact of HTTPS Interception

SSL Report: sharplesgroup.com ( )

Findings for

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Your Apps and Evolving Network Security Standards

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Transport Level Security

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

SSL/TLS. Pehr Söderman Natsak08/DD2495

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

Authenticated Encryption in TLS

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

Cryptography and Network Security

ON THE SECURITY OF TLS RENEGOTIATION

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Randomness Extractors. Secure Communication in Practice. Lecture 17

Data Security and Privacy. Topic 14: Authentication and Key Establishment

PROVING WHO YOU ARE TLS & THE PKI

Countering Cryptographic Subversion. Post-Snowden Cryptography Workshop Brussels 8/12/2015

Internet security and privacy

So.ware Defined Perimeter Internet- scale Security for the Internet2 Community. Junaid Islam Co- Chair SDP Workgroup Cloud Security Alliance

Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 8

But where'd that extra "s" come from, and what does it mean?

Transport Layer Security

Workshop Challenges Startup code in PyCharm Projects

Cipher Suite Practices and Pitfalls:

Install the ExtraHop session key forwarder on a Windows server

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Transport Layer Security

Cryptography (Overview)

Lecture for February 10, 2016

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Encrypted Phone Configuration File Setup

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cryptography MIS

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

BCA III Network security and Cryptography Examination-2016 Model Paper 1

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Version: $Revision: 1142 $

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSL Accelerated Services. Feature Description

Crypto meets Web Security: Certificates and SSL/TLS

High-Tech Bridge s Free SSL Server Test API Developer Documentation Version v1.2 24th of January 2018

MTAT Applied Cryptography

Norbert Muehr (Siemens PLM GTAC EMEA)

A messy state of the union:

Securing Internet Communication: TLS

FUJITSU Software BS2000 internet Services. Version 3.4A May Readme

SSL Visibility and Troubleshooting

Ecosystem at Large

Contents. Configuring SSH 1

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Security Protocols and Infrastructures

TLS Security Where Do We Stand? Kenny Paterson

CSCE 715: Network Systems Security

Understanding Traffic Decryption

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Datapath. Encryption

E-commerce security: SSL/TLS, SET and others. 4.1

Chapter 8 Web Security

Auditing IoT Communications with TLS-RaR

Proving who you are. Passwords and TLS

Transcription:

32c3 December 28, 2015 Nick Sullivan @grittygrease nick@cloudflare.com https://crypto.dance goto fail; a compendium of transport security calamities

Broken Key 2

Lock 3

Lock 4

5

6

HTTP

HTTPS The S stands for Secure

HTTPS = HTTP + Security Transport Layer Security (TLS) Data encryption and integrity Server authentication Negotiation of keys happens in the handshake 10

A bit of history SSL version 1 Kipp E.B. Hickman at Netscape in 1993-1994 11

A bit of history Marc Andressen presented it to about six of us. John Klensin, Tim Berners-Lee, Alan Schiffman and myself were the only ones I can remember, but there were two other seats filled. - Phillip Hallam-Baker 12

A bit of history The original protocol had no authenticity checks in whatsoever. - Phillip Hallam-Baker 13

How does it work? Public-key crypto: establish shared keys, server identity Data encapsulation: encrypt and HMAC with shared keys 14

Certificate Validation 15

How does TLS provide authenticity? Why the Public Key Infrastructure (PKI) of course 16

X.509 Certificates 17

18

Chain of trust 19

Implementation bugs Intentional flaws Issues of trust 20

Client Logic Phase 1: Validate certificate 1. Parse the certificate 2. Find the parent certificate 3. Validate signature against parent s public key 4. If parent is in trust store, accept 5. If not, repeat 21

Client Logic Phase 2: Tie certificate to channel For RSA: Encrypt the key material with public key Verify shared key using final message For Diffie-Hellman: Server signs the key derivation parameters (Server DH Parameter, Client Random, Server Random) Verify signature with certificate public key 22

Man-in-the-middle attack Phase 1 (trust verification fail): Use untrusted cert Phase 2 (channel verification fail): Use a real certificate, but fake the signature 23

check_if_ca /* Checks if the issuer of a certificate is a * Certificate Authority, or if the certificate is the same * as the issuer (and therefore it doesn't need to be a CA). * * Returns true or false, if the issuer is a CA, * or not. */ static int check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, unsigned int flags) { int result; result = _gnutls_x509_get_signed_data (issuer->cert, "tbscertificate", &issuer_signed_data); if (result < 0) { gnutls_assert (); goto cleanup; } result = 0; cleanup: // cleanup type stuff return result; } 24

SSLVerifySignedServerKeyExchange static OSStatus SSLVerifySignedServerKeyExchange( SSLContext *ctx, bool isrsa, SSLBuffer signedparams, uint8_t *signature, UInt16 signaturelen) { OSStatus err;... if ((err = SSLHashSHA1.update(&hashCtx, &clientrandom))!= 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverrandom))!= 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedparams))!= 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashout))!= 0) goto fail;... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; } 25

PKCS #1 v1.5 RSA Signature Format 00 01 FF FF FF FF FF FF FF 00 DigestInfo MessageDigest Encrypted with private key DigestInfo: ASN-1 data containing Digest Type 26

Bleichenbacher 2006 RSA Signature Verification allows: 00 01 FF FF FF FF FF FF FF 00 DigestInfo MessageDigest Garbage Pick garbage so that: DigestInfo + MessageDigest + Garbage = Cube of forged message 27

BERserk (2014) RSA Signature Format: 00 01 FF FF FF FF FF FF FF 00 DigestInfo MessageDigest Bug in NSS: Integer overflow in ASN-1 length: initial bytes of length are ignored 00 01 FF FF FF FF FF FF FF 00 Garbage DI Len DI Val MessageDigest DigestInfo (with garbage length) + MessageDigest = Cube of forged message 28

BERserk 29

Issues of Trust 30

How many CAs do you trust? How many countries have a valid CA? 31

How many CAs do you trust? How many countries have a valid CA? 46 (EFF s SSL Observatory) 32

Superfish and friends Local man-in-the-middle proxy installed by your OEM anti-virus software corporate IT department country-level inspection proxy 33

Superfish and friends Some proxies don t validate certificates correctly. Oops! Bonus: Locally installed roots bypass key pinning! 34

The TLS software ecosystem Client TLS PKI OS PKI Chrome NSS/ BoringSSL Native Windows schannel Firefox NSS mozilla::pkix Safari Common Crypto Common Crypto Linux OpenSSL/GnuTLS Internet Explorer schannel schannel OS X/iOS Common Crypto 35

Server Problems 36

Server Libraries Server TLS Apache OpenSSL nginx OpenSSL Microsoft IIS Schannel 37

Key generation requires random numbers 38

Dual EC DRBG 39

Heartbleed (2014) 40

Protocol Bugs 41

SSLv2 SSLv3 TLSv1.2 TLSv1.3 SSLv1 TLSv1 TLSv1.1 1994 1998 2002 2006 2010 2014 2018

HTTP is great for crypto attacks repeated plaintext = Cookies, passwords, CSRF tokens chosen plaintext = URI GET /<chosen plaintext> Cookie: <repeated plaintext> 43

Attacker on the local network ARP spoofing to get MiTM position Inject random JS to make cross-origin request TLS errors can trigger browsers to re-send request 44

Compression Oracles 45

CRIME & BREACH 46

CRIME & BREACH 47

Padding Oracles CBC mode MAC-then-Encrypt 48

Cipher Block Chaining 49

Cipher Block Chaining 50

MAC-then-encrypt 51

MAC-then-encrypt Valid padding SSLv3: 0x00 0xXX, 0x01 0xXX, 0xXX, 0x02 etc. 52

MAC-then-encrypt Valid padding TLS: 0x00 0x01, 0x01 0x02, 0x02, 0x02 etc. 53

Padding Oracle Step 1 54

Padding Oracle Step 2 55

Padding Oracle History Error code as a side channel Timing as a side channel Timing redux: Lucky 13 56

Error code side channel incorrect guess: bad padding correct guess: bad HMAC 57

Timing side-channel incorrect guess: no HMAC computation (fast) correct guess: HMAC computation (slow) 58

Lucky 13 59

Lucky 13 60

Downgrade attacks 61

Downgrade attacks If you support something old, someone s going to trick you into using it. 62

Cipher Suites Complicated string describing the type of crypto used Check your ciphers with $ openssl ciphers Example: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-ECDSA-AES256-GCM-SHA384: DHE-RSA-AES128-GCM-SHA256: 63

Cipher Suites ECDHE-RSA-AES256-GCM-SHA384 Key Exchange - Certificate Key - Transport Cipher - Integrity/KDF 64

Cipher Suite Negotiation AES256-GCM-SHA384: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA: ECDHE-RSA-AES128-SHA256: AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 65

Export Ciphers RSA-EXPORT-WITH-RC4-40-MD5 RSA-EXPORT-WITH-DES40-CBC-SHA DHE-DSS-EXPORT-WITH-RC4-56-SHA 66

Enter FREAK, LogJam, WeakDH 67

Only the key generation material is signed, not the negotiation 68

Swap Supported Ciphers with Export Ciphers Crack Export Key 69

Swap Supported Ciphers with DHE Export Ciphers Crack Export DH Param 70

Crack DH Param 71

LogJam, WeakDH, FREAK Unauthenticated protocol data in handshake More to come on this 72

POODLE Padding oracle and a downgrade attack Downgrade dance (thanks browsers!) Line things up so that padding is in last block Swap target block with padding block Around 256 guesses per byte 73

TLS POODLE Padding oracle, Downgrade attack, Implementation bug 74

Aging Crypto 75

MD5 Collision 76

77

How do these fit on a timeline? 78

SSLv2 SSLv3 TLSv1.2 TLSv1.3 SSLv1 TLSv1 TLSv1.1 1994 1998 2002 2006 2010 2014 2018

SSLv2 Broken SSLv3 SSLv2 Vaudenay Padding Oracle Boney/Brumley Padding Oracle Bleichenbacher e=3 MD5 CA TLSv1.2 BEAST CRIME BREACH RC4 Lucky 13 FREAK Heartbleed BERserk SSLv3 Broken (POODLE) LogJam WeakDH TLSv1.3 SSLv1 TLSv1 TLSv1.1 1994 1998 2002 2006 2010 2014 2018

SSLv2 Broken SSLv3 SSLv2 Vaudenay Padding Oracle Boney/Brumley Padding Oracle Bleichenbacher e=3 MD5 CA Backronym Trend Begins TLSv1.2 BEAST CRIME BREACH RC4 Lucky 13 FREAK Heartbleed BERserk SSLv3 Broken (POODLE) LogJam WeakDH TLSv1.3 SSLv1 TLSv1 TLSv1.1 Logo Trend Begins 1994 1998 2002 2006 2010 2014 2018

May 2012 Feb 2014 Dec 2015 Data: SSL Pulse

TLS 1.2 Client Support Google Chrome 30 and later Google Android Browser for Android 5.0 and later Mozilla: Firefox 27 and and later Microsoft: Internet Explorer 11 and later Internet Explorer Mobile 11 and later Microsoft Edge all versions Apple Safari on OS X 10.9 and later Safari on ios 5 and later

Lessons Learned? If an attacker can identify one bit of information, it s over Copious side channels Trusting unauthenticated data is a bad idea Don t MAC-then-encrypt - use AEADs X.509 and ASN-1 are hard to implement correctly Support insecure crypto/protocols for backwards compatibility at your own risk 84

Issues Skipped BEAST Blechenbacher RSA Decryption oracle Schannel RCE Triple Handshake CA problems (DigiNotar, Comodo, Symantec) RC4 weaknesses Bignum vulnerabilities Forward Secrecy More 85

One more thing 86

Other unauthenticated negotiations in the handshake NPN/ALPN Supported elliptic curves 87

Other unauthenticated negotiations in the handshake NPN/ALPN Supported elliptic curves 88

Introducing: CurveSwap 89

Swap Supported Curves with Small Curves Solve DLP 90

Practicality What is the weakest curve supported by clients and servers sect163k? Client support: 4.3% Alexa top 100,000: 0.13% 91

The good news Nobody has publicly broken DLP for ~160bit curves But There s a reason we don t use binary curves 92

The Future TLS 1.3? 93

32c3 December 28, 2015 Nick Sullivan @grittygrease nick@cloudflare.com https://crypto.dance goto fail; a compendium of transport security calamities

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback