DROWN - Breaking TLS using SSLv2

Similar documents
DROWN: Breaking TLS using SSLv2

DROWN: Breaking TLS using SSLv2

Practical Attacks on Implementations

Verifying Real-World Security Protocols from finding attacks to proving security theorems

TLS1.2 IS DEAD BE READY FOR TLS1.3

TLS Security and Future

Which Secure Transport Protocol for a Reliable HTTP/2-based Web Service : TLS or QUIC?

In search of CurveSwap: Measuring elliptic curve implementations in the wild

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Diffie-Hellman, discrete logs, the NSA, and you. J. Alex Halderman University of Michigan

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

32c3. December 28, Nick goto fail;

Protecting TLS from Legacy Crypto

Defeating All Man-in-the-Middle Attacks

Which Secure Transport Protocol for a Reliable HTTP/2-based Web Service : TLS or QUIC?

Findings for

Randomness Extractors. Secure Communication in Practice. Lecture 17

Introduction to Public-Key Cryptography

What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

Measuring small subgroup attacks against Diffie-Hellman

Cryptography (Overview)

What s in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

Critical Review of Imperfect Forward Secrecy

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

: Practical Cryptographic Systems March 25, Midterm

1.264 Lecture 28. Cryptography: Asymmetric keys

Overview of TLS v1.3 What s new, what s removed and what s changed?

On the (in-)security of JavaScript Object Signing and Encryption. Dennis Detering

CSE 127: Computer Security Cryptography. Kirill Levchenko

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

How to Configure SSL Interception in the Firewall

PROTECTING CONVERSATIONS

TLS 1.1 Security fixes and TLS extensions RFC4346

SSL Report: ( )

State of TLS usage current and future. Dave Thompson

Authenticated Encryption in TLS

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

SSL/TLS. Pehr Söderman Natsak08/DD2495

Encryption. INST 346, Section 0201 April 3, 2018

Version: $Revision: 1142 $

David Wetherall, with some slides from Radia Perlman s security lectures.

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Chapter 8 Web Security

Workshop Challenges Startup code in PyCharm Projects

Overview of TLS v1.3. What s new, what s removed and what s changed?

Chapter 4: Securing TCP connections

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

TLSnotary - a mechanism for independently audited https sessions

SECURE YOUR INTEGRATIONS. Maarten Smeets

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

The Security Impact of HTTPS Interception

Return Of Bleichenbacher s Oracle Threat (ROBOT)

SSL/TLS Security Assessment of e-vo.ru

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

SSL Visibility and Troubleshooting

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Plaintext-Recovery Attacks Against Datagram TLS

But where'd that extra "s" come from, and what does it mean?

Cryptographic Concepts

Your Apps and Evolving Network Security Standards

no more downgrades: protec)ng TLS from legacy crypto

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Noise Protocol Framework. Trevor Perrin

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

How to Configure SSL Interception in the Firewall

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Coming of Age: A Longitudinal Study of TLS Deployment

MTAT Applied Cryptography

Xerox Product Security

THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE

A messy state of the union:

Refresher: Applied Cryptography

Internet security and privacy

Cryptography. Lecture 12. Arpita Patra

Lecture 3: Symmetric Key Encryption

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Configuring SSL Security

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

SSL/TLS Server Test of

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

SSL Server Rating Guide

CS 161 Computer Security

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Remote E-Voting System

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Securing Internet Communication: TLS

18-642: Cryptography 11/15/ Philip Koopman

The Security Impact of HTTPS Interception

Transcription:

DROWN - Breaking TLS using SSLv2 Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, Yuval Shavitt

A history of obsolete crypto SSLv2 published in 1995, immediately broken Devastating MitM attacks Common wisdom: SSLv2 is better than plaintext Before DROWN: OK to keep SSLv2 enabled, esp. for email. 2

Our results: SSLv2 breaks TLS 3

DROWN - Overview Attacker decrypts intercepted TLS traffic Cross-protocol attack Attack TLS server using SSLv2 server Attack HTTPS server using email server - SSLv2 much more prevalent on email ports 22% of trusted HTTPS hosts vulnerable with cross-protocol use 4

TLS RSA Handshake 5

PKCS #1 v1.5 Textbook RSA: k e mod N Problem: No randomization In real-life: PKCS #1 v1.5: pad k to length of N with random padding 6

Bleichenbacher s Attack If padding is incorrect after decryption, then Send an error message Attacker can deduce if padding was correct. Conclusion: The server has to behave as if the padding was valid! 7

Bleichenbacher s Attack If padding is incorrect after decryption, then The server has to behave as if the padding was valid! Solution: Server generates a random replacement plaintext, continues as usual. 8

Differences between SSLv2 and TLS Server authenticates first (sends first message encrypted with symmetric key) Short secrets for export grade crypto: SSLv2: 40 bit key. TLS: 48 byte (384 bit) key. 9

An important observation Attacker connects twice with same RSA ciphertext. Ciphertext valid: 2 server replies encrypted with same key. 10

An important observation Attacker connects twice with same RSA ciphertext. Ciphertext not valid: 2 server replies encrypted with different keys. 11

The SSLv2 RSA Decryption Oracle Attacker breaks 40 bit key for both messages. Ciphertext valid: Both keys will be the unpadded RSA plaintext -> keys will be identical. 12

The SSLv2 RSA Decryption Oracle Attacker breaks 40 bit key for both messages. If ciphertext is invalid: Both keys will be randomly generated -> keys will be different. Reminder: If attacker can distinguish between valid/invalid RSA message, attacker can decrypt TLS! 13

DROWN: Attack Outline Attacker records ~1,000 modern TLS connections. Attacker morphs TLS RSA ciphertext to SSLv2 ciphertext Uses SSLv2 Bleichenbacher oracle to decrypt. Client never makes an SSLv2 connection. 14

Offline work Attacker executes ~10K queries, breaks 40-bit key for each Bleichenbacher query. 2 50 keys tested overall. Feasible on modern hardware: Naive CPU implementation: $21K of CPU, 114 days. Highly optimized GPU implementation: $18K of GPUs, 18 hours, or $440 on AWS, 8 hours. Special DROWN: Implementation vulnerability in OpenSSL 22% of trusted HTTPS servers are vulnerable Negligible computation, see paper 15

Key reuse Attack HTTPS server using email server Widespread key reuse: No protocol version in certificates Certificates cost money (EV) 16

Impact of Key Reuse 17

Takeaways Export crypto weakens modern protocols Export RSA (FREAK), DH (Logjam), symmetric crypto (DROWN) More weakened crypto seems ill-advised. Should remove obsolete crypto. Long history of attacks: POODLE, Fake CA, RC4, FREAK, Logjam, Lucky 13, Sloth,... Is DROWN the last? Mac-then-Encrypt, SHA-1,...? 18

Thank you! drownattack.com Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, Yuval Shavitt

Special DROWN Implementation vulnerability in OpenSSL because of added complexity from export ciphers. Present in 22% of trusted HTTPS. No symmetric key brute-forcing, negligible computation. Runs in a minute on a laptop. Allows MitM attack against DH TLS: Downgrade the key exchange to RSA, use special DROWN to decrypt RSA ciphertext online. 20

QUIC Experimental TLS-like protocol by Google. 0-RTT Server signs a static config block, containing DH parameters, supported ciphersuites etc. If the client knows nothing, it prompts for the config block. Otherwise, it calculates shared keys and starts talking. Server indicates QUIC support, client will henceforth connect with QUIC Can indicate support over plaintext. 21

QUIC MitM Attack Static signatures -> Forge a signature once, use it forever. Discovery over plaintext -> Server doesn t even support QUIC, attacker fakes support over plaintext. Google plans to fix both these issues. Attack cost with general DROWN: ~$10M. Attack cost with special DROWN: 2 25 SSLv2 connections, no large computation. 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback