Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Similar documents
Misuse-resistant crypto for JOSE/JWT

Summary on Crypto Primitives and Protocols

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Multiple forgery attacks against Message Authentication Codes

TLS Security Where Do We Stand? Kenny Paterson

TLS1.2 IS DEAD BE READY FOR TLS1.3

State of TLS usage current and future. Dave Thompson

Cipher Suite Configuration Mode Commands

Findings for

Coming of Age: A Longitudinal Study of TLS Deployment

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

CSCE 715: Network Systems Security

CIS 4360 Secure Computer Systems Symmetric Cryptography

DROWN - Breaking TLS using SSLv2

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Advanced Security for Systems Engineering VO 09: Applied Cryptography

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Protecting TLS from Legacy Crypto

symmetric cryptography s642 computer security adam everspaugh

Feedback Week 4 - Problem Set

Symmetric Crypto MAC. Pierre-Alain Fouque

Ecosystem at Large

Return Of Bleichenbacher s Oracle Threat (ROBOT)

Deep Tech Analysis to AES-GCM in TLS 1.2 and IPSec-v3. Richard Wang and Ed Morris May 20, 2016 International Crypto Module Conference

Plaintext-Recovery Attacks Against Datagram TLS

Lecture 9 Authenticated Encryption

Permutation-based Authenticated Encryption

Message authentication codes

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

TLS 1.1 Security fixes and TLS extensions RFC4346

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Block Cipher Modes of Operation

Advanced security notions for the SSH secure channel: theory and practice

A Surfeit of SSH Cipher Suites

Overview of TLS v1.3 What s new, what s removed and what s changed?

COMP4109 : Applied Cryptography

CSE484 Final Study Guide

Cipher Suite Practices and Pitfalls:

: Practical Cryptographic Systems March 25, Midterm

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Authenticated Encryption in TLS

How to Configure SSL Interception in the Firewall

ECE 646 Lecture 8. Modes of operation of block ciphers

Secure Internet Communication

6 Cryptographic Operations API

Authenticated Encryption in the Face of Protocol and Side-Channel Leakage

CSE 127: Computer Security Cryptography. Kirill Levchenko

Understanding how to prevent. Sensitive Data Exposure. Dr Simon Greatrix

FUJITSU Software BS2000 internet Services. Version 3.4A May Readme

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

History of message integrity techniques

Practical Attacks on Implementations

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

OpenSSL is a standard tool that we used in encryption. It supports many of the standard symmetric key methods, including AES, 3DES and ChaCha20.

Datapath. Encryption

Overview of TLS v1.3. What s new, what s removed and what s changed?

IKEv2-SCSI (06-449) Update

Version: $Revision: 1142 $

Introduction to cryptology (GBIN8U16) Introduction

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Datapath. Encryption

Permutation-based symmetric cryptography

Randomness Extractors. Secure Communication in Practice. Lecture 17

05 - WLAN Encryption and Data Integrity Protocols

Deploying high-security cryptography Daniel J. Bernstein University of Illinois at Chicago

Authenticated Encryption and Secure Channels. Kenny Paterson Information Security ;

Concrete cryptographic security in F*

CSCE 715: Network Systems Security

Protect Yourself Against Security Challenges with Next-Generation Encryption

Symmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Block Cipher Modes of Operation

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web

32c3. December 28, Nick goto fail;

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Appendix A: Introduction to cryptographic algorithms and protocols

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Cryptology complementary. Introduction

Authenticated Encryption

Information Security CS526

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

The Galois/Counter Mode of Operation (GCM)

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

Implementing Cryptography: Good Theory vs. Bad Practice

Refresher: Applied Cryptography

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

On the (in-)security of JavaScript Object Signing and Encryption. Dennis Detering

n-bit Output Feedback

Introduction to Public-Key Cryptography

CS155. Cryptography Overview

CLOC: Authenticated Encryption

RSA BSAFE Crypto-C Micro Edition Security Policy

Transcription:

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1

TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 3

CBC / HMAC Arbitrary padding in SSLv3 Implicit IVs in TLS 1.0 MAC-then-Pad-then-Encrypt 2002 Padding Oracles 5

TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 7

RC4 Generates a key stream Some bytes more likely to occur 2013: AlFardan et al. https://www.rc4nomore.com/ RFC 7465: Prohibiting RC4 Cipher Suites 8

TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 9

TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 10

Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

AES Counter Mode Nonce Counter J 1 J 2 AES-Enc AES-Enc P 1 P 2 C 1 C 2 13

Bit Flipping in AES Counter Mode J 1 J 2 AES-Enc AES-Enc C 1 C 2 P 1 P 2 Attacker can modify messages 14

AES-GCM GCM Galois Counter Mode AEAD (Authenticated Encryption with Additional Data) Only in TLS 1.2 Combination of Counter Mode and GHASH authentication Computed over Galois field 15

AES-GCM J 0 J 1 J 2 AES-Enc AES-Enc AES-Enc P 1 P 2 C 1 C 2 Gmul H Gmul H Gmul H Hash key H A len(a) len(c) Encryption of 128 zero bits: H=Enc(0) Gmul H Output: C T T 16

GCM: Opinions of Cryptographers "Do not use GCM. Consider using one of the other authenticated encryption modes, such as CWC, OCB, or CCM." (Niels Ferguson) "We conclude that common implementations of GCM are potentially vulnerable to authentication key recovery via cache timing attacks." (Emilia Käsper, Peter Schwabe, 2009) "AES-GCM so easily leads to timing side-channels that I'd like to put it into Room 101." (Adam Langley, 2013) "The fragility of AES-GCM authentication algorithm" (Shay Gueron, Vlad Krasnov, 2013) "GCM is extremely fragile" (Kenny Paterson, 2015) 17

Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

The Forbidden Attack Nonce: Number used once TLS: 8 Byte / 64 Bit nonce Joux (2006): Nonce reuse allows an attacker to recover the authentication key Attacker can modify messages 19

Consider one block H = AES (0) J 0 AES-Enc J 1 AES-Enc T = ( C 1 * H + L) * H + AES (J 0 ) P 1 T = C 1 * H 2 + L * H + AES (J 0 ) C 1 Gmul H Unknown values: H AES (J 0 ) len(a) len(c) Gmul H T 21

Duplicate nonce H = AES (0) J 0 AES-Enc J 1 AES-Enc T 1 = C 1,1 * H 2 + L 1 * H + AES (J 0 ) T 2 = C 2,1 * H 2 + L 2 * H + AES (J 0 ) P 1 C 1 Gmul H T 1 - T 2 = (C 1,1 C 2,1 ) * H 2 + (L 1 L 2 ) * H len(a) len(c) Gmul H T 22

Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

TLS 1.2 / RFC 5288 "Each value of the nonce_explicit must be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security. The nonce_explicit may be the 64-bit sequence number. Two problems: Random nonces: Collision probability Repeating nonces 24

Internet-wide Scan 184 hosts with repeating nonces Radware (Cavium chip) Several pages from VISA Europe 72445 hosts with random looking nonces A10, IBM Lotus Domino (both published updates) Sangfor (no response) More devices that we were unable to identify 26

Example: Radware OpenSSL 1.0.1j 0100000003001741 0100000003001741 f118cd0fa6ff5a15 f118cd0fa6ff5a16 f118cd0fa6ff5a74 e_aes.c (EVP_CIPHER_CTX_ctrl/aes_gcm_ctrl): if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) return 0; t1_enc.c: if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); } 27

Open Source Libraries Botan, BouncyCastle, MatrixSSL, SunJCE, OpenSSL No real problems Counter overflows in Botan and MatrixSSL 28

Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario 29

Attacking Vulnerable Websites GET visa.dk/index.html HTTP 1.1 200 OK <html> <script> </script> </html> HTTP 1.1 200 OK <html> <h1>hello Visa</h1> </html> 30

Demo 32

Attacking mi5.gov.uk 33

Conclusions TLS 1.2: no guidance how to use nonces correctly Some people get it wrong Implicit nonces needed: Chacha20/Poly1305 and TLS 1.3 based on record number Better test tools for TLS implementation flaws 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback