no more downgrades: protec)ng TLS from legacy crypto

Similar documents
Protecting TLS from Legacy Crypto

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Deploying a New Hash Algorithm. Presented By Archana Viswanath

for Compound Authentication

DROWN - Breaking TLS using SSLv2

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Summary on Crypto Primitives and Protocols

Introduction to Cryptography. Lecture 6

Downgrade Resilience in Key-Exchange Protocols

Real-time protocol. Chapter 16: Real-Time Communication Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Chapter 4: Securing TCP connections

Diffie-Hellman, discrete logs, the NSA, and you. J. Alex Halderman University of Michigan

CS 494/594 Computer and Network Security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Crypto meets Web Security: Certificates and SSL/TLS

Online Cryptography Course. Basic key exchange. Trusted 3 rd par7es. Dan Boneh

Encryption. INST 346, Section 0201 April 3, 2018

Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6

The ElGamal Public- key System

32c3. December 28, Nick goto fail;

TLS1.2 IS DEAD BE READY FOR TLS1.3

CSE 127: Computer Security Cryptography. Kirill Levchenko

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Expires: September 10, 2015 Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

Defeating All Man-in-the-Middle Attacks

What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web

Authenticated Encryption in TLS

Version: $Revision: 1142 $

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

WAP Security. Helsinki University of Technology S Security of Communication Protocols

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Sensitive Information in a Wired World

A messy state of the union:

Cryptographic Hash Functions

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Randomness Extractors. Secure Communication in Practice. Lecture 17

What s in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS

Information Security CS 526

Findings for

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Cryptography and Network Security

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Cryptographic Hash Functions

Coming of Age: A Longitudinal Study of TLS Deployment

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

David Wetherall, with some slides from Radia Perlman s security lectures.

CS Computer Networks 1: Authentication

Internet Engineering Task Force (IETF) Google Inc. M. Ray Microsoft Corp. September 2015

CSCE 715: Network Systems Security

SSL/TLS. Pehr Söderman Natsak08/DD2495

Cryptography. Lecture 12. Arpita Patra

Your Apps and Evolving Network Security Standards

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Noise Protocol Framework. Trevor Perrin

*the Everest VERified End-to-end Secure Transport. Verified Secure Implementations for the HTTPS Ecosystem mitls & Everest*

Breaking and Fixing Public-Key Kerberos

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Lecture 1: Course Introduction

SSL/TLS Security Assessment of e-vo.ru

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

State of TLS usage current and future. Dave Thompson

CLEARPASS CONFIGURING IPsec TUNNELS

Data Security and Privacy. Topic 14: Authentication and Key Establishment

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

CIS 4360 Secure Computer Systems Applied Cryptography

Securing Internet Communication: TLS

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

The OpenSSH Protocol under the Hood

Data Integrity. Modified by: Dr. Ramzi Saifan

Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 8

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

In search of CurveSwap: Measuring elliptic curve implementations in the wild

Crypto Basics: History, Applied Cryptography in IT Security Today and in the Next Year

Crypto Background & Concepts SGX Software Attestation

CSCE 715: Network Systems Security

Lecture 4: Authentication and Hashing

Security Analysis of Extended Sponge Functions. Thomas Peyrin

VPN Overview. VPN Types

Homework 3: Solution

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

CS 395T. Formal Model for Secure Key Exchange

Cryptography: More Primitives

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Overview of TLS v1.3. What s new, what s removed and what s changed?

Introduction to Public-Key Cryptography

CS6750: Cryptography and Communica7on Security

Jaap van Ginkel Security of Systems and Networks

Overview of TLS v1.3 What s new, what s removed and what s changed?

CIT 480: Securing Computer Systems. Hashes and Random Numbers

ENEE 459-C Computer Security. Message authentication

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

PGP: An Algorithmic Overview

CSE484 Final Study Guide

Breaking and Fixing Public-Key Kerberos

Transcription:

no more downgrades: protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with: g. leurent, c. brzuska, c. fournet, m. green, m. kohlweiss, s. zanella-beguelin

TLS: a long year of downgrade afacks POODLE TLS 1.2 à SSLv3 [Dec 14] FREAK RSA-2048 à RSA-512 [Mar 15] LOGJAM DH-2048 à DH-512 [May 15] BLEICH? RSA-Sign à RSA-Enc [Aug 15] SLOTH RSA-SHA256 à RSA-MD5 [Jan 16] What s going on? How do we fix it in TLS 1.3? More details: mitls.org, sloth-afack.org

Anonymous Diffie-Hellman (ADH)

Man-in-the-Middle afack on ADH Ac)ve Network AFacker or Malicious Peer

Authen)cated DH (SIGMA) PKI Sign-and-MAC: prevents most MitM afacks

Agility: Nego)a)ng DH Groups Group Nego)a)on Why? backwards compa)bility, export regula)ons, sloth

MitM Group Downgrade AFack Essen)ally, Logjam [CCS 15]

MACs for Downgrade Protec)on TLS: mac the full transcript to prevent tampering mac(k, [G 2048,G 512 ] G 512 m 1 m 2 ) but it is too late, because we already used G 512 k = kdf(g xy mod p 512 ) so, the afacker can forge the mac The TLS downgrade protec:on mechanism itself depends on downgradeable parameters. hence, the only fix is to find and disable all weak parameters: groups, curves, mac algorithms,

Signing Handshake Transcripts IKEv1: both A and B sign the offered groups sign(sk B, hash([g 2048,G 512 ] m 1 m 2 )) no agreement on chosen group! IKEv2: each signs its own messages sign(sk A, hash([g 2048,G 512 ] m 1 )) sign(sk B, hash(g 512 m 2 )) no agreement on offered groups! SSH-2 and TLS 1.3: sign everything sign(k, hash([g 2048,G 512 ] G 512 m 1 m 2 )) works! (. or does it?)

SLOTH: Transcript Collision AFacks SSH-2 and TLS 1.3: sign the full transcript sign(k, hash([g 2048,G 512 ] G 512 m 1 m 2 )) what if hash were a weak hash func)on? How weak can hash be? do we need collision resistance? do we only need 2 nd preimage resistance? SLOTH: transcript collision afacks break key protocol guarantees in TLS, IKE, SSH so yes, we do need collision resistance

Authen)cated DH with Nego)a)on Cipher/Version Nego)a)on Transcript Hash

A Transcript Collision AFack Transcript Collision

Compu)ng a Transcript Collision hash(m 1 m 2 ) = hash(m 1 m 2 ) We need to compute a collision, not a preimage Assume we know or control the black bits, how easy would it be to compute the red bits? This is usually called a generic collision If we re lucky, we can set up a shortcut collision Common-prefix: collision aler a shared prefix Chosen-prefix: collision aler afacker-controlled prefixes

Primer on Hash Collision Complexity MD5: known hash collision complexi)es MD5 generic collision: 2 64 hashes (birthday) MD5 chosen-prefix collision: 2 39 hashes (1 hour) MD5 common-prefix collision: 2 16 hashes (seconds) SHA1: es)mated hash collision complexi)es SHA1 generic collision: 2 80 hashes (birthday) SHA1 chosen-prefix collision: 2 77 hashes (?) SHA1 common-prefix collision: 2 61 hashes (?) Collision resistance for other hash construc)ons MD5(x) SHA1(x) not much befer than SHA1 HMAC-MD5(k,x) not much befer than MD5 HMAC-SHA256(k,x) truncated to 2N bits takes 2 N hashes

A Generic Transcript Collision hash(m 1 m 2 ) = hash(m 1 m 2 ) Suppose hash = MD5 Problem: afacker must compute m 1 before seeing m 2 So, suppose B uses predictable m 2 (no freshness) We can break the protocol with 2 64 MD5 hashes S)ll imprac)cal for academics, but almost feasible

A Common-Prefix Transcript Collision hash(m 1 m 2 ) = hash(m 1 m 2 ) hash([len 1 g x nego A ] [len 2 g y nego B ) = hash([len 1 g x nego A ] [len 2 gy nego B ]) Suppose len 2 is predictable but m 2 is not Problem: need to compute m 1 aler m 1 but before m 2 But suppose nego A, nego B allow arbitrary data We can break the protocol with 2 39 MD5 hashes About 1 hour on a powerful worksta)on

A Common-Prefix Transcript Collision hash(m 1 m 2 ) = hash(m 1 m 2 ) Compute a chosen-prefix MD5 collision C 1, C 2 : hash([len 1 g x nego A ] [len 2 g y C 1 ) = hash([len 1 g x filler bytes C 2 ]) Then, by carefully choosing m 1, m 2, we get hash(m 1 m 2 ) = hash([len 1 g x nego A ] [len 2 g y C 1 m 2 ]) = hash([len 1 g x <filler bytes> C 2 ] m 2 ) = hash(m 1 m 2 )

SLOTH in TLS 1.2 TLS 1.2 supports MD5-based signatures! Surprising, because TLS <= 1.1 only supported MD5 SHA1 Even if the client and server prefer RSA-SHA256, the connec)on can be downgraded to RSA-MD5! We can break TLS 1.2 client signatures Takes 1 hour/connec)on on a 48-core worksta)on Prac)cal-ish: we can always throw more cores/asics at it TLS 1.2 server signatures are harder to break Irony: the same flaw that enables Logjam blocks SLOTH Needs 2 X prior connec)ons + 2 128-X hashes/connec)on Not prac)cal for academics, maybe doable by govt?

Other SLOTH AFacks Reduced security for TLS 1.*, IKEv1, IKEv2, SSH via downgrades + transcript collisions these are protocol flaws, not implementa)on bugs Mi:ga:on: fully disable MD5 (and SHA1?) hfp://sloth-afack.org

Downgrade Resilience in TLS 1.3 Both client and server sign the full transcript with strong signature and hash algorithms TLS 1.3 client/server authen)ca)on with RSA-MD5 is completely broken by SLOTH, so we got rid of MD5 Good news: We can prove that the downgrade protec)on sub-protocol within TLS 1.3 works New crypto defini)ons, proofs, in dral paper What do we do about version downgrade? Can an afacker downgrade TLS 1.3 to TLS 1.2 and remount Logjam, SLOTH etc?

Version Downgrade Resilience To detect downgrades, clients need to check that the server chose the highest common version TLS 1.3 server signatures do cover client+server versions But TLS <= 1.2 server signatures do not cover the version How do we patch TLS <= 1.2 to prevent downgrades? Protocol extensions or SCSVs cannot help; the afacker will delete them Look away: we put the max server version in the server nonce because it is signed in all versions of TLS Good news: we can now prove version downgrade resilience for clients and servers that support TLS 1.0-1.3 only for signature ciphersuites, not if they support RSA

Final Thoughts Legacy crypto is strangely hard to get rid of, but we have to keep trying to kill them Key exchanges in Internet protocols do rely on collision resistance, don t let anyone tell you otherwise! We can and should design downgrade resilient protocols Implementa)on bugs can undermine all protec)ons; so we need to verify protocol code More details, papers, demos are at: hfp://mitls.org hfp://sloth-afack.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback