Crypto meets Web Security: Certificates and SSL/TLS

Similar documents
Public-Key Infrastructure NETS E2008

(Continue) Cryptography + (Back to) Software Security

Web Security [SSL/TLS and Browser Security Model]

Computer Security: Crypto & Web Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Overview. SSL Cryptography Overview CHAPTER 1

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Software Security and Intro to Cryptography

Chapter 4: Securing TCP connections

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

SSL/TLS. *Slides borrowed from Vitaly Shmatikov. slide 1

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

PROVING WHO YOU ARE TLS & THE PKI

CS 161 Computer Security

Introduction to Cryptography (cont.)

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography and Network Security

Internet security and privacy

Datasäkerhetsmetoder föreläsning 7

Cryptography (Overview)

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

CSE 484 / CSE M 584: Computer Security and Privacy. Usable Security. Fall Franziska (Franzi) Roesner

Information Security CS 526

Software Security Design Principles + Intro to Crypto

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Cryptography: Symmetric Encryption [continued]

Cryptographic Protocols 1

Cryptography [Symmetric Encryption]

Auth. Key Exchange. Dan Boneh

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Data Security and Privacy. Topic 14: Authentication and Key Establishment

SSL/TLS FOR MORTALS.

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Securing Internet Communication: TLS

Encryption. INST 346, Section 0201 April 3, 2018

CSE 565 Computer Security Fall 2018

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography (cont.)

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Key Management and Distribution

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

CSCE 715: Network Systems Security

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Network Security Chapter 8

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS November 2018

Cryptography and Network Security Chapter 14

Diffie-Hellman. Part 1 Cryptography 136

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Fall 2010/Lecture 32 1

Certificateless Public Key Cryptography

Software Security: Misc and Principles

Overview of Authentication Systems

Transport Layer Security

14. Internet Security (J. Kurose)

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Chapter 9: Key Management

Public-key Cryptography: Theory and Practice

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

1.264 Lecture 28. Cryptography: Asymmetric keys

Spring 2010: CS419 Computer Security

Symmetric Cryptography

Configuring SSL. SSL Overview CHAPTER

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Real-time protocol. Chapter 16: Real-Time Communication Security

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Configuring SSL CHAPTER

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Grenzen der Kryptographie

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Lecture Notes 14 : Public-Key Infrastructure

Web Security: Web Application Security [continued]

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Configuring SSL. SSL Overview CHAPTER

Web Security: Loose Ends

Chapter 8 Web Security

Security Fundamentals

CS Computer Networks 1: Authentication

Outline Key Management CS 239 Computer Security February 9, 2004

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 2 Applied Cryptography (Part 2)

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Most Common Security Threats (cont.)

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

CPSC 467b: Cryptography and Computer Security

CIS 5373 Systems Security

Using Cryptography CMSC 414. October 16, 2017

Web Security: Web Application Security [continued]

Transcription:

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key she received is really Bob s public key? 4/27/16 CSE 484 / CSE M 584 - Spring 2016 2

Threat: Man-In-The-Middle (MITM) Google.com 4/27/16 CSE 484 / CSE M 584 - Spring 2016 3

Distribution of Public Keys Public announcement or public directory Risks: forgery and tampering Public-key certificate Signed statement specifying the key and identity sig CA ( Bob, PK B ) Common approach: certificate authority (CA) Single agency responsible for certifying public keys After generating a private/public key pair, user proves his identity and knowledge of the private key to obtain CA s certificate for the public key (offline) Every computer is pre-configured with CA s public key 4/27/16 CSE 484 / CSE M 584 - Spring 2016 4

Trusted Certificate Authorities 4/27/16 CSE 484 / CSE M 584 - Spring 2016 5

Hierarchical Approach Single CA certifying every public key is impractical Instead, use a trusted root authority For example, Verisign Everybody must know the public key for verifying root authority s signatures Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on Instead of a single certificate, use a certificate chain sig Verisign ( AnotherCA, PK AnotherCA ), sig AnotherCA ( Alice, PK A ) What happens if root authority is ever compromised? 4/27/16 CSE 484 / CSE M 584 - Spring 2016 6

You encounter this every day SSL/TLS: Encryption & authentication for connections (More on this later!) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 7

Example of a Certificate 4/27/16 CSE 484 / CSE M 584 - Spring 2016 8

X.509 Certificate 4/27/16 CSE 484 / CSE M 584 - Spring 2016 9

Hash collisions Many Challenges [more examples in section] Weak security at CAs Allows attackers to issue rogue certificates Users don t notice when attacks happen We ll talk more about this later Etc 4/27/16 CSE 484 / CSE M 584 - Spring 2016 10

[Sotirov et al. Rogue Certificates ] Colliding Certificates set by the CA serial number validity period real cert domain name chosen prefix (difference) serial number validity period rogue cert domain name real cert RSA key Valid for both certificates! Hash to the same MD5 value! collision bits (computed)??? X.509 extensions signature identical bytes (copied from real cert) X.509 extensions signature 4/27/16 CSE 484 / CSE M 584 - Spring 2016 11

Attacking CAs Security of DigiNotar servers: All core certificate servers controlled by a single admin password (Pr0d@dm1n) Software on publicfacing servers out of date, unpatched No anti-virus (could have detected attack) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 12

Consequences Attacker needs to first divert users to an attackercontrolled site instead of Google, Yahoo, Skype, but then For example, use DNS to poison the mapping of mail.yahoo.com to an IP address authenticate as the real site decrypt all data sent by users Email, phone conversations, Web browsing 4/27/16 CSE 484 / CSE M 584 - Spring 2016 13

More Rogue Certs In Jan 2013, a rogue *.google.com certificate was issued by an intermediate CA that gained its authority from the Turkish root CA TurkTrust TurkTrust accidentally issued intermediate CA certs to customers who requested regular certificates Ankara transit authority used its certificate to issue a fake *.google.com certificate in order to filter SSL traffic from its network This rogue *.google.com certificate was trusted by every browser in the world 4/27/16 CSE 484 / CSE M 584 - Spring 2016 14

Certificate Revocation Revocation is very important Many valid reasons to revoke a certificate Private key corresponding to the certified public key has been compromised User stopped paying his certification fee to this CA and CA no longer wishes to certify him CA s private key has been compromised! Expiration is a form of revocation, too Many deployed systems don t bother with revocation Re-issuance of certificates is a big revenue source for certificate authorities 4/27/16 CSE 484 / CSE M 584 - Spring 2016 15

Certificate Revocation Mechanisms Certificate revocation list (CRL) CA periodically issues a signed list of revoked certificates Credit card companies used to issue thick books of canceled credit card numbers Can issue a delta CRL containing only updates Online revocation service When a certificate is presented, recipient goes to a special online service to verify whether it is still valid Like a merchant dialing up the credit card processor 4/27/16 CSE 484 / CSE M 584 - Spring 2016 16

Attempt to Fix CA Problems: Convergence Background observation: Attacker will have a hard time mounting man-in-themiddle attacks against all clients around the world Basic idea: Lots of nodes around the world obtaining SSL/TLS certificates from servers Check responses across servers, and also observe unexpected changes from existing certificates http://convergence.io/ 4/27/16 CSE 484 / CSE M 584 - Spring 2016 17

Keybase Basic idea: Rely on existing trust of a person s ownership of other accounts (e.g., Twitter, GitHub, website) Each user publishes signed proofs to their linked account https://keybase.io/ 4/27/16 CSE 484 / CSE M 584 - Spring 2016 18

SSL/TLS Secure Sockets Layer and Transport Layer Security protocols Same protocol design, different crypto algorithms De facto standard for Internet security The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications Deployed in every Web browser; also VoIP, payment systems, distributed systems, etc. 4/27/16 CSE 484 / CSE M 584 - Spring 2016 19

TLS Basics TLS consists of two protocols Familiar pattern for key exchange protocols Handshake protocol Use public-key cryptography to establish a shared secret key between the client and the server Record protocol Use the secret symmetric key established in the handshake protocol to protect communication between the client and the server 4/27/16 CSE 484 / CSE M 584 - Spring 2016 20

Basic Handshake Protocol ClientHello C Client announces (in plaintext): Protocol version it is running Cryptographic algorithms it supports Fresh, random number S 4/27/16 CSE 484 / CSE M 584 - Spring 2016 21

Basic Handshake Protocol C, version c, suites c, N c ServerHello C Server responds (in plaintext) with: Highest protocol version supported by both the client and the server Strongest cryptographic suite selected from those offered by the client Fresh, random number S 4/27/16 CSE 484 / CSE M 584 - Spring 2016 22

Basic Handshake Protocol C, version c, suites c, N c version s, suite s, N s, ServerKeyExchange C Server sends his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite) S 4/27/16 CSE 484 / CSE M 584 - Spring 2016 23

Basic Handshake Protocol C, version c, suites c, N c version s, suite s, N s, certificate, ServerHelloDone C ClientKeyExchange The client generates secret key material and sends it to the server encrypted with the server s public key (if using RSA) S 4/27/16 CSE 484 / CSE M 584 - Spring 2016 24

Basic Handshake Protocol C, version c, suites c, N c version s, suite s, N s, certificate, ServerHelloDone C {Secret c } PKs if using RSA C and S share secret key material (secret c ) at this point switch to keys derived from secret c, N c, N s switch to keys derived from secret c, N c, N s S Finished Finished Record of all sent and received handshake messages 4/27/16 CSE 484 / CSE M 584 - Spring 2016 25

Core SSL 3.0 Handshake (Not TLS) C, version c =3.0, suites c, N c version s =3.0, suite s, N s, certificate, ServerHelloDone C {Secret c } PKs if using RSA C and S share secret key material (secret c ) at this point switch to keys derived from secret c, N c, N s switch to keys derived from secret c, N c, N s S Finished Finished 4/27/16 CSE 484 / CSE M 584 - Spring 2016 26

Version Rollback Attack C, version c =2.0, suites c, N c Server is fooled into thinking he is communicating with a client who supports only SSL 2.0 Version s =2.0, suite s, N s, certificate, ServerHelloDone C {Secret c } PKs if using RSA S C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include Finished messages) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 27

Chosen-Protocol Attacks Why do people release new versions of security protocols? Because the old version got broken! New version must be backward-compatible Not everybody upgrades right away Attacker can fool someone into using the old, broken version and exploit known vulnerability Similar: fool victim into using weak crypto algorithms Defense is hard: must authenticate version in early designs Many protocols had version rollback attacks SSL, SSH, GSM (cell phones) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 28

Version Check in SSL 3.0 C, version c =3.0, suites c, N c Embed version number into secret version s =3.0, suite s, N s, certificate for PK s, ServerHelloDone C {version c, secret c } PKs Check that received version is equal to the version in ClientHello S C and S share secret key material secret c at this point switch to key derived from secret c, N c, N s switch to key derived from secret c, N c, N s 4/27/16 CSE 484 / CSE M 584 - Spring 2016 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback