ssl & tls story of a protocol part ii - tau · ssl & tls story of a protocol part ii...
TRANSCRIPT
![Page 1: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/1.jpg)
Introduction to Information Introduction to Information SecuritySecurity
SSL & TLSSSL & TLSSSL & TLSSSL & TLSStory of a protocolStory of a protocol
Part IIPart IIItamar Gilad (infosec15 at modprobe dot net)
![Page 2: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/2.jpg)
Certificate examplesCertificate examples• Good example
![Page 3: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/3.jpg)
Certificate examplesCertificate examples• Good example
![Page 4: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/4.jpg)
Certificate examplesCertificate examples• Not-so-good example
![Page 5: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/5.jpg)
Certificate examplesCertificate examples• Not-so-good example
![Page 6: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/6.jpg)
Reflecting trust to usersReflecting trust to users• We want users to know if a site is “safe” or not
• There are many things that may cause a certificate to be rejectedo Too old / too new (also caused by mis-configured dates on the host)
o Misconfigured servers (e.g.: presenting the wrong certificate for a subdomain)
o Client & server cannot agree on a ciphero Client & server cannot agree on a cipher
o Self-signed or untrusted certificate, but not a malicious attack
o Actual attack
• In reality, attacks are rare
• Nonetheless, we must be strict – reject and prompt the user!
• Result – few sites will even use SSL/TLS
• HTTP is more common than HTTPS by far (and often, users will connect to the HTTP version of an HTTPS website anyway…)
![Page 7: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/7.jpg)
Other reasons HTTPS is not as Other reasons HTTPS is not as
common as HTTPcommon as HTTP• Performance issues –
o though negligible for the client, a server has to perform many costly operations to support many clients (in particular – public key operations). Solution – Crypto accelerators & better support in modern CPUs
• Harder to obtain, configure & maintain –• Harder to obtain, configure & maintain –o More complex & often costly than plain HTTP
• Bad threat model –o Many companies & organizations do not see themselves or
their users as a target, so “there’s no need for encryption”
• Internet caching / filtering –o ISPs cannot cache (or otherwise inspect, manipulate or block)
traffic that’s encrypted
![Page 8: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/8.jpg)
Increasing use of HTTPSIncreasing use of HTTPS• HSTS (HTTP Strict Transport Security) –
o An HTTP header asking the client to use HTTPS in the future
o Very effective in minimizing the cleartext attack vectorvector
• HTTP certificate pinning (RFC 7469) –
o An HTTP header to enable ceritificate pinning over HTTP
o At first glance, it seems wrong
o But it does make it a little harder for the attacker (you can’t lie to everyone all the time…)
![Page 9: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/9.jpg)
Increasing use of HTTPSIncreasing use of HTTPS• Opportunistic Encryption –
o Try using HTTPS when possible, even without a certificate, to fight against mass-collection and tampering (make things harder for attackers without requiring anything new)without requiring anything new)
• “Let’s Encrypt” –
o A disruptive yet simple idea pushed by the EFF to offer a free CA to everyone
o Instead of background checks and real-world validation – prove validity by proving control over the domain / server content
o Theoretically, no reason not to support HTTPS anymore
![Page 10: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/10.jpg)
Review of TLS session Review of TLS session setupsetupsetupsetup
![Page 11: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/11.jpg)
What’s required for a secure What’s required for a secure
session?session?• Ciphers & MACs –
o Key exchange (and authentication) method –RSA, DH-RSA, DHE-RSA (PFS), ECDH-RSA, ECDHE-RSA (PFS), DH-DSS, DHE-DSS (PFS), PSK, PSK-RSA, DHE-PSK (PFS), Kerberos, etc.
o Symmetric cipher –Null, RC4, DES CBC, IDEA CBC, 3DES CBC, AES CBC, AES Null, RC4, DES CBC, IDEA CBC, 3DES CBC, AES CBC, AES CCM, AES GCM, ChaCha20-Poly1305, etc.
o Message authentication code –HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, AEAD, GOST, etc.
• Key material –o (Authenticated) Public key material
o Symmetric session keys
o MAC session keys
![Page 12: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/12.jpg)
• ClientHello
• Highest TLS version supported
• Supported cipher suites
• Supported compression methods
• Client Random
Client
TLS Handshake ExampleTLS Handshake Example
• Client Random
• ServerHello
• Chosen TLS version
• Chosen cipher suites
• Chosen compression methods
• Server Random
Server
![Page 13: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/13.jpg)
• Server Certificate
• ServerKeyExhange (DHE only)
• CertificateRequest (for client auth)
• ServerHelloDone
Server
•Client Certificate (for client auth)
•ClientKeyExchange (PreMasterSecret / public-key / none)
•CertificateVerify (for client auth – signing over the server’s random)Client
• ServerKeyExchange
• CertificateVerify (for the client’s cert)
• ChangeCipherSpec
• Finished (first encrypted and MAC’dmessage)
Server
•CertificateVerify (for client auth – signing over the server’s random)
•ChangeCipherSpec
•Finished (first encrypted and MAC’d message)
Client
![Page 14: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/14.jpg)
TLS record structureTLS record structure
Content Types Protocol Versions
![Page 15: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/15.jpg)
A word about FS/PFSA word about FS/PFS• PFS = “Perfect” Forward Secrecy
• Using a fixed key (e.g.: RSA) to send session keys makes any past session vulnerable to future compromise in an attacker can get future compromise in an attacker can get the private key
• Using Diffie-Hellman key-exchange based modes to agree upon session keys avoids this issue
• Relevant modes: DHE-RSA, DHE-DSS, ECDHE-RSA, ECDHE-ECDSA
![Page 16: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/16.jpg)
Version Rollback AttacksVersion Rollback Attacks• Let’s assume TLS 1.0 is secure, but we can
attack SSL v3 (not a myth)
• If we can find a way to make two TLS-capable hosts use an older version, we can capable hosts use an older version, we can defeat the use of encryption
• It just so happens that if two hosts try to use TLS 1.0 and fail to negotiate a connection, they will fall-back to SSLv3
• There are some attacks against the TLS 1.2 False Start extension
![Page 17: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/17.jpg)
Compression Based AttacksCompression Based Attacks• Any compression must be done before encryption
• Thus, TLS supports compression by default
• Goal: the attacker wants to know the value of a user’s cookie (i.e.: “session_id”) for domain example.comexample.com
• And that she can –
o Inspect all (encrypted) traffic
o Run Javascript code on the target, and thus –ask the user’s browser make multiple HTTPS requests of its choosing (but not get any clear-texts, since that would be a violation of the SOP)
![Page 18: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/18.jpg)
Compression Based AttacksCompression Based Attacks• The attacker asks the user to make the
following requests:o https://www.example.com/session_id=a
o https://www.example.com/session_id=b
o https://www.example.com/session_id=co https://www.example.com/session_id=c
o …
• The attacker can measure the length of the ciphertext, and know which guesses resulted in the shortest ciphertext
• Due to compression, if a sequence is repeated, it will compress better
![Page 19: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/19.jpg)
Compression Based AttacksCompression Based Attacks• Once the attacker finds a candidate,
they can try guessing the next byte:o https://www.example.com/session_id=aa
o https://www.example.com/session_id=ab
https://www.example.com/session_id=aco https://www.example.com/session_id=ac
o …
• By repeating these steps (and using some methods for recovering from errors) – the attacker can recover the entire cookie in minutes
![Page 20: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/20.jpg)
CRIME & BREACHCRIME & BREACH• The previous example was called CRIME (Compression
Ratio Info-leak Made Easy), and used TLS’s built-in compression in the client-to-server direction
• The solution to the CRIME vulnerability was simple – just disable TLS compression in all implementations
• Or was it?• Or was it?
• Enter BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) –o BREACH is like CRIME, but uses HTTP’s support for
compression in server responses to create a similar info-leak
o It requires a server which will reflect back to the user data controlled by the attacker
o Luckily, this is indeed possible (e.g.: by using error pages )
![Page 21: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/21.jpg)
HeartBleedHeartBleed 101101• In SSL/TLS, a “Heart-beat” packet can be used to
keep the connection alive / know when the connection has dropped
• Similarly an ICMP Echo Request – the peer will echo sent data (using a built-in length field)sent data (using a built-in length field)
• OpenSSL (~66% of HTTPS servers on the Internet) allowed a peer to send a heart-beat packet while controlling the length field
• Attacker can send a small packet with a large length value Attacker gets back a bigger answer, consisting of unknown server memory
Logo credit: http://heartbleed.com/
![Page 22: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/22.jpg)
ImplicationsImplications• Reading (dynamic) server memory
• Which may contain sensitive information
• And key material!
• If exploited, all your security are belong to us! (can decrypt / MITM that site’s traffic)
Logo credit: http://heartbleed.com/
![Page 23: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/23.jpg)
MitigationMitigation• Proper Solution –
o Update to a fixed version of OpenSSL
o Generate new certificates
o Ask all users to change all passwords, audit anything that happened in the mean time
o Never sleep well again
• Reality –o Most of the Internet has been patched very quickly
(<24hours)
o Not all certificates have been / will be replaced
o Most sites have not urged users to change passwords
o Most users won’t do it anyway…
Logo credit: http://heartbleed.com/
![Page 24: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/24.jpg)
FREAK & LogjamFREAK & Logjam• FREAK = Factoring RSA Export Keys
• In the past, strong encryption couldn’t legally be exported from USA
• SSL/TLS’s solution? – export-grade-compatibility mode, which limits RSA keys to 512 bits (which today are easy to factor)factor)
• On many common implementations, a MITM-capable attacker can force the client & server to use the export-grade keys instead of the secure copy
• “Logjam” = extremely similar attack for Diffie-Hellman based key exchanges
• Both attacks use weaknesses in the state-machine based implementations of SSL/TLS
![Page 25: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/25.jpg)
RSA Key Generation VulnerabilitiesRSA Key Generation Vulnerabilities• In RSA –
o p, q are both large random primes, and are used to create the public and private keys
o (n = p * q) is the main part of the public key, which is included in the certificate
• What if two hosts chose a common factor?• What if two hosts chose a common factor?
• This shouldn’t ever happen, but it did happen!
• Using GCD, researchers managed to verify (and crack) those keys
• Out of 11.4 Million keys, 26995 had common factors
• Further checks using larger data sets found even more collisions
• Most of these collisions appear to be in embedded devices and security hardware (), where real random data is more scarce
![Page 26: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/26.jpg)
SSL/TLS VulnerabilitiesSSL/TLS Vulnerabilities• Weak(er) cryptographic primitives –
o What we most often fear
o Often – not really the problem, but TLS is a ‘pluggable’ system, so these should be very easy to overcome
o Examples –RC4 (significant attacks), MD5 (likewise)o Examples –RC4 (significant attacks), MD5 (likewise)
• Weak(er) cryptographic constructs –o MAC-then-Encrypt vs Encrypt-then-MAC vs simultaneous
o CBC mode vs. CTR mode
o Padding oracles
o Can be an issue (POODLE attack, etc.), though often harder to exploit
![Page 27: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/27.jpg)
SSL/TLS VulnerabilitiesSSL/TLS Vulnerabilities• Implementation issues & design flaws –
o Timing attacks (Lucky 13, etc.)
o State-machine attacks & protocol downgrades
o Heartbleed & parsing bugs
o History of design flaws throughout the development of o History of design flaws throughout the development of SSL/TLS
o CA model is a major issue still affecting TLS/SSL security
![Page 28: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/28.jpg)
State of the Web (State of the Web (0505//20152015))• Report by SSL Pulse (PDF)
![Page 29: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/29.jpg)
Misc. attacks on SSL/TLSMisc. attacks on SSL/TLS• Parsing bugs (ASN.1, DER, X.509, PKCS, etc.) – mainly
leading to DoS, but in some cases – can enable MITM attack (BERserk, 2014)
• Session Truncation attacks –
o TLS often carried over TCPo TLS often carried over TCP
o TCP metadata is still insecure
o Attacker can send a TCP FIN packet to terminate a connection on behalf of the client
o E.g.: Can be used to prevent a user from signing-out of a secure server
![Page 30: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/30.jpg)
TORTOR• TOR = The Onion Router
• A distributed, community supported network for anonymity – protecting the identities of clients (and servers)
• Anonymity is created by using a random path • Anonymity is created by using a random path through 3 or more TOR routers
• The link to each node is encrypted using another key (‘layered’ encryption onion routing)
![Page 31: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/31.jpg)
TOR session setupTOR session setup
![Page 32: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/32.jpg)
TOR session setupTOR session setup
![Page 33: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/33.jpg)
TOR session setupTOR session setup
![Page 34: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/34.jpg)
TOR issuesTOR issues• Exit nodes can be evil (snoop or attack
users)
• Side channels (DNS, etc.) may leak sensitive datadata
• Endpoint security still an issue (attacks against Tor Browser, etc.)
• Traffic correlation attacks demonstrated
![Page 35: SSL & TLS Story of a protocol Part II - TAU · SSL & TLS Story of a protocol Part II ItamarGilad(infosec15 at modprobedot net) Certificate examples • Good example. ... even without](https://reader033.vdocuments.pub/reader033/viewer/2022052519/5f0f4b4b7e708231d4437274/html5/thumbnails/35.jpg)
Questions?Questions?Questions?Questions?