Attacks on SSL/TLS - Applied Cryptography, Lecture 6 · 2015-12-09 · Applied Cryptography,...

Post on 19-Jul-2020


/ department of mathematics and computer science

Assignments

- Choice of topic: before Thursday, November 26th, 23:59 (today).
- Assignment of topic: Friday, November 27th.
- Deadline of first assignment: Sunday, December 13th, 23:59.

The deadlines are strict!


Attacks on SSL/TLS
Applied Cryptography, Lecture 6

Ruben Niederhagen

Nov. 26th, 2015


Timeline of attacks on SSL/TLS

[Figure: timeline with the years 2010, 2011, 2012, 2013, 2014, 2015, 2016. Attacks placed on it, in the order shown on the slide:]

- SSLstrip
- BEAST
- CRIME
- Lucky 13
- Royal Holloway
- BREACH
- FREAK
- Bar-mitzvah
- Heartbleed
- POODLE
- Logjam
- NOMORE
- RC4

Arrow pointing left of the timeline: the 2002 Padding Oracle attack predates it.


SSLstrip Attack (2009)

- Eve wants to read the traffic between Alice and Bob's webserver.
- Problem: Bob offers HTTP via TLS.
- Solution: Make sure Alice uses an unencrypted connection.

People usually start SSL connections in two different ways:

- Click on links that happen to be https.
- Through HTTP 302 redirects. (Try to enter http://www.google.nl/ in your web browser.)

Idea: Parse web traffic and strip the “s” from all links to https: https → http


SSLstrip Attack (2009)

- Watch HTTP traffic go by.
- Switch <a href="https://..."> to <a href="http://..."> and remember what has changed.
- Switch the request https://... to http://... and remember what has changed.


- If we see an HTTP request for a URL that we had stripped, proxy that request as HTTPS.
- Watch the HTTPS traffic go by; remember relative links, CSS links, JavaScript, ...


- The server does not notice any difference.
- No warning message is displayed to the client; the user needs to look out for https marks explicitly (and know about it).
- Eve sees all the traffic.


SSLstrip Attack (2009)

Countermeasure: HTTP Strict Transport Security (HSTS).
- Inform the browser to always use SSL/TLS to the site.
- This information is stored by the browser for all future connections.
- Can also be stripped by the attacker; only works if the first connection was not intercepted.
- Some browsers are shipped with a static HSTS list for some sites.

Best countermeasure: Carefully check that the site is encrypted when handling sensitive information!
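As an added example (not code from the slides or from any browser): a small model of how a browser stores and applies an HSTS policy. It shows the three points above in running code: the first, not-yet-remembered connection is still open to stripping; the header only counts when it arrived over TLS, so an attacker on a plain-HTTP connection can strip it but not plant a bogus one; and a host on a built-in (preload) list is upgraded even on the first visit. The preload set, host names, and the `now` parameter are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the static HSTS (preload) list shipped with some browsers.
PRELOAD_LIST = {"preloaded-bank.test"}


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value; None if it is unusable."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    # max-age is mandatory; without it the browser ignores the header.
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """What the browser remembers: host -> (expiry time, includeSubDomains flag)."""

    def __init__(self):
        self.known = {}

    def record(self, scheme: str, host: str, header: str, now: float) -> bool:
        # The header is only trusted when it arrived over TLS. An attacker who
        # downgraded the first connection can therefore strip it (the caveat on
        # the slide), but cannot inject a policy over plain HTTP.
        if scheme != "https":
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.known.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.known[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host: str, now: float) -> bool:
        if host in PRELOAD_LIST:
            return True
        for stored, (expiry, subdomains) in self.known.items():
            if now >= expiry:
                continue
            if host == stored or (subdomains and host.endswith("." + stored)):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts before a request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The `rewrite` step is what defeats the link-stripping proxy: for a remembered host the browser never emits the plain-HTTP request that the proxy would have to see. Everything before the first `record` over TLS is the window the slide warns about.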


BEAST Attack (2011)

Recall the CBC mode of operation:

[Figure: Cipher Block Chaining (CBC) mode encryption. Each plaintext block is XORed with the previous ciphertext block (the Initialization Vector (IV) for the first block) and then passed through block cipher encryption under the key; the output is the ciphertext block and also the chaining value for the next block.]

[Figure (two animation frames): the BEAST chosen-block test on chained CBC. Plaintext 0, 1, 2 are encrypted to Ciphertext 0, 1, 2 starting from the IV. Frame 1: the attacker has the client encrypt "guessed Plaintext 1" as the next block, which is chained with Ciphertext 2 and gives Ciphertext 3, so it cannot be compared with Ciphertext 1 directly. Frame 2: the attacker instead supplies "guessed Plaintext 1 ⊕ Ciphertext 0 ⊕ Ciphertext 2" as the next block; after the XOR with Ciphertext 2 the block cipher encrypts "guessed Plaintext 1 ⊕ Ciphertext 0", exactly the input that produced Ciphertext 1. The new ciphertext block equals Ciphertext 1 if and only if the guess was right.]


BEAST Attack (2011)

BEAST: Browser Exploit Against SSL/TLS
- The attacker must be able to force the client to send deliberate data.
- There have been proof-of-concepts using cross-site scripting for stealing session cookies (byte by byte).
- Do we need to worry about information leaking when the attacker can modify or inject data on the client side?

Countermeasures:
- For TLS 1.0: send an empty packet ahead of each packet.
- TLS 1.1 and newer are not affected by this attack because each packet has a new IV that is sent in plain text.


CRIME (2012) and BREACH (2013) Attacks

CRIME: Compression Ratio Info-leak Made Easy
- Some parts of the plaintext are VERY predictable.
- Session cookies can be found on well-defined spots:

    GET index.html HTTP/1.1
    Host: thebankserver.com
    (...)
    Cookie: secret=7xc89f+94/wa
    (...)

- Try to send data from the client in the TLS context and see how this affects the ciphertext; “guess” the session cookie character by character.


CRIME (2012) and BREACH (2013) Attacks

CRIME attack: exploit SSL/TLS compression
- Iteratively increase the guessed secret value (the slide animates the guess from 0XXX through 7XXX, then 70XX):

    GET index.html HTTP/1.1
    Host: thebankserver.com
    (...)
    Cookie: secret=7xc89f+94/wa
    (...)
    Cookie: secret=0XXX

- E.g., with DEFLATE compression, the second occurrence of “secret=” is encoded as a back reference.
- Once the correct 1st digit has been reached, the compressed plaintext and thus the ciphertext will be shorter.
- Continue with the next digit.
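As an added example (not code from the slides): the length measurement behind the step above, run locally with Python's `zlib` as a stand-in for TLS-level DEFLATE. The request text is constructed in the shape the slide shows (a `User-Agent` line is added as filler), and `XXX` plays the role of the slide's placeholder. The function `recover_next_char` is the one digit step; `recover_secret` repeats it, which goes beyond the slide's single digit. Forcing a fixed-Huffman block (`zlib.Z_FIXED`) is an assumption made so that one saved literal is exactly one saved byte; with dynamic Huffman tables the per-guess difference can be absorbed by byte alignment, which is why the real attack needs several measurements per character. With compression switched off, the countermeasure on the following slide, every guess produces the same length and the step learns nothing.

```python
import zlib

# Constructed request in the shape shown on the slides; the cookie value is the
# secret the attacker wants to learn.
REQUEST = (
    "GET index.html HTTP/1.1\r\n"
    "Host: thebankserver.com\r\n"
    "User-Agent: example/1.0\r\n"
    "Cookie: secret=7xc89f+94/wa\r\n"
)


def wire_length(text: str, compression: bool = True) -> int:
    """Bytes an observer sees for one record: DEFLATE-compressed (as TLS
    compression did) or raw. Z_FIXED forces a fixed-Huffman block (assumption,
    see lead-in) so that one saved literal is exactly one saved byte."""
    data = text.encode()
    if not compression:
        return len(data)
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(comp.compress(data) + comp.flush())


def length_with_guess(request: str, prefix: str, guess: str, compression: bool = True) -> int:
    """Length after the attacker makes the client add a line carrying the guess,
    e.g. "Cookie: secret=0XXX": the longer the match with the real cookie line,
    the longer the DEFLATE back reference and the shorter the output."""
    return wire_length(request + f"Cookie: {prefix}{guess}XXX\r\n", compression)


def recover_next_char(request: str, prefix: str, alphabet: str, compression: bool = True):
    """One CRIME step: the guess with the uniquely shortest record is the next
    character of the secret; None when all guesses tie (e.g. compression disabled)."""
    lengths = {c: length_with_guess(request, prefix, c, compression) for c in alphabet}
    best = min(lengths.values())
    winners = [c for c, n in lengths.items() if n == best]
    return winners[0] if len(winners) == 1 else None


def recover_secret(request: str, known_prefix: str, alphabet: str, length: int) -> str:
    """Repeat the step character by character, stopping at the first tie."""
    secret = ""
    for _ in range(length):
        c = recover_next_char(request, known_prefix + secret, alphabet)
        if c is None:
            break
        secret += c
    return secret
```

Note that the function only ever compares lengths; the ciphertext itself is never needed, which is exactly why encryption does not help against this leak and the only fixes are to remove the compression or the attacker's ability to inject data next to the secret.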


CRIME (2012) and BREACH (2013) Attacks

Countermeasure for the CRIME attack:
- Disable TLS compression (on client or server).
- Prevent the attacker from sending data in the user context (prevent cross-site request forgery).
- There will be no compression in TLS 1.3.


CRIME (2012) and BREACH (2013) Attacks

BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
The same attack works on HTTP content when HTTP compression is used. It will still work with TLS 1.3!

Countermeasure for the BREACH attack:
- Disable HTTP compression (on client or server).
- Prevent the attacker from sending data in the user context (prevent cross-site request forgery).
- Disable HTTP compression on cross-site requests.


Padding Oracle Attack (2002)

TLS prior to version 1.1 was susceptible to a padding oracle attack.
- Before encrypting with AES-CBC, data||MAC-tag needs to be padded to the AES block size (16 bytes).
- The padding sets each byte in the pad to the pad length, i.e., the padding has a specific format.

At the server side, on receipt of an encrypted record:
- decrypt the record with the client encryption key,
- check the pad format; if it is not valid, return a decryption_failed alert,
- if the pad format is okay, check the MAC on the fragment; if it does not verify, return a bad_record_mac alert.

This introduced different types of errors that an attacker can distinguish.


Padding Oracle Attack (2002)

Padding oracle:
- The attacker submits ciphertexts of choice,
- and learns whether the last bytes of the plaintext are a valid pad;
- if not valid, the server returns decryption_failed,
- if valid, the server returns bad_record_mac.

Gives rise to a chosen-ciphertext attack!


Padding oracle attack on CBC encryption

CBC mode encryption:
- C_0 = IV,
- C_i = E_K(C_{i-1} ⊕ M_i).

CBC mode decryption:
- C_0 = IV,
- M_i = D_K(C_i) ⊕ C_{i-1}.

Suppose an attacker wants to find M_2 from the ciphertext (C_0, C_1, C_2, ...).
- M_2 = D_K(C_2) ⊕ C_1.
- Guess the last byte of M_2 to be g,
- compute C'_1 = C_1 ⊕ 00|...|00|g ⊕ 00|...|00|01,
- submit C = (C'_1, C_2) to the server and wait for the response.
- If g is the last byte of M_2, the decryption of C will have a valid pad;
- if not, the pad will not be valid;
- try all 256 possible bytes for g until the correct one g_0 is found.
- Go on using C'_1 = C_1 ⊕ 00|...|00|g|g_0 ⊕ 00|...|00|02|02.
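As an added example (not code from the slides): one runnable model of the two CBC weaknesses on this page, the BEAST chosen-block test on chained IVs from the BEAST slides and the padding-oracle recovery of M_2 described just above. A constructed toy Feistel block cipher stands in for AES so that the example runs offline; the cipher, the key, the messages, and the `padding_oracle` function that plays the pre-TLS-1.1 server are all assumptions. `recover_block` generalises the slides' single step to the whole block, with one check the slides leave implicit: a hit for the 01 pad can also be a 02|02 (or longer) pad, so the byte before the last one is disturbed and the oracle queried again before the guess is accepted.

```python
import hashlib
import os

BLOCK = 16
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Toy 16-byte Feistel block cipher: a constructed stand-in for AES (assumption) ---
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def E(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def D(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


# --- CBC exactly as on the slides: C_0 = IV, C_i = E_K(C_{i-1} xor M_i), M_i = D_K(C_i) xor C_{i-1} ---
def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = E(key, xor(prev, msg[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(D(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


# --- BEAST: in TLS 1.0 the IV of the next record is the last ciphertext block, which
# the attacker has already seen, so a chosen block becomes an equality test. ---
def beast_guess_is_right(key, last_block, c_prev, c_target, guess) -> bool:
    # E_K(last_block xor chosen) = E_K(c_prev xor guess), which equals c_target iff guess == M_i.
    chosen = xor(xor(last_block, c_prev), guess)
    return cbc_encrypt(key, last_block, chosen) == c_target


def beast_guess_with_explicit_iv(key, last_block, c_prev, c_target, guess) -> bool:
    # TLS 1.1+: a fresh random IV per record. The attacker still only knows last_block,
    # so the cancellation fails and the test is False (except with probability 2^-128).
    chosen = xor(xor(last_block, c_prev), guess)
    return cbc_encrypt(key, os.urandom(BLOCK), chosen) == c_target


# --- Padding oracle: pad of n bytes, each equal to n (the slides' 01, 02|02, ...) ---
def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def pad_valid(data: bytes) -> bool:
    n = data[-1]
    return 1 <= n <= BLOCK and data.endswith(bytes([n]) * n)


def padding_oracle(key: bytes, record: bytes) -> bool:
    """Models the pre-TLS-1.1 server: the first block is taken as the IV and the
    alert (decryption_failed vs. bad_record_mac) reveals whether the pad was valid."""
    return pad_valid(cbc_decrypt(key, record[:BLOCK], record[BLOCK:]))


def recover_block(oracle, c_prev: bytes, c_target: bytes) -> bytes:
    """Recover M_i = D_K(c_target) xor c_prev from the right, one byte per 256 queries."""
    known = b""
    for n in range(1, BLOCK + 1):               # target pad: 01, then 02|02, then 03|03|03, ...
        for g in range(256):
            tail = bytes([g]) + known
            mask = bytes(BLOCK - n) + xor(tail, bytes([n]) * n)
            if not oracle(xor(c_prev, mask) + c_target):
                continue
            if n == 1:
                # A valid pad here may really be 02|02 (or longer): disturb the byte before
                # the last one and ask again; only a genuine 01 pad survives that.
                mask2 = bytes(BLOCK - 2) + bytes([0xFF]) + mask[-1:]
                if not oracle(xor(c_prev, mask2) + c_target):
                    continue
            known = tail
            break
    return known
```

The oracle is the only thing the attacker talks to, and it answers a yes/no question about padding; the 16 · 256 bound on the next slide is the loop structure of `recover_block`. The same code with `beast_guess_with_explicit_iv` shows why the TLS 1.1 change (an IV the attacker cannot predict) closes the BEAST test while leaving the padding-oracle question entirely to the server's error handling.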


Padding oracle attack on CBC encryption

[Figure (four animation frames): CBC mode decryption of two ciphertext blocks. Each ciphertext block goes through block cipher decryption under the key and is XORed with the previous ciphertext block (the Initialization Vector (IV) for the first block) to give the plaintext block. Frame 3: the attacker replaces the last byte of the first ciphertext block by Ciphertext ⊕ g ⊕ 01, so the last byte of the second plaintext block becomes 01 exactly when g was right. Frame 4: the last two bytes are replaced by Ciphertext ⊕ g ⊕ 02 | ⊕ g_0 ⊕ 02, so the second plaintext block ends in 02|02 exactly when g equals the second-to-last byte.]


Padding oracle attack on CBC encryption

- For AES we can find one plaintext block with at most 16 · 256 chosen-ciphertext queries to the padding oracle.
- More complicated in practice: in case of an invalid record, the session is terminated and new keys need to be negotiated.
- Still a valid attack if the same message is encrypted in various sessions.
- Example: IMAP over TLS: every few minutes the client sends username and password to log in.
- Compute the password within a few hours.


Padding oracle attack on CBC encryption

Solutions:
- Make the alert message and the time the same in both cases.
- RFCs: always perform a MAC check as if zero-length padding were applied.
- Encrypt-then-MAC avoids the problem because the change is detected before decryption.
- MAC-then-CBC is authenticated encryption, but the padding oracle destroys it.
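As an added example (not code from the slides or from any TLS implementation): the server-side record check in both forms, the pre-TLS-1.1 version that returns two different alerts and the RFC remedy that always computes the MAC and returns a single alert. The code works on the plaintext the server sees after CBC decryption, so no cipher is needed; HMAC-SHA256 as the MAC, the key, and the sample record are assumptions (TLS 1.0 used HMAC-MD5/SHA-1). The uniform check removes the distinguishable alerts this slide is about; it does not remove the timing difference that the Lucky 13 slides below take up, because the MAC still runs over a fragment whose length depends on whether the pad was accepted.

```python
import hashlib
import hmac

BLOCK = 16
TAG_LEN = 32   # HMAC-SHA256 tag length (assumption for this example)


def mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def build_record(data: bytes, mac_key: bytes) -> bytes:
    """MAC-then-pad as on the slides: data || MAC-tag || pad, each pad byte = pad length.
    The CBC layer is omitted; the checks below see the plaintext as the server does
    after decryption."""
    body = data + mac(mac_key, data)
    n = BLOCK - len(body) % BLOCK
    return body + bytes([n]) * n


def pad_length(plain: bytes):
    """The pad length if the trailing pad has the required format, else None."""
    n = plain[-1] if plain else 0
    return n if 1 <= n <= BLOCK and plain.endswith(bytes([n]) * n) else None


def check_record_leaky(plain: bytes, mac_key: bytes) -> str:
    """Pre-TLS-1.1 processing from the slides: two distinguishable alerts."""
    n = pad_length(plain)
    if n is None:
        return "decryption_failed"        # tells the sender the pad was wrong, MAC never checked
    body = plain[:-n]
    data, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(mac(mac_key, data), tag):
        return "bad_record_mac"
    return "ok"


def check_record_uniform(plain: bytes, mac_key: bytes) -> str:
    """RFC remedy: on a bad pad, carry on as if the pad were zero-length, still
    compute the MAC, and report one and the same alert for both failures."""
    n = pad_length(plain)
    pad_ok = n is not None
    body = plain[:-n] if pad_ok else plain
    data, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    mac_ok = hmac.compare_digest(mac(mac_key, data), tag)
    return "ok" if (pad_ok and mac_ok) else "bad_record_mac"
```

With `check_record_uniform` the attacker's two submissions (wrong pad, right pad but wrong MAC) come back indistinguishable, which is the oracle the attack on the previous slides depends on. Encrypt-then-MAC goes one step further: the tag is checked on the ciphertext, so a modified record is rejected before any padding is ever looked at.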


Lucky 13 Attack (2013)

Side channel attack: The Lucky 13 attack is a variant of the padding oracle attack, using the timing difference in the MAC computation as a side channel.

The TLS 1.1 and 1.2 RFCs recommend checking the MAC as if there was a zero-length pad:

    “This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.”

It turns out that the small timing difference actually can be exploited!


Lucky 13 Attack (2013)

Countermeasures:
- Add random time delays to CBC-mode decryption processing.
  • Ineffective, the attacker just needs more samples!
- Switch to using RC4 cipher suites.
  • RC4 is vulnerable!
- Modify TLS's CBC-mode decryption procedure so as to remove the timing side channel.
  • “Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS”, Albrecht and Paterson, Nov. 18, 2015.
- Switch to using authenticated encryption, such as AES-GCM.
  → TLS 1.3 uses authenticated encryption only.


POODLE Attack (2014)

POODLE: Padding Oracle On Downgraded Legacy Encryption
- The client requests TLS 1.2.
- Eve lets the handshake fail (e.g., with an Alert message).
  • The correct behaviour of the server would be to respond with an older SSL/TLS version so that the handshake is finished properly and the transcript can be verified by both sides.
- To work with broken servers, some clients just try again after the handshake was aborted, using a lower (less secure) SSL/TLS version.
- Eve is able to use the padding oracle attack and wins.


POODLE Attack (2014)

Countermeasure: TLS Fallback Signaling Cipher Suite Value (SCSV)
- When the client tries to connect again, it adds TLS_FALLBACK_SCSV (0x56, 0x00) to its list of supported cipher suites.
- When the server sees TLS_FALLBACK_SCSV, it is supposed to check whether it actually would have supported the (higher) TLS version.

Best countermeasure: Do not implement insecure cipher suites, either as server or as client!

Do not trade interoperability for security and standard compliance!
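As an added example (not code from the slides or from any TLS library): the fallback dance and the SCSV check from the two POODLE slides, modelled as a small exchange between a client, an on-path attacker, and a server. The SCSV value (0x56, 0x00) is the one on the slide; the `inappropriate_fallback` alert name comes from RFC 7507, which defines the mechanism, and the placeholder cipher suite, version tuples, and the way Eve is modelled (she kills every handshake above a chosen version) are assumptions made for the example.

```python
TLS_FALLBACK_SCSV = (0x56, 0x00)        # value from the slides (RFC 7507)
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
PLACEHOLDER_SUITE = (0x00, 0x2F)        # TLS_RSA_WITH_AES_128_CBC_SHA, so a real suite is offered


def server_hello(server_max, client_version, cipher_suites):
    """Server side. With the SCSV present, a ClientHello offering a version below the
    server's own maximum means the client fell back after a failed attempt, so the
    server refuses (inappropriate_fallback alert, RFC 7507) instead of negotiating."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", "inappropriate_fallback")
    return ("server_hello", min(server_max, client_version))


def client_connect(server_max, attacker_aborts_above, send_scsv):
    """Legacy client behaviour from the slides: after an aborted handshake, try again
    with the next lower version. `attacker_aborts_above` models Eve, who aborts every
    handshake that offers a version above that value (None = no attacker present)."""
    for attempt, version in enumerate((TLS12, TLS11, TLS10, SSL3)):
        suites = [PLACEHOLDER_SUITE]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)   # signal: "this is a retry at a lower version"
        if attacker_aborts_above is not None and version > attacker_aborts_above:
            continue    # Eve injects an alert; the client sees a failed handshake and retries lower
        kind, payload = server_hello(server_max, version, suites)
        if kind == "alert":
            return ("refused", payload)
        return ("connected", NAMES[payload])
    return ("failed", None)
```

The four cases worth comparing: no attacker negotiates TLS 1.2; Eve plus a client without the SCSV ends up on SSLv3, which is the POODLE setup; Eve plus the SCSV ends in a refused connection rather than a downgraded one; and a server that genuinely supports only SSLv3 still gets its connection, since the SCSV only triggers when the server could have done better. The last case is also why the slide's "best countermeasure" is stronger than the SCSV: a client that never offers SSLv3 has nothing to fall back to.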


RC4 Attacks

Roos' biases (1995):
- The first byte of the keystream is correlated to the first three bytes of the key.
- Gives a square-root speedup to brute-force key recovery, e.g., O(2^64) for 128-bit keys.

Biased outputs of RC4 (2001):
- The second output byte of the keystream is biased toward zero with probability 1/128.
  → The 2nd byte tends to be plaintext!
- The XOR value of the 1st and 2nd outputs of RC4 is also non-uniform.
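As an added example (not code from the slides): a plain RC4 implementation and a measurement of the second-byte bias described above over many random keys, followed by the same measurement after the initial keystream bytes have been discarded, which is the first countermeasure listed on the Royal Holloway slide further down. The key count, the seeded generator, and the number of discarded bytes (256) are assumptions made so the run is reproducible; with 30000 keys the measured frequency of a zero second byte comes out near 2/256 rather than 1/256.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def zero_frequency(position: int, keys: int, skip: int = 0, seed: int = 1) -> float:
    """Fraction of random 128-bit keys whose keystream byte at `position` (0-based,
    counted after discarding `skip` bytes) is zero. Uniform output would give 1/256."""
    rng = random.Random(seed)                 # seeded so the measurement is reproducible
    zeros = 0
    for _ in range(keys):
        key = rng.getrandbits(128).to_bytes(16, "big")
        ks = rc4_keystream(key, skip + position + 1)
        zeros += ks[skip + position] == 0
    return zeros / keys


def bias_report(keys: int = 30000, skip: int = 256) -> dict:
    """Second byte as emitted (position 1) versus the same position after `skip`
    bytes are thrown away; the second number is what the countermeasure buys."""
    return {
        "uniform": 1 / 256,
        "second_byte": zero_frequency(1, keys),
        "after_discard": zero_frequency(1, keys // 2, skip=skip),
    }
```

Because a zero keystream byte leaves the plaintext byte unchanged, a bias this size means that across many encryptions of the same message the second ciphertext byte is twice as likely to equal the plaintext byte as any other value, which is the point the slide makes with "2nd byte tends to be plaintext". Discarding the start of the keystream helps against this particular bias only; the later slides list long-term biases that survive it.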


RC4 Attacks

Fluhrer, Mantin and Shamir attack (2001):
- RC4 is like a pseudo-random number generator, generating a keystream from a secret key.
- RC4 requires a nonce if a long-term key is used.
- If the nonce and the long-term key are simply concatenated, the long-term key can be discovered.
- SSL/TLS uses different keys for each session; but this is a problem for WEP, requires 10 million messages.

Klein's attack (2005):
- Exploits more correlations between the RC4 keystream and the key.
- Breaks 128-bit WEP in under a minute; requires 40,000 frames for 50% success probability, 85,000 frames for 95% probability.


RC4 Attacks

Royal Holloway attack (2013):
- An extensive study revealed even more correlations in the keystream.
- Requires 2^28 to 2^32 TLS connections for reliable recovery.
- Only the first 2^20 bytes of application data can be targeted.

Countermeasures:
- Discard initial keystream bytes.
- Add random-length padding to records.
- Limit the lifetime of cookies or the number of times cookies can be sent.
- Stop using RC4 in TLS.


RC4 Attacks

Bar-mitzvah attack (2015):
- Makes use of the 13-year-old attack by Fluhrer, Mantin and Shamir.
- Some keys are particularly weak when used with RC4.
- The attack reveals several hundred bytes at the beginning of the plaintext if a weak key is used.

Countermeasures:
- Discard even more initial keystream bytes.
- Seriously, stop using RC4 in TLS!


RC4 Attacks

NOMORE RC4 attack (2015): Numerous Occurrence MOnitoring & Recovery Exploit
- Exploits even more biases, including long-term biases.
- Exploits Mantin's ABSAB bias: a byte pair (A, B) likely reappears: A B S A B
- With 94% probability, the attack can be performed using 9 · 2^27 encryptions collected over 75 hours.

28/42

/ department of mathematics and computer science

RC4 Attacks

NOMORE RC4 attack (2015):Numerous Occurrence MOnitoring & Recovery Exploit:

I Exploit even more biases, including long-term biases.I Exploit Mantin’s ABSAB bias: a byte pair (A, B) likely reappears.

A B S A BI With 94% probability, attack can be preformed using 9 · 227encryptions collected over 75 hours.

28/42

RC4 Attacks

NOMORE RC4 attack (2015): Numerous Occurrence MOnitoring & Recovery Exploit.

- Exploits even more biases, including long-term biases.
- Exploits Mantin's ABSAB bias: a byte pair (A, B) is likely to reappear after a gap S, giving the keystream pattern A B S A B.
- With 94% probability, the attack can be performed using 9 · 2^27 encryptions collected over 75 hours.

Countermeasures:

NOMORE RC4 in TLS!

29/42
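The statistical principle behind all of the RC4 attacks above, as an added example that is not part of the lecture slides: textbook RC4 is implemented, and the best-known single-byte bias (the second keystream byte is 0 with probability about 2/256 rather than 1/256) is measured over many random keys. The same run shows why a bias is fatal when a protocol encrypts the same plaintext byte at the same position in many connections, which is exactly the cookie setting the countermeasures target: the most frequent ciphertext byte reveals the plaintext byte. Keys, the plaintext byte and the key count are constructed; a single strongly biased position needs far fewer samples than the 2^28 to 2^32 connections quoted above for the full 220 bytes.

```python
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA), then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_experiment(num_keys: int, plaintext_byte: int, seed: int = 1) -> dict:
    """Encrypt one constructed plaintext byte at keystream position 1 (the second
    output byte) under num_keys fresh random 128-bit keys, as if the same cookie
    byte were sent in that many TLS connections.

    Returns how often that keystream byte was 0 relative to the num_keys/256 a
    uniform stream would give (the Mantin-Shamir bias predicts roughly 2x), and the
    plaintext byte an eavesdropper would guess from the ciphertexts alone: since the
    keystream byte is 0 about twice as often as any other value, the most frequent
    ciphertext byte equals plaintext XOR 0, i.e. the plaintext itself."""
    rng = random.Random(seed)                              # seeded: reproducible run
    zero_hits = 0
    ciphertext_counts = Counter()
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # constructed random key
        z2 = rc4_keystream(key, 2)[1]
        zero_hits += z2 == 0
        ciphertext_counts[plaintext_byte ^ z2] += 1
    expected_uniform = num_keys / 256
    guess = ciphertext_counts.most_common(1)[0][0] ^ 0x00  # undo the most likely keystream byte
    return {"zero_ratio": zero_hits / expected_uniform, "guess": guess}


if __name__ == "__main__":
    result = second_byte_experiment(30000, ord("A"))
    print(f"Z_2 == 0 occurs {result['zero_ratio']:.2f}x as often as in a uniform stream")
    print(f"recovered plaintext byte: {result['guess']:#04x}")
```

Discarding the first keystream bytes removes this particular bias, which is why that countermeasure appears above; the long-term biases used by NOMORE survive it, which is why the slides end with "stop using RC4".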

RC4 Attacks

How about the NSA?

- The biases have been known to the NSA; the NSA has the resources to conduct research on its own.
- Large computing power allows finding even more biases.
- Chances are the NSA can do better than public research.
- There are hints in the Snowden leaks that the NSA can decrypt some SSL/TLS traffic (when RC4 is used?).

29/42

FREAK Attack (2014)

FREAK: Factoring RSA Export Keys

- There are weak EXPORT ciphers due to export restrictions on "cryptography" in the United States in the '90s (in the meantime loosened due to "Bernstein v. United States").
- Nowadays, these EXPORT ciphers can be broken with small effort, e.g., RSA-512 (cost: 100 USD on Amazon Cloud Services).
- Privacy is at risk when EXPORT ciphers are used!

31/42

FREAK Attack (2014)

How to convince client and server to use EXPORT ciphers?

- The hash of the transcript in the Finished message should prevent a MitM from downgrading to insecure ciphers.
- "Some modern TLS clients — including Apple's SecureTransport and OpenSSL — have a bug in them. This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA." (Matthew Green)

32/42

FREAK Attack (2014)

Normal RSA handshake:

  Client                                            Server
    |--- cr, [..., RSA, ...] ------------------------->|
    |<-- sr, RSA --------------------------------------|
    |<-- cert_s ---------------------------------------|
    |--- rsaenc_s(pms) ------------------------------->|
    (ms, k1, k2) = kdf(pms, cr|sr)                  (ms, k1, k2) = kdf(pms, cr|sr)
    |--- finished(ms, log_C) ------------------------->|  (server checks log_C)
    |<-- finished(ms, log_S) --------------------------|  (client checks log_S)
    |--- enc(k1, Data) ------------------------------->|
    |<-- enc(k2, Data) --------------------------------|

With a MitM downgrading the server to RSA_EXPORT:

  Client                        MitM                          Server
    |--- cr, [..., RSA, ...] ----->|--- cr, [RSA_EXPORT] -------->|
    |<-- sr, RSA ------------------|<-- sr, RSA_EXPORT -----------|
    |<-- cert_s, sign(sk_s, [cr|sr|p512]) -------------------------|   (ServerKeyExchange, 512-bit export key p512)
    |                              s512 = factor(p512)
    |--- rsaenc_p512(pms) ---------------------------------------->|   (pms encrypted under the 512-bit export key)
    (ms, k1, k2) =                (ms, k1, k2) =                  (ms, k1, k2) =
      kdf(pms, cr|sr)               kdf(pms, cr|sr)                 kdf(pms, cr|sr)
    |--- finished(ms, log_C) ------------------------------------->|
    |<-- finished(ms, log_S) --------------------------------------|
    |--- enc(k1, Data) ------------------------------------------->|
    |<-- enc(k2, Data) --------------------------------------------|

32/42

FREAK Attack (2014)

The MitM attack:

1. In the client's Hello message, it asks for a 'standard RSA' cipher suite.
2. The MitM attacker changes this message to ask for 'export RSA'.
3. The server responds with a 512-bit export RSA key, signed with its long-term key; the MitM forwards the ServerKeyExchange message.
4. The client accepts the unexpected ServerKeyExchange message due to an implementation bug and uses the weak key.
5. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
6. When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.
7. From here on out, the attacker can decrypt (recorded) ciphertext.

34/42

FREAK Attack (2014)

Countermeasures:

- Do not offer, do not even implement EXPORT ciphers (neither client nor server).
- Do not have bugs in SSL/TLS implementations (pretty please).
  • Still a problem for TLS False Start.

Is that enough?

34/42

Logjam Attack (2015)

Normal DHE handshake:

  Client                                                 Server
    |--- cr, [..., DHE, ...] ------------------------------>|
    |<-- sr, DHE -------------------------------------------|
    |<-- cert_s, sign(sk_s, [cr|sr|p|g|g^b]) ---------------|
    |--- g^a ---------------------------------------------->|
    (ms, k1, k2) = kdf(g^ab, cr|sr)                      (ms, k1, k2) = kdf(g^ab, cr|sr)
    |--- finished(ms, log_C) ------------------------------>|
    |<-- finished(ms, log_S) -------------------------------|
    |--- enc(k1, Data) ------------------------------------>|
    |<-- enc(k2, Data) -------------------------------------|

With a MitM downgrading the server to DHE_EXPORT:

  Client                        MitM                             Server
    |--- cr, [..., DHE, ...] ----->|--- cr, [DHE_EXPORT] ----------->|
    |<-- sr, DHE ------------------|<-- sr, DHE_EXPORT --------------|
    |<-- cert_s, sign(sk_s, [cr|sr|p512|g|g^b]) ---------------------|   (512-bit export group p512)
    |--- g^a ------------------------------------------------------->|
    |                              b = dlog(g^b mod p512)
    (ms, k1, k2) =                (ms, k1, k2) =                     (ms, k1, k2) =
      kdf(g^ab, cr|sr)              kdf(g^ab, cr|sr)                   kdf(g^ab, cr|sr)
    |--- finished(ms, log_C) ---------------------------------------->|
    |<-- finished(ms, log_S) -----------------------------------------|
    |--- enc(k1, Data) ---------------------------------------------->|
    |<-- enc(k2, Data) -----------------------------------------------|

35/42

Logjam Attack (2015)

How to break 512-bit Diffie-Hellman in real time?

Millions of servers all use the same prime numbers for Diffie-Hellman key exchange. However, the first step in the number field sieve — the most efficient algorithm for breaking a Diffie-Hellman connection — is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

Using precomputation for the most common 512-bit prime, the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT.

An academic team can break a 768-bit prime; a nation-state can probably break a 1024-bit prime.

37/42

Logjam Attack (2015)

Countermeasures:

- Do not offer EXPORT ciphers on servers.
- Make a sanity check of the presented DH parameters; reject weak parameters.
- Do not use the standard primes; use individual primes.
- Use large primes, i.e., 2048-bit or larger.

38/42
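The client-side checks that the FREAK steps and the Logjam countermeasures above call for, as an added example (not code from the lecture or from any TLS library): refuse a ServerKeyExchange that does not fit the negotiated suite, and parse and sanity-check the DHE parameters before using them. The suite names RSA, RSA_EXPORT, DHE and DHE_EXPORT follow the diagrams rather than real cipher-suite codes; the ServerDHParams wire format is the TLS 1.2 one from RFC 5246, section 7.4.3. The sample moduli are constructed and are not real primes, so only the size and range checks are exercised; a real client would additionally require an approved group or test the modulus for primality.

```python
import struct
from typing import Optional, Tuple

# Suite names follow the lecture diagrams; a real client works with TLS cipher-suite codes.
EXPORT_SUITES = {"RSA_EXPORT", "DHE_EXPORT"}
MIN_DH_BITS = 2048                         # "2048-bit or larger primes"


def check_key_exchange_message(negotiated_suite: str, offered_suites, ske_present: bool) -> Optional[str]:
    """Consistency checks when the server's choice and its ServerKeyExchange arrive.
    Returns None if the handshake may continue, otherwise the reason to abort."""
    if negotiated_suite not in offered_suites:
        return "server selected a suite the client never offered"
    if negotiated_suite in EXPORT_SUITES:
        return "export-grade suite must not be negotiated"
    if negotiated_suite == "RSA" and ske_present:
        # Static RSA takes the public key from the certificate; an extra (export-size)
        # RSA key in a ServerKeyExchange is exactly what the FREAK-vulnerable clients accepted.
        return "unexpected ServerKeyExchange for static RSA"
    if negotiated_suite == "DHE" and not ske_present:
        return "DHE requires a ServerKeyExchange"
    return None


def _read_vector(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one opaque<1..2^16-1> vector (2-byte big-endian length prefix)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("vector length outside the message")
    return buf[off:off + n], off + n


def parse_server_dh_params(data: bytes) -> Tuple[int, int, int]:
    """Parse TLS 1.2 ServerDHParams (RFC 5246, section 7.4.3): dh_p, dh_g, dh_Ys."""
    p, off = _read_vector(data, 0)
    g, off = _read_vector(data, off)
    ys, off = _read_vector(data, off)
    if off != len(data):
        raise ValueError("trailing bytes after ServerDHParams")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big")


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here to construct sample messages."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def check_dh_params(p: int, g: int, ys: int, min_bits: int = MIN_DH_BITS) -> Optional[str]:
    """Sanity checks on presented DH parameters; None means acceptable.
    A real client would additionally require an approved group or test p for primality."""
    if p.bit_length() < min_bits:
        return f"DH prime too small ({p.bit_length()} bits)"
    if p % 2 == 0:
        return "DH modulus is even"
    if not 1 < g < p - 1:
        return "DH generator out of range"
    if not 1 < ys < p - 1:
        return "degenerate DH public value"
    return None


if __name__ == "__main__":
    # Constructed moduli: a 512-bit export-size one and a 2048-bit one (neither is prime).
    p_export = (1 << 511) | 1
    p_large = (1 << 2047) | 3
    for p in (p_export, p_large):
        msg = encode_server_dh_params(p, 2, pow(2, 12345, p))
        print(p.bit_length(), "bits:", check_dh_params(*parse_server_dh_params(msg)))
    print(check_key_exchange_message("RSA", {"RSA", "DHE"}, ske_present=True))
```

The first function closes the FREAK hole (a ServerKeyExchange in a static-RSA handshake is rejected instead of silently switching to the weak key); the second rejects the 512-bit DHE_EXPORT group of the Logjam diagram at the client even when the server has not been fixed.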

OpenSSL Heartbleed Bug (2014)

Bug in the implementation of the Heartbeat Extension (RFC 6520):

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

    [...] When a HeartbeatRequest message is received [...], the receiver MUST send a corresponding HeartbeatResponse message carrying an exact copy of the payload of the received HeartbeatRequest.

OpenSSL failed to check the actual length of the payload data.

39/42
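The missing length check, as an added example in Python (not OpenSSL's own code, which is C): a responder that trusts the payload_length field is shown beside a fixed one that requires the 3-byte header, the claimed payload and the 16-byte minimum padding of RFC 6520 to fit inside the received record, and both are run on a constructed request whose length field claims 40 bytes while carrying 4. The byte string standing in for the heap memory next to the record is constructed.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2                 # type + payload_length
MIN_PADDING = 16                   # RFC 6520: padding of at least 16 bytes


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatMessage. claimed_length lets us construct a malformed request
    whose payload_length field is larger than the payload actually carried."""
    n = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, n) + payload + bytes(MIN_PADDING)


def respond_unchecked(memory: bytes, record_length: int) -> bytes:
    """Vulnerable responder: trusts payload_length and copies that many bytes from the
    receive buffer, running past the end of the record when the field lies. `memory`
    models the process heap: the record at offset 0 followed by unrelated data."""
    _msg_type, payload_length = struct.unpack_from("!BH", memory, 0)
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # record_length never consulted
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + bytes(MIN_PADDING)


def respond_checked(memory: bytes, record_length: int) -> Optional[bytes]:
    """Fixed responder: header, claimed payload and minimum padding must all fit inside
    the received record; otherwise the message is silently discarded (RFC 6520)."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack_from("!BH", memory, 0)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + bytes(MIN_PADDING)


# Constructed scenario: 4 real payload bytes, a payload_length field claiming 40, and
# unrelated (constructed) data sitting right behind the record in the same buffer.
NEIGHBOUR = b"session-cookie=constructed-secret-value;"


def demo():
    record = build_heartbeat_request(b"ping", claimed_length=40)
    memory = record + NEIGHBOUR
    return respond_unchecked(memory, len(record)), respond_checked(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("unchecked responder echoed:", leaked[HEADER_LEN:])
    print("checked responder answer:  ", safe)
```

The comparison against the record length is the whole fix: once the claimed payload cannot exceed what was actually received, the response can only ever echo bytes the peer sent.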

SSL/TLS Cipher Suites

Cipher                                | Protocol version
Algorithm          | Strength (bits)  | SSL 2.0  | SSL 3.0  | TLS 1.0  | TLS 1.1  | TLS 1.2  | TLS 1.3
-------------------+------------------+----------+----------+----------+----------+----------+----------
AES GCM            | 256, 128         | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
AES CCM            | 256, 128         | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
AES CBC            | 256, 128         | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
Camellia GCM       | 256, 128         | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
Camellia CBC       | 256, 128         | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
ARIA GCM           | 256, 128         | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
ARIA CBC           | 256, 128         | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
SEED CBC           | 128              | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
3DES EDE CBC       | 112              | Insecure | Insecure | Low/Dep. | Low      | Low      | N/A
GOST CNT           | 256              | N/A      | N/A      | Secure   | Secure   | Secure   | N/A
IDEA CBC           | 128              | Insecure | Insecure | Depends  | Secure   | N/A      | N/A
DES CBC            | 40               | Insecure | Insecure | N/A      | N/A      | N/A      | N/A
DES CBC            | 56               | Insecure | Insecure | Insecure | N/A      | N/A      | N/A
RC2 CBC            | 56               | Insecure | Insecure | Insecure | N/A      | N/A      | N/A
ChaCha20-Poly1305  | 256              | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
RC4                | 40               | Insecure | Insecure | Insecure | N/A      | N/A      | N/A
RC4                | 128              | Insecure | Insecure | Insecure | Insecure | Insecure | N/A
NULL               | –                | N/A      | Insecure | Insecure | Insecure | Insecure | Insecure

41/42

Announcement

Guest lectures next week:

- Tuesday: Jacob Appelbaum, Tor.
- Thursday: Dan Bernstein, DNSsec.

42/42
