Post on 18-Jan-2017
transcript
Outline Background Past Present Future
TLS: Past, Present, Future
Thyla van der Merwe
Royal Holloway, University of London
2 May 2016
TLS: Past, Present, Future – Thyla van der Merwe 1/ 30
Outline
[Timeline figure: 2011 to 2016, labelled Past / Present / Future]
1 Background (what is TLS?)
2 The Past
3 The Present
  Password recovery attacks against RC4 in TLS
4 The Future

Importance of TLS [KP]
Originally designed for secure e-commerce, now widely used
Access to online banking
Access to Gmail, Facebook, etc.
Mobile applications, including banking apps
TLS has become the de facto secure protocol of choice
Used by millions (billions?) of devices daily
Analysis is crucial

Highly Simplified View of TLS
[Figure: protocol stack (Data Link / Internet / Transport / Application) with TLS sitting between http and tcp; client C and server S exchange messages and end up sharing keys Ku, Kd]
"hello, let's chat"
"okay, let's agree on algorithms, establish keys to communicate securely and here's some assurance as to my identity"
"let's exchange application data"
Handshake protocol: negotiate ciphersuite, authenticate entities and establish keys for the record protocol
Record protocol: provide confidentiality and authenticity of application data using the keys established in the Handshake protocol

The TLS Ecosystem
[Figure: TLS versions, TLS extensions and DTLS at the centre, surrounded by the ecosystem: Servers, Clients, Certification Authorities (CAs), Software vendors, Hardware vendors, Researchers, Standards]

Past
[Timeline: 1995, 1996, 1998, 1999, 2002, 2006, 2008, 2009, 2011, 2016]
Started life as SSL, developed by Netscape
SSL 2.0 released in 1995 and SSL 3.0 in 1996
TLS 1.0 released in 1999, TLS 1.1 in 2006 and TLS 1.2 in 2008
Bleichenbacher Attack in 1998, against RSA using PKCS#1
Renegotiation Attack by Ray and Dispensa in 2009, impersonation attack

[Figure: SSL Pulse survey statistics] As of 21 April, 2016. Available at: https://www.trustworthyinternet.org/ssl-pulse/

Present
[Timeline: 1995, 1996, 1998, 1999, 2002, 2006, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016]
BEAST by Duong and Rizzo in 2011
CRIME by Duong and Rizzo in 2012
Lucky Thirteen by AlFardan and Paterson, and RC4 Attacks by AlFardan et al. in 2013
Cookie Cutter and Triple Handshake attacks by Bhargavan et al., Heartbleed bug and POODLE by Möller et al. in 2014

Password Recovery Attacks Against RC4 in TLS [GPV15]
Despite work such as On the Security of RC4 in TLS, AlFardan et al. (USENIX 2013), RC4 usage stood at 35% of TLS connections
[Figure: ICSI Notary Statistics, Dec. 2014, http://notary.icsi.berkeley.edu/]
Can we strengthen these attacks?
Passwords are widely used for authentication and the fact that they are not uniformly distributed may give us a boost
Get RC4 closer to the point where it needs to be abandoned!

RC4
RC4 State: a byte permutation and indices i and j
[Figure: RC4 key scheduling and RC4 keystream generation]

RC4 in TLS
[Figure: the simplified TLS stack again (Data Link / Internet / Transport / Application, TLS between http and tcp), with the message flow between client C and server S]
Handshake protocol:
ClientHello(…, [RC4, …])
ServerHello(…, RC4)
...
ClientFinished
(keys Ku, Kd established)
ServerFinished
Record protocol (encrypted with RC4, keys Ku and Kd; integrity via HMAC-SHA1):
application data
...
C_r = P_r ⊕ Z_r
36 protected FINISHED bytes

RC4 Biases
[Figure: heat map of RC4 single-byte keystream biases, byte value (0…255) against keystream position (0…255); colour shows the deviation from the uniform distribution, scaled and clamped to the range −1 to 1]

Attack Setting
First described by Mantin and Shamir in 2001
A fixed plaintext, P, is encrypted multiple times under independent RC4 keys, K_i
[Figure: (P, K_1), …, (P, K_S)]

Plaintext Recovery via Bayesian Analysis
We want to maximize (for a position r in the plaintext stream):
Pr(X = x | C = c)
X is the random variable corresponding to a plaintext byte, with value x
C is the random variable corresponding to a vector of ciphertext bytes

Plaintext Recovery via Bayesian Analysis
Using Bayes' Theorem:
\[
\Pr(X = x \mid C = c) = \frac{\Pr(C = c \mid X = x) \cdot \Pr(X = x)}{\Pr(C = c)}
= \frac{\Pr(C = c \mid X = x) \cdot \Pr(X = x)}{\sum_{x' \in \mathcal{X}} \Pr(C = c \mid X = x') \cdot \Pr(X = x')}
\]

Plaintext Recovery via Bayesian Analysis
So we actually want to maximize this (the denominator Pr(C = c) does not depend on x):
Pr(C = c | X = x) · Pr(X = x)
However, because ciphertext = plaintext ⊕ keystream, a candidate x together with the observed c determines the keystream bytes z, so
Pr(C = c | X = x) = Pr(Z = z)
and it suffices to maximize:
Pr(X = x) · Pr(Z = z)

Plaintext Recovery via Bayesian Analysis
[Figure: the recovery algorithm]
Recovery algorithm: compute the most likely byte by considering all byte possibilities
C_1, C_2, C_3, …, C_S: encryptions of a fixed byte under different keys, at position r
A byte candidate x yields an induced distribution on the keystream bytes Z_r; combine with the known distribution, then combine with the a priori plaintext distribution
Result: a posteriori likelihood of x being the correct byte

Attacking Cookies [ABPPS13]
[Figure: the same recovery algorithm, repeated for every byte of the cookie]
Recovery algorithm: compute the most likely byte by considering all byte possibilities; repeat for all bytes of the cookie
C_1, C_2, C_3, …, C_S: encryptions of a fixed byte under different keys, at position r
A byte candidate x yields an induced distribution on the keystream bytes Z_r; combine with the known distribution; assume the a priori plaintext distribution is uniform
Result: a posteriori likelihood of x being the correct byte
✗ 256 positions, 2^34 encryptions, 2000 hrs!

Attacking Passwords
Widely used for authentication on the web, NOT uniformly distributed
RockYou leak of 32 million passwords in 2009, about 14 million unique, 123456 most popular
Have a priori information from leaked datasets
Multiple bytes, not just one...

Attacking Passwords
For n bytes we want to maximize
Pr(X = x) · Pr(Z = z)
where X is the random variable corresponding to a vector of plaintext bytes, x = (x_0, x_1, . . . , x_{n−1})
Z is the random variable corresponding to the matrix of keystream bytes
?? Pr(Z = z) ??

Approximations
Pr(Z = z)
Attack 1: Assume keystream bytes behave independently – use single-byte probabilities (product distribution)
Attack 2: Assume a keystream byte is influenced only by the byte directly adjacent to it – use double- and single-byte probabilities

Approximations
[Figure: the recovery algorithm for passwords]
Recovery algorithm: compute the most likely password from a dictionary of N passwords
C_1, C_2, C_3, …, C_S: encryptions of a fixed password under different keys, at positions r, r+1, …, r+n−1
A password candidate x = (x_0, x_1, …, x_{n−1}) yields an induced distribution on the keystream bytes Z_r, Z_{r+1}, …, Z_{r+n−1}; combine with the known distribution (approximated using the known distribution), then combine with the a priori password distribution
Result: a posteriori likelihood of x being the correct password
What’s different?
n bytes instead of one
T attempts before lockout
dictionary of size N
single-byte vs double-byte estimator
Base64 or ASCII
r starting position
S ciphertexts
guessing attacks
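The Bayesian ranking from the recovery-algorithm slides, written out as an added example (not code from the talk or from [GPV15]) for Attack 1, the single-byte product estimator, parameterised by the n, T, N, r and S listed above. The keystream distribution, the dictionary with its a priori probabilities, the position r = 133 and the seed are all constructed stand-ins: the real RC4 single-byte tables are far weaker than this toy distribution, which is why the talk needs 2^20 to 2^28 ciphertexts where this example gets by with a few thousand.

```python
import math
import random

N, T = 6, 5   # password length n (the talk's default) and guesses allowed before lockout

# CONSTRUCTED a priori password distribution, standing in for RockYou frequencies.
DICTIONARY = {
    b"123456": 0.35, b"qwerty": 0.20, b"abc123": 0.15, b"111111": 0.10,
    b"123457": 0.08, b"monkey": 0.07, b"iloveu": 0.05,
}

def keystream_dist(pos):
    """CONSTRUCTED Pr(Z_pos = z): uniform except one value boosted 9x.  Stands in
    for the measured RC4 single-byte tables, whose biases are far weaker."""
    boosted = (37 * pos + 11) & 0xFF
    return [9 / 264 if z == boosted else 1 / 264 for z in range(256)]

def sample_keystream(pos, rng):
    """Draw one byte from keystream_dist(pos); used only to build test ciphertexts."""
    boosted = (37 * pos + 11) & 0xFF
    slot = rng.randrange(264)           # 9 slots for the boosted value, 1 for each other
    if slot < 9:
        return boosted
    z = slot - 9                         # 0..254: the 255 non-boosted values in order
    return z if z < boosted else z + 1

def rank_candidates(ciphertexts, dictionary, r):
    """Attack 1 (product distribution): keystream bytes at r..r+N-1 treated as independent.
    score(x) = log Pr(X=x) + sum_i sum_k log Pr(Z_{r+k} = c_{i,k} xor x_k); best first."""
    logp = [[math.log(p) for p in keystream_dist(r + k)] for k in range(N)]
    def score(x):
        s = math.log(dictionary[x])                  # a priori term
        for c in ciphertexts:
            for k in range(N):
                s += logp[k][c[k] ^ x[k]]             # induced keystream byte
        return s
    return sorted(dictionary, key=score, reverse=True)

def simulate(true_pw, num_ciphertexts, r=133, seed=7):
    """Encrypt true_pw S times at position r under independent constructed keystreams,
    then rank the dictionary; success means true_pw is within the top T guesses."""
    rng = random.Random(seed)
    cts = [bytes(x ^ sample_keystream(r + k, rng) for k, x in enumerate(true_pw))
           for _ in range(num_ciphertexts)]
    return rank_candidates(cts, DICTIONARY, r)

if __name__ == "__main__":
    print(simulate(b"monkey", 0)[:T])      # S = 0: pure guessing, prior order
    print(simulate(b"monkey", 2048)[:T])   # S = 2048: b"monkey" ranked first
```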

Simulation Results
Use a dictionary built from the RockYou leak dataset to attack the Singles.org dataset
More realistic but limits our success rate
Default parameters, n = 6, T = 5, S = 2^20, 2^22, . . . , 2^28
Success rate based on 256 experiments

Simulation Results
Single-byte vs double-byte, n = 6, T = 5
[Figure: success rate (0 to 1) against starting position (0 to 256), curves for the double-byte (db) and single-byte (sb) estimators with S = 2^20, 2^22, 2^24, 2^26, 2^28]

Simulation Results
T vs success rate, n = 6, r = 133 – double-byte and guessing
[Figure: log2(T) (0 to 25) against recovery rate (0 to 1), curves for S = 2^14, 2^16, …, 2^28 and for optimal guessing]

Practical Validation
Applicable to BasicAuth and IMAP
We need multiple, independent encryptions of the password
We need the password to be encrypted at a favourable position

Practical Validation
[Figure: www.evil.com, www.good.com, PW = 123456 sent over a TLS channel at position r = 133]
Resumption latency of 250ms, 2^26 encryptions, 6 parallel connections: 776 hours (at 100ms, 312 hours)

[Figure: ICSI Notary Statistics, Jul./Aug. 2015, http://notary.icsi.berkeley.edu/: RC4 at 12.8%]
[Figure: ICSI Notary Statistics, Mar./Apr. 2016: RC4 at 2.4%]

Present
[Timeline: 1995, 1996, 1998, 1999, 2002, 2006, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016]
Password Recovery Attacks Against RC4 in TLS by Garman et al. (OUR WORK)
FREAK by Beurdouche et al., Bar Mitzva Attack by Mantin, LOGJAM, RC4 attack by Vanhoef and Piessens
Attack by Jager et al., SLOTH and DROWN

Future
[Timeline: 1995, 1996, 1998, 1999, 2002, 2006, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016]
See my next talk :-)
Draft 1 of TLS 1.3 released in March 2015, draft 12 released in March 2016
Encrypt as much of the handshake as possible
Re-evaluate the handshake contents – different handshakes, renegotiation handshake removed, resumption done differently
1-RTT for initial handshake, 0-RTT for repeated handshakes, also 0.5-RTT
Update the record protection mechanisms