Return Of Bleichenbacher’s Oracle Threat (ROBOT)
Hanno Böck
Juraj Somorovsky (Ruhr University Bochum / Hackmanit)
Craig Young (Tripwire VERT)
Recent Attacks on TLS
• CRIME, BEAST, Lucky 13, Heartbleed, Early CCS
• 20 years ago: Bleichenbacher’s attack
  • Applied to RSA PKCS#1 v1.5 in SSL/TLS
  • Decrypt SSL/TLS traffic
  • Implementations applied ad-hoc fixes
  • Everything is secure, right?
• Return of Bleichenbacher’s Oracle Threat – ROBOT*
* Name idea shamelessly stolen from ROCA
Return Of Bleichenbacher’s Oracle Threat (ROBOT). USENIX Security 2018 2
Overview
1. Bleichenbacher’s attack
2. How we started – Attack on Facebook
3. Performing the scans
4. Responsible disclosure
5. Conclusions
[ROBOT logo, designed by Ange Albertini]
TLS Protocol (High Level Overview)
1. TLS Handshake
   • Selection of algorithm, version, extensions
   • Key exchange: RSA, (EC)DH, (EC)DHE
2. Encrypted and authenticated data transport
TLS RSA Handshake
[Figure: TLS RSA handshake sequence: ClientHello → ServerHello, Certificate, ServerHelloDone → ClientKeyExchange (RSA encrypted premaster secret), ChangeCipherSpec, (Client-) Finished → ChangeCipherSpec, (Server-) Finished]
ClientKeyExchange: RSA PKCS#1 v1.5
• Used to pad and encrypt the premaster secret:
  • To pad it to the RSA key length
  • To add randomization
• Example for TLS 1.2:
  00 02 [non-zero padding] 00 03 03 [secret]
  • 00 02: encryption block type
  • 00: delimiter
  • 03 03: TLS 1.2 version (Don’t ask why, a different story)
Bleichenbacher’s Attack
• 1998: Adaptive chosen-ciphertext attack
• Exploits strict RSA PKCS#1 v1.5 padding validation
[Figure: the attacker derives modified ciphertexts C1, C2, … from the target ciphertext C and sends them to the server; the server computes M = Dec(C) and answers valid/invalid depending on whether M starts with 00 02]
Bleichenbacher’s Attack
• The attack needs some math (not going into details here)
• “Million message attack”
  • In general, performance depends on the oracle properties
Creating Bleichenbacher’s Oracle
[Figure: handshake with a modified ciphertext in ClientKeyExchange’: if the server’s decryption fails it sends an error; otherwise the handshake continues and fails at the (Client-) Finished message with a Bad Record MAC alert]
TLS Countermeasure
[Figure: TLS countermeasure: the server answers the modified ClientKeyExchange’ the same way in both cases, continuing the handshake and sending the same alert after the (Client-) Finished message]
If the attacker can distinguish valid/invalid PKCS#1 messages, he wins
Hanno Found a Weird Behavior of Facebook
[Figure: handshake against Facebook with a modified ClientKeyExchange’: the server answered an Illegal Parameter alert when decryption failed, and a Bad Record MAC alert after the (Client-) Finished message otherwise]
Can We Exploit It?
• Idea: It would be funny to sign a message with Facebook’s private key
  • Yes, signing is possible as well
• Millions of queries needed… would Facebook block us?
• Successful after several tries:
  “We hacked Facebook with a Bleichenbacher Oracle (JS/HB).”
• Facebook fixed it
Facebook: New Attempt
[Figure: new attempt against Facebook after the fix: handshake with a modified ClientKeyExchange’, with the server’s two responses shown (alert names not recoverable from the extracted text)]
Facebook Fixed Again
• This is interesting. So how about other servers?
Let’s Start Scanning
• Careful selection of ClientKeyExchange messages:
  00 02 [non-zero padding] 00 03 03 [secret]
  • Wrong TLS version
  • Wrong padding length
  • Not starting with 0x00 02
• Full / Shortened TLS handshakes:
  [Figure: two handshake variants with the modified ClientKeyExchange’ (full: ClientHello, ServerHello, Certificate, ServerHelloDone, ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished; shortened variant shown alongside)]
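The oracle and its countermeasure, as an added Python illustration (not code from the paper or from the authors’ tools): a strict PKCS#1 v1.5 decoder that reports each defect separately, next to the RFC 5246 variant that substitutes a random premaster secret so the handshake continues and breaks at Finished the same way every time, both run on constructed, already RSA-decrypted blocks for the three malformed ClientKeyExchange variants the scan uses. Function names, the 128-byte modulus length and the all-zero sample secret are assumptions made here; timing differences, which the deck lists as future work, are not modelled.

```python
import os
import secrets
PMS_LEN = 48   # TLS premaster secret: 2 version bytes + 46 random bytes
MIN_PAD = 8    # PKCS#1 v1.5 requires at least 8 non-zero padding bytes
TLS12 = b"\x03\x03"
class PaddingError(Exception):
    pass  # the vulnerable decoder raises it with a distinct message per defect

def pad_premaster(pms: bytes, k: int) -> bytes:
    """Build the PKCS#1 v1.5 block of modulus length k: 00 02 [non-zero padding] 00 [pms]."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(pms)))
    return b"\x00\x02" + ps + b"\x00" + pms

def unpad_vulnerable(block: bytes, version: bytes) -> bytes:
    """Strict check that reports each defect separately: the behaviour ROBOT servers exposed."""
    if block[:2] != b"\x00\x02":
        raise PaddingError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep < 2 + MIN_PAD:
        raise PaddingError("bad padding length")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise PaddingError("bad secret length")
    if pms[:2] != version:
        raise PaddingError("bad version")
    return pms

def unpad_hardened(block: bytes, version: bytes) -> bytes:
    """RFC 5246 countermeasure: on any defect return a random premaster secret instead of failing."""
    fallback = version + os.urandom(PMS_LEN - 2)
    sep = block.find(b"\x00", 2)
    pms = block[sep + 1:] if sep != -1 else b""
    ok = block[:2] == b"\x00\x02" and sep >= 2 + MIN_PAD
    ok = ok and len(pms) == PMS_LEN and pms[:2] == version
    return pms if ok else fallback

def probe_blocks(k: int = 128) -> dict:
    """Constructed decrypted blocks mirroring the scan's ClientKeyExchange variants."""
    good = pad_premaster(TLS12 + bytes(46), k)  # constructed all-zero secret, easy to check
    return {"valid": good,
            "wrong version": pad_premaster(b"\x03\x01" + bytes(46), k),
            "wrong padding length": b"\x00\x02" + b"\x01" * 3 + b"\x00" + b"\x01" * (k - 6),
            "not 00 02": b"\x00\x01" + good[2:]}

def observed(decoder, block: bytes, version: bytes = TLS12) -> str:
    """What the peer can tell apart: the error raised, or 'continue' if a secret came back."""
    try:
        return "continue" if len(decoder(block, version)) == PMS_LEN else "bad length"
    except PaddingError as exc:
        return str(exc)
```

With the strict decoder the three malformed blocks each yield a different outcome, which is exactly the signal the scan looks for; with the hardened decoder every block yields "continue".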
Alexa Top 1 Million Scan
• 2.8 % vulnerable
• PayPal, Apple, ebay, Cisco, …
• Different behaviors… different combinations:
  [Figure: observed server behaviors: Illegal Parameter alerts, Bad Record MAC alerts, TCP connection resets, timeouts, different alerts, duplicate alerts (Alert/Alert), Handshake Failure, Internal Error, …]
Who Is Responsible for These Mistakes?
• Reporting is not always that easy …
“Your server is vulnerable to Bleichenbacher’s attack.”
“No worries, we use military grade encryption.”
Don’t Fix for Some Vendors … Cisco ACE
• Supports only TLS RSA
• Cisco: We won't fix it, it's out of support for several years
• But there were plenty of web pages still running on these devices
  • Like cisco.com
Identified (Most of) Them
Test Tools
• No easily usable test tool for Bleichenbacher attacks was available
• Currently implemented in SSL Labs, testssl.sh, TLS-Attacker, tlsfuzzer
Future Work
• Timing attacks
• Fingerprinting
• Some servers send certificates or "garbage bytes"
  • Bleedinbacher? There could be a Heartbleed-style memory disclosure waiting to be found
Conclusions
• 20-year-old attacks still work
• New side-channels (timeouts, TCP resets, …)
• Crypto attack countermeasures are hard to apply
• Disable TLS_RSA cipher suites (not used in TLS 1.3)
• Stop using RSA PKCS#1 v1.5, use elliptic curves (or RSA-OAEP if RSA is needed)
https://robotattack.org/