
Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Return Of Bleichenbacher’s Oracle Threat (ROBOT) Hanno Böck Juraj Somorovsky (Ruhr University Bochum / Hackmanit) Craig Young (Tripwire VERT)
Transcript
Page 1: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Hanno Böck

Juraj Somorovsky (Ruhr University Bochum / Hackmanit)

Craig Young (Tripwire VERT)

Page 2: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Recent Attacks on TLS

• CRIME, BEAST, Lucky 13, Heartbleed, Early CCS

• 20 years ago: Bleichenbacher’s attack

  • Applied to RSA PKCS#1 v1.5 in SSL/TLS

  • Decrypt SSL/TLS traffic

  • Implementations applied ad-hoc fixes

  • Everything is secure, right?

• Return of Bleichenbacher’s Oracle Threat – ROBOT*

* Name idea shamelessly stolen from ROCA

Return Of Bleichenbacher’s Oracle Threat (ROBOT). USENIX Security 2018 2

Page 3: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Overview

1. Bleichenbacher’s attack

2. How we started – Attack on Facebook

3. Performing the scans

4. Responsible disclosure

5. Conclusions

Designed by Ange Albertini

Page 4: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

TLS Protocol (High Level Overview)

1. TLS Handshake

  • Selection of algorithm, version, extensions

  • Key exchange: RSA, (EC)DH, (EC)DHE

2. Encrypted and authenticated data transport

Page 5: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

TLS RSA Handshake

[Diagram: TLS RSA handshake. Client to server: ClientHello. Server to client: ServerHello, Certificate, ServerHelloDone. Client to server: ClientKeyExchange (RSA encrypted premaster secret), ChangeCipherSpec, (Client-) Finished. Server to client: ChangeCipherSpec, (Server-) Finished.]

Page 6: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

RSA PKCS#1 v1.5

• Used to pad and encrypt the premaster secret:

  • To pad it to the RSA key length

  • To add randomization

• Example for TLS 1.2:

00 02 [non-zero padding] 00 03 03 [secret]

  • 00 02: Encryption block type

  • 00: 0x00 Delimiter

  • 03 03: TLS 1.2 version (Don’t ask why, a different story)

Page 7: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Bleichenbacher’s Attack

• 1998: Adaptive chosen-ciphertext attack

• Exploits strict RSA PKCS#1 v1.5 padding validation

[Diagram: for a ciphertext C with M = Dec(C), the oracle is sent ciphertexts C1, C2, … and answers valid/invalid for each one: does the decrypted message start with 00 02?]

Page 8: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Bleichenbacher’s Attack

• The attack needs some math (Not going into details here)

• “Million message attack”

(In general performance depends on the oracle properties)


Page 9: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Creating Bleichenbacher’s Oracle

[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’ (modified ciphertext), ChangeCipherSpec, (Client-) Finished. Server response: Decrypt Error or Bad Record MAC alert.]

Page 10: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

TLS Countermeasure

[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished. Server response: Alert.]

If the attacker can distinguish valid / invalid PKCS#1 messages, he wins

Page 11: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Overview

1. Bleichenbacher’s attack

2. How we started – Attack on Facebook

3. Performing the scans

4. Responsible disclosure

5. Conclusions

Designed by Ange Albertini

Page 12: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Hanno Found a Weird Behavior of Facebook

[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished. Server response: Illegal Parameter or Bad Record MAC alert.]

Page 13: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Can We Exploit It?

• Idea: It would be funny to sign a message with Facebook’s private key

  • Yes, signing is possible as well

• Millions of queries needed…would Facebook block us?

• Successful after several tries:

  “We hacked Facebook with a Bleichenbacher Oracle (JS/HB).”

• Facebook fixed

Page 14: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Facebook: New Attempt

[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished. The two server responses shown on the slide are not preserved in the transcript.]

Page 15: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Facebook Fixed Again

• This is interesting. So how about other servers?


Page 16: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Overview

1. Bleichenbacher’s attack

2. How we started – Attack on Facebook

3. Performing the scans

4. Responsible disclosure

5. Conclusions

Designed by Ange Albertini

Page 17: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Let’s Start Scanning

• Careful selection of ClientKeyExchange messages:

  • Wrong TLS version

  • Wrong padding length

  • Not starting with 0x00 02

00 02 [non-zero padding] 00 03 03 [secret]

• Full / Shortened TLS handshakes:

[Diagram: two handshake flows (full and shortened), each labelled ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished.]
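
Added example (not from the slides or the authors' tooling): the strict padding check that turns a server into an oracle, beside the random-premaster fallback that RFC 5246, Section 7.4.7.1 prescribes as the TLS countermeasure, both run over the malformed ClientKeyExchange plaintexts listed on this slide. It operates on already-decrypted blocks only; the 256-byte key length, the function names and the error labels are assumptions of this example.

```python
import os

KEY_LEN = 256           # assumed 2048-bit RSA modulus
PMS_LEN = 48            # premaster secret: 2 version bytes + 46 random bytes
VERSION = b"\x03\x03"   # TLS 1.2, as on the slide

def pad(secret):  # constructed input: 00 02 [non-zero padding] 00 [secret]
    ps = bytes(b % 255 + 1 for b in os.urandom(KEY_LEN - 3 - len(secret)))
    return b"\x00\x02" + ps + b"\x00" + secret

def strict_unpad(em):
    """Leaky: each failure has its own error (distinct alert/reset/timeout)."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad_header")
    sep = em.find(b"\x00", 2)
    if sep < 10 or len(em) - sep - 1 != PMS_LEN:
        raise ValueError("bad_padding_length")
    if em[sep + 1:sep + 3] != VERSION:
        raise ValueError("bad_version")
    return em[sep + 1:]

def hardened_unpad(em):
    """Never fail here: a malformed block yields a random secret, so every
    bad handshake dies the same way at Finished. Logic only, not constant time."""
    fallback = VERSION + os.urandom(PMS_LEN - 2)  # drawn before any check
    try:
        return strict_unpad(em)
    except ValueError:
        return fallback

def variants():
    """The malformed messages listed on the slide, plus a well-formed one."""
    good = pad(VERSION + os.urandom(PMS_LEN - 2))
    return {
        "well_formed": good,
        "wrong_version": good[:-PMS_LEN] + b"\x02\x02" + good[-(PMS_LEN - 2):],
        "wrong_padding_length": pad(VERSION + os.urandom(10)),
        "not_00_02": b"\x00\x01" + good[2:],
    }

def observe(unpad):  # what the key-exchange step reveals for each variant
    out = {}
    for name, em in variants().items():
        try:
            unpad(em)
            out[name] = "continue"
        except ValueError as err:
            out[name] = str(err)
    return out
```

`observe(strict_unpad)` returns a different outcome for every variant, which is the distinguishable behaviour a scan looks for; `observe(hardened_unpad)` returns `"continue"` for all of them.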

Page 18: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Alexa Top 1 Million Scan

• 2,8 % vulnerable

• PayPal, Apple, eBay, Cisco, …

• Different behaviors…different combinations:

[Diagram: observed server behaviors: different alerts (Illegal Parameter / Bad Record MAC, Handshake Failure / Internal Error, …), duplicate alerts (Alert, Alert / Alert), TCP connection resets, timeouts.]

Page 19: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Overview

1. Bleichenbacher’s attack

2. How we started – Attack on Facebook

3. Performing the scans

4. Responsible disclosure

5. Conclusions

Designed by Ange Albertini

Page 20: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Who Is Responsible for These Mistakes?

• Reporting is not always that easy …

Your server is vulnerable to Bleichenbacher’s attack.

No worries, we use military grade encryption.

Page 21: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Don’t Fix for Some Vendors … Cisco ACE

• Supports only TLS RSA

• Cisco: We won't fix it, it's out of support for several years

• But there were plenty of webpages still running with these devices

  • Like cisco.com

Page 22: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Identified (Most of) Them


Page 23: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Test Tools

• No easily usable test tool for Bleichenbacher attacks available

• Currently implemented in SSL Labs, testssl.sh, TLS-Attacker, tlsfuzzer


Page 24: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Overview

1. Bleichenbacher’s attack

2. How we started – Attack on Facebook

3. Performing the scans

4. Responsible disclosure

5. Conclusions

Designed by Ange Albertini

Page 25: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Future Work

• Timing attacks

• Fingerprinting

• Some servers send certificates or "garbage bytes"

  • Bleedinbacher? There could be a Heartbleed-style memory disclosure waiting to be found

[Diagram: server responses: Illegal Parameter / Bad Record MAC alert / …]

Page 26: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

Conclusions

• 20-year-old attacks still work

• New side-channels (timeouts, TCP resets, …)

• Crypto attack countermeasures are hard to apply

• Disable TLS_RSA cipher suites (not used in TLS 1.3)

• Stop using RSA PKCS#1 v1.5, use elliptic curves (or RSA-OAEP if RSA needed)

https://robotattack.org/
