Transport Layer Security (TLS)
ECEN 4133 Feb 18, 2021
Review: HTTP
(figure: a plaintext HTTP exchange)
Client -> gmail.com:   GET / HTTP/1.1
                       Host: gmail.com
gmail.com -> Client:   HTTP/1.1 200 OK
HTTP Threats
(figure: the same exchange with two attackers on the path)
Eve (passive): sits on the wire, reads the request "GET / HTTP/1.1 / Host: gmail.com" and the "HTTP/1.1 200 OK" response, and changes nothing
Mallory (active): sits between the client and gmail.com, intercepts the request and returns a forged "HTTP/1.1 200 OK" of her own
HTTP Threats
Eve can observe:
What page you are visiting (e.g. http://gmail.com/email84534)
Server responses (e.g. the content of your email)
Cookies (she can now log in as you!)
Submitted forms (passwords, new emails, credit cards, etc.)
Mallory can:
Provide you false information (e.g. change the content of an email)
Change what data you send (e.g. change the contents of what you post/send!)
Insert JavaScript into your page (e.g. tracking code, or scripts that steal information from gmail's origin)
Solution:
Cryptography! Confidentiality + Integrity
but how?
How do we translate?
Cryptographic Primitives
(figure: a cloud of RSA, DSA, ECDSA, Diffie-Hellman, RC4, HMAC, symmetric encryption, asymmetric encryption, public keys, certificates, PKI)
Objectives: Message Integrity, Confidentiality, Authentication
(figure: the same primitives grouped under the objective each one serves)
Confidentiality: symmetric encryption (the slide's example cipher is RC4; RC4 has since been prohibited in TLS by RFC 7465, and AES is what is used today)
Message Integrity: HMAC
Authentication: public-key signatures (RSA, DSA, ECDSA), certificates, PKI
Agreeing on the symmetric key: Diffie-Hellman, or RSA encryption of the key
Typical HTTPS Connection
(figure: the subset of the primitives one HTTPS connection actually uses: a certificate carrying an RSA or ECDSA public key for authentication, Diffie-Hellman or RSA for key exchange, a symmetric cipher for the data, HMAC for integrity)
HTTPS, TLS
Transport Layer Security (TLS)
Previous versions: Secure Socket Layer (SSL). Do not use!
SSL 2.0
SSL 3.0
TLS 1.0, 1.1, 1.2: extensions/improvements to SSL 3.0
TLS 1.3: a redesigned TLS (2018)
(SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all formally deprecated: RFC 6176, RFC 7568, RFC 8996)
HTTPS: the S stands for Secure! HTTP over TLS
Case Study: TLS
Arguably the most important (and most widely used) cryptographic protocol on the Internet
Almost all encrypted protocols (SSH being the notable exception) use TLS for transport encryption:
HTTPS, POP3, IMAP, SMTP, FTP, NNTP, XMPP (Jabber), OpenVPN, SIP (VoIP), ...
Browser TLS Support
(table: TLS versions supported by each browser version; source: http://en.wikipedia.org/wiki/Transport_Layer_Security)
Where does TLS live?
Application (HTTP)
  TLS sits here, between the application and the transport layer
Transport (TCP)
Network (IP)
Data-Link (1GigE)
Physical (copper)
(figure: the same stack drawn on both the Client and the Server; TLS runs end to end between the two)
the handshake
(figure: a sequence of handshake messages exchanged between Client and Server, after which an Encrypted Communication Channel (Symmetric) carries the application data)
Cipher Suites
DHE-RSA-AES256-SHA
DHE: ephemeral key exchange (Diffie-Hellman Ephemeral)
RSA: identity / authentication (the key in the server's certificate signs the exchange)
AES256: data transfer cipher
SHA: message digest used for the HMAC that authenticates each record (SHA-1 in this suite)
Goals
Confidentiality
Message Integrity
Authentication
X.509 Certificates
Subject: C=US/O=Google Inc/CN=www.google.com
Issuer: C=US/O=Google Inc/CN=Google Internet Authority
Serial Number: 01:b1:04:17:be:22:48:b4:8e:1e:8b:a0:73:c9:ac:83
Validity: Jul 12 2010 to Jul 19 2012
Public Key Algorithm: rsaEncryption
Public Key: 43:1d:53:2e:09:ef:dc:50:54:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d ... (illustrative bytes)
Signature Algorithm: sha1WithRSAEncryption (browsers stopped accepting SHA-1 certificate signatures in 2017)
Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d ... (illustrative bytes)
Certificate Chains
Browser Root CA store: "Trust everything signed by this root certificate"
1. Root (self-signed, shipped with the browser)
   Subject: C=US/OU=Equifax Secure Certificate Authority
   Issuer: C=US/OU=Equifax Secure Certificate Authority
   Public Key: (omitted on the slide)
   Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:38:c9:d1
   "I authorize and trust this certificate; here is my signature" (the root signs the intermediate)
2. Intermediate CA
   Subject: C=US/CN=Google Internet Authority
   Issuer: C=US/OU=Equifax Secure Certificate Authority
   Public Key: (omitted on the slide)
   Signature: be:b1:82:19:b9:7c:5d:28:04:e9:1e:5d:39:cd
   "I authorize and trust this certificate; here is my signature" (the intermediate signs the leaf)
3. Leaf (the web site)
   Subject: C=US/O=Google Inc/CN=*.google.com
   Issuer: C=US/CN=Google Internet Authority
   Public Key: (omitted on the slide)
   Signature: bf:dd:e8:46:b5:a8:5d:28:04:38:4f:ea:5d:49:ca
The browser checks each signature with the public key of the certificate one step up, until it reaches a root that is in its store.
Goals
Confidentiality: symmetric crypto
Message Integrity: HMACs
Authentication: public-key crypto
Certificate Authority Ecosystem
Each browser trusts a set of CAs
CAs can sign certificates for new CAs
CAs can sign certificates for any web site
If a single CA is compromised, then the entire system is compromised
We ultimately place our complete trust of the Internet in the weakest CA
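The chain walk and the "weakest CA" point above, as an added Python example (this is not code from the lecture). Certificates are plain dicts, the signature scheme is textbook RSA over small fixed primes with SHA-256 (a toy construction assumed here for illustration, not secure), and the names follow the Equifax / Google Internet Authority / *.google.com chain shown earlier. The "Rogue CA" and its keys are made up.

```python
"""Added example, not from the lecture: how a browser walks a chain back to its
root store, and what one rogue root does to that check."""
import hashlib
import json

E = 65537

def make_key(p, q):
    """Toy RSA key pair from two fixed primes (constructed, far too small for real use)."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_h(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def tbs(cert):
    """The 'to be signed' part: everything except the signature, canonically encoded."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def issue(issuer, issuer_priv, subject, pub, ca, not_before="2010-07-12", not_after="2012-07-19"):
    """issuer signs a certificate for subject; issuer=None makes it self-signed (a root)."""
    cert = {"subject": subject, "issuer": issuer["subject"] if issuer else subject,
            "pub": pub, "ca": ca, "not_before": not_before, "not_after": not_after}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def cn_matches(cn, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def validate(chain, roots, host, today):
    """chain = [leaf, intermediate, ...] as the server sends it (root omitted);
    roots = trusted self-signed certs keyed by subject. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= today <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        issuer = chain[i + 1] if i + 1 < len(chain) else roots.get(cert["issuer"])
        if issuer is None:
            return False, f"{cert['subject']}: issuer {cert['issuer']!r} not in root store"
        if not issuer["ca"]:
            return False, f"{cert['subject']}: issuer is not a CA"
        if issuer["subject"] != cert["issuer"] or not verify(issuer["pub"], tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad signature"
    if not cn_matches(chain[0]["subject"], host):
        return False, f"{chain[0]['subject']} does not match {host}"
    return True, "ok"

def demo(today="2011-07-10"):
    # Honest PKI, named as in the lecture's chain; every key uses distinct fixed primes.
    root_pub, root_priv = make_key(2**127 - 1, 2**107 - 1)
    gia_pub, gia_priv = make_key(2**89 - 1, 2**61 - 1)
    goog_pub, goog_priv = make_key(2**64 - 59, 2**32 - 5)
    root = issue(None, root_priv, "Equifax Secure Certificate Authority", root_pub, ca=True)
    gia = issue(root, root_priv, "Google Internet Authority", gia_pub, ca=True)
    google = issue(gia, gia_priv, "*.google.com", goog_pub, ca=False)
    # A rogue CA (a hacked CA, or a state-mandated root) issues its own *.google.com.
    rogue_pub, rogue_priv = make_key(10**9 + 7, 10**9 + 9)
    mitm_pub, _ = make_key(998244353, 2**31 - 1)
    rogue = issue(None, rogue_priv, "Rogue CA", rogue_pub, ca=True)
    mitm = issue(rogue, rogue_priv, "*.google.com", mitm_pub, ca=False)
    store = {root["subject"]: root}
    results = {
        "honest": validate([google, gia], store, "www.google.com", today),
        "wrong_host": validate([google, gia], store, "www.google.com.evil.com", today),
        "expired": validate([google, gia], store, "www.google.com", "2013-01-01"),
        "rogue_untrusted": validate([mitm], store, "www.google.com", today),
        # a leaf is not a CA, so anything it "signs" has to be rejected
        "leaf_as_ca": validate([issue(google, goog_priv, "mail.google.com", mitm_pub, ca=False),
                                google, gia], store, "mail.google.com", today),
    }
    store[rogue["subject"]] = rogue            # one extra trusted root, and the MITM cert is "valid"
    results["rogue_trusted"] = validate([mitm], store, "www.google.com", today)
    return results

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16} {'OK ' if ok else 'REJECT'} {why}")
```

The last two results are the whole CA problem in one line: the same forged *.google.com certificate that is rejected with the honest store is accepted the moment a single extra root lands in the store, and the browser has no way to tell a rogue root from a legitimate one by looking at the chain alone.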
Immediate Concerns
Nobody has any idea who these CAs are: 1,500+ known browser-trusted CA certificates
History of CAs being hacked (e.g. DigiNotar)
Oops: Korea gave every elementary school, library, and agency a CA certificate (1,324 of them). Luckily they were invalid as CAs because of a constraint higher up the chain
Getting a Certificate
Certificates are free and easy to get!
https://letsencrypt.org/
Identity is validated by e-mail to the address in WHOIS, or by proving control over a certain URL on the domain (Let's Encrypt automates the latter with the ACME protocol)
What can go wrong?
Setting up TLS manually is hard. People are terrible at it!
DigiNotar
DigiNotar was a Dutch Certificate Authority
On July 10, 2011, a *.google.com certificate was issued to an attacker and subsequently used to orchestrate MITM attacks in Iran
Nobody noticed the attack until someone found the certificate in the wild and posted it to pastebin
DigiNotar Contd.
DigiNotar later admitted that dozens of fraudulent certificates had been created
Google, Microsoft, Apple and Mozilla all revoked the DigiNotar root certificate
The Dutch government took over DigiNotar
DigiNotar went bankrupt and died
Kazakhstan TLS MITM
(figures: the government-issued root certificate that Kazakh ISPs instructed users to install, 2019)
Domains impacted:
allo.google.com, android.com, cdninstagram.com, dns.google.com, docs.google.com, encrypted.google.com, facebook.com, goo.gl, google.com, groups.google.com, hangouts.google.com, instagram.com, mail.google.com, mail.ru, messages.android.com, messenger.com, news.google.com, ok.ru, picasa.google.com, plus.google.com, rukoeb.com, sites.google.com, sosalkino.tv, tamtam.chat, translate.google.com, twitter.com, video.google.com, vk.com, vk.me, vkuseraudio.net, vkuservideo.net, www.facebook.com, www.google.com, www.instagram.com, www.messenger.com, www.youtube.com, youtube.com
Browser response:
Remove the KZ root certificate from the trust set even if the user explicitly added it!
Attack Vectors
Attack the weakest Certificate Authority
Attack browser implementations
Magically notice a bug in a key-generation library that leads you to discovering all the private keys on the Internet
Attack the cryptographic primitives (Math is hard, let's go shopping!)
TLS Attacks
User concerns: deploying a site leaks the private key; client users ignore HTTPS errors!
Attack the (weakest) CA: DigiNotar, Comodo, WoSign/StartCom
Attack the browser or the protocol: SSL Strip, Null Prefix, Padding Oracle, BEAST, CRIME, goto fail, POODLE, FREAK, Logjam, DROWN, ...
Attack the server: Heartbleed
Google no evil
SSL Strip
Discovered by Moxie Marlinspike, 2009
Normal flow: the user types bank.com, the browser sends plain HTTP, the server redirects to HTTPS
Client -> bank.com:    GET / HTTP/1.1
                       Host: bank.com
bank.com -> Client:    HTTP/1.1 301 Moved Permanently
                       Location: https://bank.com/
Client <-> bank.com:   [TLS connection]
With sslstrip in the middle: the attacker answers the plaintext request himself and talks TLS to the real site
Client -> Attacker:    GET / HTTP/1.1
                       Host: bank.com
Attacker <-> bank.com: [TLS connection]
Attacker -> Client:    HTTP/1.1 200 OK  (the real page, with every https:// link rewritten to http://)
The victim never sees a certificate warning because the victim never uses TLS at all.
Defense: HTTP Strict Transport Security (HSTS, RFC 6797) and the browser preload list make the browser refuse plaintext for that host, so there is no first plaintext request to strip.
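The rewriting an sslstrip-style proxy performs and the HSTS rule that defeats it, as an added Python example (not code from the lecture or from sslstrip itself). bank.com's responses, the attacker's position on the path and the browser model are all constructed for illustration.

```python
"""Added example, not from the lecture: sslstrip's rewrite and the HSTS defence."""

HSTS = "Strict-Transport-Security: max-age=31536000; includeSubDomains"

def bank_server(scheme, path):
    """Stand-in for bank.com: plaintext requests get a redirect to TLS, TLS requests get the app."""
    if scheme == "http":
        return f"HTTP/1.1 301 Moved Permanently\r\nLocation: https://bank.com{path}\r\n{HSTS}\r\n\r\n"
    return (f"HTTP/1.1 200 OK\r\n{HSTS}\r\nContent-Type: text/html\r\n\r\n"
            '<a href="https://bank.com/login">Log in</a>'
            '<form action="https://bank.com/transfer" method="post">')

def sslstrip(path):
    """Attacker on the path: fetches the real page over TLS (he is just another client to
    bank.com), then hands the victim a plaintext copy with every https:// turned into
    http:// and the HSTS header removed so the browser never learns to upgrade."""
    head, _, body = bank_server("https", path).partition("\r\n\r\n")
    headers = [h for h in head.split("\r\n") if not h.lower().startswith("strict-transport-security")]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).replace("https://", "http://")

class Browser:
    def __init__(self, preload=()):
        self.hsts_hosts = set(preload)          # hosts that may only ever be contacted over TLS

    def _learn_hsts(self, host, response):
        head = response.split("\r\n\r\n", 1)[0]
        if any(h.lower().startswith("strict-transport-security") for h in head.split("\r\n")):
            self.hsts_hosts.add(host)           # RFC 6797: only honoured when received over TLS

    def visit(self, host, path, scheme, attacker_on_path):
        """Returns (scheme actually used on the wire, response the browser received)."""
        if host in self.hsts_hosts:
            scheme = "https"                    # internal upgrade before any bytes leave the machine
        if scheme == "https":
            response = bank_server("https", path)   # end-to-end TLS: the attacker cannot rewrite it
            self._learn_hsts(host, response)
        elif attacker_on_path:
            response = sslstrip(path)           # the plaintext request is intercepted and answered
        else:
            response = bank_server("http", path)    # honest redirect; HSTS over plaintext is ignored
        return scheme, response

def demo():
    fresh = Browser()
    used, page = fresh.visit("bank.com", "/", "http", attacker_on_path=True)
    stripped = used == "http" and "https://" not in page and not fresh.hsts_hosts
    preloaded = Browser(preload={"bank.com"})
    used_preload, _ = preloaded.visit("bank.com", "/", "http", attacker_on_path=True)
    returning = Browser()
    returning.visit("bank.com", "/", "https", attacker_on_path=False)   # one clean TLS visit earlier
    used_returning, _ = returning.visit("bank.com", "/", "http", attacker_on_path=True)
    return {"stripped": stripped, "preload": used_preload, "returning": used_returning}

if __name__ == "__main__":
    print(demo())
```

A browser that has never seen bank.com over TLS stays on plaintext for the whole session, and the login form now posts to http://bank.com/transfer through the attacker. A preloaded host, or one whose HSTS header was seen on an earlier clean TLS visit, is upgraded before the request leaves the machine, so the stripper never gets a plaintext request to answer.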
Null Termination Attack
Discovered by Moxie Marlinspike, 2009
ASN.1 uses Pascal-style (length-prefixed) strings, so a NUL byte is an ordinary character inside a certificate's Common Name
Web browsers used C-style (NUL-terminated) strings when comparing that name to the host
The attacker, who owns evil.com, asks for a certificate with CN = gmail.com\0.evil.com; the CA checks ownership of the rightmost domain, evil.com, and issues it
The browser copies the CN into a C string, stops at the NUL, and sees gmail.com:
strcmp("gmail.com\0.evil.com", "gmail.com") == 0
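The length-prefixed versus NUL-terminated comparison, as an added Python example (not code from the lecture). The Common Name below is constructed: it is what the attacker asks the CA to certify after registering evil.com. The vulnerable function models a browser that hands the name to strcmp(); the fixed one uses the ASN.1 length and treats an embedded NUL as a malformed name.

```python
"""Added example, not from the lecture: the null-prefix certificate name check."""

ATTACKER_CN = b"gmail.com\x00.evil.com"     # constructed: CN the attacker had certified

def registrable_domain(cn):
    """What the CA validates ownership of: the rightmost labels of the full,
    length-delimited string. The NUL is just another byte inside the third label."""
    return b".".join(cn.split(b".")[-2:])

def _match(name, host):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    if name.startswith(b"*."):
        return b"." in host and host.split(b".", 1)[1] == name[2:]
    return name == host

def cn_matches_cstyle(cn, host):
    """Vulnerable: the CN is copied into a NUL-terminated buffer and compared with
    strcmp(), so everything after the first NUL silently disappears."""
    as_c_string = cn.split(b"\x00", 1)[0]
    return _match(as_c_string, host)

def cn_matches_fixed(cn, host):
    """Fixed: compare using the ASN.1 length, and reject any name that contains a
    NUL byte instead of treating it as a terminator."""
    if b"\x00" in cn:
        return False
    return _match(cn, host)

if __name__ == "__main__":
    print("CA validated:", registrable_domain(ATTACKER_CN))
    print("vulnerable browser accepts for gmail.com:", cn_matches_cstyle(ATTACKER_CN, b"gmail.com"))
    print("fixed browser accepts for gmail.com:", cn_matches_fixed(ATTACKER_CN, b"gmail.com"))
```

The CA and the browser are both individually "correct": the CA really did check evil.com, and strcmp() really does report equality. The bug is that two components parse the same bytes under different string conventions.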
BEAST attack
Discovered by Thai Duong and Juliano Rizzo, 2011
Browser Exploit Against SSL/TLS
Chosen-plaintext attack against CBC mode in TLS 1.0 (and SSL 3.0), where the IV of each record is the last ciphertext block of the previous record
Attacker can:
Observe Alice's ciphertext
Make Alice send secret plaintext P over TLS (e.g. an HTTP cookie)
Make Alice send arbitrary plaintext over the same TLS session
CBC: Cipher-Block Chaining Mode
C_i := E(K, P_i ⊕ C_{i-1}) for i = 1, ..., n, with C_0 = IV
(figure: P1, P2, P3 are each XORed with the previous ciphertext block (the IV for P1) and then encrypted under E_K, giving C1, C2, C3)
BEAST attack
Secret plaintext P2 (e.g. "Cookie: secret=a26b3f8e"); attacker-chosen plaintext Pi, sent later on the same connection
Because TLS 1.0 reuses the last ciphertext block as the next IV, the attacker knows C_{i-1} before choosing Pi
(figure: on the left the victim's block, C2 = E_K(C1 ⊕ P2); on the right the attacker's block, Pi = C_{i-1} ⊕ C1 ⊕ G, where G is a guess for P2)
C2 = E_K(C1 ⊕ P2)
Ci = E_K(Ci-1 ⊕ Pi) = E_K(Ci-1 ⊕ Ci-1 ⊕ C1 ⊕ G) = E_K(C1 ⊕ G)
C2 == Ci iff P2 == G
BEAST attack
Problem: the attacker has to guess G entirely (a whole 16-byte block)
Solution: force part of P2 to be known padding!
The attacker pads the request (e.g. with "AAAAA") so that the block boundary falls right after the first unknown byte:
P2 = "Cookie: secret=a"   (15 known bytes + 1 unknown byte)
P3 = "26b3f8e..."
Only have to guess 1 byte now! 256 guesses and we're sure to get it
BEAST attack
Once we have guessed "a", we redo the attack with one byte less padding, so the next unknown byte becomes the last byte of the block:
Padding   Block containing the next unknown byte   Rest of the secret
AAAA      Cookie: secret=a2                        6b3f8e
AAA       Cookie: secret=a26                       b3f8e
AA        Cookie: secret=a26b                      3f8e
A         Cookie: secret=a26b3                     f8e
Padding oracle attack
Discovered by Serge Vaudenay, 2002
CBC decryption: P1 = D(C1) ⊕ IV, P2 = D(C2) ⊕ C1, P3 = D(C3) ⊕ C2
The receiver checks the padding of the last block before it checks the MAC, and the two failures are reported differently (a different alert, or a different response time). That difference is an oracle: the attacker can tell whether a modified ciphertext decrypted to valid padding.
Worked example with 4-byte blocks, as on the slide:
D(C3) = 5b d8 99 ee
Attacker sends C1, C2', C3 with C2' = 34 da 9b ef
P3' = D(C3) ⊕ C2' = 6f 02 02 01
The last byte 01 is valid padding, so the receiver goes on to check the MAC and returns MAC ERROR instead of BAD PADDING. The attacker learns D(C3)[3] ⊕ ef = 01, and so P3[3] = D(C3)[3] ⊕ C2[3]. Repeat with padding 02 02, 03 03 03, ... for the remaining bytes.
CRIME attack
Discovered by Thai Duong and Juliano Rizzo, 2012
Compression Ratio Info-leak Made Easy
The client compresses the HTTP request (TLS-level DEFLATE compression, or SPDY header compression) before encrypting it
The compressed data contains attacker-controlled AND secret data!!
Attacker can:
Make Alice send HTTPS requests with some data controlled by the attacker and some data secret (the cookie)
Observe the encrypted data (its length)
CRIME attack
Request without attacker data:
GET / HTTP/1.1
Host: bank.com
Cookie: a2bf6c89
-> compressed + encrypted: 320 bytes (the attacker sees only the length)
Attacker makes the browser fetch https://bank.com/?Cookie: 000000
GET /?Cookie: 000000 HTTP/1.1
Host: bank.com
Cookie: a2bf6c89
-> 400 bytes ("Cookie: " in the URL and in the header compress together; the guessed "0" does not match the "a" in the real cookie)
Attacker makes the browser fetch https://bank.com/?Cookie: 100000
-> 400 bytes (still encrypted, still the same length)
Attacker makes the browser fetch https://bank.com/?Cookie: a00000
GET /?Cookie: a00000 HTTP/1.1
Host: bank.com
Cookie: a2bf6c89
-> 394 bytes (the guess extends the match by one byte, so the compressed request shrinks)
Guess     Request size
000000    400 bytes
100000    400 bytes
200000    400 bytes
...
900000    400 bytes
a00000    394 bytes
b00000    400 bytes
The smallest request reveals the correct first byte; fix "a" and repeat for the next byte.
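The length oracle above run against real DEFLATE, the algorithm TLS compression used, as an added Python example (not code from the lecture). The request layout, the cookie name __Secure-session and its value are constructed; the attacker reads nothing but the size of each compressed request, exactly as a network observer would after a length-preserving cipher.

```python
"""Added example, not from the lecture: CRIME byte-at-a-time recovery with zlib."""
import zlib

SECRET = "a2bf6c89"                      # constructed victim cookie value
COOKIE = "__Secure-session"              # constructed cookie name

def victim_request(attacker_path):
    """What the victim's browser sends for bank.com/<attacker_path>: the attacker chose
    the path (an <img> tag on any page will do), the browser attached the cookie."""
    return (f"GET /{attacker_path} HTTP/1.1\r\n"
            f"Host: bank.com\r\n"
            f"Cookie: {COOKIE}={SECRET}\r\n\r\n").encode()

def observed_length(attacker_path):
    """What a network attacker sees: TLS compressed the record with DEFLATE and then
    encrypted it with a length-preserving cipher, so the ciphertext length is this."""
    return len(zlib.compress(victim_request(attacker_path), 9))

def recover_secret(alphabet="0123456789abcdef", max_len=32):
    """Byte at a time: put 'Cookie: NAME=<known><guess>' in the URL. When the guess is
    right, DEFLATE's back-reference from the real header to the URL grows by one byte
    and one literal disappears, so that request is the shortest. A tie means no guess
    extended the match, i.e. the end of the secret."""
    known = ""
    while len(known) < max_len:
        sizes = {c: observed_length(f"?Cookie: {COOKIE}={known}{c}") for c in alphabet}
        shortest = min(sizes.values())
        hits = [c for c, n in sizes.items() if n == shortest]
        if len(hits) != 1:
            break
        known += hits[0]
    return known

if __name__ == "__main__":
    print(recover_secret())
```

The slide's 6-byte drop is schematic; with DEFLATE the saving per correct byte is one literal, i.e. one byte of output, which is why the recovery loop compares sizes rather than looking for a fixed delta. Real CRIME needed extra tricks for guesses that straddle a byte boundary; the point here is only that the secret leaks through the length.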
goto fail;
2014, Apple's TLS library (Secure Transport), SSLVerifySignedServerKeyExchange():

    hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(&hashCtx)) != 0)
        goto fail;
    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = sslRawVerify(...);
    ...
fail:
    // Cleanup buffers, etc.
    return err;

The second goto fail; is not inside the if: its indentation is a lie, and it runs unconditionally. err is still 0 from the successful update() call, sslRawVerify() is never reached, and the function returns success without ever checking the ServerKeyExchange signature. Any server (or MITM) could present garbage as the signature over its ephemeral DH/ECDH parameters and the client accepted it (CVE-2014-1266). An unreachable-code warning (clang's -Wunreachable-code) would have flagged the dead final() call.
POODLE
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz, 2014
Padding Oracle On Downgraded Legacy Encryption
SSLv3 padding: only the last byte (the padding length) matters; the padding bytes themselves are never checked
(figure: CBC encryption of a request in 8-byte blocks)
GET / HT | TP/1.1\r\n | Cookie:  | a2c86f2e | [MAC tag] | xxxxxxx7
The last block is pure padding: 7 ignored bytes and a padding-length byte of 7
Attacker copies the cookie block (a2c86f2e) over the padding block and lets the server decrypt the record
(figure: CBC decryption of the modified record)
Case 1: the last block decrypts to garbage such as 4G&1mA, whose last byte is not 7: BAD PADDING OR MAC
Case 2 (probability 1/256): the last block decrypts to garbage such as 6*I(`Sn7 whose last byte is 7: the padding is ignored and the MAC, computed over the unchanged earlier bytes, checks out
In case 2 the attacker learns the last byte of D_K(C_cookie): since P = D_K(C_cookie) ⊕ C_{i-1}, D_K(C_cookie)[7] ⊕ C_{n-1}[7] = 7, and the last cookie byte is 7 ⊕ C_{n-1}[7] ⊕ C_{cookie-1}[7]
Shift the cookie by one byte (pad the request path) and repeat for the next byte
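The three CBC attacks in this lecture, BEAST (the chained-IV chosen-plaintext attack), Vaudenay's padding oracle, and POODLE (SSLv3's last-byte-only padding check), run end to end against a toy record layer, as one added Python example (not code from the lecture). The block cipher is a SHA-256 Feistel network standing in for AES/3DES, and the keys, IVs and the cookie value are constructed; nothing here is secure, it only exposes the mechanics, and the block size is 16 so the BEAST section's 16-byte blocks apply (POODLE works identically with 8-byte blocks).

```python
"""Added example, not from the lecture: BEAST, the padding oracle and POODLE on a toy CBC record layer."""
import hashlib
import hmac
import secrets

BLOCK, ROUNDS, MACLEN = 16, 8, 20
HEADER, SECRET = b"Cookie: secret=", b"a26b3f8e"              # constructed victim request fragment
KEY, MAC_KEY = secrets.token_bytes(16), secrets.token_bytes(16)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def split(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _feistel(key, blk, rounds):                                # toy 128-bit block cipher
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:BLOCK // 2])
    return r + l
def block_encrypt(key, blk): return _feistel(key, blk, range(ROUNDS))
def block_decrypt(key, blk): return _feistel(key, blk, reversed(range(ROUNDS)))

def cbc_encrypt(key, iv, pt):                                  # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for blk in split(pt):
        prev = block_encrypt(key, xor(blk, prev)); out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):                                  # P_i = D_K(C_i) xor C_{i-1}
    bs = [iv] + split(ct)
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip(bs, bs[1:]))

def tls_pad(data):                                             # SSLv3/TLS padding: n+1 bytes of value n
    n = (BLOCK - 1 - len(data)) % BLOCK
    return data + bytes([n]) * (n + 1)
def tls10_pad_ok(pt):                                          # TLS 1.0 checks every pad byte
    n = pt[-1]
    return n < BLOCK and pt[-(n + 1):] == bytes([n]) * (n + 1)

class Tls10Session:
    """TLS 1.0 record layer: the last ciphertext block of one record is the IV of the next."""
    def __init__(self): self.chain = secrets.token_bytes(BLOCK)
    def send(self, data):
        ct = cbc_encrypt(KEY, self.chain, tls_pad(data)); self.chain = ct[-BLOCK:]
        return ct

def beast(session, length):
    """Attacker watches the wire (so knows the next IV before it is used), makes the victim
    send prefix+HEADER+SECRET with a chosen prefix, and sends records of his own."""
    known = b""
    while len(known) < length:
        prefix = b"A" * (-len(known) % BLOCK)                  # next unknown byte lands at a block end
        iv = session.chain
        bs = [iv] + split(session.send(prefix + HEADER + SECRET))   # the victim's record
        i = (len(prefix) + len(HEADER) + len(known)) // BLOCK  # block that ends with the unknown byte
        prev, target = bs[i], bs[i + 1]
        for g in range(256):
            guess = (prefix + HEADER + known)[-(BLOCK - 1):] + bytes([g])
            probe = xor(xor(session.chain, prev), guess)       # P_i = C_{i-1} xor C_1 xor G
            if session.send(probe)[:BLOCK] == target:          # C_i == C_2 iff G == P_2
                known += bytes([g]); break
    return known

def padding_oracle_decrypt(oracle, prev, target):
    """Vaudenay: oracle(iv, block) only says whether the padding was valid. Recover
    D_K(target) from the last byte backwards, then P = D_K(target) xor prev."""
    dec = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        n = BLOCK - 1 - pos                                    # pad value that makes bytes pos..15 valid
        for g in range(256):
            forged = bytearray([0] * pos + [g] + [dec[k] ^ n for k in range(pos + 1, BLOCK)])
            if not oracle(bytes(forged), target): continue
            if pos == BLOCK - 1:                               # rule out a lucky longer pad (01 01, ...)
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged), target): continue
            dec[pos] = g ^ n; break
    return xor(bytes(dec), prev)

def sslv3_accepts(iv, ct):
    """SSLv3: only the pad-length byte matters, pad bytes are ignored, then the MAC must verify."""
    pt = cbc_decrypt(KEY, iv, ct); n = pt[-1]
    if n >= BLOCK: return False
    body = pt[:-(n + 1)]
    return hmac.compare_digest(hmac.new(MAC_KEY, body[:-MACLEN], "sha1").digest(), body[-MACLEN:])

def sslv3_victim_record(path_pad, body_pad):
    """Victim's request; the attacker picks how much filler goes before and after the cookie."""
    req = b"GET /" + b"A" * path_pad + b" HTTP/1.1\r\n" + HEADER + SECRET + b"\r\n\r\n" + b"B" * body_pad
    iv = secrets.token_bytes(BLOCK)                            # stands in for the chained IV, new per request
    return iv, cbc_encrypt(KEY, iv, tls_pad(req + hmac.new(MAC_KEY, req, "sha1").digest()))

def poodle(length):
    known = b""
    while len(known) < length:
        j = len(known)
        path_pad = -(5 + 11 + len(HEADER) + j + 1) % BLOCK     # secret[j] becomes the last byte of a block
        body_pad = -(5 + path_pad + 11 + len(HEADER) + len(SECRET) + 4 + MACLEN) % BLOCK  # last block = pad
        i = (5 + path_pad + 11 + len(HEADER) + j) // BLOCK
        while True:                                            # about 256 tries per byte
            iv, ct = sslv3_victim_record(path_pad, body_pad)
            bs = [iv] + split(ct)
            if sslv3_accepts(iv, ct[:-BLOCK] + bs[i + 1]):     # cookie block copied over the padding block
                # accepted, so D_K(C_cookie)[-1] xor C_{n-1}[-1] == BLOCK-1; the cookie byte follows
                known += bytes([(BLOCK - 1) ^ bs[-2][-1] ^ bs[i][-1]]); break
    return known

if __name__ == "__main__":
    print(beast(Tls10Session(), len(SECRET)), poodle(len(SECRET)))
```

Three different oracles, one underlying mistake: the receiver reacts to a ciphertext before authenticating it. BEAST needs no error at all, only an encryption of a chosen block under a known IV; the padding oracle needs the server to distinguish bad padding from a bad MAC; POODLE needs only SSLv3's refusal to look at the padding bytes. TLS 1.1 fixed BEAST with explicit per-record IVs, TLS 1.2 AEAD suites remove padding oracles entirely, and disabling SSLv3 is the only fix for POODLE.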
Heartbleed
https://xkcd.com/1354/
A 2014 bug in OpenSSL's TLS heartbeat extension (CVE-2014-0160): the server echoed back as many bytes as the client's heartbeat request claimed to contain, without checking that claim against the actual payload length, so a client could read up to 64 KB of server memory (private keys, session cookies, passwords) per request.
MD5 Considered Harmful Today
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
In 2008 (at CCC), a group of researchers showed that they could create a rogue CA certificate using an MD5 collision
https://win.tue.nl/hashclash/rogue-ca/downloads/md5-collisions-1.0.pdf
This kind of MD5 collision (a chosen-prefix collision, where the two colliding certificates have different, meaningful contents) takes a lot more processing than the identical-prefix collisions produced by fastcoll from the crypto project
So the researchers used a cluster of 200 PS3s for ~2 days; it took 4 attempts (CA signatures), because the serial number and validity period the CA would put into the certificate had to be predicted in advance
Mining Your Ps and Qs
Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman
In 2012, a team of researchers performed a global analysis of SSL/TLS and SSH keys
5.6% of TLS and 9.6% of SSH hosts shared cryptographic keys in a vulnerable manner
They calculated the private keys for 0.5% of TLS hosts and 1.06% of SSH hosts
What if two RSA servers generate the same p but different q? N1 = p·q1 and N2 = p·q2. Find p given N1 and N2? gcd(N1, N2) = p, which Euclid's algorithm computes in microseconds; then q1 = N1/p, q2 = N2/p and both private keys follow
Uncovered vulnerabilities in Linux's random number generator (/dev/urandom): headless and embedded devices generated their keys at first boot, before the entropy pool had been seeded with anything unpredictable
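The shared-prime recovery from the question above, as an added Python example (not code from the paper or the lecture). The primes are constructed Mersenne primes, far too small for real keys; hosts A and B model two devices whose RNG produced the same p, host C is healthy.

```python
"""Added example, not from the lecture: private keys from RSA moduli that share a prime."""
import math

E = 65537

def private_exponent(p, q):
    return pow(E, -1, (p - 1) * (q - 1))

def factor_from_shared_prime(n1, n2):
    """If N1 = p*q1 and N2 = p*q2 then gcd(N1, N2) = p, and Euclid's algorithm finds it
    in microseconds even for 2048-bit moduli. Returns (p, q1, q2), or None if the moduli
    share nothing (identical moduli are a different failure and also return None)."""
    p = math.gcd(n1, n2)
    if p == 1 or p in (n1, n2):
        return None
    return p, n1 // p, n2 // p

def find_weak_moduli(moduli):
    """Pairwise gcd over a collection of public moduli; maps each factorable N to its (p, q).
    The paper does this for millions of keys in quasi-linear time with a product tree;
    the O(n^2) pairwise version shows the idea."""
    weak = {}
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            shared = factor_from_shared_prime(a, b)
            if shared:
                p, qa, qb = shared
                weak[a], weak[b] = (p, qa), (p, qb)
    return weak

def demo():
    # constructed: A and B generated the same p from the same unseeded RNG state; C did not
    p, q1, q2, r, s = 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**61 - 1, 2**31 - 1
    hosts = {"host-a": p * q1, "host-b": p * q2, "host-c": r * s}
    weak = find_weak_moduli(list(hosts.values()))
    recovered = {}
    for name, n in hosts.items():
        if n in weak:
            pp, qq = weak[n]
            recovered[name] = (n, private_exponent(pp, qq))   # (public modulus, private exponent)
    return recovered

if __name__ == "__main__":
    for name, (n, d) in demo().items():
        print(f"{name}: N={n} d={d}")
```

Nothing about either key is weak on its own: both moduli are products of two large primes, and factoring either one alone is still infeasible. The weakness is a relation between keys that only shows up when you have everyone's public keys at once, which is why the attack needed an Internet-wide scan.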