attacks on ssl/tls - applied cryptography, lecture 6 · 2015-12-09 · applied cryptography,...
TRANSCRIPT
/ department of mathematics and computer science
Assignments
- Choice of topic: before Thursday, November 26th, 23:59 (today).
- Assignment of topic: Friday, November 27th.
- Deadline of first assignment: Sunday, December 13th, 23:59.
The deadlines are strict!
Attacks on SSL/TLS
Applied Cryptography, Lecture 6
Ruben Niederhagen
Nov. 26th, 2015
Timeline of attacks on SSL/TLS
[Figure: timeline 2010 to 2016 of attacks on SSL/TLS: SSLstrip, BEAST, CRIME, Lucky 13, Royal Holloway, BREACH, FREAK, Bar-mitzvah, Heartbleed, POODLE, Logjam, NOMORE RC4; the Padding Oracle attack dates back to 2002.]
SSLstrip Attack (2009)
- Eve wants to read the traffic between Alice and Bob’s webserver.
- Problem: Bob offers http via TLS.
- Solution: Make sure Alice uses an unencrypted connection.
People usually start SSL connections in two different ways:
- Click on links that happen to be https.
- Through HTTP 302 redirects. (Try to enter http://www.google.nl/ in your web browser.)
Idea: Parse web traffic and strip the “s” from all links to https. https −→ http
- Watch HTTP traffic go by.
- Switch <a href="https://..."> to <a href="http://..."> and remember what has changed.
- Switch request https://... to http://... and remember what has changed.
- Watch HTTP traffic go by.
- If we see an HTTP request for a URL that we had stripped, proxy that as HTTPS.
- Watch the HTTPS traffic go by; remember relative links, CSS links, JavaScript, ...
- The server does not notice any difference.
- No warning message is displayed to the client; the user needs to look out for https marks explicitly (and know about it).
- Eve sees all the traffic.
Countermeasure: HTTP Strict Transport Security (HSTS).
- Inform the browser to always use SSL/TLS to the site.
- This information is stored by the browser for all future connections.
- Can also be stripped by the attacker; only works if the first connection was not intercepted.
- Some browsers are shipped with a static HSTS list for some sites.
Best countermeasure: Carefully check that the site is encrypted when handling sensitive information!
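To make the HSTS countermeasure concrete, here is an added Go example (not from the slides, not any browser's real code) of the browser-side policy store: it records a Strict-Transport-Security header only when it arrived over HTTPS, rewrites later http:// links to https:// for known hosts, and models a preloaded entry. www.google.nl is taken from the slide; bank.example, shop.example and the header values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// hstsEntry is what the browser remembers from a Strict-Transport-Security header (RFC 6797).
type hstsEntry struct {
	expires           time.Time
	includeSubDomains bool
}

// hstsStore is a toy model of a browser's HSTS cache plus its built-in preload list.
type hstsStore struct {
	dynamic map[string]hstsEntry
	preload map[string]bool
}

func newHSTSStore(preload ...string) *hstsStore {
	s := &hstsStore{dynamic: map[string]hstsEntry{}, preload: map[string]bool{}}
	for _, h := range preload {
		s.preload[strings.ToLower(h)] = true
	}
	return s
}

// parseHSTS handles values such as "max-age=31536000; includeSubDomains".
func parseHSTS(value string, now time.Time) (hstsEntry, error) {
	e, haveMaxAge := hstsEntry{}, false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if strings.HasPrefix(strings.ToLower(d), "max-age=") {
			secs, err := strconv.ParseInt(d[len("max-age="):], 10, 64)
			if err != nil || secs < 0 {
				return e, fmt.Errorf("bad max-age in %q", value)
			}
			e.expires, haveMaxAge = now.Add(time.Duration(secs)*time.Second), true
		} else if strings.EqualFold(d, "includeSubDomains") {
			e.includeSubDomains = true
		}
	}
	if !haveMaxAge {
		return e, fmt.Errorf("max-age missing in %q", value)
	}
	return e, nil
}

// Observe records a policy. Only a header received over HTTPS counts: on plain
// HTTP the man in the middle (SSLstrip's position) could have added or removed it.
func (s *hstsStore) Observe(host, scheme, header string, now time.Time) error {
	if scheme != "https" {
		return fmt.Errorf("ignoring HSTS header received over %s", scheme)
	}
	e, err := parseHSTS(header, now)
	if err != nil {
		return err
	}
	s.dynamic[strings.ToLower(host)] = e
	return nil
}

// known walks up through parent domains; a parent counts only with includeSubDomains
// (preload entries are assumed to cover subdomains).
func (s *hstsStore) known(host string, now time.Time) bool {
	labels := strings.Split(host, ".")
	for i := range labels {
		h := strings.Join(labels[i:], ".")
		e, ok := s.dynamic[h]
		if s.preload[h] || (ok && now.Before(e.expires) && (i == 0 || e.includeSubDomains)) {
			return true
		}
	}
	return false
}

// Upgrade returns the URL the browser really fetches: an http:// link to a known host
// becomes https:// before any request leaves the browser, undoing the stripped "s".
// Unknown hosts are left alone, so the first, unprotected visit stays the attacker's window.
func (s *hstsStore) Upgrade(rawURL string, now time.Time) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "http" || !s.known(strings.ToLower(u.Hostname()), now) {
		return rawURL, false
	}
	u.Scheme = "https"
	return u.String(), true
}

func main() {
	now := time.Now()
	s := newHSTSStore("www.google.nl") // constructed preload entry
	_ = s.Observe("bank.example", "https", "max-age=31536000; includeSubDomains", now)
	for _, link := range []string{"http://bank.example/login", "http://www.google.nl/", "http://shop.example/cart"} {
		up, ok := s.Upgrade(link, now)
		fmt.Printf("%-28s -> %-29s upgraded=%v\n", link, up, ok)
	}
}
```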
BEAST Attack (2011)
Recall the CBC mode of operation:
[Figure: Cipher Block Chaining (CBC) mode encryption: each plaintext block is XORed with the previous ciphertext block (the Initialization Vector (IV) for the first block) and then passed through the block cipher encryption under the key.]
[Figure, two frames: CBC encryption of Plaintext 0, 1, 2 into Ciphertext 0, 1, 2 under the key, chained from the IV. A fourth block is then encrypted, chained from Ciphertext 2, whose input is built from a guessed Plaintext 1, Ciphertext 0 and Ciphertext 2; the resulting Ciphertext 3 is compared with Ciphertext 1.]
BEAST: Browser Exploit Against SSL/TLS
- The attacker must be able to force the client to send data of the attacker’s choosing.
- There have been proof-of-concepts using cross-site scripting for stealing session cookies (byte by byte).
- Do we need to worry about information leaking when the attacker can modify or inject data on the client side?
Countermeasures:
- For TLS 1.0: send an empty packet ahead of each packet.
- TLS 1.1 and newer are not affected by this attack because each packet has a new IV that is sent in plaintext.
CRIME (2012) and BREACH (2013) Attacks
CRIME: Compression Ratio Info-leak Made Easy
- Some parts of the plaintext are VERY predictable.
- Session cookies can be found at well-defined spots:
    GET index.html HTTP/1.1
    Host: thebankserver.com
    (...)
    Cookie: secret=7xc89f+94/wa
    (...)
- Try to send data from the client in the TLS context and see how this affects the ciphertext; “guess” the session cookie character by character.
CRIME attack: exploit SSL/TLS compression
- Iteratively increase the guessed secret value (the slides step through secret=0XXX, 1XXX, ..., 7XXX and then secret=70XX):
    GET index.html HTTP/1.1
    Host: thebankserver.com
    (...)
    Cookie: secret=7xc89f+94/wa
    (...)
    Cookie: secret=0XXX
- E.g., with DEFLATE compression, the second occurrence of “secret=” is encoded as a back reference.
- Once the correct 1st digit has been reached, the compressed plaintext and thus the ciphertext will be shorter.
- Continue with the next digit.
Countermeasure for CRIME attack:
- Disable TLS compression (on client or server).
- Prevent the attacker from sending data in user context (prevent cross-site request forgery).
- There will be no compression for TLS 1.3.
BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
The same attack works on HTTP content for HTTP compression. Will still work with TLS 1.3!
Countermeasure for BREACH attack:
- Disable HTTP compression (on client or server).
- Prevent the attacker from sending data in user context (prevent cross-site request forgery).
- Disable HTTP compression on cross-site requests.
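The length channel behind CRIME and the effect of the "disable compression" countermeasure, as an added Go example that is not part of the slides: it builds the request from the slide with a guessed secret= prefix placed next to the real cookie (a constructed value), measures the DEFLATE-compressed record length per guess, and shows that with compression disabled every guess has the same length.

```go
package main

import (
	"bytes"
	"compress/flate"
	"fmt"
)

// Constructed session cookie standing in for the secret on the slide.
const secretCookie = "secret=7xc89f+94/wa"

// buildRecord models one TLS record: the attacker-influenced part (a query
// string the victim's browser was made to send) and the browser's real cookie
// end up in the same plaintext and are compressed together.
func buildRecord(attackerPart string) []byte {
	return []byte("GET /index.html?" + attackerPart + " HTTP/1.1\r\n" +
		"Host: thebankserver.com\r\n" +
		"Cookie: " + secretCookie + "\r\n\r\n")
}

// recordLength is the on-the-wire length of the record body: DEFLATE is applied
// only when compression is enabled (the CRIME precondition).
func recordLength(plain []byte, compressionEnabled bool) int {
	if !compressionEnabled {
		return len(plain)
	}
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err)
	}
	w.Write(plain)
	w.Close()
	return buf.Len()
}

// guessLengths returns the record length for each candidate first character c
// when "secret=c" is present next to the real cookie. With DEFLATE the second
// "secret=..." is a back reference; that reference covers one byte more, and the
// record gets shorter, exactly when c matches the cookie.
func guessLengths(candidates string, compressionEnabled bool) map[byte]int {
	out := map[byte]int{}
	for i := 0; i < len(candidates); i++ {
		c := candidates[i]
		out[c] = recordLength(buildRecord("secret="+string(c)), compressionEnabled)
	}
	return out
}

// leaks reports whether the lengths differ at all, i.e. whether an observer of
// ciphertext sizes learns anything about the guess.
func leaks(lengths map[byte]int) bool {
	lo, hi := -1, -1
	for _, l := range lengths {
		if lo == -1 || l < lo {
			lo = l
		}
		if l > hi {
			hi = l
		}
	}
	return lo != hi
}

func main() {
	for _, compression := range []bool{true, false} {
		l := guessLengths("0123456789", compression)
		fmt.Printf("compression=%-5v leaks=%-5v lengths=%v\n", compression, leaks(l), l)
	}
}
```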
Padding Oracle Attack (2002)
TLS prior to version 1.1 was susceptible to a padding oracle attack.
- Before encrypting with AES-CBC, need to pad data||MAC-tag to the AES block size (16 bytes).
- The padding sets each byte in the pad to the pad length, i.e., the padding has a specific format.
At the server side on receipt of an encrypted record:
- decrypt the record with the client encryption key,
- check the pad format; if not valid, return a decryption_failed alert,
- if the pad format is okay, check the MAC on the fragment; if it does not verify, return a bad_record_mac alert.
This introduced different types of errors that an attacker can distinguish.
Padding o
racle:
- Attacker submits ciphertexts of choice,
- learns whether the last bytes of a plaintext are a valid pad;
- if not valid, server returns decryption_failed,
- if valid, server returns bad_record_mac.
Gives rise to a chosen-ciphertext attack!
Padding oracle attack on CBC encryption
CBC mode encryption:
- $C_0 = \mathrm{IV}$,
- $C_i = E_K(C_{i-1} \oplus M_i)$.
CBC mode decryption:
- $C_0 = \mathrm{IV}$,
- $M_i = D_K(C_i) \oplus C_{i-1}$.
Suppose an attacker wants to find $M_2$ from ciphertext $(C_0, C_1, C_2, \ldots)$:
- $M_2 = D_K(C_2) \oplus C_1$.
- Guess the last byte of $M_2$ to be $g$,
- compute $C'_1 = C_1 \oplus (00|\ldots|00|g) \oplus (00|\ldots|00|01)$,
- submit $C = (C'_1, C_2)$ to the server and wait for the response.
- If $g$ is the last byte of $M_2$, the decryption of $C$ will have a valid pad;
- if not, the pad will not be valid,
- try all 256 possible bytes for $g$ until the correct one $g_0$ is found.
- Go on using $C'_1 = C_1 \oplus (00|\ldots|00|g|g_0) \oplus (00|\ldots|00|02|02)$.
[Figure, four frames: CBC mode decryption of two ciphertext blocks (Initialization Vector (IV), block cipher decryption under the key, plaintext). The last byte of the first ciphertext block is XORed with $g \oplus 01$ so that the last plaintext byte becomes 01 exactly when $g$ is correct; then the last two bytes are XORed with $g \oplus 02 \mid g_0 \oplus 02$, aiming at the pad 02|02.]
- For AES we can find one plaintext block with at most $16 \cdot 256$ chosen-ciphertext queries to the padding oracle.
- More complicated in practice: in case of an invalid record, the session is terminated and new keys need to be negotiated.
- Still a valid attack if the same message is encrypted in various sessions.
- Example: IMAP over TLS: every few minutes the client sends username and password to log in.
- Compute the password within a few hours.
Solutions:
- Make the alert message and the timing the same in both cases.
- RFCs: always perform a MAC check as if zero-length padding were applied.
- Encrypt-then-MAC avoids the problem because a change is detected before decryption.
- MAC-then-CBC is authenticated encryption, but the padding oracle destroys it.
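The two server receive paths from the slides side by side, as an added Go example (not the lecture's code and not a TLS library's): MAC-then-pad-then-CBC as in TLS before 1.1, the checker that distinguishes decryption_failed from bad_record_mac, and the hardened checker that always runs the MAC check as if the pad had zero length and returns one alert. Keys, IV and record contents are constructed; the pad format (n bytes of value n) is the one the slides use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

var encKey, macKey = bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32) // constructed keys
var sampleIV = []byte("constructed-iv!!")                                              // constructed 16-byte IV

// pad appends n bytes of value n (1 <= n <= 16), the pad format used on the slides.
func pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// padOK returns the pad length and whether the pad has the expected format.
func padOK(plain []byte) (int, bool) {
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize {
		return 0, false
	}
	return n, bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n))
}

func tag(fragment []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(fragment)
	return m.Sum(nil)
}

// sealRecord is the sender side: data || MAC-tag, padded, CBC-encrypted (MAC-then-encrypt).
func sealRecord(iv, data []byte) []byte {
	plain := pad(append(append([]byte{}, data...), tag(data)...))
	block, _ := aes.NewCipher(encKey)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}

func cbcDecrypt(iv, ct []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	return plain
}

// macOK checks fragment || tag, the tag being the last 32 bytes of body.
func macOK(body []byte) bool {
	if len(body) < sha256.Size {
		return false
	}
	return hmac.Equal(tag(body[:len(body)-sha256.Size]), body[len(body)-sha256.Size:])
}

// openVulnerable is the receive path from the slide: a bad pad is answered with
// decryption_failed, a bad MAC with bad_record_mac. The two different alerts
// answer "is the pad valid?" for any ciphertext the attacker submits.
func openVulnerable(iv, ct []byte) string {
	plain := cbcDecrypt(iv, ct)
	n, ok := padOK(plain)
	if !ok {
		return "decryption_failed"
	}
	if !macOK(plain[:len(plain)-n]) {
		return "bad_record_mac"
	}
	return "ok"
}

// openHardened follows the RFC advice on the slides: on a bad pad, continue as if
// the pad had zero length, always run the MAC check, and return the same alert for
// both failures. This removes the alert oracle, not the timing channel of Lucky 13.
func openHardened(iv, ct []byte) string {
	plain := cbcDecrypt(iv, ct)
	n, ok := padOK(plain)
	if !ok {
		n = 0
	}
	if macOK(plain[:len(plain)-n]) && ok { // MAC is evaluated first, so it always runs
		return "ok"
	}
	return "bad_record_mac"
}

func main() {
	ct := sealRecord(sampleIV, []byte("GET /login HTTP/1.1"))
	padBroken := append([]byte{}, ct...)
	padBroken[len(ct)-aes.BlockSize-1] ^= 0x80 // flips a bit in the last plaintext byte: the pad length
	macBroken := append([]byte{}, ct...)
	macBroken[0] ^= 0x01 // garbles the first plaintext block; the pad stays intact
	for _, r := range [][]byte{ct, padBroken, macBroken} {
		fmt.Printf("vulnerable=%-18s hardened=%s\n", openVulnerable(sampleIV, r), openHardened(sampleIV, r))
	}
}
```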
Lucky 13 Attack (2013)
Side channel attack: The Lucky 13 attack is a variant of the padding oracle attack, using the timing difference in the MAC computation as a side channel.
The TLS 1.1 and 1.2 RFCs recommend checking the MAC as if there was a zero-length pad:
    “This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.”
It turns out that the small timing difference actually can be exploited!
Countermeasures:
- Add random time delays to CBC-mode decryption processing.
  • Ineffective, attacker just needs more samples!
- Switch to using RC4 cipher suites.
  • RC4 is vulnerable!
- Modify TLS’s CBC-mode decryption procedure so as to remove the timing side channel.
  • “Lucky Microseconds: A Timing Attack on Amazon’s s2n Implementation of TLS”, Albrecht and Paterson, Nov. 18, 2015.
- Switch to using authenticated encryption, such as AES-GCM. −→ TLS 1.3 uses authenticated encryption only.
POODLE Attack (2014)
POODLE: Padding Oracle On Downgraded Legacy Encryption
- Client requests TLS 1.2.
- Eve lets the handshake fail (e.g. with an Alert message).
  • The correct behaviour of the server would be to respond with an older SSL/TLS version so that the handshake is finished properly and the transcript can be verified by both sides.
- To work with broken servers, some clients just try again after the handshake was aborted, using a lower (less secure) SSL/TLS version.
- Eve is able to use the padding oracle attack and wins.
Countermeasure: TLS Fallback Signaling Cipher Suite Value (SCSV)
- When the client tries to connect again, it adds TLS_FALLBACK_SCSV (0x56, 0x00) to its supported ciphers list.
- When the server sees TLS_FALLBACK_SCSV, it is supposed to check if it actually would have supported the (higher) TLS version.
Best countermeasure: Do not implement insecure cipher suites, either as server or as client!
Do not trade interoperability for security and standard compliance!
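The server-side SCSV check, as an added Go example that is not from the slides or any TLS library: a small model of a server deciding whether to accept a ClientHello that carries TLS_FALLBACK_SCSV, following the rule of RFC 7507 (abort with an inappropriate_fallback alert when a signalled retry offers less than the server supports). The version encodings are the real wire values; the cipher suite list and the scenarios are constructed.

```go
package main

import "fmt"

// A TLS protocol version as sent on the wire: SSL 3.0 = {3,0}, TLS 1.0 = {3,1},
// TLS 1.1 = {3,2}, TLS 1.2 = {3,3}.
type version struct{ major, minor uint8 }

var (
	SSL30 = version{3, 0}
	TLS10 = version{3, 1}
	TLS11 = version{3, 2}
	TLS12 = version{3, 3}
)

func (v version) less(o version) bool {
	return v.major < o.major || (v.major == o.major && v.minor < o.minor)
}

// The signalling cipher suite value from the slide, {0x56, 0x00}.
var fallbackSCSV = [2]byte{0x56, 0x00}

// serverHelloDecision: if the client marks this ClientHello as a fallback retry
// and offers a lower version than the server could have negotiated, abort with
// inappropriate_fallback instead of completing the downgraded handshake Eve
// provoked. Otherwise negotiate the highest version both sides support.
func serverHelloDecision(clientMax version, suites [][2]byte, serverMax version) (version, error) {
	fallback := false
	for _, s := range suites {
		if s == fallbackSCSV {
			fallback = true
		}
	}
	if fallback && clientMax.less(serverMax) {
		return version{}, fmt.Errorf("alert inappropriate_fallback: retry offers %v but server supports %v", clientMax, serverMax)
	}
	if serverMax.less(clientMax) {
		return serverMax, nil
	}
	return clientMax, nil
}

func main() {
	normal := [][2]byte{{0x00, 0x2f}}     // some ordinary cipher suite
	retry := append(normal, fallbackSCSV) // what a patched client sends on its second attempt
	// Eve broke the TLS 1.2 handshake; the client retries with SSL 3.0.
	for _, c := range []struct {
		name   string
		client version
		suites [][2]byte
		server version
	}{
		{"retry to SSL 3.0 at a TLS 1.2 server (POODLE attempt)", SSL30, retry, TLS12},
		{"retry to SSL 3.0 at a server that only speaks SSL 3.0", SSL30, retry, SSL30},
		{"old client without SCSV at a TLS 1.2 server", SSL30, normal, TLS12},
	} {
		v, err := serverHelloDecision(c.client, c.suites, c.server)
		fmt.Printf("%-56s -> %v %v\n", c.name, v, err)
	}
}
```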
RC4 Attacks
Roos’ biases (1995):
- The first byte of the keystream is correlated to the first three bytes of the key.
- Gives a square-root speedup to brute-force key recovery, e.g., $O(2^{64})$ for 128-bit keys.
Biased outputs of RC4 (2001):
- The second output byte of the keystream is biased toward zero with probability 1/128. −→ 2nd byte tends to be plaintext!
- The XOR value of the 1st and 2nd outputs of RC4 is also non-uniform.
Fluhrer, Mantin and Shamir attack (2001):
- RC4 is like a pseudo-random number generator, generating a keystream from a secret key.
- RC4 requires a nonce if a long-term key is used.
- If the nonce and the long-term key are simply concatenated, the long-term key can be discovered.
- SSL/TLS uses different keys for each session; but this is a problem for WEP, requires 10 million messages.
Klein’s attack (2005):
- Exploits more correlations between the RC4 keystream and the key.
- Breaks 128-bit WEP in under a minute; requires 40,000 frames for 50% success probability, 85,000 frames for 95% probability.
Royal Holloway attack (2013):
- Extensive study revealed even more correlations in the keystream.
- Requires $2^{28}$ to $2^{32}$ TLS connections for reliable recovery.
- Only the first 220 bytes of application data can be targeted.
Countermeasures:
- Discard initial keystream bytes.
- Add random-length padding to records.
- Limit the lifetime of cookies or the number of times cookies can be sent.
- Stop using RC4 in TLS.
Bar-mitzvah attack (2015):
- Makes use of the 13-year-old attack by Fluhrer, Mantin and Shamir.
- Some keys are particularly weak when used with RC4.
- The attack reveals several hundred bytes at the beginning of the plaintext if a weak key is used.
Countermeasures:
- Discard even more initial keystream bytes.
- Seriously, stop using RC4 in TLS!
NOMORE RC4 attack (2015): Numerous Occurrence MOnitoring & Recovery Exploit:
- Exploits even more biases, including long-term biases.
- Exploits Mantin’s ABSAB bias: a byte pair (A, B) likely reappears (pattern A B S A B).
- With 94% probability, the attack can be performed using $9 \cdot 2^{27}$ encryptions collected over 75 hours.
28/42
/ department of mathematics and computer science
RC4 Attacks
NOMORE RC4 attack (2015):Numerous Occurrence MOnitoring & Recovery Exploit:
I Exploit even more biases, including long-term biases.I Exploit Mantin’s ABSAB bias: a byte pair (A, B) likely reappears.
A B S A BI With 94% probability, attack can be preformed using 9 · 227encryptions collected over 75 hours.
28/42
RC4 Attacks

NOMORE RC4 attack (2015): Numerous Occurrence MOnitoring & Recovery Exploit
- Exploits even more biases, including long-term biases.
- Exploits Mantin’s ABSAB bias: a byte pair (A, B) is likely to reappear after a short gap S:
    A B S A B
- With 94% probability, the attack can be performed using 9 · 2^27 encryptions collected over 75 hours.

Countermeasures:
NOMORE RC4 in TLS!
29/42
RC4 Attacks

How about the NSA?
- The biases have been known to the NSA; the NSA has the resources to conduct research on its own.
- Large computing power makes it possible to find even more biases.
- Chances are the NSA can do better than public research.
- There are hints in the Snowden leaks that the NSA can decrypt some SSL/TLS traffic — when RC4 is used?
30/42
FREAK Attack (2014)

FREAK: Factoring RSA Export Keys
- There are weak EXPORT ciphers due to export restrictions on “cryptography” in the United States in the ’90s (in the meantime loosened due to “Bernstein v. United States”).
- Nowadays, these EXPORT ciphers can be broken with small effort, e.g., RSA-512 (cost: 100 USD on Amazon Cloud Services).
- Privacy is at risk when EXPORT ciphers are used!
31/42
FREAK Attack (2014)

How to convince client and server to use EXPORT ciphers?
- The hash of the transcript in the Finished message should prevent a MitM from downgrading to insecure ciphers.
- “Some modern TLS clients — including Apple’s SecureTransport and OpenSSL — have a bug in them. This bug causes them to accept RSA export-grade keys even when the client didn’t ask for export-grade RSA.” (Matthew Green)
32/42
FREAK Attack (2014)

Normal RSA key exchange (Client <-> Server):
  Client -> Server  : cr, [..., RSA, ...]
  Server -> Client  : sr, RSA
  Server -> Client  : cert_s
  Client -> Server  : rsaenc_s(pms)
  Client and Server : (ms, k1, k2) = kdf(pms, cr | sr)
  Client -> Server  : finished(ms, log_C)        Server checks log_C
  Client -> Server  : enc(k1, Data)
  Server -> Client  : finished(ms, log_S)        Client checks log_S
  Server -> Client  : enc(k2, Data)

Same exchange with a MitM (Client <-> MitM <-> Server):
  Client -> MitM    : cr, [..., RSA, ...]
  MitM   -> Server  : cr, [RSA_EXPORT]
  Server -> MitM    : sr, RSA_EXPORT
  MitM   -> Client  : sr, RSA
  Server -> Client  : cert_s, sign(sk_s, [cr | sr | p512])     (forwarded by the MitM)
  MitM              : s512 = factor(p512)
  Client -> Server  : rsaenc_{p512}(pms)                       (MitM decrypts pms with s512)
  Client, MitM, Server : (ms, k1, k2) = kdf(pms, cr | sr)
  Client -> Server  : finished(ms, log_C)
  Client -> Server  : enc(k1, Data)
  Server -> Client  : finished(ms, log_S)
  Server -> Client  : enc(k2, Data)

Because the MitM knows ms, it can produce a finished message that matches each side’s own transcript, so the transcript hash does not catch the downgrade.
32/42
FREAK Attack (2014)

The MitM attack:
1. In the client’s Hello message, it asks for a ’standard RSA’ cipher suite.
2. The MitM attacker changes this message to ask for ’export RSA’.
3. The server responds with a 512-bit export RSA key, signed with its long-term key; the MitM forwards the ServerKeyExchange message.
4. The client accepts the unexpected ServerKeyExchange message due to an implementation bug and uses the weak key.
5. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
6. When the client encrypts the ’pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ’master secret’.
7. From here on out, the attacker can decrypt (recorded) ciphertext.
34/42
FREAK Attack (2014)

Countermeasures:
- Do not offer, do not even implement EXPORT ciphers (neither client nor server).
- Do not have bugs in SSL/TLS implementations (pretty please).
  • Still a problem for TLS False Start.

Is that enough?
35/42
Logjam Attack (2015)

Normal DHE key exchange (Client <-> Server):
  Client -> Server  : cr, [..., DHE, ...]
  Server -> Client  : sr, DHE
  Server -> Client  : cert_s, sign(sk_s, [cr | sr | p | g | g^b])
  Client -> Server  : g^a
  Client and Server : (ms, k1, k2) = kdf(g^ab, cr | sr)
  Client -> Server  : finished(ms, log_C)
  Server -> Client  : finished(ms, log_S)
  Client -> Server  : enc(k1, Data)
  Server -> Client  : enc(k2, Data)

Same exchange with a MitM (Client <-> MitM <-> Server):
  Client -> MitM    : cr, [..., DHE, ...]
  MitM   -> Server  : cr, [DHE_EXPORT]
  Server -> MitM    : sr, DHE_EXPORT
  MitM   -> Client  : sr, DHE
  Server -> Client  : cert_s, sign(sk_s, [cr | sr | p512 | g | g^b])     (forwarded by the MitM)
  Client -> Server  : g^a
  MitM              : b = dlog(g^b mod p512)
  Client, MitM, Server : (ms, k1, k2) = kdf(g^ab, cr | sr)
  Client -> Server  : finished(ms, log_C)
  Server -> Client  : finished(ms, log_S)
  Client -> Server  : enc(k1, Data)
  Server -> Client  : enc(k2, Data)

As in FREAK, the MitM ends up knowing ms and can therefore forge both finished messages.
35/42
Logjam Attack (2015)

How to break 512-bit RSA in real-time?
Millions of servers all use the same prime numbers for Diffie-Hellman key exchange. However, the first step in the number field sieve — the most efficient algorithm for breaking a Diffie-Hellman connection — is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

Using precomputation for the most common 512-bit prime, the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT.

An academic team can break a 768-bit prime; a nation-state can probably break a 1024-bit prime.
37/42
Logjam Attack (2015)

Countermeasures:
- Do not offer EXPORT ciphers on servers.
- Make a sanity check of presented DH parameters; reject weak parameters.
- Do not use the standard primes; use individual primes.
- Use large primes, i.e., 2048-bit or larger primes.
38/42
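The client-side checks behind the FREAK and Logjam countermeasures (never offer EXPORT suites, reject a ServerKeyExchange the negotiated suite does not call for, sanity-check DH parameters), as an added example that is not the lecture's own code. The suite names are real IANA names, but the ServerKeyExchange layout and the sample numbers are simplified, constructed assumptions.

```python
"""Client-side handshake checks mirroring the FREAK and Logjam
countermeasures (added example; suite strings and the dataclass stand in
for the real TLS wire format)."""
from dataclasses import dataclass
from typing import Optional

MIN_DH_BITS = 2048  # "use 2048-bit or larger primes"


@dataclass
class ServerKeyExchange:
    kind: str                  # "rsa" (export RSA key) or "dh" (DHE parameters)
    p: Optional[int] = None    # RSA modulus or DH prime
    g: Optional[int] = None    # DH generator
    gb: Optional[int] = None   # server's DH share g^b mod p


def is_export(suite: str) -> bool:
    return "_EXPORT_" in suite


def client_hello_suites(wanted):
    """FREAK countermeasure: never offer an EXPORT suite in ClientHello."""
    for s in wanted:
        if is_export(s):
            raise ValueError(f"refusing to offer export suite {s}")
    return list(wanted)


def check_server_hello(offered, chosen):
    """A server picking a suite we never offered is a downgrade attempt."""
    if chosen not in offered:
        raise ValueError(f"server chose unoffered suite {chosen}")
    return chosen


def check_dh_params(p, g, gb):
    """Logjam countermeasure: sanity-check presented DH parameters.
    Size and range checks only; this does not prove that p is prime."""
    if p is None or p.bit_length() < MIN_DH_BITS:
        raise ValueError("DH prime too small (Logjam-sized parameters)")
    if p % 2 == 0:
        raise ValueError("DH prime is even")
    if g is None or not 1 < g < p - 1:
        raise ValueError("DH generator out of range")
    if gb is None or not 1 < gb < p - 1:
        raise ValueError("server DH share out of range")
    return True


def check_server_key_exchange(chosen, ske):
    """Fix for the FREAK client bug: an RSA ServerKeyExchange is only legal
    for RSA_EXPORT suites, which we never offer, so it is always rejected."""
    if chosen.startswith("TLS_DHE_"):
        if ske is None or ske.kind != "dh":
            raise ValueError("DHE suite without DH ServerKeyExchange")
        return check_dh_params(ske.p, ske.g, ske.gb)
    if ske is not None:
        raise ValueError(f"unexpected {ske.kind} ServerKeyExchange for {chosen}")
    return True


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError (used to exercise the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample values (real suite names; the numbers are not primes,
# they only have the bit lengths the checks look at).
RSA_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"
DHE_SUITE = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
RSA_EXPORT = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
P512 = (1 << 511) | 1     # odd 512-bit number, the size of an export key
P2048 = (1 << 2047) | 1   # odd 2048-bit number

if __name__ == "__main__":
    offered = client_hello_suites([RSA_SUITE, DHE_SUITE])
    # FREAK: export RSA key pushed at a client that negotiated plain RSA
    print(rejects(check_server_key_exchange, RSA_SUITE, ServerKeyExchange("rsa", p=P512)))
    # Logjam: 512-bit DH group
    print(rejects(check_server_key_exchange, DHE_SUITE, ServerKeyExchange("dh", P512, 2, 5)))
    # well-sized group passes the sanity check
    print(check_server_key_exchange(DHE_SUITE, ServerKeyExchange("dh", P2048, 2, 12345)))
```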
OpenSSL Heartbleed Bug (2014)

Bug in the implementation of the Heartbeat Extension (RFC 6520):

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

    [...] When a HeartbeatRequest message is received [...], the receiver MUST send a corresponding HeartbeatResponse message carrying an exact copy of the payload of the received HeartbeatRequest.

OpenSSL failed to check the actual length of the payload data.
39/42
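The missing length check, as an added example that is not OpenSSL's code: a HeartbeatRequest is parsed once the way the buggy code did (trusting payload_length) and once with the check that the claimed payload plus the mandatory padding must fit inside the record actually received. The process memory is a constructed bytes buffer: the record followed by whatever happened to sit next to it.

```python
"""Heartbeat echo with and without the record-length check (added example).
RFC 6520 message types and the 16-byte minimum padding are from the RFC;
the sample record and the neighbouring "memory" are constructed."""
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2   # HeartbeatMessageType values
HEADER_LEN = 3                                  # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16                                # padding MUST be at least 16 bytes


def build_heartbeat(msg_type, payload, claimed_length=None,
                    padding=b"\x00" * MIN_PADDING):
    """Encode a HeartbeatMessage. claimed_length lets a test construct a
    request whose payload_length field overstates the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", msg_type, length) + bytes(payload) + padding


def vulnerable_response(memory, record_len):
    """Pre-fix logic: copies payload_length bytes and never consults
    record_len, so the copy runs past the record into adjacent memory."""
    msg_type, length = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    payload = memory[HEADER_LEN:HEADER_LEN + length]
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def safe_response(memory, record_len):
    """Fixed logic: header + claimed payload + minimum padding must fit in
    the record that was actually received; otherwise discard silently."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, length = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + length + MIN_PADDING > record_len:
        return None
    payload = memory[HEADER_LEN:HEADER_LEN + length]
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


# Constructed samples: an honest 4-byte ping and one claiming 30 bytes.
HONEST = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
LYING = build_heartbeat(HEARTBEAT_REQUEST, b"ping", claimed_length=30)
NEIGHBOUR = b"SESSION-KEY-0123456789abcdef"   # stands in for adjacent heap data

if __name__ == "__main__":
    leaked = vulnerable_response(LYING + NEIGHBOUR, len(LYING))
    print(b"SESSION" in leaked)                                  # True: neighbour data echoed
    print(safe_response(LYING + NEIGHBOUR, len(LYING)) is None)  # True: request discarded
```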
SSL/TLS Cipher Suites

Cipher                                 Protocol version
Algorithm           Strength (bits)    SSL 2.0    SSL 3.0    TLS 1.0    TLS 1.1    TLS 1.2    TLS 1.3
AES GCM             256, 128           N/A        N/A        N/A        N/A        Secure     Secure
AES CCM             256, 128           N/A        N/A        N/A        N/A        Secure     Secure
AES CBC             256, 128           N/A        N/A        Depends    Secure     Secure     N/A
Camellia GCM        256, 128           N/A        N/A        N/A        N/A        Secure     Secure
Camellia CBC        256, 128           N/A        N/A        Depends    Secure     Secure     N/A
ARIA GCM            256, 128           N/A        N/A        N/A        N/A        Secure     Secure
ARIA CBC            256, 128           N/A        N/A        Depends    Secure     Secure     N/A
SEED CBC            128                N/A        N/A        Depends    Secure     Secure     N/A
3DES EDE CBC        112                Insecure   Insecure   Low/Dep.   Low        Low        N/A
GOST CNT            256                N/A        N/A        Secure     Secure     Secure     N/A
IDEA CBC            128                Insecure   Insecure   Depends    Secure     N/A        N/A
DES CBC             40                 Insecure   Insecure   N/A        N/A        N/A        N/A
DES CBC             56                 Insecure   Insecure   Insecure   N/A        N/A        N/A
RC2 CBC             56                 Insecure   Insecure   Insecure   N/A        N/A        N/A
ChaCha20-Poly1305   256                N/A        N/A        N/A        N/A        Secure     Secure
RC4                 40                 Insecure   Insecure   Insecure   N/A        N/A        N/A
RC4                 128                Insecure   Insecure   Insecure   Insecure   Insecure   N/A
NULL                –                  N/A        Insecure   Insecure   Insecure   Insecure   Insecure
41/42
Announcement

Guest lectures next week:
- Tuesday: Jacob Appelbaum, Tor.
- Thursday: Dan Bernstein, DNSsec.
42/42