authenticated encryption and secure channelstce.webee.eedev.technion.ac.il › wp-content ›...
TRANSCRIPT
![Page 1: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/1.jpg)
AuthenticatedEncryptionandSecureChannels
KennyPaterson
InformationSecurityGroup
@kennyog;www.isg.rhul.ac.uk/~kp
![Page 2: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/2.jpg)
Overview
Monday:
• Securechannelsandtheirproperties• Securityforsymmetricencryption–fromblockcipherstoAEAD
Tuesday:
• TLS• SSH2
![Page 3: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/3.jpg)
TLSOverview
![Page 4: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/4.jpg)
IntroducingTLS
SSL=SecureSocketsLayer.DevelopedbyNetscapeinmid1990s.
SSLv2deprecated,SSLv3broken;bothwidelysupportedonservers.
TLS=TransportLayerSecurity.IETF-standardisedversionofSSL.
TLS1.0=SSLv3withminortweaks,RFC2246(1999).
TLS1.1=TLS1.0+tweaks,RFC4346(2006).
TLS1.2=TLS1.1+moretweaks,RFC5246(2008).
TLS1.3=majorredesigncurrentlyunderwayinTLSWGofIETF.
44
![Page 5: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/5.jpg)
IntroducingTLS
Originallyforsecuree-commerce,nowusedmuchmorewidely.Retailcustomeraccesstoonlinebankingfacilities.
Useraccesstogmail,facebook,Yahoo.
Mobileapplications,includingbankingapps.
Paymentinfrastructures.
User-to-cloud.
PostSnowden:back-endoperationsforGoogle,Yahoo,…
TLShasbecomethedefactosecureprotocolofchoice.Usedbyhundredsofmillionsofpeopleanddeviceseveryday.
55
![Page 6: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/6.jpg)
HighlySimplifiedViewofTLS
Client Server HandshakeProtocol
RecordProtocol
Usedbyclientandserverto1. Negotiateciphersuite2. Authenticate3. EstablishkeysusedintheRecordProtocol
ProvidesconfidentialityandauthenticityofapplicationlayerdatausingkeysfromHandshakeProtocol
66
![Page 7: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/7.jpg)
TLSProtocolArchitecture
TCP
Record Protocol
Handshake Protocol
Alert Protocol
HTTP, other apps
Change Cipher Spec
Protocol
7
![Page 8: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/8.jpg)
TheTLSEcosystem(1/3)
• Servers• Includingmanagedserviceproviders(CloudFlare,Akamai)
• Clients• Ofallshapesandsizes
• Certificationserviceproviders• Ofallshapes,sizesandlevelsofsecurity
• Softwarevendors• FromGoogledowntoone-manopen-sourceoperations
• OpenSSLsomewherein-between• Hardwarevendors
88
![Page 9: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/9.jpg)
TheTLSEcosystem(2/3)
• TLSversions:• SSL3.0,TLS1.0,TLS1.1,TLS1.2
• ManyserversevenstillsupportSSL2.0(-->DROWNattack)
• 200+ciphersuites• https://www.thesprawl.org/research/tls-and-ssl-cipher-suites
• Somequitecommon,e.g.TLS_RSA_WITH_AES_128_CBC_SHA256
• Somemoreesoteric,e.g.TLS_KRB5_WITH_3DES_EDE_CBC_MD5
• Some offering no security: TLS_NULL_WITH_NULL_NULL!
• TLSextensions• Toonumeroustomention.
• DTLS99
![Page 10: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/10.jpg)
TheTLSEcosystem(3/3)
• IETFTLSWorkingGroup• AlsoIETFUTAWorkingGroup(UTA=UsingTLSinApplications)
• AndCFRG(CryptoForumResearchGroup)
• Growingcommunityofresearchers
• TheTLSecosystemhasbecomeverycomplexandvibrant.
1010
![Page 11: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/11.jpg)
TheTLSEcosystem(4/3)(bonusslide)
11
![Page 12: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/12.jpg)
ANewsworthyProtocol
TLShasbeeninthenews…..BEAST(2011),CRIME(2012),Lucky13(2013),RC4attacks(2013),POODLE(2014),RC4(again)(2015),AES-GCMwithbadrandomness(2016),SWEET32(2016),
Renegotiationattack(2009),tripleHandshakeattack(2014),FREAKandLOGJAM(2015),SLOTH(2016),DROWN(2016),…
Poorqualityofimplementations(particularlyincertificatehandling).
“WhyEveandMalloryLoveAndroid”(2012)
“Themostdangerouscodeintheworld”(2012)
Applegotofail(2013)
GnuTLScertificateprocessingbug(2013)
Truncationandcookiecutterattacks(2013,2014)
OpenSSLCCSbug(2014)
Frankencerts(2014)
Mostlytechpress,withlimitedcrossovertomainstreammedia.
1212
![Page 13: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/13.jpg)
ANewsworthyProtocol
TLShasreallybeeninthenews…..
….Heartbleedbug.
• Pressurebuiltandthedamfinallybroke?
• Severityofthethreat:leakageofprivateinformation,inc.serverprivatekeys+widespreaduseofOpenSSL.
• Practicaldemonstrationofthreat.
• Agoodlogo!
1313
![Page 14: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/14.jpg)
TLSProtocolArchitecture
TCP
Record Protocol
Handshake Protocol
Alert Protocol
HTTP, other apps
Change Cipher Spec
Protocol
14
![Page 15: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/15.jpg)
TLSRecordProtocol
TLSRecordProtocolprovides:- Dataoriginauthentication,integrityusingaMAC.
- Confidentialityusingasymmetricencryptionalgorithm.
- Anti-replayusingsequencenumbersprotectedbytheMAC.
- Optionalcompression.
- Fragmentationofapplicationlayermessages(butnotreassembly!).
- Astreaminginterfacetocallingapplications.
15
![Page 16: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/16.jpg)
TLSRecordProtocol:MAC-Encode-Encrypt
MAC
SQN||HDR Payload
Padding
Encrypt
Ciphertext
MACtagPayload
HDR
MAC HMAC-MD5, HMAC-SHA1, HMAC-SHA256
Encrypt CBC-AES128, CBC-AES256, CBC-3DES, RC4-128
1616Padding “00” or “01 01” or “02 02 02” or …. or “FF FF….FF”
![Page 17: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/17.jpg)
OperationofTLSRecordProtocol
• Datafromlayeraboveisreceivedandpartitionedintofragments(maxsize214bytes).
• Optionaldatacompression.
• Defaultoptionisnocompression.
• CalculateMAConsequencenumber,headerfields,anddata,andappendMACtodata.
• Pad(ifneededbyencryptionmode),thenencrypt.
• Prepend5-byteheader,containing:
• Contenttype(1byte,indicatingcontentofrecord,e.g.handshakemessage,applicationmessage,etc),
• SSL/TLSversion(2bytes),
• Lengthoffragment(2bytes).
• SubmittoTCP.
17
![Page 18: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/18.jpg)
OperationofTLSRecordProtocol
In-boundprocessingstepsreversesthesesteps:1.Receivemessage,oflengthspecifiedinHDR.2.Decrypt.3.Removepadding.4.CheckMAC.5.(Decompresspayload.)6.Passpayloadtoupperlayer
(note:nodefragmentation;TLSprovidesastreamoffragmentstotheapplication).
Errorscanarisefromanyofdecryption,paddingremovalorMACcheckingsteps.AllofthesearefatalerrorsinTLS.
18
![Page 19: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/19.jpg)
AEADandTLSRecordProtocol
MEEonlyforallversionsofSSLandTLSuptoTLS1.1.
• Security?
DedicatedAuthenticatedEncryptionwithAssociatedData(AEAD)algorithmswereaddedinTLS1.2.
• Singlealgorithmprovidingbothconfidentialityandintegrity/dataorigin(authentication)
• NeednotconformtoMEEtemplate.
• GeneralAEADinterfacespecifiedinRFC5116.
• AES-GCMspecifiedinRFC5288.
• AES-CCMspecifiedinRFC6655.
19
![Page 20: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/20.jpg)
20
AEADandTLSRecordProtocol
TLS1.2supportonmajorwebsites:
9/2012:5%;9/2013:17%;9/2014:43%;9/2015:66%;9/2016:79%
(source:sslpulse)
TLS1.2supportinbrowsers:
Chrome:sincerelease30.
Firefox:sincerelease28.
IE:sinceIE11.
Safari:sinceiOS5andOSX10.9.
(source:wikipedia,Nov.2013)
20
![Page 21: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/21.jpg)
HistoricalAEADUsageinTLS
SnapshotfromICSICertificateNotaryProject(Sept.2014):
21
16.3%
1.6%
![Page 22: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/22.jpg)
CurrentAEADUsageinTLS
SnapshotfromICSICertificateNotaryProject(Aug.2016):
22
>60%
1.2%
![Page 23: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/23.jpg)
BEAST
![Page 24: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/24.jpg)
24
BEAST
• IVchaining:uselastblockofpreviousciphertextasIV.
• DefaultinCBCmodeforSSLv3andTLS1.0.
• Leadstoachosen-plaintextdistinguishingattackagainstTLS.• FirstobservedforCBCmodeingeneralbyRogawayin1995.
• ApplicationtoTLSnotedbyDaiandMöllerin2004.
• ExtendedtotheoreticalplaintextrecoveryattackbyBardin2004/2006.
• TurnedintoapracticalplaintextrecoveryattackonHTTPcookiesbyDuongandRizzoin2011–theBEAST.• BEAST=BrowserExploitAgainstSSL/TLS
• 16-yeardemonstrationthatattacksdogetbetterwithtime.
24
![Page 25: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/25.jpg)
25
Ci-1 Ci
Pi-1 Pi
dK dK
Pi-1 Pi
Ci-1 Ci
eK eK
InitialisationVector(IV):• DefinesC0forprocessingfirst
block.• ChainedIVsarecommonin
applications,andinSSL3.0andTLS1.oinparticular.
• TLS1.1and1.2requireIVtoberandom.
CBCmodeneedssomeformofpaddingifplaintextlengthsarenotmultipleofblocklength.• Moreonpaddinglater.
CBCModeReminder
![Page 26: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/26.jpg)
26
AttackingChainedIVs
26
SupposeattackerwishestodistinguishencryptionsofsingleblocksP0,P1.AttackermakesLoRencryptionqueryformessagepair(P0,P1).
AttackerreceivesciphertextC=C1formessagePbwheresomeknown,previousblockC0wasusedastheIV.
Pb
C0 C1
eK
![Page 27: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/27.jpg)
27
AttackingChainedIVs
27
C1willbeusedastheIVforthenextencryption.AttackernowmakesLoRqueryonmessageP0⊕C0⊕C1.AttackerreceivessingleblockciphertextC2.
Pb
C0 C1
eK
P0⊕C0⊕C1
C2
eK
![Page 28: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/28.jpg)
AttackingChainedIVs
Pb
C0 C1
eK
P0⊕C0⊕C1
C2
eK
• IfPb=P0,theninputstoblockcipherarethesameinbothencryptions.
• Hence,ifPb=P0,thenC1=C2.• Otherwise,ifPb=P1,thenC1≠C2.• SolookingatC1andC2givesusatesttodistinguish
encryptionsofP0andP1.28
![Page 29: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/29.jpg)
AttackingChainedIVs
Distinguishingattackextendseasilytomulti-blockmessages.
BreaksCBCmodeintheIND-CPAsecuritymodel.
SoIVchainingforCBCmodeisbrokenintheory.
HowcanweturnthisintoapracticalattackonTLS?
• Wewantplaintextrecoveryratherthanadistinguishingattack.
• Weneedtofindawaytorealisethechosenplaintextrequirement.
29
![Page 30: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/30.jpg)
TheBEAST–Part1
• AssumebytesP0,P1,…P14areknown,trytorecoverP15.• UseP 0 P 1…P14asfirst15bytesofP’.• Iterateover256possiblevaluesinP’15.• P’15=P15ifandonlyifC1=C2.• Soaverageof128trials(eachinvolvingonechosenplaintext)toextractP15
whenremainingbytesinblockareknown.
C0 C1
eK
P’⊕C0⊕C1
C2
eK
P0…P14
P15
30
![Page 31: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/31.jpg)
TheBEAST–Part2
NowassumeattackercancontrolpositionofunknownbytesinstreamwithrespecttoCBCblockboundaries(chosenboundaryprivilege).Repeatprevioussingle-byterecoveryattackwithslidingbytes.
Green:initiallyknownbytes.Red:unknown(target)bytes.Orange:recoveredbytes.
P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 …
P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 …
P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 …
P4 P3 P1 P2 P0
P4 P3 P1 P2 P0
P4 P3 P1 P2 P0
…
…
…
P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 … P4 P3 P1 P2 P0 …
31
![Page 32: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/32.jpg)
TheBEAST–Part3
Browser
TLStunnelCookiefor
remotesite
32
![Page 33: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/33.jpg)
33
BEAST–KeyFeatures
• BEASTJavaScriptloadedaheadoftimeintoclientbrowserfromcompromisedormaliciouswesbite.
• Provideschosen-plaintextcapability.• AttacktargetisHTTPsecurecookie.• JavaScriptusesHTTPpaddingtocontrolpositionsofunknownbytes
(chosenboundaryprivilege).• Difficulttogetfinecontroloverbyte/blockpositions.• Needtobeabletoinjectchosenplaintextblockattheverystartof
RecordProtocolmessages.• JavaScriptalsoneedstocommunicatewithMITMattacker.
• Summary:it’scomplicated,butitcanbemadetowork.**Givenazero-dayinthebrowser!
33
![Page 34: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/34.jpg)
34
BEAST–Impact
• TheBEASTwasamajorheadacheforTLSvendors.• Perceivedtobearealisticattack.• Mostclientimplementationswere“stuck”atTLS1.0.
• Bestsolution:switchtousingTLS1.1or1.2.• UsesrandomIVs,soattackprevented.• Buttheseversionwerenotwidelysupportedserver-sideattimeof
attack.
• ForTLS1.0,varioushacksweredone:• Use1/n-1recordsplittinginclient.
• Nowimplementedinmostbrowsers.• Send0-lengthdummyrecordaheadofeachrealrecord.
• Breakssomeimplementations.• OrswitchtousingRC4?
34
![Page 35: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/35.jpg)
35
BEAST–Lessons
• Atheoreticalvulnerabilitypointedoutin1995becamea“practical”attackin2011.• Attacksreallydogetbetter(worse!)withtime.• Practitionersreallyshouldlistento(some)theoreticians.• And,inthiscase,theydid:TLS1.1and1.2userandomIVs.• Problemwasthatno-onewasusingtheseversionsin2011.
• Toolsfromthewidersecurityfieldwereneededtomaketheattacksheadlinenews.• Man-in-the-browserviaJavascript.• FairgamegiventhehugerangeofwaysinwhichTLSgetused.• Maybethosetoolscanbeusedelsewhere?
35
![Page 36: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/36.jpg)
PaddingOracleAttacks
![Page 37: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/37.jpg)
TLSRecordProtocol:MAC-Encode-Encrypt
MAC
SQN||HDR Payload
Padding
Encrypt
Ciphertext
MACtagPayload
HDR
MAC HMAC-MD5, HMAC-SHA1, HMAC-SHA256
Encrypt CBC-AES128, CBC-AES256, CBC-3DES, RC4-128
3737Padding “00” or “01 01” or “02 02 02” or …. or “FF FF….FF”
![Page 38: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/38.jpg)
TLSRecordProtocolPadding
PaddinginTLS1.0anduphasaparticularformat:– Alwaysaddatleast1byteofpadding.– Iftbytesareneeded,thenaddtcopiesofthebyterepresentationoft-1.
– SopossiblepaddingpatternsinTLSare: 00; 0101; 020202;…- SSLv3hasweakerformatrequirements:
00; ??01; ????02;….38
![Page 39: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/39.jpg)
TLSRecordProtocolPadding
• VariablelengthpaddingispermittedinallversionsofTLS(butnotinSSL).
• Upto256bytesofpaddingintotal: FFFF….FF
• FromTLS1.0:Lengthslongerthannecessarymightbedesirabletofrustrateattacksonaprotocolbasedonanalysisofthelengthsofexchangedmessages.
39
![Page 40: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/40.jpg)
HandlingPaddingDuringDecryption
• TLS1.0erroralert:decryption_failed:ATLSCiphertextdecryptedinaninvalidway:eitheritwasn`tanevenmultipleoftheblocklengthoritspaddingvalues,whenchecked,weren’tcorrect.Thismessageisalwaysfatal.
• Suggestspaddingformatshouldbechecked,butwithoutspecifyingexactlywhatchecksshouldbedone.
• LegacyofSSLv3,wherenocheckingcanbedonebecauseoflooserequirementsonpaddingformat.
40
![Page 41: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/41.jpg)
ExploitingWeakPaddingChecks–MöllerAttack
SSL/TLSdecryptionsequence:CBCmodedecrypt,removepadding,checkMAC.
[M04]:failuretocheckpaddingformatleadstoasimpleattackrecoveringthelastbyteofplaintextfromanyblock.
Assumptionsfortheattack:• AttackerhasaspecialTLSciphertextcontainingacompleteblockof
padding.
• SoMACendsonblockboundaryforthisciphertext.
• Paddingisremovedbyinspectinglastbyteonly(cfSSLv3).
41
![Page 42: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/42.jpg)
MöllerAttack
42
Ct-1 Ct
dK dK
Ct-2
dK
…
…
Blocks from special ciphertext
Byte value is “0F” here
![Page 43: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/43.jpg)
MöllerAttack
43
Ct-1 C*
dK dK
Decryption succeeds if and only if byte value is “0F” here
Target ciphertext block from stream
Ct-2
dK
…
…
Blocks from special ciphertext
Enabling recovery of last byte of dK(C*) here.
![Page 44: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/44.jpg)
MöllerAttack
• Decryptionsucceedsifandonlyif:
Ct-1⊕dK(C*)=(??,??,....??,0F)
• Failureofdecryptionresultsinvisibleerrormessage.
• HenceattackercanrecoverlastbyteofdK(C*)withprobability1/256.
• SuccessenablesrecoveryoflastbyteoforiginalplaintextP*correspondingtoC*intheCBCstream,bysolvingsystemofeqns:
Ct-1⊕dK(C*)=(??,??,....??,0F)
C*-1⊕dK(C*)=P*
whereC*-1istheblockprecedingC*inthestream.
44
![Page 45: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/45.jpg)
POODLEattack
45
• InSSLv3,noformatcheckingispossible!• SoMöller’sattackalreadybreaksCBCmodeinSSLv3.• CombinewithBEASTideastomovetargetplaintextbytesinto
correctpositionforattackone-by-one.• ResultingcombinationoftechniquesisknownasthePOODLE
attack(Duongetal.2014).• POODLE=PaddingOracleonDowngradeLegacyAttack• https://www.openssl.org/~bodo/ssl-poodle.pdf• Nozero-dayvulnerabilityisneeded.• 10yearsfromMöller’soriginalobservationtoPOODLE.
![Page 46: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/46.jpg)
POODLEattack
46
• ThereisnoeffectivecountermeasuretoPOODLEattack.• Receivercannotdomorerigorouspaddingchecks,becausesendercannot
bereliedupontouseTLSformatinSSL!
• CannotswitchtoRC4becausethat’salsobroken.• SothisPOODLEkillsSSLv3.What’stheproblem?NomodernbrowserrequestsSSLv3!• SSL/TLSversionnegotiationmechanismisnotproperly
implementedbymanyservers.• AnactiveMITMattackercandowngradeclientandservertoSSLv3
byspoofingserverresponsesinSSL/TLShandshake.• OnlysolutionistocompletelyremoveSSLv3supportinbrowsers.
![Page 47: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/47.jpg)
FullPaddingCheck
• InTLS1.1andup:
Eachuint8inthepaddingdatavectorMUSTbefilledwiththepaddinglengthvalue.ThereceiverMUSTcheckthispadding….
• Sodecryptionchecksthatbytesattheendoftheplaintexthaveoneofthefollowingformats:
00;
01,01;
02,02,02;
….
FF,FF,………..FF;
andoutputsanerrorifnoneoftheseformatsisfound.
• NBOther“sanity”checksmayalsobeneededduringdecryption.
47
![Page 48: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/48.jpg)
PaddingOracles
48 48
• Vaudenay[V02]proposedtheconceptofapaddingoracle.
C
Valid/Invalid
• Vaudenayshowedthat,forCBCmodeandforcertainpaddingschemes,apaddingoraclecanbeusedtobuildadecryptionoracle!
PaddingOracle
P=DecK(C)
CheckpaddingofP
![Page 49: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/49.jpg)
PaddingOracleAttackforTLSPadding
Ct-1 Ct
Pt-1 Pt
dK dK
XOR with various Δ here and submit to padding oracle
Eventually produces valid pad “00” here
Recovering true plaintext byte via Pt ⊕ Δ = (…. 00)
49
![Page 50: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/50.jpg)
PaddingOracleAttackforTLSPadding
Ct-1 Ct
Pt-1 Pt
dK dK
XOR with Δ1Δ0 here and submit to oracle
Eventually produces valid pattern “01 01” here
This byte now set to “01” by setting Δ0:=Δ ⊕ 01
Recovering true plaintext byte via
Pt ⊕ (…..Δ1Δ0) = (….0101)
50
![Page 51: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/51.jpg)
PaddingOracleAttackforTLSPadding
• Anaverageof128trialsareneededtoextractthelastbyteofeachplaintextblock.
• Canextendtotheentireblock,withanaverageof128trialsperbyte.
• Canextendtotheentireciphertext.• Becauseattackercanplaceanytargetblockaslastblockofciphertext.
51
![Page 52: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/52.jpg)
TLSPaddingOraclesInPractice?
• InTLS,anerrormessageduringdecryptioncanarisefromeitherafailureofthepaddingcheckoraMACfailure.
• Vaudenay’spaddingoracleattackwillproduceanerrorofonetypeortheother.
• Paddingfailureindicatesincorrectpadding.
• MACfailureindicatescorrectpadding.
• Iftheseerrorsaredistinguishable,thenapaddingoracleattackshouldbepossible.
52
![Page 53: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/53.jpg)
TLSPaddingOraclesInPractice?
Goodnews(fortheattacker):
• TheerrormessagesarisinginTLS1.0aredifferent:• bad_record_mac
• decryption_failed
Badnews:
• Buttheerrormessagesareencrypted,socannotbeseenbytheattacker.
• Andanerrorofeithertypeisfatal,leadingtoimmediateterminationoftheTLSsession.
• 53
![Page 54: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/54.jpg)
TLSPaddingOraclesInPractice?
Canveletal.[CHVV03]:• Recallthesequence:decrypt,checkpadding,checkMAC.• AMACfailureerrormessagewillappearonthenetworklaterthan
apaddingfailureerrormessage.• BecauseanimplementationwouldonlybothertochecktheMACif
thepaddingisgood.
• Sotimingtheappearanceoferrormessagesmightgiveustherequiredpaddingoracle.
• Eveniftheerrormessagesareencrypted!
• Amplifythetimingdifferencebyusinglongmessages.
• Buttheerrorsarefatal,soitseemstheattackercanstillonlylearn
onebyteofplaintext,andthenwithprobabilityonly1/256.
54
![Page 55: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/55.jpg)
OpenSSLandPaddingOracles
Canveletal.[CHVV03]:
• TheattackercanstilldecryptreliablyifafixedplaintextisrepeatedinafixedlocationacrossmanyTLSsessions.
• e.g.passwordinloginprotocoloranHTTPsessioncookie.
• Amulti-sessionattack.
• Modernviewpoint:useBEAST-stylemalwaretogeneratetherequiredencryptions.
• TheOpenSSLimplementationhadadetectabletimingdifference.
• Roughly2msdifferenceforlongmessages(closeto214bytemaximum).
• EnablingrecoveryofTLS-protectedOutlookpasswordsinabout3hours.
55
![Page 56: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/56.jpg)
Multi-sessionVersion
Ct-1 Ct
Pt-1 Pt
dK dK
XOR with various Δ here and submit for decryption
Eventually produces valid pad “00” here
Recovering true plaintext byte via Pt ⊕ Δ = (…. 00)
56
Ct-1, Ct vary in each trial, but Pt is fixed
![Page 57: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/57.jpg)
57
PaddingOracleAttackCountermeasures?
• RedesignTLS:• Pad-MAC-EncryptorPad-Encrypt-MAC.
• Tooinvasive,didnothappen.
• SwitchtoRC4?
• Oraddafixtoensureuniformerrors:• CheckaMACanyway,evenifthepaddingisbad.
• Ifattackercan’ttelldifferencebetweenMACandpaderrors,thenmaybeTLS’sMEEconstructionissecure?
• FixincludedinTLS1.1and1.2specifications.
57
![Page 58: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/58.jpg)
PaddingOraclesPost[CHVV03]
• RegardedasasolvedproblemforSSL/TLS.
• Steadytrickleofotherpapersshowingpaddingoracleattacksinothersystems,e.g.
• ISOstandardforCBC-modeencryption[PY04,YPM05].
• TraileroracleattackonIPsec[DP07,DP10]
• POETattackonASP.NET[DR10].
• XMLencryption[JS11].
• OpenSSLimplementationofDTLS[AP12].
58
![Page 59: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/59.jpg)
Lucky13Attack
![Page 60: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/60.jpg)
60
PaddingOracleCountermeasures,Revisited
Responsetotimingattacksin[V02,CHVV03]fromtheTLS1.1and1.2specifications:
…implementationsMUSTensurethatrecordprocessingtimeisessentiallythesamewhetherornotthepaddingiscorrect.Ingeneral,thebestwaytodothisistocomputetheMACevenifthepaddingisincorrect,andonlythenrejectthepacket.ComputetheMAConwhatthough?
60
![Page 61: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/61.jpg)
TLSRecordProtocol:MAC-Encode-Encrypt
MAC
SQN||HDR Payload
Padding
Encrypt
Ciphertext
MACtagPayload
HDR
Problemis:howtoparseplaintextaspayload,paddingandMACfieldswhenthepaddingisnotoneoftheexpectedpatterns00,0101,…?
6161
![Page 62: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/62.jpg)
62
EnsuringUniformErrors
FromtheTLS1.1and1.2specifications:Forinstance,ifthepadappearstobeincorrect,theimplementationmightassumeazero-lengthpadandthencomputetheMAC.• Thisapproachwasadoptedinmanyimplementations,
includingOpenSSL,NSS(Chrome,Firefox),BouncyCastle,OpenJDK,…
• Otherapproachespossible(e.g.GnuTLS).
62
![Page 63: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/63.jpg)
63
EnsuringUniformErrors
…Thisleavesasmalltimingchannel,sinceMACperformancedependstosomeextentonthesizeofthedatafragment,butitisnotbelievedtobelargeenoughtobeexploitable,duetothelargeblocksizeofexistingMACsandthesmallsizeofthetimingsignal.
63
![Page 64: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/64.jpg)
64
EnsuringUniformErrors
…Thisleavesasmalltimingchannel,sinceMACperformancedependstosomeextentonthesizeofthedatafragment,butitisnotbelievedtobelargeenoughtobeexploitable,duetothelargeblocksizeofexistingMACsandthesmallsizeofthetimingsignal.
64
![Page 65: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/65.jpg)
65
Lucky13:DistinguishingAttack
65
CK C’
C=EncK(M) MiseitherR287||00orR32||FF256
K
• AdversaryinterceptsC,mauls,andforwardsontorecipient.• Timetakentorespondwitherrormessagewillindicate
whetherM=R287||00orM=R32||FF256.• Ciphertext-onlydistinguishingattack.
![Page 66: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/66.jpg)
Lucky13DistinguishingAttack–Choose
RR…..……….……………R00
FFFF………………………….FF
R
R
C
CIV
IV
66
![Page 67: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/67.jpg)
Lucky13DistinguishingAttack–Maul
RR…..……….……………R00
FFFF………………………….FF
R
R
CIV
CIV
67
![Page 68: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/68.jpg)
Lucky13DistinguishingAttack–Inject
RR…..……….……………R00
FFFF………………………….FF
R
R
C’IV
C’IV
1-bytevalidpadding20-byteMAC267-bytemessage
256-bytevalidpadding20-byteMAC12-bytemessage
68
![Page 69: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/69.jpg)
Lucky13DistinguishingAttack–Decrypt
RR…..……….……..RR
R
CIV
CIV
69
![Page 70: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/70.jpg)
RR…..……….……..RR
R
SlowMACverification
FastMACverification
Timingdifference:4SHA-1compressionfunctionevaluations
SQN||HDR
SQN||HDR
280bytes
25bytes
Lucky13DistinguishingAttack–Decrypt
70
![Page 71: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/71.jpg)
Lucky13–ExperimentalResultsforDistinguishingAttack
71
Prob
abil
ity
1.50�106 1.51�106 1.52�106 1.53�106 1.54�106 1.55�106 1.56�106 1.57�1060
0.00001
0.00002
0.00003
0.00004
0.00005
0.00006
Hardware Cycles �Calculated by Attacker⇥OpenSSLv1.0.1onserverrunningat1.87Ghz.
100MbitLAN.
Differenceinmeansiscirca3.2μs.
![Page 72: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/72.jpg)
Lucky13–SuccessProbabilityforDistinguishingAttack
72
NumberofSessions SuccessProbability
1 0.756
4 0.858
16 0.951
64 0.992
128 1
![Page 73: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/73.jpg)
73
Lucky13–PlaintextRecovery
73
XOR 2-byte Δ here and submit for decryption
Produces valid patterns “01 01”
(or longer valid pad) or “00”,
OR bad pad.
Ct
Pt
dK
Ct-1
dK
R2 R1
dK dK
IV
(HMAC-SHA-1+AES-CBC)
Target ciphertext block from
stream
![Page 74: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/74.jpg)
74
Case1:“0101”(orlongervalidpad)
74
Ct
Pt
dK
Ct-1
dK
R2 R1
dK dK
IV
XOR 2-byte Δ here and submit for decryption
SQN||HDR
13+16+16+10=55bytes 20bytes
4SHA-1compressionfunctionevaluations
“01 01” (or longer valid pad)
![Page 75: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/75.jpg)
75
Case2:“00”
75
Ct
Pt
dK
Ct-1
dK
R2 R1
dK dK
IV
XOR 2-byte Δ here and submit for decryption
SQN||HDR
56bytes 20bytes
5SHA-1compressionfunctionevaluations
“00”
![Page 76: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/76.jpg)
76
Case3:Badpadding
76
Ct
Pt
dK
Ct-1
dK
R2 R1
dK dK
IV
XOR 2-byte Δ here and submit for decryption
SQN||HDR
57bytes 20bytes
5SHA-1compressionfunctionevaluations
zero-length pad
![Page 77: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/77.jpg)
77
Lucky13–PlaintextRecovery
77
Theinjectedciphertextcausesbadpaddingand/orabadMAC.ThisleadstoaTLSerrormessage,whichtheattackertimes.
Thereisatimingdifferencebetween“0101”caseandtheother2cases.AsingleSHA-1compressionfunctionevaluation.
Roughly1000clockcycles,circa1μsontypicalprocessor.
Measurabledifferenceonsamehost,LAN,orafewhopsaway.
(Comparewithoriginalpaddingoracleattack:2ms.)
Detectingthe“0101”caseallowslast2plaintextbytesinthetargetblockCttoberecovered.
UsingthestandardCBCalgebra:Pt ⊕ (…..Δ1Δ0) = (….0101).
Attackthenextendstoallbytesasinastandardpaddingoracleattack.
![Page 78: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/78.jpg)
78
Lucky13–PlaintextRecovery
78
Weneed216attemptstotryall2-byteΔvalues.
Andweneedaround27trialsforeachΔvaluetoreliablydistinguishthedifferentevents.
(Actualnoiseleveldependsonexperimentalset-up.)
EachtrialkillstheTLSsession.
Hencetheheadlineattackcostis223sessions,allencryptingthesameplaintext.
Seemsrathertheoretical?
![Page 79: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/79.jpg)
79
Lucky13–Improvements(AttacksGetBetter!)
79
If1-out-of-2lastplaintextbytesknown,thenweonlyneed28attemptsperbyte.
Iftheplaintextisbase64encoded,thenweonlyneed26attemptsperbyte.
And27trialsperattempttode-noise,foratotalof213.
BEAST-styleattacktargetingHTTPcookies.
Maliciousclient-sideJavascriptmakesHTTPGETrequests.
TLSsessionsareautomaticallygeneratedandHTTPcookiesattached.
GETrequestsare“padded”sothat1-out-of-2conditionalwaysholds.
Costofattackis213GETrequestsperbyteofcookie.
Nowapracticalattack!
![Page 80: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/80.jpg)
80
Lucky13–ExperimentalResults
80
Hard
ware
Cycl
es�Cal
cula
tedby
Adve
rsar
y⇥
⇥15 � 0xFE
0 50 100 150 200 2501.286⇤106
1.287⇤106
1.288⇤106
1.289⇤106
1.290⇤106
1.291⇤106
1.292⇤106
�15Byte14ofplaintextsetto01;byte15settoFF.
ModifyΔinposition15.
OpenSSLv1.0.1onserverrunningat1.87Ghz,100MbitLAN.
Mediantimes(noisenotshown).
![Page 81: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/81.jpg)
81
Lucky13–Countermeasures
81
Wereallyneedconstant-timedecryptionforTLS-CBC.
Adddummyhashcompressionfunctioncomputationswhenpaddingisgoodtoensuretotalisthesameaswhenpaddingisbad.
Adddummypaddingcheckstoensurenumberofiterationsdoneisindependentofpaddinglengthand/orcorrectnessofpadding.
Watchoutforlengthsanitycheckstoo.
Needtoensurethere’senoughspaceforsomeplaintextafterremovingpaddingandMAC,butwithoutleakinganyinformationaboutamountofpaddingremoved.
![Page 82: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/82.jpg)
PerformanceofBasicCountermeasures
82
Prob
abil
ity
1.50�106 1.51�106 1.52�106 1.53�106 1.54�106 1.55�106 1.56�106 1.57�1060
0.00001
0.00002
0.00003
0.00004
0.00005
0.00006
Hardware Cycles �Calculated by Attacker⇥Pr
obab
ilit
y1.54�106 1.55�106 1.56�106 1.57�106 1.58�106 1.59�106 1.60�106 1.61�1060
0.00001
0.00002
0.00003
0.00004
0.00005
0.00006
Hardware Cycles �Calculated by Attacker⇥
Before After
![Page 83: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/83.jpg)
83
ConstantTimeDecryptionforMEE
• Better,butstillnotperfect.
• Distinguishingattackstillpossible.
• Properconstant-time,constant-memoryaccessimplementationisreallyneeded.
• Challengingtotestpaddingcorrectnessanddosanitycheckingwithoutbranchingonsecretdata.
• SeeAdamLangley’sblogpostat:
https://www.imperialviolet.org/2013/02/04/luckythirteen.html
forfulldetailsonhowLucky13wasfixedinOpenSSLandNSS.
83
![Page 84: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/84.jpg)
84
Lucky13–Impact
84
OpenSSLpatchedinversions1.0.1d,1.0.0kand0.9.8y,released05/02/2013.
NSS(Firefox,Chrome)patchedinversion3.14.3,released15/02/2013.
Apple:patchedinOSXv10.8.5(iOSversiontbd).
Operapatchedinversion12.13,released30/01/2013
OraclereleasedaspecialcriticalpatchupdateofJavaSE,19/02/2013.
BouncyCastlepatchedinversion1.48,10/02/2013
AlsoGnuTLS,PolarSSL,CyaSSL,MatrixSSL.
Microsoft“determinedthattheissuehadbeenadequatelyaddressedinpreviousmodificationstotheirTLSandDTLSimplementation”.
(Fulldetailsat:www.isg.rhul.ac.uk/tls/lucky13.html)
![Page 85: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/85.jpg)
85
SecurityproofforMEEinTLS
85
Theorem([PRS11],informalstatement)SupposeEisablockcipherwithblocksizenthatisSPRP-secure.SupposeMAChastagsizetandisPRF-secure.SupposethatforallmessagesMqueriedbytheadversary:
|M|+t≥n.
ThenMEEwithCBCmodeencryption,randomIVs,TLSpadding,anduniformerrorsprovidesAEsecurity.
C0 C1
eK
C2
eK
C3
eK
![Page 86: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/86.jpg)
86
Lucky13–Lessons
86
TLS’sMAC-Encode-Encryptconstructionishardtoimplementsecurelyandhardtoprovepositivesecurityresultsabout.
Longhistoryofattacksandfixes.
Eachfixwasthe“easiestoptionatthetime”.
Nowreachedpointwherea500linepatchtoOpenSSLwasneededtofullyeliminatetheLucky13attack.
BettertouseanEtMconstructionfromdayone,oreatthecostofswitchingatthefirstsignoftrouble.
Aconservativeapproachseemsmeritedforsuchanimportantprotocol.
AtthetimeTLSwasfirstdesigned,EtMversusMtEdebatewasnotsoclearcut.
![Page 87: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/87.jpg)
CurrentStatusandFutureDevelopmentsinTLS
![Page 88: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/88.jpg)
CurrentStatus–CBC-mode
MostCBC-modeimplementationshavebeenpatchedagainstBEASTandLucky13,butreputationhasbeendamagedbylongseriesofattacks.
• Largeecosystemandtrickinessofproperpatchmeansthatnoteveryimplementationispatchedtothesamedegree.
• Variantattacksarediscoveredfromtime-to-time.
• Lucky13strikesagain–flushandreloadattacks[IIES15].• LuckymicrosecondsonAWSs2n[AP16].
• ErrorinLucky13countermeasureinOpenSSLNIcodepath[S16].
Relativeperformancealsoanissue(HMACquiteslowcomparedtomodernMACalgorithms).
88
![Page 89: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/89.jpg)
CurrentStatus–RC4
RC4isnearlydeadforHTTPoverTLS
• Usagehasdroppedfrom50%to1-2%since2013.
• ButstillwidelyusedinotherTLSapplications,e.g.STARTTLSforSMTP.
AES-GCMandAES-CCMareavailableforTLS1.2.
• TLS1.2isnowsupportedinallmajorbrowsersandinmajorityofhightrafficwebservers(wikipedia,sslpulse).
• Morethan60%ofTLStrafficisusingTLS1.2(ICSICertificateNotary).
89
![Page 90: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/90.jpg)
CurrentStatus–AES-GCM
AES-GCMistrickytoimplementsecurelypurelyinsoftware.• Mainissueisavoidingleakageofhashkeyviaside-channelattack.
• Alsoneedside-channelresistantimplementationofAES.
AES-GCMisrelativelyfast
• EspeciallywithAES-NIandPCLMULQDQinstructions(IntelandAMD).
• 2.53to1.03cyclesperbyte,dependingonprocessor.
http://2013.diac.cr.yp.to/slides/gueron.pdf
• RoughlytwiceasfastasAES-CBC+HMAC-SHA-*
• ButOCBwouldbeevenfaster!
90
![Page 91: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/91.jpg)
Otherdevelopments
ChaCha20-Poly1305definedinIETFRFC7905.• ImportantforenvironmentswhereAESisnotavailableinhardware.
• ChaCha20isastreamcipher;Poly1305aMACalgorithmbasedonpolynomialhashing.
• CombinationisagoodAEADschemeassumingChaCha20isideal[P14].
• Smallamountofusagecurrently.
ReformofMEEtoEtMtomakeCBC-modeeasiertoimplementsecurely.
• RFC7366.
• DeploymentviaTLSextension,unclearhowwidelyadopteditwillbecome.
91
![Page 92: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/92.jpg)
92
TLS1.3
TLS1.3isnownearingcompletioninIETFTLSWG.
• ReducinglatencyinHandshake.
• SimplificationofkeyexchangeandauthenticationmethodsinHandshake.
• Servername/identityhiding/handshakeencryptionforimprovedprivacy(?)
• Reformofsymmetricalgorithms–AEADonly.
92
![Page 93: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/93.jpg)
SSH
![Page 94: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/94.jpg)
IntroductiontoSSH
94
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for TELNET and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.
– Wikipedia
![Page 95: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/95.jpg)
SSHBinaryPacketProtocol(RFC4253)
• Encode-then-E&Mconstruction,statefulbecauseofinclusionof4-bytesequencenumber.
• Packetlengthfieldmeasuresthesizeofthepacket:|PadLen|+|Payload|+|Padding|.• Encrypted,sosequenceofencryptedpacketslookslikealongstringofrandombytes.
• EncryptionoptionsinRFC4253:CBCmode;RC4.• AES-CTRdefinedinRFC4344.95
Encrypt
PRF-MAC
Payload
Ciphertext MAC tag
Sequence Number 4
Packet Length 4
Pad Len 1
Padding ≥4
![Page 96: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/96.jpg)
CBCmodeinSSH
96
• RFC4253mandates3DES-CBCandrecommendsAES-CBC.
• SSHusesachainedIVinCBCmode:– IVforcurrentpacketisthelast
ciphertextblockfromthepreviouspacket.
– EffectivelycreatesasinglestreamofdatafrommultipleSSHpackets.
Ci-1 Ci
Pi-1 Pi
dK dK
Pi-1 Pi
Ci-1 Ci
eK eK
![Page 97: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/97.jpg)
CTRmodeinSSH
97
• CTRmodeusesblockciphertobuildastreamcipher.
• CTRmodeforSSHisstandardisedinRFC4344.• Initialvalueofcounteris
obtainedfromhandshakeprotocol.
• Counterrunsacrosspackets.• Packetformatispreservedfrom
CBCcase.• RFCrecommendsuseofAES-
CTRwith128,192and256-bitkeys,and3DES-CTR.
Ci
eK
Pi
ctr+i
Pi
eK
Ci
ctr+i
![Page 98: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/98.jpg)
SSHBinaryPacketProtocol(RFC4253)
• IVchainingattack:• Chosenplaintext,distinguishingattackduetoRogaway,appliedtoSSHin[BKN04].• NotfullyrealisticforSSHbecauseofformatrequirementsonthefirstblockof
plaintextandbecauseofchosenplaintextrequirement.• ConstructionwithrandomIVsisIND-sfCCAsecure[BKN04].
98
Encrypt
PRF-MAC
Payload
Ciphertext MAC tag
Sequence Number 4
Packet Length 4
Pad Len 1
Padding ≥4
![Page 99: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/99.jpg)
SSHBinaryPacketProtocol(RFC4253)
• Howdoesdecryptionwork?• Recall:receivergetsastreamofbytes,andasingleciphertext
canbefragmentedoverseveralTCPmessages.
99
Encrypt
PRF-MAC
Payload
Ciphertext MAC tag
Sequence Number 4
Packet Length 4
Pad Len 1
Padding ≥4
![Page 100: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/100.jpg)
BreakingCBCmodeinSSH[APW09]
100
IV Ci*
P0’
dK
• Thereceiverwilltreatthefirst32bitsofthecalculatedplaintextblockasthepacketlengthfieldforthenewpacket.
• Here: P0’=IV⊕dK(Ci*)whereIVisknown.
Targetciphertextblockfromstream
Lengthfield
![Page 101: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/101.jpg)
BreakingCBCmodeinSSH[APW09]
101
IV Ci*
P0’
dK
R R
P2’
dK dK
P1’
Theattackerthenfeedsrandomblockstothereceiver– Oneblockatatime,waitingtoseewhathappensattheserver
wheneachnewblockisprocessed– ThisispossiblebecauseSSHrunsoverTCPandtriestodoonline
processingofincomingblocks
![Page 102: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/102.jpg)
BreakingCBCmodeinSSH[APW09]
102
IV Ci*
P0’
dK
• Onceenoughdatahasarrived,thereceiverwillreceivewhatitthinksistheMACtag– TheMACcheckwillfailwithoverwhelmingprobability– Consequentlytheconnectionisterminated(withanerrormessage)
• Howmuchdatais“enough”sothatthereceiverdecidestochecktheMAC?
• Answer:whateverisspecifiedinthelengthfield:
R R
P2’
dK dK
P1’
MAC tag
![Page 103: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/103.jpg)
BreakingCBCmodeinSSH[APW09]
103
IV Ci*
P0’
dK
Ci-1* Ci
*
Pi*
dK
• KnowingIVand32bitsofP0’,theattackercannowrecover
32bitsofthetargetplaintextblockPi*:
Pi*=Ci-1
*⊕dK(Ci*)=Ci-1
*⊕IV⊕P0’
![Page 104: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/104.jpg)
Furtherdetails
• Theattackasdescribedrequirestheinjectionofcirca231bytesofciphertext(expectedvalueoflengthfield).
• Itrecovers32bitsofplaintextwithprobability1.
• AndleadstoanSSHconnectionteardown(onMACfailure).
• TheattackworkswithrandomIVstoo,breakingtheschemethatwasprovensecurein[BKN04].
• Somethingwentwrongsomewhere!
104
![Page 105: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/105.jpg)
Furtherdetails–Lengthchecking
• RFC4253requiresimplementationstocheckthatlengthfieldis“reasonable”.
• Detailsareimplementation-specific.
• Backin2009,theleadingimplementationwasOpenSSH,thenatversion5.1.
• AccordingtoSSHwebpage,80%ofserversontheInternetwereusingOpenSSHaroundthattime.
105
![Page 106: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/106.jpg)
Furtherdetails–LengthcheckinginOpenSSH
• OpenSSH5.1performstwolengthchecksonthelengthfield(LF)whendecryptingthefirstciphertextblock:
• Check1:5≤LF≤218.
• Check2:totallength(4+LF)isamultipleoftheblocksize:
LF+4modBL=0.
• Eachcheckproducesadifferenterrormessageonthenetwork,distinguishablebyattacker.
• Ifbothcheckspass,thenOpenSSHwaitsformorebytes,thenperformsMACcheck,resultinginathirdkindoferrormessage.
106
![Page 107: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/107.jpg)
Furtherdetails–LengthcheckinginOpenSSH
• Check1(5≤LF≤218)passeswithprobabilityapprox.2-14.
• Ifitpasses,thenwithhighprobability,14MSBsofLFare“0”.• Pass/faildetectableviaerrormessage.
• Henceattackwithsuccessprob.2-14recovering14bitsofconfirmedplaintext.
• Check2(LF+4modBL=0)passeswithprobability1/BL,typically2-3or2-4.• Ifitpasses,thensome(3or4)LSBsofLFarerevealed.
• Pass/faildetectableviaerrormessage/connectionenteringwaitstate.
• Ifwaitstateisentered,thentheattackproceedsasbefore.
• Overall,theattackonOpenSSH5.1recovers32bitsofplaintextwithprob.2-18(forBL=16)andrequiresinjectionofatmost218bytesofdata.
107
![Page 108: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/108.jpg)
Doestheattackmatter?
• Ontheonehand,theattackhaslowsuccessrate,onlyrecovers32bitsofplaintext,andcausestheSSHconnectiontoabort.
• Ontheotherhand,anattackercanapplytheattacktomanyconnections,boostinghisoverallsuccessrate.
• Canalsoiteratetheattackagainstclientsthatperformauto-reconnects.
• ThinkaboutwhatkindsofdataSSHmightbeprotecting.• SSHwasmeanttobebullet-proof;theattackshoweditwasnot.
• ItlefttheprovablesecurityoftheSSHBPPunresolved.108
![Page 109: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/109.jpg)
Countermeasurestotheattack
• AbandonCBC-mode?• Alternativesavailableatthattime:CTR,RC4.
• DropbearimplementedCTRandrelegatedCBCmodeinversion0.53.
• Developnewmodes?• ModesbasedonGenericEtM,AES-GCM,ChaCha20-Poly1305
weresubsequentlyaddedtoOpenSSH.
• PatchCBC-mode?• OpenSSH5.2alsointroducedapatchtostopthespecificattack
onCBCmode.
109
![Page 110: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/110.jpg)
TheOpenSSHpatch
• Basicidea:hidetheerrorsfromtheadversary.• Ifthelengthchecksfail,donotsendanerrormessage,but
waituntil218byteshavearrived,thenchecktheMAC.
• Ifthelengthcheckspass,buttheMACcheckeventuallyfails,thenwaituntil218byteshavearrived,thenchecktheMAC.
• Noerrormessageiseversentuntil218bytesofciphertexthavearrived.
• CannolongercountbytestoseehowmanyarerequiredtotriggerMACfailure.
110
![Page 111: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/111.jpg)
TheorylessonfromtheSSHattack
• Modelusedforsecurityproofin[BKN04]wasinadequate.
• Itassumedlengthwasknownandatomicprocessingofciphertexts.
• ButfragmentedadversarialdeliveryofciphertextoverTCPispossible.
• Implementationshavetodecryptfirstblocktofindouthowlongplaintextismeanttobe,andactonitbeforeperforminganyauthentication.
• That’snotreflectedinanyoftheAE/AEADsecuritymodels!
111
![Page 112: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/112.jpg)
MoreSSHsecurityanalysis
• [PW10]:bespokesecuritymodelforCTRmodeinSSHandproveditsecure(assumingblockcipherisaPRP).
• [BDPS12]:generalframeworkforstudying“SymmetricEncryptionschemessupportingfragmenteddecryption”likethoseusedinSSH.• IND-sfCFAallowstheattackertodeliverciphertexttoa
decryptionoracleinasymbol-by-symbolfashionandobserveanyerrors/messageoutputs.
• [BDPS12]alsoidentifiedadditionalsecuritypropertiesthatSSHattemptstoprovide:• BoundaryHiding(BH)andDenial-of-Serviceresistance.
112
![Page 113: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/113.jpg)
TheStateofAEADinSSHToday
![Page 114: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/114.jpg)
ThestateofAEADinSSHtoday
• In[ADHP16],weperformedameasurementstudyofSSHdeployment.
• WeconductedtwoIPv4addressspacescansinNov/Dec2015andJan2016usingZGrab/ZMap.
• GrabbingbannersandSSHservers’preferredciphers.• ActualcipherusedinagivenSSHconnectiondependsonclient
andserverpreferences.
• Roughly224serversfoundineachscan.
• Nmapfingerprintingsuggestsmostlyembeddedrouters,firewalls.
114
![Page 115: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/115.jpg)
ThestateofAEADinSSHtoday:SSHversions
115
MostlyOpenSSHanddropbear;others
lessthan5%.
![Page 116: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/116.jpg)
ThestateofAEADinSSHtoday:SSHversions
116
Dropbearat56-58%.886kolderthanversion0.53,sovulnerabletovariantof2009CBC-
modeattack!
![Page 117: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/117.jpg)
ThestateofAEADinSSHtoday:SSHversions
117
OpenSSHat37-39%.130-166kolderthanversion5.2andprefer
CBCmode,sovulnerableto2009
attack!
![Page 118: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/118.jpg)
ThestateofAEADinSSHtoday:SSHversions
• DropbearnowdominatesOpenSSH.• Butmaybeswitchingbackagain:ComcastcableIPaddress
rangedroppedfrom2M+devicesrunningDropbear(Feb2016)to83k(May2016).
• Longtailofoldsoftwareversions.• MostpopularversionofOpenSSHisversion5.3,releasedOct
2009(currentversionis7.2).
• DeterminedbymajorLinuxdistros?
• SignificantpercentageofDropbearandOpenSSHserversarepotentiallystillvulnerabletothe2009attack.• 8.4%forDropbear.
118
![Page 119: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/119.jpg)
ThestateofAEADinSSHtoday:preferredalgorithms
119
OpenSSH preferred algorithms
• Lotsofdiversity,surprisingamountof“genericEtM”(gEtM).
• CTRdominates,followedbyCBC.
• ChaCha20-Poly1305ontherise?(becamedefaultinOpenSSH6.9).
• SmallamountofGCM.
![Page 120: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/120.jpg)
ThestateofAEADinSSHtoday:preferredalgorithms
120
Dropbear preferred algorithms
• LessdiversitythanOpenSSH.
• CTRdominates,followedatalongdistancebyCBC.
• No“exotic”options.
![Page 121: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/121.jpg)
ANewAttackonCBCmodeinOpenSSH
![Page 122: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/122.jpg)
TheOpenSSHpatch
• Version5.2+CBCmodepreferredbyroughly20kOpenSSHservers.
• RecalltheOpenSSHpatch,inversion5.2andup:• Ifthelengthchecksfail,donotsendanerrormessage,butwait
until218byteshavearrived,thenchecktheMAC.
• Ifthelengthcheckspass,buttheMACcheckeventuallyfails,thenwaituntil218byteshavearrived,thenchecktheMAC.
• OneMACcheckisdoneiflengthchecksfail:on218bytes.
• TwoMACchecksaredoneiflengthcheckspass:oneonroughlyLFbytes,theotheron218bytes.
122
![Page 123: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/123.jpg)
AttackingtheOpenSSHpatch[ADHP16]
• ThisleadstoatimingattackonCBCmodeinOpenSSH5.2andup:1. InjecttargetciphertextblockCi
*.2. Thensend218bytesasquicklyaspossibletoserver.
3. TimethearrivaloftheMACfailuremessage.
• FastarrivalindicatesthatlengthchecksfailedandoneMACcomputation.
• SlowarrivalindicatesthatthelengthcheckspassedandtwoMACcomputations.
• Thisleaks18bitsofinformationaboutthelengthfield,andhence18bitsaboutthetargetblock.
123
![Page 124: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/124.jpg)
AttackingtheOpenSSHpatch[ADHP16]
• Sizeoftimingdifference:• AMACcomputationonroughly217bytes(theexpectedvalueofLF).
• ForHMAC-SHA1,thisrequires211hashcompressionfunctionevaluations.
• cf.Lucky13timingdifference:asinglehashcompressionfunction!
• Remoteattackercaneasilydetectdifference.
• Successprobabilityoftheattack:• Needtopassbothlengthchecks,so2-18.
• Canincreasesuccessrategivenpartialplaintextknowledgeintargetblock.
• (Idea:waitfortherightIVbeforemountingtheattack;moresevereattackforrandom,explicitIVversion.)
124
![Page 125: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/125.jpg)
AttackingtheOpenSSHpatch[ADHP16]
• Increasenumberofplaintextbitsrecoveredbyusingfiner-grainedtiminginformation.• BecausethetimingdelayisproportionaltothevalueofLF.
• Iftiminggranularity=1compressionfunctionevaluation,thenwecanrecoverupto30bitsofplaintextfromtargetblock.
• Challenging,butnotimpossibleinco-residentattackerscenario.
• Possiblecountermeasuretotheattack:ifMACfails,thencomputesecondMACon218–LFbytesinsteadofonall218bytes.
• StillleavesresidualtimingdifferencebecauseoffinedetailsofHMAC.
• Reallyneedconstanttimeimplementationofdecryptionalgorithmtoeliminatethisclassofattack.
125
![Page 126: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/126.jpg)
Disclosureoftheattack
• WenotifiedtheOpenSSHteamoftheattack(5/5/16).
• “…wedonotfeelthatanemergencyreleaseisnecessary,northattheattackremainsecretaheadofsucharelease.”
• TheyaddedcountermeasuresinOpenSSH7.3(1/8/16).
• OpenSSHhassteadilybeendeprecatingoldalgorithmsandmodes.
• CBCmodewasalreadydisabledbydefaultinOpenSSH6.7(butcanbere-enabled).
• ButOpenSSHcannotforcepeopletostopusingoldversionsofthesoftware.
126
![Page 127: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/127.jpg)
SecurityanalysisofotherSSHandOpenSSHmodes–CTR,gEtM,AES-GCM,ChaCha20Poly1305
![Page 128: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/128.jpg)
SecurityanalysisofotherOpenSSHencryptionmodes
• In[ADHP16],wealsousetheframeworkof[BDPS12]toprovesecuritypropertiesofgEtM,AES-GCM,andChaCha20-Poly1305inOpenSSH.
• Theframeworkallowsfragmenteddecryptioncapability,multipledecryptionerrors,etc.
• Wefoundasubtleerrorinthesecuritymodelsin[BDPS12].
• Wealsoextendedthemodelstoincludeintegrityaswellasconfidentiality.
128
![Page 129: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/129.jpg)
SecurityanalysisofotherOpenSSHencryptionmodes
gEtMandAES-GCMinOpenSSH:• DerivedfromAEADschemeswithAD=lengthfield(nowunencrypted).
• Hencesanitycheckingoflengthfieldcannotrevealanythingusefultoadversary.
• IssueingEtMcode:
• MACiscomputedoncetheciphertexthasarrivedbutisnotcomparedtoreceivedMACuntilafterdecryption.
• Henceanyerrorsarisingduringdecryptionstepwillbesignalledtoattacker.
• Arisesfromsharedcode-pathandreuseoflegacyE&Mcode.
• Notasecuritythreatforanycurrentlyspecifiedencryptionschemes.
• FixedinOpenSSH7.3.
• Both(fixed)gEtMandAES-GCMareprovablysecure:achievingIND-sfCFA,INT-sfCFAsecurity.
129
![Page 130: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/130.jpg)
ChaCha20-Poly1305inOpenSSH
130
Payload
MAC tag
SQN 4
Packet Length 4
Pad Len 1
Padding ≥4
C1 C2
K1IV = SQN||064 ChaCha20 ChaCha20
K2IV = SQN||0631
ChaCha20 K2
IV = SQN||0630
0256
KpolyPoly1305
![Page 131: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/131.jpg)
SecurityanalysisofChaCha20-Poly1305inOpenSSH
• ChaCha20-Poly1305inOpenSSH:• 64-bytekeyissplitintotwohalves,K1,K2.
• K1usedtoencryptSSHlengthfieldusingChaCha20.
• K2usedtoencrypteverythingelse,alsousingChaCha20.
• Poly1305MACkeyisobtainedas:
ChaCha20(K2,IV=SQN||0630,M=0256).
• MACappliedtobothciphertextcomponents.
• Analysismorecomplexbecauseofencryptedlengthfield.
• Ideaisthatusingseparatekeysforencryptinglengthfieldandthereststopsattacks.
• CTRmodeanalysisshowsthistobeunnecessary.
131
![Page 132: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/132.jpg)
Closingremarks
![Page 133: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/133.jpg)
133
Closingremarks
• Onceabadcryptographicchoiceisoutthereinimplementations,it’sveryhardtoundo.
• OldversionsofTLShangaroundforalongtime.
• ThereisnoTLSproductrecallprogramme!
• SlowuptakeofTLS1.1,1.2.
• TLShascomeundersustainedpressurefromattacks.
• BEAST,Lucky13andRC4attackshaveprovidedincentivestomovetoTLS1.2andinfluencedthedesignofTLS1.3.
• Attacksare“semi-practical”butweignoresuchattacksatourperil.
• GoodvendorresponsetoLucky13viapatching,slowerresponsetoRC4attacksviaswitchingoffsupport.
133
![Page 134: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/134.jpg)
Closingremarks
• Goodalgorithmdesignishard.
• Butsoisgoodprotocoldesign.• Attacksareusuallyobviousinretrospect,butfinding
themisnotsoeasy.
• Keepinmindthevalueofattacksonpaperversusattacksinpractice.
• Implementedattacksareneededtoconvincepractitioners.
• Butanon-paperattackisoftentheharbingerofapracticalattack.
134
![Page 135: Authenticated Encryption and Secure Channelstce.webee.eedev.technion.ac.il › wp-content › uploads › ... · “The most dangerous code in the world” (2012) Apple goto fail](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f17c2ad47a2d83b2d6dca0f/html5/thumbnails/135.jpg)
Closingremarks
• We’veseentheevolutionfromsimplesecuritymodelsforsymmetricencryptiontomoresophisticatedsecuritynotionsforsecurechannels.
• ThecryptographycommunityisfocussedonAEADasanendgoal.
• AEADisanimportanttoolbutnotthesamethingasasecurechannel.
135