On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Horst Görtz Institute for IT Security, Ruhr-University Bochum
1st BIU Security Day: The Current Status of TLS Security, May 1, 2016
Bar-Ilan University, Israel
TLS and SSL Versions
[Timeline]
• 1994, 1995: SSL 1.0 and 2.0 (Netscape)
• SSL 3.0 (Netscape & Microsoft PCT)
• 1999: TLS 1.0 (= SSL 3.1) (IETF standard)
• 2006, 2008: TLS 1.1, TLS 1.2
• 2016?: TLS 1.3
Support of TLS versions in practice
Source: SSL Labs, https://www.trustworthyinternet.org/ssl-pulse/, Jan 5, 2016
[Chart: share of servers supporting each version: SSL 1.0 (1994), SSL 2.0 (1995), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), TLS 1.3 (2016?)]
• Support of more than one version is very common
• TLS 1.0: standardized in 1999!
• Updating security protocols is a very slow process → requires careful design and thorough analysis!
RSA-PKCS#1 v1.5 Encryption
• Most frequently used key transport mechanism in TLS before v1.3
  – "Textbook RSA encryption" with additional randomized padding
  – A ciphertext is "valid" if it contains a correctly padded message
• Deprecated in TLS 1.3
  – Vulnerable: Bleichenbacher's attack (CRYPTO '98)
  – Sufficient to protect against its weaknesses?
Bleichenbacher's Attack (CRYPTO 1998)
[Diagram: the attacker holds a ciphertext C_PKCS and sends modified ciphertexts C_PKCS', C_PKCS'', ... to an oracle, which answers "valid"/"invalid" for each; eventually the attacker obtains M = Dec(C_PKCS).]
• Oracle usually provided by a server:
  – Error message if ciphertext is invalid
  – Other side channels, like timing
• Allows to perform RSA secret key operation:
  – Decrypt RSA-PKCS#1 v1.5 ciphertexts
  – Compute digital RSA signatures
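As an added illustration (not part of the slides), the server-side countermeasure from RFC 5246 section 7.4.7.1 that removes the "valid"/"invalid" oracle described above: the padding check runs on the k-byte block obtained by textbook RSA decryption (assumed here to be passed in directly, together with the ClientHello version), and a failed check is never surfaced, the server simply continues with a random pre-master secret.

```python
import secrets

PMS_LEN = 48  # the TLS pre-master secret M carried inside the padded block


def pkcs1_v15_tls_checks(em: bytes, k: int, client_version: bytes) -> bool:
    """Structure check for EM = 0x00 || 0x02 || PS || 0x00 || M (PKCS#1 v1.5 type 2),
    with M = client_version || 46 random bytes as TLS requires. The conditions are
    combined with & rather than short-circuited, and the resulting boolean stays
    server-internal: it is exactly the bit a Bleichenbacher oracle would leak."""
    if len(em) != k:                      # k = modulus length; I2OSP output is always k bytes
        return False
    ps = em[2:k - PMS_LEN - 1]
    m = em[k - PMS_LEN:]
    ok = em[0] == 0x00
    ok &= em[1] == 0x02
    ok &= (len(ps) >= 8) & (0x00 not in ps)   # PS: at least 8 non-zero bytes
    ok &= em[k - PMS_LEN - 1] == 0x00         # single zero separator before M
    ok &= m[:2] == client_version             # RFC 5246 version check inside the PMS
    return ok


def recover_premaster_secret(em: bytes, k: int, client_version: bytes) -> bytes:
    """RFC 5246 section 7.4.7.1 countermeasure: draw a random fallback secret first,
    run the checks, then select real/fallback with a mask so valid and invalid
    blocks follow the same path and both yield 48 bytes (no error, no branch).
    Python cannot guarantee constant time; the control-flow pattern is the point."""
    fallback = secrets.token_bytes(PMS_LEN)
    valid = pkcs1_v15_tls_checks(em, k, client_version)
    real = em[k - PMS_LEN:] if len(em) == k else fallback
    mask = 0xFF if valid else 0x00
    return bytes((r & mask) | (f & ~mask & 0xFF) for r, f in zip(real, fallback))


def make_block(k: int, pms: bytes) -> bytes:
    """Constructed sample input: a correctly padded block for the given 48-byte PMS."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - PMS_LEN))
    return b"\x00\x02" + ps + b"\x00" + pms


if __name__ == "__main__":
    K, VERSION = 128, b"\x03\x03"        # 1024-bit modulus, TLS 1.2 offered in ClientHello
    pms = VERSION + secrets.token_bytes(46)
    good = make_block(K, pms)
    bad = bytearray(good)
    bad[1] = 0x01                        # wrong block type: "invalid" padding
    print(recover_premaster_secret(good, K, VERSION) == pms)      # True
    print(len(recover_premaster_secret(bytes(bad), K, VERSION)))  # 48, and no error
```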
Bleichenbacher attacks over and over
• Bleichenbacher (CRYPTO 1998)
• Klima et al. (CHES 2003)
• Jager et al. (ESORICS 2012)
• Degabriele et al. (CT-RSA 2012)
• Bardou et al. (CRYPTO 2012)
• Zhang et al. (ACM CCS 2014)
• Meyer et al. (USENIX Security 2014)
• Aviram et al. (DROWN 2016)
• …
Many different techniques to construct the required oracle.
Assumption: Bleichenbacher-like attacks remain a realistic threat.
Typical use of TLS 1.3 in practice
[Diagram: server S supports TLS 1.3 and, for backwards compatibility, TLS 1.0, using the same RSA key for both; clients connect via TLS 1.3 or TLS 1.0.]
Assumption: server S supports TLS 1.3 and TLS 1.0 (backwards compatibility) with a single RSA key. Secure?
A closer look at TLS 1.3
[Diagram: handshake between a TLS 1.3 client and server S (RSA key)]
1. Cipher suite agreement / 2. Key exchange
   Client → S: ClientHello, ClientKeyShare (ECDH share)
   S → Client: ServerHello, ServerKeyShare (ECDH share), Certificate, CertificateVerify (RSA signature over all previous messages)
3. Finished messages
   S → Client: S-Finished
   Client → S: C-Finished
High-level Attack Description
[Diagram: attacker A sits between a TLS 1.3 client and server S, which supports TLS 1.3 and TLS 1.0 (backwards compatibility) with the same RSA key. Message flow: ClientHello, ClientKeyShare; ServerHello, SKeyShare, Certificate, CertVerify; S-Finished, C-Finished. The RSA signature in CertVerify is obtained by running Bleichenbacher's attack against the TLS 1.0 interface of S.]
TLS 1.3 may be vulnerable to Bleichenbacher's attack, even though PKCS#1 v1.5 encryption is not used!
Practical Impact
• Practical impact on TLS 1.3 rather limited
  – Typical Bleichenbacher attacks take hours or days
  – Machine-to-machine communication?
• Nevertheless:
  – Backwards compatibility must be considered (cf. Jager, Paterson, Somorovsky, NDSS 2013)
  – Future improvements of Bleichenbacher's attack?
• Use DROWN technique to forge signature in one minute on a single CPU
  – Leverages vulnerability in OpenSSL
  – All OpenSSL versions from 1998 to early 2015
  – 26% of HTTPS servers were vulnerable
Attack on the QUIC protocol
[Diagram: attacker A runs Bleichenbacher's attack against the TLS 1.0 (RSA) interface of server S, then runs the full QUIC protocol with the client.]
• A can run Bleichenbacher's attack before Lisa connects to S
• One signature is equivalent to the secret key of S
• Practical, even if the attack takes weeks!
Limited Impact on TLS 1.3
[Diagram: the client sends "Hello" to attacker A; A obtains the CertVerify signature via Bleichenbacher's attack against the TLS 1.0 (RSA) interface of server S and must complete the TLS 1.3 handshake with "Finished".]
• A can impersonate S only in a single TLS session
• Only practical with a very fast Bleichenbacher attack
The difficulty of preventing such attacks (example)
[Diagram: server S uses key RSA1 for TLS 1.3 and key RSA2 for TLS 1.0 (backwards compatibility). Bleichenbacher's attack against the TLS 1.0 interface yields RSA2 signatures, and the TLS 1.3 client is presented with RSA2 instead of RSA1.]
• X.509 certificates do not contain protocol version
Further difficulties
• Key separation not supported by major servers/browser implementations
• Certificates cost money (extended validation)
• X.509 supports "sign/encrypt-only" certs
  – "Sign-only" certs for "signing" cipher suites (incl. TLS 1.3)
  – "Encrypt-only" keys for TLS-RSA cipher suites
  – Do browsers really check this?
• Mozilla developer: "No. And we have no intention to change this, because of usability/compatibility."
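An added example (not from the slides) of the check the slide asks about: a client decodes the X.509 KeyUsage BIT STRING and enforces key separation, accepting an RSA key for TLS 1.3 / (EC)DHE signing suites only with digitalSignature, for TLS-RSA key transport only with keyEncipherment, and flagging a key that carries both, since that is the key a Bleichenbacher oracle on the TLS-RSA side would turn into TLS 1.3 signatures. The DER values are constructed samples and the policy names (`signing_suite`, `tls_rsa_suite`) are ours.

```python
# KeyUsage bit positions (RFC 5280, section 4.2.1.3)
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# What each kind of cipher suite needs from the server's RSA key
# (policy names are ours, not an X.509 or TLS identifier)
REQUIRED_USAGE = {
    "signing_suite": "digitalSignature",   # TLS 1.3 CertificateVerify, (EC)DHE ServerKeyExchange
    "tls_rsa_suite": "keyEncipherment",    # PKCS#1 v1.5 encryption of the pre-master secret
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage value: BIT STRING = 0x03 | length | unused-bit count | bits."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("malformed BIT STRING: unused bits must be zero")
    total_bits = len(body) * 8 - unused
    return {name for name, bit in KEY_USAGE_BITS.items()
            if bit < total_bits and body[bit // 8] & (0x80 >> (bit % 8))}


def key_allowed_for(der: bytes, suite_kind: str) -> bool:
    """Client-side check: does the certificate permit the negotiated key exchange?"""
    return REQUIRED_USAGE[suite_kind] in decode_key_usage(der)


def key_is_separated(der: bytes) -> bool:
    """True if the key serves at most one of the two roles, so a Bleichenbacher
    oracle on a TLS-RSA interface cannot produce signatures accepted in TLS 1.3."""
    return not {"digitalSignature", "keyEncipherment"} <= decode_key_usage(der)


# Constructed sample KeyUsage values (DER encoded)
SIGN_ONLY = bytes.fromhex("03020780")     # digitalSignature
ENCRYPT_ONLY = bytes.fromhex("03020520")  # keyEncipherment
BOTH = bytes.fromhex("030205a0")          # digitalSignature + keyEncipherment: not separated

if __name__ == "__main__":
    for label, der in (("sign-only", SIGN_ONLY), ("encrypt-only", ENCRYPT_ONLY), ("both", BOTH)):
        print(f"{label:13s} {sorted(decode_key_usage(der))}  separated: {key_is_separated(der)}")
```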
Summary and recommendations
• Removing RSA-PKCS#1 v1.5 from TLS is an excellent decision
  – Not sufficient to protect completely against weakness
• TLS 1.3 is more "robust" than QUIC
  – But not immune
  – Signing ephemeral values is a good idea
• Proper key separation is difficult in practice
  – Support in future versions of X.509?
  – Support by browsers?
Thank you!