ssl/tls eavesdropping with fullpath control
2©A10 Networks, Inc.
Not a Mathematician!!! -> Don’t fault me on my math.
Work for A10 Networks as a Principal Architect.
Jack of all trades
Formula One Junky
Python Junky
You can find me on LinkedIn: Layer427expert
A little about myself
3©A10 Networks, Inc.
The topic of SSL/TLS is enormous.
We will not cover every topic.
We will try to give you the basis of understanding so that we can talk about eavesdropping.
We will not be covering cryptographic attacks in the eavesdropping section.
If you have questions we will be more than happy to talk after class.
There are a lot of things we can discuss, but let's stay on point.
I am the only rat hole digger in this lab. After the lab we can dig over a drink.
Actors:
About this Lab/Lecture
4©A10 Networks, Inc.
Basics of SSL
Basics of SSL Eavesdropping
Utilizing SSL Eavesdropping for Defense
SSL Eavesdropping for Offense and Detection
Lab Agenda
6©A10 Networks, Inc.
The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. - We will come back to this
Through Public key cryptography it is the basis for E-Commerce Security and Trust
Utilized by almost everyone: “Who wants to be secure…”
Source of pain felt globally when vulnerabilities are found.
For non-security people, it is:
– Blindly Trusted
– Never questioned
– Always Secure
What is SSL?
7©A10 Networks, Inc.
Think of SSL/TLS as having four parts:
– The Protocol
– Key Exchange
– Bulk Crypto Operations
– Chain of Trust
The primary purpose of SSL/TLS is to compute a secret key that will be utilized for symmetric encryption.
– This is accomplished through Asymmetric Cryptography
The Purpose of SSL/TLS
8©A10 Networks, Inc.
SSL/TLS can provide:
– identification: When the Chain of Trust can be established.
– authentication: When client authentication is enabled.
– confidentiality: Encryption of data in flight.
– integrity: Through Cipher Suites
Benefits
10©A10 Networks, Inc.
Protocol Basics
Think of the TLS handshake messages as similar to the TCP handshake. The messages negotiate a set of parameters that will be utilized going forward.
11©A10 Networks, Inc.
Client Hello
Purpose:
1. Establish Protocol Version
2. Send Random Number 1
3. Session ID if it exists
4. Send list of supported Cipher Suites
   1. Each cipher will tell you what it is doing. You just have to understand what each segment explains.
5. Compression Algorithm
12©A10 Networks, Inc.
Purpose:
1. Version Number
2. Send Random Number 2
3. Session ID if it exists.
4. Set the Cipher Suite
5. Send Public Certificate.
6. Compression Algorithm
Server Hello
13©A10 Networks, Inc.
Client Key Exchange
Purpose:
1. Send the pre-master secret encrypted with the server's public key
Between the Server Hello and the Client Key Exchange, the client validates the certificate against its Root CA list.
We will discuss this in a later section.
14©A10 Networks, Inc.
Client Change Cipher Spec
Purpose:
1. Notify Server that all further messages will be Encrypted
15©A10 Networks, Inc.
Client Encrypted Handshake Message
Purpose:
1. First message sent to the server that is encrypted.
2. Will be utilized by server to see if encrypted channel is valid.
3. End of handshake from client
16©A10 Networks, Inc.
Server Change Cipher Spec & Encrypted Handshake Message
Purpose:
1. Notifies client that server decrypted messages
2. Generates the master secret and sends the client an encrypted finish message.
19©A10 Networks, Inc.
RSA
– RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it was not declassified until 1997. (Source: Wikipedia)
– Currently the most widely utilized.
– Utilizes modular arithmetic.
DH <- We are not going to cover this topic. We will talk about PFS and ECDH specifically.
– First published by Whitfield Diffie and Martin Hellman in 1976. By 1975, James H. Ellis, Clifford Cocks and Malcolm J. Williamson within GCHQ, the British signals intelligence agency, had also shown how public-key cryptography could be achieved; however, their work was kept secret until 1997. (Source: Wikipedia)
– Utilizes modular arithmetic.
ECC
– The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.
– Based on the algebraic structure of elliptic curves over finite fields.
– Hurts my head to think; don’t let the pretty graph fool you….
Public-Key Encryption Algorithms
21©A10 Networks, Inc.
Cipher Suites notation
Cipher ID: a unique 2-3 byte cipher identifier. For example, SSL2_RC4_128_WITH_MD5 is identified as 0x010080 and TLS_RSA_WITH_3DES_EDE_CBC_SHA is identified as 0x00000A or simply 0x000A.
Name: common cipher suite name. TLS ciphers have the TLS_Kx_[Au]_WITH_Enc_MAC format. SSL2 only uses RSA for key exchange and authentication, so SSL2 names have the SSL2_Enc_WITH_MAC format.
Protocol: most cipher suites fall into either the TLS or SSL/SSL2 protocols. The only exception is Microsoft's proprietary PCT protocol.
Kx: key exchange algorithm. The most popular exchange methods are RSA and Diffie-Hellman (DH/DHE). Some of the more exotic methods include Kerberos (KRB5), Pre-Shared Key (PSK), and others.
Au: authentication algorithm. RSA is commonly used for key authentication.
Enc: symmetric encryption algorithm (e.g. DES, 3DES, AES, RC4, etc.)
Bits: effective symmetric encryption key size in bits. Export ciphers for export outside the US are limited to 40-56 bits.
MAC: hashing algorithm used for TLS/SSL data packet integrity and authentication checks.
Anon: anonymous cipher suites with no key authentication. Highly vulnerable to man-in-the-middle attack.
Export: intentionally crippled cipher suite to conform to US export laws. The symmetric cipher used in export cipher suites typically does not exceed 56 bits.
NULL: null cipher suites do not provide any data encryption and/or data integrity. The TLS_NULL_WITH_NULL_NULL (0x0000) cipher suite is used during initial session establishment.
Source: https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/
22©A10 Networks, Inc.
Cipher Suite Examples
Cipher ID  Name                                  Protocol  Kx    Au   Enc          Bits  Mac
0x000009   TLS_RSA_WITH_DES_CBC_SHA              TLS       RSA   RSA  DES_CBC      56    SHA
0x00003C   TLS_RSA_WITH_AES_128_CBC_SHA256       TLS       RSA   RSA  AES_128_CBC  128   SHA256
0x00003D   TLS_RSA_WITH_AES_256_CBC_SHA256       TLS       RSA   RSA  AES_256_CBC  256   SHA256
0x00003E   TLS_DH_DSS_WITH_AES_128_CBC_SHA256    TLS       DH    DSS  AES_128_CBC  128   SHA256
0x00003F   TLS_DH_RSA_WITH_AES_128_CBC_SHA256    TLS       DH    RSA  AES_128_CBC  128   SHA256
0x00C00E   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA     TLS       ECDH  RSA  AES_128_CBC  128   SHA
0x00C00F   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA     TLS       ECDH  RSA  AES_256_CBC  256   SHA
0x00009E   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   TLS       DHE   RSA  AES_128_GCM  128   SHA256
Green Indicates Perfect Forward Secrecy Support
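The notation can be applied mechanically when auditing a server's offered suites. The following is an added example, not part of the original slides: it splits a suite name into the Kx/Au/Enc/MAC fields defined above and flags the properties the slides call out. The function names and the weakness labels are this example's own.

```python
import re

PFS_KX = {"DHE", "ECDHE"}  # ephemeral key exchanges provide forward secrecy

def key_bits(enc):
    """Key size read from the Enc field; DES_CBC = 56 as in the slide's table."""
    m = re.search(r"(?:^|_)(\d{2,3})(?:_|$)", enc)
    if m:
        return int(m.group(1))
    return {"DES_CBC": 56}.get(enc)  # None when the name does not encode a size

def parse_suite(name):
    left, sep, right = name.partition("_WITH_")
    if not sep:
        raise ValueError("not a cipher suite name: %r" % name)
    export = "EXPORT" in left
    if left.startswith("SSL2_"):
        # SSL2_Enc_WITH_MAC: SSL2 only uses RSA for key exchange and authentication
        proto, kx, au = "SSL2", "RSA", "RSA"
        enc, mac = left[len("SSL2_"):], right
    else:
        # TLS_Kx_[Au]_WITH_Enc_MAC: Au is omitted when it is the same as Kx
        proto, _, rest = left.partition("_")
        core = [t for t in rest.split("_") if not t.startswith("EXPORT")]
        kx = core[0]
        au = core[1] if len(core) > 1 else kx
        enc, _, mac = right.rpartition("_")
    return {"protocol": proto, "kx": kx, "au": au, "enc": enc, "mac": mac,
            "bits": key_bits(enc), "export": export,
            "forward_secrecy": kx in PFS_KX}

def weaknesses(name):
    """Return the labels (this example's own) that apply to a suite name."""
    s = parse_suite(name)
    found = []
    if "NULL" in (s["enc"], s["mac"]):
        found.append("null")
    if s["au"].lower() == "anon":
        found.append("anonymous")
    if s["export"]:
        found.append("export")
    if s["bits"] is not None and s["bits"] < 128:
        found.append("short-key")
    if not s["forward_secrecy"]:
        found.append("no-forward-secrecy")
    return found

# Suite names that appear on the slides.
PAGE_SUITES = [
    "SSL2_RC4_128_WITH_MD5",
    "TLS_NULL_WITH_NULL_NULL",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in PAGE_SUITES:
        print(suite, weaknesses(suite) or "ok")
```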
24©A10 Networks, Inc.
Note: We are not talking about ECC Cipher Suite yet….. We will get to that.
Based on the RSA algorithm
Encryption: c = m^e mod n
Decryption: m = c^d mod n
– Encryption and Decryption are inverse functions
Remember how back in school:
15 = 3*5 and the inverse is 5 = 15/3
RSA Asymmetric Cryptography
Where:
e = exponent
m = message
n = public cert (the modulus carried in the public certificate)
d = private key
c = cipher text
25©A10 Networks, Inc.
Non-Padded Example
e = 7
d = 1810402843
n = 2534665157

msg = "Hello World!"
print("Message Send:", msg)

# Encrypt each character separately: c = m^e mod n
cipher_buffer = []
for m in msg:
    c = pow(ord(m), e, n)
    print("Clear Text:", m, "| Cipher Text:", c)
    cipher_buffer.append(c)
print("Message in flight:", "".join(str(x) for x in cipher_buffer))

# Decrypt each value with the private key: m = c^d mod n
msg = ""
for c in cipher_buffer:
    m = chr(pow(c, d, n))
    print("Cipher Text:", c, "| Clear Text:", m)
    msg = msg + m
print("Message Received:", msg)
Message Send: Hello World!
Clear Text: H | Cipher Text: 942978039
Clear Text: e | Cipher Text: 2268399915
Clear Text: l | Cipher Text: 1042287397
Clear Text: l | Cipher Text: 1042287397
Clear Text: o | Cipher Text: 1592280001
Clear Text:   | Cipher Text: 1409091327
Clear Text: W | Cipher Text: 2057956152
Clear Text: o | Cipher Text: 1592280001
Clear Text: r | Cipher Text: 2200164507
Clear Text: l | Cipher Text: 1042287397
Clear Text: d | Cipher Text: 2390226036
Clear Text: ! | Cipher Text: 2063800465
Message in flight: 94297803922683999151042287397104228739715922800011409091327205795615215922800012200164507104228739723902260362063800465
Cipher Text: 942978039 | Clear Text: H
Cipher Text: 2268399915 | Clear Text: e
Cipher Text: 1042287397 | Clear Text: l
Cipher Text: 1042287397 | Clear Text: l
Cipher Text: 1592280001 | Clear Text: o
Cipher Text: 1409091327 | Clear Text:  
Cipher Text: 2057956152 | Clear Text: W
Cipher Text: 1592280001 | Clear Text: o
Cipher Text: 2200164507 | Clear Text: r
Cipher Text: 1042287397 | Clear Text: l
Cipher Text: 2390226036 | Clear Text: d
Cipher Text: 2063800465 | Clear Text: !
Message Received: Hello World!
26©A10 Networks, Inc.
This is where padding schemes come into play.
However, lots of padding attacks have been discovered.
Read online about this if you want to dig deeper.
Plain RSA is vulnerable to attack….
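Why the non-padded example needs padding, shown as an added example that is not part of the original slides: unpadded RSA is deterministic, so equal characters give equal ciphertexts, and anyone holding only the public values e and n can tabulate every possible character. The function names are this example's own; e and n are the slide's values.

```python
E, N = 7, 2534665157  # public values from the slide; the private key d is never used


def encrypt_chars(msg):
    """Unpadded RSA applied one character at a time, as on the slide."""
    return [pow(ord(ch), E, N) for ch in msg]


def repeated_positions(ciphertexts):
    """Positions that share a ciphertext value: plaintext structure leaks through."""
    seen = {}
    for i, c in enumerate(ciphertexts):
        seen.setdefault(c, []).append(i)
    return sorted(pos for pos in seen.values() if len(pos) > 1)


def build_codebook(alphabet=range(256)):
    """Encrypt every candidate byte with the public key only."""
    return {pow(m, E, N): chr(m) for m in alphabet}


def recover_without_private_key(ciphertexts):
    """Look each observed value up in the codebook; '?' marks anything unknown."""
    codebook = build_codebook()
    return "".join(codebook.get(c, "?") for c in ciphertexts)


if __name__ == "__main__":
    in_flight = encrypt_chars("Hello World!")
    print("Repeated ciphertext positions:", repeated_positions(in_flight))
    print("Recovered with public key only:", recover_without_private_key(in_flight))
```

A randomized padding scheme makes two encryptions of the same message differ, which removes both the repetition and the lookup table.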
28©A10 Networks, Inc.
ECC Cryptography
Equation:
y^2 = x^3 + ax + b
However, there is a lot of complex subject matter behind it…
If you want to read a great set of posts, visit:
http://jeremykun.com/2014/02/08/introducing-elliptic-curves/
https://www.certicom.com/10-introduction
So let's move on to ECDH to get a practical example.
29©A10 Networks, Inc.
Diffie–Hellman
Alice and Bob agree to use a prime number p = 23 and base g = 5 (which is a primitive root modulo 23).
Alice chooses a secret integer a = 6, then sends Bob A = g^a mod p
A = 5^6 mod 23 = 8
Bob chooses a secret integer b = 15, then sends Alice B = g^b mod p
B = 5^15 mod 23 = 19
Alice computes s = B^a mod p
s = 19^6 mod 23 = 2
Bob computes s = A^b mod p
s = 8^15 mod 23 = 2
Alice and Bob now share a secret (the number 2).
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
30©A10 Networks, Inc.
Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel.
The shared secret will be utilized to perform symmetric encryption.
– In the case of the following cipher specification, AES-256 is utilized:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
ECDH
When reviewing ECC I was confused about how the Finite Field was initialized and I realized it is specified in the domain parameters. For more information: http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-56Arev1_3-8-07.pdf
31©A10 Networks, Inc.
Session 1:
FiniteField: 3851
Secret keys, Alice: 194 , Bob:33
base_point (920 (mod 3851), 303 (mod 3851)) 3014 2809
Public keys, Alice:(3014 (mod 3851), 2809 (mod 3851)) , Bob:(1324 (mod 3851), 2950 (mod 3851))
Shared secret: ALice:(2462 (mod 3851), 3558 (mod 3851)) , Bob:(2462 (mod 3851), 3558 (mod 3851))
Bob is extracing x-coordinate to get an integer shared secret: 2462
Alice is extracing x-coordinate to get an integer shared secret: 2462
ECDH Working Example Session 1
32©A10 Networks, Inc.
FiniteField: 3851
Secret keys, Alice: 90 , Bob:74
base_point (920 (mod 3851), 303 (mod 3851)) 1034 733
Public keys, Alice:(1034 (mod 3851), 733 (mod 3851)) , Bob:(3241 (mod 3851), 1093 (mod 3851))
Shared secret: Alice:(2718 (mod 3851), 3657 (mod 3851)) , Bob:(2718 (mod 3851), 3657 (mod 3851))
Bob is extracing x-coordinate to get an integer shared secret: 2718
Alice is extracing x-coordinate to get an integer shared secret: 2718
ECDH Working Example Session 2
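A minimal implementation of the exchange behind the two session printouts above, as an added example (it is not the code that produced them). The curve parameters a = 324 and b = 1287 are not stated on the slides; they are the values for which both the listed base point and Alice's Session 1 public key satisfy y^2 = x^3 + ax + b mod 3851. All function names are this example's own.

```python
P = 3851            # finite field prime, from the slides
A, B = 324, 1287    # assumed curve parameters (derived as described in the lead-in)
G = (920, 303)      # base point, from the slides
INF = None          # point at infinity, the group identity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Elliptic-curve point addition over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # a point plus its inverse
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P   # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P          # chord slope
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication by double-and-add."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def ecdh_session(alice_secret, bob_secret):
    """Each side publishes secret*G, then multiplies the peer's point by its own secret."""
    alice_pub, bob_pub = mul(alice_secret, G), mul(bob_secret, G)
    for pub in (alice_pub, bob_pub):
        # A receiver should reject a peer value that is not a point on the agreed curve.
        if pub is INF or not on_curve(pub):
            raise ValueError("invalid public key")
    return alice_pub, bob_pub, mul(alice_secret, bob_pub), mul(bob_secret, alice_pub)


if __name__ == "__main__":
    for a_sec, b_sec in [(194, 33), (90, 74)]:   # secret keys from Sessions 1 and 2
        a_pub, b_pub, a_shared, b_shared = ecdh_session(a_sec, b_sec)
        print("Public keys:", a_pub, b_pub)
        print("Shared secret (x-coordinate):", a_shared[0], b_shared[0])
```

Because each session starts from freshly chosen secret keys, each session ends with its own shared secret, which is the property the ephemeral (ECDHE) suites rely on.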
33©A10 Networks, Inc.
Forward secrecy is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
You do not get this with RSA
– Remember Client Random 1 and Server Random 1
– If session was recorded and private key is compromised past sessions can be compromised
– If private key is compromised then present and future sessions are also compromised.
Cipher suites that use ephemeral Diffie-Hellman (DHE) or the elliptic-curve variant (ECDHE) will have perfect forward secrecy
Perfect Forward Secrecy
40©A10 Networks, Inc.
http://threatpost.com/lenovo-superfish-certificate-password-cracked/111165
http://www.pcworld.com/article/2453343/microsoft-revokes-trust-in-certificate-authority-operated-by-the-indian-government.html
http://www.fastcompany.com/3042030/tech-forecast/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be
on and on and on
In the news
41©A10 Networks, Inc.
The rest of the class we will focus on Trusted Root CA Poisoning and Root CA Compromise.
We will focus on full-wire-control eavesdropping a.k.a Man-in-the-Middle
We will not cover brute force or crypto attacks for eavesdropping.
If you want to explore server private key compromise then take a private key off the server and utilize Wireshark.
Eavesdropping
42©A10 Networks, Inc.
BGP
Route Injection
ARP Poison
Wireless control
so on.
Ways to Gain Full Wire Control
43©A10 Networks, Inc.
Let's look at the chain of Trust one more time.
1. Let's talk, but I need to know if I should trust you.
2. Here is my cert saying I know ICArus and there is his signature.
3. Have I untrusted ICArus? No
4. Do I Trust ICArus? Let me Check
5. Here is my cert that says CArolyn Trusts me and here is her signature.
6. Have I untrusted CArolyn? No
7. Do I Trust CArolyn?
8. Here is my cert that says I Trust myself and here is my signature. --- CArolyn’s signature was Trusted by someone who put it there so I must Trust it, right? Why not……
9. Hey buddy you’re a swell guy…
44©A10 Networks, Inc.
Lots of money gets spent to become a CA.
Last time I checked in 2002 it was going to cost more in audit fees the first year than we calculated the first 10 years revenue would be…
Here is how to get into the Windows OS:
– https://msdn.microsoft.com/en-us/library/cc751157.aspx
If you are “really” a corporation you will do everything to make sure you are Trusted.
Not being Trusted can put you out of business…. And this is the problem…
To be or not to be...Trusted
45©A10 Networks, Inc.
The period from the time the CA is compromised to the time the compromise is discovered puts anyone who trusted that CA at risk of Man-in-the-Middle attacks.
After the CA compromise is discovered there is still a delta before an updated revocation list or security update is made available.
There is another delta between the revocation list or security update being made available and it being applied by the home user or the corporate administrator.
This is the WORST OF THE WORST because it could compromise everyone on the internet.
Effects of Root CA Compromise
46©A10 Networks, Inc.
This is where a ROOT CA certificate is implanted within the Trusted ROOT CA store without the knowledge or authorization of the owner of the system.
How can this happen?
– Malware
– Physical Access
– Trusted programs
– Ignorance…
This is a more targeted approach. This will also be the most commonly encountered.
Root CA Poisoning
48©A10 Networks, Inc.
Eve C2 - Defense
You are allowed one rule group at a time.
What this means is you can fill in every field; however, this will be the complete rule set.
Click the activate button to send the defensive commands.
Click the disable protection button to remove the commands.
Activate will overwrite the existing rule.
49©A10 Networks, Inc.
EVE C2 - Offense
This tool can be utilized to inject content into the data path.
It will also load the data that was captured from the eavesdropping.
Do not goose yourself by putting sensitive information into the lab systems.
50©A10 Networks, Inc.
EVEC2 - Exploit
This tool, in conjunction with your browser or Python scripts, will give you the ability to send pre-defined exploits to the server over SSL.
The bot payload will send a pre-defined payload to the command server over SSL.
52©A10 Networks, Inc.
Add Server Information here when lab is built
We will be utilizing DVWA, which is a vulnerable web application written in PHP, as the target.
There are Twisted Instances that are written for
Server Type
54©A10 Networks, Inc.
Cyber Threats Hidden in SSL Traffic
–35%+ of Internet traffic is encrypted
–50% of attacks will use encryption to bypass controls by 2017
–80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
70%+ SSL Traffic for some organizations
Sources: “SSL Performance Problems,” NSS Labs, 2013 and service provider data; “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013
56©A10 Networks, Inc.
Drivers for SSL Traffic Growth
Snowden Leaks in June 2013
– Revelations of NSA snooping increased privacy concerns
Privacy watchdogs now publish SSL report cards
57©A10 Networks, Inc.
Surveillance and Search Engine Ranking
New disclosures in 2014 that governments were leveraging app vulnerabilities to inject surveillance software in web traffic
– Targeted sites YouTube and Microsoft Live used as conduits to inject malware
– Now YouTube & MS Live encrypt traffic
In August 2014, Google announced it would rank SSL sites higher for SEO
Source: Washington Post
58©A10 Networks, Inc.
SSL Performance Impact on Next Gen Firewalls
[Bar chart: Performance Impact with 2048-bit SSL Ciphers, axis 0% to 100%, for Juniper SRX3600, Stonesoft 3202, Palo Alto Networks PA-5020, SourceFire 8250, Check Point 12600, Dell SonicWALL E10800, Fortinet 3600C and SourceFire 8290]
81%: The average of performance loss across 7 NG Firewalls
Source: “SSL Performance Problems,” NSS Labs, 2013
60©A10 Networks, Inc.
BACKGROUND
– Organization had deployed security devices from many leading security vendors
– SSL traffic not inspected due to performance, scale, & complexity
RESULT OF ATTACK
– Attackers infiltrated network, installed malware, and stole data across multiple end-points
– Organization dropped internet connectivity for days, performed lengthy forensics and remediation
ESTIMATED FINANCIAL COSTS
– Lost productivity and forensic investigation = Medium Cost
– Loss of intellectual property = High Cost
Impact of Not Inspecting SSL: A Case Study
FINDINGS: Network security tools could have prevented this attack if the tools had had visibility into SSL traffic
61©A10 Networks, Inc.
How Malware Developers Exploit Encrypted Traffic
[Diagram labels: Botnet Herder; Clients; Command and Control Servers; HTTPS; Data exfiltration over SSL channels; Malicious file in instant messaging; Drive-by download from an HTTPS site; Malicious attachment sent over SMTPS]
• Encryption obscures:
– Bot installation
– C&C communication
– Data exfiltration
62©A10 Networks, Inc.
Reference Architecture: Inline Deployment
1. A10 Thunder ADC decrypts outbound SSL traffic
2. A third-party security device inspects traffic in clear text
3. A second Thunder ADC appliance encrypts SSL traffic and forwards it to the Internet
4. Thunder ADC decrypts the response from the Internet
5. The third-party security device inspects inbound traffic
6. Thunder ADC encrypts and forwards the response to the server
[Diagram: Client, A10 ADC, Inspection and Protection devices (DLP, UTM, IDS, Other), A10 ADC, Server; traffic shown as Encrypted, Decrypted, Encrypted; callouts 1 to 6 match the steps above]
63©A10 Networks, Inc.
Reference Architecture: Non-inline Deployment
A Thunder ADC intercepts and decrypts SSL traffic
Thunder ADC forwards decrypted traffic to third party security devices
Security devices inspect traffic for attacks or data loss
Thunder ADC encrypts decrypted traffic and forwards it to the intended destination
[Diagram: Client, A10 Thunder ADC, Security Devices, Internet Server; traffic shown as Encrypted, Decrypted, Encrypted]
67©A10 Networks, Inc.
Governments
– Gathering Intelligence
– Hiding exfiltration traffic
– Avoid Detection
– Bot Command and Control
– others?
Criminals
– Click Fraud
– Theft of personal data
– money
– Ego
What is the motivation?
SKY-NET
– Destruction of the human race.
– Kill John Connor
70©A10 Networks, Inc.
Lab 3 Scenario
You are at some coffee shop. You need to check your bank account because your (“Mine, I am projecting”) calls up and says I need $5000.00 today for college. So you connect to the WIFI hot spot and…
Little did you know that DNS has been hijacked and a server is in play owned by the attacker. The Eve here has full-wire-control because they own the hotspot.
You figure that everything would be alright. So just click ok…
72©A10 Networks, Inc.
Open your browser and go to https://www.hotspot.dcc.lab/login/login.html
Enter any username
Enter any password
Click Login
You will be redirected.
Lab 3 Instructions: Step 1
75©A10 Networks, Inc.
Application Will install ICON on Desktop.
If the Application is Not started click on the icon.
Enter any username and password again.
And click Logon.
Lab 3 Instructions: Step 4
76©A10 Networks, Inc.
Since we still need to install the certificate we will utilize a little bit of social engineering to get you to do this.
On older versions of Windows or other operating systems this could be bypassed more easily if we are delegated superuser privileges during setup...
Just click ok… Your son needs money.
Lab 3 Instructions: Step 5
78©A10 Networks, Inc.
Lab 3 Instructions: Step 7
When you see the log out button you know everything is good.
Your Browser will open over the application window. And take you to your banking website.
If you are not able to connect to install the certificate or can not signal to the attacker you will be denied access.
85©A10 Networks, Inc.
Attack Scenario
You are at some coffee shop. You need to check your bank account because your (“Mine, I am projecting”) calls up and says I need $5000.00 today for college. So you connect to the WIFI hot spot and…
Little did you know that DNS has been hijacked and a server is in play owned by the attacker. The Eve here has full-wire-control because they own the hotspot.
You figure that everything would be alright. So just click ok…
87©A10 Networks, Inc.
Open your browser and go to https://www.hotspot.dcc.lab/login/login.html
Enter any username
Enter any password
Click Login
You will be redirected.
Redirect to the webpage
93©A10 Networks, Inc.
Cert Pinning
Embedded Certificate in Compiled Code.
OCSP
CRL
How to protect against offensive attacks?
94©A10 Networks, Inc.
Physical proximity full-wire-control is needed for a successful attack.
Potentially PGP Encrypted Payload to validation services.
Validation Server outside of last mile different path.
Third Party Alternate Path