The TLS & Tor Protocols
Security & Networks

Today's Lecture
TLS:
• How it works
• Details of TLS
• Common problems
Tor:
• Anonymity on the internet
• The Tor Protocol
• Hidden servers

Last Lecture
Alice (A) and Bob (B) share the key Kab:
1. A → B : A
2. B → A : Na
3. A → B : {Na, Pay Elvis €5}Kab
The Needham-Schroeder Public Key Protocol
Assume Alice and Bob know each other's public keys. Can they set up a symmetric key?
1. A → B : EB(Na, A)
2. B → A : EA(Na, Nb)
3. A → B : EB(Nb)
EX(_) means public key encryption under X's public key.
Na and Nb can then be used to generate a symmetric key.
Goals: Alice and Bob are sure they are talking to each other, and only they know the key.
An Attack Against the NS Protocol
The attacker C acts as a man-in-the-middle: Alice starts a session with C, and C relays her messages to Bob as if they came from Alice.
1.  A → C    : EC(Na, A)
1') C(A) → B : EB(Na, A)
2') B → C(A) : EA(Na, Nb)
2.  C → A    : EA(Na, Nb)
3.  A → C    : EC(Nb)
3') C(A) → B : EB(Nb)
Corrected Version
A very simple fix: B includes its own name in message 2, so A can check it is the party she started the run with.
1. A → B : EB(Na, A)
2. B → A : EA(Na, Nb, B)
3. A → B : EB(Nb)
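A toy model of the attack and of the fix, added here as an illustration and not part of the lecture. Public-key encryption is simulated by tagging each message with its intended recipient, so the model only tracks who can read what; the function names and the `fixed` switch are my own.

```python
"""Toy model of Needham-Schroeder public key: the man-in-the-middle attack on the
original protocol and why adding B's name to message 2 stops it.  Added example,
not from the lecture.  EX(...) is simulated as the pair (X, payload); only X can
open it, so the model captures who can read what, not real cryptography."""
import secrets

def enc(to, *payload):                 # EX(payload)
    return (to, payload)

def dec(me, ciphertext):               # only the named recipient can decrypt
    to, payload = ciphertext
    if to != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {to}")
    return payload

def alice_msg3(peer, na, m2, fixed):
    """Alice opens message 2 and answers E_peer(Nb).  In the fixed protocol she
    also checks that the name inside message 2 is the peer she started with."""
    if fixed:
        na2, nb, responder = dec("A", m2)
        if responder != peer:
            raise ValueError(f"A is talking to {peer} but message 2 names {responder}")
    else:
        na2, nb = dec("A", m2)
    assert na2 == na, "nonce Na does not match"
    return enc(peer, nb)

def bob_msg2(m1, nb, fixed):
    """Bob answers whoever message 1 claims to be from."""
    na, claimed = dec("B", m1)
    return claimed, enc(claimed, *((na, nb, "B") if fixed else (na, nb)))

def run_with_mitm(fixed):
    """Alice starts a session with C; C relays her messages to Bob as if from Alice.
    Returns the name Bob believes he shares Nb with, or None if the attack fails."""
    na, nb = secrets.token_hex(4), secrets.token_hex(4)
    m1 = enc("C", na, "A")                        # 1.  A -> C    : EC(Na, A)
    m1b = enc("B", *dec("C", m1))                 # 1') C(A) -> B : EB(Na, A)
    claimed, m2 = bob_msg2(m1b, nb, fixed)        # 2') B -> C(A) : EA(Na, Nb[, B])
    try:                                          # 2.  C -> A    : m2 forwarded unchanged
        m3 = alice_msg3("C", na, m2, fixed)       # 3.  A -> C    : EC(Nb)
    except ValueError:
        return None                               # fixed version: Alice aborts here
    m3b = enc("B", *dec("C", m3))                 # 3') C(A) -> B : EB(Nb)
    (nb_seen,) = dec("B", m3b)
    return claimed if nb_seen == nb else None

if __name__ == "__main__":
    print("original protocol:", run_with_mitm(fixed=False))   # A    (Bob is fooled)
    print("corrected version:", run_with_mitm(fixed=True))    # None (Alice aborts)
```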
The SSL/TLS Protocol
• The Secure Sockets Layer (SSL) protocol was renamed to the Transport Layer Security (TLS) protocol.
• It provides encrypted socket communication and authentication, based on public keys.
• It may use a range of ciphers (RSA, DES, DH, …). These are negotiated at the start of the run.
X.509 Standard for Certificates
• X.509 certificates contain a subject, the subject's public key, the issuer name, etc.
• The issuer signs the hash of all the data.
• To check a certificate, I hash all the data and verify the signature with the issuer's public key.
• If I have the issuer's public key and trust the issuer, I can then be sure of the subject's public key.
(Example certificate shown on the slide.)
The Internet Protocol Stack (Most of the Time)
Application   : stuff that you write
Transport     : TCP or UDP
Network       : IP
Link/Hardware : Ethernet or 802.11

The Internet Protocol Stack with TLS
Application
TLS
Transport
Network
Link/Hardware
• The TLS layer runs between the Application and Transport layers.
• The encryption is transparent to the Application layer.
• Normal TCP and IP protocols etc. can be used at the lower layers.
TLS
1. C → S : NC
2. S → C : NS, CertS
3. C → S : ES(Kseed), {Hash1}KCS
4. S → C : {Hash2}KCS
Hash1 = #(NC, NS, ES(Kseed))
Hash2 = #(NC, NS, ES(Kseed), {Hash1}KCS)
KCS is a session key based on NC, NS, Kseed.
All previous messages are hashed and then encrypted with KCS for integrity.
TLS-DHE
A variant uses Diffie-Hellman for forward secrecy, i.e., if someone gets the server's key later, they can't go back and break a recording of the traffic.
1. C → S : NC
2. S → C : NS, gx, CertS, SignS(#(NC, NS, gx))
3. C → S : gy, {#(All previous messages)}KCS
4. S → C : {#(All previous messages)}KCS
KCS is a session key based on NC, NS, gxy.
Cipher Suites
Cipher Suites with encryption and authentication:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
…
Cipher Suites with just authentication:
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
Cipher Suites with just encryption:
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
Cipher Suites Handshake
See https://en.wikipedia.org/wiki/Cipher_suite
TLS Demo
• Websites
• Wireshark
Weaknesses in TLS
Configuration weaknesses:
• Cipher downgrading
• Self-signed certificates
Direct attacks against implementations:
• Apple's goto fail bug
• LogJam attack
• HeartBleed
Cipher downgrading attack
Ciphers are listed in the order of preference. What cipher will be used?
Client supports:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
Server supports:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
BUT…

Cipher downgrading attack
Client supports:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
Server supports:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
The suite both sides share (highlighted on the slide): TLS_DHE_DSS_WITH_AES_128_CBC_SHA
The cipher suite messages are not authenticated!
• An attacker that owns the network can remove strong ciphers.
• If both client and server support a weak cipher, then an attack can force its use.
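The negotiation from the two slides above, together with the {#(All previous messages)}KCS check from the TLS handshake, as an added example that is not from the lecture. The suite lists are the slides' own; the session key, the use of HMAC-SHA256 as the hash-and-encrypt step, and the function names are assumptions of this model.

```python
"""Cipher-suite negotiation for the lecture's downgrade example, together with the
{#(All previous messages)}KCS check from the TLS handshake.  Added example, not from
the lecture; the suite lists are the ones on the slides, the key and MAC are toys."""
import hashlib
import hmac

CLIENT = ["TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
          "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA"]
SERVER = ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
          "SSL_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"]

def negotiate(client_hello, server_supports):
    """The server picks the first suite, in the client's order of preference,
    that it supports too."""
    for suite in client_hello:
        if suite in server_supports:
            return suite
    raise ValueError("no common cipher suite")

def strip_strong(client_hello):
    """What an attacker who owns the network does to the unauthenticated
    ClientHello: drop the AES suites so only older ciphers remain."""
    return [s for s in client_hello if "AES" not in s]

def finished_mac(kcs, transcript):
    """{#(All previous messages)}KCS, modelled as HMAC-SHA256 over the messages."""
    return hmac.new(kcs, b"|".join(transcript), hashlib.sha256).digest()

def handshake(client_hello, hello_seen_by_server, kcs=b"toy-session-key"):
    """Run the negotiation and the Finished check.  Returns (chosen suite, agree):
    each side hashes the handshake it saw, so a ClientHello altered in transit
    gives different transcripts and agree == False."""
    chosen = negotiate(hello_seen_by_server, SERVER)
    client_view = [",".join(client_hello).encode(), chosen.encode()]
    server_view = [",".join(hello_seen_by_server).encode(), chosen.encode()]
    agree = hmac.compare_digest(finished_mac(kcs, client_view),
                                finished_mac(kcs, server_view))
    return chosen, agree

if __name__ == "__main__":
    print(handshake(CLIENT, CLIENT))                 # ('TLS_DHE_DSS_WITH_AES_128_CBC_SHA', True)
    print(handshake(CLIENT, strip_strong(CLIENT)))   # ('SSL_RSA_WITH_3DES_EDE_CBC_SHA', False)
```

The Finished comparison only catches the downgrade if the attacker cannot break the downgraded suite quickly enough to forge the encrypted hashes itself, which is exactly what the LogJam attack later in the lecture relies on.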
Self-signed Certificates
• Maintaining a set of certificates is hard (especially on apps and IoT devices).
• It's much easier just to accept any certificate (or certificates that sign themselves).
• What's the problem?
  Normal case (diagram): the client receives Cert(www.bham.ac.uk) signed by a TTP and talks to www.bham.ac.uk.
  Self-signed case (diagram): a MITM presents a self-signed Cert(www.bham.ac.uk) and sits between the client and www.bham.ac.uk.
• If the client accepts self-signed certificates, then it's easy to man-in-the-middle.
• This has been shown to happen a lot in devices and code that use TLS!
Apple's Implementation of TLS
Source: http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c

    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                     uint8_t *signature, UInt16 signatureLen)
    {
        OSStatus        err;
        SSLBuffer       hashOut, hashCtx, clientRandom, serverRandom;
        uint8_t         hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
        SSLBuffer       signedHashes;
        uint8_t         *dataToSign;
        size_t          dataToSignLen;

        signedHashes.data = 0;
        hashCtx.data = 0;

        clientRandom.data = ctx->clientRandom;
        clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
        serverRandom.data = ctx->serverRandom;
        serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;

        if(isRsa) {
            /* skip this if signing with DSA */
            dataToSign = hashes;
            dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
            hashOut.data = hashes;
            hashOut.length = SSL_MD5_DIGEST_LEN;

            if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
                goto fail;
            if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
                goto fail;
            if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
                goto fail;
            if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0)
                goto fail;
            if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0)
                goto fail;
        }
        else {
            /* DSA, ECDSA - just use the SHA1 hash */
            dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
            dataToSignLen = SSL_SHA1_DIGEST_LEN;
        }

        hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
        hashOut.length = SSL_SHA1_DIGEST_LEN;
        if ((err = SSLFreeBuffer(&hashCtx)) != 0)
            goto fail;

        if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
            goto fail;
            goto fail;   /* the bug: unconditional jump with err == 0, everything below is skipped */
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
            goto fail;

        err = sslRawVerify(ctx,
                           ctx->peerPubKey,
                           dataToSign,              /* plaintext */
                           dataToSignLen,           /* plaintext length */
                           signature,
                           signatureLen);
        if(err) {
            sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
                        "returned %d\n", (int)err);
            goto fail;
        }

    fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
    }
Apple's TLS-DHE
1. C → S : NC
2. S → C : NS, gx, CertS, SignS(#(NC, NS, gx))
3. C → S : gy, {#(All previous messages)}KCS
4. S → C : {#(All previous messages)}KCS
KCS is a session key based on NC, NS, gxy.

The signature in message 2 is checked by the code above, which in outline is:

    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    … other checks …
    fail:
    … buffer frees (cleanups) …
    return err;

The second goto fail is unconditional, so it is reached with err == 0 and the function returns success before the signature is ever verified. For the client, message 2 effectively becomes:

2. S → C : NS, gx, CertS, True

i.e., whatever is sent in place of SignS(#(NC, NS, gx)) is accepted.
Major issues
• Why didn't tests pick this up?
• Compiler should have warned of unreachable code.
• Bad programming style: no brackets, goto: http://xkcd.com/292/
• iOS fixed days before macOS!
Cipher Suites
• What if one side supports a weak cipher suite but the other does not? Generally considered safe.
• This depends on different cipher suites being incompatible, e.g.: SSL_RSA_WITH_DES_CBC_SHA and TLS_DHE_DSS_WITH_AES_256_CBC_SHA
• Browser developers removed all weak ciphers; some remained in servers.
LogJam
• The Snowden leaks revealed that the NSA regularly MITMed TLS. How could they be doing this? Someone had missed something.
• These people figured it out: https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
• A weak Diffie-Hellman key is compatible with a strong Diffie-Hellman key!
Diffie-Hellman
• Alice and Bob pick random numbers rA and rB and compute tA = g^rA mod p and tB = g^rB mod p.
• The protocol just exchanges these numbers:
  1. A → B : tA
  2. B → A : tB
• Alice calculates tB^rA mod p and Bob calculates tA^rB mod p, both arriving at the key K = g^(rA·rB) mod p.
• DHE = ephemeral DH (strong prime)
• DHE_EXPORT = "export version" of DH (weak 512-bit primes) for 1990s-era U.S. export restrictions on cryptography

Attack Diagram from paper
[Figure 2 of the paper: The Logjam attack. A man-in-the-middle can force TLS clients to use export-strength DH with any server that supports DHE_EXPORT.]
HeartBleed
• A programming error in OpenSSL.
• Introduced in 2012, made public in 2014. Rumours it was being exploited.
• A TLS client can request a "heart beat" from the server to make sure the connection is still open.
• The server copied back as many bytes as the request's length field claimed, without checking that against the payload actually sent, so the reply included whatever followed in the server's memory.
• This memory could contain the server's key.
(Diagram from Wikipedia.)
TLS 1.3
• Newest standard, ratified August 2018
• Removes obsolete cryptographic protocols
• Simplified handshake ⇒ efficiency gain
• Forward secrecy mandatory
• Intercepting TLS connections is now only possible as an active attacker performing a MITM attack
Cranor et al.'s Crying Wolf: "An Empirical Study of SSL Warning Effectiveness"
People that ignored warnings: (chart on the slide)
Image courtesy of Johnathan Nightingale
Checking servers
• There are many insecure TLS servers on the internet.
• The most common problems are support for weak ciphers and old unpatched code.
• SSL Labs provide a useful testing tool: https://www.ssllabs.com/ssltest/index.html
Today's Lecture: Tor
• Anonymity on the internet
• The Tor Protocol
• Hidden servers
“You have zero privacy anyway, get over it.”
–Scott McNealy, former CEO of SUN Microsystems
“With your permission, you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”
–Eric Schmidt, former CEO of Google
Proxy: Hotspot Shield VPN
• An internet connection reveals your IP number.
• VPNs promise "Anonymity". Connection made via their servers.
• The intended recipient server never sees your IP address.

Virtual Private Networks
• VPNs securely connect you to another network.
• e.g., you can connect to the school's printers via the school's VPN.
• Secured with certificates and encryption, e.g., TLS or IPSec.
Virtual Private Networks For Anonymity
• To get some anonymity, you can route all your traffic via the VPN.
• Server thinks you are the VPN provider.
• ISP only sees the connection to the VPN.
• There is no anonymity to the VPN provider.
• A global observer can probably link your connections.
Quiz! Virtual Private Networks For Anonymity
Suppose you're connected to a public WiFi hotspot and browse to the website "https://bham.ac.uk" using a VPN.
For each party below, which of these pieces of information do they have about you?
• …your WiFi's outgoing IP address
• …that you are connected to the VPN
• …your VPN's outgoing IP address
• …that you are browsing to "https://bham.ac.uk"
• …the contents of your communication with the website
1. What information does the WiFi provider have about you?
2. What information does the VPN provider have about you?
3. What information does the website provider have about you? (Slide note next to "that you are connected to the VPN": might infer that from the IP address.)
Onion Routing
• You get the best anonymity by routing your traffic via a number of proxies.
• Onion Routing ensures that your message really is routed via the proxies you want.
• The Tor network is using this protocol: https://www.torproject.org/
Tor: Onion Routing
• The public key of each proxy is known.
• Each proxy only learns the IP of the proxy before it and the proxy after it.
• Source IP is visible to the first node, destination IP is visible to the last node.
• User picks 3 proxies (entry, middle, and exit node) and is anonymous as long as they aren't all corrupt.
Tor: Onion Routing
The slides build up the following diagram step by step (Client, Tor Node 1 = T1, Tor Node 2 = T2, Tor Node 3 = T3, Server). Each hop adds or strips one layer of encryption.

Circuit building:
Client → T1 : ET1(gx)
T1 → Client : gy, H(gxy)
Client → T1 : {T2, ET2(gz)}gxy              T1 → T2 : ET2(gz)
T2 → T1 : gw, H(gzw)                        T1 → Client : {gw, H(gzw)}gxy
Client → T1 : {{T3, ET3(gu)}gzw}gxy         T1 → T2 : {T3, ET3(gu)}gzw         T2 → T3 : ET3(gu)
T3 → T2 : gv, H(guv)                        T2 → T1 : {gv, H(guv)}gzw          T1 → Client : {{gv, H(guv)}gzw}gxy

Sending the message m and receiving the reply r:
Client → T1 : {{{Server, m}guv}gzw}gxy      T1 → T2 : {{Server, m}guv}gzw      T2 → T3 : {Server, m}guv      T3 → Server : m
Server → T3 : r                             T3 → T2 : {r}guv                   T2 → T1 : {{r}guv}gzw         T1 → Client : {{{r}guv}gzw}gxy
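The circuit above modelled end to end, as an added example that is not code from the lecture or from the Tor project: a Diffie-Hellman exchange with each node gives the hop keys, and the message is then wrapped in three layers that each node peels once (forward direction only). The 127-bit group, the SHA-256 keystream cipher, the node names and the `next`/`m` fields inside each layer are assumptions of this model.

```python
"""Toy model of the Tor circuit on the slides: DH with each of three nodes gives
hop keys H(gxy), H(gzw), H(guv); m is then sent as {{{Server, m}guv}gzw}gxy and
every node peels exactly one layer.  Added example, not from the lecture or Tor;
the 127-bit group and the SHA-256 keystream cipher are toys, not secure choices."""
import hashlib
import json
import secrets

P, G = 2**127 - 1, 5                       # toy DH group (Mersenne prime M127)

def xor_cipher(key, data):
    """Keystream = SHA-256(key || block counter); XOR encrypts and decrypts alike."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def kdf(shared):                           # H(g^xy): DH value -> symmetric key
    return hashlib.sha256(str(shared).encode()).digest()

class Node:
    def __init__(self, name):
        self.name, self.key, self.seen = name, None, []

    def handshake(self, g_x):              # receives g^x, returns g^y, keeps H(g^xy)
        y = secrets.randbelow(P - 2) + 1
        self.key = kdf(pow(g_x, y, P))
        return pow(G, y, P)

    def peel(self, cell):
        """Strip one layer; `seen` records everything this node learns."""
        layer = json.loads(xor_cipher(self.key, cell))
        self.seen.append({k: v for k, v in layer.items() if k != "inner"})
        return layer

def build_circuit(nodes):
    """The client runs DH with T1, T2, T3 in turn and keeps the three hop keys."""
    keys = []
    for node in nodes:
        x = secrets.randbelow(P - 2) + 1
        keys.append(kdf(pow(node.handshake(pow(G, x, P)), x, P)))
    return keys

def onion(keys, layers):
    """Encrypt the innermost layer first, so keys[0] (Node 1's key) ends up outermost."""
    inner = None
    for key, layer in zip(reversed(keys), reversed(layers)):
        inner = xor_cipher(key, json.dumps(dict(layer, inner=inner)).encode()).hex()
    return bytes.fromhex(inner)

def send(keys, nodes, server, m):
    """Route m through the circuit; returns (destination, message) as the exit sees it."""
    layers = [{"next": nodes[1].name}, {"next": nodes[2].name}, {"next": server, "m": m}]
    cell = onion(keys, layers)
    for node in nodes:
        layer = node.peel(cell)
        cell = bytes.fromhex(layer["inner"]) if layer["inner"] else b""
    return layer["next"], layer["m"]
```

After a run, each node's `seen` list shows that Node 1 learned only the next hop T2, Node 2 only T3, and only the exit node saw the server name and m.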