Transport Layer Security (TLS)
ECEN 4133 Feb 18, 2021
Review: HTTP
(diagram) Client sends GET / HTTP/1.1 Host: gmail.com to gmail.com
(diagram) gmail.com replies HTTP/1.1 200 OK …
HTTP Threats
(diagram) The client's GET / HTTP/1.1 Host: gmail.com request and gmail.com's HTTP/1.1 200 OK … response cross the network in the clear
(diagram) Eve sits on the path and reads both; Mallory sits in the path and can replace the HTTP/1.1 200 OK … response with one of her own
HTTP Threats
Eve can observe:
◦ What page you are visiting (e.g. http://gmail.com/email84534)
◦ Server response (e.g. the content of your email)
◦ Cookies (Can now login as you!)
◦ Submitted forms (passwords, new emails, credit cards, etc)
Mallory can:
◦ Provide you false information (e.g. change the content of an email)
◦ Change what data you send (e.g. change the contents of what you post/send!)
◦ Insert JavaScript on your page (e.g. tracking info / steal information from gmail's origin)
Solution:
◦ Cryptography! Confidentiality + Integrity
◦ …but how?
How do we translate?
Cryptographic Primitives: RSA, RC4, Diffie-Hellman, DSA, HMAC, ECDSA, symmetric encryption, asymmetric encryption, public keys, certificates, PKI
Objectives: Message Integrity, Confidentiality, Authentication
(diagram, three slides) the primitives are first listed, then grouped under the three objectives, then shown as they are used in a typical HTTPS connection
HTTPS, TLS
Transport Layer Security (TLS)
◦ Previous versions: Secure Socket Layer (SSL) – do not use!
◦ SSL2
◦ SSL 3.0
◦ TLS 1.0, 1.1, 1.2 – extensions/improvements to SSL 3.0
◦ TLS 1.3 – redesigned TLS (2018)
HTTPS – the S stands for Secure!
◦ HTTP over TLS
Case Study: TLS
Arguably the most important (and widely used) cryptographic protocol on the Internet
Almost all encrypted protocols (minus SSH) use TLS for transport encryption:
HTTPS, POP3, IMAP, SMTP, FTP, NNTP, XMPP (Jabber), OpenVPN, SIP (VoIP), …
Browser TLS Support
source: http://en.wikipedia.org/wiki/Transport_Layer_Security
Where does TLS live?
Application (HTTP)
TLS
Transport (TCP)
Network (IP)
Data-Link (1gigE)
Physical (copper)
(diagram) TLS sits between the application and TCP: the client and server first exchange handshake messages ("the handshake"), and then talk over the Encrypted Communication Channel (Symmetric)
Cipher Suites
DHE-RSA-AES256-SHA
◦ DHE – ephemeral key exchange
◦ RSA – identity / authentication
◦ AES256 – data transfer cipher
◦ SHA – message digest
Goals: Confidentiality, Message Integrity, Authentication
X509 Certificates
Subject: C=US/O=Google Inc/CN=www.google.com
Issuer: C=US/O=Google Inc/CN=Google Internet Authority
Serial Number: 01:b1:04:17:be:22:48:b4:8e:1e:8b:a0:73:c9:ac:83
Expiration Period: Jul 12 2010 – Jul 19 2012
Public Key Algorithm: rsaEncryption
Public Key: 43:1d:53:2e:09:ef:dc:50:54:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d 7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4 :ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:39:23:46
Signature Algorithm: sha1WithRSAEncryption
Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d 7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4 :ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:1e:5d:b5
Certificate Chains
Browser Root CA store: trust everything signed by this “root” certificate
Root (self-signed):
Subject: C=US/…/OU=Equifax Secure Certificate Authority
Issuer: C=US/…/OU=Equifax Secure Certificate Authority
Public Key:
Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:38:c9:d1
“I authorize and trust this certificate; here is my signature”
Intermediate:
Subject: C=US/…/CN=Google Internet Authority
Issuer: C=US/…/OU=Equifax Secure Certificate Authority
Public Key:
Signature: be:b1:82:19:b9:7c:5d:28:04:e9:1e:5d:39:cd
“I authorize and trust this certificate; here is my signature”
Leaf:
Subject: C=US/…/O=Google Inc/CN=*.google.com
Issuer: C=US/…/CN=Google Internet Authority
Public Key:
Signature: bf:dd:e8:46:b5:a8:5d:28:04:38:4f:ea:5d:49:ca
Goals
Confidentiality (Symmetric Crypto) Message Integrity (HMACs) Authentication (Public Key Crypto)
Certificate Authority Ecosystem
Each browser trusts a set of CAs
CAs can sign certificates for new CAs
CAs can sign certificates for any web site
If a single CA is compromised, then the entire system is compromised
We ultimately place our complete trust of the Internet in the weakest CA
Immediate Concerns
Nobody has any idea who these CAs are…
1,500+ known browser-trusted CAs
History of CAs being hacked (e.g. Diginotar)
Oooops, Korea gave every elementary school, library, and agency a CA certificate (1,324)
◦ Luckily invalid due to a higher-up constraint
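An added example (not from the slides) of the structural checks a browser makes on a chain like the one above: issuer/subject linking up to a trusted root, the CA flag, the path-length constraint (the kind of higher-up constraint that neutralised the Korean school certificates), and hostname matching. The signature is stood in for by an HMAC keyed with the issuer's key so the script runs offline; all names, keys and the toy encoding are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool                 # basicConstraints CA flag
    path_len: Optional[int]     # pathLenConstraint; None = unlimited
    key: bytes                  # constructed key; stands in for the public key
    sig: bytes = b""

def toy_sig(c: Cert, issuer_key: bytes) -> bytes:
    # Stand-in for an RSA/ECDSA signature over the to-be-signed fields (demo only;
    # a real verifier holds only the issuer's public key, not a shared secret).
    tbs = f"{c.subject}|{c.issuer}|{c.is_ca}|{c.path_len}|{c.key.hex()}".encode()
    return hmac.new(issuer_key, tbs, hashlib.sha256).digest()

def issue(c: Cert, issuer: Cert) -> Cert:
    c.sig = toy_sig(c, issuer.key)
    return c

def hostname_matches(cn: str, host: str) -> bool:
    """Exact match, or a wildcard that covers exactly one label (*.google.com)."""
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host

def validate(chain: list, roots: dict, host: str):
    """chain[0] is the leaf, then intermediates; roots maps subject -> trusted root."""
    if not hostname_matches(chain[0].subject.split("CN=")[-1], host):
        return False, "hostname mismatch"
    for depth, cert in enumerate(chain):
        issuer = chain[depth + 1] if depth + 1 < len(chain) else roots.get(cert.issuer)
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"no trusted issuer for {cert.subject}"
        if not issuer.is_ca:
            return False, f"{issuer.subject} is not a CA"
        # pathLen caps the intermediates below the issuer; `depth` is that count here.
        if issuer.path_len is not None and depth > issuer.path_len:
            return False, f"path length exceeded at {issuer.subject}"
        if not hmac.compare_digest(cert.sig, toy_sig(cert, issuer.key)):
            return False, f"bad signature on {cert.subject}"
    return True, "ok"

# Constructed PKI shaped like the slide's chain, plus a CA:TRUE cert handed to a school.
ROOT = Cert("OU=Equifax Secure Certificate Authority", "OU=Equifax Secure Certificate Authority", True, 1, b"root")
GIA = issue(Cert("CN=Google Internet Authority", ROOT.subject, True, 0, b"gia"), ROOT)
LEAF = issue(Cert("CN=*.google.com", GIA.subject, False, None, b"leaf"), GIA)
SCHOOL = issue(Cert("CN=Some School", GIA.subject, True, None, b"school"), GIA)
ROGUE = issue(Cert("CN=www.google.com", SCHOOL.subject, False, None, b"rogue"), SCHOOL)
ROOTS = {ROOT.subject: ROOT}
```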
Getting a Certificate
Certificates are free and easy to get!
https://letsencrypt.org/
Identity validated via e-mail in whois, or proving control over a certain webpage on the domain
◦ What can go wrong?
Setting up TLS manually is hard. People are terrible at it!
DigiNotar
DigiNotar was a Dutch Certificate Authority
On June 10, 2011, a *.google.com cert was issued to an attacker and subsequently used to orchestrate MITM attacks in Iran
Nobody noticed the attack until someone found the certificate in the wild… and posted it to pastebin
DigiNotar Contd.
DigiNotar later admitted that dozens of fraudulent certificates were created
Google, Microsoft, Apple and Mozilla all revoked the root Diginotar certificate
Dutch Government took over Diginotar
Diginotar went bankrupt and died
Kazakhstan TLS MITM
Domains impacted:
allo.google.com, android.com, cdninstagram.com, dns.google.com, docs.google.com, encrypted.google.com, facebook.com, goo.gl, google.com, groups.google.com, hangouts.google.com, instagram.com, mail.google.com, mail.ru, messages.android.com, messenger.com, news.google.com, ok.ru, picasa.google.com, plus.google.com, rukoeb.com, sites.google.com, sosalkino.tv, tamtam.chat, translate.google.com, twitter.com, video.google.com, vk.com, vk.me, vkuseraudio.net, vkuservideo.net, www.facebook.com, www.google.com, www.instagram.com, www.messenger.com, www.youtube.com, youtube.com
Browser response:
◦ Remove KZ root cert even if user explicitly added it!
Attack Vectors
Attack the weakest Certificate Authority
Attack browser implementations
Magically notice a bug in a key generation library that leads you to discovering all the private keys on the Internet
Attack the cryptographic primitives
◦ Math is hard, let's go shopping!
TLS Attacks
User concerns
◦ Deploying site leaks private key
◦ Client users ignore HTTPS errors!
Attack (weakest) CA
◦ DigiNotar, Comodo, WoSign/Startcom
Attack Browser
◦ SSL Strip, Null Prefix, Padding Oracle, BEAST, CRIME, goto fail, POODLE, FREAK, LogJam, DROWN, …
Attack Server
◦ Heartbleed
Google no evil
SSL Strip
Discovered by Moxie Marlinspike, 2009
(diagram, normal) Client → bank.com: GET / HTTP/1.1 Host: bank.com; bank.com → Client: HTTP/1.1 301 Moved Permanently Location: https://bank.com/; then a [TLS connection]
(diagram, attacked) Client → attacker: GET / HTTP/1.1 Host: bank.com; attacker → bank.com: [TLS connection]
Attacker replaces all https:// links with http:// links
attacker → Client: HTTP/1.1 200 OK\r\n … (over plain HTTP)
Null Termination Attack
Discovered by Moxie Marlinspike, 2009
ASN.1 utilizes Pascal-style strings
Web browsers use C-style strings
gmail.com.evil.com
gmail.com\0.evil.com
strcmp("gmail.com\0.evil.com", "gmail.com") == 0
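An added example (not from the slides) contrasting the two string models: the CN is decoded by its length, as ASN.1 does, and then compared the way a strcmp stops at the NUL versus a length-aware check that rejects embedded NULs. The one-byte length prefix is a simplification of ASN.1's tag-length-value encoding, and the CN bytes are constructed from the slide.

```python
def decode_length_prefixed(buf: bytes) -> bytes:
    """Pascal/ASN.1-style string: a length byte followed by exactly that many bytes.
    The length decides where the string ends, so an embedded NUL is just data."""
    n = buf[0]
    if len(buf) < 1 + n:
        raise ValueError("truncated string")
    return buf[1:1 + n]

def c_string(b: bytes) -> bytes:
    """What a C-style consumer sees: everything up to the first NUL."""
    return b.split(b"\0", 1)[0]

def match_like_vulnerable_browser(cn: bytes, host: bytes) -> bool:
    # strcmp semantics: the comparison stops at the first NUL on either side.
    return c_string(cn) == c_string(host)

def match_safely(cn: bytes, host: bytes) -> bool:
    # Length-aware comparison, and any embedded NUL is rejected outright.
    if b"\0" in cn or b"\0" in host:
        return False
    return cn == host

# Constructed CN as it would sit in the certificate: the CA, reading the whole
# length-delimited string, saw a name under evil.com; a C consumer stops at the NUL.
ENCODED_CN = bytes([len(b"gmail.com\0.evil.com")]) + b"gmail.com\0.evil.com"
CN = decode_length_prefixed(ENCODED_CN)
```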
BEAST attack
Discovered by Thai Duong and Juliano Rizzo, 2011
“Browser Exploit Against SSL/TLS”
Chosen Plaintext attack against CBC-mode
Attacker can:
◦ Observe Alice’s Ciphertext
◦ Make Alice send secret plaintext P over TLS
◦ E.g. HTTP Cookie
◦ Make Alice send arbitrary plaintext over the same TLS session
CBC: Cipher-Block Chaining Mode
Ci := E(K, Pi ⊕ Ci-1) for i = 1, …, n, with C0 = IV
(diagram) P1, P2, P3, … are each XORed with the previous ciphertext block (the IV for P1) and passed through EK to give C1, C2, C3, …
BEAST attack
Secret plaintext: P2 (e.g. Cookie: secret=a26b3f8e…)
Attacker-chosen plaintext: Pi
C2 = EK(C1 ⊕ P2)
Attacker chooses Pi = Ci-1 ⊕ C1 ⊕ G, so Ci = EK(Ci-1 ⊕ Ci-1 ⊕ C1 ⊕ G) = EK(C1 ⊕ G)
C2 == Ci iff P2 == G
BEAST attack
Problem: Attacker has to guess G entirely
Solution: force part of P2 to be known padding!
Cookie: secret=a26b3f8e…
Only have to guess 1 byte now!
◦ 256 guesses and we're sure to get it
(diagram) P2 = AAAAA\r\nCookie: secret=a, P3 = 26b3f8e… – the attacker-controlled A padding leaves exactly one unknown byte (a) at the end of P2
BEAST attack
Once we guess a, we can redo the attack with less padding (P2 / P3):
AAAA\r\nCookie: secret=a2 / 6b3f8e…
AAA\r\nCookie: secret=a26 / b3f8e…
AA\r\nCookie: secret=a26b / 3f8e…
A\r\nCookie: secret=a26b3 / f8e…
Padding oracle attack
Discovered by Serge Vaudenay, 2003
CBC decryption: P1 = D(C1) ⊕ IV, P2 = D(C2) ⊕ C1, P3 = D(C3) ⊕ C2
(diagram) C1, C2, C3 each pass through DK and the output is XORed with the previous ciphertext block (the IV for C1) to give P1, P2, P3
(diagram, last block) D(C3) = 5b d8 99 ee; C2 = 34 da 9b ed; P3 = 6f 02 02 01 → MAC ERROR
CRIME attack
Discovered by Thai Duong and Juliano Rizzo, 2012
Compression Ratio Info-leak Made Easy
Client compresses HTTP header
◦ Contains attacker controlled AND secret data!!
Attacker can:
◦ Make Alice send HTTPS requests with some data controlled by the attacker, some data secret
◦ Observe encrypted data (length)
CRIME attack
(diagram 1) Normal request to bank.com: GET / HTTP/1.1 Host: bank.com Cookie: a2bf6c89… – on the wire the compressed, encrypted request is 320 bytes, and that length is all an observer sees
(diagram 2) The attacker makes the browser load https://bank.com/?Cookie: 000000…; the request GET /?Cookie: 0000… HTTP/1.1 Host: bank.com Cookie: a2bf6c89… is now 400 bytes
(diagram 3) The same request goes out encrypted; the attacker still sees only its length
(diagram 4) https://bank.com/?Cookie: 100000… → GET /?Cookie: 1000… HTTP/1.1 Host: bank.com Cookie: a2bf6c89… → 400 bytes
(diagram 5) https://bank.com/?Cookie: a00000… → GET /?Cookie: a000… HTTP/1.1 Host: bank.com Cookie: a2bf6c89… → 394 bytes
Guess / Request size:
000000… – 400 bytes
100000… – 400 bytes
200000… – 400 bytes
…
900000… – 400 bytes
a00000… – 394 bytes
b00000… – 400 bytes
goto fail;
2014 Apple TLS library – SSLVerifySignedServerKeyExchange()

    hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(&hashCtx)) != 0)
        goto fail;
    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;   /* duplicated line: an unconditional jump, so the two statements below never run */
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = sslRawVerify(…);   /* the signature check is skipped; err is still 0 from the last successful update */
fail:
    // Cleanup buffers, etc.
    return err;
POODLE
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz, 2014
Padding Oracle On Downgraded Legacy Encryption
SSLv3 padding – only the last byte matters; the other padding bytes are ignored
(diagram, CBC Encrypt) plaintext blocks: GET / HT | TP/1.1\r\n | Cookie:  | a2c86f2e | [MAC tag] | xxxxxxx7 (padding block: the x bytes are ignored, 7 is the padding byte)
Attacker copies the cookie block into the padding block's position
(diagram, CBC Decrypt, first try) the last block decrypts to garbage 4G&1mA,” whose final byte is not the padding byte → BAD PADDING OR MAC
(diagram, CBC Decrypt, later try) the last block decrypts to 6*I(`Sn7, which ends in the padding byte → padding ignored; MAC OK
Attacker learns the last byte of DK(Ccookie)! (shift the cookie and repeat…)
P = DK(Ccookie) ⊕ Ci-1
Heartbleed
https://xkcd.com/1354/
MD5 Considered Harmful Today
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
In 2008 (at CCC), a group of researchers showed that they could create a rogue CA certificate using an MD5 collision
This kind of MD5 collision takes a bit more processing than fastcoll from the crypto project…
◦ So the researchers used a cluster of 200 PS3s for ~2 days
◦ Took 4 attempts (CA signatures)
https://win.tue.nl/hashclash/rogue-ca/downloads/md5-collisions-1.0.pdf
“Mining Your Ps and Qs”
Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman
In 2012, a team of researchers performed a global analysis of SSL/TLS and SSH keys
◦ 5.6% of TLS and 9.6% of SSH hosts shared cryptographic keys in a vulnerable manner
◦ Calculated the private keys for 0.5% of TLS hosts and 1.06% of SSH hosts
◦ What if two RSA servers generate the same p but different q? N1 = pq1 and N2 = pq2 [Find p given N1 and N2?]
◦ Uncovered vulnerabilities in Linux’s Random Number Generator (/dev/urandom)
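An added example (not from the slides or the paper's code) answering the question above: a pairwise gcd finds p when N1 = pq1 and N2 = pq2, and the product/remainder-tree batch GCD that the paper used finds every shared factor across a whole key set in one pass rather than comparing all pairs. The moduli are tiny constructed values so the run is instant.

```python
from math import gcd

def product_tree(xs: list) -> list:
    """Level 0 is the input; each level above multiplies neighbouring pairs."""
    tree = [xs]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * (lvl[i + 1] if i + 1 < len(lvl) else 1)
                     for i in range(0, len(lvl), 2)])
    return tree

def batch_gcd(moduli: list) -> list:
    """gcd(N_i, product of all other N_j) for every i, computed with a product tree
    and a remainder tree (P mod N_i^2, then divide by N_i) instead of all pairs."""
    tree = product_tree(moduli)
    rems = [tree[-1][0]]                       # the product P of all moduli
    for lvl in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    # (P mod N^2) // N == (product of the others) mod N, so the gcd is the shared part.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def factor_with_shared_prime(n: int, p: int) -> tuple:
    """Once a shared p is known, N = p*q gives the other factor immediately."""
    assert 1 < p < n and n % p == 0
    return p, n // p

# Constructed toy moduli: N1 and N2 share p = 101 (same bad RNG state); the rest are fine.
MODULI = [101 * 103, 101 * 107, 109 * 113, 127 * 131, 137 * 139]
```

A result equal to N_i itself means both of its primes appear elsewhere in the set; such keys are broken too, but the factors then have to be split out with further gcds against the individual moduli.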