crypto meets web security certificates and ssl tls spring
play

Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 - PowerPoint PPT Presentation

Oct 16, 2023 •549 likes •848 views

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Authenticity of Public Keys ? private key Bob Alice public key Problem: How does Alice know that the public key she received is really Bob’s public key? 4/27/16 CSE 484 / CSE M 584 - Spring 2016 2

  3. Threat: Man-In-The-Middle (MITM) Google.com 4/27/16 CSE 484 / CSE M 584 - Spring 2016 3

  4. Distribution of Public Keys • Public announcement or public directory – Risks: forgery and tampering • Public-key certificate – Signed statement specifying the key and identity • sig CA (“Bob”, PK B ) • Common approach: certificate authority (CA) – Single agency responsible for certifying public keys – After generating a private/public key pair, user proves his identity and knowledge of the private key to obtain CA’s certificate for the public key (offline) – Every computer is pre-configured with CA’s public key 4/27/16 CSE 484 / CSE M 584 - Spring 2016 4

  5. Trusted Certificate Authorities 4/27/16 CSE 484 / CSE M 584 - Spring 2016 5

  6. Hierarchical Approach • Single CA certifying every public key is impractical • Instead, use a trusted root authority – For example, Verisign – Everybody must know the public key for verifying root authority’s signatures • Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on – Instead of a single certificate, use a certificate chain • sig Verisign (“AnotherCA”, PK AnotherCA ), sig AnotherCA (“Alice”, PK A ) – What happens if root authority is ever compromised? 4/27/16 CSE 484 / CSE M 584 - Spring 2016 6

  7. You encounter this every day… SSL/TLS: Encryption & authentication for connections (More on this later!) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 7

  8. Example of a Certificate 4/27/16 CSE 484 / CSE M 584 - Spring 2016 8

  9. X.509 Certificate 4/27/16 CSE 484 / CSE M 584 - Spring 2016 9

  10. Many Challenges… [more examples in section] • Hash collisions • Weak security at CAs – Allows attackers to issue rogue certificates • Users don’t notice when attacks happen – We’ll talk more about this later • Etc… 4/27/16 CSE 484 / CSE M 584 - Spring 2016 10

  11. [Sotirov et al. “ Rogue Certificates ” ] Colliding Certificates serial number serial number set by the CA validity period validity period chosen prefix (difference) real cert rogue cert domain name domain name Hash to the same MD5 value! real cert ??? RSA key collision bits (computed) Valid for both certificates! X.509 extensions X.509 extensions identical bytes (copied from real cert) signature signature 4/27/16 CSE 484 / CSE M 584 - Spring 2016 11

  12. Attacking CAs Security of DigiNotar servers: • All core certificate servers controlled by a single admin password (Pr0d@dm1n) • Software on public- facing servers out of date, unpatched • No anti-virus (could have detected attack) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 12

  13. Consequences • Attacker needs to first divert users to an attacker- controlled site instead of Google, Yahoo, Skype, but then… – For example, use DNS to poison the mapping of mail.yahoo.com to an IP address • … “authenticate” as the real site • … decrypt all data sent by users – Email, phone conversations, Web browsing 4/27/16 CSE 484 / CSE M 584 - Spring 2016 13

  14. More Rogue Certs • In Jan 2013, a rogue *.google.com certificate was issued by an intermediate CA that gained its authority from the Turkish root CA TurkTrust – TurkTrust accidentally issued intermediate CA certs to customers who requested regular certificates – Ankara transit authority used its certificate to issue a fake *.google.com certificate in order to filter SSL traffic from its network • This rogue *.google.com certificate was trusted by every browser in the world 4/27/16 CSE 484 / CSE M 584 - Spring 2016 14

  15. Certificate Revocation • Revocation is very important • Many valid reasons to revoke a certificate – Private key corresponding to the certified public key has been compromised – User stopped paying his certification fee to this CA and CA no longer wishes to certify him – CA’s private key has been compromised! • Expiration is a form of revocation, too – Many deployed systems don’t bother with revocation – Re-issuance of certificates is a big revenue source for certificate authorities 4/27/16 CSE 484 / CSE M 584 - Spring 2016 15

  16. Certificate Revocation Mechanisms • Certificate revocation list (CRL) – CA periodically issues a signed list of revoked certificates • Credit card companies used to issue thick books of canceled credit card numbers – Can issue a “delta CRL” containing only updates • Online revocation service – When a certificate is presented, recipient goes to a special online service to verify whether it is still valid • Like a merchant dialing up the credit card processor 4/27/16 CSE 484 / CSE M 584 - Spring 2016 16

  17. Attempt to Fix CA Problems: Convergence • Background observation: – Attacker will have a hard time mounting man-in-the- middle attacks against all clients around the world • Basic idea: – Lots of nodes around the world obtaining SSL/TLS certificates from servers – Check responses across servers, and also observe unexpected changes from existing certificates http://convergence.io/ 4/27/16 CSE 484 / CSE M 584 - Spring 2016 17

  18. Keybase • Basic idea: – Rely on existing trust of a person’s ownership of other accounts (e.g., Twitter, GitHub, website) – Each user publishes signed proofs to their linked account https://keybase.io/ 4/27/16 CSE 484 / CSE M 584 - Spring 2016 18

  19. SSL/TLS • Secure Sockets Layer and Transport Layer Security protocols – Same protocol design, different crypto algorithms • De facto standard for Internet security – “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications” • Deployed in every Web browser; also VoIP, payment systems, distributed systems, etc. 4/27/16 CSE 484 / CSE M 584 - Spring 2016 19

  20. TLS Basics • TLS consists of two protocols – Familiar pattern for key exchange protocols • Handshake protocol – Use public-key cryptography to establish a shared secret key between the client and the server • Record protocol – Use the secret symmetric key established in the handshake protocol to protect communication between the client and the server 4/27/16 CSE 484 / CSE M 584 - Spring 2016 20

  21. Basic Handshake Protocol ClientHello Client announces (in plaintext): • Protocol version it is running • Cryptographic algorithms it supports • Fresh, random number S C 4/27/16 CSE 484 / CSE M 584 - Spring 2016 21

  22. Basic Handshake Protocol C, version c , suites c , N c ServerHello Server responds (in plaintext) with: S • Highest protocol version supported by C both the client and the server • Strongest cryptographic suite selected from those offered by the client • Fresh, random number 4/27/16 CSE 484 / CSE M 584 - Spring 2016 22

  23. Basic Handshake Protocol C, version c , suites c , N c version s , suite s , N s , ServerKeyExchange S C Server sends his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 23

  24. Basic Handshake Protocol C, version c , suites c , N c version s , suite s , N s , certificate, “ ServerHelloDone ” S ClientKeyExchange C The client generates secret key material and sends it to the server encrypted with the server’s public key (if using RSA) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 24

  25. Basic Handshake Protocol C, version c , suites c , N c version s , suite s , N s , certificate, “ ServerHelloDone ” S {Secret c } PKs if using RSA C C and S share secret key material (secret c ) at this point switch to keys derived switch to keys derived from secret c , N c , N s from secret c , N c , N s Finished Finished Record of all sent and received handshake messages 4/27/16 CSE 484 / CSE M 584 - Spring 2016 25

  26. “Core” SSL 3.0 Handshake (Not TLS) C, version c =3.0, suites c , N c version s =3.0, suite s , N s , certificate, “ ServerHelloDone ” S {Secret c } PKs if using RSA C C and S share secret key material (secret c ) at this point switch to keys derived switch to keys derived from secret c , N c , N s from secret c , N c , N s Finished Finished 4/27/16 CSE 484 / CSE M 584 - Spring 2016 26

  27. Version Rollback Attack C, version c = 2.0 , suites c , N c Version s = 2.0 , suite s , N s , Server is fooled into thinking he is communicating with a client who certificate, supports only SSL 2.0 “ ServerHelloDone ” S {Secret c } PKs if using RSA C C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include “ Finished ” messages) 4/27/16 CSE 484 / CSE M 584 - Spring 2016 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Crypto meets Web Security: Certificates and SSL/TLS Spring 2017 Franziska (Franzi) Roesner

Crypto meets Web Security: Certificates and SSL/TLS Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

532 views • 36 slides
Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

CSE 484 / CSE M 584: Computer Security and Privacy Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi

849 views • 25 slides
Crypto meets Web Security: Certificates and SSL/TLS Fall 2016 Ada (Adam) Lerner

Crypto meets Web Security: Certificates and SSL/TLS Fall 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

917 views • 55 slides
Cryptography (+ Web Security): Certificates Spring 2015

Cryptography (+ Web Security): Certificates Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography (+ Web Security): Certificates Spring 2015 Franziska (Franzi) Roesner

505 views • 21 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

IN3210 Network Security PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure Threats to certificates / PKI Protecting certificates / PKI 2 Certificates Motivation 3 Motivation: TLS

1.68k views • 108 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020 Previous Class PKI Digital Certificate Certificate Authority Verifying Certificates and Chain of Trust Revoking Certificates

310 views • 30 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019

Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019

Crypto Mining CHRISTOS HADJISTYLLIS EPL682 - ADVANCED SECURITY TOPICS, SPRING 2018/2019 UNIVERSITY OF CYPRUS Introduction Cryptocurrency: virtual currency usually not controlled by any government or physical entity Examples: Bitcoin,

623 views • 36 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
1 Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both

1 Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both

Today Today 1. Review/Summary of security technologies Crypto and certificates 2. Combination of techniques in SSL Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust The basis for secure HTTP, ssh

269 views • 7 slides
Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today Today 1. Review/Summary of security technologies Crypto and certificates 2. Combination of techniques in SSL The basis for secure HTTP, ssh

564 views • 40 slides
Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG

Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG

OSG Summer Workshop Lubbock, 2011 Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG Security team Aug 10th, 2011 OSG Security 1 OSG Security OSG Security model A high level overview Aug 10th, 2011

714 views • 37 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09,

446 views • 31 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan,

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., & Wu, J 2014 IEEE Symposium on Security and Privacy Web Traffic Needs Security! Goals = CIA triad Confidentiality

192 views • 18 slides
Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola,

Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola,

Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola, Taejoong Chung, Dave Levin, Bruce Maggs, Alan Mislove, Bryan Parno, Christo Wilson The Public Key Infrastructure is how users know with whom they

157 views • 14 slides
Avoiding Useless Rules Automatically Matt Kaufmann May 29, 2020 1/8 B ACKGROUND : A CCUMULATED -

Avoiding Useless Rules Automatically Matt Kaufmann May 29, 2020 1/8 B ACKGROUND : A CCUMULATED -

Avoiding Useless Rules Automatically Matt Kaufmann May 29, 2020 1/8 B ACKGROUND : A CCUMULATED - PERSISTENCE The useless runes tool is based on accumulated-persistence. Time for a demo .... 2/8 D OCUMENTATION See :DOC useless-runes in

370 views • 20 slides
Centers for Disease Control and Prevention CDC Zika IMS Sustaining the Zika Response in 2017

Centers for Disease Control and Prevention CDC Zika IMS Sustaining the Zika Response in 2017

Centers for Disease Control and Prevention CDC Zika IMS Sustaining the Zika Response in 2017 Medical Investigations Team Thursday, March 30, 2017 Maleeka Glover, ScD CDR, USPHS Medical Investigations Lead OPHPR/DEO 1 Opening Remarks 2

411 views • 22 slides
Streamlining the 10 CFR Part 72 Storage Cask Design Certification Process Kristina Banovac,

Streamlining the 10 CFR Part 72 Storage Cask Design Certification Process Kristina Banovac,

Streamlining the 10 CFR Part 72 Storage Cask Design Certification Process Kristina Banovac, Project Manager Licensing Branch Division of Spent Fuel Storage and Transportation, NMSS U.S. Nuclear Regulatory Commission July 27, 2011 1

408 views • 6 slides
EISPP A First Attempt on Prevention Co-operation Bernd Grobauer Siemens CERT EISPP 2003

EISPP A First Attempt on Prevention Co-operation Bernd Grobauer Siemens CERT EISPP 2003

EISPP A First Attempt on Prevention Co-operation Bernd Grobauer Siemens CERT EISPP 2003 First TC, Uppsala 2003 1 What is EISPP? EISPP stands for European Information

397 views • 15 slides
Security Innovation The Israeli Eco System National Risk Management & Innovation REFAEL

Security Innovation The Israeli Eco System National Risk Management & Innovation REFAEL

Second Annual Event Encouraging Digital Security Innovation The Israeli Eco System National Risk Management & Innovation REFAEL FRANCO Deputy Director General Head of Robustness Division CERT IL 3 Israel cyber eco system Israeli CERT

1.01k views • 52 slides

More recommend