Downgrade Attacks by Example: How Compatibility breaks Security


  1. Downgrade Attacks by Example
     How Compatibility breaks Security
     Michael Rodler (@f0rki), 2012-01-21
     Michael Rodler Downgrade Attacks 1 / 39

  2. About me
     - @f0rki, http://f0rki.at
     - Student “Sichere Informationssysteme Bachelor” at FH Hagenberg
       - 5th semester
     - Member of Hagenberger Kreis and CTF Team
     - Helps organize Security Forum
       - Annual security conference at Hagenberg
       - 18./19. April 2012
       - www.securityforum.at

  3. What are “Downgrade Attacks”?
     - In every application layer protocol there’s some kind of handshake
     - Negotiation of common...
       - ... protocol version
       - ... protocol features
       - ... crypto algorithms
       - ... etc.

  5. What are “Downgrade Attacks”?
     - Man-in-the-middle (e.g. ARP spoofing, fake RA, etc.)
     - Attacker can alter traffic

     Downgrade Attack: The attacker acts as a proxy and alters the communication so that no or weaker security features are used by the client, the server or both.

  6. Welcome to History Class... SSL 2.0
     - published 1994 – a long time ago
     - had some serious security issues [7]
     - was fixed in SSL 3.0 in 1995
     - Vulnerable to some kind of downgrade attack (called Ciphersuite Rollback Attack back then)
       - No integrity protection of handshake messages

  8. Welcome to History Class... SSL 2.0
     The Attack
     - Replace Cipher Specs sent by client with weakest cipher suite

         SSLv2 Record Layer: Client Hello
             Length: 28
             Handshake Message Type: Client Hello (1)
             [...]
             Cipher Specs (X specs)
                 Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
             [...]
             Challenge

  9. SSL 3.0 – The Fix
     - Integrity protection of handshake introduced
     - Handshake ends with:
       - change_cipher_spec – change to negotiated parameters
       - finished – hash over handshake, key material
     - need to check hash in finished message
       - detects tampering of handshake messages
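The effect of the finished check described on this slide, as an added example that is not part of the original presentation: a simplified handshake model in which each side hashes the handshake messages it saw, so a rewritten Client Hello makes the two views disagree. The suite names, the message encoding, the HMAC-SHA256 transcript hash and the fixed shared secret are constructed stand-ins, not the real SSL 3.0 computation.

```python
import hashlib
import hmac

# Constructed suite names and message encoding; not real SSL wire formats.
WEAK = "EXPORT40"
STRENGTH = {"AES128": 3, "3DES": 2, WEAK: 1}
CLIENT_SUITES = ["AES128", "3DES", WEAK]
SERVER_SUITES = ["AES128", "3DES", WEAK]


def client_hello(suites):
    return ("ClientHello:" + ",".join(suites)).encode()


def server_hello(hello):
    """Server picks the strongest suite from the hello it actually received."""
    offered = hello.decode().split(":", 1)[1].split(",")
    common = [s for s in offered if s in SERVER_SUITES]
    return ("ServerHello:" + max(common, key=STRENGTH.get)).encode()


def finished(secret, transcript):
    """Keyed hash over all handshake messages one side saw (simplified)."""
    return hmac.new(secret, b"".join(transcript), hashlib.sha256).digest()


def rollback(hello):
    """In-transit edit from the slide: only the weakest suite is offered."""
    return client_hello([WEAK])


def run_handshake(tamper=None, check_finished=True):
    """Return (negotiated suite, handshake accepted by the client)."""
    secret = b"constructed-master-secret"  # stands in for the key exchange
    sent = client_hello(CLIENT_SUITES)
    received = tamper(sent) if tamper else sent
    reply = server_hello(received)
    suite = reply.decode().split(":", 1)[1]
    if not check_finished:  # SSL 2.0: nothing covers the handshake messages
        return suite, True
    server_finished = finished(secret, [received, reply])  # server's view
    expected = finished(secret, [sent, reply])             # client's view
    return suite, hmac.compare_digest(server_finished, expected)


if __name__ == "__main__":
    print(run_handshake())                                # untouched handshake
    print(run_handshake(rollback, check_finished=False))  # SSL 2.0 style
    print(run_handshake(rollback))                        # SSL 3.0 style
```

Without the check the weak suite is accepted silently; with it the client sees a finished value that does not match its own transcript and can abort.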

  11. Problem fixed! ... yeah right ...

  12. E-Mail
      - E-Mail is much older than SSL/TLS
        - First SMTP RFC in 1982
      - Security introduced later
        - RFC for STARTTLS extension to SMTP in 2002
      - Compatibility is essential

  13. E-Mail
      - explicit TLS
        - STARTTLS, STLS commands
        - Client requests switching to TLS secured connection
      - implicit TLS
        - imaps, pops
        - no attack vector here

  15. IMAP

          * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
          1 STARTTLS
          1 OK Begin TLS negotiation now.
          <TLS Handshake>

      The Attack
      - Attacker strips out STARTTLS and LOGINDISABLED
      - tricks client into thinking that the server does not support STARTTLS

  17. POP

          S: +OK Dovecot ready.
          C: CAPA
          S: +OK
          S: CAPA
          S: [...]
          S: STLS
          S: .
          C: STLS
          S: +OK Begin TLS negotiation now.
          <TLS Handshake>

      The Attack
      - Attacker strips out STLS
      - tricks client into thinking that the server does not support STLS

  19. SMTP

          S: 220 testmailer ESMTP Postfix (Ubuntu)
          C: EHLO [10.42.42.2]
          S: 250-testmailer
          S: [...]
          S: 250-STARTTLS
          C: STARTTLS
          S: 220 2.0.0 Ready to start TLS
          <TLS Handshake>

      The Attack
      - Attacker strips out STARTTLS
      - tricks client into thinking that the server does not support STARTTLS

  21. Status
      - nothing new
      - Attack is described in “Security Considerations” of RFCs
      - Responsibility is at the client, to abort insecure connections

      Mail Clients
      - Thunderbird > 3 – good
      - Outlook 2007 – has “automatic” setting == bad
      - Windows Live Mail – IMAP/POP: no support, SMTP: bad
      - Apple Mail (v3.6) – no support
      - Pegasus Mail – good, SMTP: bad
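The client-side responsibility named on this slide, as an added example that is not part of the original presentation: a check that reads the capability response for IMAP, POP3 or SMTP and refuses to continue when a TLS-required connection is offered no upgrade. The function names, the two policy names ("require" and "automatic") and the stripped transcripts are assumptions made for this sketch; the unstripped responses follow the slides above.

```python
import re


class DowngradeError(Exception):
    """A connection that must use TLS would have continued in plaintext."""


def advertises_tls(protocol, lines):
    """True if the server's capability response offers the TLS upgrade."""
    if protocol == "imap":   # "* OK [CAPABILITY ...]" or "* CAPABILITY ..."
        for line in lines:
            m = re.search(r"CAPABILITY\s+([^\]]*)", line, re.I)
            if m and "STARTTLS" in m.group(1).upper().split():
                return True
        return False
    if protocol == "pop3":   # CAPA reply, one capability per line
        return any(l.strip().upper() == "STLS" for l in lines)
    if protocol == "smtp":   # EHLO reply, "250-KEYWORD" or "250 KEYWORD"
        return any(re.fullmatch(r"250[- ]STARTTLS", l.strip(), re.I) for l in lines)
    raise ValueError("unknown protocol: " + protocol)


def next_step(protocol, lines, policy):
    """'require' aborts when no upgrade is offered; 'automatic' falls back."""
    if advertises_tls(protocol, lines):
        return "upgrade"
    if policy == "require":
        raise DowngradeError(protocol + ": no TLS upgrade offered, not logging in")
    return "plaintext"


# Server responses as on the slides, plus constructed copies with the TLS
# capability removed, as a client behind a stripping proxy would see them.
IMAP = ["* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
        "ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."]
IMAP_STRIPPED = ["* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                 "ID ENABLE IDLE] Dovecot ready."]
POP3 = ["+OK", "CAPA", "STLS", "."]
POP3_STRIPPED = ["+OK", "CAPA", "."]
SMTP = ["250-testmailer", "250-STARTTLS", "250 DSN"]  # "250 DSN" is constructed
SMTP_STRIPPED = ["250-testmailer", "250 DSN"]
```

With the "automatic" policy the stripped responses lead to a plaintext login, which is the behaviour rated bad in the client list; with "require" the same responses raise DowngradeError before any credentials are sent.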

  22. Mitigation
      - don’t use plaintext auth
      - use PGP or S/MIME for end-to-end encryption
      - use implicit TLS, e.g. imaps, pops
      - most client software behaves correctly anyway
        - no real risk here

  23. HTTPS/HTTP
      - Default is browsing over unsecured http:// connection
      - Users get redirected to https:// via
        - links in HTML
        - 302 redirects
        - Connection: Upgrade header
      - As with STARTTLS, this happens in unsecured traffic

  25. Stripping https links
      sslstrip by Moxie Marlinspike (presented at BlackHat DC 2009) [1] [2]
      - http proxy
      - strips out https links
      - keeps track of https only resources

      Mitigation
      - A smart user?
      - https only website

  26. Oracle
      Paper/presentations by László Tóth [5] [6], Steve Ocepek and Wendel G. Henrique [3]

      Oracle protocols
      - Proprietary protocols
      - Specifications only for $$$
      - → hard to analyze
      - Transparent Network Substrate (TNS)
        - simple/primitive protocol
        - Wireshark decoder exists
      - Net8 or SQL*Net
        - complex and obscure
        - no Wireshark decoder (only partial implementation)
      - TNS transports Net8

  27. Oracle Authentication I
      - Challenge-Response
      - Used crypto algorithms changed with every release

      Oracle 8i
      - Server sends session key encrypted with DES, key is oraclehash of the user password
      - Client sends user password encrypted with DES, key is the session key

      Oracle 9i
      - Similar to 8i, but uses 3DES

  28. Oracle Authentication II
      Oracle 10g/11g
      - Client/Server both send a session key → MD5(XOR(ServerKey, ClientKey))
      - uses AES-128/192 in 10g/11g

      Problems
      - DES is broken
      - Bruteforce attack
      - Java Thin Client till Version 10 supports only 8i

  29. Downgrade Attacks
      Several Downgrade Attacks published [5] [3] [6]
      - Against old versions of Oracle 11 JDBC Driver
        - “Downgrade through Replay”
        - Replace Handshake Packets with older Version
      - Combinations of versions and platforms behave differently
        - many WTF?!? moments...
      - Attack against Oracle 10g Windows Client and Server
        - Downgrade to Oracle 8i level
        - metasploit module – release?

  30. Attack!

  33. Mitigation
      - Strong passwords
      - Keep software up to date
        - especially JDBC driver
      - Configure minimal accepted Net8 version: SQLNET.ALLOWED_LOGON_VERSION
      - (buy Oracle Advanced Security)
      - (tunnel over SSH or SSL)

  34. Questions?

  35. Microsoft SQL Server
      - Tabular Data Stream Protocol (TDS)
        - Open specification [4] → not as painful as analyzing Oracle ;)
        - Wireshark decoder exists
      - Two types of authentication
        - Native authentication
        - Integrated/Windows authentication

  36. Native Authentication
      - Authentication with “Login7” packet
      - No cryptographic Challenge-Response, no crypto at all???
      - Password is obfuscated
        - no problem: obfuscation algorithm is in the standard
