how broken is tls
play

How broken is TLS? A tale of BEAST, CRIME, Lucky Thirteen and - PowerPoint PPT Presentation

Oct 07, 2022 •362 likes •821 views

Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End How broken is TLS? A tale of BEAST, CRIME, Lucky Thirteen and Heartbleed Hanno B ock, https://hboeck.de 2014-04-19 1 / 44 Introduction Software CAs Introduction

  1. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End How broken is TLS? A tale of BEAST, CRIME, Lucky Thirteen and Heartbleed Hanno B¨ ock, https://hboeck.de 2014-04-19 1 / 44

  2. Introduction Software CAs Introduction X.509 Motivation Symmetric encryption History of SSL / TLS TLS misc Overview Misc End ◮ Hanno B¨ ock, freelance journalist, lives in Berlin ◮ Often writes about cryptography for Golem.de and others ◮ Also runs webhosting ( https://schokokeks.org ) 2 / 44

  3. Introduction Software CAs Introduction X.509 Motivation Symmetric encryption History of SSL / TLS TLS misc Overview Misc End ◮ TLS is the most important crypto protocol ◮ There are problems on multiple layers (certificate authorities, software, cryptography, protocols) ◮ BEAST, CRIME, Lucky Thirteen, Heartbleed, ... 3 / 44

  4. Introduction Software CAs Introduction X.509 Motivation Symmetric encryption History of SSL / TLS TLS misc Overview Misc End ◮ SSL 1 - only internal (Netscape) ◮ 1994: SSL 2 (Netscape, severe security issues, disabled) ◮ 1996: SSL 3 (Netscape, no extensions, still used) ◮ 1999: TLS 1 (IETF standard, problems with CBC, til today de facto standard) ◮ 2006: TLS 1.1 (half fix for CBC-problems) ◮ 2008: TLS 1.2 (introduces authenticated encryption with GCM and SHA-2) 4 / 44

  5. Introduction Software CAs Introduction X.509 Motivation Symmetric encryption History of SSL / TLS TLS misc Overview Misc End ◮ X.509 certificate authority signs host-certificate, host-certificate used to get a session key for TLS ◮ Two protocols (X.509 and TLS) ◮ So we have software, CAs, X.509 and TLS itself 5 / 44

  6. Introduction Software CAs Heartbleed X.509 Software Symmetric encryption Featurebloat TLS misc C Misc End ◮ Heartbleed is only a memory read error, just a software bug, nothing with cryptography ◮ So pretty boring, right? 6 / 44

  7. Introduction Software CAs Heartbleed X.509 Software Symmetric encryption Featurebloat TLS misc C Misc End ◮ SSL libraries have terrible code quality ◮ OpenSSL Valhalla Rampage - have fun and be scared ◮ Don’t blame OpenSSL. The others are just as bad 7 / 44

  8. Introduction Software CAs Heartbleed X.509 Software Symmetric encryption Featurebloat TLS misc C Misc End ◮ Who needs the heartbeat extension? ◮ What other extensions are there in TLS and who needs them? ◮ And who needs GOST, DSA, SEED, IDEA, Brainpool curves or Camellia? (GOST is only a draft, OpenSSL still has code for it) ◮ TLS also supports DES or RC2 with 40 Bit 8 / 44

  9. Introduction Software CAs Heartbleed X.509 Software Symmetric encryption Featurebloat TLS misc C Misc End ◮ It is extremely difficult to write secure code in C (buffer overflows etc.) ◮ Which programming language is better? Not too exotic, not too much overhead and usable on many different platforms, but still memsafe? ◮ And by the way: Constant time implementations needed ◮ Can we do memsafe C? (Softbound/CETS, OpenBSD malloc) 9 / 44

  10. Introduction Software Certificate Authorities CAs 2011 CA disaster X.509 Revocation Symmetric encryption Revocation that costs money TLS misc Fixing CAs Misc End ◮ Main problem: Every certificate authority can do Man-in-the-Middle-attacks on every website ◮ You automatically trust all CAs in your browser and all sub CAs ◮ Weird: It doesn’t matter if your CA is trustworthy, only the least trustworthy CA matters 10 / 44

  11. Introduction Software Certificate Authorities CAs 2011 CA disaster X.509 Revocation Symmetric encryption Revocation that costs money TLS misc Fixing CAs Misc End ◮ CA disaster 2011 ◮ Diginotar, Comodo, T¨ urktrust and others ◮ EFF SSL Observatory finds many valid certificates that shouldn’t exist (e.g. 512 Bit EV certificate) ◮ Diginotar is the only case where it had consequences ◮ Comodo issued fake certificates for mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com 11 / 44

  12. Introduction Software Certificate Authorities CAs 2011 CA disaster X.509 Revocation Symmetric encryption Revocation that costs money TLS misc Fixing CAs Misc End ◮ CRL doesn’t scale, OCSP not privacy friendly ◮ OCSP useless in Firefox and IE, disabled in Chrome ◮ OCSP Stapling could fix things a bit ◮ OCSP Stapling Required - only a draft ◮ Revocation does not work right now 12 / 44

  13. Introduction Software Certificate Authorities CAs 2011 CA disaster X.509 Revocation Symmetric encryption Revocation that costs money TLS misc Fixing CAs Misc End ◮ Heartbleed: StartSSL charges for revocation ◮ This is a problem: It gives incentives to do the wrong thing ◮ Cynics might say: Doesn’t matter, it’s broken anyway ◮ More general problem: It’s expensive and difficult to be secure (certificates) - it should be the other way round 13 / 44

  14. Introduction Software Certificate Authorities CAs 2011 CA disaster X.509 Revocation Symmetric encryption Revocation that costs money TLS misc Fixing CAs Misc End ◮ Convergence: distributed access (MitM still possible if attacker near server) ◮ Sovereign Keys: EFF, complicated, uses append-only log ◮ TACK: draft for TLS to pin certificates, shares many ideas with Sovereign Keys ◮ HTTP Key Pinning: draft from Google, only HTTPS ◮ Certificate Transparency: from Google, append-only log, make sure MitM gets detected 14 / 44

  15. Introduction Software CAs X.509 Algorithms Symmetric encryption Signaturen TLS misc Misc End ◮ Three public key types for X.509 certificates: RSA, DSA, ECDSA ◮ Everyone uses RSA and that’s a good thing ◮ DSA/ECDSA have severe problems with bad randomness 15 / 44

  16. Introduction Software CAs X.509 Algorithms Symmetric encryption Signaturen TLS misc Misc End ◮ MD5 signatures were used until someone showed they are really broken ◮ SHA1 signatures are de facto standard ◮ Few CAs do SHA256 signatures (about to change) ◮ RSA signatures use old PKCS #1 1.5 scheme, RSA-PSS (PKCS #1 2.1) would be better, lacks software support 16 / 44

  17. Introduction Algorithms Software BEAST CAs CBC, MAC, Padding X.509 From the TLS 1.2 standard Symmetric encryption Lucky Thirteen TLS misc CBC Misc RC4 End RC4 or CBC ◮ TLS supports a lot of algorithm combinations ◮ Example: ECDHE-RSA-AES256-GCM-SHA384 ◮ Key exchange with elliptic curves, signature with RSA, encryption with AES, key size 256 bit, block mode GCM (Galois/Counter Mode), MAC algorithm SHA385 17 / 44

  18. Introduction Algorithms Software BEAST CAs CBC, MAC, Padding X.509 From the TLS 1.2 standard Symmetric encryption Lucky Thirteen TLS misc CBC Misc RC4 End RC4 or CBC ◮ Until TLS 1.0 AES CBC used an implicit initialization vector ◮ This led to the BEAST attack ◮ Fixed in TLS 1.1, but who implements better protocols with more security if they don’t have to? 18 / 44

  19. Introduction Algorithms Software BEAST CAs CBC, MAC, Padding X.509 From the TLS 1.2 standard Symmetric encryption Lucky Thirteen TLS misc CBC Misc RC4 End RC4 or CBC ◮ TLS needs confidentiality and authenticity ◮ Most common: Encryption with AES-CBC, authentication with HMAC ◮ TLS does MAC-then-Pad-then-Encrypt ◮ Different error messages for padding and MAC errors allow Padding Oracle attack ◮ ”Solution”: just one error message 19 / 44

  20. Introduction Algorithms Software BEAST CAs CBC, MAC, Padding X.509 From the TLS 1.2 standard Symmetric encryption Lucky Thirteen TLS misc CBC Misc RC4 End RC4 or CBC ”Canvel et al. [CBCTIME] have demonstrated a timing attack on CBC padding based on the time required to compute the MAC. In order to defend against this attack, implementations MUST ensure that record processing time is essentially the same whether or not the padding is correct. In general, the best way to do this is to compute the MAC even if the padding is incorrect, and only then reject the packet. For instance, if the pad appears to be incorrect, the implementation might assume a zero-length pad and then compute the MAC. This leaves a small timing channel , since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable , due to the large block size of existing MACs and the small size of the timing signal.” (TLS 1.2, RFC 5246, p. 23) 20 / 44

  21. Introduction Algorithms Software BEAST CAs CBC, MAC, Padding X.509 From the TLS 1.2 standard Symmetric encryption Lucky Thirteen TLS misc CBC Misc RC4 End RC4 or CBC ◮ To translate this: We know there is a problem, but we don’t think it’s a real problem ◮ That was the Lucky Thirteen attack - it was already mentioned in the TLS standard itself 21 / 44

  22. Introduction Algorithms Software BEAST CAs CBC, MAC, Padding X.509 From the TLS 1.2 standard Symmetric encryption Lucky Thirteen TLS misc CBC Misc RC4 End RC4 or CBC ◮ For all problems with BEAST and Lucky Thirteen there are workarounds in browsers ◮ But after Lucky Thirteen many wanted to avoid CBC ◮ Solution: RC4 (only non-CBC-algorithm left before TLS 1.2) ◮ PCI verification (credit card standard) required RC4 for some time 22 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus & have given up on being their own savior! Abraham Sarah (wife) Isaac (son) Hagar (maidservant) Ishmael (son) Abraham, our broken spiritual

258 views • 21 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines that led me straight to Christ. MATTHEW 1:1-17 UNCONDITIONAL & CONDITIONAL I. UNDERLYING COVENANTS Edenic & Adamic Covenants A. 1.

364 views • 20 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
Review of prices for water and sewerage services in Broken Hill, and prices for the Broken Hill

Review of prices for water and sewerage services in Broken Hill, and prices for the Broken Hill

Review of prices for water and sewerage services in Broken Hill, and prices for the Broken Hill Pipeline, from 1 July 2019 Public Hearing 20 November 2018 Outline Overview of WaterNSW and Essential Water reviews Review of WaterNSWs prices

521 views • 22 slides
AI Is Broken Sophie Searcy AI Is Broken slides at soph.info/ai-traps Sophie Searcy Caveats

AI Is Broken Sophie Searcy AI Is Broken slides at soph.info/ai-traps Sophie Searcy Caveats

AI Is Broken Sophie Searcy AI Is Broken slides at soph.info/ai-traps Sophie Searcy Caveats AI lumping together Data Science, Artificial Intelligence, Machine Learning, Data Mining, etc. Audience Conversant in AI topics. Not

759 views • 47 slides
ANNOUNCEMENT Date: 8 April 2020 Number: 668/08042020 BROKEN HILL ALLIANCE PRESENTATION Broken

ANNOUNCEMENT Date: 8 April 2020 Number: 668/08042020 BROKEN HILL ALLIANCE PRESENTATION Broken

ANNOUNCEMENT Date: 8 April 2020 Number: 668/08042020 BROKEN HILL ALLIANCE PRESENTATION Broken Hill Alliance: As part of the new 2020 focus on PGM-nickel-copper exploration, Impact Minerals Limited (ASX:IPT) announced to ASX on 24 February

346 views • 10 slides
Broken Hill North Mine Community Consultative Committee 04 October 2019 KPIs MOD 2 Broken Hill

Broken Hill North Mine Community Consultative Committee 04 October 2019 KPIs MOD 2 Broken Hill

Broken Hill North Mine Community Consultative Committee 04 October 2019 KPIs MOD 2 Broken Hill North Mine, MOD 1 CoC Schedule 2, 8 (c), specified, 16 ore laden truck movements per day when averaged over a calendar quarter. PBH found this

141 views • 13 slides
On h -vectors of broken circuit complexes Dinh Van Le (Univesit at Osnabr uck) Osnabr

On h -vectors of broken circuit complexes Dinh Van Le (Univesit at Osnabr uck) Osnabr

On h -vectors of broken circuit complexes Dinh Van Le (Univesit at Osnabr uck) Osnabr uck, October 10th, 2015 Outline 1 Broken circuit complexes 2 The Orlik-Terao algebra 3 Series-parallel networks 4 An open problem Chromatic

656 views • 41 slides
Come, Come Whoever You Are Come, Come, Whoever You Are Though youve broken your vows a

Come, Come Whoever You Are Come, Come, Whoever You Are Though youve broken your vows a

Come, Come Whoever You Are Come, Come, Whoever You Are Though youve broken your vows a thousand times Wanderer, worshipper, lover of leaving Ours is no caravan of despair Come, yet again, come Come, Come ~ adapted from Rumi by Leslie

586 views • 48 slides
Take, eat; this is My body which is broken for you; do this in remembrance of Me. In the

Take, eat; this is My body which is broken for you; do this in remembrance of Me. In the

Take, eat; this is My body which is broken for you; do this in remembrance of Me. In the same manner He also took the cup after supper, saying, This cup is the new covenant in My blood. This do, as often as you drink it, in

739 views • 18 slides
All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab - SEEMOO Technische Universitt Darmstadt, Germany A foundation talk??? Wireless communication is fun damentally broken focus: everything in

687 views • 42 slides
WOOLLEN CARDING & SPINNING Niall Finn, Ray Wood Woollen Inputs Broken Top

WOOLLEN CARDING & SPINNING Niall Finn, Ray Wood Woollen Inputs Broken Top

WOOLLEN CARDING & SPINNING Niall Finn, Ray Wood Woollen Inputs Broken Top Stretch Broken Top Carbonised Wool Carbonised Noils Low VM scoured wools Synthetics Exotic fibres Recycled Fibres

807 views • 43 slides
Powe re d By Pe opl e The traditional recruitment process is broken Speed vs Quality The

Powe re d By Pe opl e The traditional recruitment process is broken Speed vs Quality The

Powe re d By Pe opl e The traditional recruitment process is broken Speed vs Quality The traditional multi-agency recruitment process is broken because it forces agencies to compete on the basis of speed not quality. As a result, the

344 views • 21 slides
The Broken Power Sequence of Radio-Loud AGN + Collective Evidence for Inverse Compton emission

The Broken Power Sequence of Radio-Loud AGN + Collective Evidence for Inverse Compton emission

The Broken Power Sequence in RL AGN 1/14 The Broken Power Sequence of Radio-Loud AGN + Collective Evidence for Inverse Compton emission from External Photons in High-Power Blazars E. Meyer 1 , M. Georganopoulos 2 , G. Fossati 1 , M. Lister 3

935 views • 28 slides
Securing Vacant and Abandoned Buildings IAAI/USFA Abandoned Building Project The "Broken

Securing Vacant and Abandoned Buildings IAAI/USFA Abandoned Building Project The "Broken

Securing Vacant and Abandoned Buildings IAAI/USFA Abandoned Building Project The "Broken Windows" Theory of Social Disorder From one broken window, you can lose a street Target Properties Secure and well maintained properties

1.03k views • 58 slides
Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2.

Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2.

Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2. Overview of the Nuprl System 3. Proofs of the Integer Square Root Problem What distinguishes Type Theory from Set Theory? n r r 2 n

800 views • 42 slides
CICS 515 b Internet Programming Week 2 Mike Feeley 1 Software infrastructure stuff MySQL and

CICS 515 b Internet Programming Week 2 Mike Feeley 1 Software infrastructure stuff MySQL and

CICS 515 b Internet Programming Week 2 Mike Feeley 1 Software infrastructure stuff MySQL and PHP store files in public_html run on remote.mss.icics.ubc.ca access as http://ws.mss.icics.ubc.ca/~username/... see wiki for

662 views • 39 slides
STL Algorithms 14. Magic square 4. Iterator categories 15. Substitution cipher 5. Reordering

STL Algorithms 14. Magic square 4. Iterator categories 15. Substitution cipher 5. Reordering

Porter Scobey Contents http://cs.stmarys.ca/~porter/csc/ref/stl/index_algorithms.html Stanford 106L , Standard C++ Programming Laboratory http://web.stanford.edu/class/cs106l/ 11. Mapping algorithms 1. Why STL algorithm? topcoders tutorial ,

367 views • 14 slides
ITESM CEM Cuauhtemoc Carbajal Reference: http://pyserial.sourceforge.net Overview This

ITESM CEM Cuauhtemoc Carbajal Reference: http://pyserial.sourceforge.net Overview This

ITESM CEM Cuauhtemoc Carbajal Reference: http://pyserial.sourceforge.net Overview This module encapsulates the access for the serial port. It provides backends for Python running on Windows, Linux, BSD (possibly any POSIX compliant

1.03k views • 27 slides
Web Application Security John Mitchell Three top web site vulnerabilites SQL Injection

Web Application Security John Mitchell Three top web site vulnerabilites SQL Injection

CS 155 Spring 2013 Web Application Security John Mitchell Three top web site vulnerabilites SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query CSRF Cross-site request forgery

1.76k views • 90 slides
MIPS Virtual what is the Java - what is the JVM ? lecture 25 Machine analogy ? - what is

MIPS Virtual what is the Java - what is the JVM ? lecture 25 Machine analogy ? - what is

MIPS Virtual what is the Java - what is the JVM ? lecture 25 Machine analogy ? - what is Java "byte code" Java Virtual Machine invoked methods and local stack (is it related to MIPS assembly/machine code ?) variables ?

487 views • 4 slides
How Java works The java compiler takes a .java file and generates a .class file The .class

How Java works The java compiler takes a .java file and generates a .class file The .class

How Java works The java compiler takes a .java file and generates a .class file The .class file contains Java bytecodes, the assembler language for Java programs Bytecodes are executed in a JVM (java virtual machine), the valid

426 views • 8 slides
Stack and Recursion Based on the notes from David Fernandez-Baca and Steve Kautz Bryn Mawr College

Stack and Recursion Based on the notes from David Fernandez-Baca and Steve Kautz Bryn Mawr College

Stack and Recursion Based on the notes from David Fernandez-Baca and Steve Kautz Bryn Mawr College CS206 Intro to Data Structures The Java Virtual Machine Java is designed to be platform-independent . To achieve this, every class in a Java

241 views • 6 slides

More recommend