KCI-based MitM Attacks against TLS: Prying Open Pandora's Box

Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes. BS(l)idesVienna 0x7df


  1. KCI-based MitM Attacks against TLS Prying Open Pandora’s Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df

  2. whoami
     [haku@bsidesbox] % getent passwd `whoami` | awk -F ':' '{print $5}'
     Clemens Hlauschek
     [haku@bsidesbox] % id -G -n | tr " " "\n"
     co-head security division rise gmbh
     lecturer at tu vienna
     student mathematics
     student computational intelligence
     researcher
     penetration tester
     security engineer
     KCI-based MitM Attacks against TLS 2 / 17

  3. Outline of this Talk
     ■ Authenticated Key Agreement and KCI
     ■ TLS is vulnerable to KCI
     ■ KCI and TLS in practice
     ■ Live demo: TLS MitM attack
     ■ Conclusion and Mitigation

  5. Key Compromise Impersonation (KCI): Weakness of Authenticated Key Agreement protocol
     Authenticated Key Agreement
     ■ 2 parties exchange messages
     ■ Over an adversarial network
     ■ To derive a shared secret (session key)

  6. Key Compromise Impersonation (KCI): Weakness of Authenticated Key Agreement protocol
     ■ Compromise of a long-term secret allows an attacker to trivially impersonate the compromised party
     ■ KCI – reverse situation: Impersonate an uncompromised party to the compromised party
     ■ KCI allows for MitM attacks

  9. TLS protocol is vulnerable to KCI
     Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication
     ■ $\mathbb{Z}_p$ as well as EC
     ■ In all TLS versions
     ■ Client indicates support in ClientHello message
     ■ Server requests fixed_(ec)dh authentication
     ■ Session key is derived from static DH values:
       client: $\mathrm{PRF}((g^s)^c,\ \mathit{rand}_c \,\|\, \mathit{rand}_s)$
       server: $\mathrm{PRF}((g^c)^s,\ \mathit{rand}_c \,\|\, \mathit{rand}_s)$

  14. TLS protocol is vulnerable to KCI
      Man-in-the-Middle attack against TLS using KCI
      ■ Block connection to server
      ■ Send server cert
      ■ Request fixed (EC)DH
      ■ Request compromised cert via Distinguished Name in CertRequest
      ■ Both attacker and client do the same session key computation: $\mathrm{PRF}((g^s)^c,\ \mathit{rand}_c \,\|\, \mathit{rand}_s)$
      ■ Connect to server

  19. Prerequisites: KCI attacks against TLS
      1. Victim client support: must implement non-ephemeral Diffie-Hellman with fixed client authentication handshake
         ■ rsa_fixed_dh
         ■ dss_fixed_dh
         ■ rsa_fixed_ecdh
         ■ ecdsa_fixed_ecdh
      2. Victim server support: must have matching certificate
      3. Compromised client certificate's secret:
         ■ Stolen private key
         ■ Client cert foisted on victim (various vectors)
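A detection-side check for the certificate types listed on the prerequisites slide, as an added example that is not part of the original talk: it parses a plaintext TLS 1.2-style CertificateRequest handshake message and reports whether any fixed_(ec)dh client certificate type is requested, along with the requested CA Distinguished Names. It assumes the handshake message has already been reassembled from the record layer; `inspect_certificate_request` and `build_sample` are hypothetical names, and the sample message is constructed, not captured traffic.

```python
# Added example: flag fixed_(ec)dh requests in a TLS <= 1.2 CertificateRequest.
FIXED_DH_TYPES = {3: "rsa_fixed_dh", 4: "dss_fixed_dh",          # RFC 5246, 7.4.4
                  65: "rsa_fixed_ecdh", 66: "ecdsa_fixed_ecdh"}  # RFC 4492, 5.5
CERTIFICATE_REQUEST = 13  # HandshakeType code point


def inspect_certificate_request(msg: bytes, tls12: bool = True) -> dict:
    """Parse one plaintext CertificateRequest handshake message."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("length field runs past end of message")
        pos += n
        return body[pos - n:pos]

    cert_types = list(take(take(1)[0]))               # certificate_types
    if tls12:                                         # field exists in TLS 1.2 only:
        take(int.from_bytes(take(2), "big"))          # supported_signature_algorithms
    ca_block = take(int.from_bytes(take(2), "big"))   # certificate_authorities
    ca_names, i = [], 0
    while i + 2 <= len(ca_block):
        n = int.from_bytes(ca_block[i:i + 2], "big")
        ca_names.append(ca_block[i + 2:i + 2 + n])    # DER DistinguishedName
        i += 2 + n
    if i != len(ca_block) or pos != len(body):
        raise ValueError("malformed CertificateRequest")
    fixed = [FIXED_DH_TYPES[t] for t in cert_types if t in FIXED_DH_TYPES]
    return {"fixed_dh_types": fixed, "ca_names": ca_names, "alert": bool(fixed)}


def build_sample(cert_types: list) -> bytes:
    """Constructed test message (not captured traffic); the DN is CN=Example CA."""
    dn = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"
    body = (bytes([len(cert_types)]) + bytes(cert_types)
            + b"\x00\x04" + bytes.fromhex("04010403")   # two sig/hash pairs
            + (len(dn) + 2).to_bytes(2, "big") + len(dn).to_bytes(2, "big") + dn)
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    print(inspect_certificate_request(build_sample([1, 64, 66])))
```

Pass `tls12=False` for TLS 1.0/1.1 messages, which carry no `supported_signature_algorithms` field.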

  20. Foisting client cert on victim: Social engineering
      ■ Secure ways for generating client certs exist
      ■ Common practice: send pre-generated client certs with secret key to user
      ■ Insecure OS mechanisms to install client certs
      ■ Attacker / malicious admin coaxes victim to install client certificate for network X, then uses it to exploit connections to all vulnerable servers
