KCI-based MitM Attacks against TLS Prying Open Pandora’s Box
Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df
whoami

[haku@bsidesbox] % getent passwd `whoami` | awk -F ':' '{print $5}'
Clemens Hlauschek
[haku@bsidesbox] % id -G -n | tr " " "\n"
co-head security division rise gmbh
lecturer at tu vienna
student mathematics
student computational intelligence
researcher
penetration tester
security engineer
■ Authenticated Key Agreement and KCI
■ TLS is vulnerable to KCI
■ KCI and TLS in practice
■ Live demo: TLS MitM attack
■ Conclusion and Mitigation
Weakness of Authenticated Key Agreement protocol

Authenticated Key Agreement
■ 2 parties exchange messages
■ Over an adversarial network
■ To derive a shared secret (session key)
Weakness of Authenticated Key Agreement protocol
■ Compromise of a party's long-term secret trivially allows impersonating the compromised party
■ KCI (Key Compromise Impersonation), the reverse situation: impersonate an uncompromised party to the compromised party
■ KCI allows for MitM attacks
Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication
■ Z_p as well as EC
■ In all TLS versions (1.0 to 1.2; TLS 1.3 later removed non-ephemeral (EC)DH key exchange altogether)
■ Client indicates support in ClientHello message (by offering the non-ephemeral cipher suites)
■ Server requests fixed_(ec)dh authentication
■ Session key is derived from static DH values only:
  client: PRF((g^s)^c, rand_c || rand_s)
  server: PRF((g^c)^s, rand_c || rand_s)
Man-in-the-Middle attack against TLS using KCI
■ Block connection to server
■ Send the genuine server cert (the attacker needs nothing from the server but its public value g^s)
■ Request fixed (EC)DH client authentication
■ Request compromised cert via Distinguished Name in CertRequest
■ Both attacker and client do the same session key computation: PRF((g^s)^c, rand_c || rand_s), the attacker using the compromised client key c
■ Connect to server
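The key derivation of the previous slide and the attack steps above, carried out end to end as an added example (not code from the talk or its authors). It assumes a toy DH group (p = 2^127 - 1, g = 3) so that it runs instantly; the TLS 1.2 PRF is the real one from RFC 5246, and all function and variable names are this example's own. The point it shows: the attacker's computation takes only the client's compromised private key c and the public value g^s from the server certificate, never the server's private key s.

```python
"""Static DH with fixed_dh client authentication, and the KCI attack on it.

Added example, not code from the slides or their authors. Toy DH group
(assumption, far too small for real use) plus the TLS 1.2 PRF, so the
master-secret computation is what the slides write as
PRF((g^s)^c, rand_c || rand_s).
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus (assumption; not a real TLS group)
G = 3                # toy generator


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed)."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) || seed)
    return out[:length]


def premaster(peer_pub: int, own_priv: int) -> bytes:
    """DH result Z as pre_master_secret, leading zero bytes stripped (RFC 5246 8.1.2)."""
    z = pow(peer_pub, own_priv, P)
    return z.to_bytes((P.bit_length() + 7) // 8, "big").lstrip(b"\x00")


def master_secret(pms: bytes, rand_c: bytes, rand_s: bytes) -> bytes:
    return tls12_prf(pms, b"master secret", rand_c + rand_s, 48)


def keygen() -> tuple:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


# Long-term static keys. The public halves are what the certificates carry;
# with fixed_dh there is no other key material in the handshake.
S_PRIV, SERVER_CERT_PUB = keygen()   # server: g^s in the server certificate
C_PRIV, CLIENT_CERT_PUB = keygen()   # client: g^c in the client certificate


def honest_handshake(rand_c: bytes, rand_s: bytes) -> tuple:
    """Both sides derive the key from the certificate values alone."""
    client_ms = master_secret(premaster(SERVER_CERT_PUB, C_PRIV), rand_c, rand_s)
    server_ms = master_secret(premaster(CLIENT_CERT_PUB, S_PRIV), rand_c, rand_s)
    return client_ms, server_ms


def kci_attacker(compromised_c: int, server_cert_pub: int,
                 rand_c: bytes, rand_s: bytes) -> bytes:
    """What the MitM computes while impersonating the server to the client.

    Inputs: the client's compromised private key c and the server's *public*
    value g^s, read off the real server certificate that the attacker replays.
    The server's private key s is never needed, which is what makes this KCI.
    rand_s is the attacker's choice, since it plays the server.
    """
    return master_secret(premaster(server_cert_pub, compromised_c), rand_c, rand_s)


def run_demo() -> dict:
    rand_c = secrets.token_bytes(32)
    rand_s = secrets.token_bytes(32)
    client_ms, server_ms = honest_handshake(rand_c, rand_s)
    attacker_ms = kci_attacker(C_PRIV, SERVER_CERT_PUB, rand_c, rand_s)
    return {
        "honest_sides_agree": client_ms == server_ms,
        "attacker_matches_client": attacker_ms == client_ms,
    }


if __name__ == "__main__":
    print(run_demo())
```

The (EC)DHE suites do not fall to this: there the server's key share is fresh per connection and signed with the server's private key in ServerKeyExchange, so knowing c does not let the attacker produce a ServerKeyExchange the client accepts. That is why the mitigation is to drop the non-ephemeral suites, not only to guard client keys better.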
1. Victim client support: must implement non-ephemeral Diffie-Hellman with fixed client authentication handshake
   ■ rsa_fixed_dh
   ■ dss_fixed_dh
   ■ rsa_fixed_ecdh
   ■ ecdsa_fixed_ecdh
2. Victim server support: must have matching certificate
3. Compromised client certificate's secret:
   ■ Stolen private key
   ■ Client cert foisted on victim (various vectors)
■ Secure ways for generating client certs exist
■ Common practice: send pre-generated client certs with secret key to user
■ Insecure OS mechanisms to install client certs
■ Attacker / malicious admin coaxes the victim to install a client certificate for network X, then uses it to exploit connections to all vulnerable servers
For example (hypothetically): Abusing the trustStore on Android devices
■ A user installs a malicious, but benign-looking app
■ Malicious app installs client certificate in system trustStore
■ Targeted app makes TLS connection
■ MitM forces targeted app to use client authentication, using the previously installed cert
■ User confirms client authentication
A malicious vendor or distributor might install a backdoor in the form of a client certificate
■ Superfish-MitM: Inject own CA certificate
■ KCI-Backdoor:
  ■ Implementation fully spec-conformant
  ■ Server certs do not change
■ Use secure mechanism (keygen-tag, javascript) to install client certificate
■ But generate keys with deprecated key strength (1024 Bit DH, 160 Bit ECDH)
■ Break low-security client keys in offline attack
■ Attack servers that would support strong cryptography (>= 2048 Bit DH, >= 256 Bit ECDSA)
■ Lower bound for client-supported key strength sets upper bound for achievable security
Server must either
■ Support a non-ephemeral (EC)DH handshake
■ Have an ECDSA certificate ( < 10% )
  ■ ECDH and ECDSA certs have the same structure (an EC public key), so an ECDSA signing cert can serve a static ECDH handshake
  ■ If the X.509 KeyUsage extension is used, it has to permit keyAgreement
  ■ KeyUsage extension not mandatory
Vulnerable client software
■ Programs using BouncyCastle might be vulnerable
■ Apple SecureTransport on older versions of Mac OS X (Safari)
■ OpenSSL
  ■ Recently added support (1.0.2 branch) for fixed DH (Z_p) client authentication
  ■ TODOs in the source code for fixed ECDH client authentication
■ RSA Bsafe(?): support for non-ephemeral ECDH (according to API documentation)
■ Clients should disable KCI-vulnerable cipher suites
■ ECDSA server certificates should not set the keyAgreement bit in the X.509 KeyUsage extension
■ Industry best-practice guides (e.g., RFC 7525) should warn against KCI-vulnerable cipher suites
■ Secure generation of client certificates (private key does not leave the user's computer) should become common practice

Although we managed to attack prestigious targets (Safari – Facebook), both client and server support are rather rare, currently. Hopefully, this work prevents the issue from ever becoming more widespread:
■ OpenSSL only very recently added support for fixed DH client authentication
■ ECDSA certificates are probably becoming more widespread in the future
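The first two mitigations above as an audit helper, an added example that is not part of the talk: it classifies a list of offered cipher suites by key exchange (IANA and OpenSSL naming) and flags the non-ephemeral (EC)DH ones, and it applies the KeyUsage rule for ECDSA certificates from the server-prerequisites slide. The sample suite list is constructed for the example and the function names are its own.

```python
"""Audit helpers: flag cipher suites whose key exchange is non-ephemeral
(EC)DH, and decide whether an ECDSA server certificate's KeyUsage would let
it double as a static-ECDH certificate.

Added example, not code from the slides or their authors. Suite names follow
the IANA (TLS_..._WITH_...) and OpenSSL (DH-RSA-..., ECDHE-ECDSA-...)
conventions; the sample ClientHello list is constructed.
"""
import re
from typing import Iterable, Optional

# Key exchanges where the long-term certificate key is itself the DH value that
# goes into the session key (DH_DSS/DH_RSA of RFC 5246, ECDH_ECDSA/ECDH_RSA of
# RFC 4492): KCI-vulnerable once a client's fixed_(ec)dh key is compromised.
STATIC_KX = {"DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}

_IANA = re.compile(r"^TLS_(?P<kx>DHE?_(?:RSA|DSS)|ECDHE?_(?:RSA|ECDSA)|RSA)_WITH_")
_IANA_13 = re.compile(r"^TLS_(?:AES|CHACHA20)_")
_OPENSSL = re.compile(r"^(?P<kx>DHE|EDH|ECDHE|EECDH|DH|ECDH)-(?P<auth>RSA|DSS|ECDSA)-")


def key_exchange(suite: str) -> Optional[str]:
    """Normalise a suite name to its key-exchange/auth label, e.g. 'ECDH_ECDSA'.

    Returns None for names this helper does not understand (anonymous suites,
    PSK, OpenSSL's bare RSA names like AES128-SHA, ...) so that the caller can
    report them as 'unknown' instead of silently treating them as safe.
    """
    if _IANA_13.match(suite):
        return "TLS13"               # TLS 1.3 suites: (EC)DHE only, no static DH
    m = _IANA.match(suite)
    if m:
        return m.group("kx")
    m = _OPENSSL.match(suite)
    if m:
        kx = {"EDH": "DHE", "EECDH": "ECDHE"}.get(m.group("kx"), m.group("kx"))
        return f"{kx}_{m.group('auth')}"
    return None


def kci_vulnerable(suite: str) -> bool:
    return key_exchange(suite) in STATIC_KX


def audit_suites(suites: Iterable[str]) -> dict:
    """Split a suite list into safe / KCI-vulnerable / unrecognised buckets."""
    result = {"safe": [], "vulnerable": [], "unknown": []}
    for s in suites:
        kx = key_exchange(s)
        if kx is None:
            result["unknown"].append(s)
        elif kx in STATIC_KX:
            result["vulnerable"].append(s)
        else:
            result["safe"].append(s)
    return result


def ecdsa_cert_usable_for_static_ecdh(key_usage: Optional[Iterable[str]]) -> bool:
    """An ECDSA certificate carries an EC public key, structurally the same as an
    ECDH certificate. It can be (ab)used for an ECDH_ECDSA handshake unless the
    KeyUsage extension is present and lacks keyAgreement (RFC 4492 server
    certificate rules). Pass None when the certificate has no KeyUsage extension.
    """
    return key_usage is None or "keyAgreement" in set(key_usage)


# Constructed sample: what a client might offer, mixing both name styles.
SAMPLE_CLIENT_HELLO = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
    "ECDH-RSA-AES128-SHA",
    "DH-DSS-AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "TLS_PSK_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for bucket, names in audit_suites(SAMPLE_CLIENT_HELLO).items():
        print(bucket, names)
    print("ECDSA cert, no KeyUsage:", ecdsa_cert_usable_for_static_ecdh(None))
    print("ECDSA cert, digitalSignature only:",
          ecdsa_cert_usable_for_static_ecdh({"digitalSignature"}))
```

Anything in the "unknown" bucket should be looked at by hand rather than assumed safe; the classifier only recognises the suite families that matter for this attack.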
■ Certificate revocation is broken in practice
■ Proprietary TLS implementations (BSafe, etc.)
■ KCI-vulnerable TLS in different use cases
■ Other KCI-vulnerable protocols used in the real world