off path attacks against pki
play

OFF-PATH ATTACKS AGAINST PKI Markus Brandt, Tianxiang Dai, Amit - PowerPoint PPT Presentation

Dec 27, 2022 •38 likes •588 views

OFF-PATH ATTACKS AGAINST PKI Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, Michael Waidner 1 WHO AM I? n Security Researcher n Technische Universitt Darmstadt n Fraunhofer-Institut fr Sichere Informationstechnologie n Freelancer n

  1. OFF-PATH ATTACKS AGAINST PKI Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, Michael Waidner 1

  2. WHO AM I? n Security Researcher n Technische Universität Darmstadt n Fraunhofer-Institut für Sichere Informationstechnologie n Freelancer n Teaching IT Security at TU Darmstadt n Special interest: n Network Security n Crypto n Reverse engineering n … 2

  3. OUTLINE n Public-Key Infrastructures n Domain Validation n Off-Path attack against Domain Validation n Defences n Conclusion 3

  4. PUBLIC-KEY INFRASTRUCTURES 4

  5. LET'S START WITH A SIMPLE EXAMPLE client 5

  6. INSECURE WITHOUT ENCRYPTION client 6

  7. ENCRYPTION PROTECTS THE DATA client ? 7

  8. CERTIFICATES BIND CRYPTOGRAPHIC KEYS TO SUBJECTS Certificate is signed by trusted root client 8

  9. CERTIFICATES BIND CRYPTOGRAPHIC KEYS TO SUBJECTS Certificate is signed by untrusted root ✘ or self signed ebay client 9

  10. DOMAIN VALIDATION 10

  11. MORE THAN 100 ROOT CA IN BROWSERS Domain Organisation Extended Validation (OV) Validation (EV) Validation (DV) Expensive Manual Time-consuming Automated Free / cheap Immediate n We tested 17 CAs that perform DV n They control over 95% of the certificates market n Five were vulnerable n Only one vulnerable CA is sufficient n Usually it doesn’t matter which CA signed it 11

  12. CERTIFICATE ISSUANCE WITH DOMAIN VALIDATION 1 2 3 4 5 12

  13. RESOLVING A DOMAIN NAME Nameserver ns.ebay.com DNS resolver Client www.ebay.com? www.ebay.com? 1.2.3.4 1.2.3.4 1.2.3.4 13

  14. REPLYING FROM CACHE DNS resolver Client www.ebay.com? 1.2.3.4 1.2.3.4 14

  15. OFF-PATH ATTACK AGAINST DOMAIN VALIDATION 15

  16. WE ASSUME THE WEAKEST ATTACKER Off-Path (Spoofing) Attackers can: n only inject packets n not eavesdrop n not modify or delay packets in any way 16

  17. DNS CACHE POISONING Nameserver ns.ebay.com DNS resolver Client www.ebay.com? www.ebay.com? 6.6.6.6 1.2.3.4 6.6.6.6 6.6.6.6 DNS Cache Poisoning 17

  18. AGAINST OFF-PATH POISONING: CHALLENGE-RESPONSE n Send request from random port (16 Bit) n Select random DNS transaction ID (also 16 Bit) n 2 32 values à impractical to guess! 18

  19. DNS PACKET: IP HEADER Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 v4 IHL TOS Total Length 0 IP Identifier Flags Fragment Offset 32 Header Time To Live Protocol IP Header Checksum 64 IP Source IP Address 96 Destination IP Address 128 19

  20. DNS PACKET: UDP HEADER Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 v4 IHL TOS Total Length 0 IP Identifier Flags Fragment Offset 32 Header Time To Live Protocol IP Header Checksum 64 IP Source IP Address 96 Destination IP Address 128 Header Source Port Destination Port 160 UDP Length UDP Checksum 192 20

  21. DNS PACKET: DNS HEADER Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 v4 IHL TOS Total Length 0 IP Identifier Flags Fragment Offset 32 Header Time To Live Protocol IP Header Checksum 64 IP Source IP Address 96 Destination IP Address 128 Header Source Port Destination Port 160 UDP Length UDP Checksum 192 Transaction Identifier (TXID) DNS Flags 224 Header DNS Question Count Answer Record Count 256 Authority Record Count Additional Record Count 288 21

  22. DNS PACKET: DNS PAYLOAD Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 v4 IHL TOS Total Length 0 IP Identifier Flags Fragment Offset 32 Header Time To Live Protocol IP Header Checksum 64 IP Source IP Address 96 Destination IP Address 128 Header Source Port Destination Port 160 UDP Length UDP Checksum 192 Transaction Identifier (TXID) DNS Flags 224 Header DNS Question Count Answer Record Count 256 Authority Record Count Additional Record Count 288 Question Section … Payload Answer Section DNS Authority Section Additional Section 22

  23. CHALLENGES n Modify communication without seeing it and without access to it n Overwrite cached record with incorrect value n Exploit DNS cache poisoning to circumvent PKI authentication (and issue certificate) 23

  24. GOALS Create Inject Issue correct into spoofed 3 1 2 response DNS certificate cache (Port, TXID) 24

  25. LET’S START WITH STEP 1 Create Inject Issue correct into spoofed 3 1 response DNS certificate cache (Port, TXID) 25

  26. LARGE PACKETS CAN GET FRAGMENTED ON PATH Net Net 5.5.5 .0 Net 3.3.3 .0 2.2.2 .0 From: 2.2.2.5 To : 3.3.3.7 From: 2.2.2.5 Bob, how much I . . . To : 3.3.3.7 Bob, how much I From: 2.2.2.5 love you To : 3.3.3.7 . love you ! . . Bob, how Bob, how IPs, Ports and IP IDs have to match! much much I love you I love you 26

  27. FRAGMENTATION CAN ALSO BE REQUESTED Net Net 5.5.5 .0 Net 3.3.3 .0 ¸ 2.2.2 .0 ICMP From: 2.2.2.5 To : 3.3.3.7 Packet too Bob, how much I love you big Bob, how much I love you 27

  28. ICMP FRAGMENTATION NEEDED AND DON'T FRAGMENT WAS SET Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 v4 IHL TOS Total Length 0 IP Identifier Flags Fragment Offset 32 Header Time To Live Protocol IP Header Checksum 64 IP Source IP Address 96 Destination IP Address 128 Header Type = 3 Code = 4 ICMP Checksum 160 ICMP Unused MTU = 100 192 v4 IHL TOS Total Length 224 IP Header IP Identifier Flags Fragment Offset 256 Time To Live Protocol IP Header Checksum 288 Source IP Address 320 Destination IP Address 352 IP Payload … 28

  29. FORCING FRAGMENTATION n Among 5K-top Alexa that reduce the MTU n 33,4% allow >= 296 bytes n 11% allow < 296 bytes n ICMP Messages can be sent by anyone n OSes typically do not apply any checks for UDP n UDP is stateless. 29

  30. EXPLOITING FRAGMENTATION AGAINST DNS Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 v4 IHL TOS Total Length 0 IP Identifier Flags Fragment Offset 32 Time To Live Protocol IP Header Checksum 64 But what about Source IP Address 96 the IP ID? Destination IP Address 128 Source Port Destination Port 160 Length UDP Checksum 192 Transaction Identifier (TXID) DNS Flags 224 Question Count Answer Record Count 256 Modify only this! Authority Record Count Additional Record Count 288 Question Section … Answer Section Authority Section Additional Section 30

  31. RFC 791 September 1981 Internet Protocol Overview Fragmentation [...] The identification field is used to distinguish the fragments of one datagram from those of another. The originating protocol module of an internet datagram sets the identification field to a value that must be unique for that source-destination pair and protocol for the time the datagram will be active in the internet system. The originating protocol module of a complete datagram sets the more-fragments flag to zero and the fragment offset to zero. [...] 31

  32. HOW DO MAKE IP IDENTIFIERS UNIQUE? RANDOM IP IDENTIFIERS n Very few servers use random IP ID values (<1%) n Quite complicated n Needs enough entropy n Has to check for collisions 32

  33. HOW DO MAKE IP IDENTIFIERS UNIQUE? Per-Destination IP ID n <40% of the nameservers use a per-destination incrementing IP ID n Default in Linux n Attacks exist [KC14] [KC14] Jeffrey Knockel and Jedidiah R Crandall. 2014. Counting Packets Sent Between Arbitrary Internet Hosts.. In FOCI. 33

  34. HOW DO MAKE IP IDENTIFIERS UNIQUE? Sequentially Incrementing IP ID n >60% of 10K-top Alexa domains use sequentially incrementing IP ID values n Easiest to attack n Simply estimate incremention 34

  35. WHAT HAPPENS IF THE 2 ND FRAGMENT ARRIVES FIRST? n Operating systems keep 2 nd fragment and wait for 1 st fragment n Windows keeps 100 fragments n Linux keeps 64 fragments n Older Linux kernels allow for thousands of fragments n Can be set via ip_frag_max_dist 35

  36. NOW WE WANT TO INSERT OUR ENTRY INTO THE CACHE Create Inject Issue correct into spoofed 2 response DNS certificate cache (Port, TXID) 36

  37. ADVANCED CACHE POISONING DNS resolver ns.doma.in sub.doma.in? sub.doma.in? 2.2.2.2 Answer: (none) Cache: Domain IP Authoritative Server: doma.in 1.1.1.1 sub.doma.in NS ns.doma.in ns.doma.in 2.2.2.2 Additional Section: … … ns.doma.in A 9.9.9.9 37

  38. ADVANCED CACHE POISONING DNS resolver ns.doma.in sub.doma.in? sub.doma.in? 2.2.2.2 Answer: ns.doma.in has a (none) new IP. Cache: I should update this. Domain IP Authoritative Server: doma.in 1.1.1.1 sub.doma.in NS ns.doma.in ns.doma.in 9.9.9.9 Additional Section: … … ns.doma.in A 9.9.9.9 38

  39. THIS WAS JUST ONE (VERY SIMPLE) EXAMPLE “Internet-wide study of DNS cache injections” [KSW17] examines 18 different techniques There may be many others yet to be discovered [KSW17] A. Klein, H. Shulman and M. Waidner, "Internet-wide study of DNS cache injections," IEEE INFOCOM 2017 - IEEE Conference on Computer Communications , Atlanta, GA, 2017 39

  40. DNS RESOLVERS APPLY DIFFERENT POLICIES Deciding which records to cache and which to overwrite 40

  41. DIFFERENT DNS SERVER ARE VULNERABLE TO DIFFERENT PAYLOADS 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Introduction &amp; background Path-key-enabled attacks Secure path-key revocation Conclusions Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler Moore and Jolyon Clulow University of Cambridge

505 views • 22 slides
Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

The C-Path Vision: Sharing Data and Expertise to Accelerate the Development of Safe and Effective Therapies for Neonates Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a catalyst in the development of

410 views • 20 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Introduction to Path Analysis Ways to think about path analysis Path coefficients

Introduction to Path Analysis Ways to think about path analysis Path coefficients

Introduction to Path Analysis Ways to think about path analysis Path coefficients A bit about direct and indirect effects What path analysis can and cant do for you Measured vs. manifested the when of

589 views • 24 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way

The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way

The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way Path #2 - The way of of the foolish the wise Picture from rootsrated.com via Ed Ogle/Flickr Pay attention to my commands, Gods Word. Proverbs

527 views • 25 slides
CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1

CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1

CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1 Longest Path in a DAG Longest Path in a DAG Goal: Given a DAG G, find the longest path. Recall: A directed graph G is a DAG if it has no cycle.

571 views • 23 slides
Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark

Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark

Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark Allman, kc claffy IMC 2015, October 28th 2015 1 w w w . cai da. or What is a Blind Attack on TCP? A brute-force attempt by an off-path

335 views • 29 slides
More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We

More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We

More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We are in in a graph context MOP2 Path definition 2 What is a path? A path is a sequence of nodes n 1 , n 2 , , n p Each

850 views • 65 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
PATH F Framew mework LEC EC 1 12-4-19 19 PATH TH Fr Framework I k In Context W t Within

PATH F Framew mework LEC EC 1 12-4-19 19 PATH TH Fr Framework I k In Context W t Within

PATH F Framew mework LEC EC 1 12-4-19 19 PATH TH Fr Framework I k In Context W t Within O Oaklan and Ho Homelessn ssness ss S Sho hould B Be e Rare, B , Brief, &amp; , &amp; Non R n Recur ecurring Affordable Housing Policy

873 views • 31 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

540 views • 18 slides
Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The Rendering Equation Monte Carlo Integration A Basic Path Tracer Variance Reduction and Optimisation Techniques Additional Resources Plan From Ray

1.08k views • 54 slides
A * A path finding algorithm. A path finding algorithm. Given a state space, such as a

A * A path finding algorithm. A path finding algorithm. Given a state space, such as a

A * A path finding algorithm. A path finding algorithm. Given a state space, such as a 2-dimensional map, find a path from point A to point B in that space, if such a path exists. If such a path exists, return a path within certain criteria

445 views • 30 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip

Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip

Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip Hallam-Baker Principal Scientist VeriSign Inc. Small is not beautiful Not When you write the code PIC 16F88 368 bytes RAM 4K Word ROM 20MHz

390 views • 21 slides
PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007

PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007

Everything you never wanted to know about PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007 SAMLized applications HTTPS web browser What about email access network access

141 views • 11 slides
Scholarly Text Curation &amp; Robust Anchoring Requirements Timothy W. Cole

Scholarly Text Curation &amp; Robust Anchoring Requirements Timothy W. Cole

W3C Workshop on Annotations San Francisco, California USA 2 April 2014 Scholarly Text Curation &amp; Robust Anchoring Requirements Timothy W. Cole (t-cole3@illinois.edu) Thomas G. Habing (thabing@illinois.edu) Anchoring Methods to Support

329 views • 20 slides
t strs rt r

t strs rt r

trt Prs r Prs t sts sss s t strs

323 views • 30 slides
A PKI for IP Address Space and AS Numbers Dr. Stephen Kent Chief Scientist - Information

A PKI for IP Address Space and AS Numbers Dr. Stephen Kent Chief Scientist - Information

A PKI for IP Address Space and AS Numbers Dr. Stephen Kent Chief Scientist - Information Security Why A PKI? All proposals for improving the security of BGP rely on a secure infrastructure that attests to address space and AS number

252 views • 13 slides
c b roland.vanrijswijk@surfnet.nl Overview - Introduction - The 2-factor landscape - Something

c b roland.vanrijswijk@surfnet.nl Overview - Introduction - The 2-factor landscape - Something

tiqr: a novel take on two-factor authentication LISA 2011, Boston, MA Roland van Rijswijk c b roland.vanrijswijk@surfnet.nl Overview - Introduction - The 2-factor landscape - Something we all have - - Comparison of 2-factor AuthN

546 views • 19 slides
OSG PKI Transition: Status and Next Steps (and Lessons Learned) Von Welch OSG PKI

OSG PKI Transition: Status and Next Steps (and Lessons Learned) Von Welch OSG PKI

OSG PKI Transition: Status and Next Steps (and Lessons Learned) Von Welch OSG PKI Transition Lead Indiana University Center for Applied Cybersecurity Research Key Message DOE Grids CA stops issuing new certificates March 23 rd ,

397 views • 29 slides
MQ Signatures for PKI June 2017 Alan Szepieniec , Ward Beullens, Bart Preneel 1/17 New Hope Key

MQ Signatures for PKI June 2017 Alan Szepieniec , Ward Beullens, Bart Preneel 1/17 New Hope Key

MQ Signatures for PKI June 2017 Alan Szepieniec , Ward Beullens, Bart Preneel 1/17 New Hope Key Exchange Post-Quantum KX based on RLWE USENIX 2016 2/17 New Hope Key Exchange Post-Quantum KX based on RLWE USENIX 2016

586 views • 54 slides

More recommend