on the security of rc4 in tls
play

On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny - PowerPoint PPT Presentation

Mar 28, 2024 •305 likes •856 views

On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London University of Illinois at Chicago http://www.isg.rhul.ac.uk/tls/ Agenda Brief overview of

  1. On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London University of Illinois at Chicago http://www.isg.rhul.ac.uk/tls/

  2. Agenda • Brief overview of TLS and use of RC4 • Analysis of RC4 • Two attacks against RC4 in TLS • Single-byte attack • Double-byte attack • Conclusions 2

  3. TLS • TLS = Transport Layer Security • Security goal: provide confidential and authenticated channel between client and server Client Server TLS Application data • Applications of TLS are ubiqutous • Secure websites (https://), secure e-mail (IMAP/TLS, POP/TLS, SMPT/TLS), mobile application, etc. 3

  4. Brief History of TLS • Started life as Secure Socket Layer (SSL) protocol • Developed at Netscape ~1994 • SSL v3 (1996) still widely supported • TLS = IETF standardization of SSL • TLS v1.0 in RFC 2246 (1999) • Based on SSL v3 but not compatible • TLS v1.1 in RFC 4346 (2006) • TLS v1.2 in RFC 5246 (2008) 4

  5. Simplified View of TLS Used by client and server to 1. Negotiate ciphersuite 2. Authenticate 3. Establish keys used in the Record Protocol Client Server Handshake Protocol Record Protocol Provides confidentiality and authenticity of application layer data using keys from Handshake Protocol 5

  6. TLS Record Protocol: MAC-Encode-Encrypt SQN || HDR Payload MAC Payload MAC tag Padding Encrypt HDR Ciphertext HMAC-MD5, HMAC-SHA1, HMAC-SHA256 MAC CBC-AES128, CBC-AES256, CBC-3DES, RC4-128 Encrypt 6

  7. TLS Record Protocol: RC4-128 SQN || HDR Payload MAC Payload MAC tag ⊕ RC4 Keystream HDR Ciphertext 7

  8. TLS Record Protocol: RC4-128 SQN || HDR Payload RC4 State Byte permutation and indices i and j S MAC RC4 Keystream generation RC4 Key scheduling begin begin i ← i + 1 mod 256 for i = 0 to 255 do Payload MAC tag j ← j + S [ i ] mod 256 S [ i ] ← i swap( S [ i ], S [ j ]) end ⊕ Z ← S [ S [ i ] + S [ j ] mod 256 ] j ← 0 RC4 Keystream return Z for i = 0 to 255 do end j ← j + S [ i ] + K [ i mod keylen ] mod 256 swap( S [ i ], S [ j ]) end i , j ← 0 HDR Ciphertext end 8

  9. TLS Record Protocol: Authenticated Encryption • TLS 1.2 additionally supports authenticated encryption • AES-GCM in RFC 5288 • AES-CCM in RFC 6655 • However, TLS 1.2 is not widely supported SSL Pulse: Webserver TLS support Browser TLS support (out-of-the-box) TLS v1.1 TLS v1.1 TLS v1.0 TLS v1.0 TLS v1.0 9

  10. Use of RC4 in TLS • Recent attacks on CBC-based ciphersuites in TLS: • BEAST attack, Lucky 13 • In face of these, switching to RC4 has been a recommended mitigation approach (e.g. Qualys, F5) • Use of RC4 in the wild: ICSI Certificate Notary Recent survey of 16 billion TLS connections: Approx. 50% protected via RC4 ciphersuites • Problem: RC4 is known to have statistical weaknesses 10

  11. Single-byte Biases in the RC4 Keystream Z i = value of i - th keystream byte • [Mantin-Shamir 2001]: 1 Pr[ Z 2 = 0] ≈ 128 • [Mironov 2002]: • Described distribution of (bias away from 0, sine-like distribution) Z 1 • [Maitra-Paul-Sen Gupta 2011]: for 3 ≤ r ≤ 255 1 Pr[ Z r = 0] = 256 + 0.242811 ≤ c r ≤ 1.337057 c r 256 2 • [Sen Gupta-Maitra-Paul-Sakar 2011]: 1 1 l = keylength Pr[ Z l = 256 − l ] ≥ 256 + 256 2 11

  12. Complete Keystream Byte Distributions • Our approach • Based on the output from 2 44 random independent 128 bit RC4 keys, estimate the keystream byte distribution of the first 256 bytes Ciphertext distribution at position 1 Ciphertext distribution at position 2 Ciphertext distribution at position 3 0.00395 0.00395 0.00395 ... ... Probability Probability Probability 0.00390625 0.00390625 0.00390625 0.003878 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value [0...255] Byte value [0...255] ... Z 1 Z 2 Z 3 • Revealed many new biases in the RC4 keystream • (Some of these were independently discovered by [Isobe et al. 2013]) 12

  13. Keystream Distribution at Position 1 Ciphertext distribution at position 1 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  14. Keystream Distribution at Position 2 Ciphertext distribution at position 2 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  15. Keystream Distribution at Position 3 Ciphertext distribution at position 3 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  16. Keystream Distribution at Position 4 Ciphertext distribution at position 4 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  17. Keystream Distribution at Position 5 Ciphertext distribution at position 5 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  18. Keystream Distribution at Position 6 Ciphertext distribution at position 6 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  19. Keystream Distribution at Position 7 Ciphertext distribution at position 7 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  20. Keystream Distribution at Position 8 Ciphertext distribution at position 8 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  21. Keystream Distribution at Position 9 Ciphertext distribution at position 9 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  22. Keystream Distribution at Position 10 Ciphertext distribution at position 10 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  23. Keystream Distribution at Position 11 Ciphertext distribution at position 11 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  24. Keystream Distribution at Position 12 Ciphertext distribution at position 12 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  25. Keystream Distribution at Position 13 Ciphertext distribution at position 13 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  26. Keystream Distribution at Position 14 Ciphertext distribution at position 14 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  27. Keystream Distribution at Position 15 Ciphertext distribution at position 15 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  28. Keystream Distribution at Position 16 Ciphertext distribution at position 16 0.00395 0.003950 Probability Probability 0.00390625 0.003906 0.003878 0.003878 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 255 Byte value [0...255] Byte value

  29. Plaintext Recovery • Based on the keystream byte distribution, we can construct a plaintext recovery attack • Exploits all single-byte biases in the initial part of the RC4 keystream • Attack requires the same plaintext to be encrypted under many di ff erent keys • Applicable when using TLS? 29

  30. Targeting Secure HTTP Cookies TLS Secure cookie TLS HTTP request (cookie attached) Malicious https://secure.com Client server • Javascript • Uses XMLHttpRequest objects to generate POST requests • Request to secure site possible due to Cross-Origin Resource Sharing • Number of requests generated by script must be balanced to avoid browser overload 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Ensuring Mental Health Parity and Access Peter Bri Peter rickwed edde Assistant Commissioner

Ensuring Mental Health Parity and Access Peter Bri Peter rickwed edde Assistant Commissioner

Ensuring Mental Health Parity and Access Peter Bri Peter rickwed edde Assistant Commissioner of Government and External Affairs, Minnesota Department of Commerce Sh Sharon G Gabr brie ielson Executive Leader, Former Chair of Mayo Clinic

262 views • 15 slides
Investor Presentation Q2FY17 Agenda Byke Background and Overview 01 Key Growth Drivers 02

Investor Presentation Q2FY17 Agenda Byke Background and Overview 01 Key Growth Drivers 02

Investor Presentation Q2FY17 Agenda Byke Background and Overview 01 Key Growth Drivers 02 Hotel Segment (Owned + Leased) 03 Room Chartering Segment 04 Growth Strategy 05 Q2FY17 Financial Highlights 06 Byke Background and Overview

472 views • 36 slides
Metrics & Scoring Committee: Recommendations to Health Plan Quality Metrics Committee, 2019

Metrics & Scoring Committee: Recommendations to Health Plan Quality Metrics Committee, 2019

Metrics & Scoring Committee: Recommendations to Health Plan Quality Metrics Committee, 2019 Measure Set Will Brake, Committee Chair, AllCare Health Anna Jimenez, MD, Committee Vice-Chair, Family Care CCO November 9, 2017 HEALTH POLICY

191 views • 15 slides
Principles for Measurability From: ACM SIGCOMM in Protocol Design CCR Vol. 47 Issue 2 Mark

Principles for Measurability From: ACM SIGCOMM in Protocol Design CCR Vol. 47 Issue 2 Mark

Principles for Measurability From: ACM SIGCOMM in Protocol Design CCR Vol. 47 Issue 2 Mark Allman (ICSI) August 24, 2017 Robert Beverly (NPS) Brian Trammell (ETHZ) 1 Principles for Measurability From: ACM SIGCOMM in Protocol Design CCR

656 views • 44 slides
INVESTOR PRESENTATION Q3 F20 11 th February, 2020 V S Parthasarathy Economic ENVIRONMENT US

INVESTOR PRESENTATION Q3 F20 11 th February, 2020 V S Parthasarathy Economic ENVIRONMENT US

INVESTOR PRESENTATION Q3 F20 11 th February, 2020 V S Parthasarathy Economic ENVIRONMENT US growth to moderate - expected to moderate to 2% in 2020 from 2.3% in 2019 and decline further to 1.7% in 2021 on account of a return to neutral

713 views • 28 slides
Dabur India Ltd Investor Presentation August 2019 Agenda 1. Dabur Overview 2. Business

Dabur India Ltd Investor Presentation August 2019 Agenda 1. Dabur Overview 2. Business

Dabur India Ltd Investor Presentation August 2019 Agenda 1. Dabur Overview 2. Business Structure 3. India Business 4. International Business 5. The Way Forward 6. Our Capitals 7. Annexure 2 Dabur leader in Ayurveda & Natural

464 views • 43 slides
Q3 FY 2019-20 1 DI DISCLAIMER/IMPORTANT DI DISCLOSURE THIS PRESENTATION (PRESENTATION) IS NOT

Q3 FY 2019-20 1 DI DISCLAIMER/IMPORTANT DI DISCLOSURE THIS PRESENTATION (PRESENTATION) IS NOT

INVESTOR PRESENTATION Q3 FY 2019-20 1 DI DISCLAIMER/IMPORTANT DI DISCLOSURE THIS PRESENTATION (PRESENTATION) IS NOT AN OFFER TO SELL ANY SECURITIES OR A SOLICITATION TO BUY ANY SECURITIES OF NATCO PHARMA LIMITED OR ITS SUBSIDIARIES OR JOINT

361 views • 16 slides
March 2016 Company Presentation 1 TABLE OF CONTENTS Co mpany Overview Business Structure

March 2016 Company Presentation 1 TABLE OF CONTENTS Co mpany Overview Business Structure

TD POWER SYSTEMS LIMITED March 2016 Company Presentation 1 TABLE OF CONTENTS Co mpany Overview Business Structure Business Segments Strengths and Strategy Management Team Financial O verview 2 COMPANY OVERVIEW 3

293 views • 25 slides

More recommend