protecting tls from legacy crypto
play

Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan - PowerPoint PPT Presentation

Feb 14, 2023 •181 likes •690 views

Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + + many, many other ers . (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU) Popular cryptographic protocols evolve Agility :

  1. Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + + many, many other ers . (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU)

  2. Popular cryptographic protocols evolve Agility : graceful transition from old to new What can go wrong? • Downgrade attacks that exploit obsolete legacy crypto

  3. • FREAK Export-grade 512-bit RSA [Mar’15] • LOGJAM Export-grade 512-bit DH [May’15] • SLOTH RSA-MD5 signatures [Jan’16] • TLS was supposed to prevent downgrade attacks • What went wrong? How do we fix it in TLS 1.3?

  4. 2016? TLS1.3 OpenSSL, SecureTransport, NSS, SChannel, GnuTLS, JSSE, PolarSSL, … many bugs, attacks, patches every year mostly for small simplified models of TLS

  5. Client Server

  6. Protocol versions Key exchanges Authentication modes Authenticated Encryption Schemes 100s of possible protocol combinations!

  7. TLS_RSA_WITH_AES_128_CBC_SHA RSA Key Transport RS AE AES-CB CBC C + + HM HMAC C • RSA-PKCS#1 v1.5 encryption • MAC-Encode-Encrypt Scheme • [1998] Bleichenbacher • [2002] Vaudenay attack attack and fixes • [2011] Crypto proof for TLS MEE-CBC • [2013] Crypto proof for TLS-RSA • [2013] Lucky 13 attack • [2016] DROWN attack: • [2014] Poodle attack on SSLv3 downgrade to SSLv2 • [2016] Verified implementation

  8. Textbook crypto proofs not applicable to TLS Theoretical attacks not always exploitable

  9. Most crypto proofs are for single constructs Many attacks appear only in composition Too many compositions to prove by hand • We need automated verification tools that can analyze both protocols and implementations

  10. A verified reference implementation of TLS Specification and verification using types A joint effort by a large research team

  11. Triple Handshake Attacks [S&P 2014] • Breaking client authentication by composing three different handshake modes State Machine Attacks (e.g. FREAK) [S&P 2015] • Bugs in the composite state machines implemented by mainstream TLS libraries Logjam [CCS 2015] • DH group downgrade using DHE_EXPORT SLOTH [NDSS 2016]

  12. Downgrade Attacks on Agile Key Exchange

  13. Anonymous Diffie-Hellman (DH anon )

  14. Man-in-the-Middle attack on DH anon Active Network Attacker or Malicious Peer

  15. SIGMA: Authenticated DH PKI Sign-and-MAC the transcript: prevents most MitM attacks

  16. SIGMA with Group Negotiation DH Group Negotiation Why? backwards compatibility, export regulations,…

  17. Export-Grade 512-bit DHE in TLS TLS 1.0 supported deliberately weakened ciphers to comply with export regulations in 1990s EXPORT deprecated in 2000 but still supported by TLS in 2015 • 8.4% of Top 1M websites in March 2015 • Browsers only support DHE, not DHE_EXPORT but will accept 512-bit DH groups for DHE • Protocol flaw: Server’s DHE and DHE_EXPORT key-shares and signatures look the same to a TLS client

  18. Logjam: MitM Group Downgrade Attack Remove Strong Groups Compute discrete logs on 512-bit DH groups in real-time Client/Server Impersonation

  19. Downgrade Protection in TLS 1.2 • In TLS 1.2, both client and server MAC the full transcript to prevent tampering: mac ( k , [ G 2048 , G 512 ] | G 512 | m 1 | m 2 ) • But it’s too late, we already used G 512 to compute k k = kdf( g xy mod p 512 ) so, the attacker can compute k and forge the MAC The TLS 1.2 downgrade protection mechanism itself depends on downgradeable parameters! • We can break it if we can compute the discrete log while the connection is still live

  20. Logjam Most TLS servers use well-known 512-bit groups • 92% of DHE_EXPORT servers use one of two groups • 1-2 weeks of precomputation per group (CADO-NFS) • 90 seconds to compute discrete log for each key • Practitioners seemingly unaware of this optimization!

  21. Logjam The TLS transcript MAC does not prevent Diffie-Hellman group downgrades Must disable all weak DH groups and elliptic curves • Browsers moving to 1024-bit minimum group size • Breaking 768-bit and 1024-bit groups will have a • catastrophic impact on TLS, SSH, and IPsec Could we do better by relying on transcript signatures for downgrade protection?

  22. Downgrade Protection via Signatures IKEv1 : both A and B sign the offered groups • sign ( sk B , hash ([ G 2048 , G 512 ] | m 1 | m 2 )) • no agreement on chosen group! IKEv2 : each party signs its own messages • sign ( sk A , hash ([ G 2048 , G 512 ] | m 1 )) • sign ( sk B , hash ( G 512 | m 2 )) • no agreement on offered groups! SSH-2 and TLS 1.3 : sign the full transcript • sign ( k , hash ([ G 2048 , G 512 ] | G 512 | m 1 | m 2 )) • Prevents Logjam (but what about other downgrades?)

  23. SIGMA with Generic Negotiation Version/Group/ Cipher Parameters Signed Transcript

  24. Downgrade Protection via Signatures • Sign the full transcript – sign ( sk B , hash ( m 1 | m 2 )) – Example : TLS 1.3, SSH-2, TLS 1.2 client auth • How weak can the hash function be? – do we need collision resistance? – do we only need 2 nd preimage resistance? – Is it still safe to use MD5, SHA-1 in TLS, IKE, SSH? – Disagreement : cryptographers vs. practitioners (see Schneier vs. Hoffman, RFC4270)

  25. SLOTH: Transcript Collision Attacks Man-in-the-Middle : network attacker/malicious server Parameter Downgrade Server Client Impersonation Impersonation

  26. Computing a Transcript Collision hash ( m 1 | m’ 2 ) = hash ( m’ 1 | m 2 ) • We need to compute a collision, not a preimage – Attacker controls parts of both transcripts – If we know the black bits, can we compute the red bits? – This can sometimes be set up as a generic collision • If we’re lucky, we can set up a shortcut collision – Common-prefix : collision after a shared transcript prefix – Chosen-prefix: collision after attacker-controlled prefixes

  27. Primer on Hash Collision Complexity • MD5: known attack complexities – MD5 second preimage 2 128 hashes – MD5 generic collision: 2 64 hashes (birthday) – MD5 chosen-prefix collision: 2 39 hashes (1 hour) – MD5 common-prefix collision: 2 16 hashes (seconds) • SHA1: estimated attack complexities – SHA1 second preimage 2 160 hashes 2 80 hashes – SHA1 generic collision: (birthday) 2 77 hashes (?) – SHA1 chosen-prefix collision: 2 61 hashes (?) – SHA1 common-prefix collision:

  28. Computing Transcript Collisions A MitM B hash hash len 1 len 1 ’ m 1 m 1’ g x g x’ params A params’ A len 2 len 2 ’ m 2 m 2’ g y g y’ params B params’ B

  29. Generic Transcript Collisions A MitM B hash hash Try random nonces len 1 len 1 ’ len 1 ’ until collision len 1 ’ g x g x’ g x’ g x’ nonce A nonce 1 nonce 2 nonce N len 2 len 2 ’ len 2 ’ len 2 ’ N = 2 | hash |/2 g static g y’ g y’ g y’ MD5: 2 64 Predictable: nonce A nonce 1 SHA-1: 2 80 Static DH key, nonce 2 nonce N HMAC/96: 2 48 no fresh nonce

  30. Chosen-Prefix Transcript Collisions A MitM B len 1 m 1 g x blob A len 2 m 2 g y Known length, blob B ephemeral DH key, arbitrary BLOB

  31. A MitM B hash hash len 1 len 1 ’ m 1 m 1’ g x g x’ blob A 00000000 len 2 ’ 00000000 blob A ’ Find Chosen-Prefix g y’ 00000000 Collision C 1 , C 2 C 1 C 2 len 2 len 2 N = 2 CPC ( hash ) blob B ’ m 2’ m 2 g y g y MD5: 2 39 Merkle-Damgard SHA-1: 2 77 blob B blob B hash extension

  32. Downgrading and Attacking TLS 1.2 TLS 1.2 upgraded the hash functions used in TLS • TLS 1.1 hard-coded the use of MD5 || SHA-1 • TLS 1.2 uses SHA-256 for all handshake constructions • Allows negotiation of hash functions: SHA-256/384/512 TLS 1.2 added support for MD5-based signatures! • Even if the client and server prefer RSA-SHA256 , the connection can be downgraded to RSA-MD5! Transcript collisions break TLS 1.2 client signatures • Chosen prefix collision exploiting flexible message formats • Demo: Takes 1 hour/connection on a 48-core workstation • Not very practical : connection must be live during attack

  33. Attacking TLS Server Auth • TLS 1.2 server signatures are harder to break – Irony : the weakness that enables Logjam blocks SLOTH – Needs 2 X prior connections + 2 128-X hashes/connection – Not practical for academics, as far as we know • TLS 1.3 server signatures is potentially vulnerable – New : MD5, SHA-1 sigs now explicitly forbidden in TLS 1.3

  34. Other Hash Constructions in TLS • When used as transcript hash functions many constructions are not collision resistant – MD5 (x) | SHA1 (x) not much better than SHA1 – HMAC-MD5 (k,x) not much better than MD5 – HMAC-SHA256 (k,MD5(x)) not much better than MD5 – Truncated HMAC-SHA256 (k,x) to N bits not much better than a N bit hash function

  35. Other SLOTH Vulnerabilities Reduced security for TLS 1.*, IKEv1, IKEv2, SSH • Impersonation attack on TLS channel bindings • Exploits downgrades + transcript collisions • Protocol flaws, not implementation bugs • Only mitigation is to disable weak hash functions

  36. Logjam and SLOTH: Lessons Learned Legacy crypto can remain hidden for a long time • Finding DHE_EXPORT, RSA-MD5 enabled was surprising Important to demonstrate concrete attacks, not just theoretical weaknesses • Concrete attacks can help motivate new cryptanalytic optimizations, and justify implicit proof assumptions TLS 1.2 does not prevent some downgrades • Need for a formal model of downgrade resilience and a new protocol that provably achieves it

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Legacy Crypto Never Dies (Why won't DES just die???) David Hulton <david@toorcon.org>

Legacy Crypto Never Dies (Why won't DES just die???) David Hulton <david@toorcon.org>

Legacy Crypto Never Dies (Why won't DES just die???) David Hulton <david@toorcon.org> crack.sh is a service of the ToorCon Information Security RECON BRUSSELS 2017 Conference and is provided for research purposes only. DefCon 2012 Recap

578 views • 36 slides
S an Diego Audubon: A Legacy of Protecting CA Least Terns and Other S eabirds Reliant on

S an Diego Audubon: A Legacy of Protecting CA Least Terns and Other S eabirds Reliant on

Presented by: Megan Flaherty, Restoration Program Manager Presented to: Pacific Fishery Management Council Agenda Item E.5.b November 5, 2018 Supplemental Public Presentation1 November 2018 S an Diego Audubon: A Legacy of Protecting CA Least

473 views • 13 slides
no more downgrades : protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with:

no more downgrades : protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with:

no more downgrades : protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with: g. leurent, c. brzuska, c. fournet, m. green, m. kohlweiss, s. zanella-beguelin TLS: a long year of downgrade aFacks POODLE TLS 1.2 SSLv3

487 views • 22 slides
MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in Children v. 13-16 Legacy in Eternity v. 17-31 LEGACY IN MARRIAGE 2 Schools of thought 1. Rabbi Sammai- Strict interpretation. Divorce only

775 views • 9 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy and the spirit of Truc Lam Yen Zen Buddhism, the Legacy Yen Tu is an inspiring journey into the past. It offers travelers a stay filled with storied

688 views • 32 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal is to create

1.18k views • 56 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal

412 views • 40 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM

LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM

LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM Qubec , is comprised of 163 charitable organizations that support its mission which is to encourage the population of Quebec to make a planned

312 views • 18 slides
Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com

Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com

Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com Case Study Migrating Legacy.com Jordan Ryan Product Owner Ankur Gupta Lead Developer Bassam Ismail Front-end Lakshmi Narasimhan RESTful

458 views • 45 slides
LEGACY/PACIFICSOURCE JOINT VENTURE George Brown, M.D. President and CEO, Legacy Health Systems

LEGACY/PACIFICSOURCE JOINT VENTURE George Brown, M.D. President and CEO, Legacy Health Systems

LEGACY/PACIFICSOURCE JOINT VENTURE George Brown, M.D. President and CEO, Legacy Health Systems I. Legacy Outline I. Legacy a) Mission and History b) People, Services, and Locations c) Financial Strength II. Partnership a)

603 views • 26 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

964 views • 64 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Timestamp /16 at LBL, sampled 1-in-1K 2nd /16, sampled 1-in-1K Number of relays 8000 6000

Timestamp /16 at LBL, sampled 1-in-1K 2nd /16, sampled 1-in-1K Number of relays 8000 6000

Timestamp /16 at LBL, sampled 1-in-1K 2nd /16, sampled 1-in-1K Number of relays 8000 6000 Relays 4000 Bridges 2000 0 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 The Tor Project https://metrics.torproject.org/ Directly

369 views • 24 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 El

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 El

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 El Gamal Encryption Public-Key Cryptography Lecture 9 El Gamal Encryption Public-Key Encryption from Trapdoor OWP Public-Key Cryptography Lecture

2.11k views • 163 slides
Category-level localization g y Cordelia Schmid Cordelia Schmid Recognition Recognition

Category-level localization g y Cordelia Schmid Cordelia Schmid Recognition Recognition

Category-level localization g y Cordelia Schmid Cordelia Schmid Recognition Recognition Classification Classification Object present/absent in an image Often presence of a significant amount of background clutter

879 views • 72 slides
Reynolds Parametricity Patricia Johann Appalachian State University cs.appstate.edu/

Reynolds Parametricity Patricia Johann Appalachian State University cs.appstate.edu/

Reynolds Parametricity Patricia Johann Appalachian State University cs.appstate.edu/ johannp Based on joint work with Neil Ghani, Fredrik Nordvall Forsberg, Federico Orsanigo, and Tim Revell OPLSS 2016 Course Outline Topic:

1.03k views • 89 slides
Security I retired slides Markus Kuhn Computer Laboratory, University of Cambridge

Security I retired slides Markus Kuhn Computer Laboratory, University of Cambridge

Security I retired slides Markus Kuhn Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/teaching/1213/SecurityI/ Lent 2013 Part I B 1 / 41 Secure hash functions A hash function h : { 0 , 1 } { 0 , 1 } n

670 views • 40 slides
Escaping from saddle points on Riemannian manifolds Yue Sun , Nicolas Flammarion , Maryam

Escaping from saddle points on Riemannian manifolds Yue Sun , Nicolas Flammarion , Maryam

Escaping from saddle points on Riemannian manifolds Yue Sun , Nicolas Flammarion , Maryam Fazel Department of Electrical and Computer Engineering, University of Washington, Seattle School of Computer and Communication Sciences,

409 views • 24 slides
Stokes waves with constant vorticity: Numerical computation Vera Mikyoung Hur with Sergey

Stokes waves with constant vorticity: Numerical computation Vera Mikyoung Hur with Sergey

Stokes waves with constant vorticity: Numerical computation Vera Mikyoung Hur with Sergey Dyachenko F . Trlrs do, Silva (md I ) . 298 A . 11. Peregrine Special thanks to ICERM (Image from Teles da Silva and Peregrine (1988)) FICCKE 1.5. X

288 views • 15 slides
An Introduc tion to We b Eng ine e ring We e k 1 Syllabus Syllabus

An Introduc tion to We b Eng ine e ring We e k 1 Syllabus Syllabus

An Introduc tion to We b Eng ine e ring We e k 1 Syllabus Syllabus http://www.csun.edu/~twang/595WEB/Syllab p // / g/ / y us Introduction Session Introduction Session Introduce yourself I t d lf Name, majors, expertise,

2.31k views • 32 slides

More recommend