
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels - PowerPoint PPT Presentation



  1. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks
  Juraj Somorovsky, Ruhr University Bochum / 3curity GmbH, juraj.somorovsky@3curity.de

  2. About me
  Security Researcher at:
  ● Chair for Network and Data Security, Ruhr University Bochum
    – Prof. Dr. Jörg Schwenk
    – Web Services, Single Sign-On, (Applied) Crypto, SSL, crypto currencies
    – Provable security, attacks and defenses
  ● Horst Görtz Institute for IT-Security
    – Further topics: embedded security, malware, crypto…
  Co-founder of 3curity GmbH:
  ● Penetration tests, security analyses, security workshops…
    – Web, Single Sign-On, SSL, applied crypto
    – www.3curity.de

  3. Publications
  ● XML Security:
    – All your Clouds Are Belong to us: Security Analysis of Cloud Management Interfaces (CCSW’11)
    – How to Break XML Encryption (CCS’11)
    – On Breaking SAML: Be Whoever you Want to Be (USENIX’12)
    – On the Insecurity of XML Security (Dissertation)
  ● Further topics:
    – Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks (USENIX’14)
    – Untrusted Third Parties: When IdPs Break Bad (in submission, by my colleagues Christian Mainka, Vladislav Mladenov and Jörg Schwenk)

  4. About this talk
  ● Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks
  ● Paper accepted at USENIX Security 2014
  ● Authors: Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, Erik Tews
  ● Describes new side channels in specific TLS implementations

  5. Overview
  ● TLS
  ● Bleichenbacher's Attack
    – Attack Intuition
    – Oracle Strength
    – Attack Challenges
  ● Attacks
    – Error Messages in JSSE
    – Additional Random Number Generation
    – Additional Exception in JSSE
    – Unexpected Timing Behavior by Hardware Appliances
  ● Conclusion

  6. TLS
  ● Invented by Netscape in 1994
    – Name: Secure Sockets Layer
  ● Adopted by IETF in 1999
    – Renamed to Transport Layer Security
  ● Versions:
    – SSL 1.0, 2.0, 3.0
    – TLS 1.0, 1.1, 1.2 (1.3 in development)
  ● Implementations:
    – OpenSSL, GnuTLS, JSSE, Microsoft Schannel, MatrixSSL, LibreSSL, ...

  7. TLS
  ● Very complex
  ● Contains various crypto primitives: RSA, EC, AES-CBC, AES-GCM, RC4, 3DES, MD5, SHA1, MACs, signatures, PRFs, ...
  ● Can be executed over TCP or UDP (DTLS)
  ● Contains various extensions
  ● TLS renegotiation

  8. TLS Handshake
  ● Used for negotiation of cryptographic keys for data transport
  [Figure: handshake message flow between Client and Server: ClientHello, ServerHello, Certificate, ServerHelloDone, ClientKeyExchange (contains the key material: PremasterSecret), ChangeCipherSpec, Client Finished, ChangeCipherSpec, Server Finished]

  9. ClientKeyExchange
  ● Contains the encrypted PremasterSecret (for example, encrypted using RSA or EC)
  ● The PremasterSecret is used to derive all TLS session keys
  ● Decryption of the PremasterSecret == decryption of the TLS traffic
  [Figure: the attacker, drawn as Snidely Whiplash (Dudley Do-Right of the Mounties)]

  10. Overview (agenda slide repeated from slide 5)

  11. RSA PKCS#1 v1.5 Encryption
  ● Used e.g. to distribute symmetric keys
  ● Textbook RSA: C_RSA = m^e mod N
    – Short messages need padding
    – No randomization
  ● PKCS#1 adds randomized padding to the PremasterSecret; it works as follows:
    – Take a PremasterSecret PMS
    – Set m := 00 || 02 || pad || 00 || PMS
    – Compute C_PKCS = m^e mod N
  [Figure: layout of the 256-byte block m: 00 02 | random non-zero padding (205 bytes) | 00 | PMS (48 bytes)]
  ● A ciphertext is “valid” if its decryption has the correct format

  12. Bleichenbacher's Attack
  ● 1998: Attack on RSA-PKCS#1 v1.5 (Bleichenbacher, Crypto 1998)
  ● SSL implementations applied an ad-hoc fix
  ● Well noticed in the crypto and security community
  ● PKCS#1 was updated to v2.0 (RSA-OAEP)
    – v1.5 is still standardized in many applications, including TLS

  13. Attack Applied to ...
  ● SSL / TLS:
    – D. Bleichenbacher: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, Crypto’98
  ● Cryptographic Hardware:
    – Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Graham Steel, and Joe-Kai Tsay: Efficient Padding Oracle Attacks on Cryptographic Hardware, Crypto‘12
  ● XML Encryption:
    – Tibor Jager, Sebastian Schinzel, Juraj Somorovsky: Bleichenbacher’s Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption, ESORICS'12

  14. Motivation
  ● The attack worked in 1998...
  ● Is PKCS#1 v1.5 implemented correctly in TLS now?

  15. Overview (agenda slide repeated from slide 5)

  16. Bleichenbacher's Attack
  ● Requires a “ciphertext validity oracle”
  ● Adaptive chosen-ciphertext attack
  [Figure: the attacker holds a ciphertext C = Enc(M) (e.g. a ClientKeyExchange or an XML Encryption ciphertext) and sends chosen ciphertexts C1, C2, … to the TLS server; the server answers valid/invalid depending on whether Dec(C_PKCS) = 00 || 02 || “bytes”; repeated several times until M = Dec(C) is known]

  17. Attack Intuition
  ● d: private key
  ● (e, N): public key
  ● m = 00 || 02 || “bytes”
  ● In RSA we can multiply the encrypted plaintext without knowing the private key:
    – m = c^d mod N
    – c = m^e mod N
    – c’ = (c · s^e) mod N, with s ∈ Z_N
    – c’ = (m·s)^e mod N

  18. Attack Intuition
  OK, so we can multiply a plaintext ...
  ● We define: B = 2^(8(|N|−2)), where |N| is the byte length of N
    – Example: 2B = 00 02 00 … 00
  ● Attack approach:
    – Multiply the “plaintext” with s: c’ = (c · s^e) mod N
    – Query the oracle whether the decrypted plaintext lies in the interval [2B, 3B)
  [Figure: number line 0 … 2B … 3B … N; the secret m_x lies somewhere in [2B, 3B); m_x·s for s = 2, 3, 4, …, s_x−1 leaves the interval, and at s = s_x the modular reduction brings m_x·s_x back into [2B, 3B), which the oracle reports as valid]
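The block format from slide 11 and the multiplication property from slides 17 and 18, as an added example that is not code from the talk or the paper. It uses a constructed toy RSA key (two Mersenne primes, 19-byte modulus), a 4-byte stand-in for the 48-byte PMS, and function names of my own choosing; the point it makes is that anyone holding only the public key can turn c into c' = c·s^e mod N, whose decryption is m·s mod N, so the only thing standing between an attacker and m is whether the server lets the conformance answer leak.

```python
"""Added example: PKCS#1 v1.5 block format, the conformance test an oracle
answers, and RSA malleability on a constructed toy key."""
import secrets

# Constructed toy key: N = (2^61-1)(2^89-1) is 150 bits long (19 bytes).
# Far too small for real use; chosen only so the numbers stay readable.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # byte length |N|
B = 1 << (8 * (K - 2))                 # B = 2^(8(|N|-2)); 2B = 00 02 00 ... 00


def pkcs1_v15_pad(pms: bytes, k: int = K) -> bytes:
    """m := 00 || 02 || pad || 00 || PMS, pad random and non-zero (>= 8 bytes)."""
    pad_len = k - 3 - len(pms)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    pad = bytes(secrets.choice(range(1, 256)) for _ in range(pad_len))
    return b"\x00\x02" + pad + b"\x00" + pms


def is_conforming(m: bytes, pms_len: int, k: int = K) -> bool:
    """Strict format check: 00 02, at least 8 non-zero pad bytes, a 00
    separator, and a PMS of the expected length ('valid' in oracle terms)."""
    if len(m) != k or m[:2] != b"\x00\x02":
        return False
    sep = m.find(b"\x00", 2)           # first 00 after the 02 is the separator
    return sep >= 10 and len(m) - sep - 1 == pms_len


def rsa_encrypt(m: bytes) -> int:
    return pow(int.from_bytes(m, "big"), E, N)


def rsa_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def blind(c: int, s: int) -> int:
    """c' = c * s^e mod N; its decryption is m * s mod N.  Needs only (e, N)."""
    return (c * pow(s, E, N)) % N


def in_valid_interval(m: int) -> bool:
    """2B <= m < 3B, i.e. the decrypted block starts with 00 02."""
    return 2 * B <= m < 3 * B


def demo() -> dict:
    pms = b"\xde\xad\xbe\xef"          # constructed stand-in for the 48-byte PMS
    m = pkcs1_v15_pad(pms)
    m_int = int.from_bytes(m, "big")
    c = rsa_encrypt(m)
    s = 3
    shifted = int.from_bytes(rsa_decrypt(blind(c, s)), "big")
    return {
        "conforming": is_conforming(m, len(pms)),
        "m_in_interval": in_valid_interval(m_int),
        "shift_matches": shifted == (m_int * s) % N,   # decrypts to m*s mod N
        "shifted_in_interval": in_valid_interval(shifted),  # 00 06 ..., so no
    }


if __name__ == "__main__":
    print(demo())
```

With s = 3 the product does not wrap around N, so the shifted plaintext starts with 00 06 and falls outside [2B, 3B); the slides' number line shows exactly this walk, and the defensive conclusion is that no response of the server may depend on the outcome of `is_conforming`.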

  19. Attack Intuition
  [Figure: two number lines 0 … 2B … 3B … N, one for a secret m_x and one for a secret m_y; m_x·s leaves the valid interval for s = 2, 3, 4, … and re-enters it at s = s_x; m_y·s takes more steps (s = 2, 3, 4, 5, 6, …, s_y−2, s_y−1) and re-enters at s = s_y]
  ● s_y > s_x
  ● Intuition:
    – A large s value indicates that m is near 2B
    – A small s value indicates that m is near 3B

  20. Attack
  ● s_x allows us to compute a new interval for m: 2B ≤ m_x·s_x − N < 3B
  ● From this follows: (2B + N) / s_x < m_x < (3B + N) / s_x
  ● Full algorithm:
    – Searches for further s values
    – Reduces the interval

  21. Demo Time

  22. Attack Countermeasure
  generate a random PMS_R
  decrypt the ciphertext: m := dec(c)
  if ( (m ≠ 00||02||PS||00||k) OR (|k| ≠ 48) ) then
      proceed with PMS := PMS_R
  else
      proceed with PMS := k
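The countermeasure from the slide above, written out as an added example (not the talk's or any TLS library's code). It takes the already decrypted block m and the modulus length k, draws PMS_R before looking at m, folds every format check into one flag instead of returning early, and selects between k and PMS_R with a mask, so a malformed block yields a 48-byte random PMS and the handshake simply fails later at the Finished MAC, the same way a wrong PMS would. Python itself gives no timing guarantees, so this shows the logic a constant-time C implementation has to follow, not a drop-in replacement; the function name and the check on the separator position (which implies |k| = 48) are my own choices.

```python
"""Added example: PKCS#1 v1.5 unpadding with the random-PMS fallback of the slide."""
import secrets

PMS_LEN = 48


def pkcs1_unpad_pms(m: bytes, k: int) -> bytes:
    """Return the 48-byte PMS from m = 00||02||PS||00||k, or a fresh PMS_R when
    the block is malformed.  No early exit and no exception on bad input."""
    if k < PMS_LEN + 11:                    # public parameter, may branch on it
        raise ValueError("modulus too short for an 8-byte pad plus a 48-byte PMS")
    pms_r = secrets.token_bytes(PMS_LEN)     # generated before any check, as on the slide
    if len(m) != k:                          # length is public (RSA output is k bytes)
        m = bytes(k)                         # keep the loop bounds fixed; flagged below
    bad = (m[0] != 0x00) | (m[1] != 0x02)
    sep = k - PMS_LEN - 1                    # separator position that gives |k| == 48
    for i in range(2, sep):                  # PS bytes: all must be non-zero
        bad |= (m[i] == 0x00)
    bad |= (m[sep] != 0x00)                  # the 00 separator
    bad |= (sep < 10)                        # at least 8 bytes of PS
    # Select without a data-dependent branch: mask is 0xFF for bad, 0x00 for good.
    mask = -bad & 0xFF
    k_bytes = m[sep + 1:]
    return bytes((r & mask) | (x & (mask ^ 0xFF)) for r, x in zip(pms_r, k_bytes))


if __name__ == "__main__":
    # Constructed blocks for a 2048-bit modulus (k = 256): 2 + 205 + 1 + 48 bytes.
    pms = bytes(range(PMS_LEN))
    good = b"\x00\x02" + b"\x11" * 205 + b"\x00" + pms
    bad = b"\x00\x01" + b"\x11" * 205 + b"\x00" + pms
    print(pkcs1_unpad_pms(good, 256) == pms)        # True: k is used
    print(len(pkcs1_unpad_pms(bad, 256)))            # 48: PMS_R, same length, no error
```

What a defender checks here is that the two paths are indistinguishable from the network: same response, same message sizes, and no exception or log line that depends on `bad`; the JSSE and hardware findings later in the deck are exactly cases where that held for the padding check but not for some other step.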

  23. Overview (agenda slide repeated from slide 5)

  24. Attack Performance
  ● Bleichenbacher's attack is also called the Million Messages attack
  ● The attack performance varies: it depends on the oracle's message validation
  ● The oracle responds with “valid” when:
    – The message starts with 00 02
    – (and) the PremasterSecret is of valid length?
    – Further checks?
  [Figure: ciphertext C decrypts to the block 00 02 | random non-zero padding (205 bytes) | 00 | PMS (48 bytes)]

  25. Oracle Strength
  ● An oracle with fewer checks gives better attack performance
  ● Oracle strength: the probability that the oracle responds with “valid” when the message starts with 00 02
  ● Why important?
  [Figure: number line 0 … 2B … 3B … N with m_x·s for s = 2, 3, 4, …, s_x−1, s_x; each step is answered “valid” or “invalid” by the oracle]

  26. Overview (agenda slide repeated from slide 5)

  27. Attack Challenges
  ● Implement an oracle based on the server behavior
    – Using different error messages, timing
  [Figure: ciphertext C is sent inside a TLS handshake to the TLS server, which answers valid / invalid]
  ● Analyze oracle strength
    – Probability
    – If timing: how many server requests are needed to answer one oracle request
  ● Execute Bleichenbacher's attack

  28. With the help of T.I.M.E.
  ● T.I.M.E.: TLS Inspection Made Easy
  ● Automatic scanning of TLS implementations
  ● Written (mainly) by Christopher Meyer:
    – http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/MeyerChristopher/diss.pdf
  ● Supports further features like TLS fingerprinting

  29. For Timing Measurements...
  ● T.I.M.E. was not appropriate: it caused too much noise
  ● We used our Bleichenbacher attack module with a patched MatrixSSL library
  ● NetTimer for response time evaluation:
    – http://sebastian-schinzel.de/nettimer
  [Figure: measurement machine (Bleichenbacher module on top of MatrixSSL) sends ciphertext C in a TLS handshake to the TLS server and records valid / invalid together with the response time]

  30. Overview (agenda slide repeated from slide 5)

  31. Error Messages in JSSE
  ● With T.I.M.E. we sent differently formatted PKCS#1 messages to a JSSE server
  ● The server responded with:
    – INTERNAL ERROR and
    – HANDSHAKE FAILURE
