Secure Sockets Layer Transport Layer Security BEAST Attack (PowerPoint PPT Presentation)

SLIDE 1

Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 1

Secure Sockets Layer Transport Layer Security BEAST Attack

SLIDE 2

Outline

  • History
  • Design Goals
  • SSL/TLS Stack
  • Attacks
  • Attack on CBC
  • BEAST
  • Solution

CBC: Cipher Block Chaining
BEAST: Browser Exploit Against SSL/TLS

SLIDE 3

History

Timeline:

  • 1994: Netscape SSL 2.0
  • 1996: SSL 3.0
    – complete redesign
  • 1999: IETF TLS 1.0
    – minor changes
    – no interoperation with SSL3
    – can downgrade connections to SSL3
  • 2006: TLS 1.1
    – protection against CBC-attacks
    – implicit IV ↣ explicit IV
  • 2008: TLS 1.2
    – MD5-SHA-1 ↣ SHA-256
    – authenticated encryption, e.g. AES in CCM mode
  • 2011: TLS 1.2 “refined”
    – changes version
  • 2012

MAC: Message Authentication Code
MD5: Message Digest Algorithm
IETF: Internet Engineering Task Force
SHA: Secure Hash Algorithm
CBC: Cipher Block Chaining
AES: Advanced Encryption Standard
IV: Initialization Vector
CCM: Counter with CBC-MAC

SLIDE 4

Design Goals

  • Cryptographic security
    – establish secure connections
    – secure existing connections
    – data confidentiality
    – authentication
    – reliability
  • Interoperability
    – applications exchange parameters with each other
    – applications establish connections with each other
    – specified protocols

SLIDE 5

Design Goals

  • Extensibility
    – SSL/TLS provides a framework
    – cryptographic methods can be added (public key, bulk encryption)
    – no extensive library/protocol rewriting
  • Relative efficiency
    – ability to adapt to its environment
    – session caching (saves CPU)
    – minimal messaging (saves network bandwidth)

SLIDE 6

SSL/TLS in Common Models

Figure: the SSL/TLS sub-protocols (Record layer carrying Handshake, Change Cipher Spec, Alert and Application Data) placed against the ISO/OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) and the TCP/IP model (Application, Transport, Internet, Link).

SLIDE 7

SSL/TLS Protocol Stack

  • Record
    – provides shared transaction layer
    – ensures cryptographic security (data confidentiality) and integrity of payload
    – optional payload compression
  • Handshake
    – negotiates session: crypt. methods, versions
    – authentication (opt.): one-way or two-way
  • Change Cipher Spec
    – tells the other party to apply previously negotiated parameters
  • Alert
    – error reporting
  • Application Data
    – transports upper layer payload

SLIDE 8

BEAST

  • Browser Exploit Against SSL/TLS (BEAST)
  • Chosen Plaintext Attack
  • Targets deterministic Initialization Vectors of Cipher-Block Chaining

SLIDE 9

Please note that this is a simplified example; consult the reference Educated Guesswork for details.

Attack Scenario (TLS 1.0, CBC)

Figure: the parties Alice, Bob and Mallory.

Mallory:

  • wants to know secret P[16]
  • eavesdrops encrypted data between Alice and Bob
  • can force Alice to send chosen plaintext
  • can force Alice to send P

SLIDE 10

Cipher-Block Chaining

Figure: CBC encryption of consecutive blocks (Plaintext ⊕ IV or previous Ciphertext → Block Cipher Encryption → Ciphertext).

C0 = E(Key, IV ⊕ M0)

Ci = E(Key, Ci-1 ⊕ Mi)

SLIDE 11

CBC Chosen Plaintext Attack

  • Force Alice to send P
  • Eavesdrop and get Cp = E(Key, Cp-1 ⊕ P)
  • Let G be a blind guess of P
  • Force Alice to send plaintext Ci-1 ⊕ Cp-1 ⊕ G
  • Alice sends Ci = E(Key, Ci-1 ⊕ Ci-1 ⊕ Cp-1 ⊕ G)
  • Ci = E(Key, Cp-1 ⊕ G)
  • If Ci == Cp then G == P

This requires a lot of guessing and it is not very handy!

SLIDE 12

BEAST

  • Force Alice to send NULL[0-14] P[0]
  • Eavesdrop and get Cp = E(Key, Cp-1 ⊕ NULL[0-14] P[0])
  • Let G be a blind guess of P[0]
  • Force Alice to send plaintext Ci-1 ⊕ Cp-1 ⊕ NULL[0-14] G
  • Alice sends Ci = E(Key, Ci-1 ⊕ Ci-1 ⊕ Cp-1 ⊕ NULL[0-14] G) = E(Key, Cp-1 ⊕ NULL[0-14] G)
  • If Ci == Cp then G == P[0]

This requires up to 2^8 = 256 guesses. We can do this!

SLIDE 13

BEAST

Figure: byte-by-byte recovery of a 16 byte block (legend: known bytes vs. unknown bytes). First step: Alice encrypts Ci-1 ⊕ Cp-1 ⊕ NULL[0-14] P[0], 256 possible ciphertexts. Next step: the window shifts by one byte to NULL[0-13] P[0] P[1], 256 possible ciphertexts. . . . Finally P[0-15] is known: voilà!

SLIDE 14

Solution: Explicit IV

Figure: CBC encryption with an explicit IV per record (Plaintext ⊕ IV → Block Cipher Encryption → Ciphertext).

C0 = E(Key, IV0 ⊕ M0)

Ci = E(Key, IVi ⊕ Mi)
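To make the chaining argument of slides 10 to 14 concrete, here is an added Python example that is not part of the slides and not the author's code. It simulates CBC with TLS 1.0 style chained IVs and with TLS 1.1 style explicit IVs, then runs the equality check from slides 11 and 12 against both. The block cipher E(Key, ·) is replaced by a constructed keyed PRF (truncated SHA-256) because only the encryption direction is needed; the key, the secret record, and all function and class names are assumptions of this example.

```python
import hashlib
import os

BLOCK = 16  # 16-byte blocks, as in the slides' "16 byte block" legend


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the slides' block cipher E(Key, .). Constructed for this
    example only: a keyed PRF (SHA-256 truncated to one block). It cannot
    decrypt, but the chaining argument only needs the encryption direction."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ChainedIvCbc:
    """TLS 1.0 CBC (slide 10): Ci = E(Key, Ci-1 xor Mi). The IV of the next
    record is the last ciphertext block, which is visible on the wire."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.last = iv  # Ci-1 as seen by an eavesdropper

    def encrypt_block(self, m: bytes) -> bytes:
        c = E(self.key, xor(self.last, m))
        self.last = c
        return c


class ExplicitIvCbc:
    """TLS 1.1 CBC (slide 14): Ci = E(Key, IVi xor Mi) with a fresh random IVi
    per record. The last ciphertext block is still visible, but it is no
    longer the value xored into the next plaintext."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = bytes(BLOCK)

    def encrypt_block(self, m: bytes) -> bytes:
        iv = os.urandom(BLOCK)  # drawn only after the plaintext is fixed
        c = E(self.key, xor(iv, m))
        self.last = c
        return c


def guess_matches(alice, c_p_prev: bytes, c_p: bytes, guess: bytes) -> bool:
    """The slide 11 check. Mallory has seen Cp-1 and Cp = E(Key, Cp-1 xor P),
    reads the current last block Ci-1 = alice.last and has Alice encrypt
    Ci-1 xor Cp-1 xor G. With chained IVs the Ci-1 terms cancel, so Alice
    emits E(Key, Cp-1 xor G), which equals Cp exactly when G == P."""
    chosen = xor(xor(alice.last, c_p_prev), guess)
    return alice.encrypt_block(chosen) == c_p


def recover_first_byte(alice: ChainedIvCbc, c_p_prev: bytes, c_p: bytes):
    """Slide 12: with 15 known bytes (NULL[0-14]) and one unknown byte P[0],
    at most 2^8 = 256 guesses are needed under chained IVs.
    Returns (byte value, guesses used) or (None, 256) if nothing matched."""
    for g in range(256):
        guess = bytes(15) + bytes([g])  # NULL[0-14] followed by the guess G
        if guess_matches(alice, c_p_prev, c_p, guess):
            return g, g + 1
    return None, 256


def demo_chained_iv():
    """Constructed session: Alice's secret record is NULL[0-14] followed by 'Z'."""
    alice = ChainedIvCbc(key=b"k" * BLOCK, iv=bytes(BLOCK))
    c_p_prev = alice.last
    c_p = alice.encrypt_block(bytes(15) + b"Z")
    return recover_first_byte(alice, c_p_prev, c_p)


def demo_explicit_iv():
    """Same check against explicit IVs: even the correct guess fails, because
    the IV actually applied to the chosen record was fresh and unknown."""
    alice = ExplicitIvCbc(key=b"k" * BLOCK)
    c_p_prev = alice.encrypt_block(b"x" * BLOCK)  # some earlier record
    c_p = alice.encrypt_block(bytes(15) + b"Z")
    return guess_matches(alice, c_p_prev, c_p, bytes(15) + b"Z")


if __name__ == "__main__":
    print("chained IV  ->", demo_chained_iv())   # (90, 91): 'Z' found on guess 91
    print("explicit IV ->", demo_explicit_iv())  # False
```

The difference between the two classes is exactly the slide 14 fix: under chaining, the value xored into Alice's next plaintext is already on the wire when Mallory picks that plaintext, so the guess check is deterministic; with an explicit per-record IV, that value is drawn afterwards and the same check fails even for the right guess. TLS 1.2's authenticated encryption modes from the history slide remove the CBC construction altogether.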

SLIDE 15

Questions?

Thank you for your kind attention.

References

  • Jörg Schwenk. Sicherheit und Kryptographie im Internet: Von sicherer E-Mail bis zu IP-Verschlüsselung (German Edition). Vieweg+Teubner Verlag, 2010.
  • T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176.
  • T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746, 6176.
  • Dan Goodin. Hackers break SSL encryption used by millions of sites. The Register, 2011. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ (Retrieved 2012-04-13)
  • Security impact of the Rizzo/Duong CBC "BEAST" attack. Educated Guesswork, 2011. http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html (Retrieved 2012-04-13)