secure sockets layer transport layer security beast attack
play

Secure Sockets Layer Transport Layer Security BEAST Attack Dan - PowerPoint PPT Presentation

May 08, 2023 •287 likes •439 views

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de> Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

  1. Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 1

  2. Outline ● History ● Design Goals ● SSL/TLS Stack ● Attacks ● Attack on CBC ● BEAST ● Solution CBC Cipher Block Chaining BEAST Browser Exploit Against SSL/TLS Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 2

  3. History version Netscape IETF TLS 1.2 SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2 “refined” 1994 1996 1999 2006 2008 2011 2012 changes ● minor changes ● MD5-SHA-1 complete SHA-256 ↣ ● no interoperation ● authenticated encryption redesign with SSL3 e.g. AES in CCM mode ● can downgrade ● protection against CBC-attacks connections to ● implicit IV SSL3 explicit IV ↣ MAC Message Authentication Code MD5 Message Digest Algorithm IETF Internet Engineering Task Force SHA Secure Hash Algorithm CBC Cipher Block Chaining AES Advanced Encryption Standard IV Initialization Vector CCM Counter with CBC-MAC Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 3

  4. Design Goals ● Cryptographic security ● establish secure connections ● secure existing connections ● data confidentiality ● authentication ● reliability ● Interoperability ● applications exchange parameters with each other ● applications establish connections with each other ● specified protocols Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 4

  5. Design Goals ● Extensibility ● SSL/TLS provides a framework ● cryptographic methods can be added – public key – bulk encryption ● no extensive library/protocol rewriting ● Relative efficiency ● ability to adopt to its environment ● session caching (saves CPU) ● minimal messaging (saves network bandwidth) Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 5

  6. SSL/TLS in Common Models ISO/OSI model TCP/IP model Application Cipher Spec Application Handshake Change Alert Data Presentation Application Session Transport Transport Record Network Internet Data Link Link Physical Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 6

  7. SSL/TLS Protocol Stack tells the other party to apply previously negotiated parameters error reporting ● negotiates session transports upper Cipher Spec Application Handshake ● crypt. methods layer payload Change ● versions Alert Data ● authentication (opt.) ● one-way ● two-way Record ● provides shared transaction layer ● ensures ● cryptographic security (data confidentiality) ● integrity of payload ● optional payload compression Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 7

  8. BEAST ● Browser Exploit Against SSL/TLS (BEAST) ● Chosen Plaintext Attack ● Targets deterministic Initialization Vectors of Cipher-Block Chaining Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 8

  9. Attack Scenario TLS 1.0 Alice Bob CBC ● wants to know secret P[16] Mallory ● eavesdrops encrypted data between Alice and Bob ● can force Alice to send chosen plaintext ● can force Alice to send P Please note that this is a simplified example, consult reference Educated Guesswork for details. Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 9

  10. Cipher-Block Chaining Plaintext Plaintext IV Block Cipher Block Cipher Encryption Encryption Ciphertext Ciphertext C 0 = E(Key, IV M 0 ) C i = E(Key, C i-1 M i ) ⊕ ⊕ Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 10

  11. CBC Chosen Plaintext Attack ● Force Alice to send P ● Eavesdrop and get C p = E(Key, C p-1 ⊕ P) ● Let G be a blind guess of P ● Force Alice to send plaintext C i-1 ⊕ C p-1 ⊕ G ● Alice sends C i = E(Key, C i-1 ⊕ C i-1 ⊕ C p-1 ⊕ G) ● C i = E(Key, C p-1 ⊕ G) ● If C i == C p then G == P This requires a lot of guessing and it is not very handy! Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 11

  12. BEAST ● Force Alice to send NULL[0-14] P[0] ● Eavesdrop and get C p = E(Key, C p-1 ⊕ NULL[0-14] P[0]) ● Let G be a blind guess of P[0] ● Force Alice to send plaintext C i-1 ⊕ C p-1 ⊕ NULL[0-14] G ● Alice sends C i = E(Key, C i-1 ⊕ C i-1 ⊕ C p-1 ⊕ NULL[0-14] G) C i = E(Key, C p-1 ⊕ NULL[0-14] G) This requires up to 2 8 =256 ● If C i == C p then G == P[0] guesses. We can do this! Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 12

  13. BEAST 16 byte block 256 possible C i-1 C p-1 NULL[0-14] ⊕ ⊕ ciphertexts P[0] 256 possible C i-1 C p-1 NULL[0-13] ⊕ ⊕ P[0]P[1] ciphertexts . . . voilà! P[0-15] legend: known unknown Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 13

  14. Solution: Explicit IV Plaintext Plaintext IV IV Block Cipher Block Cipher Encryption Encryption Ciphertext Ciphertext C 0 = E(Key, IV 0 M 0 ) C i = E(Key, IV i M i ) ⊕ ⊕ Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 14

  15. Questions? Thank you for your kind attention. ● References ● Jörg Schwenk. Sicherheit und Kryptographie im Internet: Von sicherer E-Mail bis zu IP-Verschlüsselung (German Edition). Vieweg+Teubner Verlag, 2010. ● T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176. ● T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746, 6176. ● Dan Goodin. Hackers break SSL encryption used by millions of sites. The Register, 2011. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ (Retrieved 2012-04-13) ● Security impact of the Rizzo/Duong CBC "BEAST" attack. Educated Guesswork, 2011. http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html (Retrieved 2012-04-13) Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL: Secure Sockets Layer v widely deployed security v original goals: protocol Web e-commerce transactions supported by almost all browsers,

609 views • 21 slides
Lecture 13 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 13 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 13 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL: Secure Sockets Layer v widely deployed security v original goals: protocol Web e-commerce supported by almost all transactions browsers, web

570 views • 21 slides
1 Transport Layer Transport Layer Outline Message, Segment, Datagram Transport-layer

1 Transport Layer Transport Layer Outline Message, Segment, Datagram Transport-layer

Transport Layer Transport Layer Chapter 3: Transport Layer Mobile network Our goals: Global ISP understand principles learn about transport Chapter 3 behind transport layer protocols in the Transport Layer Internet: layer

678 views • 5 slides
SSL and TLS SSL Secure Socket Layer TLS Transport Layer Security The common

SSL and TLS SSL Secure Socket Layer TLS Transport Layer Security The common

SSL and TLS SSL Secure Socket Layer TLS Transport Layer Security The common standards for securing network applications in Internet E.g., web browsing Essentially, standards to negotiate, set up, and apply crypto

2.93k views • 13 slides
Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons SSH Secure shell (remote login) IPSec IP Security suite, originally for use with IPv6 SSL/TLS Secure Sockets Layer / Transport Layer

322 views • 18 slides
1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

Transport Layer Transport Layer Outline Mobile network Transport-layer Connection-oriented Global ISP services transport: TCP Transport Layer Multiplexing and segment structure Home network demultiplexing reliable data

264 views • 5 slides
The Transport Layer: TCP and UDP Jean Yves Le Boudec 2017 1 Contents 1. The transport layer,

The Transport Layer: TCP and UDP Jean Yves Le Boudec 2017 1 Contents 1. The transport layer,

COLE POLYTECHNIQUE FDRALE DE LAUSANNE The Transport Layer: TCP and UDP Jean Yves Le Boudec 2017 1 Contents 1. The transport layer, UDP 2. TCP Basics: Sliding Window and Flow Control 3. TCP Connections and Sockets 4. More TCP Bells

695 views • 67 slides
Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

IN3210 Network Security Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals: Authentication Integrity Confidentiality Transparent security protocol between TCP and application

1k views • 66 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block &amp; stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

1.91k views • 168 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

528 views • 31 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

1.96k views • 165 slides
Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities and Services Overall: message delivery End-to-end&quot; communications between processes ( i.e. running programs) Communicating

467 views • 17 slides
CSCE 515: Computer Network Transport Layer TCP UDP Programming ------ Sockets ICMP, ARP

CSCE 515: Computer Network Transport Layer TCP UDP Programming ------ Sockets ICMP, ARP

Process Layer Process Process CSCE 515: Computer Network Transport Layer TCP UDP Programming ------ Sockets ICMP, ARP Network Layer IP &amp; Wenyuan Xu RARP Department of Computer Science and Engineering University of South Carolina

400 views • 8 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Three-Way Handshake (3) Suppose delayed, duplicate Active

709 views • 50 slides
Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks

Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks

Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks performed by the transport layer v Services provided to the application layer v Services expected from the network layer q Multiplexing and

437 views • 8 slides
Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be

318 views • 29 slides
Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009

Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009

Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009 Simon Pietro Romano spromano@unina.it Corso AT AA2008-09 Simon Pietro Romano 1 Session Initiation Protocol (SIP) SIP overview

357 views • 32 slides
Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P

Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P

Aleksander Zdyb Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P LATFORM S ECURITY a.zdyb@samsung.com https://github.com/azdyb Briefly about security requirements About Tizen operating system

920 views • 46 slides
CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social

CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social

CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences 1403 http://www.cs.ucr.edu/~jiasi/teaching/cs204_spring17/ 1 Why Networks? Supports the applications that we use today Social media

725 views • 46 slides
Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week

Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week

1 Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week Server and client, i ie. web application and browser, b li ti d b communicate by HTTP requests and responses HTTP response can be

631 views • 44 slides
Overview Trust Management mechanism. Overview Trust Management mechanism. Trust among parties

Overview Trust Management mechanism. Overview Trust Management mechanism. Trust among parties

P RIVACY -P RESERVING T RUST M ANAGEMENT M ECHANISMS FROM P RIVATE M ATCHING S CHEMES O RIOL F ARRS J OSEP D OMINGO -F ERRER A LBERTO B LANCO -J USTICIA Universitat Rovira i Virgili, Tarragona, Catalonia D ATA P RIVACY M ANAGEMENT 2013 Overview

1.26k views • 93 slides
CSCI-UA.9480 Introduction to Computer Security Session 1.4 Transport Layer Security Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.4 Transport Layer Security Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.4 Transport Layer Security Prof. Nadim Kobeissi 1.4a HTTPS and TLS 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi What is TLS? The S in HTTP S . Most likely

852 views • 35 slides
CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from

CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from

CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from Nadia Heninger, Dan Boneh, Stefan Savage Reminder: Network Attacker Threat Model Network Attacker: Controls infrastructure: Routers, DNS

1.29k views • 76 slides

More recommend