stone knives and bear skins why does the internet still
play

Stone Knives and Bear Skins: Why does the Internet still run on - PowerPoint PPT Presentation

May 01, 2023 •272 likes •860 views

Stone Knives and Bear Skins: Why does the Internet still run on pre-historic cryptography? Eric Rescorla ekr@rtfm.com Indocrypt 2011 Indocrypt 2011 Eric Rescorla 1 Overview Our cryptographic protocols use ancient algorithms In many

  1. Stone Knives and Bear Skins: Why does the Internet still run on pre-historic cryptography? Eric Rescorla ekr@rtfm.com Indocrypt 2011 Indocrypt 2011 Eric Rescorla 1

  2. Overview • Our cryptographic protocols use ancient algorithms • In many cases these algorithms have known flaws – Or are used in ways known to be unsafe • Why don’t people upgrade? – Easier to patch – Backward compatibility – Collective action problems – Confusing security implications • This turns out to be surprisingly hard to fix Indocrypt 2011 Eric Rescorla 2

  3. Important Internet Security Protocols (Personal View) • SSL/TLS (really HTTPS) • OAuth • IPsec • SSH • S/MIME, PGP, ... • I will mostly be talking about SSL/TLS – But these comments apply more generally Indocrypt 2011 Eric Rescorla 3

  4. � � � � � � Review: The SSL/TLS Handshake [DR08] Client Server ClientHello ServerHello, Certificate ServerKeyExchange*, ServerHelloDone ClientKeyExchange, ChangeCipherSpec Finished ChangeCipherSpec Finished Encrypted traffic Indocrypt 2011 Eric Rescorla 4

  5. � � � � � � Review: The SSL/TLS Handshake Version, Available Ciphers � ♣♣♣♣♣♣♣♣♣♣♣♣ Client Server ClientHello ServerHello, Certificate ServerKeyExchange*, ServerHelloDone ClientKeyExchange, ChangeCipherSpec Finished ChangeCipherSpec Finished Encrypted traffic Indocrypt 2011 Eric Rescorla 5

  6. � � � � � � � Review: The SSL/TLS Handshake Version, Available Ciphers � ♣♣♣♣♣♣♣♣♣♣♣♣ Client Server ClientHello Version, Selected Cipher ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ServerHello, Certificate ServerKeyExchange*, ServerHelloDone ClientKeyExchange, ChangeCipherSpec Finished ChangeCipherSpec Finished Encrypted traffic Indocrypt 2011 Eric Rescorla 6

  7. � � � � � � � Review: The SSL/TLS Handshake Version, Available Ciphers � ♣♣♣♣♣♣♣♣♣♣♣♣ Client Server ClientHello Version, Selected Cipher RSA Key ❩ � ❤❤❤❤❤❤ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ServerHello, Certificate ServerKeyExchange*, ServerHelloDone ClientKeyExchange, ChangeCipherSpec Finished ChangeCipherSpec Finished Encrypted traffic Indocrypt 2011 Eric Rescorla 7

  8. � � � � � � � � Review: The SSL/TLS Handshake Version, Available Ciphers � ♣♣♣♣♣♣♣♣♣♣♣♣ Client Server ClientHello Version, Selected Cipher RSA Key ❩ � ❤❤❤❤❤❤ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ServerHello, Certificate ServerKeyExchange*, ServerHelloDone ClientKeyExchange, ChangeCipherSpec ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ Finished ❞ ❞ ❞ Encrypted Random Value ChangeCipherSpec Finished Encrypted traffic Indocrypt 2011 Eric Rescorla 8

  9. � � � � � � � � Review: The SSL/TLS Handshake Version, Available Ciphers � ♣♣♣♣♣♣♣♣♣♣♣♣ Client Server ClientHello Version, Selected Cipher RSA Key ❩ � ❤❤❤❤❤❤ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ❩ ServerHello, Certificate ServerKeyExchange*, ServerHelloDone ClientKeyExchange, ChangeCipherSpec ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ ❞ Finished ❞ ❞ � ❭❭❭❭❭❭ ❞ Encrypted Random Value Handshake MAC ChangeCipherSpec � ❥❥❥❥❥❥❥❥❥ Finished Encrypted traffic Indocrypt 2011 Eric Rescorla 9

  10. RSA Key Exchange • TLS uses PKCS#1 v1.5 [JK03] – Over twenty years old • Arguably superior alternatives exist – Optimal Asymmetric Encryption Padding [BR96] – Actually defined in RFC 3447 “Two encryption schemes are specified in this document: RSAES-OAEP and RSAES-PKCS1-v1 5. RSAES-OAEP is recommended for new applications; RSAES-PKCS1-v1 5 is included only for compatibility with existing applications, and is not recommended for new applications.” [JK03] Indocrypt 2011 Eric Rescorla 10

  11. Reminder: PKCS#1 Padding 00 02 Random Bytes 00 Message Indocrypt 2011 Eric Rescorla 11

  12. PKCS#1 1.5 + TLS was actually insecure • Bleichenbacher [Ble98] and Klima show adaptive chosen ciphertext attacks • Basic idea: use server as a PKCS#1 formatting oracle – Capture one ClientKeyExchange (RSA-encrypted secret) – Send modified versions and see if the server believes they are correctly formatted ∗ Server generates an “alert” message if not – Triangulate in on original plaintext (takes about 2 20 messages) • OAEP resists this attack – Chance of random generating a correctly formatted message is very low Indocrypt 2011 Eric Rescorla 12

  13. TLS Countermeasures to Bleichenbacher Attack • Don’t generate an error with incorrectly formatted data – Instead, randomly generate a fake random master secret and proceed with the handshake – What would have happened if the CKE was correctly formatted • Handshake will fail at the Finished stage – Client and server don’t share the same keys Indocrypt 2011 Eric Rescorla 13

  14. Why this solution? • Initially, this countermeasure was faster – Could be implemented solely on the server side – Didn’t require any change to the client – Server side countermeasure needed in any case ∗ Some clients won’t upgrade • Why didn’t later versions of TLS adopt OAEP? – Inertia – Lack of clear benefit – Need for protocol mechanisms to negotiate it Indocrypt 2011 Eric Rescorla 14

  15. Digression: Negotiating Protocol Versions • All agents start out supporting version n • We want to introduce n + 1 while retaining backward compatibility – Need some kind of version negotiation mechanism • Problems – How to negotiate securely? – When can you discard version n ? (probably never) Client Version Server Version n n/n + 1 n n n n/n + 1 n n + 1 Table 1: Desired Negotiation Outcome Indocrypt 2011 Eric Rescorla 15

  16. SSL/TLS Negotiation Mechanisms • Version number • Cipher suites • “certificate types” field in CertificateRequest • Extensions (published in 2003) [BWNH + 03] Indocrypt 2011 Eric Rescorla 16

  17. Options for Introducing OAEP • Have clients unilaterally use OAEP – This creates obvious breakage • Do an entirely new version of SSL/TLS – Very heavyweight – Not politically feasible as TLS 1.0 was still in process • Introduce new RSA cipher suites that mean OAEP – Only really workable solution – Pretty ugly • Remember: protection still needed for old cipher suites Indocrypt 2011 Eric Rescorla 17

  18. The Best (Worst?)-Case Scenario: Debian PRNG • In 2006, Debian version of OpenSSL patched to fix Valgrind warnings – Accidentally wipes out nearly all entropy in PRNG (˜ 16 bits left) • Noticed in 2008 by Luciano Bello • About 1% of servers had predictable private keys – Easily remotely detectable – Completely breaks RSA cipher suites against passive attack – Breaks DHE cipher suites against active attack or fancy passive attack [YRS + 09] • Imperative that servers fix – Fix was compatible and easy (get a new certificate) Indocrypt 2011 Eric Rescorla 18

  19. How fast did people fix affected servers? [YRS + 09] Indocrypt 2011 Eric Rescorla 19

  20. Certificate churn versus natural replacement rate Indocrypt 2011 Eric Rescorla 20

  21. Certificate Signature Algorithms • Nearly all certificates are signed with either – RSA PKCS#1 1.5 with MD5 [Riv92] – RSA PKCS#1 1.5 with SHA-1 [NIS02] (Designed in 1993) • Virtually no use of PSS • Minimal use of SHA-256 or greater Indocrypt 2011 Eric Rescorla 21

  22. Security of MD5 and SHA-1 • MD5 is completely broken against collisions – Work factor is about 2 24 – Preimage attacks still impractical • SHA-1 is severely compromised – Status is a little unclear (at least to me) – Collision factor appears to be about 2 63 (better results seem to be unconfirmed) – No actual collisions have been found • Even collisions are a threat to certificates [SSA + 09] – Though countermeasures (sequence number randomization) are available Indocrypt 2011 Eric Rescorla 22

  23. New hashes, old protocols • How do we transition to a new algorithm? • Authenticating parties need two certificates – One for SHA-1 (or maybe MD5) – One for SHA-x • Relying parties need to support SHA-1 and SHA-x – Until nearly all authenticating parties have SHA-x certificates Indocrypt 2011 Eric Rescorla 23

  24. A certificate with a strong hash doesn’t help ME • Threat is an attacker getting a certificate in my name – The existence of a weak certificate for me doesn’t help them – Modifying that certificate requires a second preimage attack ∗ Existing attacks involve (easier) collision-finding ∗ Easier to modify certificate name rather than public key? • I want relying parties to stop accepting weak hashes – But my actions don’t really affect that • Classic collective action problem Indocrypt 2011 Eric Rescorla 24

  25. Hash algorithm transitions in SSL/TLS [BR06] • Problem: incremental deployment of new hash functions – “Easy” part: certificates – Hard part: MD5 and SHA-1 are hardwired into TLS before 1.2 • This turns out to be a huge hassle – Design finished in 2008 – Only starting to roll out now Indocrypt 2011 Eric Rescorla 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Traditional Programming Models: Traditional Programming Models: Stone Knives and Bearskins in the

Traditional Programming Models: Traditional Programming Models: Stone Knives and Bearskins in the

<Insert Picture Here> Traditional Programming Models: Traditional Programming Models: Stone Knives and Bearskins in the Google Age Cameron Purdy Cameron Purdy Vice President, Development <Insert Picture Here> Multi-server.

604 views • 28 slides
Please turn off your mobile phone Banana Skins : The risks facing the microfinance industry 29

Please turn off your mobile phone Banana Skins : The risks facing the microfinance industry 29

Please turn off your mobile phone Banana Skins : The risks facing the microfinance industry 29 th Midi de linclusion financire Micr Microfinanc ofinance Ba e Banana nana Skins 20 Skins 2014 14 What are the main risks the industry is

403 views • 36 slides
2 At that time the Lord said to Joshua, Make for yourself flint knives and circumcise again the

2 At that time the Lord said to Joshua, Make for yourself flint knives and circumcise again the

2 At that time the Lord said to Joshua, Make for yourself flint knives and circumcise again the sons of Israel the second time. 3 So Joshua made himself flint knives and circumcised the sons of Israel at Gibeathhaaraloth. 4 This is the

501 views • 29 slides
Nuclear radii in density functional theory Witold Nazarewicz (FRIB/MSU) Neutron Skins in Nuclei

Nuclear radii in density functional theory Witold Nazarewicz (FRIB/MSU) Neutron Skins in Nuclei

Nuclear radii in density functional theory Witold Nazarewicz (FRIB/MSU) Neutron Skins in Nuclei MITP, Mainz,, May 17-27, 2016 Perspective Theoretical strategies Nuclear DFT Radii, skins, and halos Uncertainty

717 views • 34 slides
PBJ Diversion Sponsored by Bear lake SWCD Garth Boehme Chairman Project location Bear Lake HUC

PBJ Diversion Sponsored by Bear lake SWCD Garth Boehme Chairman Project location Bear Lake HUC

PBJ Diversion Sponsored by Bear lake SWCD Garth Boehme Chairman Project location Bear Lake HUC # 16010201 Stream Effected: Ovid Creek and Bear River Pollutants: Sediment Beneficial uses Cold Water Aquatic Life Secondary Contact

250 views • 6 slides
Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on Computation and Society Harvard University Talk Outline Why Phishing Works Dynamic Security Skins Embedded Security Indicators Talk

731 views • 57 slides
There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous

There are at least 4 types of bears indigenous to this country. They are from least dangerous to most dangerous: Teddy Bear Black Bear (U. americanus) Brown or Grizzly Bear (U. Arctos) Chicago Bear (D. Butkus) Two types exist in New Mexico

420 views • 25 slides
Grizzly Bear Conservation in Southwest BC Dr. Bruce McLellan Redlist Authority IUCN Bear

Grizzly Bear Conservation in Southwest BC Dr. Bruce McLellan Redlist Authority IUCN Bear

Grizzly Bear Conservation in Southwest BC Dr. Bruce McLellan Redlist Authority IUCN Bear Specialist Group Bear Specialist Group Conservation-related issues regarding 7 species of terrestrial bears 190 members 61 range countries and

934 views • 37 slides
STONE PAPER COMPANY Presentation MINERAL RESIN The Raw Materials An Eco-Innovation Stone

STONE PAPER COMPANY Presentation MINERAL RESIN The Raw Materials An Eco-Innovation Stone

STONE PAPER COMPANY Presentation MINERAL RESIN The Raw Materials An Eco-Innovation Stone Paper Sustainable No Water Pollution Minimized CO 2 Photo Degradable Production Easy to Recycle What is Stone Paper? Stone Paper is an unique

899 views • 24 slides
FOOD CONCEPT All day a la carte finger food menu, no forks, no knives, plated from the kitchen,

FOOD CONCEPT All day a la carte finger food menu, no forks, no knives, plated from the kitchen,

FOOD CONCEPT All day a la carte finger food menu, no forks, no knives, plated from the kitchen, working on the same principle as a tea time concept where different varieties of bite size foods are presented on T-Stand upon order. (No cooking

187 views • 5 slides
October 17, 2019 6:30 PM Luck Stone produces crushed stone and gravel used as the foundation

October 17, 2019 6:30 PM Luck Stone produces crushed stone and gravel used as the foundation

October 17, 2019 6:30 PM Luck Stone produces crushed stone and gravel used as the foundation for roads, bridges, and buildings in the Southeast. Proposed New Quarry and Processing Plant: Highway 9, Chester SC 550 tons per hour Stone

377 views • 12 slides
New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk

New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk

New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk Ecole Polytechnique & CEA Saclay Based on: arXiv:1203.6064 with M. Paulos, D. Poland, S. Rychkov, D. Simmons-Duffin, A. Vichi

633 views • 41 slides
A Comparison of Knives for Bread Slicing Alekh Jindal*, Endre Palatinus, Vladimir Pavlov, Jens

A Comparison of Knives for Bread Slicing Alekh Jindal*, Endre Palatinus, Vladimir Pavlov, Jens

A Comparison of Knives for Bread Slicing Alekh Jindal*, Endre Palatinus, Vladimir Pavlov, Jens Dittrich Information Systems Group Saarland University *MIT CSAIL Data Layout 2 Row-layout CUSTKEY NATIONKEY NAME MKTSEGMENT ADDRESS COMMENT

418 views • 39 slides
Michigans largest landscape stone & building stone quarry . 330 Austin Road P.O. Box 335

Michigans largest landscape stone & building stone quarry . 330 Austin Road P.O. Box 335

Michigans largest landscape stone & building stone quarry . 330 Austin Road P.O. Box 335 Napoleon, MI 49261 Tel: 517-536-4330 www.napoleonstone.com Napoleon Stone Natural sandstone quarry and stone fabrication business in the

790 views • 31 slides
TRUCKS, KNIVES, BOMBS, WHATEVER EXPLORING PRO-ISLAMIC STATE INSTRUCTIONAL MATERIAL ON TELEGRAM

TRUCKS, KNIVES, BOMBS, WHATEVER EXPLORING PRO-ISLAMIC STATE INSTRUCTIONAL MATERIAL ON TELEGRAM

TRUCKS, KNIVES, BOMBS, WHATEVER EXPLORING PRO-ISLAMIC STATE INSTRUCTIONAL MATERIAL ON TELEGRAM Bennett Clifford 10/19/2018 Key Questions How do English-speaking online supporters of the Islamic State share instructional material on

111 views • 10 slides
Himalayan Black Bear Conservation Awareness program in buffer of JKSNR. HIMALAYAN BLACK BEAR

Himalayan Black Bear Conservation Awareness program in buffer of JKSNR. HIMALAYAN BLACK BEAR

Himalayan Black Bear Conservation Awareness program in buffer of JKSNR. HIMALAYAN BLACK BEAR Asian black bears are dwelling in daytime , though they become nocturnal near human habitations. They may live in family groups consisting of

290 views • 13 slides
TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 Real-World Crypto 2015 1 Goals for TLS

TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 Real-World Crypto 2015 1 Goals for TLS

TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 Real-World Crypto 2015 1 Goals for TLS 1.3 Clean up: Remove unused or unsafe features Improve privacy: Encrypt more of the handshake Improve latency: Target: 1-RTT handshake for na ve

543 views • 27 slides
SSL Research with Bro Johanna Amann International Computer Science Institute johanna@icir.org

SSL Research with Bro Johanna Amann International Computer Science Institute johanna@icir.org

SSL Research with Bro Johanna Amann International Computer Science Institute johanna@icir.org http://www.icir.org/johanna SSL Client Server Client hello Server hello Certificate (Server Key Exchg) Client Key Exchange Change Cipher Spec

848 views • 66 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL: Secure Sockets Layer v widely deployed security v original goals: protocol Web e-commerce transactions supported by almost all browsers,

609 views • 21 slides
Networking in the Ethos Operating System Jon A. Solworth Dept. of Computer Science and Center

Networking in the Ethos Operating System Jon A. Solworth Dept. of Computer Science and Center

Networking in the Ethos Operating System Jon A. Solworth Dept. of Computer Science and Center for RITES University of Illinois at Chicago Dan Bernstein, Tanja Lange, Mike Petullo, Xu Zhang, Wenyuan Fei, Pat Gavin, Andrei Wartekin, Yaohua Li,

676 views • 34 slides
Secure Socket Layer (SSL) and Trnasport Layer Security (TLS) CSE598K/CSE545 - Advanced Network

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS) CSE598K/CSE545 - Advanced Network

547 views • 16 slides
Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure applications: Applicaz. (SHTTP) PGP, SHTTP, SFTP, or SSL/TLS Security down in the TCP protocol stack -SSL between TCP IPSEC and applic. layer

723 views • 59 slides
Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation

Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation

26. DECUS Symposium Bonn Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation Overview Product information What is the secure sockets layer (SSL)? Overview of SSL/OpenSSL/SSL on OpenVMS

657 views • 26 slides

More recommend