the 9 lives of bleichenbacher s cat
play

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS - PowerPoint PPT Presentation

Mar 21, 2024 •158 likes •1.36k views

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

  1. ME WANT COOKIE! • Session cookies give access to the users ’ data • Are sent in the beginning of each TLS connection • Attack scenario for RSA KX: • Sniff TLS handshake and first message • Use Bleich. to decrypt premaster secret • Decrypt first message

  2. ME WANT COOKIE! • Session cookies give access to the users ’ data • Are sent in the beginning of each TLS connection • Attack scenario for RSA KX: • Sniff TLS handshake and first message • Use Bleich. to decrypt premaster secret • Decrypt first message • COOKIE!

  3. Attack Scenario RSA KX: Sniff + Cache timing side channel

  4. Attack Scenario RSA KX: Sniff + Cache timing side channel

  5. Attack Scenario RSA KX: Sniff + Cache timing side channel

  6. Attack Scenario RSA KX: Sniff + Cache timing side channel

  7. Attack Scenario RSA KX: Sniff + Cache timing side channel

  8. Attack Scenario RSA KX: Sniff + Cache timing side channel

  9. Attack Scenario RSA KX: Sniff + Cache timing side channel

  10. Attack Scenario RSA KX: Sniff + Cache timing side channel

  11. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX

  12. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack

  13. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX

  14. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15]

  15. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack

  16. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack • COOKIE?

  17. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack • COOKIE? • Time to finish attack < 30 sec

  18. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack • COOKIE? • Time to finish attack < 30 sec • Need many queries • Have time for < 600 •

  19. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15]

  20. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack

  21. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack

  22. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack • Finish the TLS handshake with decrypted premaster secret

  23. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack • Finish the TLS handshake with decrypted premaster secret • Cookie?

  24. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack • Finish the TLS handshake with decrypted premaster secret • Cookie? • The user will notice the delay

  25. The Boost of the BEAST • BEAST like attack can help!

  26. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge.

  27. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge. • At the start of each connection, the same session cookie is sent in the first packet

  28. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge. • At the start of each connection, the same session cookie is sent in the first packet • Need to break just one connection

  29. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge. • At the start of each connection, the same session cookie is sent in the first packet • Need to break just one connection • COOKIE!

  30. Attack Scenario Firefox: MiTM + Cache timing side channel

  31. Attack Scenario Firefox: MiTM + Cache timing side channel

  32. Attack Scenario Firefox: MiTM + Cache timing side channel

  33. Attack Scenario Firefox: MiTM + Cache timing side channel .COM

  34. Attack Scenario Firefox: MiTM + Cache timing side channel

  35. Attack Scenario Firefox: MiTM + Cache timing side channel

  36. Attack Scenario Firefox: MiTM + Cache timing side channel

  37. Attack Scenario Firefox: MiTM + Cache timing side channel

  38. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds

  39. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers

  40. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers

  41. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle

  42. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle • Many previous works mention parallelization

  43. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle • Many previous works mention parallelization • Cookie?

  44. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle • Many previous works mention parallelization • Cookie? • Need at least 2048 sequential adaptive queries • Have time for < 600

  45. A little Manger background • Assume we have the following Manger oracle

  46. A little Manger background • Assume we have the following Manger oracle • We start with a blinding phase to find s such that

  47. A little Manger background • Assume we have the following Manger oracle • We start with a blinding phase to find s such that 0 N -1

  48. A little Manger background • Assume we have the following Manger oracle • We start with a blinding phase to find s such that 0 N -1

  49. A little Manger background • Iteratively reduce size of possible interval 0 N -1

  50. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  51. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  52. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  53. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  54. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom SudParis GreHack 2019 15 novembre 2019 Levillain &amp; Rasoamanana Wombat 1/27 Plan RSA and PKCS#1 v1.5 in a nutshell Bleichenbacher : the

845 views • 48 slides
Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

slides from presentation at Real World Crypto 2019 Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai Duong with contributions by Haris Andrianakis , Thanh Bui , Thomas Holenstein , Charles Lee , Erhan

657 views • 38 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1 Outline Introduction Contribution 1.

1.89k views • 81 slides
I believe that in all men's lives at certain periods, and in many men's lives at all periods

I believe that in all men's lives at certain periods, and in many men's lives at all periods

I believe that in all men's lives at certain periods, and in many men's lives at all periods between infancy and extreme old age, one of the most dominant elements is the desire to be inside the C.S. Lewis local Ring and the terror of

558 views • 18 slides
Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk

Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk

Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk http://alexfoxblog.wordpress.com http://vimeo.com/108993357 Kent Shared Lives Karl and Clare with Shared Lives carers Blossom and Mike, at their

541 views • 15 slides
Better Advice, Better Lives Adults Select Committee 21 st June Usk 1 Better Advice, Better Lives

Better Advice, Better Lives Adults Select Committee 21 st June Usk 1 Better Advice, Better Lives

Better Advice, Better Lives Monmouthshire County Citizens Advice Better Advice, Better Lives Adults Select Committee 21 st June Usk 1 Better Advice, Better Lives Introduction As you are no doubt aware, in 2012, the Government announced plans

84 views • 4 slides
East Lancashire Transforming Lives Programme Steve Rides East Lancashire Transforming Lives

East Lancashire Transforming Lives Programme Steve Rides East Lancashire Transforming Lives

East Lancashire Transforming Lives Programme Steve Rides East Lancashire Transforming Lives Project Lead What is Transforming Lives To develop a multi-agency model of working that delivers better outcomes; reduces demand and lowers costs,

278 views • 15 slides
We Are Mission Vision Medicaid Medicare MLTC Specialty 1,576,259 305,865 124,484

We Are Mission Vision Medicaid Medicare MLTC Specialty 1,576,259 305,865 124,484

We Are Mission Vision Medicaid Medicare MLTC Specialty 1,576,259 305,865 124,484 918,565 Lives Lives Lives Lives *As of April 2019. Specialty includes: PACE, Duals, SNP 4.3M calls 7.9M trips Geography 7 languages per year

461 views • 15 slides
A tax that saves lives. www.RaiseItforHealthIN.com Before we begin, lets watch

A tax that saves lives. www.RaiseItforHealthIN.com Before we begin, lets watch

Raising Indianas cigarette tax to save lives, protect youth and strengthen our workforce Kent Mitchell, Director of Outreach and Engagement KMitchell@tobaccofreekids.org A tax that saves lives. www.RaiseItforHealthIN.com Before we begin,

178 views • 17 slides
Feelings about Suicide Suicide is an emotional subject, to patient, provider, and Strong emotions

Feelings about Suicide Suicide is an emotional subject, to patient, provider, and Strong emotions

10/29/2015 Advancing treatment. Transforming lives. Advancing treatment. Transforming lives. Advancing treatment. Transforming lives. Advancing treatment. Transforming lives. Agenda Mindfulness, Acceptance, and Discuss the emotional impact

336 views • 10 slides
Plymouth Larissa Milden, Active for All Service Manager What is Im Improving Lives Plymouth?

Plymouth Larissa Milden, Active for All Service Manager What is Im Improving Lives Plymouth?

Improving Lives Plymouth Larissa Milden, Active for All Service Manager What is Im Improving Lives Plymouth? Improving Lives Plymouth is a local health and wellbeing charity Previously known as Plymouth Guild, Improving Lives

144 views • 11 slides
Saving Lives at MVD August 2018 September 4, 2018 1 You are Saving Lives!! AUTHORIZED BY

Saving Lives at MVD August 2018 September 4, 2018 1 You are Saving Lives!! AUTHORIZED BY

Saving Lives at MVD August 2018 September 4, 2018 1 You are Saving Lives!! AUTHORIZED BY REGISTRY IN 2017 71% Organ Donors 69% Tissue Donors 68% Eye Donors LIVES SAVED &amp; ENHANCED 153 Organ Transplants 5,000 Tissue for Transplant

366 views • 8 slides
Improving homes and lives every day. Service Coordination Business Unit Improving homes and lives

Improving homes and lives every day. Service Coordination Business Unit Improving homes and lives

Improving homes and lives every day. Service Coordination Business Unit Improving homes and lives every day. Agenda Whats New Department Updates - Heather Follow Up: Things to Remember Operations Updates Annette QA

565 views • 23 slides
Supporting the Black Lives Matter when teaching pronunciation Movement when teaching

Supporting the Black Lives Matter when teaching pronunciation Movement when teaching

Supporting the Black Lives Matter when teaching pronunciation Movement when teaching pronunciation What is the #BlackLivesMatter was founded in 2013 in Black Lives response to the acquittal of Trayvon Martins murderer. Black Lives

398 views • 18 slides
Engage Rotary Change Lives Engage Rotary Change Lives President: Faure

Engage Rotary Change Lives Engage Rotary Change Lives President: Faure

Engage Rotary Change Lives Engage Rotary Change Lives President: Faure Gnassingbe (2005 Current) Land area: 21,000 sq mi Total area: 21,925 sq mi Population 6,961,049 Median Age: 19.1 (US 37.1) 0-14 years: 40.8% (male

453 views • 20 slides
User Authentication in Perl 1. Using .htaccess Check out:

User Authentication in Perl 1. Using .htaccess Check out:

User Authentication in Perl 1. Using .htaccess Check out: http://www.wpi.edu/Academics/CCC/Help/Unix/Webdev/htaccess.html The above site is pretty self-explanatory. The main steps if you want to allow two users with username/password as

284 views • 3 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web framework written in Python First release was in 2010 Current version (1.1.1) was released in July 2019 Currently powers LinkedIn and

278 views • 8 slides
How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade

How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade

The Future of Advertising &amp; Privacy How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade Commission 1 Agenda Types of ads Web tracking with cookies Web tracking beyond cookies Tracking

1.43k views • 118 slides
Security ty, P Privacy cy, &amp; &amp; Us User E Expect ectati tion ons: Case Studies in

Security ty, P Privacy cy, &amp; &amp; Us User E Expect ectati tion ons: Case Studies in

Security ty, P Privacy cy, &amp; &amp; Us User E Expect ectati tion ons: Case Studies in Web Tracking and Application Permissions Franzi ziska Roesner er Assistant Professor Computer Science &amp; Engineering University of Washington

710 views • 52 slides
Web Security: Cross-Site Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen,

Web Security: Cross-Site Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen,

Web Security: Cross-Site Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca

849 views • 61 slides
Tracking Web Visitors Aaron Stevens Computer Science What Youll Learn Today Computer Science

Tracking Web Visitors Aaron Stevens Computer Science What Youll Learn Today Computer Science

4/17/13 CS108: Lecture 26 Tracking Web Visitors Aaron Stevens Computer Science What Youll Learn Today Computer Science How do you know whos using your Application? Using hidden fields to keep session state HTTP Environment

347 views • 10 slides
Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for

Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for

Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for reverse-engineering homework site Web request via jQuery JavaScript library jQuery.ajax({ 'type': 'GET', 'url': 'http://vulnerable/ajax.php',

335 views • 22 slides
Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides

More recommend