the rocky road to the rocky road to
play

The Rocky Road to The Rocky Road to Hanno Bck https://hboeck.de - PowerPoint PPT Presentation

The Rocky Road to The Rocky Road to Hanno Bck https://hboeck.de @hanno 1 Transport Layer Security Transport Layer Security A protocol to create an encrypted and authenticated layer around other protocols 2 TLS 1.3 was published in


  1. Bleichenbacher attack countermeasures Bleichenbacher attack countermeasures TLS 1.0 TLS 1.1 TLS 1.2 Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al. to attack a TLS server which is using PKCS#1 encoded RSA. The used to attack a TLS server that is using PKCS#1 v 1.5 encoded [KPR03] can be used to attack a TLS server that reveals whether a attack takes advantage of the fact that by failing in different RSA. The attack takes advantage of the fact that, by failing particular message, when decrypted, is properly PKCS#1 formatted, ways, a TLS server can be coerced into revealing whether a in different ways, a TLS server can be coerced into revealing contains a valid PreMasterSecret structure, or has the correct particular message, when decrypted, is properly PKCS#1 formatted whether a particular message, when decrypted, is properly version number. or not. PKCS#1 v1.5 formatted or not. As described by Klima [KPR03], these vulnerabilities can be avoided The best way to avoid vulnerability to this attack is to treat The best way to avoid vulnerability to this attack is to treat by treating incorrectly formatted message blocks and/or mismatched incorrectly formatted messages in a manner indistinguishable from incorrectly formatted messages in a manner indistinguishable version numbers in a manner indistinguishable from correctly correctly formatted RSA blocks. Thus, when it receives an from correctly formatted RSA blocks. Thus, when a server formatted RSA blocks. In other words: incorrectly formatted RSA block, a server should generate a receives an incorrectly formatted RSA block, it should generate random 48-byte value and proceed using it as the premaster a random 48-byte value and proceed using it as the premaster 1. Generate a string R of 46 random bytes secret. Thus, the server will act identically whether the secret. Thus, the server will act identically whether the received RSA block is correctly encoded or not. received RSA block is correctly encoded or not. 2. Decrypt the message to recover the plaintext M [PKCS1B] defines a newer version of PKCS#1 encoding that is 3. If the PKCS#1 padding is not correct, or the length of message more secure against the Bleichenbacher attack. However, for M is not exactly 48 bytes: maximal compatibility with TLS 1.0, TLS 1.1 retains the pre_master_secret = ClientHello.client_version || R original encoding. No variants of the Bleichenbacher attack else If ClientHello.client_version <= TLS 1.0, and version are known to exist provided that the above recommendations are number check is explicitly disabled: followed. pre_master_secret = M else: Implementation Note: Public-key-encrypted data is represented as an pre_master_secret = ClientHello.client_version || M[2..47] opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted PreMasterSecret in a Note that explicitly constructing the pre_master_secret with the ClientKeyExchange is preceded by two length ClientHello.client_version produces an invalid master_secret if the bytes. These bytes are redundant in the case of client has sent the wrong version in the original pre_master_secret. RSA because the EncryptedPreMasterSecret is the only data in the ClientKeyExchange and its An alternative approach is to treat a version number mismatch as a length can therefore be unambiguously PKCS-1 formatting error and randomize the premaster secret determined. The SSLv3 specification was not completely: clear about the encoding of public-key-encrypted data, and therefore many SSLv3 implementations 1. Generate a string R of 48 random bytes do not include the length bytes, encoding the RSA encrypted data directly in the 2. Decrypt the message to recover the plaintext M ClientKeyExchange message. 3. If the PKCS#1 padding is not correct, or the length of message This specification requires correct encoding of M is not exactly 48 bytes: the EncryptedPreMasterSecret complete with pre_master_secret = R length bytes. The resulting PDU is incompatible else If ClientHello.client_version <= TLS 1.0, and version with many SSLv3 implementations. Implementors number check is explicitly disabled: upgrading from SSLv3 must modify their premaster secret = M implementations to generate and accept the else If M[0..1] != ClientHello.client_version: correct encoding. Implementors who wish to be premaster secret = R compatible with both SSLv3 and TLS should make else: their implementation's behavior dependent on the premaster secret = M protocol version. Although no practical attacks against this construction are known, Implementation Note: It is now known that remote timing-based attacks Klima et al. [KPR03] describe some theoretical attacks, and therefore on SSL are possible, at least when the client the first construction described is RECOMMENDED. and server are on the same LAN. Accordingly, implementations that use static RSA keys SHOULD In any case, a TLS server MUST NOT generate an alert if processing an use RSA blinding or some other anti-timing RSA-encrypted premaster secret message fails, or the version number technique, as described in [TIMING]. is not as expected. Instead, it MUST continue the handshake with a randomly generated premaster secret. It may be useful to log the Note: The version number in the PreMasterSecret MUST be the version real cause of failure for troubleshooting purposes; however, care offered by the client in the ClientHello, not the version must be taken to avoid leaking the information to an attacker negotiated for the connection. This feature is designed to (through, e.g., timing, log files, or other channels.) prevent rollback attacks. Unfortunately, many implementations use the negotiated version instead, and therefore checking the The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure version number may lead to failure to interoperate with such against the Bleichenbacher attack. However, for maximal incorrect client implementations. Client implementations, MUST compatibility with earlier versions of TLS, this specification uses and Server implementations MAY, check the version number. In the RSAES-PKCS1-v1_5 scheme. No variants of the Bleichenbacher practice, since the TLS handshake MACs prevent downgrade and no attack are known to exist provided that the above recommendations are good attacks are known on those MACs, ambiguity is not followed. considered a serious security risk. Note that if servers choose to check the version number, they should randomize the Implementation note: Public-key-encrypted data is represented as an PreMasterSecret in case of error, rather than generate an opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted alert, in order to avoid variants on the Bleichenbacher attack. PreMasterSecret in a ClientKeyExchange is preceded by two length [KPR03] bytes. These bytes are redundant in the case of RSA because the EncryptedPreMasterSecret is the only data in the ClientKeyExchange and its length can therefore be unambiguously determined. The SSLv3 specification was not clear about the encoding of public-key- encrypted data, and therefore many SSLv3 implementations do not include the length bytes -- they encode the RSA-encrypted data directly in the ClientKeyExchange message. This specification requires correct encoding of the EncryptedPreMasterSecret complete with length bytes. The resulting PDU is incompatible with many SSLv3 implementations. Implementors upgrading from SSLv3 MUST modify their implementations to generate and accept the correct encoding. Implementors who wish to be compatible with both SSLv3 and TLS should make their implementation's behavior dependent on the protocol version. Implementation note: It is now known that remote timing-based attacks on TLS are possible, at least when the client and server are on the same LAN. Accordingly, implementations that use static RSA keys MUST use RSA blinding or some other anti-timing technique, as described in [TIMING]. 46

  2. With every new TLS version the With every new TLS version the countermeasures became more countermeasures became more complicated complicated 47

  3. Many more attacks on poor choices in Many more attacks on poor choices in TLS 1.2 and earlier TLS 1.2 and earlier SLOTH, FREAK, Logjam, SWEET32, Triple Handshake 48

  4. Fixing bugs like TLS 1.2 and earlier Fixing bugs like TLS 1.2 and earlier 49

  5. Use workarounds for known security issues 50

  6. If workarounds are insufficient use more workarounds 51

  7. Create optional secure modes, but keep the insecure ones 52

  8. Fixing bugs like TLS 1.3 Fixing bugs like TLS 1.3 53

  9. Remove insecure cryptographic constructions 54

  10. TLS 1.3 Deprecations TLS 1.3 Deprecations CBC-Modes, RC4, Triple-DES GCM with explicit nonces RSA Encryption, PKCS #1 1.5 MD5, SHA1 Diffie Hellman with custom or small parameters Obscure, custom and insecure Elliptic Curves 55

  11. Formal Verification Formal Verification Researchers have started to formally analyze TLS in recent years 56

  12. Many vulnerabilities were found during protocol analysis 57

  13. These analyses have contributed to and guided the design of TLS 1.3 58

  14. Security is nice, but there's something Security is nice, but there's something else we care about: else we care about: Speed! Speed! 59

  15. TLS Fresh Handshake TLS Fresh Handshake TLS 1.2 TLS 1.3 60

  16. TLS 1.3 handshake removes one round trip from fresh handshakes 61

  17. Handshake improves forward secrecy on session resumption and protects more data 62

  18. TLS 1.3 has a faster and more secure handshake Watch 33C3 talk 63

  19. TLS 1.3 Zero Round Trip (0-RTT) TLS 1.3 Zero Round Trip (0-RTT) 64

  20. If we previously connected we can use a pre-shared Key (PSK) to send data without any round trip 65

  21. More speed! More speed! 66

  22. But 0-RTT is not for free But 0-RTT is not for free 67

  23. Replay attacks Replay attacks 68

  24. 0-RTT should only be used where it's 0-RTT should only be used where it's safe safe 69

  25. Example HTTPS Example HTTPS GET Request: Idempotent POST Request: Not Idempotent 70

  26. In theory HTTP GET requests are In theory HTTP GET requests are idempotent and safe for 0-RTT idempotent and safe for 0-RTT 71

  27. Do web developers know what Do web developers know what idempotent means? idempotent means? 72

  28. 0-RTT does not have strong forward secrecy 73

  29. Many speculate that future TLS 1.3 attacks will exploit 0-RTT 74

  30. 0-RTT is optional 75

  31. If it turns out being too bad we can disable it 76

  32. Deployment Deployment 77

  33. It's not enough to design a faster, more secure TLS protocol, you also have to deploy it 78

  34. On the Internet 79

  35. The real Internet 80

  36. The version number The version number 81

  37. This may sound trivial, but one other new thing that TLS 1.3 brings is a new version number 82

  38. 83

  39. 84

  40. 85

  41. TLS 1.0 came a�er SSL 3 86

  42. SSL 3 03 00 TLS 1.0 03 01 TLS 1.1 03 02 TLS 1.2 03 03 TLS 1.3 It's complicated 87

  43. TLS record layer TLS record layer A protocol inside the protocol which has its own meaningless version number 88

  44. We can't update the whole Internet at once 89

  45. When we deploy a new version of TLS we need to still support old versions 90

  46. Let's assume we have a client supporting TLS 1.2 and a server supporting TLS 1.0 91

  47. TLS Version Negotiation TLS Version Negotiation 92

  48. This is very simple This is very simple 93

  49. if (client_max_version < server_max_version) { connection_version = client_max_version; } else { connection_version = server_max_version; } 94

  50. There's no way anyone could possibly get that wrong 95

  51. Okay, we were talking about the real Internet 96

  52. There are Enterprise Products There are Enterprise Products 97

  53. TLS Version Negotiation Enterprise Edition TLS Version Negotiation Enterprise Edition 98

  54. Version intolerance Version intolerance 99

  55. Version intolerance shows up every single time a new TLS version is introduced 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend