tls
play

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck - PowerPoint PPT Presentation

Jan 18, 2023 •244 likes •693 views

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Find and fix security vulnerabilities and bugs in free soware (Fuzzing Project,

  1. TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Böck https://hboeck.de/ 1

  2. WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Find and fix security vulnerabilities and bugs in free so�ware (Fuzzing Project, supported by Linux Foundation's Core Infrastructure Initiative) Monthly Bulletproof TLS Newsletter 2

  3. EVERY IMAGINABLE TLS IMPLEMENTATION FLAW CAN BE FOUND IN THE WILD. 3

  4. TLS IMPLEMENTATION BUGS 4

  5. OMMITTING CHECKS TLS implementations should check various things to assure correctness of connection, like: Padding (since TLSv1.0) MAC / authentication tag FinishedMessage 5

  6. POODLE TLS The POODLE attack relies on the undefined padding of SSLv3 - TLSv1.0 defines padding. Some implementations didn't check padding. Affects F5, A10, Fortinet, Cisco, IBM, Juniper "The POODLE bites again", Adam Langley (2014) 6

  7. MORE POODLES Maybe you check only some bytes of the padding? Cisco (Cavium), Citrix, GnuTLS "There are more POODLEs in the forest", Yngve Petterssen (2015) 7

  8. MAC / FINISHEDMESSAGE MACE: Completely ommit MAC check (no authentication). F5, Cisco, Fortinet Don't check FinishedMessage (protects handshake). F5, Juniper "The POODLE has friends" (Pettersen, 2015) 8

  9. GCM NONCE REUSE GCM needs a nonce value. If one uses the same nonce and key twice everything falls appart. 9

  10. TLS / GCM NONCES TLS gives no guidance how to select a nonce. A counter is secure. Some implementations get it wrong: Duplicate nonces (Radware, Cavium), random nonces (IBM, A10, Sangfor). "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS", Böck, Zauner, Devlin, Somorovsky, Jovanovic (2016) 10

  11. DIFFIE HELLMAN PARAMETERS Diffie Hellman uses a set of parameters - a prime and a generator. But sometimes the prime isn't prime - why? 11

  12. DIFFIE HELLMAN NON-PRIME socat: new parameters, "prime" is not prime (CVE-2016- 2217). Could that be a backdoor? (see Wong, 2016 ) Internet-wide scan found 500 IPs with non-prime ( Dorey, Chang-Fong, Essex 2016 ) 12

  13. DIFFIE HELLMAN PARAMETER CONFUSION However, some servers in our scans used Java’s DSA primes as p but mistakenly used the DSA group order q in the place of the generator g. We found 5,741 hosts misconfigured this way. This substitution of q for g is likely due to a usability problem: the canonical ASN.1 representation of Diffie-Hellman key exchange parameters (coming from PKCS#3) is a sequence (p, g), while that of DSA parameters (coming from PKIX) is (p, q, g); we conjecture that the confusion between these formats led to a simple programming error. ( Logjam paper, 2015 ) 13

  14. SAFE PRIMES One can use "safe primes" for DH. Or other primes, but then one can't reuse the ephemeral key (OpenSSL, CVE-2016-0701). 14

  15. DH PARAMETER CHECKING IMPOSSIBLE Diffie Hellman parameters can contain undetectable backdoors that cannot be prevented with parameter checking ( Fried, Gaudry, Heninger, Thome 2016 ). 15

  16. RSA-CRT CRT-optimization of RSA: Split private key signature operation into two calculations. Dangerous: If one calculation produces wrong result this leaks the private key. Citrix, Hillstone Networks, ZyXEL, Radware (all Cavium chip), Alteon/Nortel, Viprinet, QNO, BEJY "Factoring RSA Keys With TLS Perfect Forward Secrecy", Florian Weimer (2015) 16

  17. MATH Cryptography is based on mathematics. Math libraries can have bugs. 17

  18. CVE-2014-3570 Bug in BN_sqr() function of OpenSSL. Produces wrong results in some cases. 18

  19. DIFFERENTIAL FUZZ-TESTING CVE-2015-3193: bug in BN_mod_exp() / OpenSSL CVE-2016-1938: bug in mp_div()/mp_exptmod() / NSS CVE-2015-8803/CVE-2015-8804: Bugs in elliptic curve multiplications / Nettle Recently: Several bugs in Poly1305 / OpenSSL CVE-2016-6885/CVE-2016-6886/CVE-2016-6887/CVE-2016- 8671: pstm_exptmod() / MatrixSSL Usually carry propagation bugs, all thanks to american fuzzy lop. 19

  20. BUGS IN CALCULATIONS Hard or impossible to test remotely. Even testing without source tricky. 20

  21. HANDSHAKE SIZE With new extensions and ciphers the TLS handshake grew. F5 load balancers couldn't handle handshakes larger than 256 bytes. 21

  22. "If you use F5/BIG-IP devices to terminate SSL connections, please update the firmware on the things! We're trying to run an Internet here and old versions of these devices are a real problem for deploying new TLS features." ( Adam Langley, 2013 ) 22

  23. 22 F5 HANDSHAKE PROBLEM It turned out F5 load balancers fail with handshakes between 256 and 512 bytes. Solution: If your handshake is bigger than 256 bytes pad it to be bigger than 512 bytes. TLS Padding Extension (RFC 7685). 23

  24. AND THEN... There are other TLS implementations that fail with handshakes bigger than 512 bytes (Cisco Ironport). 24

  25. 25

  26. 25 DOWNGRADES 26

  27. SSL/TLS VERSIONS DURING HANDSHAKE ClientHello: "Dear server, the maximum version I support is TLSv1.2" ServerHello: "I don't support that new TLSv1.2 stuff, let's use TLSv1.0" 27

  28. BUT SOMETIMES... ClientHello: "Dear server, the maximum version I support is TLSv1.2" Server thinks: "I never heard of TLSv1.2... Maybe I better say nothing at all or send an error..." Version intolerance (this is always a server bug) 28

  29. IT'S AN OLD ISSUE Known at least since 2003. 29

  30. WHAT BROWSERS DID Browser tries to connect with TLSv1.2. No answer? Browser retries with TLsv1.1, TLSv1.0, SSLv3. Retries all supported versions. Behavior has been called "Protocol Dance". 30

  31. THE SNI BUG Sometimes bad internet connections caused downgrade from TLSv1.0 to SSLv3 (1.1/1.2 wasn't implemented yet). SSLv3 does not support SNI - therefore wrong certificate. My server was behaving fine - but Mozilla refused to fix it, because they wanted to retain compatibility with broken servers. 31

  32. BLACK HAT 2014 Antoine Delignat-Lavaud presents Virtual Host Confusion attack. 32

  33. POODLE (2014) Padding Oracle On Downgraded Legacy Encryption Another Padding Oracle that only works against SSLv3. Good for the attacker: We can downgrade users. 33

  34. SOLUTION SCSV (RFC 7507): Server signals browser that it is not broken. 34

  35. PROTOCOL DANCE AND SCSV 1. We have a version negotiation mechanism 2. Servers have broken TLS implementations. 3. Browsers implement workaround. 4. Workaround introduces security issue. 5. Workaround for security issue introduced by workaround gets standardized. 35

  36. VERSION INTOLERANCE Issue was known and documented since at least 2003. By now most browser downgrades have been removed. But what about TLS 1.3? 36

  37. VERSION INTOLERANCE "It's taken about 15 years to get to the point where web browsers don't have to work around broken version negotiation in TLS and that's mostly because we only have three active versions of TLS. When we try to add a fourth (TLS 1.3) in the next year, we'll have to add back the workaround, no doubt." Adam Langley (2016) 37

  38. VENDORS IBM: "I expect both releases towards the end of the year as 8.5.5.10 and 9.0.0.1 are already at the tail end of their release processes. Citrix: "Our investigation indicates that this is not a security issue. We also have this issue on our radar and plan to address it in an upcoming Citrix NetScaler version." Cisco: "when it comes to devices or releases that have passed the last day of support (not the end of life), we can't do anything about them." 38

  39. SITE OPERATORS apple.com: no reply paypal.com: "SSL issues are out of scope for PayPal Bug Bounty Program" ebay.com: no reply 39

  40. TLS 1.3 NEW VERSION NEGOTIATION Old version field gets deprecated. List of versions in an extension. Caveat: Instead of two version numbers from which one is useless we'd then have three version numbers from which two are useless. 40

  41. GREASE GREASE (Generate Random Extensions And Sustain Extensibility), proposal by David Benjamin (Google). Reserve garbage values for version numbers (and ciphers, extensions, ...) that get sent ocassionally to make sure implementations don't mess things up too badly. 41

  42. GREASE PARADIGM Design new protocols in a way that they can get deployed despite a broken ecosystem. Create protocols that are hard to mess up. 42

  43. WILL GREASE WORK? It's still possible to create version intolerance in a GREASE- scenario: Just whitelist the GREASE values. Will there be vendors that are so stupid? We'll see. 43

  44. THANKS FOR LISTENING Questions? https://hboeck.de/ 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer

OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer

Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universitt Mnchen, Germany OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer M.Sc. Lukas Schwaighofer Agenda

344 views • 18 slides
Opportunity Act A Workshop, February 29, 2020 SPONSORED BY HAVERHILL EDUCATION COALITION WITH

Opportunity Act A Workshop, February 29, 2020 SPONSORED BY HAVERHILL EDUCATION COALITION WITH

1 HEC SOA Workshop February 29, 2020 Haverhill Plans for the Student Opportunity Act A Workshop, February 29, 2020 SPONSORED BY HAVERHILL EDUCATION COALITION WITH DATA FROM BENCHMARK HAVERHILL SCHOOLS . COM 2 Student Opportunity Act

736 views • 41 slides
Lock Inference in the Presence of Large Libraries Khilan

Lock Inference in the Presence of Large Libraries Khilan

Lock Inference in the Presence of Large Libraries Khilan Gudka, Imperial College London* Tim Harris, Microso8 Research Cambridge Susan Eisenbach, Imperial

438 views • 29 slides
Samba in love with GnuTLS Samba in love with GnuTLS SambaXP 2019 SambaXP 2019 Andreas Schneider

Samba in love with GnuTLS Samba in love with GnuTLS SambaXP 2019 SambaXP 2019 Andreas Schneider

6/6/2019 Samba in love with GnuTLS Samba in love with GnuTLS Samba in love with GnuTLS SambaXP 2019 SambaXP 2019 Andreas Schneider Red Hat Samba Maintainer localhost:8000/?print-pdf#/ 1/51 6/6/2019 Samba in love with GnuTLS About me

781 views • 51 slides
NetKATA Formal System for the Verification of Networks Dexter Kozen Cornell University

NetKATA Formal System for the Verification of Networks Dexter Kozen Cornell University

NetKATA Formal System for the Verification of Networks Dexter Kozen Cornell University AutoMathA 2015 Leipzig 7 May 2015 NetKAT Collaborators Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole

1.03k views • 56 slides
Constraint Satisfaction Constraint Satisfaction Problems Problems Some material from: D Lin, J

Constraint Satisfaction Constraint Satisfaction Problems Problems Some material from: D Lin, J

RN, Chapter 5 Constraint Satisfaction Constraint Satisfaction Problems Problems Some material from: D Lin, J You, JC Latombe 1 Search Overview Introduction to Search Blind Search Techniques Heuristic Search Techniques

1.09k views • 83 slides
THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I?

THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux

457 views • 35 slides
Cornwall Park Home Residents Event 1 st November 2019 St. Erme Community Centre Information

Cornwall Park Home Residents Event 1 st November 2019 St. Erme Community Centre Information

Information Classification: CONTROLLED Cornwall Park Home Residents Event 1 st November 2019 St. Erme Community Centre Information Classification: CONTROLLED Park Home Residents Survey 2019 Information Classification: CONTROLLED

522 views • 28 slides
Ian Go Gough gh Lond London on School hool of of Econ onom omics ICH ICHEM, CB CBOS OS

Ian Go Gough gh Lond London on School hool of of Econ onom omics ICH ICHEM, CB CBOS OS

Ian Go Gough gh Lond London on School hool of of Econ onom omics ICH ICHEM, CB CBOS OS A AND ND IPR PR SE SEMI MINAR Un Univ iversity ty of of Bath th 20 Feb ebruary 2 2018 What are the social impacts of climate

873 views • 49 slides
Social'balance'and'cohesion'are' core'to'successful'communities

Social'balance'and'cohesion'are' core'to'successful'communities

A ction'for B alanced C ommunities AN#INITIATIVE#FORMED#WITH#COMMUNITY#SUPPORT#FROM Chandos(Road(Community(Associa1on Cli3on(&(Hotwells(Improvement(Society Cli3on(Down(Community(Associa1on Hampton(Park(and(Cotham(Hill(Community(Group

609 views • 12 slides
The final word on the application of the statutory priority regime to insolvent corporate

The final word on the application of the statutory priority regime to insolvent corporate

The final word on the application of the statutory priority regime to insolvent corporate trustees: High Court decision in Re Amerind Christopher Caleo QC (Chair) Stewart Maiden QC Christopher Brown Liability limited by a scheme approved under

627 views • 24 slides
Research Reactors: Purpose and Future Danas Ridikas, Mikhail Khoroshev Presented by Mikhail

Research Reactors: Purpose and Future Danas Ridikas, Mikhail Khoroshev Presented by Mikhail

Research Reactors: Purpose and Future Danas Ridikas, Mikhail Khoroshev Presented by Mikhail Khoroshev Nuclear Power Technology Development Section Former: Research Reactor Section Department of Nuclear Energy Joint ICTP/IAEA Workshop

788 views • 42 slides
Jian Tang, Yibing Zhang Sun Yat-Sen University, Guangzhou Yu-Feng Li Institute of High-Energy

Jian Tang, Yibing Zhang Sun Yat-Sen University, Guangzhou Yu-Feng Li Institute of High-Energy

Search for new physics with accelerator neutrino experiments Jian Tang, Yibing Zhang Sun Yat-Sen University, Guangzhou Yu-Feng Li Institute of High-Energy Physics, CAS Emilio Ciuffoli, Jarah Evslin, Qiang Fu Institute of Modern Physics, CAS

803 views • 23 slides
FREIA Laboratory Facility for Research Instrumentation and Accelerator Development Roger Ruber

FREIA Laboratory Facility for Research Instrumentation and Accelerator Development Roger Ruber

FREIA Laboratory Facility for Research Instrumentation and Accelerator Development Roger Ruber Inst. fr fysik och astronomi 24 mars 2014, Uppsala What & Whom? Facility for Research Instrumentation and Accelerator Development

359 views • 11 slides
Tyler C. Borgwardt Tyler C. Borgwardt South Dakota School of Mines and Technology Prepared for:

Tyler C. Borgwardt Tyler C. Borgwardt South Dakota School of Mines and Technology Prepared for:

Tyler C. Borgwardt Tyler C. Borgwardt South Dakota School of Mines and Technology Prepared for: 1 st International Electronic Conference on Geosciences Benefits of Photon Activation Analysis Broad spectrum, typically 30+ elements can be

507 views • 18 slides
FREIA Facility for Research Instrumentation and Accelerator Development Infrastructure and

FREIA Facility for Research Instrumentation and Accelerator Development Infrastructure and

FREIA Facility for Research Instrumentation and Accelerator Development Infrastructure and Control Architecture Konrad Gajewski 10 September 2013, Uppsala Why FREIA? Several circumstances test stand for ESS needs large experiment space

531 views • 16 slides
Deep learning to diagnose the neutron star Kenji Fukushima The University of Tokyo Based on

Deep learning to diagnose the neutron star Kenji Fukushima The University of Tokyo Based on

Deep learning to diagnose the neutron star Kenji Fukushima The University of Tokyo Based on work with Yuki Fujimoto, Koichi Murase Deep Learning and Physics 2018 June 2, 2018 @ Osaka 1 Disclaimer I am a user of the deep

619 views • 24 slides
ANDES progress Meeting WP2: Uncertainties and covariances of nuclear data Task 2.4: Covariances

ANDES progress Meeting WP2: Uncertainties and covariances of nuclear data Task 2.4: Covariances

1 ANDES progress Meeting WP2: Uncertainties and covariances of nuclear data Task 2.4: Covariances for activation, decay and fission yields O. Cabellos Universidad Politcnica de Madrid (UPM) 19th November, 2010 NEA Data Bank,

314 views • 14 slides
Limitations of Optimization for Multi-site NFV Network Service Delivery Use Cases and Early

Limitations of Optimization for Multi-site NFV Network Service Delivery Use Cases and Early

Limitations of Optimization for Multi-site NFV Network Service Delivery Use Cases and Early Analysis Andy Veitch Premise Orchestration with integrated planning algorithms for SDN/NFV is necessary to deliver optimal utilization of compute

168 views • 16 slides
Modeling Framework for Detecting HEU in Seaborne Containers DNDO Grant Project Gary M. Gaukler

Modeling Framework for Detecting HEU in Seaborne Containers DNDO Grant Project Gary M. Gaukler

Modeling Framework for Detecting HEU in Seaborne Containers DNDO Grant Project Gary M. Gaukler Texas A&M University TAMU DNDO Research Effort combines Nuclear detector research Inverse and forward transportation calculation

398 views • 26 slides
NFV Testing Jose Lausuch (Ericsson) Trevor Cooper (Intel) Agenda NFV Testing with Open Source

NFV Testing Jose Lausuch (Ericsson) Trevor Cooper (Intel) Agenda NFV Testing with Open Source

NFV Testing Jose Lausuch (Ericsson) Trevor Cooper (Intel) Agenda NFV Testing with Open Source Projects Role of CI Performance Testing Intro to OPNFV OPNFV testing and integration project Additions Enhancements OPNFV testing and

547 views • 29 slides
Entrepreneurship and human capital development in children Neda Trifkovi University of

Entrepreneurship and human capital development in children Neda Trifkovi University of

Entrepreneurship and human capital development in children Neda Trifkovi University of Copenhagen With Kasper Brandt, Longinus Rutasitara, Onesmo Selejio NCDE, Helsinki 12 June 2018 Email: neda.trifkovic@econ.ku.dk Introduction

449 views • 18 slides
Thinking Like a Chemist About Electrochemistry III Potential, Free Energy & K UNIT 8 DAY 6

Thinking Like a Chemist About Electrochemistry III Potential, Free Energy & K UNIT 8 DAY 6

Thinking Like a Chemist About Electrochemistry III Potential, Free Energy & K UNIT 8 DAY 6 What are we going to learn today? Determine Voltage in Electrochemical Cells Containing Different Concentrations of Reactants Relationship between

321 views • 15 slides
Router Architectures CPU CPU Memory Memory packets NFE NFE Processor Processor Line Card

Router Architectures CPU CPU Memory Memory packets NFE NFE Processor Processor Line Card

Router Architectures CPU CPU Memory Memory packets NFE NFE Processor Processor Line Card Line Card Line Card CPU CPU CPU Line Card Line Card #1 #1 #4 Memory Memory Memory #4 #4 CPU CPU CPU CPU Line Card Line Card Line

1.15k views • 9 slides

More recommend