tls record protocol security analysis and defense in
play

TLS Record Protocol: Security Analysis and Defense-in-depth - PowerPoint PPT Presentation

May 03, 2023 •167 likes •793 views

TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier Levillain, Baptiste Gourdin, Herv Debar ANSSI, Sekoia, Tlcom SudParis ASIACCS 2015 Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol

  1. TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier Levillain, Baptiste Gourdin, Hervé Debar ANSSI, Sekoia, Télécom SudParis ASIACCS 2015 Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 1 / 31

  2. TLS in a nutshell Client Server ClientHello ServerHello Certificate Two phases ServerHelloDone ◮ secure channel establishment ClientKeyExchange ChangeCipherSpec ◮ algorithm negotiation Finished ◮ server authentication ChangeCipherSpec ◮ key exchange to obtain a shared secret Finished ◮ application data exchanges using this Application Data channel Cleartext Ciphertext Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 2 / 31

  3. TLS in a nutshell Client Server ClientHello ServerHello Certificate Two phases ServerHelloDone ◮ secure channel establishment ClientKeyExchange ChangeCipherSpec ◮ algorithm negotiation Finished ◮ server authentication ChangeCipherSpec ◮ key exchange to obtain a shared secret Finished ◮ application data exchanges using this Application Data channel Cleartext Ciphertext This talk focuses on the second phase, the Record Protocol Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 2 / 31

  4. TLS Record Protocol After the handshake, records can be protected using 3 different schemes: Plaintext P |P| < 2 14 Compression (optional) Compressed C |C| < |P| + 1024 MAC MAC C MAC C MAC Padding AEAD step P Encryption (XOR) C C MAC MAC a d Encryption (CBC) MAC'ed then MAC'ed then Padded Authenticated and Encrypted record then Encrypted record Encrypted record Stream cipher mode CBC mode AEAD mode Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 3 / 31

  5. Well, all started... in 2011 ◮ 2011 : BEAST ◮ CBC mode with implicit IV ◮ 2012 : CRIME (followed by TIME and BREACH) ◮ Compression attacks ◮ 2013 - 2014 : Lucky13 (followed by POODLE) ◮ CBC Padding Attacks ◮ 2014 : RC4 biases (no real name) ◮ RC4 statistical biases Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 4 / 31

  6. The cookie monsters ◮ BEAST, TIME, CRIME, BREACH, Lucky13, POODLE, RC4 biases, ... ◮ all the PoCs went after cookies ◮ all relies on having the cookie repeated inside the TLS channel Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 5 / 31

  7. Model Web Application (PHP, Python, NodeJS, …) Application page (Django, ...) Web Server Web Client HTTP + SSL/TLS (Chrome, Firefox, IE, ...) Session Cookie (Apache2, IIS, Nginx) Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 6 / 31

  8. RFC6265: HTTP State Management Mechanism Web Client Server application setcookie('session_id', 'C564A5F3EB', httponly, secure) Set-Cookie: session_id=C564A5F3EB; httponly;secure Cookie: session_id=C564A5F3EB $_COOKIE['session_id'] $_COOKIE['session_id'] contains 'C564A5F3EB' contains 'C564A5F3EB' Cookie: session_id=C564A5F3EB $_COOKIE['session_id'] $_COOKIE['session_id'] contains 'C564A5F3EB' contains 'C564A5F3EB' Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 7 / 31

  9. Attacker Model Attacker Web Application (PHP, Python, NodeJS, …) Application Attacker (Django, ...) page Page Web Server Web Client HTTP + SSL/TLS (Chrome, Firefox, IE, ...) (Apache2, IIS, Nginx) Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 8 / 31

  10. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  11. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  12. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  13. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  14. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  15. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  16. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  17. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  18. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  19. Summary of the proposed countermeasures Countermeasures Beast L 13 RC4 * IME POODLE Structural changes to TLS Use TLS 1.0 + Use TLS 1.1 + + Encrypt-then-MAC + Changes related to TLS ciphersuites or compression methods Use CBC mode + Use RC4 + + + Use a new stream cipher + + + + Use AEAD (TLS 1.2) + + + + No TLS compression + Changes related to TLS implementations 1 / n − 1 split + Constant-time CBC + Anti poodle splitting + Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 9 / 31

  20. Summary ◮ Since 2011, seven attacks affecting the Record Protocol Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 10 / 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline

Cryptographic Analysis of TLS Kenny Paterson FOSAD 2013 Information Security Group 1 Outline TLS overview TLS Record Protocol Theory Attacks Security analysis TLS Handshake Protocol Security analysis Discussion 2

1.78k views • 173 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View

Automated Reasoning for Security Protocol Analysis The ASW Protocol Revisited: A Unified View Paul Hankes Drielsma and Sebastian M odersheim Information Security, ETH Zurich ARSPA Paul Hankes Drielsma 1 Introduction ASW: an

508 views • 14 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver Florian Adamsky,

Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver Florian Adamsky,

Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver Security Analysis of the Micro Transport Protocol with a Misbehaving Receiver Florian Adamsky, Syed Ali Khayam, Rudolf Jger and Muukrishnan Rajarajan The 4th

557 views • 38 slides
OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte

OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte

GSM/3G security Implementing GSM protocols Security analysis Summary OpenBSC network-side GSM stack A tool for GSM protocol level security analysis Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de SSTIC

1.16k views • 34 slides
Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy

Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy

Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy Durgin, Patrick Lincoln John Mitchell, Andre Scedrov July 3 rd , 2000 CSFW-13 Cambridge, UK Representing Security Protocols Several recent

632 views • 38 slides
1958: Americas Response to Sputnik U.S. Defense budget increased to a peace- time record

1958: Americas Response to Sputnik U.S. Defense budget increased to a peace- time record

1958: Americas Response to Sputnik U.S. Defense budget increased to a peace- time record $74 billion DARPA - Defense Advanced Research Projects Agency National Defense Education Act $3 billion invested in high schools and

423 views • 28 slides
Defense Security Service Defense Security Service Cybersecurity Operations Division

Defense Security Service Defense Security Service Cybersecurity Operations Division

UNCLASSIFIED//FOUO Defense Security Service Defense Security Service Cybersecurity Operations Division Counterintelligence UNCLASSIFIED//FOUO UNCLASSIFIED Defense Security Service DSS Mission Capability DSS Supports national security and

490 views • 33 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 4: Security

348 views • 34 slides
Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

IN3210 Network Security Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals: Authentication Integrity Confidentiality Transparent security protocol between TCP and application

1k views • 66 slides
Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond, Jolyon.Clulow}@cl.cam.ac.uk Workshop on Automated Reasoning for Security Protocols Analysis (ARSPA 2004) 4 th July 2004 Outline An introduction to

764 views • 31 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 3: Coding

527 views • 36 slides
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code for applications and malware is not

1.1k views • 58 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 2: A

530 views • 41 slides
Dynamo: Theme and Varia0ons @shanley Riak 150

Dynamo: Theme and Varia0ons @shanley Riak 150

Dynamo: Theme and Varia0ons @shanley Riak 150 Services Global access Mul3ple machines

1.07k views • 93 slides
Childrens National Health System Engaging Patients and Families at the Point of Care Kathleen

Childrens National Health System Engaging Patients and Families at the Point of Care Kathleen

Childrens National Health System Engaging Patients and Families at the Point of Care Kathleen Chavanu Gorman, MSN, RN, FAAN EVP, Patient Care Services and COO National Academy of Medicine May 18, 2016 Childrens National 1870-2016

319 views • 21 slides
Interactive Exploratory Data Visualization in R A workshop introduction to loon and related

Interactive Exploratory Data Visualization in R A workshop introduction to loon and related

Interactive Exploratory Data Visualization in R A workshop introduction to loon and related packages Wayne Oldford June 6, 2020 Making this work 1. You should already have your machine set up as described in the preparations Most recent R

917 views • 25 slides
Lifelong Visual Mapping Linguang Zhang Princeton Vision Group Papers Toward lifelong object

Lifelong Visual Mapping Linguang Zhang Princeton Vision Group Papers Toward lifelong object

Lifelong Visual Mapping Linguang Zhang Princeton Vision Group Papers Toward lifelong object segmentation from change detection in dense rgb-d maps. Towards Semantic KinectFusion. Slam++: Simultaneous localisation and mapping at the

640 views • 37 slides
polymorphism (intro only) Class class Nov. 24, 2017 1 Primitive Type Conversion double In

polymorphism (intro only) Class class Nov. 24, 2017 1 Primitive Type Conversion double In

COMP 250 Lecture 33 type conversion polymorphism (intro only) Class class Nov. 24, 2017 1 Primitive Type Conversion double In COMP 273, you will non-integers learn details of how float number representations long are related to each

823 views • 37 slides
Shared Portable Moodle Taking online learning offline to support disadvantaged students Stephen

Shared Portable Moodle Taking online learning offline to support disadvantaged students Stephen

Shared Portable Moodle Taking online learning offline to support disadvantaged students Stephen Grono, School of Education sgrono2@une.edu.au University of New England, Armidale @calvinbal Shared Portable Moodle Taking online learning

343 views • 22 slides
Instance Variables The JOptionPane Class The JOptionPane Class displays a dialog for user

Instance Variables The JOptionPane Class The JOptionPane Class displays a dialog for user

Instance Variables The JOptionPane Class The JOptionPane Class displays a dialog for user information and interaction... ... it is part of the javax.swing package and must be imported before you can use it. import

1.12k views • 76 slides
Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-1 Overview Problems What can go wrong if you naively use ciphers Cipher types Stream or block ciphers? Networks Link vs

1.79k views • 129 slides

More recommend