Transcript collision Attacks: Breaking Authentication in TLS, IKE, and SSH - PowerPoint PPT Presentation



SLIDE 1

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion

Transcript collision Attacks

Breaking Authentication in TLS, IKE, and SSH

Gaëtan Leurent, Karthikeyan Bhargavan

Inria, France

Dagstuhl Seminar 16012 Symmetric Cryptography

  • G. Leurent, K. Bhargavan (Inria)

Transcript collision Attacks Dagstuhl 16012 1 / 20

SLIDE 2


Key exchange protocols

Diffie-Hellman key exchange:

A → B: g^x mod p
B → A: g^y mod p
Both sides compute k = kdf(g^{xy} mod p)


SLIDE 3


Key exchange protocols

Diffie-Hellman key exchange broken by a Man in the Middle:

A → MitM: g^x        MitM → B: g^{x′}
B → MitM: g^y        MitM → A: g^{y′}
A: k_A = kdf(g^{xy′})    B: k_B = kdf(g^{x′y})
MitM knows k_A and k_B and forwards messages


SLIDE 4


Key exchange protocols

SIGMA protocol: authenticated DH (in practice) [Krawczyk ’03]

A → B: m1 = g^x
B → A: m2 = g^y
Both sides compute k = kdf(g^{xy})
A → B: sign(sk_A, m1 ‖ m2), mac(k, A)
B → A: sign(sk_B, m1 ‖ m2), mac(k, B)

▶ Add PKI: A knows sk_A, pk_B; B knows sk_B, pk_A
▶ Sign the transcript, prove knowledge of k


SLIDE 5


Key exchange protocols

SIGMA protocol: authenticated DH (in practice) [Krawczyk ’03]

A → B: m1 = g^x, info_A
B → A: m2 = g^y, info_B
Both sides compute k = kdf(g^{xy})
A → B: sign(sk_A, h(m1 ‖ m2)), mac(k, A)
B → A: sign(sk_B, h(m1 ‖ m2)), mac(k, B)

▶ Add info for parameter negotiation (flexible format)
▶ Signature uses a hash function (hash-and-sign)


SLIDE 6


Weak Hash Functions in Internet Protocols

▶ Security proofs assume collision-resistance.
▶ In practice, many protocols support weak functions
  ▶ TLS ≤ 1.1 uses combinations of MD5 and SHA1
  ▶ IKE, SSH use SHA1 (MD5 in some cases)
  ▶ Hash-function negotiation for the signature added in TLS 1.2 (2008)
  ▶ Introduces MD5 as an option...

How bad is it?

▶ HMAC-MD5 is still mostly secure
▶ In most cases, the hash includes fresh nonces



SLIDE 9

MD5 AND SHA1 ARE BROKEN? WE PROBABLY DON’T NEED COLLISION RESISTANCE

SLIDE 10


Outline

▶ We show a class of transcript collision attacks
  ▶ a man-in-the-middle can tamper with the key exchange messages
  ▶ if the messages collide, the signature is still valid
▶ Applications to TLS, IKE, SSH key-exchange
▶ Main results: SLOTH attack
  ▶ Almost practical client impersonation for TLS 1.2 with MD5
  ▶ Almost practical break of tls-unique channel binding
    (credential forwarding attack on client authentication mechanisms)


SLIDE 11


Man-in-the-Middle attack against SIGMA’

A → MitM: m1 = g^x, info_A
MitM finds x′, y′, info′_A, info′_B such that
    h(g^x ‖ info_A ‖ g^{y′} ‖ info′_B) = h(g^{x′} ‖ info′_A ‖ g^y ‖ info_B)
MitM → B: m′1 = g^{x′}, info′_A
B → MitM: m2 = g^y, info_B
MitM → A: m′2 = g^{y′}, info′_B
Now h(m1 ‖ m′2) = h(m′1 ‖ m2)
A → MitM: sign(sk_A, m1 ‖ m′2), mac(g^{xy′}, A)
MitM → B: sign(sk_A, m′1 ‖ m2), mac(g^{x′y}, A)   (same signature value, since the hashed transcripts collide)
B → MitM: sign(sk_B, m′1 ‖ m2), mac(g^{x′y}, B)
MitM → A: sign(sk_B, m1 ‖ m′2), mac(g^{xy′}, B)


SLIDE 12


Transcript collisions

MitM finds x′, y′, info′_A, info′_B such that

h(g^x ‖ info_A ‖ g^{y′} ‖ info′_B) = h(g^{x′} ‖ info′_A ‖ g^y ‖ info_B)

1. If g^y and info_B are predictable: generic collision attack
  ▶ Complexity 2^64 for MD5


SLIDE 13


Transcript collisions

MitM finds x′, y′, info′_A, info′_B such that

h(g^x ‖ info_A ‖ g^{y′} ‖ info′_B) = h(g^{x′} ‖ info′_A ‖ g^y ‖ info_B)

2. If there are no message boundaries in the concatenation
  ▶ Assume that garbage after info is ignored
  ▶ Impersonate B with:

T_A = m1 ‖ m′2 = g^x ‖ info_A ‖ g^{y′} ‖ info_M ‖ g^y ‖ info_B,   where info′_B = info_M ‖ g^y ‖ info_B
T_B = m′1 ‖ m2 = g^x ‖ info_A ‖ g^{y′} ‖ info_M ‖ g^y ‖ info_B,   where info′_A = info_A ‖ g^{y′} ‖ info_M

  ▶ Forward signatures, compute A’s key with g^{y′}


SLIDE 14


Transcript collisions

MitM finds x′, y′, info′_A, info′_B such that

h(g^x ‖ info_A ‖ g^{y′} ‖ info′_B) = h(g^{x′} ‖ info′_A ‖ g^y ‖ info_B)

3. If messages are prefixed by their length
  ▶ Assume that garbage after info is ignored
  ▶ Use a chosen-prefix collision attack:

T_A = m1 ‖ m′2 = g^x ‖ len_A ‖ info_A ‖ g^{y′} ‖ len′_B ‖ C1 ‖ g^y ‖ len_B ‖ info_B,   where info′_B = C1 ‖ g^y ‖ len_B ‖ info_B
T_B = m′1 ‖ m2 = g^{x′} ‖ len′_A ‖ C2 ‖ g^y ‖ len_B ‖ info_B,   where info′_A = C2

  ▶ Cost ≈ 2^39 for MD5 (1 hour on 48 cores) [Stevens & al. ’09]
  ▶ Cost ≈ 2^77 for SHA1 or MD5 ‖ SHA-1 [Stevens ’13, Joux ’04]
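As an added illustration (not from the slides), the following Python shows why case 2 works and what removes it: with bare concatenation, A's and B's views of the transcript encode to identical bytes, so even SHA-256 cannot tell them apart, while length-prefixed framing makes the two encodings differ. The field values are constructed placeholders for g^x, info_A and so on; framing only pushes an attacker to case 3, so the hash must still be collision-resistant.

```python
import hashlib

# Constructed placeholder byte strings standing in for the protocol fields of the slide
# (assumption: real DH shares and info blobs are replaced by short labelled strings).
GX, INFO_A = b"g^x", b"info_A"
GY, INFO_B = b"g^y", b"info_B"
GY_PRIME, INFO_M = b"g^y'", b"info_M"   # values chosen by the man-in-the-middle


def naive_transcript(messages):
    """Case 2 of the slide: fields are concatenated with no boundaries at all."""
    return b"".join(field for msg in messages for field in msg)


def framed_transcript(messages):
    """Unambiguous framing: a 2-byte field count per message and a 4-byte length
    before every field, so a sequence of messages has exactly one encoding and
    trailing bytes cannot be re-read as belonging to another field."""
    out = bytearray()
    for msg in messages:
        out += len(msg).to_bytes(2, "big")
        for field in msg:
            out += len(field).to_bytes(4, "big") + field
    return bytes(out)


def two_views():
    """A's and B's views of (m1, m2) from the slide; each side's parser treats the
    trailing bytes of its peer's info field as ignored garbage."""
    view_a = [(GX, INFO_A), (GY_PRIME, INFO_M + GY + INFO_B)]   # m1 ‖ m2'
    view_b = [(GX, INFO_A + GY_PRIME + INFO_M), (GY, INFO_B)]   # m1' ‖ m2
    return view_a, view_b


def transcripts_collide(encode):
    """True when both views hash to the same SHA-256 value under the given encoding."""
    view_a, view_b = two_views()
    return hashlib.sha256(encode(view_a)).digest() == hashlib.sha256(encode(view_b)).digest()


if __name__ == "__main__":
    print("bare concatenation collides:", transcripts_collide(naive_transcript))      # True
    print("length-prefixed framing collides:", transcripts_collide(framed_transcript))  # False
```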


SLIDE 15


TLS 1.2


SLIDE 16


TLS 1.2

▶ Server signs only nonce and DH parameters (not the transcript)
  ▶ Cannot use transcript collisions for server impersonation
  ▶ On the other hand, this allows LogJam
  ▶ In the proposed TLS 1.3 draft, the server signs the transcript
▶ Client sends g^x and signature together
  ▶ No flexible message after sending g^x
  ▶ SIGMA attack not applicable


SLIDE 17


Outline

Introduction Breaking Client Authentication Downgrade Attack Breaking Channel Binding Conclusion


SLIDE 18


Breaking client authentication in TLS 1.2

▶ Assume the client connects to M and authenticates with a certificate also used for S.
▶ We make the client DH share predictable in a bogus group
  ▶ With p = g^2 − g (not prime), ∀x, g^x ≡ g mod p
▶ We can stuff data in
  ▶ ClientHello extensions (C → S)
  ▶ CertificateRequest list of accepted CAs (S → C)

T_C = DI ‖ TI′ ‖ TD′ ‖ TLF′ ‖ SCR(C1, TI ‖ TD ‖ TLF ‖ TDS)
T_S = CH(n_C, C2) ‖ TI ‖ TD ‖ TLF ‖ TDS

▶ Forward the client signature, finish the connection with known DH keys
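An added Python example (not from the slides or the SLOTH work) that first confirms the bogus-group property p = g^2 − g ⇒ g^x ≡ g (mod p), and then shows the parameter checks a client-side DH implementation can apply to reject such a group before computing its share: size, primality (Miller-Rabin) and generator sanity. The size threshold and the Miller-Rabin round count are assumed policy values.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; `rounds` is an assumed parameter (enough to reject p = g^2 - g)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness of compositeness
    return True


def validate_dh_group(p, g, min_bits=2048):
    """Checks a client can apply to peer-supplied DHE parameters before computing g^x.
    Returns 'ok' or the reason for rejection (min_bits is an assumed policy threshold)."""
    if p.bit_length() < min_bits:
        return "p too small"
    if not is_probable_prime(p):
        return "p is not prime"
    if g < 2 or g > p - 2:
        return "g out of range"
    if pow(g, 2, p) == 1:         # g of order 2: only two possible shares
        return "g has tiny order"
    return "ok"


def bogus_group(g):
    """The group from the slide: p = g^2 - g = g(g-1), so g^x ≡ g (mod p) for every x >= 1."""
    return g * g - g, g


def share_is_constant(p, g, exponents=(1, 2, 3, 12345, 2**61 - 1)):
    """True when every sampled secret exponent gives the same, predictable share g."""
    return all(pow(g, x, p) == g for x in exponents)
```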



SLIDE 20


Breaking TLS 1.3 draft

▶ Important changes in TLS 1.3 (draft-11):
  ▶ DH shares sent in Hello messages (1-RTT)
  ▶ Server signs the transcript to authenticate
▶ This makes the SIGMA attack possible against TLS 1.3
▶ Breaks both server and client authentication

T_C = CH(n_c, g^x, ex_c) ‖ SH(n′_s, g^{y′}, ex′_s ‖ C1 ‖ SH(n_s, ex_s))
T_S = CH(n′_c, g^{x′}, ex′_c ‖ C2) ‖ SH(n_s, ex_s)

▶ Note: MD5 and SHA1 have been deprecated in the latest drafts



SLIDE 23


DTLS

▶ DTLS is a UDP version of TLS
▶ It uses a cookie mechanism to protect against DoS
  ▶ Client repeats Hello with cookie
  ▶ Cookie not authenticated
▶ Proposed client_keyshare extension
  ▶ Client DH share sent in ClientHello (borrowed from TLS 1.3)

A → B: CH(n_s, ex_s)
B → A: HVR(ck)
A → B: CH(n_s, ck, ex_s)



With client_keyshare:

A → B: CH(n_s, g^x, ex_s)
B → A: HVR(ck)
A → B: CH(n_s, ck, g^x, ex_s)


SLIDE 25


Breaking client authentication in DTLS 1.2

▶ Hypothetical client/server using DTLS 1.2 + client_keyshare
▶ Man-in-the-Middle has access to the network

C → MitM: CH(n_s, g^x, ex_s)
HVR(ck) returned to C
C → MitM: CH(n_s, ck, g^x, ex_s)
MitM → S: CH(n_s, ck′, g^{x′}, ex′_s)
MitM forwards the remaining handshake messages
C → MitM: CCV(sign(sk_C, h(log_C)))
MitM → S: CCV(sign(sk_C, h(log_S)))
S: k = kdf(g^{x′y})    MitM: k = kdf(g^{x′y})


SLIDE 26


Breaking client authentication in DTLS 1.2

Using a common-prefix collision

▶ We need h(CH(n_s, ck, g^x, ex_s)) = h(CH(n_s, ck′, g^{x′}, ex′_s))
▶ Common-prefix collision attack

CH(n_s, sid, ck, g^x, ex_s)       = IES ‖ n_s ‖ sid  ‖ l_ck  ‖ C1 ‖ g^{x′} ‖ ex′_s ‖ g^x ‖ ex_s
CH(n_s, sid′, ck′, g^{x′}, ex′_s) = IES ‖ n_s ‖ sid′ ‖ l′_ck ‖ C2 ‖ g^{x′} ‖ ex′_s ‖ g^x ‖ ex_s
                                    (the prefix IES ‖ n_s ‖ sid′ is 71 bytes)

▶ 2-block prefix IES ‖ n_s ‖ sid_L
▶ First collision block starts with sid_R, difference in l_ck (byte 7)
▶ Somewhat practical with SHA1 signatures
▶ Constraints on the first block don’t affect the cost much
▶ Estimated complexity ≈ 2^61


SLIDE 27


Outline

Introduction Breaking Client Authentication Downgrade Attack Breaking Channel Binding Conclusion


SLIDE 28


Downgrade attack against TLS 1.0/1.1

▶ The TLS MAC is computed as mac_K(h(log))
  ▶ Collisions in h give forgeries!
  ▶ h is MD5 ‖ SHA-1 in TLS 1.0/1.1
  ▶ CP-collisions in ≈ 2^77
  ▶ h is SHA-256 in TLS 1.2
▶ Downgrade attack
  ▶ Modify Hello messages to negotiate weak ciphers
  ▶ If the transcripts collide, the key exchange is successful
  ▶ Break the weak cipher later and decipher

T_C = CH(n_c, ex_c) ‖ SH(n′_s, ex′_s ‖ C1 ‖ SH(n_s, ex_s))
T_S = CH(n′_c, ex′_c ‖ C2) ‖ SH(n_s, ex_s)


SLIDE 29


Outline

Introduction Breaking Client Authentication Downgrade Attack Breaking Channel Binding Conclusion


SLIDE 30


Channel-binding

▶ Many protocols authenticate only the server during the TLS key-exchange
▶ And authenticate the client inside the session (e.g. SCRAM)
▶ Authentication must be linked to the TLS session to avoid credential forwarding

tls-unique

▶ Use the first MAC (Finished message) as an identifier
▶ Default method for XMPP (Jabber)


SLIDE 31


Breaking tls-unique

▶ Assume the client connects to M and authenticates with a credential also used for S.
▶ As a MitM we choose g^{x′}, g^{y′}
  ▶ We know the keys on both connections
  ▶ We can make the MAC collide with a generic collision attack
▶ tls-unique is a 96-bit identifier
  ▶ Complexity ≈ 2^48 (20 days on 4 GPUs)
  ▶ Security as a MAC is not sufficient



SLIDE 33


Conclusion

SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes https://www.mitls.org/pages/attacks/SLOTH

▶ MD5 is still in standards
▶ Collision attacks do break key-exchange
▶ Also applications to SSH and IKE
▶ TLS libraries removed support for MD5 signatures
▶ Latest TLS 1.3 draft doesn’t truncate the MAC
▶ TLS 1.3 draft removed MD5 and deprecated SHA1 for signatures
▶ tls-unique being withdrawn
