transcript collision attacks
play

Transcript collision Attacks Breaking Authentication in TLS, IKE, - PowerPoint PPT Presentation

Mar 07, 2024 •40 likes •370 views

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

  1. Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20 Gaëtan Leurent, Karthikeyan Bhargavan Inria, France Dagstuhl Seminar 16012 Symmetric Cryptography

  2. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 2 / 20 Key exchange protocols Conclusion Channel Binding Downgrade Attack A B g x mod p g y mod p k = kdf ( g xy mod p ) k = kdf ( g xy mod p ) Diffje-Hellman key exchange

  3. Introduction g x Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) Client Authentication g y Key exchange protocols Conclusion Channel Binding Downgrade Attack 2 / 20 A MitM B g x ′ g y ′ k A = kdf ( g xy ′ ) Knows k A , k B k B = kdf ( g x ′ y ) Forwards messages Diffje-Hellman key exchange broken by Man in the Middle

  4. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 2 / 20 Conclusion Key exchange protocols Channel Binding Downgrade Attack A B m 1 = g x m 2 = g y k = kdf ( g xy ) k = kdf ( g xy ) sign ( sk A , m 1 ‖ m 2 ), mac ( k , A ) sign ( sk B , m 1 ‖ m 2 ), mac ( k , B ) SIGMA protocol: authenticated DH (in practice) [Krawczyk ’03] ▶ Add PKI: A known sk A , pk b , B knows sk B , pk A ▶ Sign transcript, prove knowledge of k

  5. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 2 / 20 Conclusion Key exchange protocols Channel Binding Downgrade Attack A B m 1 = g x , info A m 2 = g y , info B k = kdf ( g xy ) k = kdf ( g xy ) sign ( sk A , h ( m 1 ‖ m 2 )), mac ( k , A ) sign ( sk B , h ( m 1 ‖ m 2 )), mac ( k , B ) SIGMA protocol: authenticated DH (in practice) [Krawczyk ’03] ▶ Add info for parameters negotiation (flexible format) ▶ Signature uses a hash function (hash-and-sign)

  6. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) How bad is it? 3 / 20 Conclusion Weak Hash Functions in Internet Protocols Channel Binding Downgrade Attack ▶ Security proofs assume collision-resistance. ▶ In practice, many protocols support weak functions ▶ TLS ≤ 1.1 uses combinations of MD5 and SHA1 ▶ IKE, SSH use SHA1 (MD5 in some cases) ▶ Hash-function negotiation for the signature added in TLS 1.2 (2008) ▶ Introduces MD5 as an option... ▶ HMAC-MD5 is still mostly secure ▶ In most cases, the hash include fresh nonces

  7. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) How bad is it? 3 / 20 Conclusion Weak Hash Functions in Internet Protocols Channel Binding Downgrade Attack ▶ Security proofs assume collision-resistance. ▶ In practice, many protocols support weak functions ▶ TLS ≤ 1.1 uses combinations of MD5 and SHA1 ▶ IKE, SSH use SHA1 (MD5 in some cases) ▶ Hash-function negotiation for the signature added in TLS 1.2 (2008) ▶ Introduces MD5 as an option... ▶ HMAC-MD5 is still mostly secure ▶ In most cases, the hash include fresh nonces

  8. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) How bad is it? 3 / 20 Conclusion Weak Hash Functions in Internet Protocols Channel Binding Downgrade Attack ▶ Security proofs assume collision-resistance. ▶ In practice, many protocols support weak functions ▶ TLS ≤ 1.1 uses combinations of MD5 and SHA1 ▶ IKE, SSH use SHA1 (MD5 in some cases) ▶ Hash-function negotiation for the signature added in TLS 1.2 (2008) ▶ Introduces MD5 as an option... ▶ HMAC-MD5 is still mostly secure ▶ In most cases, the hash include fresh nonces

  9. MD5 AND SHA1 ARE BROKEN? MD5 AND SHA1 ARE BROKEN? WE PROBABLY DON’T NEED WE PROBABLY DON’T NEED COLLISION RESISTANCE COLLISION RESISTANCE

  10. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 5 / 20 Conclusion Outline Channel Binding Downgrade Attack ▶ We show a class of transcript collision attack ▶ man-in-the-middle can tamper with the key exchange messages ▶ if messages collide, signature still valid ▶ Applications to TLS, IKE, SSH key-exchange ▶ Main results: SLOTH attack ▶ Almost practical client impersonation for TLS 1.2 with MD5 ▶ Almost practical break of tls-unique channel binding (credential forwarding attack on client authentication mechanisms)

  11. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) B A 6 / 20 Conclusion Downgrade Attack Channel Binding Man-in-the-Middle attack against SIGMA’ A MitM B m 1 = g x , info A Finds x ′ , y ′ , info ′ A , info ′ B s.t. h ( g x ‖ info A ‖ g y ′ ‖ info ′ B ) = h ( g x ′ ‖ info ′ A ‖ g y ‖ info B ) 1 = g x ′ , info ′ m ′ 2 = g y ′ , info ′ m ′ m 2 = g y , info B h ( m 1 ‖ m ′ 2 ) = h ( m ′ 1 ‖ m 2 ) 2 ), mac ( g xy ′ , A ) sign ( sk A , m ′ 1 ‖ m 2 ), mac ( g x ′ y , A ) sign ( sk A , m 1 ‖ m ′ 2 ), mac ( g xy ′ , B ) 1 ‖ m 2 ), mac ( g x ′ y , B ) sign ( sk B , m 1 ‖ m ′ sign ( sk B , m ′

  12. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 7 / 20 Conclusion Transcript collisions Channel Binding Downgrade Attack Finds x ′ , y ′ , info ′ A , info ′ B s.t. h ( g x ‖ info A ‖ g y ′ ‖ info ′ B ) = h ( g x ′ ‖ info ′ A ‖ g y ‖ info B ) 1 If g y and info B are predictable, generic collision attack ▶ Complexity 2 64 for MD5

  13. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) A B 7 / 20 Downgrade Attack Channel Binding Conclusion Transcript collisions Finds x ′ , y ′ , info ′ A , info ′ B s.t. h ( g x ‖ info A ‖ g y ′ ‖ info ′ B ) = h ( g x ′ ‖ info ′ A ‖ g y ‖ info B ) 2 If no message boundaries in concatenation ▶ Assume that garbage after info is ignored ▶ Impersonate B with: 2 = g x ‖ info A ‖ g y ′ ‖ info M ‖ g y ‖ info B T A = m 1 ‖ m ′ 􏿌􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏿎 info ′ T B = m ′ 1 ‖ m 2 = g x ‖ info A ‖ g y ′ ‖ info M ‖ g y ‖ info B 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 info ′ ▶ Forward signatures, compute A’s key with g y ′

  14. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) A C 2 B 7 / 20 Downgrade Attack Transcript collisions Channel Binding Conclusion Finds x ′ , y ′ , info ′ A , info ′ B s.t. h ( g x ‖ info A ‖ g y ′ ‖ info ′ B ) = h ( g x ′ ‖ info ′ A ‖ g y ‖ info B ) 3 If messages prefixed by message length ▶ Assume that garbage after info is ignored ▶ Use a chosen-prefix collision attack: 2 = g x ‖ len A ‖ info A ‖ g y ′ ‖ len ′ T A = m 1 ‖ m ′ B ‖ C 1 ‖ g y ‖ len B ‖ info B 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 info ′ 1 ‖ m 2 = g x ′ ‖ len ′ T B = m ′ A ‖ ‖ g y ‖ len B ‖ info B 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 info ′ ▶ Cost ≈ 2 39 for MD5 (1 hour on 48 cores) [Stevens & al. ’09] ▶ Cost ≈ 2 77 for SHA1 or MD5 ‖ SHA-1 [Stevens ’13, Joux ’04]

  15. Introduction Client Authentication Downgrade Attack Channel Binding Conclusion TLS 1.2 G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 8 / 20

  16. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 8 / 20 TLS 1.2 Conclusion Channel Binding Downgrade Attack ▶ Server signs only nonce and DH parameters (not transcript) ▶ Cannot use transcript collisions for server impersonation ▶ On the other hand, this allows LogJam ▶ In proposed TLS 1.3 draft, server signs transcript ▶ Client sends g x and signature together ▶ Not flexible message after sending g x ▶ SIGMA attack not applicable

  17. Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Outline Introduction Breaking Client Authentication Downgrade Attack Breaking Channel Binding Conclusion G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 9 / 20

  18. Introduction Client Authentication Dagstuhl 16012 Transcript collision Attacks G. Leurent, K. Bhargavan (Inria) 10 / 20 Conclusion Breaking client authentication in TLS 1.2 Channel Binding Downgrade Attack ▶ Assume client connects to M , authenticates with certificate also used for S . ▶ We make the client DH share predictable in a bogus group ▶ With p = g 2 − g (not prime), ∀ x , g x ≡ g mod p ▶ We can stufg data in ▶ ClientHello extensions ( C → S ) ▶ CertificateRequest list of accepted CA ( S → C ) T C = 𝙳𝙸‖𝚃𝙸 ′ ‖𝚃𝙳 ′ ‖𝚃𝙻𝙵 ′ ‖ SCR ( C 1 , 𝚃𝙸‖𝚃𝙳‖𝚃𝙻𝙵‖𝚃𝙳𝚂) T S = CH ( n C , C 2 )‖𝚃𝙸‖𝚃𝙳‖𝚃𝙻𝙵‖𝚃𝙳𝚂 ▶ Forward the client signature, Finish connection with known DH keys

  19. Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Breaking client authentication in TLS 1.2 G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 10 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]: automatic suggestions about the motions of objects immediately following a collision; animation systems using dynamical simulation inherently must respond

767 views • 53 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav Nad 2 , Martin Schl affer 2 Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium Graz University of Technology, IAIK, Austria FSE 2012

650 views • 34 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

442 views • 28 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

800 views • 10 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision

Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision

Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision detection: Where precisely have objects touched, where to apply forces, torques? Collision Response The following is an equation for Rigid Body

1.06k views • 79 slides
Q44.2 Consider the collision p + p -> p + p + 0 p + p + Consider the collision p + p

Q44.2 Consider the collision p + p -> p + p + 0 p + p + Consider the collision p + p

Q44.2 Consider the collision p + p -> p + p + 0 p + p + Consider the collision p + p A. It is exoergic. g B. It is endoergic C These terms dont apply to this type of collision C. These terms don t apply to this type of collision

596 views • 20 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views • 20 slides
I. Introduction II. Collision of Domain Walls in 5D Minkowski Space III. Reheating by Collision

I. Introduction II. Collision of Domain Walls in 5D Minkowski Space III. Reheating by Collision

I. Introduction II. Collision of Domain Walls in 5D Minkowski Space III. Reheating by Collision of Branes IV. Fermion Localization at Collision V. Collision of Domain Walls in Asymptotically AdS Space VI. Summary Kei-ichi Maeda Waseda Univ.

451 views • 26 slides
Class 29: More collisions Simple collision problem in 1D Before collision: m 1 m 2 #2 v 2i v 1i

Class 29: More collisions Simple collision problem in 1D Before collision: m 1 m 2 #2 v 2i v 1i

Class 29: More collisions Simple collision problem in 1D Before collision: m 1 m 2 #2 v 2i v 1i #1 After collision: m 2 m 1 #1 v 1f v 2f #2 Equation of motion: m 1 v 1i + m 2 v 2i = m 1 v 1f + m 2 v 2f Can solve for any one unknown from v 1i , v

452 views • 9 slides
Collision Detection http://www.cse.iitd.ac.in/ Collision Detection IIT Delhi Collision handling

Collision Detection http://www.cse.iitd.ac.in/ Collision Detection IIT Delhi Collision handling

IIT Delhi Collision Detection http://www.cse.iitd.ac.in/ Collision Detection IIT Delhi Collision handling is fundamental to animation or dynamic scenes in virtual environments. http://www.cse.iitd.ac.in/ Applications IIT Delhi Games

519 views • 23 slides
From the Bluetooth Standard to Standard-Compliant 0-days Daniele Antonioli and Mathias Payer

From the Bluetooth Standard to Standard-Compliant 0-days Daniele Antonioli and Mathias Payer

Hardwear.io Virtual Con 2020 From the Bluetooth Standard to Standard-Compliant 0-days Daniele Antonioli and Mathias Payer Daniele Antonioli ( @francozappa ) Mathias Payer ( @gannimo ) From the Bluetooth Standard to Standard-Compliant 0-days 1

876 views • 35 slides
Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with

Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with

Breaking and Fixing Public-Key Kerberos Iliano Cervesato - Tulane University (Joint work with A. D. Jaggard, A. Scedrov, J.-K. Tsay, and C. Walstad) Partially supported by ONR and NSF Information and Software Engineering Department 30

278 views • 26 slides
Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle attack Diffie-Hellman Alice Bob new na new nb g na g nb K = (g nb ) na K = (g na ) nb Man-in-the-middle attack Diffie-Hellman Alice Bob Alice

401 views • 25 slides
1 Multilevel Security Different security levels for resources Important systems A

1 Multilevel Security Different security levels for resources Important systems A

Last time Threats Introduction Threat analysis Policy Introduction to access Specification control matrix Design Implementation Operation and Maintenance 7/10 - 05 Distributed systems - Jonny Pettersson, UmU 1 Security in the

444 views • 13 slides
Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from

Lecture 7 Public Key Cryptography I: Encryption + Signatures [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and

478 views • 23 slides
DiffieHellman Key Exchange Algorithm Analysis of DHKE Man-in-the-Middle Attack on DHKE

DiffieHellman Key Exchange Algorithm Analysis of DHKE Man-in-the-Middle Attack on DHKE

Cryptography DiffieHellman Key Exchange DiffieHellman Key Exchange DiffieHellman Key Exchange Algorithm Analysis of DHKE Man-in-the-Middle Attack on DHKE Cryptography Implementations of DHKE DiffieHellman in School of

753 views • 18 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
Operating Channel Validation M. Vanhoef 1 , N. Bhandaru 2 , T. Derham 2 , I. Ouzieli 3 , F.

Operating Channel Validation M. Vanhoef 1 , N. Bhandaru 2 , T. Derham 2 , I. Ouzieli 3 , F.

Operating Channel Validation M. Vanhoef 1 , N. Bhandaru 2 , T. Derham 2 , I. Ouzieli 3 , F. Piessens 1 1 KU Leuven 2 Broadcom 3 Intel WiSec, Stockholm (Sweden), 18 June 2018 Contributions Paper: attacks & high-level defense

703 views • 18 slides

More recommend