
Uncovering Cryptographic Failures with Internet-Wide Measurement - PowerPoint PPT Presentation



  1. Uncovering Cryptographic Failures with Internet-Wide Measurement
     Zakir Durumeric, University of Michigan

  2. Who am I?
     My research focuses on measurement-driven security.
     - Developing tools for researchers to better measure the Internet
     - Using this perspective to understand how systems are deployed in practice

  3. Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security
     Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Kurt Thomas, Vijay Eranti, Nicholas Lidzborski, Elie Bursztein, Michael Bailey, J. Alex Halderman

  4. E-mail Security in Practice
     As originally conceived, SMTP had no built-in security.
     We've extended SMTP with new extensions to:
     1. Encrypt e-mail in transit
     2. Authenticate email on receipt
     However, deployment is voluntary and message security is hidden from the end user.

  5. STARTTLS: TLS for SMTP
     Allow a TLS session to be started during an SMTP connection; mail is transferred over the encrypted session.
     [Diagram: Sender (Alice) -> sender mail server (smtp.source.com) -> recipient mail server (smtp.destination.com) -> Recipient (Bob), with a passive eavesdropper on the path]

  6. STARTTLS Protocol
     TCP handshake
     Recipient: 220 Ready
     Sender:    EHLO
     Recipient: 250 STARTTLS
     Sender:    STARTTLS
     Recipient: 220 Go ahead
     TLS negotiation
     Encrypted email

  7. Opportunistic Encryption Only
     Unlike HTTPS, STARTTLS is used opportunistically:
     - Senders do not validate destination servers
     - The alternative is cleartext
     - Many servers do not support STARTTLS
     "A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure." (RFC 3207)

  8. STARTTLS Usage as seen by Gmail

  9. STARTTLS Usage as seen by Gmail
     [Chart annotation: Yahoo and Hotmail deploy STARTTLS]

  10. [Chart (STARTTLS usage as seen by Gmail): Percent of Gmail Connections, Inbound and Outbound, 0 to 100 percent, 01/2014 to 03/2015; the Poodle vulnerability is annotated on the timeline]

  11. Long Tail of Mail Operators
     These numbers are dominated by a few large providers.
     Of the Alexa Top 1M with mail servers:
     - 81.8% support STARTTLS
     - 34% have certificates that match the MX server
     - 0.6% have certificates that match the domain (which would allow true authentication)
     Not currently feasible to require STARTTLS

  12. Attack 1: STARTTLS Stripping
     TCP handshake
     Recipient: 220 Ready
     Sender:    EHLO
     Recipient: 250 XXXXXXXX  (in place of 250 STARTTLS, overwritten in transit)
     Cleartext email
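The two exchanges on slides 6 and 12 differ only in what the sending MTA sees in the EHLO reply. The Python below is an added example, not code from the talk or from any of the measured mail systems: it parses two constructed EHLO replies (one advertising STARTTLS, one with the keyword overwritten as on slide 12), shows why an opportunistic sender silently falls back to cleartext, and contrasts that with a require-TLS policy. The hostnames, the SIZE value and the `looks_stripped` heuristic are assumptions made for the example.

```python
import re

# Constructed EHLO replies for a hypothetical destination server (not real captures).
# The second mirrors slide 12: the "250 STARTTLS" line has been overwritten with
# "250 XXXXXXXX" on the wire, so the sender never sees the keyword.
EHLO_NORMAL = (
    "250-smtp.destination.com Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_STRIPPED = (
    "250-smtp.destination.com Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply):
    """Return the EHLO keywords (upper-cased) from a multi-line 250 reply.

    The first 250 line carries the server greeting, not an extension, so it is
    skipped; later lines are "250-KEYWORD [params]" or, for the last one,
    "250 KEYWORD [params]".
    """
    keywords = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def looks_stripped(reply):
    """Heuristic (an assumption of this example): an EHLO keyword made of one
    repeated character, such as XXXXXXXX, is not a legitimate extension name
    and matches the in-transit overwrite shown on slide 12. Worth logging on
    the sending side even when policy says to continue in cleartext."""
    return any(len(kw) > 1 and len(set(kw)) == 1 for kw in parse_ehlo(reply))


def decide_transport(reply, policy):
    """Decide how a sending MTA proceeds after reading the EHLO reply.

    "opportunistic": TLS if offered, else cleartext (the RFC 3207 behaviour
                     that stripping relies on).
    "require":       refuse delivery unless STARTTLS is offered (the posture a
                     strict-transport policy would make enforceable).
    Returns "tls", "cleartext" or "refuse".
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    if policy == "opportunistic":
        return "cleartext"
    if policy == "require":
        return "refuse"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for name, reply in (("normal", EHLO_NORMAL), ("stripped", EHLO_STRIPPED)):
        print(name, sorted(parse_ehlo(reply)),
              "stripped?", looks_stripped(reply),
              "opportunistic ->", decide_transport(reply, "opportunistic"),
              "require ->", decide_transport(reply, "require"))
```

With the opportunistic policy the stripped reply yields exactly the "Cleartext email" outcome of slide 12 without any error being raised, which is why the page says message security is hidden from the end user; only the require policy turns the overwrite into a visible delivery failure.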

  13. STARTTLS Stripping in the Wild
     Country: percentage
     - Tunisia 96.1%
     - Iraq 25.6%
     - Papua New Guinea 25.0%
     - Nepal 24.3%
     - Kenya 24.1%
     - Uganda 23.3%
     - Lesotho 20.3%
     - Sierra Leone 13.4%
     - New Caledonia 10.1%
     - Zambia 10.0%

  14. Authenticating Email

  15. Authenticating Email
     - DomainKeys Identified Mail (DKIM): sender signs messages with a cryptographic key
     - Sender Policy Framework (SPF): sender publishes a list of IPs authorized to send mail
     - Domain Message Authentication, Reporting and Conformance (DMARC): sender publishes a policy in DNS that specifies what to do if DKIM or SPF validation fails

  16. E-mail Authentication in Practice
     Gmail Authentication (chart):
     - SPF & DKIM 81%
     - SPF 11%
     - DKIM 2%
     - No Auth 6%

  17. E-mail Authentication in Practice
     Gmail Authentication (chart): SPF & DKIM 81%, SPF 11%, DKIM 2%, No Auth 6%
     Top Million Domains (chart), technology / share of Top 1M:
     - SPF Enabled 47%
     - DMARC Policy 1%
     DMARC Policy among Top 1M (chart):
     - Reject 20%
     - Quarantine 8%
     - Empty 72%
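Slides 15 to 17 describe SPF as a published list of authorized sending IPs and DMARC as a published policy with reject/quarantine/none (the "Empty" bucket on the chart being domains with no usable policy). The Python below is an added example, not code from the talk: it evaluates a constructed SPF record against a sending IP and extracts the DMARC policy from constructed TXT records. The records, the domain names and the limitation to `ip4:`/`ip6:`/`all` mechanisms (no `include:`, `a`, `mx` or `redirect=`) are assumptions of the example.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain; nothing is looked up.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
DMARC_RECORDS = {
    "reject":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "quarantine": "v=DMARC1; p=quarantine; pct=100",
    "none":       "v=DMARC1; p=none",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_authorizes(record, sender_ip):
    """Evaluate the ip4:/ip6: mechanisms and the final 'all' of an SPF record.

    Only these mechanisms are handled (assumption of the example), which is
    enough to show the published-IP-list idea. Returns 'pass', 'fail',
    'softfail' or 'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "neutral"   # real SPF reports permerror; treated as no policy here
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term.lower() == "all":
            return result                  # catch-all decides unmatched senders
        for prefix in ("ip4:", "ip6:"):
            if term.lower().startswith(prefix):
                net = ipaddress.ip_network(term[len(prefix):], strict=False)
                if ip.version == net.version and ip in net:
                    return result
    return "neutral"                       # no 'all' term: SPF default


def dmarc_policy(record):
    """Return the DMARC p= value ('reject', 'quarantine' or 'none'), or None
    when the record is absent or is not a DMARC record. None corresponds to
    the 'Empty' bucket of the slide's chart."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.7", "203.0.113.9"):
        print(ip, "->", spf_authorizes(SPF_RECORD, ip))
    for name, rec in DMARC_RECORDS.items():
        print(name, "->", dmarc_policy(rec))
    print("no record ->", dmarc_policy(None))
```

The two pieces fit together the way the slides describe: a receiver first runs the SPF (and DKIM) check, then consults the sender's DMARC policy to decide what a failure means, so a domain in the 72% "Empty" bucket gets no enforcement even if its SPF record says `-all`.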

  18. Moving Forward
     Two IETF proposals to solve real world issues:
     - SMTP Strict Transport Security: equivalent to HTTPS HSTS (key pinning)
     - Authenticated Received Chain (ARC): DKIM replacement that handles mailing lists

  19. Gmail STARTTLS Indication
     [Indicator labels: Insecure Received, Insecure Sending]

  20. [Chart: Inbound Gmail Protected by STARTTLS; annotation: Google Deploys STARTTLS Indicator]

  21. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
     David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Beguelin, and Paul Zimmermann

  22. Diffie-Hellman Key Exchange
     First published key exchange algorithm
     Public parameters:
     - p (a large prime)
     - g (generator for the group mod p)
     One side sends g^a mod p, the other sends g^b mod p
     Shared secret: g^ab mod p == g^ba mod p

  23. Diffie-Hellman on the Internet
     Diffie-Hellman is pervasive on the Internet today
     Primary key exchange:
     - SSH
     - IPsec VPNs
     Ephemeral key exchange:
     - HTTPS
     - SMTP, IMAP, POP3
     - all other protocols that use TLS

  24. "Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party."
     "Ideally the DH group would match or exceed the RSA key size but 1024-bit DHE is arguably better than straight 2048-bit RSA so you can get away with that if you want to."
     "With Perfect Forward Secrecy, anyone possessing the private key and a wiretap of Internet activity can decrypt nothing."

  25. 2015 Diffie-Hellman Support
     Protocol: support
     - HTTPS (Top Million Websites): 68%
     - HTTPS (IPv4, Browser Trusted): 24%
     - SMTP + STARTTLS: 41%
     - IMAPS: 75%
     - POP3S: 75%
     - SSH: 100%
     - IPSec VPNs: 100%

  26. Breaking Diffie-Hellman
     Computing the discrete log is the best known attack against DH. In other words: given g^x ≡ y mod p, compute x.
     [Diagram: Number Field Sieve. Precomputation (input: p): polynomial selection -> sieving -> linear algebra -> log db. Individual log (input: y, g): descent -> x]

  27. Breaking Diffie-Hellman
     Computing the discrete log is the best known attack against DH. In other words: given g^x ≡ y mod p, compute x.
     [Diagram: Number Field Sieve. Precomputation (input: p): polynomial selection -> sieving -> linear algebra -> log db. Individual log (input: y, g): descent -> x]
     Pre-computation is only dependent on p!

  28. Breaking Diffie-Hellman
     [Diagram: Number Field Sieve. Precomputation (input: p): polynomial selection -> sieving -> linear algebra -> log db. Individual log (input: y, g): descent -> x]
     DH-512 cost:
     - Sieving: 2.5 core-years
     - Linear Algebra: 7.7 core-years
     - Descent: 10 core-minutes
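Slides 22 and 26 to 28 make two points that a toy computation shows directly: the exchange itself (g^ab == g^ba mod p) and the split of the discrete-log attack into a precomputation that depends only on the group and a cheap per-target "individual log". The Python below is an added example, not code from the talk or from CADO-NFS: instead of the Number Field Sieve it uses baby-step giant-step, whose baby-step table plays the role of the "log db" and whose giant-step walk plays the role of the descent. The prime p = 1009, the base g = 11 and the secrets are constructed toy values, orders of magnitude below anything deployable.

```python
import math

# Toy group (constructed for the example): p is prime, g is the base. Far too
# small for real use; chosen only so the precompute/individual-log split is visible.
P = 1009
G = 11


def dh_public(p, g, secret):
    """Value a party sends on the wire: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(p, peer_public, secret):
    """Shared secret from the peer's public value: (g^b)^a = g^ab mod p."""
    return pow(peer_public, secret, p)


def precompute(p, g):
    """Baby steps: table mapping g^j mod p -> j for 0 <= j < m, m = ceil(sqrt(p-1)).

    This depends only on (p, g), so it is built once per group and reused for
    every target in that group; it is the analogue of the NFS 'log db'.
    """
    m = math.isqrt(p - 1) + 1
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    return m, table


def individual_log(p, g, y, m, table):
    """Giant steps: find x with g^x = y (mod p) using the precomputed table.

    Each call walks y * g^(-i*m) for i = 0..m-1 until it hits the table, so the
    per-target cost is O(m) lookups, never a rebuild of the table.
    """
    step = pow(g, -m, p)        # g^(-m) mod p; Python 3.8+ accepts negative exponents
    gamma = y % p
    for i in range(m):
        j = table.get(gamma)
        if j is not None:
            return i * m + j    # y = g^(i*m) * g^j
        gamma = gamma * step % p
    return None                 # y is not in the subgroup generated by g


def demo(p=P, g=G, a=123, b=456):
    """Run one exchange, then recover both secrets from a single precomputation."""
    ga, gb = dh_public(p, g, a), dh_public(p, g, b)
    assert dh_shared(p, gb, a) == dh_shared(p, ga, b)   # g^ab == g^ba
    m, table = precompute(p, g)                          # one-off, group-dependent
    return {
        "shared": dh_shared(p, gb, a),
        "recovered_a": individual_log(p, g, ga, m, table),
        "recovered_b": individual_log(p, g, gb, m, table),
        "table_size": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

The recovered exponents reproduce the public values (they may differ from the original secrets by a multiple of the order of g), and every session that reuses the same p pays only the giant-step cost; that is the 2.5 + 7.7 core-years versus 10 core-minutes asymmetry of slide 28 in miniature, and the reason slide 41 recommends a unique prime if 1024-bit DH cannot be avoided.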

  29. Lost in Translation
     This was known within the cryptographic community; however, not within the systems community.
     66% of IPSec VPNs use a single 1024-bit prime

  30. Lost in Translation
     This was known within the cryptographic community; however, not within the systems community.
     66% of IPSec VPNs use a single 1024-bit prime
     Are the groups used in practice still secure given this "new" information?

  31. 512-bit Keys and the Logjam Attack on TLS

  32. Diffie-Hellman in TLS
     The majority of HTTPS websites use 1024-bit DH keys. However, nearly 8.5% of the Top 1M still support Export DHE.
     Source of export prime: popularity
     - Apache: 82%
     - mod_ssl: 10%
     - Other (463 distinct primes): 8%

  33. Normal TLS Handshake
     client hello: client random, ciphers (... DHE ...)
     server hello: server random, chosen cipher

  34. Normal TLS Handshake
     client hello: client random, ciphers (... DHE ...)
     server hello: server random, chosen cipher
     server: certificate, p, g, g^a, Sign_CertKey(p, g, g^a)
     client: g^b
     K_ms = KDF(g^ab, client random, server random)

  35. Normal TLS Handshake
     client hello: client random, ciphers (... DHE ...)
     server hello: server random, chosen cipher
     server: certificate, p, g, g^a, Sign_CertKey(p, g, g^a)
     client: g^b
     K_ms = KDF(g^ab, client random, server random)
     client finished: Sign_Kms(Hash(m1 | m2 | ...))
     server finished: Sign_Kms(Hash(m1 | m2 | ...))

  36. Logjam Attack
     client hello as sent by client:      cr, ciphers (... DHE ...)
     client hello as forwarded to server: cr, ciphers (EXPORT_DHE)

  37. Logjam Attack
     client hello as sent by client:      cr, ciphers (... DHE ...)
     client hello as forwarded to server: cr, ciphers (EXPORT_DHE)
     server hello as forwarded to client: sr, cipher: DHE
     server hello as sent by server:      sr, cipher: EXPORT_DHE

  38. Logjam Attack
     client hello as sent by client:      cr, ciphers (... DHE ...)
     client hello as forwarded to server: cr, ciphers (EXPORT_DHE)
     server hello as forwarded to client: sr, cipher: DHE
     server hello as sent by server:      sr, cipher: EXPORT_DHE
     server: certificate, p_512, g, g^a, Sign_CertKey(p_512, g, g^a)
     client: g^b
     K_ms = KDF(g^ab, client random, server random)

  39. Logjam Attack
     client hello as sent by client:      cr, ciphers (... DHE ...)
     client hello as forwarded to server: cr, ciphers (EXPORT_DHE)
     server hello as forwarded to client: sr, cipher: DHE
     server hello as sent by server:      sr, cipher: EXPORT_DHE
     server: certificate, p_512, g, g^a, Sign_CertKey(p_512, g, g^a)
     client: g^b
     K_ms = KDF(g^ab, client random, server random)
     client finished (both legs): Sign_Kms(Hash(m1 | m2 | ...))
     server finished (both legs): Sign_Kms(Hash(m1 | m2 | ...))

  40. Computing 512-bit Discrete Logs
     We modified CADO-NFS to compute discrete logs for two common primes.
     1 week pre-computation, individual log ~70 seconds

  41. Logjam Mitigation
     Browsers:
     - have raised minimum size to 768 bits
     - plan to move to 1024-bit in the future
     - plan to drop all support for DHE
     Server operators:
     - Disable export ciphers!!
     - Use a 2048-bit or larger DHE key
     - If stuck using 1024-bit, generate a unique prime
     - Moving to ECDHE
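Slides 33 to 41 show that the signature in the handshake covers (p, g, g^a) but not the negotiated cipher, so the client's only defence against a 512-bit group is to inspect the parameters themselves, and the server's is to never offer export suites. The Python below is an added example, not code from the talk or from any TLS library: a client-side parameter check with the 768-bit browser minimum and the 2048-bit server recommendation from slide 41, plus a server-side filter that removes export suites from a configured list. The `P_512`, `P_1024` and `P_2048` values are constructed odd numbers of the stated bit lengths, not real primes; only their size is exercised, and the signature verification over (p, g, g^a) is assumed to have happened already.

```python
MIN_DH_BITS_BROWSERS_2015 = 768   # minimum browsers raised to after Logjam (slide 41)
RECOMMENDED_DH_BITS = 2048        # server-side recommendation on the same slide

# Constructed stand-ins for server-supplied primes: odd numbers of the stated
# bit length, NOT real primes. Only the size check is exercised with them.
P_512 = (1 << 511) | 1
P_1024 = (1 << 1023) | 1
P_2048 = (1 << 2047) | 1


def check_dh_params(p, g, server_public, min_bits=MIN_DH_BITS_BROWSERS_2015):
    """Checks a TLS client applies to ServerKeyExchange DH parameters before
    computing g^ab. Returns (accepted, reason).

    The certificate signature over (p, g, g^a) must already have been verified;
    since that signature says nothing about the cipher suite the client asked
    for, the size of p is the value the client must judge on its own.
    """
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"prime is {bits} bits, below the {min_bits}-bit minimum"
    if p % 2 == 0:
        return False, "prime is even"
    if not 2 <= g <= p - 2:
        return False, "generator out of range"
    if not 2 <= server_public <= p - 2:
        # 0, 1 and p-1 make the shared secret trivial regardless of the client's b
        return False, "server public value out of range"
    return True, f"accepted {bits}-bit parameters"


def strip_export_suites(offered):
    """Server-side: drop export-grade suites from the configured list so that
    EXPORT_DHE can never be chosen, whatever the (possibly rewritten) client
    hello claims to support."""
    return [s for s in offered if "EXPORT" not in s.upper()]


if __name__ == "__main__":
    for name, p in (("P_512", P_512), ("P_1024", P_1024), ("P_2048", P_2048)):
        print(name, "browser minimum:", check_dh_params(p, 2, 12345))
        print(name, "2048-bit policy:", check_dh_params(p, 2, 12345, RECOMMENDED_DH_BITS))
    print(strip_export_suites(["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                               "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"]))
```

The two functions sit on opposite ends of the connection and are complementary: a server that has removed export suites will never sign a p_512, and a client enforcing the size check will reject one even when a server still does.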

  42. 768- and 1024-bit Keys

  43. Breaking One 1024-bit DH Key
     The estimation process is convoluted due to the number of parameters that can be tuned.
     Crude estimations based on asymptotic complexity:

  44. Custom Hardware
     If you went down this route, you would build ASICs.
     Prior work from Geiselmann and Steinwandt (2007) estimates ~80x speed up from custom hardware.
     ≈ $100Ms of HW precomputes one 1024-bit prime/year

  45. Custom Hardware
     If you went down this route, you would build ASICs.
     Prior work from Geiselmann and Steinwandt (2007) estimates ~80x speed up from custom hardware.
     ≈ $100Ms of HW precomputes one 1024-bit prime/year
     For context... annual budgets for the U.S.:
     - Consolidated Cryptographic Program: 10.5B
     - Cryptanalytic IT Services: 247M
     - Cryptanalytic and exploitation services: 360M
