A Messy State of the Union: Taming the Composite State Machine of TLS

Slides:

Advertisements

Similar presentations

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Advertisements

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.

Web security: SSL and TLS

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Secure Socket Layer (SSL)

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.

Web Security Network Systems Security

Tunneling and Securing TCP Services Nathan Green.

Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.

Logjam: new dangers for secure protocols Dmitry Belyavskiy, TCI ENOG 9, Kazan, June 9-10, 2015.

SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian.

1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)

1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Cryptography CSS 329 Lecture 13:SSL.

Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.

Security Handshake Pitfalls. Client Server Hello (K)

Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.

Executive Director and Endowed Chair

The Secure Sockets Layer (SSL) Protocol

IT443 – Network Security Administration Instructor: Bo Sheng

CSCI 555 Adv Computer Security

Web Applications Security Cryptography 1

Cryptography CS 555 Topic 34: SSL/TLS.

Reviews Rocky K. C. Chang 20 April 2007.

Practical issue with Diffie-hellman key exchange (DH)

Secure Sockets Layer (SSL)

CSCE 715: Network Systems Security

COMP3220 Web Infrastructure COMP6218 Web Architecture

Originally by Yu Yang and Lilly Wang Modified by T. A. Yang

CSE 4095 Transport Layer Security TLS, Part II

CSE 4095 Transport Layer Security TLS

Public-Key Cryptography

CSE 4095 TLS Attacks Continued

CS 465 TLS Last Updated: Oct 31, 2017.

Secure Web Application-SSL

TLS 1.3: What has changed Dmitry Belyavskiy Cryptocom.

SSL (Secure Socket Layer)

Chapter 7 WEB Security.

Security at the Transport Layer: SSL and TLS

CSCE 815 Network Security Lecture 16

TLS and DLP Behind the green lock.

The Secure Sockets Layer (SSL) Protocol

Chapter 7 WEB Security.

Transport Layer Security (TLS)

Security at the Transport Layer

TLS Encryption and Decryption

Presentation transcript:

A Messy State of the Union: Taming the Composite State Machine of TLS Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournety, Markulf Kohlweissy,Alfredo Pironti, Pierre-Yves Strubz, Jean Karim Zinzindohoue Presented by Nan Liu

TLS 1.The Transport Layer Security(TLS) protocol is widely used to provide secure channels in a variety of scenarios. 2.TLS implementations are typically written as a set of functions that generate and parse each message, and perform the relevant cryptographic operations. 3. The composite state machine that this process must implement is not standardized, and differs between implementations.

Outline The TLS State Machine Testing Implementations with FlexTLS State Machine Flaws in TLS Implementations Attacks on TLS Implementations A Verified State Machine for OpenSSL Towards Security Theorems for OpenSSL

The TLS State Machine Message Sequences: Each TLS connection begins with either a full handshake or an abbreviated handshake. Negotiation Parameters: the protocol version (v ), the key exchange method in the ciphersuite (kx ) and so on. Implementation Pitfalls: first, the order of messages in the protocol has been carefully designed and it must be respected.

The TLS State Machine Implementation Pitfalls: Second, it is not enough to implement a linear sequence of sends and receives. Third, one must be careful to not prematurely calculate session parameters and secrets. Other Versions: state machines are different for different versions. Extensions:renegotiation,false start.

Testing Implementations with FlexTLS FlexTLS scripting:provides a class equipped with send and receive functions, and a record that holds its parsed contents. Searching for deviant traces:Skip, Hop and Repeat. Skip: for every prefix of a valid message sequence, we skip a message if it is mandatory. Hop: if two valid traces have the same prefix, up to their parameters, and they differ on their next message, we create a deviant trace from the context of the first trace and the next message of the second trace.

Testing Implementations with FlexTLS Repeat: for every prefix of a valid message sequence, we take any message that has appeared before and send it again if this results in a deviant trace. Automated testing: We generate a FlexTLS script for every deviant trace, and we run this script against a target implementation. Turing bugs into exploits

State Machine Flaws in TLS Implementations Implementation bugs in openSSL:early CCS, DH Certificate, Server-Gated Crypto(SGC), Export RSA, Static DH. Early CCS:CCS can (incorrectly) appear at any point after ServerHello . Receiving a CCS message triggers the setup of a record key derived from the session key. It may enable both client and server impersonation attacks,

State Machine Flaws in TLS Implementations DH Certificate: OpenSSL servers allow clients to omit the ClientCertificateVerify message after sending a Diffie-Hellman certificate. However, we found that sending a ClientKeyExchange along with a DH certificate enables a new client impersonation attack. Server-Gated Crypto(SGC): SGC that allows clients to start over a handshake after receiving a ServerHello.

State Machine Flaws in TLS Implementations Export RSA: the server sends a signed, but weak (at most 512 bits) RSA modulus in the ServerKeyExchange message. However, if such a message is received during a handshake that uses a stronger, non-export RSA ciphersuite, the weak ephemeral modulus will still be used to encrypt the client’s pre-master secret. Static DH: OpenSSL clients allow the server to skip the ServerKeyExchange message when a DHE or ECDHE ciphersuite is negotiated.

State Machine Flaws in TLS Implementations Implementation bugs in JSSE:client flaws, server flaws. Implementation bugs in other implementation: NSS,Mono,CyaSSL, SecureTransport, GnuTLS, miTLS and others.

Attacks on TLS Implementations Early Finished:server impersonation(Java,CyaSSL) Skip Verify:client impersonation (Mono,CyaSSL,OpenSSL) Skip ServerKeyExchange:forward secrecy rollback(NSS, OpenSSL) Inject ServerKeyExchange:RSA_Export Flashback

A Verified State Machine for OpenSSL OpenSSL Clients and Servers A new state machine Experimental Evaluation Logical Specification of the State Machine Verification with Frama-C

Towards Security Theorems for OpenSSL The first step to prove this property is to show that the OpenSSL state machine correctly implements our chosen ciphersuite, and that message sequences are disjoint from all other supported ciphersuites. The second hurdle is to show that the use of the same longterm signing key in different ciphersuites is safe. The third challenge is to show that the session secrets of our verified ciphersuite are cryptographically independent from any other ciphersuite.

Questions Which three well-defined rules can we use to generate deviant traces? What advantage of generating deviant traces according to the three rules? Why we develop FlexTLS?