Attacks on TLS Douglas Stebila Last updated April 5, 2019
Advanced functionality Attacks on TLS Stebila • 2019-09-05 Components of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, ..
Provable security analysis of TLS Attacks on TLS Stebila • 2019-09-05 Provable security analysis of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Provable security Record layer: sLHAE Handshake layer: ACCE
Provable security and formal methods analysis of TLS Attacks on TLS Stebila • 2019-09-05 Provable security and formal methods analysis of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Provable security Record layer: sLHAE Handshake layer: ACCE Formal methods
Attacks on TLS Termination, Cookie Cutter SLOTH Bleichenbacher Stebila • 2019-09-05 Attacks on TLS Termination, Cookie Cutter SLOTH Bleichenbacher Debian OpenSSL entropy bug POODLE Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Goldberg & Wagner Netscape PRNG attack Bleichenbacher, BEAST SSL 2.0 downgrade, FREAK, Logjam Cross-protocol DH/ECDH attack Heartbleed Collisions goto fail; BERserk Lucky13 Selfie Triple handshake attack Ray & Dispensa “Most dangerous code…” MalloDroid Frankencerts CA breaches Sweet32 Cross-protocol DH/ECDH attack RC4 biases, rc4nomore, Bar Mitzvah CRIME, BREACH, HEIST Jager et al. Lucky microseconds FREAK, Logjam CCS injection DROWN STARTTLS injection SMACK SSL stripping Virtual host confusion
Attacks on TLS Attacks on TLS Stebila • 2019-09-05 * denotes theoretical basis for later practical attack
Attacks on TLS Attacks on TLS Stebila • 2019-09-05 * denotes theoretical basis for later practical attack