Attacks on TLS Douglas Stebila Last updated April 5, 2019.

Slides:



Advertisements
Similar presentations
Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)
Advertisements

Cryptography and Network Security Chapter 16
Web security: SSL and TLS
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.
ECE 454/CS 594 Computer and Network Security
Lecture 6: Web security: SSL
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.
Real-world cryptography – SSL/TLS Joshua Davies Director of Architecture – 2Xoffice Author of “Implementing SSL/TLS Using Cryptography and PKI”
ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.
Presented By: Atish Baul Module: CSYM020, Internet Security Course: MSc Internet Computing.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
Introduction to Information Security SSL & TLS Story of a protocol Part II Itamar Gilad (infosec15 at modprobe dot net)
Secure Socket Layer (SSL)
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Network Security Essentials Chapter 5
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Logjam: new dangers for secure protocols Dmitry Belyavskiy, TCI ENOG 9, Kazan, June 9-10, 2015.
T HE W ORLD OF TLS Security, Attacks, TLS AND FTPS:// AND ….  Have you done any of the following today?  E-shopping: Amazon, Ebay, Audible,
Can SSL and TOR be intercepted? Secure Socket Layer.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
David Adrian, Karthikeyan Bhargavan, etc. Presented by Eunyoung Cho.
Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.
SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Communication protocols 2. HTTP Hypertext Transfer Protocol, is the protocol of World Wide Web (www) Client web browser Web server Request files Respond.
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
Apache HTTP Server SSL End-to-End
Computer and Network Security
Executive Director and Endowed Chair
SSL/TLS configuration in OpenEdge
Avishai Wool Slides credit: Itamar Gilad
Cryptography and Network Security
Secure Sockets Layer (SSL)
Visit for more Learning Resources
BINF 711 Amr El Mougy Sherif Ismail
SSL/TLS Hipsterism Finding implementation* bugs outside the mainstream
CSE 4095 TLS Attacks.
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CSE 4095 Transport Layer Security TLS
A Messy State of the Union: Taming the Composite State Machine of TLS
Cryptography and Network Security
Cryptography and Network Security Chapter 16
CSE 4095 TLS Attacks Continued
CS 465 TLS Last Updated: Oct 31, 2017.
Practical DROWNing Putting a well known, highly computationally heavy crypto attack into practice in real time. Where What Who Ruxmon Melbourne Practical.
SSL – Secure Socket Layer and TLS – Transport Layer Security
TLS 1.3: What has changed Dmitry Belyavskiy Cryptocom.
Virtual Private Networks (VPN)
Cryptography and Network Security
SSL (Secure Socket Layer)
Security at the Transport Layer: SSL and TLS
TLS and DLP Behind the green lock.
Cryptography and Network Security Chapter 16
Transport Layer Security (TLS)
SSL/TLS.
TLS/1.2 and TLS/1.3 Highlights
Cryptography and Network Security
Cryptography Lecture 27.
TLS Encryption and Decryption
Presentation transcript:

Attacks on TLS Douglas Stebila Last updated April 5, 2019

Advanced functionality Attacks on TLS Stebila • 2019-09-05 Components of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, ..

Provable security analysis of TLS Attacks on TLS Stebila • 2019-09-05 Provable security analysis of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Provable security Record layer: sLHAE Handshake layer: ACCE

Provable security and formal methods analysis of TLS Attacks on TLS Stebila • 2019-09-05 Provable security and formal methods analysis of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Provable security Record layer: sLHAE Handshake layer: ACCE Formal methods

Attacks on TLS Termination, Cookie Cutter SLOTH Bleichenbacher Stebila • 2019-09-05 Attacks on TLS Termination, Cookie Cutter SLOTH Bleichenbacher Debian OpenSSL entropy bug POODLE Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Goldberg & Wagner Netscape PRNG attack Bleichenbacher, BEAST SSL 2.0 downgrade, FREAK, Logjam Cross-protocol DH/ECDH attack Heartbleed Collisions goto fail; BERserk Lucky13 Selfie Triple handshake attack Ray & Dispensa “Most dangerous code…” MalloDroid Frankencerts CA breaches Sweet32 Cross-protocol DH/ECDH attack RC4 biases, rc4nomore, Bar Mitzvah CRIME, BREACH, HEIST Jager et al. Lucky microseconds FREAK, Logjam CCS injection DROWN STARTTLS injection SMACK SSL stripping Virtual host confusion

Attacks on TLS Attacks on TLS Stebila • 2019-09-05 * denotes theoretical basis for later practical attack

Attacks on TLS Attacks on TLS Stebila • 2019-09-05 * denotes theoretical basis for later practical attack