Logjam: new dangers for secure protocols Dmitry Belyavskiy, TCI ENOG 9, Kazan, June 9-10, 2015.

Slides:

Advertisements

Similar presentations

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Advertisements

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

Web security: SSL and TLS

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Security in Internet: what is it now? A presentation by Dmitry Belyavsky, TCI ENOG 6 / RIPE NCC Regional Meeting Kiev, Ukraine, October 2013.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

Transport Layer Security (TLS) Bill Burr November 2, 2001.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez SSL/TLS: An Introduction.

Computer Science Public Key Management Lecture 5.

Strong Password Protocols

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

CSCI 6962: Server-side Design and Programming

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Lecture 7b: The Diffie-Hellman Secret Sharing Scheme Wayne Patterson SYCS 653 Fall 2009.

Secure Socket Layer (SSL)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.

TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 3: Securing TCP.

Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.

Can SSL and TOR be intercepted? Secure Socket Layer.

David Adrian, Karthikeyan Bhargavan, etc. Presented by Eunyoung Cho.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

Chapter 14 Network Encryption

Network and Internet Security Prepared by Dr. Lamiaa Elshenawy

A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian.

1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

 authenticated transmission  secure tunnel over insecure public channel  host to host transmission is typical  service independent WHAT IS NEEDED?

Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.

1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.

Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:

Information Security and Management 10. Other Public-key Cryptosystems Chih-Hung Wang Fall

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Cryptography CSS 329 Lecture 13:SSL.

- Richard Bhuleskar “At the end of the day, the goals are simple: safety and security” – Jodi Rell.

TLS: avoiding dangers A presentation by Dmitry Belyavsky, TCI Business Internet Conference Kiev, Ukraine, December 2013.

Practical issue with Diffie-hellman key exchange (DH)

Secure Sockets Layer (SSL)

CSE 4095 Transport Layer Security TLS, Part II

CSE 4095 Transport Layer Security TLS

A Messy State of the Union: Taming the Composite State Machine of TLS

Public-Key Cryptography

CSE 4095 TLS Attacks Continued

SSL (Secure Socket Layer)

Security at the Transport Layer: SSL and TLS

TLS and DLP Behind the green lock.

Transport Layer Security (TLS)

TLS Encryption and Decryption

Presentation transcript:

Logjam: new dangers for secure protocols Dmitry Belyavskiy, TCI ENOG 9, Kazan, June 9-10, 2015

Attack of 2015 – FREAK  Historical reasons  A lot of browsers  A lot of web-servers  512-bit temporary RSA is not secure!  CVE

Attack of 2015 – LogJam  In short: too weak Diffie- Hellman parameters (EXPORT DH)  All browsers (middle of May)  All web-servers (depending on settings)  SSH/VPN  512/768/1024 is not enough!

Diffie-Hellman scheme ALICE BOB = = = = Common Paint Secret Colours Common Secret Public Transport SSL Best Practices

Diffie-Hellman math

Handshake struct  In case of DH key exchange signed data includes: opaque client_random[32]; opaque server_random[32]; serverDHParams params;  DOES NOT include the negotiating Cipher Suite id  The result will be checked at the end of the handshake

Handshake in case of attack

Why does it work?  Too short parameters: Precalc for hard-coded values Add some timeouts to provide correct Finished message Profit!  2 primes used at 92% Apache sites  512 bits is too short  1024 bits can be attacked too

Who is under the attack?  SSH - 25% if 1024 bits is broken  IKEv1 (IPSEC VPNs) – 66% if 1024 is broken  HTTPS (7% popular sites)  IPSec  POP3S/IMAPS/SMPTP 8-15% Postfix enables EXPORT Ciphersuites by default  … all protocols using DH scheme

How to avoid the attack?  Switch to ECDH scheme  Clients should decline too short DH parameters Old Java versions – not longer 768 bits  Use longer custom parameters (2048 bits)

Questions?