David Adrian, Karthikeyan Bhargavan, etc. Presented by Eunyoung Cho.

Slides:



Advertisements
Similar presentations
L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
Advertisements

Web security: SSL and TLS
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Bronson Jastrow. Outline  What is cryptography?  Symmetric Key Cryptography  Public Key Cryptography  How Public Key Cryptography Works  Authenticating.
Digital Signatures. Anononymity and the Internet.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.
ASYMMETRIC CIPHERS.
Lecture 6: Public Key Cryptography
SSH Secure Login Connections over the Internet
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Secure Socket Layer (SSL)
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
BASIC CRYPTOGRAPHIC CONCEPTS. Public Key Cryptography  Uses two keys for every simplex logical communication link.  Public key  Private key  The use.
Chapter 21 Public-Key Cryptography and Message Authentication.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Some Perspectives on Smart Card Cryptography
AES-CCM Cipher Suites Daniel Bailey Matthew Campagna David McGrew
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
Symmetric Cryptography, Asymmetric Cryptography, and Digital Signatures.
Understanding Cryptography by Christof Paar and Jan Pelzl These slides were prepared by Christof Paar and Jan Pelzl Chapter 8 –
Logjam: new dangers for secure protocols Dmitry Belyavskiy, TCI ENOG 9, Kazan, June 9-10, 2015.
Cryptography Chapter 7 Part 3 Pages 812 to 833. Symmetric Cryptography Security Services – Only confidentiality, not authentication or non- repudiation.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
Potential vulnerabilities of IPsec-based VPN
Public Key Algorithms Lesson Introduction ●Modular arithmetic ●RSA ●Diffie-Hellman.
The “WeakDH” Result and its Significance for Security and Privacy Jason Perry Lewis University CaMS December 1, 2015.
By Sandeep Gadi 12/20/  Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian.
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Cryptography in the Real World Diffie-Hellman Key Exchange RSA Analysis RSA Performance SSH Protocol Page 1.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
Reviews Rocky K. C. Chang 20 April 2007.
Practical issue with Diffie-hellman key exchange (DH)
Tutorial on Creating Certificates SSH Kerberos
Tutorial on Creating Certificates SSH Kerberos
CSE 4095 TLS Attacks Continued
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Presentation transcript:

David Adrian, Karthikeyan Bhargavan, etc. Presented by Eunyoung Cho

These objects embed some cryptography. Protocols includes various kinds of primitives. Symmetric cryptography (AES, …) Hash functions (md5, SHA-1, SHA-3,…) Public-key cryptography (RSA, DSA,...) What does security depend on?

Cryptographic protocols Implementation of cryptographic software Auditing implementations Scrutiny of cryptographic primitives Oppositely… Breaking a public-key cryptographic primitive by solving a mathematical problem Various fields of study

Breaking a public-key cryptographic primitive Usual measurement unit is public key size When key size grows The mathematical problem is harder to solve. The hardness of the mathematical problem depends on the algorithm used. Legitimate computation is less efficient. A compromise is to be found when deploying public-key cryptography. Goals

Short review of Diffie-Hellman using a Video clip (< 3min) Public Parameters p : a prime g : < p group generator (often 2 or 5) Diffie-Hellman 1976

Protocol support for “mod p” Diffie-Hellman in Spring 2015 was DHKE is extremely common on the internet

What is key exchange useful for?

Goal : given, find x The Number Field Sieve

Key exchange uses Diffie-Hellan : DHE or ECDHE For DHE, primes are Internet-wide scan of HTTPS servers using Zmap 14.3M hosts, 24% support DHE 70,000 distinct groups (p,g) Composite-order groups with short exponents 4800 groups where (p-1)/2 was not prime Got prime factors for 750 groups on 40K connection Some servers used short exponents : 128/160 bits Used Pohlig-Hellman to compute Full secret exponent for 159 servers Partial exponent for 460 servers Key Size

Of the Top 1M sites that support DHE in HTTPS 84% (2.9M) servers uses a 1024-bit or smaller group With 94% of these using one of five groups 2.6%(90K) servers use 768-bit primes % (2.6K) servers use 512-bit primes Key Size – Small-sized safe primes

TLS 1.0 supported weakened ciphers to comply with export regulations in 1990s. DHE_EXPORT groups limited to 512 bits key. Computation is easy. This is never the preferred choice in a TLS connection However…. …but only when client asks for it. Key Size : what about 512-bit keys?

Diffie-Hellman TLS Handshake

DHE_EXPORT handshake looks just like DHE Server uses same long-term signing key for both Difference is prime-size, which clients don’t check Opens the way to a downgrade attack DHE_EXPORT

Protocol flaw : Server does not sign chosen cipher suite. Logjam Active TLS MITM downgrade attack to 512 bit export DHE

Downgrade to DHE_EXPORT A man-in-the-middle attacker can Impersonate any server that supports DHE_EXPORT At any client that accept 512-bit DHE groups Export cipher suites in TLS TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CSC_SHA TLS_DH_RSA_EXPORT_WITH_DES40_CSC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CSC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CSC_SHA …….. Logjam

Carried out precomputation for Apache, mod_ssl primes. After 1 week precomputation, Per-connection descent computation: sec Median individual log time is 70 sec Computing 512-bit discrete logs

Parameters hard-coded in implementations or built into standards. 92% of DHE_EXPORT host choose one of two 512-bit primes. Top ten primes accounted for 99% of DHE_EXPORT-tolerant hosts. Most hosts use the same parameters

Some web browsers start sending data too early To optimize TLS performance for PFS ciphersuites No need to wait up to 150 sec for DLP Logjam can capture this early application data and compute DLP at leisure to read password/cookies ….. Logjam – Exploiting False Start

For DHE_EXPORT connections Connections between Chrome/Firefox/IE and 8.4% of websites can be broken offline( no forward secrecy) For regular DHE, they need to break bigger groups For academics, probably need to algorithmic improvements For governments, 768 bits is definitely reachable. Cost estimates for bigger groups

IKE key Exchange for VPNs/IPsec IKE chooses Diffie-Hellman parameters from standardized set. Decrypt the VPN traffic?

Find pre-Shared Key Locate complete paired collect Locate both IKE and ESP traffic Have collection sites do surveys for the IP’s Find better quality collect with rich metadata Refer to NSA VPN Attack Orchestration in the paper Decrypt the VPN traffic?

It seems plausible! A 1024-bit DH break is a parsimonious explanation for NSA’s large-scale passive decryption of VPN traffic. A well-designed “implant” would have fewer requirements. Decrypt the VPN traffic?

IKEv1, IKEv2, SSH all use 768-bit/1024-bit groups 6% of IKEv2 servers use Oakley 1 (768-bits) 64% of IKEv2 servers use Oakley 2 (1024-bits) 26% of SSH servers use Oakley 2 (1024-bits) 13% of HTTPS servers use 1024-bit Apache group Impact of breaking bigger groups

Precomputation for a single 1024-bit prime allows passive decryption of connections to 66% of VPN servers and 26% of SSH servers in Oakley Group 2 Precomputation for a second common 1024-bit prime allows passive decryption for 18% of top 1M HTTPS domains in Apache 2.2 Parameter reuse for 1024-bit Diffie-Hellman

Logjam Mitigation Security updates to major TLS libraries, web browsers, websites, mail servers Disable 512-bit, then 768-bit, then 1024 bit They recommend 2048-bit safe primes Major browsers have raised minimum DH lengths: IE, Chrome, Firefox to 1024 bits Safari to 768 bits TLS 1.3 draft anti-downgrade mechanism Solutions

1024-bit discrete log within range for governments Parameter reues allows wide-scale passive decryption Mitigations Move to elliptic curve cryptography If ECC is not an option, use 2048 bit primes. If 2048 bit primes are not an options, generate a fresh 1024 bit prime. Solutions

Stronger key exchanges, fewer options DCDHE and DHE by default, no RSA key transport Fixed DH groups (>2047 bits) and EC curves (>255 bits) Only AEAD ciphers(AES-GCM), no CBC, no RC4 Signatures, session keys bound to handshake parameters Server signature covers ciphersuite (preventing Logjam) Faster Lower latency with 1 round-trip A new protocol: TLS 1.3

Logjam is an active TLS MIMT ( ) Attack to 512-bit DHE ( )- grade cipher suites. The number field sieve algorithm for discrete log consists of a precomputation stage and an individual log computation stage. What is “four steps” in the stages? With a decent implementation, the computation takes an average of 70 sec. How can attacker work around this delay? Questions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.