Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4095 TLS Attacks.

Published byAgnes Johns Modified over 6 years ago

Similar presentations

Presentation on theme: "CSE 4095 TLS Attacks."— Presentation transcript:

1 CSE TLS Attacks

2 Handshake Protocol Diagram

3 TLS Attack Overview TLS seems very well designed (it is well designed)
Most used security protocol on the Internet Very strong incentive to attack the protocol The attacks are clever, tricky, and difficult Focus on the idea behind the attack and what we can learn Omit some crucial details that can be found in research paper Almost all attack target the handshake protocol Most attacks target confidentiality of a session key

4 Handshake Protocol Diagram
Start here

5 Recall RSA Public key is a modulus n = pq and an exponent e
Secret key is factorization and secret exponent d such that for any m, med = m mod n Encryption of m is just c = me mod n Decryption of c is m = cd mod n Important property of RSA it is homomorphic, if c1, c2 are encryptions of m1, m2 then c1*c2 is encryption of m1*m2

6 Homomorphism is dangerous
Basic RSA scheme is deterministic: if the same message is encrypted twice it produces the same ciphertext Homomorphism is also dangerous, it allows an attacker to change the message in a predictable way To deal with both of these problems RSA encryption uses padding

7 RSA PKCS 1 v1.5 Padding PKCS padding also removes homomorphism
00 02 8 bytes of random Actual Message Used to prevent overflow Specifies encryption Provides randomization (nonzero) Specifies end of random PKCS padding also removes homomorphism Unlikely that the product of two padded messages will be a a valid padded message This padding was used in early TLS versions Server uses alert protocol if decrypted message is not properly padded

8 Bleichenbacher attack
Client and Server TLS Negotiation c = (00 | 02 | rand | 00 | premaster)e Agreed on premaster secret Agreed on premaster secret Wants to eavesdrop on the conversation between Alice and Bob Records their entire conversation, needs to learn premaster secret “Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1” Dan Bleichenbacher, CRYPTO 1998

9 Bleichenbacher attack
Client and Server TLS Negotiation cse Agreed on premaster secret Engages in TLS negotiation with server Server either responds with alert message or continues to finished messages (where it becomes clear attacker doesn’t know key) Attacker can distinguish these cases! Performs this negotiation multiple times with different s, probability of not having alert message is roughly 1/224 By birthday bound takes 212 messages for at least one to continue to finished By some math attacker learns that 2* 262< ms mod n < 3* 262

10 Bleichenbacher attack
Client and Server TLS Negotiation cse Agreed on premaster secret By some math attacker learns that 2* 262< ms mod n < 3* 262 By iterating the attack with different s, can gain different constraints on m Eventually can determine premaster secret completely The attack takes around 220 or 1 Million negotiations Seems like a lot but powerful servers process this all the time Google processes 105 searches a second, only 10 seconds for 1 Million negotiations (many searches use session resumption which we haven’t covered)

11 Bleichenbacher attack
Client and Server TLS Negotiation cse Agreed on premaster secret Exercise: What went wrong here? What can be done to fix it?

12 Bleichenbacher(cont’d)
Proposed remediations: OAEP (optimal asymmetric encryption padding) new padding mechanism for RSA, greatly decreases chance of valid message, requires a cryptographic hash function, used in PKCS 1 v2.1 Try to silence the alert mechanism, have the server continue until the finished message Requires the server to prepare messages in a way that can’t be detected by the client What does server use as premaster secret? LESSON: A small amount of information, whether a message is properly padded, can be devastating

13 Review of record encryption protocols
AES CBC Camellia CBC ARIA CBC SEED CBC 3DES CBC GOST CNT IDEA CBC RC2 CBC RC4 (stream cipher) Most cipher suites use cipher block chaining to create an encryption scheme out of block cipher AES CBC was most common method

14 Cipher block chaining Identical plaintext blocks are encrypted into different ciphertext blocks each block of plaintext is XORed with the previous ciphertext block before being encrypted Initialization vector (IV) is used in the first block IV: even when the same plaintext is encrypted multiple times independently with the same key gives distinct ciphertexts IV not reused under the same key

15 CBC Data Injection P0 IV P1 P2 Enc Enc Enc C0 C1 C2 Seemingly minor fact, if P2 = P1 ⊕ C1 ⊕ C0, then C2 = C1 C2 = Enc(P1 ⊕ C1 ⊕ C0 ⊕ C0) = Enc(P1 ⊕ C1) =C1

16 CBC Data Injection P0 IV P1 P2 Enc Enc Enc C0 C1 C2 Seemingly minor fact, if P2 = P1 ⊕ C1 ⊕ C0, then C2 = C1 How could an attacker exploit this fact?

17 BEAST Attack How to actually pull this off?
Client and Server Record Protocol Encrypted/MAC’d Messages Attacker tries to insert malicious data into record protocol If attacker has guess x for plaintext block, can insert P1 ⊕ C1 ⊕ C0 into stream and check correctness As a result can learn about client’s private data How to actually pull this off?

18 BEAST Attack Cookie 1 Evil.com Cookie 1 Guess for Cookie Not-Evil.com
1. Provides client with java applet Cookie 1 Cookie 2 Cookie 3 Not-Evil.com Cookie 1 Guess for Cookie Initiates connection to legitimate site TLS connection automatically occurs Client provides cookies to site automatically Applet inserts plaintext blocks and guesses cookie values Can initiate connection multiple times for multiple guesses Relays values back to Evil.com

19 BEAST Attack EXERCISE What went wrong? What could we do to fix it?
Cryptographically Non-cryptographically LESSONS?

20 BEAST Remediations Same Origin Policy
Prevents java from accessing data on another connection unless those connections are to the same site Same Origin Policy should have actually prevented this problem, BEAST exploited an implementation flaw TLS completely moved away from using CBC mode, what is left?

21 Review of record encryption protocols
AES CBC Camellia CBC ARIA CBC SEED CBC 3DES CBC GOST CNT IDEA CBC RC2 CBC RC4 (stream cipher) Developed by Soviet/Russian government, not widely used

22 Lets go RC4! Several attacks exploit CBC (BEAST, Varduney, Lucky Thirteen) Varduney exploits the way data is padded to form a last block Lucky 13 extends this attack to only use timing information Use the structure of how CBC prepares data Belief: block ciphers will always have these problems Lets try a stream cipher RC4 is only option Saw RC4 in the WEP protocol

23 RC4 Stream cipher designed in early 90s
Was not attacked in WEP (were so many weak points) Started researchers in attacking the protocol The first bytes of RC4 output are biased and reveal about key/plaintext First byte output See more biases at:

24 RC4 Probability of recovering byte at position x with 224 ciphertexts
Attack almost 100% with 232 ciphertexts On the Security of RC4 in TLS Al Fardan, Bernstein, Paterson, Poettering, Schdult, 2013

25 RC4 Banned from TLS in 2015 What can we learn from this process?
More attacks next class (compression and protocol downgrade attacks)

Download ppt "CSE 4095 TLS Attacks."

Similar presentations

Web security: SSL and TLS

Web security: SSL and TLS
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.

Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Various Attacks on Cryptosystems slides (c) 2012 by Richard Newman.

Various Attacks on Cryptosystems slides (c) 2012 by Richard Newman.
Giuseppe Bianchi Warm-up example 2 802.11 WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.

Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Similar presentations

Ads by Google