Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Messy State of the Union: Taming the Composite State Machine of TLS

Published byΣαπφώ Αναγνώστου Modified over 6 years ago

Similar presentations

Presentation on theme: "A Messy State of the Union: Taming the Composite State Machine of TLS"— Presentation transcript:

1 A Messy State of the Union: Taming the Composite State Machine of TLS
Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournety, Markulf Kohlweissy,Alfredo Pironti, Pierre-Yves Strubz, Jean Karim Zinzindohoue Presented by Nan Liu

2 TLS 1.The Transport Layer Security(TLS) protocol is widely used to provide secure channels in a variety of scenarios. 2.TLS implementations are typically written as a set of functions that generate and parse each message, and perform the relevant cryptographic operations. 3. The composite state machine that this process must implement is not standardized, and differs between implementations.

3 Outline The TLS State Machine Testing Implementations with FlexTLS
State Machine Flaws in TLS Implementations Attacks on TLS Implementations A Verified State Machine for OpenSSL Towards Security Theorems for OpenSSL

4 The TLS State Machine Message Sequences: Each TLS connection begins with either a full handshake or an abbreviated handshake. Negotiation Parameters: the protocol version (v ), the key exchange method in the ciphersuite (kx ) and so on. Implementation Pitfalls: first, the order of messages in the protocol has been carefully designed and it must be respected.

5 The TLS State Machine Implementation Pitfalls: Second, it is not enough to implement a linear sequence of sends and receives Third, one must be careful to not prematurely calculate session parameters and secrets. Other Versions: state machines are different for different versions. Extensions:renegotiation,false start.

6

7 Testing Implementations with FlexTLS
FlexTLS scripting:provides a class equipped with send and receive functions, and a record that holds its parsed contents. Searching for deviant traces:Skip, Hop and Repeat. Skip: for every prefix of a valid message sequence, we skip a message if it is mandatory. Hop: if two valid traces have the same prefix, up to their parameters, and they differ on their next message, we create a deviant trace from the context of the first trace and the next message of the second trace.

8 Testing Implementations with FlexTLS
Repeat: for every prefix of a valid message sequence, we take any message that has appeared before and send it again if this results in a deviant trace. Automated testing: We generate a FlexTLS script for every deviant trace, and we run this script against a target implementation. Turing bugs into exploits

9 State Machine Flaws in TLS Implementations
Implementation bugs in openSSL:early CCS, DH Certificate, Server-Gated Crypto(SGC), Export RSA, Static DH. Early CCS:CCS can (incorrectly) appear at any point after ServerHello . Receiving a CCS message triggers the setup of a record key derived from the session key. It may enable both client and server impersonation attacks,

10 State Machine Flaws in TLS Implementations
DH Certificate: OpenSSL servers allow clients to omit the ClientCertificateVerify message after sending a Diffie-Hellman certificate. However, we found that sending a ClientKeyExchange along with a DH certificate enables a new client impersonation attack. Server-Gated Crypto(SGC): SGC that allows clients to start over a handshake after receiving a ServerHello.

11 State Machine Flaws in TLS Implementations
Export RSA: the server sends a signed, but weak (at most 512 bits) RSA modulus in the ServerKeyExchange message. However, if such a message is received during a handshake that uses a stronger, non-export RSA ciphersuite, the weak ephemeral modulus will still be used to encrypt the client’s pre-master secret. Static DH: OpenSSL clients allow the server to skip the ServerKeyExchange message when a DHE or ECDHE ciphersuite is negotiated.

12 State Machine Flaws in TLS Implementations
Implementation bugs in JSSE:client flaws, server flaws. Implementation bugs in other implementation: NSS,Mono,CyaSSL, SecureTransport, GnuTLS, miTLS and others.

13

14 Attacks on TLS Implementations
Early Finished:server impersonation(Java,CyaSSL) Skip Verify:client impersonation (Mono,CyaSSL,OpenSSL) Skip ServerKeyExchange:forward secrecy rollback(NSS, OpenSSL) Inject ServerKeyExchange:RSA_Export Flashback

15 A Verified State Machine for OpenSSL
OpenSSL Clients and Servers A new state machine Experimental Evaluation Logical Specification of the State Machine Verification with Frama-C

16 Towards Security Theorems for OpenSSL
The first step to prove this property is to show that the OpenSSL state machine correctly implements our chosen ciphersuite, and that message sequences are disjoint from all other supported ciphersuites. The second hurdle is to show that the use of the same longterm signing key in different ciphersuites is safe. The third challenge is to show that the session secrets of our verified ciphersuite are cryptographically independent from any other ciphersuite.

17 Questions Which three well-defined rules can we use to generate deviant traces? What advantage of generating deviant traces according to the three rules? Why we develop FlexTLS?

Download ppt "A Messy State of the Union: Taming the Composite State Machine of TLS"

Similar presentations

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.
Web security: SSL and TLS

Web security: SSL and TLS
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.

TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.
Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.

Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
Introduction to Secure Sockets Layer (SSL) Protocol Based on: https://developer.mozilla.org/En/Introduction_to_SSL#The_SSL_Protocol.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Similar presentations

Ads by Google