Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4095 TLS Attacks Continued

Published byAudra Vivian Doyle Modified over 6 years ago

Similar presentations

Presentation on theme: "CSE 4095 TLS Attacks Continued"— Presentation transcript:

1 CSE 4095 TLS Attacks Continued

2 TLS Attack Overview Saw several subtle problems with TLS:
RSA does not prevent message manipulation Lead to development of OAEP padding in TLS 1.1 and 1.2 CBC mode of operation has multiple vulnerabilities Banning of CBC in TLS 1.0, move to RC4 Development of encryption mechanisms that simultaneously check integrity (authenticated encryption) RC4 stream cipher is broken No good record encryption schemes in TLS 1.0

3 More attacks Focus on two attacks: Discuss TLS 1.3 Draft
CRIME targets compression LOGJAM targets protocol version Discuss TLS 1.3 Draft

4 Handshake Protocol Diagram
Focus of first attack

5 CRIME Compression Ratio Info-Leak Made Easy developed by Rizzo and Duong (also developed BEAST attack) Attack will have similar attack scenario to BEAST attack Will target completely different part of protocol

6 CRIME Attack Cookie 1 Evil.com Cookie 1 Guess for Cookie Not-Evil.com
1. Provides client with javascript Cookie 1 Cookie 2 Cookie 3 Not-Evil.com Cookie 1 Guess for Cookie Initiates connection to legitimate site TLS connection automatically occurs Client provides cookies to site automatically Applet inserts plaintext blocks and guesses cookie values Can initiate connection multiple times for multiple guesses Relays values back to Evil.com New mechanism for checking if guess is correct

7 Compression Most compression on the Internet uses DEFLATE
Session is vulnerable if compression is used either by application or TLS

8 DEFLATE Lossless compression mechanism (means there are no errors)
Two sub algorithms: LZ77 and Huffman coding LZ77 replaces substrings that have appeared prior with a reference (distance backwards and how many characters to substitute) Google is so googley is replaced with: Google is so g(-13,5)y

9 Huffman Coding Replaces common bytes with short values
Construct binary tree where weight of left/right subtree are equal Example: `this is an example of a huffman tree’ a e f h i l m n o p r s _ t u x 4 3 2 1 7 010 000 1101 1010 1000 11001 0111 0010 00110 10011 11000 1011 111 0110 00111 10010

10 Huffman Coding Tree 36 16 20 8 8 8 12 ‘a’ 4 ‘e’ 4 4 4 4 4 5 ‘ ’ 7
‘s’ 2 ‘f’ 3 ‘o’ 1 ‘u’ 1 ‘x’ 1 ‘r’ 1 ‘p’ 1 ‘l’ 1

11 DEFLATE Lossless compression mechanism (means there are no errors)
Two sub algorithms: LZ77 and Huffman coding In both sub-algorithms if a block already appears in the text it will be compressed to smaller size than new block Can use this to check guesses

12 CRIME Attack Cookie 1 Evil.com Cookie 1 Guess for Cookie Not-Evil.com
1. Provides client with javascript Cookie 1 Cookie 2 Cookie 3 Not-Evil.com Cookie 1 Guess for Cookie The guess for cookie can have multiple parts The amount they are compressed indicates redundancy with Cookie 1 Rest of attack proceeds just like BEAST Attack worked by 45% of browsers and 40% of TLS servers including Dropbox, Github Takes only 6 requests to learn one byte, very fast

13 CRIME Mitigation What went wrong? What should be fixed?
Extended in BREACH attack by Prado, Harris, and Gluck Does not rely on TLS compression, targets HTTP compression Length Randomization Randomize cookies 11/14/2018

14 Logjam attack Protocol Downgrade
Export compliance: in the early 1990s cryptography was classified as a munition and its export is controlled by the US state department Many servers have two sets of Diffie-Hellman parameters: standard ones (1024 bit or bits) and export ones (512 bits) No modern browser asks to use 512 bit export Diffie Hellman Cryptanalytic attack on Diffie Hellman 11/14/2018

15 Core of handshake protocol
Version, CR, Ciphersuites= DHE Chosen ciphersuite =DHE, SR, Cert, g, p, gb, Sig(CR, SR, g, gb) Client Server Client Key ga, ChangeCipherSpec, Finished ChangeCipherSpec, Finished= Integrity(master_secret, transcript) Why can’t I change the ciphersuite list? 11/14/2018

16 Core of handshake protocol
Version, CR, Ciphersuites= DHE Attacker Version, CR, Ciphersuites= None Chosen ciphersuite =None, SR Client Server Alert Was not in the client list, client aborts 11/14/2018

17 Core of handshake protocol
Version, CR, Ciphersuites= DHE, DHEExport Version, CR, DHEExport Attacker DHEExport Chosen ciphersuite =DHE, SR, Cert, g, p, gb, Sig(CR, SR, g, gb) Client Server Client Key ga, ChangeCipherSpec, Finished ChangeCipherSpec, Finished= Integrity(master_secret, transcript) Finished messages should not match: two parties have different views of transcript 11/14/2018

18 Changing Ciphersuites
Because ciphersuites and version numbers are included in the finished message it should not be possible for an attacker to change the ciphersuite However, security of the handshake messages depends on the selected ciphersuite If an attacker can break the security of the selected ciphersuite, can produce legitimate looking finished messages 11/14/2018

19 Does not forge signature, Client is unaware it is using export
Logjam Attack Version, CR, Ciphersuites= DHE, Attacker Version, CR, DHEExport Chosen ciphersuite =DHE, SR, Cert, g, p, gb, Sig(CR, SR, g, gb) Client Server Attacker Needs to compute b Only 512 bits Client Key ga, ChangeCipherSpec, Finished ChangeCipherSpec, Finished Does not forge signature, Client is unaware it is using export 11/14/2018

20 Breaking Diffie-Hellman
Attacker must be able to compute b in a reasonable time (before client aborts connection) Effort in breaking Diffie-Hellman can be divided into two parts, precomputation for a prime p, and finding single b from a value ga mod p Precomputation took 90,000 core hours Individual log about 70 seconds (on two 18 core machines) Most servers use predictable primes and only vary p 11/14/2018

21 What went wrong? How to fix it?
Logjam Version, CR, Ciphersuites= DHEExport Attacker Version, CR, DHEExport Chosen ciphersuite =DHE, SR, Cert, g, p, gb, Sig(CR, SR, g, gb) Client Server Attacker Needs to compute b Only 512 bits Client Key ga, ChangeCipherSpec, Finished ChangeCipherSpec, Finished What went wrong? How to fix it? 11/14/2018

22 TLS 1.3 Currently in development on draft 19 of the standard
Major philosophical changes: Only use ephemeral keys for agreement Long-term keys for signing only Authenticated encryption mode must be used in record layer No backwards compatibility, entirely new ciphersuites Client assumes their ciphersuite will be accepted Handshake takes one message on each side in common case 11/14/2018

23 TLS 1.3 Handshake Version, CR, Ciphersuites, chosen suite, ga
SR, Cert, g, p, gb, Sig(CR, SR, g, gb), Finished Client Server Finished, Encrypted Data 11/14/2018

Download ppt "CSE 4095 TLS Attacks Continued"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Web security: SSL and TLS

Web security: SSL and TLS
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Similar presentations

Ads by Google