Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks on TLS Douglas Stebila Last updated April 5, 2019.

Published byNóra Kozma Modified over 5 years ago

Similar presentations

Presentation on theme: "Attacks on TLS Douglas Stebila Last updated April 5, 2019."— Presentation transcript:

1 Attacks on TLS Douglas Stebila Last updated April 5, 2019

2 Advanced functionality
Attacks on TLS Stebila •  Components of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, ..

3 Provable security analysis of TLS
Attacks on TLS Stebila •  Provable security analysis of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Provable security Record layer: sLHAE Handshake layer: ACCE

4 Provable security and formal methods analysis of TLS
Attacks on TLS Stebila •  Provable security and formal methods analysis of TLS Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Provable security Record layer: sLHAE Handshake layer: ACCE Formal methods

5 Attacks on TLS Termination, Cookie Cutter SLOTH Bleichenbacher
Stebila •  Attacks on TLS Termination, Cookie Cutter SLOTH Bleichenbacher Debian OpenSSL entropy bug POODLE Crypto primitives RSA, DSA, ECDSA Diffie–Hellman, ECDH HMAC MD5, SHA1, SHA-2 DES, 3DES, RC4, AES Export grade Ciphersuite details Data structures Key derivation Encryption modes, IVs Padding Advanced functionality Alerts & errors Certification / revocation Negotiation Renegotiation Session resumption Key reuse Compression State machine Libraries OpenSSL LibreSSL, BoringSSL NSS GnuTLS SChannel Java JSSE Everest / miTLS s2n Applications Web browsers: Chrome, Firefox, IE/Edge, Safari Web servers: Apache, IIS, nginx, node, … Application SDKs Certificates Protocols HTTP, IMAP, .. Goldberg & Wagner Netscape PRNG attack Bleichenbacher, BEAST SSL 2.0 downgrade, FREAK, Logjam Cross-protocol DH/ECDH attack Heartbleed Collisions goto fail; BERserk Lucky13 Selfie Triple handshake attack Ray & Dispensa “Most dangerous code…” MalloDroid Frankencerts CA breaches Sweet32 Cross-protocol DH/ECDH attack RC4 biases, rc4nomore, Bar Mitzvah CRIME, BREACH, HEIST Jager et al. Lucky microseconds FREAK, Logjam CCS injection DROWN STARTTLS injection SMACK SSL stripping Virtual host confusion

6 Attacks on TLS Attacks on TLS Stebila • 2019-09-05
* denotes theoretical basis for later practical attack

7 Attacks on TLS Attacks on TLS Stebila • 2019-09-05
* denotes theoretical basis for later practical attack

Download ppt "Attacks on TLS Douglas Stebila Last updated April 5, 2019."

Similar presentations

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.
ECE 454/CS 594 Computer and Network Security

ECE 454/CS 594 Computer and Network Security
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.

TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.
Real-world cryptography – SSL/TLS Joshua Davies Director of Architecture – 2Xoffice Author of “Implementing SSL/TLS Using Cryptography and PKI”

Real-world cryptography – SSL/TLS Joshua Davies Director of Architecture – 2Xoffice Author of “Implementing SSL/TLS Using Cryptography and PKI”
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.

SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.
Presented By: Atish Baul Module: CSYM020, Internet Security Course: MSc Internet Computing.

Presented By: Atish Baul Module: CSYM020, Internet Security Course: MSc Internet Computing.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.

By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Similar presentations

Ads by Google