Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
No Need for Black
Chambers
Testing TLS in the E-mail
Ecosystem at Large
ARES16
Wilfried Mayer, Aaron Zauner,
Martin Schmie...
Scanned all e-mail servers
Probed all cryptographic primitives
Shed light on the current status
2
Background
Transport Layer Security
• Most widely used cryptographic protocol
• Lots of research for HTTPS
• Not for syste...
Background
E-Mail
• Public mail services heavily used
• Millions of smaller mail-daemons
• E-mail not invented with securi...
Background
Port TLS Protocol Usage
25 STARTTLS SMTP Transmission
110 STARTTLS POP3 Retrieval
143 STARTTLS IMAP Retrieval
4...
Background
Implicit TLS STARTTLS
6
Background
TLS Handshake
7
Background
8
Methodology
Cipher Suite Scan
9
Methodology
General Process
10
Methodology
Hardware
11
Methodology
Software Architecture
12
Methodology
Organization
• Inform all responsible people
• Upstream ISP that is willing to help
13
Methodology
Transparent Scanning
• WHOIS / RIPE entry explaining
• Webpage on the scan host explaining
• No attempt to hid...
Methodology
Abuse contact
• Blacklisting mechanism
• People complained
• Handled professionally
15
Methodology
Considerations
• People will be annoyed!
• ... they even might write to your
management or unrelated 3rd parti...
Results
Data collection
• 7 TCP ports
• 5 TLS versions
• ∼50 cipher suites
• ∼10 billion TLS handshakes
• April to August ...
Results
Protocol Version Support / TCP Port
0
10
20
30
40
50
60
70
80
90
100
SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2
%
25
110
14...
Results
Protocol Version Support / TCP Port
25 465 587 Retrieval
SSLv2 + SSLv3 < 0.2%
TLSv1.0 upwards 8% 45% 18% 32–37%
TL...
Results
Key exchange security - Diffie-Hellman
• DH primes in SMTP
◦ Large amount of 512 bit (EXPORT)
◦ One 512-bit prime us...
Results
Key exchange security - Elliptic Curve
Diffie-Hellman
• SMTP: 99% use secp256r1 curve
• POP/IMAP: ∼70% use secp384r1...
Results
Selected primitives / TCP Port
22
Results
AUTH-PLAIN
• Not crypto related
• Plaintext authentication before upgrade
to TLS
23
Results
X.509: Trust / TCP Port
0
10
20
30
40
50
60
70
ok self signed unable
%
25
110
143
465
587
993
995
Compared to Mozi...
Results
X.509 Certificates
• 99% of leafs use RSA (vs. e.g. ECDSA)
• Trusted: ≥ 90% 2048 bit, ≤ 10% 4096 bit
• Self-signed:...
Results
X.509: Weak RSA keys
• Similar to Heninger et al.
• 40,268,806 certificates analyzed
• 2,354,090 unique RSA moduli
...
Results
Additional findings
• Open-source mail daemons are easily
DoS’ed - (Re)discovered a dovecot bug:
(CVE-2015-3420, Ha...
Mitigation
Solid server configurations & awareness
• bettercrypto.org
• Mozilla Server TLS Security guide
• RFC 7457 – Summ...
Mitigation
DNSSEC / DANE
• DNS-Based Authentication of Named
Entities
• DNSSEC shifts trust to TLDs instead of CAs
• It’s ...
Mitigation
E-Mail ecosystem
• DKIM (DomainKeys Identified Mail)
• SPF (Sender Policy Framework)
• DMARC (Domain-based Messa...
Mitigation
New efforts
• Let’s Encrypt by EFF et al.
• DEEP (Deployable Enhanced Email
Privacy) - similar to how HSTS works...
Questions?wmayer@sba-research.org
32
Upcoming SlideShare
Loading in …5
×

No Need For Black Chambers

720 views

Published on

Testing TLS in the Email Ecosystem at Large
ARES 2016

Published in: Internet
  • Be the first to comment

  • Be the first to like this

No Need For Black Chambers

  1. 1. No Need for Black Chambers Testing TLS in the E-mail Ecosystem at Large ARES16 Wilfried Mayer, Aaron Zauner, Martin Schmiedecker, Markus Huber
  2. 2. Scanned all e-mail servers Probed all cryptographic primitives Shed light on the current status 2
  3. 3. Background Transport Layer Security • Most widely used cryptographic protocol • Lots of research for HTTPS • Not for systems like E-mail ◦ Durumeric et al. (IMC’15 and 32C3) ◦ Holz et al. (NDSS’16) 3
  4. 4. Background E-Mail • Public mail services heavily used • Millions of smaller mail-daemons • E-mail not invented with security in mind 4
  5. 5. Background Port TLS Protocol Usage 25 STARTTLS SMTP Transmission 110 STARTTLS POP3 Retrieval 143 STARTTLS IMAP Retrieval 465 Implicit SMTPS Submission 587 STARTTLS SMTP Submission 993 Implicit IMAPS Retrieval 995 Implicit POP3S Retrieval 5
  6. 6. Background Implicit TLS STARTTLS 6
  7. 7. Background TLS Handshake 7
  8. 8. Background 8
  9. 9. Methodology Cipher Suite Scan 9
  10. 10. Methodology General Process 10
  11. 11. Methodology Hardware 11
  12. 12. Methodology Software Architecture 12
  13. 13. Methodology Organization • Inform all responsible people • Upstream ISP that is willing to help 13
  14. 14. Methodology Transparent Scanning • WHOIS / RIPE entry explaining • Webpage on the scan host explaining • No attempt to hide 14
  15. 15. Methodology Abuse contact • Blacklisting mechanism • People complained • Handled professionally 15
  16. 16. Methodology Considerations • People will be annoyed! • ... they even might write to your management or unrelated 3rd parties • ... or call your office • ... or write offensive e-mails 16
  17. 17. Results Data collection • 7 TCP ports • 5 TLS versions • ∼50 cipher suites • ∼10 billion TLS handshakes • April to August 2015 • 20,270,768 scans 17
  18. 18. Results Protocol Version Support / TCP Port 0 10 20 30 40 50 60 70 80 90 100 SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 % 25 110 143 465 587 993 995 18
  19. 19. Results Protocol Version Support / TCP Port 25 465 587 Retrieval SSLv2 + SSLv3 < 0.2% TLSv1.0 upwards 8% 45% 18% 32–37% TLSv1.1 + TLSv1.2 < 0.5% 19
  20. 20. Results Key exchange security - Diffie-Hellman • DH primes in SMTP ◦ Large amount of 512 bit (EXPORT) ◦ One 512-bit prime used by 64%, one 1024-bit prime used by 69% (Postfix) ◦ ≤ 1024 bit is very common in all protocols 20
  21. 21. Results Key exchange security - Elliptic Curve Diffie-Hellman • SMTP: 99% use secp256r1 curve • POP/IMAP: ∼70% use secp384r1 curve 21
  22. 22. Results Selected primitives / TCP Port 22
  23. 23. Results AUTH-PLAIN • Not crypto related • Plaintext authentication before upgrade to TLS 23
  24. 24. Results X.509: Trust / TCP Port 0 10 20 30 40 50 60 70 ok self signed unable % 25 110 143 465 587 993 995 Compared to Mozilla Truststore: ssc: self-signed, ok: CA signed, local: unable to get local issuer 24
  25. 25. Results X.509 Certificates • 99% of leafs use RSA (vs. e.g. ECDSA) • Trusted: ≥ 90% 2048 bit, ≤ 10% 4096 bit • Self-signed: 15%–40% 1024 bit • Common name: Name Key Size IPs Parallels Panel - Parallels 2048 306,852 ... Automatic...IMAP SSL key - Courier Mail Server 1024 83,976 ... 25
  26. 26. Results X.509: Weak RSA keys • Similar to Heninger et al. • 40,268,806 certificates analyzed • 2,354,090 unique RSA moduli • Fast-GCD (djb/ Heninger et al.) • 456 RSA private keys recovered 26
  27. 27. Results Additional findings • Open-source mail daemons are easily DoS’ed - (Re)discovered a dovecot bug: (CVE-2015-3420, Hanno Boeck) • OpenSSL will establish EXPORT ciphersuites with TLSv1.1 + TLSv1.2 (although the RFC explicitly says MUST NOT). 27
  28. 28. Mitigation Solid server configurations & awareness • bettercrypto.org • Mozilla Server TLS Security guide • RFC 7457 – Summarizing Known Attacks on TLS and DTLS • RFC 7525 – Recommendations for Secure Use of TLS and DTLS • Educating administrators, managers and operational people 28
  29. 29. Mitigation DNSSEC / DANE • DNS-Based Authentication of Named Entities • DNSSEC shifts trust to TLDs instead of CAs • It’s still one option that could work, so why not deploy in addition? 29
  30. 30. Mitigation E-Mail ecosystem • DKIM (DomainKeys Identified Mail) • SPF (Sender Policy Framework) • DMARC (Domain-based Message Authentication, Reporting, and Conformance) 30
  31. 31. Mitigation New efforts • Let’s Encrypt by EFF et al. • DEEP (Deployable Enhanced Email Privacy) - similar to how HSTS works for HTTPS (MUA to Server) • SMTP-STS • Continued scans - published data sets 31
  32. 32. Questions?wmayer@sba-research.org 32

×