How broken is TLS?

H
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
How broken is TLS?
A tale of BEAST, CRIME, Lucky Thirteen and Heartbleed
Hanno B¨ock, https://hboeck.de
2014-04-19
1 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Introduction
Motivation
History of SSL / TLS
Overview
Hanno B¨ock, freelance journalist, lives in Berlin
Often writes about cryptography for Golem.de and others
Also runs webhosting (https://schokokeks.org)
2 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Introduction
Motivation
History of SSL / TLS
Overview
TLS is the most important crypto protocol
There are problems on multiple layers (certificate authorities,
software, cryptography, protocols)
BEAST, CRIME, Lucky Thirteen, Heartbleed, ...
3 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Introduction
Motivation
History of SSL / TLS
Overview
SSL 1 - only internal (Netscape)
1994: SSL 2 (Netscape, severe security issues, disabled)
1996: SSL 3 (Netscape, no extensions, still used)
1999: TLS 1 (IETF standard, problems with CBC, til today de
facto standard)
2006: TLS 1.1 (half fix for CBC-problems)
2008: TLS 1.2 (introduces authenticated encryption with
GCM and SHA-2)
4 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Introduction
Motivation
History of SSL / TLS
Overview
X.509 certificate authority signs host-certificate,
host-certificate used to get a session key for TLS
Two protocols (X.509 and TLS)
So we have software, CAs, X.509 and TLS itself
5 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Heartbleed
Software
Featurebloat
C
Heartbleed is only a memory read error, just a software bug,
nothing with cryptography
So pretty boring, right?
6 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Heartbleed
Software
Featurebloat
C
SSL libraries have terrible code quality
OpenSSL Valhalla Rampage - have fun and be scared
Don’t blame OpenSSL. The others are just as bad
7 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Heartbleed
Software
Featurebloat
C
Who needs the heartbeat extension?
What other extensions are there in TLS and who needs them?
And who needs GOST, DSA, SEED, IDEA, Brainpool curves
or Camellia? (GOST is only a draft, OpenSSL still has code
for it)
TLS also supports DES or RC2 with 40 Bit
8 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Heartbleed
Software
Featurebloat
C
It is extremely difficult to write secure code in C (buffer
overflows etc.)
Which programming language is better? Not too exotic, not
too much overhead and usable on many different platforms,
but still memsafe?
And by the way: Constant time implementations needed
Can we do memsafe C? (Softbount/CETS, OpenBSD malloc)
9 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Certificate Authorities
2011 CA disaster
Revocation
Revocation that costs money
Fixing CAs
Main problem: Every certificate authority can do
Man-in-the-Middle-attacks on every website
You automatically trust all CAs in your browser and all sub
CAs
Weird: It doesn’t matter if your CA is trustworthy, only the
least trustworthy CA matters
10 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Certificate Authorities
2011 CA disaster
Revocation
Revocation that costs money
Fixing CAs
CA-disaster 2011
Diginotar, Comodo, T¨urktrust and others
EFF SSL Observatory finds many valid certificates that
shouldn’t exist (e.g. 512 Bit EV certificate)
Diginotar is the only case where it had consequences
Comodo issued fake certificates for mail.google.com,
www.google.com, login.yahoo.com, login.skype.com,
addons.mozilla.org and login.live.com erstellt
11 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Certificate Authorities
2011 CA disaster
Revocation
Revocation that costs money
Fixing CAs
CRL doesn’t scale, OCSP not privacy friendly
OCSP useless in Firefox and IE, disabled in Chrome
OCSP Stapling could fix things a bit
OCSP Stapling Required - only a draft
Revocation does not work right now
12 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Certificate Authorities
2011 CA disaster
Revocation
Revocation that costs money
Fixing CAs
Heartbleed: StartSSL charges for revocation
This is a problem: It gives incentives to do the wrong thing
Cynics might say: Doesn’t matter, it’s broken anyway
More general problem: It’s expensive and difficult to be secure
(certificates) - it should be the other way round
13 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Certificate Authorities
2011 CA disaster
Revocation
Revocation that costs money
Fixing CAs
Convergence: distributed access (MitM still possible if
attacker near server)
Sovereign Keys: EFF, complicated, uses append-only log
TACK: draft for TLS to pin certificates, shares many ideas
with Sovereign Keys
HTTP Key Pinning: draft from Google, only HTTPS
Certificate Transparency: from Google, append-only log, make
sure MitM gets detected
14 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
Signaturen
Three public key types for X.509 certificates: RSA, DSA,
ECDSA
Everyone uses RSA and that’s a good thing
DSA/ECDSA have severe problems with bad randomness
15 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
Signaturen
MD5 signatures were used until someone showed they are
really broken
SHA1 signatures are de facto standard
Few CAs do SHA256 signatures (about to change)
RSA signatures use old PKCS #1 1.5 scheme, RSA-PSS
(PKCS #1 2.1) would be better, lacks software support
16 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
TLS supports a lot of algorithm combinations
Example: ECDHE-RSA-AES256-GCM-SHA384
Key exchange with elliptic curves, signature with RSA,
encryption with AES, key size 256 bit, block mode GCM
(Galois/Counter Mode), MAC algorithm SHA385
17 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
Until TLS 1.0 AES CBC used an implicit initialization vector
This led to the BEAST attack
Fixed in TLS 1.1, but who implements better protocols with
more security if they don’t have to?
18 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
TLS needs confidentiality and authenticity
Most common: Encryption with AES-CBC, authentication
with HMAC
TLS does MAC-then-Pad-then-Encrypt
Different error messages for padding and MAC errors allow
Padding Oracle attack
”Solution”: just one error message
19 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
”Canvel et al. [CBCTIME] have demonstrated a timing attack on
CBC padding based on the time required to compute the MAC. In
order to defend against this attack, implementations MUST ensure
that record processing time is essentially the same whether or not
the padding is correct. In general, the best way to do this is to
compute the MAC even if the padding is incorrect, and only then
reject the packet. For instance, if the pad appears to be incorrect,
the implementation might assume a zero-length pad and then
compute the MAC. This leaves a small timing channel, since
MAC performance depends to some extent on the size of the data
fragment, but it is not believed to be large enough to be
exploitable, due to the large block size of existing MACs and the
small size of the timing signal.” (TLS 1.2, RFC 5246, p. 23)
20 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
To translate this: We know there is a problem, but we don’t
think it’s a real problem
That was the Lucky Thirteen attack - it was already
mentioned in the TLS standard itself
21 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
For all problems with BEAST and Lucky Thirteen there are
workarounds in browsers
But after Lucky Thirteen many wanted to avoid CBC
Solution: RC4 (only non-CBC-algorithm left before TLS 1.2)
PCI verification (credit card standard) required RC4 for some
time
22 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
RC4 was developed 1994 by Ron Rivest, not for public use
Source was published in a newsgroup, is only a few lines long
and you can copy-and-paste it from Wikipedia
March 2013: Bernstein et al show an impractical attack on
RC4 in TLS, no workarounds
After Snowden some people speculate that NSA can attack
RC4 in real time
Today many people think RC4 has to die (draft)
23 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Algorithms
BEAST
CBC, MAC, Padding
From the TLS 1.2 standard
Lucky Thirteen
CBC
RC4
RC4 or CBC
RC4 or CBC with MAC-then-Encrypt? Both are bad, but for
CBC we have workarounds
BEAST, Lucky Thirteen, RC4-attacks are all not very
practical, but this is not good
AES-GCM: Authenticated encryption, only in TLS 1.2, only
new browsers
Encrypt-then-MAC for CBC: draft
ChaCha20/Poly1394: draft - very fast and probably very
secure cipher
24 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Forward Secrecy
Elliptic Curves
NIST Curves
Curve25519
Compression
Forward secrecy is great! If you do it right
but...
Apache before 2.4.7 only supports Diffie-Hellman (DHE) with
1024 bit, Java until 1.7 the same
And there are elliptic curves... (ECDHE)
25 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Forward Secrecy
Elliptic Curves
NIST Curves
Curve25519
Compression
Idea: Diffie-Hellman and El Gamal/DSA use a ”group” (some
math structure)
You can use any group you like
Assumption: If you use an elliptic curve that’s much more
secure (the best known attacks on discrete logarithms don’t
work in elliptic curves)
There are infinitely many elliptic curves - which one should we
use?
26 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Forward Secrecy
Elliptic Curves
NIST Curves
Curve25519
Compression
Solution: We ask the NSA - they have lots of skilled
cryptographers, they should know
In 1999 NIST published some good, well tested elliptic curves
The author works for the NSA
Where does 3045ae6f c8422f64 ed579528 d38120ea e12196d5
come from?
It is not very likely that the NSA has a backdoor, but we can’t
completely rule it out
27 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Forward Secrecy
Elliptic Curves
NIST Curves
Curve25519
Compression
Dan Bernstein developed a better elliptic curve: Curve25519,
255 bit
Draft for TLS
The SafeCurves project also has longer curves
ECDSA doesn’t work and is bad anyway, there is Ed25519 for
Curve25519
28 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Forward Secrecy
Elliptic Curves
NIST Curves
Curve25519
Compression
Compression leaks information about content and leads to
side channel attacks (CRIME attack)
Just disable it, your browser won’t use it anyway
Problem: Similar attacks work on HTTP compression,
workarounds are tricky and have to happen in the web
application (BREACH attack)
29 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
TLS has an internal downgrade protection
But browsers have a ”workaround” for this protection: Try a
lower protocol if the higher one fails
Problem: Broken middleware and load balancers are
everywhere
Downgrades can happen with bad connections (mobile
Internet)
This is a problem for SNI (ServerNameIndication) and other
extensions - please disable SSLv3 everywhere
30 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
BIG-IP from F5 is such a story...
One of the reasons for those ”workarounds”
Also there are devices that don’t like TLS handshakes between
256 and 512 bytes, so we now have a TLS padding extension
to add some useless data
But there is other hardware that breaks with the padding
extensions (Ironware SMTP servers from Cisco)
Browsers do workarounds for broken stuff all the time
There’s now a draft for better downgrade protection (a
workaround for a workaround for broken stuff)
31 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
Frankencerts - take a bunch of real certificates, change things
randomly
And then check if they are valid
In a perfect world every library should come to the same
conclusion
In the real world they don’t
This uncovered severe bugs in MatrixSSL and GnuTLS and
smaller bugs in various other TLS implementations
32 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
Dual EC DRBG has almost certainly a backdoor from the NSA
Research project: We replace the backdoor parameters with
our own parameters
This revealed private keys for DSA and ECDSA in TLS (told
you so: don’t use them)
RSA BSAFE used Dual EC by default
The TLS extended random extension makes this attack easier,
there exists a draft and code in RSA BSAFE (learn: don’t
invent extensions without a clear purpose. Oh, we already
knew that from Heartbleed)
Dual EC rarely used, so no real problem, but exciting research
33 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
Bug in the logic of TLS handshakes and renegotiations
Browser workaround, Adam Langley has a check for your
browser
Interesting fact: some browsers accept insecure parameters for
Diffie-Hellman
Diffie-Hellman needs a large prime - some browsers think 17
or 15 are large primes
34 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
SSL Stripping: Attacker prevents HTTPS by intercepting links
or first HTTP access
HSTS header forces browser to use TLS and forbids HTTP to
same host
Some browsers have build-in HSTS domains
WARNING: There is no way to do hybrid HTTPS/HTTP
solutions secure. Just protecting the login is wrong
35 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
ASN.1 is the most horrible binary format to parse
Know any good software to handle it? I don’t
—–BEGIN CERTIFICATE—–
MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0w
DQYJKoZIhvcNAQEFBQAwXzELMAkG
36 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
Quantum computers kill all public key and key exchange
algorithms in TLS
2012 Nobel price for research that could help building
quantum computers
Post quantum cryptography is very experimental, no
algorithm that could be deployed easily
Quantum cryptography won’t safe you, it is a nice thought
experiment, but it is completely impractical
37 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Downgrades
F5 / BIG-IP
Frankencerts
Dual EC DRBG
Triple Handshake
SSL Stripping / HSTS
ASN.1
Quantum Computers
Tipps for server admins
Use latest Apache
Support TLS 1.2 with AES-GCM and forward secrecy
Disable RC4, TLS compression, SSLv3 and all mostly unused
algorithms (EXPORT, NULL, SEED, IDEA, ...)
Enable OCSP stapling
Use RSA certificates with 2048 or 4096 bit, signed with
SHA256
Use the Qualys SSL test
38 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Two Possible Conclusions
Read and Learn
Sources
Sources
Sources
Final words
a) TLS is broken beyond repair, we need to get rid of it and
make something better
b) TLS is broken on many layers, but we have ideas and fixes
for many problems, we need to get them deployed
Choose your own conclusion - and help making it happen
39 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Two Possible Conclusions
Read and Learn
Sources
Sources
Sources
Final words
I often write about crypto on Golem.de (German) -
http://hboeck.de
Matthew Green‘s Blog
http://blog.cryptographyengineering.com/
Adam Langley‘s Blog https://www.imperialviolet.org/
Dan Bernstein‘s Blog (DJB) http://blog.cr.yp.to/
Very good online course by Dan Boneh on Coursera
https://www.coursera.org/course/crypto
40 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Two Possible Conclusions
Read and Learn
Sources
Sources
Sources
Final words
TLS 1.2, RFC 5246
http://www.ietf.org/rfc/rfc5246.txt
Heartbleed http://heartbleed.com/
OpenSSL Valhalla Rampage http://opensslrampage.org/
EFF SSL Observatory https://www.eff.org/observatory
Internet scans https://scans.io/
Sovereign Keys https://www.eff.org/sovereign-keys
Convergence http://convergence.io/
TACK http://tack.io/
HTTP Key Pinning http://tools.ietf.org/html/
draft-ietf-websec-key-pinning-01
Certificate Transparency
http://certificate-transparency.org
41 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Two Possible Conclusions
Read and Learn
Sources
Sources
Sources
Final words
OCSP Stapling Required http://tools.ietf.org/html/
draft-hallambaker-tlssecuritypolicy-03
MD5 broken
http://media.ccc.de/browse/congress/2008/
25c3-3023-en-making_the_theoretical_possible.html
RSA-PSS thesis https://rsapss.hboeck.de/
Padding Oracle http://www.iacr.org/cryptodb/
archive/2002/EUROCRYPT/2850/2850.pdf
BEAST http://ekoparty.org/2011/juliano-rizzo.php
Lucky Thirteen
http://www.isg.rhul.ac.uk/tls/Lucky13.html
RC4 attack http://www.isg.rhul.ac.uk/tls/
Prohibiting RC4 draft https://tools.ietf.org/html/
draft-popov-tls-prohibiting-rc4-02
BREACH http://breachattack.com/ 42 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Two Possible Conclusions
Read and Learn
Sources
Sources
Sources
Final words
SafeCurves http://safecurves.cr.yp.to/
Frankencerts
https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
Dual EC http://dualec.org/
https://projectbullrun.org/dual-ec/
Triple Handshake https://secure-resumption.com/
Browser check for Triple Handshake
https://www.imperialviolet.org/2014/03/03/
triplehandshake.html
Browser check for DH parameters https://dh.tlsfun.de/
Post quantum cryptography http://pqcrypto.org/
TLS – Nuke it from Orbit
http://clearcryptocode.org/tls/
Qualys SSL-Test https://www.ssllabs.com/ssltest/
43 / 44
Introduction
Software
CAs
X.509
Symmetric encryption
TLS misc
Misc
End
Two Possible Conclusions
Read and Learn
Sources
Sources
Sources
Final words
Thank you Edward Snowden!
44 / 44
1 of 44

Recommended

TLS by
TLSTLS
TLSDaniel Stenberg
945 views37 slides
Random musings on SSL/TLS configuration by
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configurationextremeunix
1.2K views42 slides
Automated Analysis of TLS 1.3 by
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3vpnmentor
1.8K views69 slides
TLS: Past, Present, Future by
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Futurevpnmentor
1.5K views45 slides
All you need to know about transport layer security by
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
455 views52 slides
HTTPS, Here and Now by
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and NowPhilippe De Ryck
1.7K views90 slides

More Related Content

What's hot

Transport layer security (tls) by
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)Kalpesh Kalekar
549 views17 slides
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon by
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDan York
1K views7 slides
Transport Layer Security by
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
339 views17 slides
HTTPS: All you need to know by
HTTPS: All you need to knowHTTPS: All you need to know
HTTPS: All you need to knowOVHcloud
2.7K views55 slides
Transport Layer Security - Mrinal Wadhwa by
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaMrinal Wadhwa
1.1K views25 slides
SSL/TLS by
SSL/TLSSSL/TLS
SSL/TLSSirish Kumar
1.4K views12 slides

What's hot(20)

DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon by Dan York
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
Dan York1K views
Transport Layer Security by Huda Seyam
Transport Layer SecurityTransport Layer Security
Transport Layer Security
Huda Seyam339 views
HTTPS: All you need to know by OVHcloud
HTTPS: All you need to knowHTTPS: All you need to know
HTTPS: All you need to know
OVHcloud2.7K views
Transport Layer Security - Mrinal Wadhwa by Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal Wadhwa
Mrinal Wadhwa1.1K views
TLS/SSL Internet Security Talk by Nisheed KM
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
Nisheed KM744 views
Secure Sockets Layer and Transport Layer Security by Al Mamun
Secure Sockets Layer and Transport Layer SecuritySecure Sockets Layer and Transport Layer Security
Secure Sockets Layer and Transport Layer Security
Al Mamun 576 views
DANE and DNSSEC Authentication Chain Extension for TLS by Shumon Huque
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLS
Shumon Huque493 views
TLS - Transport Layer Security by ByronKimani
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani322 views
Introduction to Secure Sockets Layer by Nascenia IT
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
Nascenia IT29.6K views
Introducing TLS 1.3 – The future of Encryption by RapidSSLOnline.com
Introducing TLS 1.3 – The future of EncryptionIntroducing TLS 1.3 – The future of Encryption
Introducing TLS 1.3 – The future of Encryption
RapidSSLOnline.com156 views
Ssl in a nutshell by Frank Kelly
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly9.2K views
Introduction to TLS-1.3 by Vedant Jain
Introduction to TLS-1.3 Introduction to TLS-1.3
Introduction to TLS-1.3
Vedant Jain324 views
SSL/TLS Introduction with Practical Examples Including Wireshark Captures by JaroslavChmurny
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny1.5K views
Ssl (Secure Sockets Layer) by Asad Ali
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali3.6K views

Viewers also liked

How (un)secure is SSL/TLS? by
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
1.5K views38 slides
TLS Interception considered harmful (Chaos Communication Camp 2015) by
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)hannob
1.5K views46 slides
Fail Well by
Fail WellFail Well
Fail WellJoshua Simmons
1.7K views21 slides
Black ops 2012 by
Black ops 2012Black ops 2012
Black ops 2012Dan Kaminsky
67.4K views88 slides
'The History of Metrics According to me' by Stephen Day by
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen DayDocker, Inc.
6.5K views32 slides
Prometheus design and philosophy by
Prometheus design and philosophy   Prometheus design and philosophy
Prometheus design and philosophy Docker, Inc.
2.7K views32 slides

Viewers also liked(7)

How (un)secure is SSL/TLS? by Microsoft
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
Microsoft1.5K views
TLS Interception considered harmful (Chaos Communication Camp 2015) by hannob
TLS Interception considered harmful (Chaos Communication Camp 2015)TLS Interception considered harmful (Chaos Communication Camp 2015)
TLS Interception considered harmful (Chaos Communication Camp 2015)
hannob1.5K views
Black ops 2012 by Dan Kaminsky
Black ops 2012Black ops 2012
Black ops 2012
Dan Kaminsky67.4K views
'The History of Metrics According to me' by Stephen Day by Docker, Inc.
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day
Docker, Inc.6.5K views
Prometheus design and philosophy by Docker, Inc.
Prometheus design and philosophy   Prometheus design and philosophy
Prometheus design and philosophy
Docker, Inc.2.7K views
Docker Online Meetup: Announcing Docker CE + EE by Docker, Inc.
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
Docker, Inc.24.2K views

Similar to How broken is TLS?

Cours4.pptx by
Cours4.pptxCours4.pptx
Cours4.pptxBellaj Badr
7 views37 slides
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack... by
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...Aaron Zauner
992 views41 slides
Hacking cable modems the later years by
Hacking cable modems the later yearsHacking cable modems the later years
Hacking cable modems the later yearsNullbyte Security Conference
9.6K views88 slides
Information Security Engineering by
Information Security EngineeringInformation Security Engineering
Information Security EngineeringMd. Hasan Basri (Angel)
212 views50 slides
Introduction to and survey of TLS Security by
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
2.5K views76 slides
Introduction to security_and_crypto by
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoYoung Alista
150 views43 slides

Similar to How broken is TLS?(20)

[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack... by Aaron Zauner
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
Aaron Zauner992 views
Introduction to and survey of TLS Security by Aaron Zauner
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
Aaron Zauner2.5K views
Introduction to security_and_crypto by Young Alista
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Young Alista150 views
Introduction to security_and_crypto by Fraboni Ec
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Fraboni Ec414 views
Introduction to security_and_crypto by David Hoen
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
David Hoen191 views
Introduction to security_and_crypto by Harry Potter
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Harry Potter352 views
Introduction to security_and_crypto by James Wong
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
James Wong94 views
Introduction to security_and_crypto by Tony Nguyen
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Tony Nguyen145 views
Introduction to security_and_crypto by Luis Goldster
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
Luis Goldster95 views
Tcp Anonymous Authenticated ID by Jim MacLeod
Tcp Anonymous Authenticated IDTcp Anonymous Authenticated ID
Tcp Anonymous Authenticated ID
Jim MacLeod368 views
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 by Aaron Zauner
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 [Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
Aaron Zauner1.1K views
Cryptography - A Brief History by prasenjeetd
Cryptography - A Brief HistoryCryptography - A Brief History
Cryptography - A Brief History
prasenjeetd6.2K views
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015) by Igalia
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)
HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)
Igalia412 views
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection by CSCJournals
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
CSCJournals211 views
IT103Microsoft Windows XP/OS Chap11 by blusmurfydot1
IT103Microsoft Windows XP/OS Chap11IT103Microsoft Windows XP/OS Chap11
IT103Microsoft Windows XP/OS Chap11
blusmurfydot1351 views

More from hannob

The Fuzzing Project - 32C3 by
The Fuzzing Project - 32C3The Fuzzing Project - 32C3
The Fuzzing Project - 32C3hannob
1.7K views35 slides
Some tales about TLS by
Some tales about TLSSome tales about TLS
Some tales about TLShannob
1.7K views60 slides
Crypto workshop part 3 - Don't do this yourself by
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourselfhannob
992 views13 slides
Crypto workshop part 1 - Web and Crypto by
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Cryptohannob
1.2K views14 slides
Papierlos by
PapierlosPapierlos
Papierloshannob
1.3K views14 slides
Gehackte Webapplikationen und Malware by
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malwarehannob
926 views17 slides

More from hannob(9)

The Fuzzing Project - 32C3 by hannob
The Fuzzing Project - 32C3The Fuzzing Project - 32C3
The Fuzzing Project - 32C3
hannob1.7K views
Some tales about TLS by hannob
Some tales about TLSSome tales about TLS
Some tales about TLS
hannob1.7K views
Crypto workshop part 3 - Don't do this yourself by hannob
Crypto workshop part 3 - Don't do this yourselfCrypto workshop part 3 - Don't do this yourself
Crypto workshop part 3 - Don't do this yourself
hannob992 views
Crypto workshop part 1 - Web and Crypto by hannob
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
hannob1.2K views
Papierlos by hannob
PapierlosPapierlos
Papierlos
hannob1.3K views
Gehackte Webapplikationen und Malware by hannob
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malware
hannob926 views
SSL, X.509, HTTPS - How to configure your HTTPS server by hannob
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob4.7K views
Stromsparen by hannob
StromsparenStromsparen
Stromsparen
hannob975 views
Wirtschaftswachstum, klimawandel und Peak Oil by hannob
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oil
hannob1.4K views

Recently uploaded

Amine el bouzalimi by
Amine el bouzalimiAmine el bouzalimi
Amine el bouzalimiAmine EL BOUZALIMI
6 views38 slides
Cracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptx by
Cracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptxCracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptx
Cracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptxLeasedLinesQuote
5 views8 slides
The Dark Web : Hidden Services by
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden ServicesAnshu Singh
22 views24 slides
Penetration Testing for Cybersecurity Professionals by
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals211 Check
49 views17 slides
ATPMOUSE_융합2조.pptx by
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptxkts120898
35 views70 slides
hamro digital logics.pptx by
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptxtupeshghimire
11 views36 slides

Recently uploaded(13)

Cracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptx by LeasedLinesQuote
Cracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptxCracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptx
Cracking the Code Decoding Leased Line Quotes for Connectivity Excellence.pptx
The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh22 views
Penetration Testing for Cybersecurity Professionals by 211 Check
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
211 Check49 views
ATPMOUSE_융합2조.pptx by kts120898
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptx
kts12089835 views
40th TWNIC Open Policy Meeting: A quick look at QUIC by APNIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC
APNIC109 views
WITS Deck by W.I.T.S.
WITS DeckWITS Deck
WITS Deck
W.I.T.S.36 views
cis5-Project-11a-Harry Lai by harrylai126
cis5-Project-11a-Harry Laicis5-Project-11a-Harry Lai
cis5-Project-11a-Harry Lai
harrylai1269 views
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download by APNIC
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
APNIC112 views
40th TWNIC Open Policy Meeting: APNIC PDP update by APNIC
40th TWNIC Open Policy Meeting: APNIC PDP update40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update
APNIC106 views

How broken is TLS?

  • 1. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End How broken is TLS? A tale of BEAST, CRIME, Lucky Thirteen and Heartbleed Hanno B¨ock, https://hboeck.de 2014-04-19 1 / 44
  • 2. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Introduction Motivation History of SSL / TLS Overview Hanno B¨ock, freelance journalist, lives in Berlin Often writes about cryptography for Golem.de and others Also runs webhosting (https://schokokeks.org) 2 / 44
  • 3. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Introduction Motivation History of SSL / TLS Overview TLS is the most important crypto protocol There are problems on multiple layers (certificate authorities, software, cryptography, protocols) BEAST, CRIME, Lucky Thirteen, Heartbleed, ... 3 / 44
  • 4. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Introduction Motivation History of SSL / TLS Overview SSL 1 - only internal (Netscape) 1994: SSL 2 (Netscape, severe security issues, disabled) 1996: SSL 3 (Netscape, no extensions, still used) 1999: TLS 1 (IETF standard, problems with CBC, til today de facto standard) 2006: TLS 1.1 (half fix for CBC-problems) 2008: TLS 1.2 (introduces authenticated encryption with GCM and SHA-2) 4 / 44
  • 5. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Introduction Motivation History of SSL / TLS Overview X.509 certificate authority signs host-certificate, host-certificate used to get a session key for TLS Two protocols (X.509 and TLS) So we have software, CAs, X.509 and TLS itself 5 / 44
  • 6. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Heartbleed Software Featurebloat C Heartbleed is only a memory read error, just a software bug, nothing with cryptography So pretty boring, right? 6 / 44
  • 7. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Heartbleed Software Featurebloat C SSL libraries have terrible code quality OpenSSL Valhalla Rampage - have fun and be scared Don’t blame OpenSSL. The others are just as bad 7 / 44
  • 8. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Heartbleed Software Featurebloat C Who needs the heartbeat extension? What other extensions are there in TLS and who needs them? And who needs GOST, DSA, SEED, IDEA, Brainpool curves or Camellia? (GOST is only a draft, OpenSSL still has code for it) TLS also supports DES or RC2 with 40 Bit 8 / 44
  • 9. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Heartbleed Software Featurebloat C It is extremely difficult to write secure code in C (buffer overflows etc.) Which programming language is better? Not too exotic, not too much overhead and usable on many different platforms, but still memsafe? And by the way: Constant time implementations needed Can we do memsafe C? (Softbount/CETS, OpenBSD malloc) 9 / 44
  • 10. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Certificate Authorities 2011 CA disaster Revocation Revocation that costs money Fixing CAs Main problem: Every certificate authority can do Man-in-the-Middle-attacks on every website You automatically trust all CAs in your browser and all sub CAs Weird: It doesn’t matter if your CA is trustworthy, only the least trustworthy CA matters 10 / 44
  • 11. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Certificate Authorities 2011 CA disaster Revocation Revocation that costs money Fixing CAs CA-disaster 2011 Diginotar, Comodo, T¨urktrust and others EFF SSL Observatory finds many valid certificates that shouldn’t exist (e.g. 512 Bit EV certificate) Diginotar is the only case where it had consequences Comodo issued fake certificates for mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com erstellt 11 / 44
  • 12. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Certificate Authorities 2011 CA disaster Revocation Revocation that costs money Fixing CAs CRL doesn’t scale, OCSP not privacy friendly OCSP useless in Firefox and IE, disabled in Chrome OCSP Stapling could fix things a bit OCSP Stapling Required - only a draft Revocation does not work right now 12 / 44
  • 13. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Certificate Authorities 2011 CA disaster Revocation Revocation that costs money Fixing CAs Heartbleed: StartSSL charges for revocation This is a problem: It gives incentives to do the wrong thing Cynics might say: Doesn’t matter, it’s broken anyway More general problem: It’s expensive and difficult to be secure (certificates) - it should be the other way round 13 / 44
  • 14. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Certificate Authorities 2011 CA disaster Revocation Revocation that costs money Fixing CAs Convergence: distributed access (MitM still possible if attacker near server) Sovereign Keys: EFF, complicated, uses append-only log TACK: draft for TLS to pin certificates, shares many ideas with Sovereign Keys HTTP Key Pinning: draft from Google, only HTTPS Certificate Transparency: from Google, append-only log, make sure MitM gets detected 14 / 44
  • 15. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms Signaturen Three public key types for X.509 certificates: RSA, DSA, ECDSA Everyone uses RSA and that’s a good thing DSA/ECDSA have severe problems with bad randomness 15 / 44
  • 16. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms Signaturen MD5 signatures were used until someone showed they are really broken SHA1 signatures are de facto standard Few CAs do SHA256 signatures (about to change) RSA signatures use old PKCS #1 1.5 scheme, RSA-PSS (PKCS #1 2.1) would be better, lacks software support 16 / 44
  • 17. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC TLS supports a lot of algorithm combinations Example: ECDHE-RSA-AES256-GCM-SHA384 Key exchange with elliptic curves, signature with RSA, encryption with AES, key size 256 bit, block mode GCM (Galois/Counter Mode), MAC algorithm SHA385 17 / 44
  • 18. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC Until TLS 1.0 AES CBC used an implicit initialization vector This led to the BEAST attack Fixed in TLS 1.1, but who implements better protocols with more security if they don’t have to? 18 / 44
  • 19. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC TLS needs confidentiality and authenticity Most common: Encryption with AES-CBC, authentication with HMAC TLS does MAC-then-Pad-then-Encrypt Different error messages for padding and MAC errors allow Padding Oracle attack ”Solution”: just one error message 19 / 44
  • 20. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC ”Canvel et al. [CBCTIME] have demonstrated a timing attack on CBC padding based on the time required to compute the MAC. In order to defend against this attack, implementations MUST ensure that record processing time is essentially the same whether or not the padding is correct. In general, the best way to do this is to compute the MAC even if the padding is incorrect, and only then reject the packet. For instance, if the pad appears to be incorrect, the implementation might assume a zero-length pad and then compute the MAC. This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.” (TLS 1.2, RFC 5246, p. 23) 20 / 44
  • 21. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC To translate this: We know there is a problem, but we don’t think it’s a real problem That was the Lucky Thirteen attack - it was already mentioned in the TLS standard itself 21 / 44
  • 22. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC For all problems with BEAST and Lucky Thirteen there are workarounds in browsers But after Lucky Thirteen many wanted to avoid CBC Solution: RC4 (only non-CBC-algorithm left before TLS 1.2) PCI verification (credit card standard) required RC4 for some time 22 / 44
  • 23. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC RC4 was developed 1994 by Ron Rivest, not for public use Source was published in a newsgroup, is only a few lines long and you can copy-and-paste it from Wikipedia March 2013: Bernstein et al show an impractical attack on RC4 in TLS, no workarounds After Snowden some people speculate that NSA can attack RC4 in real time Today many people think RC4 has to die (draft) 23 / 44
  • 24. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Algorithms BEAST CBC, MAC, Padding From the TLS 1.2 standard Lucky Thirteen CBC RC4 RC4 or CBC RC4 or CBC with MAC-then-Encrypt? Both are bad, but for CBC we have workarounds BEAST, Lucky Thirteen, RC4-attacks are all not very practical, but this is not good AES-GCM: Authenticated encryption, only in TLS 1.2, only new browsers Encrypt-then-MAC for CBC: draft ChaCha20/Poly1394: draft - very fast and probably very secure cipher 24 / 44
  • 25. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Forward Secrecy Elliptic Curves NIST Curves Curve25519 Compression Forward secrecy is great! If you do it right but... Apache before 2.4.7 only supports Diffie-Hellman (DHE) with 1024 bit, Java until 1.7 the same And there are elliptic curves... (ECDHE) 25 / 44
  • 26. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Forward Secrecy Elliptic Curves NIST Curves Curve25519 Compression Idea: Diffie-Hellman and El Gamal/DSA use a ”group” (some math structure) You can use any group you like Assumption: If you use an elliptic curve that’s much more secure (the best known attacks on discrete logarithms don’t work in elliptic curves) There are infinitely many elliptic curves - which one should we use? 26 / 44
  • 27. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Forward Secrecy Elliptic Curves NIST Curves Curve25519 Compression Solution: We ask the NSA - they have lots of skilled cryptographers, they should know In 1999 NIST published some good, well tested elliptic curves The author works for the NSA Where does 3045ae6f c8422f64 ed579528 d38120ea e12196d5 come from? It is not very likely that the NSA has a backdoor, but we can’t completely rule it out 27 / 44
  • 28. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Forward Secrecy Elliptic Curves NIST Curves Curve25519 Compression Dan Bernstein developed a better elliptic curve: Curve25519, 255 bit Draft for TLS The SafeCurves project also has longer curves ECDSA doesn’t work and is bad anyway, there is Ed25519 for Curve25519 28 / 44
  • 29. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Forward Secrecy Elliptic Curves NIST Curves Curve25519 Compression Compression leaks information about content and leads to side channel attacks (CRIME attack) Just disable it, your browser won’t use it anyway Problem: Similar attacks work on HTTP compression, workarounds are tricky and have to happen in the web application (BREACH attack) 29 / 44
  • 30. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins TLS has an internal downgrade protection But browsers have a ”workaround” for this protection: Try a lower protocol if the higher one fails Problem: Broken middleware and load balancers are everywhere Downgrades can happen with bad connections (mobile Internet) This is a problem for SNI (ServerNameIndication) and other extensions - please disable SSLv3 everywhere 30 / 44
  • 31. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins BIG-IP from F5 is such a story... One of the reasons for those ”workarounds” Also there are devices that don’t like TLS handshakes between 256 and 512 bytes, so we now have a TLS padding extension to add some useless data But there is other hardware that breaks with the padding extensions (Ironware SMTP servers from Cisco) Browsers do workarounds for broken stuff all the time There’s now a draft for better downgrade protection (a workaround for a workaround for broken stuff) 31 / 44
  • 32. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins Frankencerts - take a bunch of real certificates, change things randomly And then check if they are valid In a perfect world every library should come to the same conclusion In the real world they don’t This uncovered severe bugs in MatrixSSL and GnuTLS and smaller bugs in various other TLS implementations 32 / 44
  • 33. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins Dual EC DRBG has almost certainly a backdoor from the NSA Research project: We replace the backdoor parameters with our own parameters This revealed private keys for DSA and ECDSA in TLS (told you so: don’t use them) RSA BSAFE used Dual EC by default The TLS extended random extension makes this attack easier, there exists a draft and code in RSA BSAFE (learn: don’t invent extensions without a clear purpose. Oh, we already knew that from Heartbleed) Dual EC rarely used, so no real problem, but exciting research 33 / 44
  • 34. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins Bug in the logic of TLS handshakes and renegotiations Browser workaround, Adam Langley has a check for your browser Interesting fact: some browsers accept insecure parameters for Diffie-Hellman Diffie-Hellman needs a large prime - some browsers think 17 or 15 are large primes 34 / 44
  • 35. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins SSL Stripping: Attacker prevents HTTPS by intercepting links or first HTTP access HSTS header forces browser to use TLS and forbids HTTP to same host Some browsers have build-in HSTS domains WARNING: There is no way to do hybrid HTTPS/HTTP solutions secure. Just protecting the login is wrong 35 / 44
  • 36. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins ASN.1 is the most horrible binary format to parse Know any good software to handle it? I don’t —–BEGIN CERTIFICATE—– MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0w DQYJKoZIhvcNAQEFBQAwXzELMAkG 36 / 44
  • 37. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins Quantum computers kill all public key and key exchange algorithms in TLS 2012 Nobel price for research that could help building quantum computers Post quantum cryptography is very experimental, no algorithm that could be deployed easily Quantum cryptography won’t safe you, it is a nice thought experiment, but it is completely impractical 37 / 44
  • 38. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Downgrades F5 / BIG-IP Frankencerts Dual EC DRBG Triple Handshake SSL Stripping / HSTS ASN.1 Quantum Computers Tipps for server admins Use latest Apache Support TLS 1.2 with AES-GCM and forward secrecy Disable RC4, TLS compression, SSLv3 and all mostly unused algorithms (EXPORT, NULL, SEED, IDEA, ...) Enable OCSP stapling Use RSA certificates with 2048 or 4096 bit, signed with SHA256 Use the Qualys SSL test 38 / 44
  • 39. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Two Possible Conclusions Read and Learn Sources Sources Sources Final words a) TLS is broken beyond repair, we need to get rid of it and make something better b) TLS is broken on many layers, but we have ideas and fixes for many problems, we need to get them deployed Choose your own conclusion - and help making it happen 39 / 44
  • 40. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Two Possible Conclusions Read and Learn Sources Sources Sources Final words I often write about crypto on Golem.de (German) - http://hboeck.de Matthew Green‘s Blog http://blog.cryptographyengineering.com/ Adam Langley‘s Blog https://www.imperialviolet.org/ Dan Bernstein‘s Blog (DJB) http://blog.cr.yp.to/ Very good online course by Dan Boneh on Coursera https://www.coursera.org/course/crypto 40 / 44
  • 41. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Two Possible Conclusions Read and Learn Sources Sources Sources Final words TLS 1.2, RFC 5246 http://www.ietf.org/rfc/rfc5246.txt Heartbleed http://heartbleed.com/ OpenSSL Valhalla Rampage http://opensslrampage.org/ EFF SSL Observatory https://www.eff.org/observatory Internet scans https://scans.io/ Sovereign Keys https://www.eff.org/sovereign-keys Convergence http://convergence.io/ TACK http://tack.io/ HTTP Key Pinning http://tools.ietf.org/html/ draft-ietf-websec-key-pinning-01 Certificate Transparency http://certificate-transparency.org 41 / 44
  • 42. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Two Possible Conclusions Read and Learn Sources Sources Sources Final words OCSP Stapling Required http://tools.ietf.org/html/ draft-hallambaker-tlssecuritypolicy-03 MD5 broken http://media.ccc.de/browse/congress/2008/ 25c3-3023-en-making_the_theoretical_possible.html RSA-PSS thesis https://rsapss.hboeck.de/ Padding Oracle http://www.iacr.org/cryptodb/ archive/2002/EUROCRYPT/2850/2850.pdf BEAST http://ekoparty.org/2011/juliano-rizzo.php Lucky Thirteen http://www.isg.rhul.ac.uk/tls/Lucky13.html RC4 attack http://www.isg.rhul.ac.uk/tls/ Prohibiting RC4 draft https://tools.ietf.org/html/ draft-popov-tls-prohibiting-rc4-02 BREACH http://breachattack.com/ 42 / 44
  • 43. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Two Possible Conclusions Read and Learn Sources Sources Sources Final words SafeCurves http://safecurves.cr.yp.to/ Frankencerts https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf Dual EC http://dualec.org/ https://projectbullrun.org/dual-ec/ Triple Handshake https://secure-resumption.com/ Browser check for Triple Handshake https://www.imperialviolet.org/2014/03/03/ triplehandshake.html Browser check for DH parameters https://dh.tlsfun.de/ Post quantum cryptography http://pqcrypto.org/ TLS – Nuke it from Orbit http://clearcryptocode.org/tls/ Qualys SSL-Test https://www.ssllabs.com/ssltest/ 43 / 44
  • 44. Introduction Software CAs X.509 Symmetric encryption TLS misc Misc End Two Possible Conclusions Read and Learn Sources Sources Sources Final words Thank you Edward Snowden! 44 / 44