TLS/SSL MAC security flaw

Nate Lawson
Nate LawsonEngineer at Root Labs
TLS/SSL MAC security flaw Nate Lawson nate@rootlabs.com Jan. 10, 2008
Decoding with WireShark
Overview of typical session Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
TLS 1.1 security fixes • Two security flaws fixed since TLS 1.0 – Implicit Initialization Vector (IV) is replaced with an explicit one – Handling of padding errors changed to not report decryption_failed Credit for both: Bodo Moeller of OpenSSL • More details and discussion on my blog: http://rootlabs.com (select Blog)
CBC encryption P1 P2 P3 IV + + + AESEnc AESEnc AESEnc C1 C2 C3
CBC decryption C1 C2 C3 AESDec AESDec AESDec IV + + + P1 P2 P3
TLS CBC padding • Padding needed if message is not multiple of cipher block size – Pad remaining bytes of block with bytes of PaddingLen - 1 – 3 bytes of padding = 0x2 0x2 0x2 • Example: AES-CBC, 30 bytes data – P1: 16 bytes data – P2: 14 bytes data || 0x1 0x1
Padding error timing attack • Two different errors – If padding verification fails, “padding_error” – If subsequent integrity check fails, “bad_record_mac” • Attacker can’t see these (encrypted) – But, server may exit out early if padding incorrect and not bother to check MAC – Creates an exploitable timing channel
CBC padding attack • Allows guessing the last byte of a sniffed encrypted record • Attack overview – Modify and replay entire record – Observe how long it takes for error to be returned – Repeat until it takes a little longer – Padding passed check and thus server proceeded to check the MAC of the data
Example attack scenario • Original message 32 bytes data – C1: AES(IV ⊕ 16 bytes data) – C2: AES(C1 ⊕ 16 bytes data) • Attacker modifies message – C1: 15 bytes garbage || (GuessByte ⊕ 0x0) – C2: same – Truncates external length to 31 bytes • If guess byte is correct, padding verifies and server proceeds to MAC stage – P2: 15 bytes garbage || 0x0 – GuessByte ⊕ RealByte ⊕ 0x0 = 0 – PaddingLen = 1 means append one byte of 0x0
Conclusion • Detailed error reporting harmful to crypto – Surprise! You want nothing more than a big, giant FAIL at the end of your protocol • Side channels reveal enough for an attack, even when data is encrypted – Surprise! Proceed (with caution) even when an error is encountered
Recommended reading • [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1. http://tools.ietf.org/html/rfc4346 • [Resc02] Rescarola, E. Introduction to OpenSSL programming. http://www.rtfm.com/openssl-examples/ • [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol. 1996. http://citeseer.ist.psu.edu/wagner96analysis.html • [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical. Proceedings of the 12th USENIX Security Symposium, August 2003. http://citeseer.ist.psu.edu/article/boneh03remote.html • [M04] B. Moeller. Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures. May 2004. http://www.openssl.org/~bodo/tls-cbc.txt
1 of 12

TLS/SSL MAC security flaw

Download to read offline
TechnologyEducation

Analysis of one of the CBC attacks on TLS that resulted in the bump from 1.0 to 1.1. Talk given at iSec Forum on Jan 10, 2008.

Nate Lawson
Nate LawsonEngineer at Root Labs

Recommended

When Crypto Attacks! (Yahoo 2009) by
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
3K views26 slides
VisualWorks Security Reloaded - STIC 2012 by
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
801 views21 slides
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz by
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
1.3K views57 slides
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies) by
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
1.2K views45 slides
Kerberos, NTLM and LM-Hash by
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
6.3K views25 slides
Abusing Microsoft Kerberos - Sorry you guys don't get it by
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
43.1K views53 slides

More Related Content

What's hot

Web acceleration mechanics by
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanicsAlexander Krizhanovsky
362 views60 slides
Cryptography for Absolute Beginners (May 2019) by
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
1.9K views40 slides
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак by
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакPositive Hack Days
562 views51 slides
Abusing Microsoft Kerberos - Sorry you guys don’t get it by
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
1.1K views53 slides
OpenSSL Basic Function Call Flow by
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
5.2K views17 slides
SSL Checklist for Pentesters (BSides MCR 2014) by
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
4.6K views31 slides

What's hot(20)

Web acceleration mechanics by Alexander Krizhanovsky
Web acceleration mechanicsWeb acceleration mechanics
Web acceleration mechanics
Alexander Krizhanovsky362 views
Cryptography for Absolute Beginners (May 2019) by Svetlin Nakov
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
Svetlin Nakov1.9K views
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак by Positive Hack Days
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакСтек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атак
Positive Hack Days562 views
Abusing Microsoft Kerberos - Sorry you guys don’t get it by E Hacking
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
E Hacking1.1K views
OpenSSL Basic Function Call Flow by William Lee
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
William Lee5.2K views
SSL Checklist for Pentesters (BSides MCR 2014) by Jerome Smith
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith4.6K views
Cryptography in PHP: use cases by Enrico Zimuel
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use cases
Enrico Zimuel14.5K views
Cryptography For The Average Developer - Sunshine PHP by Anthony Ferrara
Cryptography For The Average Developer - Sunshine PHPCryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHP
Anthony Ferrara23.9K views
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose) by Svetlin Nakov
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Svetlin Nakov522 views
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018) by Svetlin Nakov
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Svetlin Nakov3K views
OpenSSL programming (still somewhat initial version) by Shteryana Shopova
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)
Shteryana Shopova3.8K views
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019) by Svetlin Nakov
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov2.5K views
Securing your MySQL server by Marian Marinov
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL server
Marian Marinov294 views
第0回ワススタ!! #wasbookを読もう by Tatsuya Tobioka
第0回ワススタ!! #wasbookを読もう第0回ワススタ!! #wasbookを読もう
第0回ワススタ!! #wasbookを読もう
Tatsuya Tobioka1.2K views
Ntlm Unsafe by Guang Ying Yuan
Ntlm UnsafeNtlm Unsafe
Ntlm Unsafe
Guang Ying Yuan3.3K views
Gauntlt: Go Ahead, Be Mean to your Code by James Wickett
Gauntlt: Go Ahead, Be Mean to your CodeGauntlt: Go Ahead, Be Mean to your Code
Gauntlt: Go Ahead, Be Mean to your Code
James Wickett1.1K views
Challenges Building Secure Mobile Applications by Masabi
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
Masabi1.1K views
Crypto With OpenSSL by Zhi Guan
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSL
Zhi Guan17.6K views
hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in... by Michael Stack
hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...
hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...
Michael Stack159 views
Observability tips for HAProxy by Willy Tarreau
Observability tips for HAProxyObservability tips for HAProxy
Observability tips for HAProxy
Willy Tarreau3.4K views

Viewers also liked

SSL TLS Protocol by
SSL TLS ProtocolSSL TLS Protocol
SSL TLS ProtocolDevang Badrakiya
1.3K views19 slides
SSL/TLS by
SSL/TLSSSL/TLS
SSL/TLSSirish Kumar
1.4K views12 slides
SSL-image by
SSL-imageSSL-image
SSL-imageRajat Toshniwal
387 views4 slides
An analysis of TLS handshake proxying by
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxyingNick Sullivan
2.4K views40 slides
ACPI and FreeBSD (Part 1) by
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)Nate Lawson
1.6K views16 slides
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007) by
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
3K views30 slides

Viewers also liked(20)

SSL TLS Protocol by Devang Badrakiya
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya1.3K views
SSL/TLS by Sirish Kumar
SSL/TLSSSL/TLS
SSL/TLS
Sirish Kumar1.4K views
SSL-image by Rajat Toshniwal
SSL-imageSSL-image
SSL-image
Rajat Toshniwal387 views
An analysis of TLS handshake proxying by Nick Sullivan
An analysis of TLS handshake proxyingAn analysis of TLS handshake proxying
An analysis of TLS handshake proxying
Nick Sullivan2.4K views
ACPI and FreeBSD (Part 1) by Nate Lawson
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
Nate Lawson1.6K views
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007) by Nate Lawson
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Nate Lawson3K views
Foundations of Platform Security by Nate Lawson
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform Security
Nate Lawson830 views
ACPI and FreeBSD (Part 2) by Nate Lawson
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)
Nate Lawson3.5K views
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004) by Nate Lawson
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Nate Lawson862 views
Crypto Strikes Back! (Google 2009) by Nate Lawson
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
Nate Lawson3.7K views
An introduction to MQTT - Pub / Sub for the masses by Dominik Obermaier
An introduction to MQTT - Pub / Sub for the massesAn introduction to MQTT - Pub / Sub for the masses
An introduction to MQTT - Pub / Sub for the masses
Dominik Obermaier11.9K views
Highway to Hell: Hacking Toll Systems (Blackhat 2008) by Nate Lawson
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Nate Lawson3.1K views
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007) by Nate Lawson
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson1.8K views
Designing and Attacking DRM (RSA 2008) by Nate Lawson
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
Nate Lawson3.5K views
SSL by theekuchi
SSLSSL
SSL
theekuchi3K views
TLS Optimization by Nate Lawson
TLS OptimizationTLS Optimization
TLS Optimization
Nate Lawson7.7K views
TLS/SSL Protocol Design 201006 by Nate Lawson
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
Nate Lawson3K views
Wireshark by ashiesh0007
WiresharkWireshark
Wireshark
ashiesh00075.4K views
TLS/SSL Protocol Design by Nate Lawson
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson8.4K views
Protocoles SSL/TLS by Thomas Moegli
Protocoles SSL/TLSProtocoles SSL/TLS
Protocoles SSL/TLS
Thomas Moegli4.6K views

Similar to TLS/SSL MAC security flaw

Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp... by
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
1.3K views53 slides
Poodle by
PoodlePoodle
PoodleSamit Anwer
447 views11 slides
New flaws in WPA-TKIP by
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
3.5K views44 slides
What every Java developer should know about network? by
What every Java developer should know about network?What every Java developer should know about network?
What every Java developer should know about network?aragozin
3.2K views39 slides
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar... by
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
614 views10 slides
Computer network (3) by
Computer network (3)Computer network (3)
Computer network (3)NYversity
416 views39 slides

Similar to TLS/SSL MAC security flaw(20)

Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp... by Cybersecurity Education and Research Centre
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Cybersecurity Education and Research Centre1.3K views
Poodle by Samit Anwer
PoodlePoodle
Poodle
Samit Anwer447 views
New flaws in WPA-TKIP by vanhoefm
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm3.5K views
What every Java developer should know about network? by aragozin
What every Java developer should know about network?What every Java developer should know about network?
What every Java developer should know about network?
aragozin3.2K views
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar... by idsecconf
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf614 views
Computer network (3) by NYversity
Computer network (3)Computer network (3)
Computer network (3)
NYversity416 views
Fundamentals of network hacking by Pranshu Pareek
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek91 views
Cours4.pptx by Bellaj Badr
Cours4.pptxCours4.pptx
Cours4.pptx
Bellaj Badr6 views
Jaimin chp-3 - data-link layer- 2011 batch by Jaimin Jani
Jaimin chp-3 - data-link layer- 2011 batchJaimin chp-3 - data-link layer- 2011 batch
Jaimin chp-3 - data-link layer- 2011 batch
Jaimin Jani3.6K views
Technical Overview of QUIC by shigeki_ohtsu
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
shigeki_ohtsu16.4K views
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack... by Aaron Zauner
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
Aaron Zauner992 views
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps) by Art Schanz
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
Art Schanz85 views
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... by CODE BLUE
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE78 views
TLS - 2016 Velocity Training by Patrick Meenan
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity Training
Patrick Meenan970 views
Introduction to data link layer by Shashank HP
Introduction to data link layerIntroduction to data link layer
Introduction to data link layer
Shashank HP96 views
Recover A RSA Private key from a TLS session with perfect forward secrecy by Priyanka Aash
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecy
Priyanka Aash1.1K views
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost) by Ericom Software
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
Ericom Software3.8K views
How to bypass an IDS with netcat and linux by Kirill Shipulin
How to bypass an IDS with netcat and linuxHow to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linux
Kirill Shipulin989 views
Network Programming: Data Plane Development Kit (DPDK) by Andriy Berestovskyy
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy2.3K views
Docker networking basics & coupling with Software Defined Networks by Adrien Blind
Docker networking basics & coupling with Software Defined NetworksDocker networking basics & coupling with Software Defined Networks
Docker networking basics & coupling with Software Defined Networks
Adrien Blind65.6K views

Recently uploaded

PharoJS - Zürich Smalltalk Group Meetup November 2023 by
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023Noury Bouraqadi
132 views17 slides
Case Study Copenhagen Energy and Business Central.pdf by
Case Study Copenhagen Energy and Business Central.pdfCase Study Copenhagen Energy and Business Central.pdf
Case Study Copenhagen Energy and Business Central.pdfAitana
16 views3 slides
Microsoft Power Platform.pptx by
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptxUni Systems S.M.S.A.
53 views38 slides
virtual reality.pptx by
virtual reality.pptxvirtual reality.pptx
virtual reality.pptxG036GaikwadSnehal
14 views15 slides
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Safe Software
280 views86 slides
"Running students' code in isolation. The hard way", Yurii Holiuk by
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk Fwdays
17 views34 slides

Recently uploaded(20)

PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi132 views
Case Study Copenhagen Energy and Business Central.pdf by Aitana
Case Study Copenhagen Energy and Business Central.pdfCase Study Copenhagen Energy and Business Central.pdf
Case Study Copenhagen Energy and Business Central.pdf
Aitana16 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.53 views
virtual reality.pptx by G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal14 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software280 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays17 views
Scaling Knowledge Graph Architectures with AI by Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge38 views
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
Dr. Jimmy Schwarzkopf20 views
Democratising digital commerce in India-Report by Kapil Khandelwal (KK)
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-Report
Kapil Khandelwal (KK)18 views
Mini-Track: Challenges to Network Automation Adoption by Network Automation Forum
Mini-Track: Challenges to Network Automation AdoptionMini-Track: Challenges to Network Automation Adoption
Mini-Track: Challenges to Network Automation Adoption
Network Automation Forum13 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva615 views
Design Driven Network Assurance by Network Automation Forum
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network Assurance
Network Automation Forum15 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman36 views
Evolving the Network Automation Journey from Python to Platforms by Network Automation Forum
Evolving the Network Automation Journey from Python to PlatformsEvolving the Network Automation Journey from Python to Platforms
Evolving the Network Automation Journey from Python to Platforms
Network Automation Forum13 views
Mini-Track: AI and ML in Network Operations Applications by Network Automation Forum
Mini-Track: AI and ML in Network Operations ApplicationsMini-Track: AI and ML in Network Operations Applications
Mini-Track: AI and ML in Network Operations Applications
Network Automation Forum10 views
Network Source of Truth and Infrastructure as Code revisited by Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum27 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson92 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining58 views
Serverless computing with Google Cloud (2023-24) by wesley chun
Serverless computing with Google Cloud (2023-24)Serverless computing with Google Cloud (2023-24)
Serverless computing with Google Cloud (2023-24)
wesley chun11 views
Vertical User Stories by Moisés Armani Ramírez
Vertical User StoriesVertical User Stories
Vertical User Stories
Moisés Armani Ramírez14 views

TLS/SSL MAC security flaw

  • 1. TLS/SSL MAC security flaw Nate Lawson nate@rootlabs.com Jan. 10, 2008
  • 3. Overview of typical session Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
  • 4. TLS 1.1 security fixes • Two security flaws fixed since TLS 1.0 – Implicit Initialization Vector (IV) is replaced with an explicit one – Handling of padding errors changed to not report decryption_failed Credit for both: Bodo Moeller of OpenSSL • More details and discussion on my blog: http://rootlabs.com (select Blog)
  • 5. CBC encryption P1 P2 P3 IV + + + AESEnc AESEnc AESEnc C1 C2 C3
  • 6. CBC decryption C1 C2 C3 AESDec AESDec AESDec IV + + + P1 P2 P3
  • 7. TLS CBC padding • Padding needed if message is not multiple of cipher block size – Pad remaining bytes of block with bytes of PaddingLen - 1 – 3 bytes of padding = 0x2 0x2 0x2 • Example: AES-CBC, 30 bytes data – P1: 16 bytes data – P2: 14 bytes data || 0x1 0x1
  • 8. Padding error timing attack • Two different errors – If padding verification fails, “padding_error” – If subsequent integrity check fails, “bad_record_mac” • Attacker can’t see these (encrypted) – But, server may exit out early if padding incorrect and not bother to check MAC – Creates an exploitable timing channel
  • 9. CBC padding attack • Allows guessing the last byte of a sniffed encrypted record • Attack overview – Modify and replay entire record – Observe how long it takes for error to be returned – Repeat until it takes a little longer – Padding passed check and thus server proceeded to check the MAC of the data
  • 10. Example attack scenario • Original message 32 bytes data – C1: AES(IV ⊕ 16 bytes data) – C2: AES(C1 ⊕ 16 bytes data) • Attacker modifies message – C1: 15 bytes garbage || (GuessByte ⊕ 0x0) – C2: same – Truncates external length to 31 bytes • If guess byte is correct, padding verifies and server proceeds to MAC stage – P2: 15 bytes garbage || 0x0 – GuessByte ⊕ RealByte ⊕ 0x0 = 0 – PaddingLen = 1 means append one byte of 0x0
  • 11. Conclusion • Detailed error reporting harmful to crypto – Surprise! You want nothing more than a big, giant FAIL at the end of your protocol • Side channels reveal enough for an attack, even when data is encrypted – Surprise! Proceed (with caution) even when an error is encountered
  • 12. Recommended reading • [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1. http://tools.ietf.org/html/rfc4346 • [Resc02] Rescarola, E. Introduction to OpenSSL programming. http://www.rtfm.com/openssl-examples/ • [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol. 1996. http://citeseer.ist.psu.edu/wagner96analysis.html • [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical. Proceedings of the 12th USENIX Security Symposium, August 2003. http://citeseer.ist.psu.edu/article/boneh03remote.html • [M04] B. Moeller. Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures. May 2004. http://www.openssl.org/~bodo/tls-cbc.txt