This document provides an introduction and survey of Transport Layer Security (TLS). It begins with motivations for studying TLS and provides background information on topics like cryptography, the TLS handshake process, and cipher suites. The document then discusses the history of TLS and examples of attacks against it. It aims to educate about TLS security and the ongoing efforts by the Internet Engineering Task Force (IETF) to improve TLS mitigations against modern threats.
This presentation introduces the Basics of Cryptography and Network Security concepts. Heavily derived from content from William Stallings' book of the same title.
The presentation covers the following:
Basic Terms
Cryptography
The General Goals of Cryptography
Common Types of Attacks
Substitution Ciphers
Transposition Cipher
Steganography - “Concealed Writing”
Symmetric Secret Key Encryption
Types of Symmetric Algorithms
Common Symmetric Algorithms
Asymmetric Secret Key Encryption
Common Asymmetric Algorithms
Public Key Cryptography
Hashing Techniques
Hashing Algorithms
Digital Signatures
Transport Layer Security
Public key infrastructure (PKI)
Cryptography and network security Nit701 - Amit Pathak
Cryptography and network security describes the security parameters with the help of public and private keys. Digital signatures are one of the most important areas which we apply in our daily life for transferring data.
I presented this overview lecture at Computer Applications for the 21st century – Synergies and Vistas organized by Vidyasagar College, Kolkata in 2008
Cryptography is both an art and a science – the use of deception and mathematics, to hide, transmit, and receive data. This short course covers Cryptography as it relates to the CISSP certification. The full video course is located here: http://resources.infosecinstitute.com/cryptography-CISSP-use-of-cryptography
Information and network security 31 public key cryptography - Vaibhav Khanna
Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys and private keys. The generation of such key pairs depends on cryptographic algorithms which are based on mathematical problems termed one-way functions.
The presentation describes the basics of cryptography and information security. It covers goals of cryptography, history of ciphers, symmetric and public key cryptography.
A short introduction to cryptography. What is public and private key cryptography? What is a Caesar Cipher and how do we decrypt it? How does RSA work?
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
[Defcon] Hardware backdooring is practical - Moabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete erasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demoing its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the aforementioned firmwares as part of their scope of work.
Talk given at Devoxx UK 2014
Caveat - without the video these slides can be taken out of context, see Parleys for the full video.
RSA is the oldest kid in the public-key cryptography playground, and its position of toughest and fastest is under sharp competition from ECC (Elliptic Curve Cryptography). We look at the mathematical difference between the two cryptosystems, showing why ECC is faster and “harder” than RSA, but also very energy efficient hence its unique advantage in the mobile space. We show how to use ECC in your Java and Android applications. Before finally summarising the “state of the union” for RSA and ECC in the light of the Snowden leaks, and the likely near-future for public-key cryptography.
Press release (NdP): Akamon launches VIVA! Bingo & Slots, a new suite of social games from ... - Akamon Entertainment
Akamon Entertainment, the leading social games company specializing in traditional and casino games in Latin America and southern Europe, has launched VIVA!, a new suite of social casino games that includes Bingo, Slots and VideoBingo games.
With VIVA!, Akamon enters the VideoBingo category, a type of casino game that is very popular especially in Latin America, and launches a product offering strongly focused on the company's strategic markets.
Conceptual design of a bus emergency exit ramp - maputi
Abstract: Bus mass transport vehicles are designed to ferry passengers along routes in cities and between cities. Advancement of technology in the 21st century has resulted in various designs of buses. Innovation in bus design has been centered on lightweight materials, formability and aesthetic appeal of the bus interior and exterior. Meanwhile the bus structure has not developed in terms of emergency exit tools to aid quick passenger egress in the case of emergency. This paper focuses on the design of a bus emergency exit tool. This tool will be applicable at designated emergency exit windows. The tool will assist passengers to escape the bus as soon as an accident occurs while emergency services have not yet arrived. The design will be modelled using SolidWorks software.
Strong Children - the Middle Way. (Sabine Erath-Stark) - gemeindelingenau
Healthy nutrition for children big and small from the perspective of the holistic understanding of health and nutrition in Traditional Chinese Medicine (TCM).
What nourishes our children?
What is good for them?
What weakens them?
Is less sometimes more?
How can we equip them for wind and weather?
How can we help them, with a simple and above all natural diet, to develop a stable centre and a stable immune system?
Email Matters - Two Case Studies from Acquisition to Conversion - Good Works
A joint presentation with Holly Wagg from Good Works and Nicola Leckie from the Cornell Lab of Ornithology at NTEN, Washington, DC, March 2014.
No matter the size of your fundraising shop (small, medium, or large), email levels the playing field. Email is a single touch point in your online program, and we're going to focus on what has worked (and failed to work) to build your new supporter pipeline and boost the conversion rate for each and every fundraising email you send. This is an interactive dialogue kicking off with two case studies of email programs in action from The UN Refugee Agency Canada and Cornell Lab of Ornithology.
What participants will learn:
1) How to use inbound marketing strategies such as organic search and google grant traffic to build your list (we increased our file by 56%).
2) How to grow an integrated email program with the goal of making it the biggest slice of your direct response pie (email revenue has increased by 50% in 2014
On the eve of Book Day, in the rain, we present issue 10 of our magazine.
This week's recipe is full of pleasures. On the cover, a barefoot hero, the protagonist of the play 'La dama boba', which premiered with great success last Sunday.
For the second course, the mythological gods plated by Erein, with Saturn and his fable of time, for all the minds that like 'to think'.
We move on to the sorbet with La maja endoscópica, which brings us a little closer to the uneven asphalt of daily life.
And without meaning to, we kiss the ground with the third course, the gran reserva ElFer, reminding us that luck and misery are not the same for everyone.
We take flight with the desserts, brought to us by Pacorro in his weekly marathon column, this time trapped at the bar of a fairground stall.
And as every Thursday, the leisure events for the weekend in Zaragoza. A bit of everything.
Hard to resist. And you know, if you find something better, send it to me :-)
What solar panels did BMW use? How did Gehry include solar PV in his Basel building? Clever engineering from Sunways AG excites and delights in these reference photos showing the solar dream.
Talk: Forensic Analysis of Android Devices, given by Antonio Díaz of Informática 64 for the Mobile Device Specialization course held at the Faculty of Computer Science of the University of A Coruña from 20 to 22 June 2012. Slides 2/3
Northeast Wireless Safety Summit February 4, 2015 Presentations - Ilissa Miller
Northeast Wireless Safety Summit (NEWSS), founded by HPC Wireless, hosted the first annual Wireless Safety Summit in Tarrytown, NY on February 4, 2015. The panel of presenters delivered these slides during the full day program.
Nowadays cloud computing is an emerging technology which gives open resources on the internet. It is offering a large amount of data to the users and distributed data over the network. Cloud computing denotes sharing of resources rather than having local servers to handle applications. It provides services to servers, storage and applications over the internet. And this cloud computing environment is used by all small and large company users. Since all the data is stored in the cloud, backing it up and restoring the same is relatively much easier than storing the same on a physical device. Cloud computing provides a convenient way for a group of people to work together on a common project or applications in an effective manner. There are also many factors supporting cloud computing like the virtualization process, distributed storage, fast and inexpensive servers, broadband internet access etc.
But the major drawback is security in providing data over the internet. Each and every cloud searcher is raising a question to the cloud provider whether it contains security policies and procedures before hosting their applications. Due to poor security, there exist poor applications, data loss, hijacking, traffic etc. But the main issue is it does not have any security in distributing data. It becomes the main obstacle in the cloud computing environment. So to enhance the security, so to protect the data, we proposed an algorithm called the RSA algorithm. It is a new approach and it met the requirements of public key systems. By using this algorithm it will increase the data security. This algorithm uses various data block sizes and various size keys. It has asymmetric keys for both encryption and decryption. It uses two prime numbers to generate the public and private keys. These two different keys are used for encryption and decryption purposes. This algorithm can be broadly classified into three stages: key generation by using two prime numbers, encryption and decryption.
Many cryptographic asymmetric algorithms are available to solve the data security issue in the cloud. Algorithms hide data from unauthorized users. Encryption algorithms have a vital role in the data security of cloud computing. Examples of such algorithms are Diffie-Hellman, ECC, DSA, RSA etc. The Diffie-Hellman algorithm is not for encryption or decryption but it enables two parties who are involved in communication to generate a shared secret key for exchanging information confidentially. Elliptic Curve Cryptography (ECC) is only for smaller devices like cell phones. When the Digital Signature Algorithm (DSA) is used, the process of creating the digital signature is faster than validating it. When RSA is used, the process of validating the digital signature is faster than creating it. RSA has two keys, one public and the other private. The public key is known to all, and the private key is kept secret; it is mostly used in hybrid encryption schemes and digital signatures.
METHODS TOWARD ENHANCING RSA ALGORITHM: A SURVEY - IJNSA Journal
Cryptography defines different methods and technologies used in ensuring that communication between two parties over any communication medium is secure, especially in the presence of a third party. This is achieved through the use of several methods, such as encryption, decryption, signing, generation of pseudo-random numbers, among many others. Cryptography uses a key, or some sort of a password, to either encrypt or decrypt a message that needs to be kept secret. This is made possible using two classes of key-based encryption and decryption algorithms, namely symmetric and asymmetric algorithms. The best known and the most widely used public key system is RSA. This algorithm comprises three phases, which are the key generation phase, the encryption phase, and the decryption phase. Owing to the advancement in computing technology, RSA is prone to some security risks, which makes it less secure. The following paper previews different proposals on different methods used to enhance the RSA algorithm and increase its security. Some of these enhancements include combining the RSA algorithm with the Diffie-Hellman or ElGamal algorithm, modification of RSA to include three or four prime numbers, offline storage of generated keys, a secured algorithm for RSA where the message can be encrypted using dual encryption keys, etc.
Bluetooth technology is an emerging wireless networking standard, which is based on a chip that provides short-range wireless frequency hopping communication. Now, Bluetooth technology is mainly applied to the communication between mobile terminal devices, such as palm computers, mobile phones, laptops and so on. However, the phenomenon of data leaking frequently arises in using the Bluetooth technology for data transfer. To enhance the security of data transmission in Bluetooth communication, a hybrid encryption algorithm based on DES and RSA is proposed. The encryption algorithm currently employed by Bluetooth to protect the confidentiality of data during transport between two or more devices is a 128-bit symmetric stream cipher called E0. In the proposed hybrid encryption algorithm, instead of E0 encryption, the DES algorithm is used for data transmission because of its higher efficiency in block encryption, and the RSA algorithm is used for the encryption of the DES key because of its management advantages in key ciphers. Under the dual protection of the DES algorithm and the RSA algorithm, the data transmission in the Bluetooth system will be more secure. This project is extended with Triple DES in place of DES to enhance security further.
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating... - Aaron Zauner
Over the past year multiple people have been engaging language maintainers and designers to change their use of CSPRNGs (mainly relying on user-land RNGs like the one from OpenSSL, and sometimes suggesting "adding entropy" by various means from user-land daemons like haveged). In this short presentation we'll survey the struggle of cryptographers, developers and security engineers to change the path various high-profile languages have taken to provide randomness to their userbase. Affected languages include but are not limited to: Ruby, node.js and Erlang. We outline better approaches for language maintainers and implementers as well as coming changes within the Linux kernel crypto subsystem (i.e. /dev/random and /dev/urandom) w.r.t. security and performance. Recently these changes were merged into mainline Linux (4); problems with language implementations however remain. We'll also discuss operating system provided randomness testing, and attacks/mitigation in embedded and virtualized environments.
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack... - Aaron Zauner
https://eprint.iacr.org/2016/475
We investigate nonce-reuse issues with the Galois/Counter Mode (GCM) algorithm as used in TLS. Nonce reuse in GCM allows an attacker to recover the authentication key and forge messages as described by Joux. With an Internet-wide scan we identified over 70,000 HTTPS servers that are at risk of nonce reuse. We also identified 184 HTTPS servers repeating nonces directly in a short connection. Affected servers include large corporations, financial institutions, and a credit card company. We implement a proof of concept attack allowing us to violate the authenticity of affected HTTPS connections and inject content.
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac... - Aaron Zauner
Presented at hack.lu 2015.
Abstract: TLS is the most widely used cryptographic protocol on the Internet. While many recent studies focused on its use in HTTPS, none so far analyzed TLS usage in e-mail related protocols, which often carry highly sensitive information. Since end-to-end encryption mechanisms like PGP are seldom used, today confidentiality in the e-mail ecosystem is mainly based on the encryption of the transport layer. A well-positioned attacker may be able to intercept plaintext passively and at global scale.
We collected and scanned a massive data-set of 20 million IP/port combinations of all related protocols (SMTP, POP3, IMAP) and legacy ports. Over a time span of approx. three months we conducted more than 10 billion TLS handshakes. Additionally, we show that securing server-to-server communication using e.g. SMTP is inherently more difficult than securing client-to-server communication. Lastly, we analyze the volatility of TLS certificates and trust anchors in the e-mail ecosystem and argue that while the overall trend points in the right direction, there are still many steps needed towards secure e-mail.
[TALK WAS HELD IN GERMAN DUE TO AUDIENCE]
The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy enhancing technologies catered towards the operations community in the face of overarching wiretapping and data-mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open source and operations community in general with input from various browser vendors, linux distribution security teams and researchers. This talk will give a concise guide on how to properly deploy networked services in a secure fashion that is applicable today. We will also give an update on the project as well as new development on the front of cryptography, attacks and TLS protocol standardization.
Although the "Modules" system has been around since the early 1990s it has yet to find widespread adoption outside of the scientific computing and HPC community. Most FOSS developers rely on a wide range of tools to abstract and manage their Linux and UN!X environments for different scripting languages, compiler toolchains and applications. This problem has long been solved in the world of High Performance Computing where optimization of applications, toolchains and libraries is paramount. Environment Modules are a wonderful tool that will save time and help with ease of development processes, reproducibility, and management of your development environment. This talk will give insight into how Modules work, which implementations are out there and how to use Modules instead of language bound tools, as well as a comparison with common tools that the community uses to develop on Python and Ruby (for example) projects.
I intend to give a 20 min overview of the "Environment Modules" system as deployed on many scientific and HPC sites to FOSS developers, students and linux enthusiasts.
This will include a comparison of different Modules implementations, their history and typical use cases in HPC and development environments, and how Modules can be of help to FOSS developers and systems administrators. As a developer and systems engineer, I am familiar with a lot of different systems to manage multiple installations of e.g. script languages, their environments and libraries. I'll give a short overview and comparison of those and compare these systems with Modules, and show how developers and engineers alike can save time and effort in managing their environment for all applications, toolchains and script languages.
3. Motivation
TLS is something we deal with on a daily basis, so this is an
obvious topic for education.
Keep in mind that these attacks are not only possible for
nation-state actors, some of them I can mount on this very laptop.
BsidesHH - 28/12/2014 Introduction to and survey of TLS Security
Aaron Zauner 1/91
8. Background
Disclaimer
Unfortunately this is not a talk about InfoSec nor cryptography, so I
will only cover the very basics needed to understand the topic
properly. Background information on Information Security and
Cryptography herein is fitted to TLS only.
I will recommend appropriate resources for those who want to gain
a deeper understanding at the end of my talk.
9. Background
Basics
Information Security mandates at minimum the following three
properties in a secure protocol:
Confidentiality
Integrity
Availability (discussed later)
..this is commonly known as the “CIA triad” (seriously). You will see
later on why these are paramount. The triad is usually extended by:
Authenticity & Non-repudiation
10. Background
Confidentiality
Prevent unauthorized disclosure of information
Encryption and Decryption of confidential data
Example: Rijndael cipher. Later renamed AES (Advanced
Encryption Standard) after winning a NIST challenge by the same
name.
Symmetric 128, 192 or 256 bit block cipher
Stick figure guide to AES: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
11. Background
Confidentiality: Block cipher modes
Block ciphers operate on fixed size blocks of data.
Online communication is defined by streams of data.
Block cipher modes repeatedly apply a given cipher to a stream of
data. Examples include:
Cipher-Block Chaining Mode (CBC)
Counter Mode (CTR)
Galois-Counter Mode (GCM) [authenticated]
Counter with CBC-MAC (CCM) [authenticated]
Offset Codebook Mode (OCB) [authenticated]
14. Background
Integrity
Assures consistency of data
e.g. tampered data will be detected (and may be discarded)
Cryptographic hash functions like SHA can provide integrity by
acting as a Hash based Message Authentication Code (HMAC)
on the message to be sent and received
Hash functions need to be collision-resistant: Two different
inputs should never produce the same hash!
Ideally messages should be encrypted first, then MACed
(encrypt-then-MAC, ETM) to protect against attacks (CCA,
CPA) and to provide integrity of ciphertexts and plaintexts.
See: http://bit.ly/1kZA6WR
Authenticated Encryption with Associated Data (AEAD) can be
used instead (e.g. GCM, CCM, OCB)
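An added example (not from the slides) of the encrypt-then-MAC ordering the slide recommends: the HMAC tag covers the ciphertext, and the receiver verifies it before attempting any decryption. The keystream "cipher" is a constructed stand-in built from SHA-256 so the block runs with the standard library only; in TLS the cipher would be AES.

```python
import hashlib
import hmac
import secrets

# Constructed demo: encrypt-then-MAC (ETM) with an independent MAC key.
# The XOR keystream stands in for a real cipher (AES in TLS); the point
# shown is the order of operations and the verify-before-decrypt check.

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed demo keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo 'encryption': XOR with the keystream (decryption is the same operation)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))


def etm_seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt first, then MAC the nonce and ciphertext with a separate key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def etm_open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag over the ciphertext before decrypting; discard on mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short to carry nonce and tag")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak timing information.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message discarded")
    return _xor_stream(enc_key, nonce, ciphertext)


def flip_bit(blob: bytes, byte_index: int) -> bytes:
    """Simulate in-transit corruption of one byte (used by demo() below)."""
    out = bytearray(blob)
    out[byte_index] ^= 0x01
    return bytes(out)


def demo() -> bool:
    """Round trip succeeds; a single flipped ciphertext bit is rejected."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    message = b"GET /account HTTP/1.1"
    sealed = etm_seal(enc_key, mac_key, message)
    if etm_open(enc_key, mac_key, sealed) != message:
        return False
    try:
        etm_open(enc_key, mac_key, flip_bit(sealed, NONCE_LEN))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("tampering detected:", demo())
```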
15. Background
Authenticity & Non-repudiation
Assures that the involved parties are genuine
i.e. are who they say they are
Injection attacks
Man-In-The-Middle (MITM) attacks
Various cryptographic attack vectors
Examples:
RSA (Rivest, Shamir, Adleman)
DSA (Digital Signature Algorithm)
ECDSA (Elliptic Curve DSA)
Ed25519 (http://ed25519.cr.yp.to)
ElGamal Signature System
16. Background
Authenticity & Non-repudiation: RSA
RSA
Used for:
Signatures
Certificates
Authenticated Key-Exchanges (don’t)
Encryption
Security based on the difficulty of factoring integers:
p, q are large prime numbers (e.g. ≈ 1024 bits)
N = p × q
find factors of N
Best known algorithm (∼1994): General Number Field Sieve
Computational complexity for n bits: $O\left(\exp\left(\left(\tfrac{64}{9}\,n\right)^{1/3} (\log n)^{2/3}\right)\right)$
17. Background
Authenticity & Non-repudiation: RSA
RSA Key Generation
integer N is the product of two large primes p and q
φ(N) = (p − 1)(q − 1)
choose an integer e (usually 65537), such that
1 < e < φ(N)
gcd(e, φ(N)) = 1
Public Key: N (modulus), e (public exponent)
Private Key: $d \equiv e^{-1} \pmod{\varphi(N)}$
gcd and φ denote the Greatest Common Divisor (Euclidean algorithm) and Euler's totient function, respectively.
Math background: Modular arithmetic.
Proof: Euler’s theorem and Fermat’s little theorem.
18. Background
Authenticity & Non-repudiation: RSA
Alice sends her public key (modulus N and exponent e) to Bob
Bob sends his public key (modulus N and exponent e) to Alice
RSA Encryption:
Bob wants to send a message M to Alice, turns M into an integer m (0 ≤ m < N) using a common padding scheme
..computes ciphertext $c \equiv m^e \pmod N$
RSA Decryption:
Bob sends ciphertext to Alice
Alice computes $m \equiv c^d \pmod N$
..recovers Bob's message M by reversing the common padding scheme
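The key generation, encryption and decryption steps of the last three slides, as an added Python example (not code from the talk). It is "textbook" RSA: the message bytes are converted to an integer without the padding scheme the slides call for, which a real implementation must add; the primes (61, 53) in the worked case are tiny on purpose, and rsa_keygen() draws fresh primes with Miller-Rabin.

```python
import math
import secrets

# Added example: RSA key generation, encryption and decryption as on the slides.
# Textbook RSA only: no padding scheme, demonstration key sizes.


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen_from_primes(p: int, q: int, e: int = 65537):
    """Slide steps: N = p*q, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N)."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be two distinct primes")
    N = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and math.gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    d = pow(e, -1, phi)                        # modular inverse (Python >= 3.8)
    return (N, e), (N, d)                      # (public key, private key)


def rsa_keygen(bits: int = 1024, e: int = 65537):
    """Generate a fresh key pair whose modulus N has roughly `bits` bits."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        try:
            return rsa_keygen_from_primes(p, q, e)
        except ValueError:                     # p == q or gcd(e, phi) != 1: retry
            continue


def rsa_encrypt(public_key, m: int) -> int:
    """c = m^e mod N; the slide's precondition 0 <= m < N is enforced."""
    N, e = public_key
    if not 0 <= m < N:
        raise ValueError("message integer must satisfy 0 <= m < N")
    return pow(m, e, N)


def rsa_decrypt(private_key, c: int) -> int:
    """m = c^d mod N."""
    N, d = private_key
    return pow(c, d, N)


def message_to_int(message: bytes) -> int:
    """Plain big-endian encoding: NOT a secure padding scheme (see next slide)."""
    return int.from_bytes(message, "big")


def int_to_message(m: int, length: int) -> bytes:
    return m.to_bytes(length, "big")


if __name__ == "__main__":
    pub, priv = rsa_keygen(1024)
    msg = b"Hello Alice"
    c = rsa_encrypt(pub, message_to_int(msg))
    print(int_to_message(rsa_decrypt(priv, c), len(msg)))
```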
19. Background
Authenticity & Non-repudiation: RSA padding
..a secure padding scheme is really important.
Example: Bleichenbacher attack on PKCS#1
http://tinyurl.com/bleichenbacher (real world SSLv3 attack)
Not going into that here; it has been explained in detail in a 31c3 talk
yesterday, see also: http://tinyurl.com/rsa-padding
20. Background
Key Agreement
A key exchange algorithm exchanges cryptographic keys (i.e. shared
secrets) among parties which want to communicate confidentially.
21. Background
Key Agreement: Diffie-Hellman
The Diffie-Hellman key exchange algorithm (1976) was the first
scheme devised to exchange cryptographic keys among multiple
parties. It is the most widely used key exchange algorithm to this
date.
22. Background
Key Agreement: Diffie-Hellman
Alice and Bob want to communicate with each other and thus agree
on a large prime number p and a generator g (0 < g < p)
Alice chooses a secret integer x (private key)
..and calculates $g^x \pmod p$ as her public key
Bob chooses a secret integer y (private key)
..and calculates $g^y \pmod p$ as his public key
Math Background: Multiplicative group of integers modulo p
https://en.wikipedia.org/wiki/Multiplicative_group_of_integers_modulo_n
http://tinyurl.com/multiplicativegroupmodp
23. Background
Key Agreement: Diffie-Hellman
Alice and Bob exchange their public keys
Alice doesn't know Bob's y
Bob doesn't know Alice's x
But,..
Alice knows x and g^y
..and therefore calculates (g^y)^x (mod p) = g^yx (mod p)
Bob knows y and g^x
..and therefore calculates (g^x)^y (mod p) = g^xy (mod p)
They now have established a shared secret: g^xy (mod p). An eavesdropper sees only g^x and g^y; recovering x or y from them is the discrete logarithm problem.
24. Background
Key Agreement: Forward secrecy
Forward secrecy (aka Perfect Forward Secrecy - PFS) means that session keys are derived from ephemeral values that exist only for the lifetime of one session.
Even if a long-term key (e.g. the server's RSA key) is compromised in the future, communication that may have been recorded earlier is not compromised with it.
Simple, at the end of a session:
Alice discards her private value x
Bob discards his private value y
Hence: Ephemeral Diffie-Hellman (DHE and ECDHE). With static RSA key exchange, by contrast, one leaked server key decrypts every recorded session.
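The exchange from the last three slides, run end to end over a constructed toy group, as an added example (not code from the original slides). It also shows the public-value validation a careful peer performs before exponentiating, and an ephemeral session whose private exponents are discarded, which is the mechanism behind the forward-secrecy slide. `DHGroup`, `TOY` (p = 23, q = 11, g = 2) and the function names are this example's own; real deployments use standardized groups of at least 2048 bits.

```python
# Added example, not from the original slides: the exchange above over a
# constructed toy group, plus the public-value checks a careful peer performs.
import secrets


class DHGroup:
    """p = 2q + 1 is a safe prime; g generates the subgroup of prime order q."""

    def __init__(self, p, q, g):
        self.p, self.q, self.g = p, q, g


# Toy parameters so results can be checked by hand: 2 has order 11 mod 23.
# Real deployments use >= 2048-bit standardized groups (RFC 3526 / RFC 7919).
TOY = DHGroup(p=23, q=11, g=2)


def dh_private(group):
    """Random private exponent x in [1, q-1]."""
    return 1 + secrets.randbelow(group.q - 1)


def dh_public(group, x):
    """Public value g^x mod p."""
    return pow(group.g, x, group.p)


def check_public(group, y):
    """Reject 0, 1, p-1 and anything outside the order-q subgroup; skipping
    this enables small-subgroup attacks that leak bits of the private key."""
    if not 2 <= y <= group.p - 2:
        raise ValueError("public value outside (1, p-1)")
    if pow(y, group.q, group.p) != 1:
        raise ValueError("public value not in the prime-order subgroup")
    return y


def dh_shared(group, peer_public, x):
    """Shared secret (g^y)^x = g^xy mod p, after validating the peer's value."""
    return pow(check_public(group, peer_public), x, group.p)


def ephemeral_session(group):
    """One DHE session: fresh x and y, both discarded afterwards. A later
    compromise of either party's long-term (signing) key cannot recover this
    secret from a recorded transcript (A, B): that is forward secrecy."""
    x, y = dh_private(group), dh_private(group)
    a, b = dh_public(group, x), dh_public(group, y)
    shared_alice, shared_bob = dh_shared(group, b, x), dh_shared(group, a, y)
    del x, y                                  # nothing left to steal later
    return (a, b), shared_alice, shared_bob
```

With x = 6 and y = 15 in the toy group, Alice sends 18, Bob sends 16, and both arrive at 4. The subgroup check rejects 5 (a generator of the full group, not of the order-11 subgroup) and 22 (= p−1, order 2), which an attacker could otherwise send to force a predictable shared secret.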
25. Background
Ciphersuites
In SSL/TLS terminology, a ciphersuite combines the previously mentioned cryptographic techniques (key exchange, authentication, bulk encryption, integrity) into a named set that both peers negotiate during the Handshake.
26. Background
Ciphersuites
Example:
ECDHE: Elliptic Curve Diffie-Hellman, Ephemeral (forward secrecy)
RSA: server authentication (the certificate's key signs the ECDHE share)
AES_128_GCM: AES with a 128-bit key in Galois/Counter Mode (authenticated encryption)
SHA256: hash for the PRF (and for the HMAC in non-AEAD suites)
IANA standardized TLS parameters:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
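The decomposition on this slide generalises to every TLS 1.0-1.2 ciphersuite name in the IANA registry, so here it is as an added example (not code from the original slides) that splits a name into key exchange, authentication, bulk cipher and MAC/PRF hash, and then flags what a configuration review would flag using the criteria the rest of this talk motivates (forward secrecy, AEAD, and the RC4, EXPORT, CBC and MD5 problems). The function names and the wording of the findings are this example's own.

```python
# Added example, not from the original slides: decompose IANA ciphersuite
# names as on the slide above and flag what a 2014-era review would flag.
import re

_NAME = re.compile(r"^TLS_(?P<kex>[A-Za-z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)$")


def parse_ciphersuite(name):
    """Split TLS_<kex>[_<auth>][_EXPORT]_WITH_<enc>_<mac> into its parts.
    (TLS 1.3 names like TLS_AES_128_GCM_SHA256 carry no key-exchange part
    and are rejected here.)"""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not an IANA TLS 1.2-style ciphersuite name: {name}")
    tokens = m.group("kex").split("_")
    export = "EXPORT" in tokens
    tokens = [t for t in tokens if t != "EXPORT"]
    kex = tokens[0]
    auth = tokens[1] if len(tokens) > 1 else tokens[0]   # TLS_RSA_WITH_...: RSA does both
    enc, mac = m.group("rest").rsplit("_", 1)
    return {"kex": kex, "auth": auth, "export": export, "enc": enc, "mac": mac}


def assess(name):
    """Forward secrecy, AEAD, and the problems a configuration review would raise."""
    s = parse_ciphersuite(name)
    problems = []
    if s["export"]:
        problems.append("EXPORT-grade (40/56-bit) key, broken by design")
    if s["auth"] == "anon":
        problems.append("anonymous key exchange: no authentication, trivial MITM")
    if s["enc"] == "NULL":
        problems.append("NULL encryption: no confidentiality")
    if "RC4" in s["enc"]:
        problems.append("RC4: keystream biases (AlFardan et al. 2013)")
    if "RC2" in s["enc"]:
        problems.append("RC2: obsolete")
    if "DES" in s["enc"]:
        problems.append("3DES: 64-bit blocks, 112-bit strength at best"
                        if "3DES" in s["enc"] else "DES: 56-bit key at best")
    if s["mac"] == "MD5":
        problems.append("MD5-based MAC: deprecated hash")
    pfs = s["kex"] in ("DHE", "ECDHE")
    aead = s["enc"].endswith(("GCM", "CCM", "CCM_8", "POLY1305"))
    if not pfs:
        problems.append("no forward secrecy: static key exchange")
    if not aead and "CBC" in s["enc"]:
        problems.append("CBC with MAC-then-encrypt: padding-oracle exposure "
                        "(Vaudenay, Lucky13, POODLE)")
    return {"forward_secrecy": pfs, "aead": aead, "problems": problems}


def rank(names):
    """Order a cipher list: fewest problems first, AEAD before non-AEAD."""
    return sorted(names, key=lambda n: (len(assess(n)["problems"]),
                                        not assess(n)["aead"], n))
```

`assess("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")` reports forward secrecy and AEAD with no problems, while `TLS_RSA_WITH_RC4_128_SHA` is flagged for RC4 and for the static RSA key exchange; `rank` turns the findings into a preference order for a server configuration.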
28. Background
Transport Layer Security
Before talking about the history and attacks of TLS it just makes
sense to point out how TLS actually works (TLS 1.2).
29. Background
Transport Layer Security: TLS records
TLS deals in “records”. Different types of records exist: Handshake,
ChangeCipherSpec, Application data and Alert.
In general TLS record looks like this:
1 Byte 1 Byte 1 Byte 1 Byte
+−−−−−−−−+−−−−−−−−+−−−−−−−−+−−−−−−−−+
| type | |
+−−−−−−−−+−−−−−−−−+−−−−−−−−−−−−−−−−−+
| v e r s i o n | length |
+−−−−−−−−−−−−−−−−−+−−−−−−−−−−−−−−−−−+
| message N |
+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+
| . |
.
.
30. Background
Transport Layer Security: TLS records
Handshake records carry their own message structure inside the fragment (1-byte handshake type, 3-byte length, body).
Alert records just carry a level (1 byte: warning or fatal) and a description (1 byte) instead of a full message.
Once the negotiated ciphersuite is active, records are protected according to it: a MAC (16 to 48 bytes depending on the hash) and, for block ciphers in CBC mode, padding (up to 255 bytes) are appended to the fragment; AEAD suites carry an authentication tag instead.
For reference, see: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_record
31.-35. Background
Transport Layer Security: Handshake (full TLS 1.2 handshake as in RFC 5246; * marks optional messages)
[Client]                                    [Server]
ClientHello                  -------->
                                            ServerHello
                                            Certificate*
                                            ServerKeyExchange*
                                            CertificateRequest*
                             <--------      ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished                     -------->
                                            [ChangeCipherSpec]
                             <--------      Finished
Application Data             <------->      Application Data
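The record and handshake framing from the slides above, made concrete as an added example (not code from the original slides): a parser for the 5-byte record header and for the ClientHello body, run against a ClientHello that the example constructs itself. Every length field is checked against the bytes actually present, since trusting a declared length is the class of bug behind Heartbleed, and the parser reports the two signalling cipher suites that later slides rely on: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, secure renegotiation) and TLS_FALLBACK_SCSV (the downgrade-protection draft mentioned under POODLE). The small `SUITES` table and all function names are this example's own.

```python
# Added example, not from the original slides: a parser for the record and
# handshake framing shown above, run against a constructed ClientHello.
# Every length field is checked against the bytes actually present; trusting
# a declared length is the class of bug behind Heartbleed.
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A small subset of the IANA registry, enough for the demo.
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",   # RFC 5746 signalling value
    0x5600: "TLS_FALLBACK_SCSV",                   # downgrade-protection signal
}


def parse_record(data):
    """One record: 1-byte type, 2-byte version, 2-byte length, fragment.
    Returns (record, remaining bytes)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if length > 2 ** 14 + 2048 or len(data) < 5 + length:
        raise ValueError("record length exceeds limit or available data")
    return ({"type": CONTENT_TYPES.get(ctype, ctype),
             "version": VERSIONS.get(version, hex(version)),
             "fragment": data[5:5 + length]}, data[5 + length:])


def parse_client_hello(fragment):
    """Handshake fragment carrying a ClientHello (RFC 5246 section 7.4.1.2)."""
    if not fragment or fragment[0] != 1:              # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past the declared ClientHello length")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = int.from_bytes(take(2), "big")
    client_random = take(32)
    session_id = take(take(1)[0])
    cs = take(int.from_bytes(take(2), "big"))
    suites = [int.from_bytes(cs[i:i + 2], "big") for i in range(0, len(cs), 2)]
    compression = list(take(take(1)[0]))
    extensions = {}
    if pos < len(body):                                # extensions block is optional
        ext = take(int.from_bytes(take(2), "big"))
        epos = 0
        while epos + 4 <= len(ext):
            etype = int.from_bytes(ext[epos:epos + 2], "big")
            elen = int.from_bytes(ext[epos + 2:epos + 4], "big")
            if epos + 4 + elen > len(ext):
                raise ValueError("extension runs past the extensions block")
            extensions[etype] = ext[epos + 4:epos + 4 + elen]
            epos += 4 + elen
    sni = None
    if 0 in extensions:                                # server_name, RFC 6066
        data = extensions[0]                           # list len(2), type(1), name len(2), name
        name_len = int.from_bytes(data[3:5], "big")
        sni = data[5:5 + name_len].decode("ascii")
    return {"version": VERSIONS.get(version, hex(version)), "random": client_random,
            "session_id": session_id, "suites": [SUITES.get(s, hex(s)) for s in suites],
            "compression": compression, "sni": sni,
            "secure_renegotiation": 0x00FF in suites or 0xFF01 in extensions,
            "fallback_scsv": 0x5600 in suites}


def build_client_hello(version, suites, sni, session_id=b"", client_random=bytes(32)):
    """Encoder used to construct the demo input (also handy as a fuzzing seed)."""
    body = version.to_bytes(2, "big") + client_random + bytes([len(session_id)]) + session_id
    body += (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    host = sni.encode("ascii")
    sni_ext = (len(host) + 3).to_bytes(2, "big") + b"\x00" + len(host).to_bytes(2, "big") + host
    ext = (0).to_bytes(2, "big") + len(sni_ext).to_bytes(2, "big") + sni_ext
    body += len(ext).to_bytes(2, "big") + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + (0x0301).to_bytes(2, "big") + len(handshake).to_bytes(2, "big") + handshake
```

Feeding `parse_client_hello` the output of `build_client_hello(0x0303, [0xC02F, 0x0005, 0x00FF], "example.org")` yields the offered suites by name, the SNI host (visible in the clear, as the SNI slide later notes) and `secure_renegotiation=True`; cutting the fragment short makes it raise instead of reading past the data.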
36. Background
Session Resumption and False-start
Session resumption and False Start are mechanisms that minimise round-trip time and CPU cost.
Session-resumption:
An “abbreviated handshake” is used
Previously negotiated Handshake parameters are reused
False-start (somewhat deprecated):
Optional extension to send data before the Handshake is
completed
After ChangeCipherSpec and Finished messages Client or
Server data may be sent
Even if the other side has not acknowledged yet
For a good description see: http://chimera.labs.oreilly.com/books/1230000000545/ch04.html
http://blog.cryptographyengineering.com/2012/04/so-long-false-start-we-hardly-knew-ya.html
37. Background
OCSP
Online Certificate Status Protocol (OCSP) is a mechanism to check the validity and revocation status of certificates.
OCSP has received a lot of criticism:
MITM attackers may also interfere with (block) OCSP requests, and most clients then "soft-fail" and accept the certificate
OCSP stapling can be used to mitigate this problem
OCSP latency for large CAs is usually in the hundreds of milliseconds
OCSP infrastructure completely broke down during Heartbleed
38. Background
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a security policy that enforces HTTPS connections on subsequent requests (i.e. the client upgrades every HTTP request for that host to HTTPS for the announced max-age).
A small downside: the policy is only learned from a header received over HTTPS, so the very first connection is unprotected unless the host is on a browser's preload list.
Effectively disables ssl-stripping attacks on all later visits.
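How a client learns and applies an HSTS policy, as an added example (not code from the original slides and not any browser's implementation): the header is honoured only when it arrived over TLS, `max-age=0` clears a policy, `includeSubDomains` extends it to child hosts, and a preload set covers the first-visit gap noted above. `HSTSStore`, `rewrite_url` and the `example.org` inputs are this example's own.

```python
# Added example, not from the original slides: an HSTS policy store as a
# client would keep it. Illustrative, not any browser's code.
import time


class HSTSStore:
    def __init__(self, preload=()):
        # host -> (expires_at, include_subdomains); preloaded entries never expire
        self.policies = {host: (float("inf"), True) for host in preload}

    def observe(self, host, headers, over_tls, now=None):
        """Process one response. The header is honoured only over TLS;
        otherwise an active attacker could plant or clear policy (RFC 6797)."""
        if not over_tls:
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False                      # malformed header: ignore it
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        now = time.time() if now is None else now
        if max_age == 0:
            self.policies.pop(host, None)             # max-age=0 withdraws the policy
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now=None):
        """True if `host` or a covering parent domain has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires, include_sub = policy
            if expires > now and (i == 0 or include_sub):
                return True
        return False


def rewrite_url(store, url, now=None):
    """Upgrade http:// to https:// when policy demands it; this is the step
    that makes an sslstrip-style downgrade fail on later visits."""
    if url.startswith("http://"):
        host = url[len("http://"):].split("/", 1)[0].split(":", 1)[0]
        if store.must_upgrade(host, now):
            return "https://" + url[len("http://"):]
    return url
```

The same header received over plain HTTP is ignored, which is exactly why the first visit stays exposed unless the host is preloaded.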
39. Background
TLS Renegotiation Indication Extension
RFC5746 defines a TLS extension that prevents TLS Handshake renegotiation attacks: the client signals support by sending a special Signaling Cipher Suite Value (SCSV, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) or the renegotiation_info extension in the ClientHello, and both sides then bind every renegotiation to the verify_data of the existing TLS connection.
Called "Secure Renegotiation".
40. Background
SPDY, NPN, ALPN and so forth
Google drafted the SPDY protocol together with NPN (Next Protocol Negotiation), a TLS extension for choosing the application protocol during the Handshake; the IETF later replaced NPN with ALPN, which SPDY and HTTP/2 rely on. SPDY is the basis for the work in the IETF HTTPBIS-WG that will standardize HTTP/2.
41. Background
Web-of-Trust and X.509
X.509, the Web-of-(mis)trust and ASN.1 would require a two-hour talk on their own.
Certificate Authorities should not and cannot be blindly trusted: they are known to behave maliciously at times, give away sub-CAs for DPI to large companies and nations, and regularly botch their own security processes.
Read for example:
http://www.certificate-transparency.org/what-is-ct
42. History & Attacks
Now that you have an idea of the necessary background, let’s take
a look at the history of TLS (in)security.
43. History & Attacks
Internet Dark Ages
SSLv1 engineered at Netscape, never released to the public
Kipp Hickman of Netscape introduces SSLv2 as an IETF draft
back in 1995:
The SSL Protocol is designed to provide privacy
between two communicating applications (a client
and a server). Second, the protocol is designed
to authenticate the server, and optionally the
client. [...]
http://tools.ietf.org/html/draft-hickman-netscape-ssl-00
44. History & Attacks
Internet Dark Ages
SSLv2 was fundamentally broken and badly designed.
Basically full loss of confidentiality and integrity of on-wire data, thus susceptible to MITM attacks, see:
http://osvdb.org/56387
The CipherSpec is sent in the clear and not integrity-protected (an attacker can downgrade the cipher)
The size of the block-cipher padding is sent in the clear
45. History & Attacks
Internet Dark Ages
SSLv3 was introduced in 1996 by Paul Kocher, Phil Karlton and Alan Freier, utilizing an algorithm by Taher ElGamal, a known cryptographer and Chief Scientist at Netscape at the time: https://tools.ietf.org/html/rfc6101
46. History & Attacks
Internet Dark Ages
On a side note: back then the choice of algorithms was limited and low-security export ciphers were common, as recommended by the NSA and mandated by US export law. Google: "Bernstein vs. United States"
encryption algorithms (Confidentiality): NULL, FORTEZZA-CBC (NSA), IDEA-CBC, RC2-CBC-40 (40-bit security), RC4-128, DES40-CBC (40-bit security), DES-CBC (56-bit security), Triple-DES-EDE-CBC
hash functions (integrity): NULL, MD5 and SHA
47. History & Attacks
Internet Dark Ages
David Wagner and Bruce Schneier publish a paper entitled
“Analysis of the SSL 3.0 protocol”:
Key exchange algorithm rollback
Protocol fallback to SSLv2
Protocol leaks known plaintexts - may be used in cryptanalysis
Replay attacks on Anonymous DH (don’t use it anyway!)
https://www.schneier.com/paper-ssl.pdf
48. History & Attacks
TLS appears
1999. The SSL protocol is renamed to TLS (version 1.0) with small improvements over SSLv3. The spec is almost identical (HMAC replaces SSLv3's ad-hoc MAC, a new PRF).
Diffie-Hellman, DSS and Triple-DES are now mandatory for implementors (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
most SSLv3 security issues are still present in TLS 1.0
(RFC2246)
49. History & Attacks
TLS gets padding attacks
2002. Vaudenay publishes a paper entitled “Security Flaws Induced
by CBC Padding Applications to SSL, IPSEC, WTLS...”
Side-channel attack on CBC mode padding
valid/invalid padding causes different reactions
can be used to influence decryption operations
introduces “padding oracle attacks” in SSL
http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf
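The padding oracle that Vaudenay describes, carried through as an added example (not code from the original slides, and not the paper's own code): a receiver that merely reveals whether CBC padding was valid lets an attacker who can replay modified records recover plaintext one byte at a time with about 256 queries per byte. The same oracle is what Lucky13 obtains through timing and POODLE through SSLv3's lax padding check. Because the standard library has no AES, the block cipher here is a constructed 4-round Feistel network keyed with HMAC-SHA256; the attack does not depend on which cipher is used. Padding follows TLS 1.1+ (explicit IV, every pad byte equals the pad length); the MAC is left out because the oracle only answers on padding. The cookie string and all names are this example's own.

```python
# Added example, not from the original slides: a CBC padding oracle attack in
# the TLS 1.1+/MAC-less model, against a toy Feistel "block cipher" built from
# HMAC-SHA256 so the code runs with the standard library only. The oracle only
# answers "padding valid / invalid"; everything else is Vaudenay's attack.
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    """Round function: keyed hash of one half block, truncated to 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def tls_pad(data):
    """TLS CBC padding: p+1 bytes, each holding the value p (RFC 5246 6.2.3.2)."""
    p = BLOCK - 1 - len(data) % BLOCK
    return data + bytes([p]) * (p + 1)

def tls_unpad(data):
    if not data:
        raise ValueError("bad padding")
    p = data[-1]
    if p + 1 > len(data) or any(b != p for b in data[-(p + 1):]):
        raise ValueError("bad padding")
    return data[:-(p + 1)]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)

def make_padding_oracle(key):
    """The receiver's leaky behaviour: a distinguishable reaction to bad padding."""
    def oracle(iv, ct):
        try:
            tls_unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev, target):
    """Recover plaintext block P where target = E(P xor prev), one byte at a
    time from the right, using only the oracle (at most 256 queries per byte)."""
    inter = bytearray(BLOCK)                      # D(target), learned byte by byte
    for k in range(BLOCK - 1, -1, -1):
        p = BLOCK - 1 - k                         # pad value that makes bytes k..15 padding
        r = bytearray(BLOCK)
        for j in range(k + 1, BLOCK):
            r[j] = inter[j] ^ p                   # force already-known bytes to the pad value
        for guess in range(256):
            r[k] = guess
            if not oracle(bytes(r), target):
                continue
            if k == BLOCK - 1:                    # rule out an accidental longer valid padding
                r2 = bytearray(r)
                r2[k - 1] ^= 0xFF
                if not oracle(bytes(r2), target):
                    continue
            inter[k] = guess ^ p
            break
        else:
            raise RuntimeError("oracle never accepted: not a padding oracle?")
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                    for i in range(1, len(blocks)))

def demo():
    key, iv = os.urandom(16), os.urandom(16)      # the attacker never learns the key
    secret = b"Cookie: session=7f3a9c2e"          # constructed sample secret
    ct = cbc_encrypt(key, iv, tls_pad(secret))
    return tls_unpad(padding_oracle_attack(make_padding_oracle(key), iv, ct))
```

`demo()` returns the cookie without the key ever leaving the receiver; the only fix is to make the receiver's behaviour independent of the padding result (constant-time MAC-then-decrypt handling, or AEAD ciphersuites that have no padding at all).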
50. History & Attacks
TLS gets extended
2003. TLS extensions get specified in RFC3546.
General: extended ClientHello and ServerHello carrying a list of extensions
Server Name Indication (SNI) for virtual hosting
(SNI leaks metadata: the hostname travels in the clear!)
Certificate Status Request (status_request) for OCSP stapling
(...)
51. History & Attacks
TLS gets timing attacks
2003. Brumley and Boneh publish a paper entitled "Remote timing attacks are practical".
Timing attack on RSA decryption in SSL/TLS implementations (OpenSSL):
Send specially crafted ClientKeyExchange messages
Measure the time between ClientKeyExchange and the server's Alert response
do a bit of statistics (the decryption time depends on the private factors)
retrieve the private key
http://dl.acm.org/citation.cfm?id=1251354
52. History & Attacks
TLS gets padding oracle password retrieval
2003. Canvel, Hiltgen, Vaudenay, Vuagnoux publish “Password
Interception in a SSL/TLS Channel”.
Extend earlier work of Vaudenay and successfully intercept IMAP
passwords in TLS channels.
http://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf
53. History & Attacks
TLS gets chosen plaintext attacks
2004 & 2006. Bard demonstrates chosen-plaintext attacks against SSL and TLS 1.0
Attack on CBC:
in SSL 3.0/TLS 1.0 only the first IV comes from the Handshake; every later record uses the last ciphertext block of the previous record as its IV
these IVs are therefore predictable to anyone watching the traffic
an attacker who can inject chosen plaintext into the connection can test guesses for PINs and passwords (the guess block is XORed with the known IV before encryption)
VPNs/Proxies can also be used to accomplish this task
https://eprint.iacr.org/2004/111
https://eprint.iacr.org/2006/136
54. History & Attacks
TLS gets updated
2006. A new TLS protocol version is standardized: TLS 1.1
EXPORT ciphersuites moved out of the main specification
sessions stay resumable after a premature close
Protection against the CBC attacks by Bard: an explicit, per-record IV
padding errors now yield bad_record_mac instead of a distinguishable decryption_failed alert
IANA TLS parameter registries established
(...)
(RFC4346)
55. History & Attacks
TLS gets modern crypto
2008. A new TLS protocol version is standardized: TLS 1.2
the MD5/SHA-1 combination in the pseudorandom function (PRF) is replaced
by a PRF specified per ciphersuite (SHA-256 by default)
Authenticated encryption: CCM, GCM
AES ciphersuites become the mandatory default (TLS_RSA_WITH_AES_128_CBC_SHA)
(...)
(RFC5246)
56. History & Attacks
Rogue CA Certificates
2008. Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik and de Weger present a paper based on earlier work by Lenstra et al. at 25c3 entitled "MD5 considered harmful today"
MD5 hash collision between a legitimately issued end-entity certificate and a CA certificate
Create a colliding (rogue) CA certificate that carries the CA's valid signature
Generate any certificate for MITM you want
http://www.win.tue.nl/hashclash/rogue-ca/
https://www.youtube.com/watch?v=PQcWyDgGUVg
57. History & Attacks
sslstrip
2009. Moxie Marlinspike releases sslstrip at BlackHat DC 2009.
Client connects to server
Attacker intercepts session via MITM
Attacker sends HTTP 301 (moved permanently)
Attacker forwards requests to/from server via SSL/TLS
Client receives data via unencrypted channel
Attacker reads plaintext
http://www.thoughtcrime.org/software/sslstrip
http://vimeo.com/50018478
58. History & Attacks
Null-prefix attacks against Certificates
2009. Moxie Marlinspike publishes "Null Prefix Attacks against SSL/TLS Certificates".
Specially crafted domain strings trick CA checking
embed a NUL byte (\0) in the requested domain name
ex.: www.paypal.com\0.thoughtcrime.org is issued (the CA validates ownership of thoughtcrime.org)
ex.: *\0.thoughtcrime.org is issued
the CA ignores the prefix
the client (C string handling) stops at the NUL -> the certificate is treated as valid for the prefix, i.e. www.paypal.com, or for any host (*)
Moxie updated his sslsniff project to carry out this attack.
http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
http://thoughtcrime.org/software/sslsniff
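The client-side half of the null-prefix bug, as an added example (not code from the original slides or from sslsniff): the comparison a C-string-based client effectively performed, shown beside a hostname matcher that rejects embedded NULs and also enforces the wildcard rules (whole left-most label only, one label only, never a bare suffix such as `*.com`). Names and inputs are this example's own; the rules follow RFC 6125 / RFC 2818.

```python
# Added example, not from the original slides: the check a C-string-based
# client effectively performed, beside a hostname matcher that rejects the
# null-prefix trick and sloppy wildcards (rules after RFC 6125 / RFC 2818).


def vulnerable_matches(cert_name, host):
    """What a strcmp()-style comparison of the CN does: it stops at the first
    NUL, so "www.paypal.com\\0.thoughtcrime.org" equals "www.paypal.com"."""
    return cert_name.split("\x00", 1)[0].lower() == host.lower()


def _normalize(name):
    """Lower-case, strip a trailing dot, and reject anything that is not a
    DNS name: embedded NULs, empty labels, characters outside [a-z0-9-*]."""
    if "\x00" in name:
        raise ValueError("embedded NUL in name")
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if not name or not all(label and all(c.isalnum() or c in "-*" for c in label)
                           for label in labels):
        raise ValueError(f"invalid DNS name: {name!r}")
    return name


def hostname_matches(cert_name, host):
    """Return True if a certificate's dNSName/CN `cert_name` covers `host`."""
    try:
        cert_name, host = _normalize(cert_name), _normalize(host)
    except ValueError:
        return False
    if "*" in host:
        return False
    if "*" not in cert_name:
        return cert_name == host
    cert_labels, host_labels = cert_name.split("."), host.split(".")
    # Wildcard only as the whole left-most label, matching exactly one label,
    # and never for a bare TLD / registry suffix such as "*.com".
    if (cert_labels[0] != "*" or len(cert_labels) < 3
            or any("*" in label for label in cert_labels[1:])):
        return False
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]
```

The vulnerable comparison accepts the crafted certificate for www.paypal.com; the hardened matcher refuses any name containing a NUL before it even gets to the comparison, which is the right place to fail.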
59. History & Attacks
SSLv2 Forbidden
2011. The IETF publishes an RFC that prohibits negotiation of SSLv2 (and thus SSLv2 compatibility) in TLS 1.0-1.2 entirely.
https://tools.ietf.org/html/rfc6176
60. History & Attacks
Comodo
2011. Comodo CA: Attacker issues 9 certificates via reseller account
for popular domains (google.com, yahoo.com, live.com, skype.com [...])
https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
61. History & Attacks
BEAST
2011. Duong and Rizzo publish the BEAST attack at ekoparty and demo a live attack on PayPal. Based on Bard's earlier work on predictable IVs in CBC (TLS 1.0):
Phishing gets the victim to visit a certain website
Script on said website makes requests to the genuine site (the browser attaches the cookie automatically)
Attacker records the encrypted cookie information
Tries to guess the session cookie byte by byte with the known CBC attack
Same Origin Policy (SOP) forbids this attack in client software. If SOP can be bypassed (as shown by the authors with Java's SOP) this attack is still practical.
http://vnhacker.blogspot.co.at/2011/09/beast.html
62. History & Attacks
Trustwave
2012. Trustwave CA: Trustwave sells subordinate CAs to big
corporations to be used for Deep Packet Inspection.
A sub-CA can issue and fake any certificate for MITM attacks.
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
http://arstechnica.com/business/2012/02/
critics-slam-ssl-authority-for-minting-cert-used-to-impersonate-sites/
63. History & Attacks
DigiNotar
2011. DigiNotar CA: Attackers compromise DigiNotar in its entirety.
attackers generate tons of certificates (including one for *.google.com)
Google Chrome's certificate pinning detects the mismatch
DigiNotar acknowledges the breach
DigiNotar files for bankruptcy
FOX-IT never gets paid for the investigation
https://en.wikipedia.org/wiki/DigiNotar
http://cryptome.org/0005/diginotar-insec.pdf
http://nakedsecurity.sophos.com/2011/09/05/
operation-black-tulip-fox-its-report-on-the-diginotar-breach
64. History & Attacks
Certificate validation in non-browser software
2012. Georgiev, Iyengar, Jana, Anubhai, Boneh and Shmatikov
publish a paper entitled “The most dangerous code in the world:
validating SSL certificates in non-browser software”
Certificate validation vulnerabilities in:
OpenSSL
GnuTLS
JSSE
EC2 Java libraries & Amazon SDKs
PayPal SDKs
eCommerce/WebShop software
..cURL, PHP, Python, tons of Java middleware
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
65. History & Attacks
CRIME
2012. Duong and Rizzo publish an attack against TLS compression and SPDY header compression titled CRIME.
a MITM attacker sees the length of the compressed ciphertext
compression has a direct effect on that length
the attacker makes the client compress/encrypt attacker-chosen data (or uses known data) together with the secret data (e.g. a cookie)
the attacker compares lengths
correct guesses yield shorter messages, because the compressor deduplicates the guess against the secret
repeat until done
This is only feasible for small amounts of data, e.g. session strings, cookies and so forth.
https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx
66. History & Attacks
TIME
2013. Be’ery and Shulman present TIME at BlackHat Europe.
Extend on the CRIME Attack:
Attacker generates HTTP requests (XSS, injection,..)
Attacker exploits SOP design flaw and measures RTT
differences
determines correct or failed guesses by SOP timing leak
https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf
https://www.youtube.com/watch?v=rTIpFfTp3-w
67. History & Attacks
Lucky13
2013. AlFardan and Paterson present a novel attack against CBC for TLS and DTLS based on timing analysis.
the attacker intercepts a record and tampers with its padding (and thereby with the bytes the receiver treats as MAC and payload)
how the receiver interprets the padding changes how many bytes the MAC is computed over, so decryption takes a measurably different time
the attacker repeats and measures
the attacker performs the padding oracle attack described earlier, with timing as the oracle
(Extremely latency-sensitive attack; fixed by constant-time MAC processing in the major stacks)
http://www.isg.rhul.ac.uk/tls/Lucky13.html
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
68. History & Attacks
RC4 Biases
2013. AlFardan, Bernstein, Paterson, Poettering and Schuldt publish a generic attack on the RC4 cipher for TLS and WPA.
Statistical biases in the first 257 bytes of ciphertext
Recovery of the first 200 bytes after 2^28 to 2^32 encryptions of the same plaintext
A broadcast attack: mounted on unique keys
May also be mounted with a single key with repeating target plaintexts
Only feasible for large amounts of data and very time consuming
http://www.isg.rhul.ac.uk/tls
http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
69. History & Attacks
NIST curves
2013 & 2014. Daniel J. Bernstein and Tanja Lange voice concern about the NIST elliptic curves that are widely implemented and used in TLS for ECDH and ECDSA
NIST curves were defined on recommendations by NSA's Jerry Solinas
Unclear why these curves and their parameters (unexplained seeds) were chosen
NIST cites efficiency, yet more efficient curves that are easier to implement securely are available
Possible mathematical backdoor through prior analysis and carefully chosen, unexplained parameters
They start the SafeCurves project (ongoing)
http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf
http://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf
http://safecurves.cr.yp.to
https://archive.org/details/ShmooCon2014_SafeCurves
70. History & Attacks
BREACH
2013. Gluck, Harris and Prado demonstrate yet another attack
based on CRIME at BlackHat USA.
Very similar to CRIME but the attack works based on information
leaks from HTTP compression instead of TLS compression.
http://breachattack.com
https://www.youtube.com/watch?v=CoNKarq1IYA
71. History & Attacks
Unused Certificates in Truststores
2014. Perl, Fahl and Smith publish a paper entitled "You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores"
Compared 48 million HTTPS certificates against the trust stores
140 CA certificates are unused in all major trust stores
Of 426 trusted root certificates only 66% are even used
http://fc14.ifca.ai/papers/fc14_submission_100.pdf
72. History & Attacks
Triple Handshakes Considered Harmful
2014. Bhargavan, Delignat-Lavaud, Pironti, Langley and Ray
present an attack one day before the IETF’89 meeting in London.
Limited to client-certificate authentication with renegotiation
MITM attack on renegotiation with a three-way handshake
Variations of the attack also discussed on their website
Can’t possibly fit this into one slide, homework: understand the
attack by reading their excellent description on the website
https://secure-resumption.com
https://secure-resumption.com/IETF-triple-handshakes.pdf
73. History & Attacks
Frankencerts
2014. Brubaker, Jana, Ray, Khurshid and Shmatikov publish a paper entitled "Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations"
Fuzzing of X.509 validation code in all major implementations (certificates stitched together from real ones, then differential testing) shows serious weaknesses in certificate validation and handling
OpenSSL, NSS, GnuTLS, MatrixSSL, PolarSSL, CyaSSL, cryptlib [...]
https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
https://github.com/sumanj/frankencert
74. History & Attacks
Heartbleed
2014. Heartbleed is independently discovered by Codenomicon and a Google security engineer.
A faulty implementation in OpenSSL of the TLS Heartbeat extension (RFC 6520) trusts the length field in the request and leaks up to 64 KiB of process memory per heartbeat over the wire. This has been all over the media and discussed in detail all over the internet. People have successfully extracted sensitive information (private keys, session cookies, passwords et cetera) from victim memory.
I wrote an nmap plugin to scan for Heartbleed:
https://github.com/azet/nmap-heartbleed
http://heartbleed.com
75. History & Attacks
Virtual Host Confusion
2014. At BlackHat Delignat-Lavaud presents an attack based on SSLv3 downgrade and the sharing of session caches (and certificates) across virtual hosts
the attacker forces a downgrade to SSLv3 (which has no server_name extension)
larger deployments share session caches across hosts
the attacker exploits servers that resume a session for a different virtual host than the one it was established with
the attacker requests a different subdomain over SSLv3 using the same session
the vulnerable server serves the request without re-validating it against the new host
www.company.com vs. git.company.com
https://bh.ht.vc
76. History & Attacks
POODLE
2014. POODLE: Padding Oracle On Downgraded Legacy Encryption - Möller, Duong and Kotowicz (Google)
the MITM attacker downgrades the connection to SSLv3 (once again)
SSLv3 CBC padding is not deterministic: only the last byte (the length) is checked
the attacker copies a ciphertext block into the position of the padding block; the record is accepted iff the last decrypted byte happens to match
takes on average 256 requests to decrypt 1 byte (!)
disabling SSLv3 or using the TLS_FALLBACK_SCSV signalling suite (draft) mitigates this issue entirely
https://www.openssl.org/~bodo/ssl-poodle.pdf
77. History & Attacks
SChannel RCE
Patch tuesday Nov. 2014: Remote Code Execution in Microsoft
SChannel
Enables malicious attackers to initiate ClientCertificate exchange
(even if unsupported) with payload in the signature
http://blog.beyondtrust.com/triggering-ms14-066
78. History & Attacks
POODLE again
2014. POODLE on TLS 1.0-1.2
turns out some implementations (e.g. F5 load balancers) are
vulnerable to POODLE even for TLS 1.0 - TLS 1.2
since TLS 1.1 this should have been mitigated entirely, but
3.6% of servers vulnerable
https://www.imperialviolet.org/2014/12/08/poodleagain.html
https://vivaldi.net/blogs/entry/not-out-of-the-woods-yet-there-are-more-poodles
79. History & Attacks
Implementation Issues
There are tons of other issues with TLS stacks and software implementations that have not been discussed.
OpenSSL alone published 24 security advisories in 2014 until today.
Apple's "goto fail" (signature check skipped in SecureTransport)
GnuTLS "goto fail" (certificate verification result mishandled)
various GnuTLS vulnerabilities
wrong use of the OpenSSL API in server and client software (e.g. never verifying the hostname)
...
Clearly, a lot of people currently have their eyes on this very topic.
80. History & Attacks
Implementation Issues
For this crowd: It’s up to you to find them and improve existing
implementations, protocols and standards.
81. IETF efforts
                Internet Society
                       |
          Internet Architecture Board
             |                      |
         IETF (1)               IRTF (2)
             |                      |
      Steering Group          Steering Group
       |    |    |             |    |    |
      WG   WG   WG..          RG   RG   RG..
1 - Internet Engineering Task Force (working groups, WG)
2 - Internet Research Task Force (research groups, RG)
82. IETF efforts
post-Snowden
After the Snowden leaks appeared in the press the IETF began discussing how "pervasive monitoring" can be prevented
In September 2013 the "PERPASS" (pervasive, passive monitoring) mailing list was started
People started working on drafts to counter "pervasive monitoring": http://down.dsg.cs.tcd.ie/misc/perpass.txt
83. IETF efforts
IETF 89 was accompanied by a workshop on the topic (STRINT) with invited speakers on privacy, security and cryptography: https://www.w3.org/2014/strint/
"strengthening the internet against pervasive monitoring"
a lot of good feedback and ideas
main takeaways: threat modeling; the CFRG was tasked with giving the TLS-WG guidance on the choice of ciphers and on which curves/parameters (ECC) to use
http://tools.ietf.org/html/draft-iab-strint-report-00
84. IETF efforts
New WGs and documents being worked on
UTA-WG (utilizing TLS in applications): working BCPs on
how to properly use/implement TLS
TLS-WG (transport layer security): TLS 1.3,
chacha20-poly1305, DJB curves (ECC), FALLBACK_SCSV
extension,..
TCPINC (TCP increased security): working on standardization
of opportunistic encryption on the TCP layer (similar to
tcpcrypt)
DPRIVE (DNS private exchange): working on DNS privacy
features
IAB (internet architecture board): threat model, see:
https://tools.ietf.org/html/draft-iab-privsec-confidentiality-threat
TRANS (Public Notary Transparency): fight malicious
certificate authorities with certificate transparency, see:
www.certificate-transparency.org
...
85. IETF efforts
Curves Curves Curves
CFRG (Crypto Forum Research Group within the IRTF) is working on a standardized set of curves and curve parameters for IETF WGs: expected by the end of 2014
+ Curve25519 (Dan Bernstein et al.)
+ NUMS (Microsoft)
+ Ed448-Goldilocks (Michael Hamburg)
In comparison to the NIST curves: most new proposals are pluggable into existing standards and can be reused within protocols and IETF documents.
Good summary (by the Brainpool authors, so a bit biased):
http://eprint.iacr.org/2014/832.pdf
86. IETF efforts
Certificate Transparency is now being worked on as an IETF
standard: https://datatracker.ietf.org/wg/trans/charter/
discussion on mandatory encryption in HTTP2 (HTTPBIS-WG)
87. IETF efforts
On Nov. 14, 2014 Internet Architecture Board issued a statement
recommending deploying encryption by default throughout the
protocol stack in further developments.
Commended by Internet Society a day later.
https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
http://www.internetsociety.org/news/
internet-society-commends-internet-architecture-board-recommendation-encryption-default
88. Mitigation
Get informed!
Luckily mitigation does not require as many slides, because it's rather simple:
Use current software and update regularly: most of these attacks are fixed upstream
Use peer-reviewed and solid configurations: check out https://bettercrypto.org (prefer ECDHE/DHE with AEAD ciphersuites, disable SSLv2/SSLv3, RC4 and EXPORT suites, enable HSTS and OCSP stapling)
Listen to recommendations by security experts
Audit your infrastructure (possibly even pay external contractors to take a look)
Keep track of TLS security and evolving security standards and recommendations
89. Mitigation
Future work
The IETF TLS-WG is currently working on TLS 1.3 to mitigate some of the issues and concerns raised.
Drafts like the new downgrade SCSV would effectively prevent protocol downgrade attacks. Constant-time ciphers (ChaCha20-Poly1305), new curves and negotiated DH parameters have been proposed along with protocol improvements for efficiency, security and privacy. It's still in the making and worth keeping track of.
Cryptography libraries seem to be more actively audited now, which has resulted in some of the disclosures of the past months.
http://www.ietf.org/proceedings/89/slides/slides-89-tls-5.pdf
https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305
https://datatracker.ietf.org/doc/draft-gillmor-tls-negotiated-dl-dhe/?include_text=1
90. Mitigation
Future work
..and in Dec. 2014 W3C has established a working group to “secure
the web through encryption”:
https://w3ctag.github.io/web-https
91. Mitigation
Distribute Trust
Certificate Transparency and HPKP are only a few examples of proposed solutions to tackle the issue of malicious certificate authorities, certificate forgery and MITM attacks.
Letsencrypt: free, automated, audited CA backed by Cisco, Akamai, UMichigan, EFF and others
Cloudflare Keyless SSL: keep the private keys on the customer's own HSMs/servers instead of on each frontend
Certificate Transparency: public append-only logs; distributed monitoring and auditability of certificates and CAs in the wild
HPKP pins a host to a set of public-key hashes (SPKI SHA-256), so a certificate for any other key is rejected even if a trusted CA signed it
https://letsencrypt.org/
https://www.cloudflare.com/keyless-ssl
http://www.certificate-transparency.org
https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
92. Conclusion
“Trust the Math” (Schneier)
Implementation is still a big issue
Software bugs are a big issue
Protocol design is hard and slow
We’re going to see many more attacks on TLS
TLS and Crypto improvements are being constantly worked on
93. Thanks for your patience. Are there any questions?
Twitter:
@a_z_e_t
E-Mail:
azet@azet.org
XMPP:
azet@jabber.ccc.de
GitHub:
https://github.com/azet
GPG Fingerprint:
7CB6 197E 385A 02DC 15D8 E223 E4DB 6492 FDB9 B5D5
[I have ECDSA (Brainpool) & EdDSA (Curve25519) subkeys as well.]