Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Horst Görtz Institute for IT Security
Ruhr-University Bochum
1st BIU Security Day: The Current Status of TLS Security
May 1, 2016
Bar-Ilan University, Israel - Sponsored by vpnMentor.com
16. Bleichenbacher attacks over and over
• Bleichenbacher (CRYPTO 1998)
• Klima et al. (CHES 2003)
• Jager et al. (ESORICS 2012)
• Degabriele et al. (CT-RSA 2012)
• Bardou et al. (CRYPTO 2012)
• Zhang et al. (ACM CCS 2014)
• Meyer et al. (USENIX Security 2014)
• Aviram et al. (DROWN 2016)
• …
Many different techniques to construct the required oracle
Assumption: Bleichenbacher-like attacks remain a realistic threat
32. Practical Impact
• Practical impact on TLS 1.3 rather limited
– Typical Bleichenbacher attacks take hours or days
– Machine-to-machine communication?
• Nevertheless:
– Backwards compatibility must be considered (cf. Jager, Paterson, Somorovsky, NDSS 2013)
– Future improvements of Bleichenbacher's attack?
• Use DROWN technique to forge signature in one minute on a single CPU
– Leverages vulnerability in OpenSSL
– All OpenSSL versions from 1998 to early 2015
– 26% of HTTPS servers were vulnerable
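The "required oracle" of slide 16 and the signature forgery of slide 32 are the same computation, so one added worked example (not code from the talk or its authors) covers both: the idealised PKCS#1 v1.5 padding oracle from Bleichenbacher's 1998 paper, which answers only whether a chosen ciphertext decrypts to something beginning with 00 02, and the interval-narrowing attack that turns on the order of ten thousand such answers into c^d mod n for a 128-bit toy key. The key (two fixed primes, p = 2^61 - 1 and q = 2^64 - 59), the test message, and the names `padding_oracle`, `bleichenbacher` and `demo` are constructed for this example. Real oracles are built from the timing, error-message and protocol side channels of the papers listed on slide 16, or from the OpenSSL behaviour DROWN exploits; the attack loop is unchanged. Because the loop returns c^d for any conforming c (a blinding step, omitted here, handles non-conforming inputs), it also computes RSA signatures with the server's key, which is the forgery slide 32 refers to.

```python
"""
Bleichenbacher's PKCS#1 v1.5 padding-oracle attack against a constructed toy RSA key.
Added example, not code from the talk.  The oracle is the idealised "first two
bytes are 00 02" check of Bleichenbacher (CRYPTO 1998); everything else is the
interval-narrowing algorithm from that paper, steps 2a, 2b, 2c, 3 and 4.
"""
import os

# Constructed toy key: p = 2^61 - 1 (Mersenne prime M61), q = 2^64 - 59 (prime).
P = (1 << 61) - 1
Q = (1 << 64) - 59
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (16 here)
B = 1 << (8 * (K - 2))                 # conforming plaintexts lie in [2B, 3B)


def pkcs1_pad(msg: bytes) -> int:
    """Build 00 02 <non-zero random PS of at least 8 bytes> 00 <msg> as an integer."""
    if len(msg) > K - 11:
        raise ValueError("message too long for PKCS#1 v1.5 with this modulus")
    ps = b""
    while len(ps) < K - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def encrypt(m: int) -> int:
    return pow(m, E, N)


class PaddingOracle:
    """Leaky server: reveals only whether a decryption starts with 00 02, and counts queries."""

    def __init__(self) -> None:
        self.queries = 0

    def __call__(self, c: int) -> bool:
        self.queries += 1
        m = pow(c, D, N).to_bytes(K, "big")
        return m[0] == 0 and m[1] == 2


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def bleichenbacher(c: int, oracle) -> int:
    """Recover m = c^d mod N using only oracle answers on multiples c * s^e."""
    if not oracle(c):
        raise ValueError("example assumes the target ciphertext is conforming (s0 = 1)")
    intervals = [(2 * B, 3 * B - 1)]
    # Step 2a: smallest s >= N/(3B) such that c * s^e is conforming.
    s = ceil_div(N, 3 * B)
    while not oracle(c * pow(s, E, N) % N):
        s += 1
    while True:
        # Step 3: each conforming s restricts m to a union of smaller intervals.
        new = []
        for a, b in intervals:
            r_lo = ceil_div(a * s - 3 * B + 1, N)
            r_hi = (b * s - 2 * B) // N
            for r in range(r_lo, r_hi + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        intervals = sorted(set(new))
        # Step 4: a single interval of width one is the plaintext.
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0]
        if len(intervals) > 1:
            # Step 2b: several intervals left, keep searching s linearly.
            s += 1
            while not oracle(c * pow(s, E, N) % N):
                s += 1
        else:
            # Step 2c: one interval [a, b]; choose r so that s can be found in a narrow range.
            a, b = intervals[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            found = False
            while not found:
                s_lo = ceil_div(2 * B + r * N, b)
                s_hi = (3 * B - 1 + r * N) // a
                for s_try in range(s_lo, s_hi + 1):
                    if oracle(c * pow(s_try, E, N) % N):
                        s, found = s_try, True
                        break
                r += 1


def demo(msg: bytes = b"hello"):
    """Encrypt msg, recover it through the oracle alone; return (message, oracle queries)."""
    oracle = PaddingOracle()
    m = pkcs1_pad(msg)
    recovered = bleichenbacher(encrypt(m), oracle)
    plain = recovered.to_bytes(K, "big")
    return plain[plain.index(b"\x00", 2) + 1:], oracle.queries


if __name__ == "__main__":
    message, queries = demo(b"hello")
    print(message, "recovered after", queries, "oracle queries")
```

Replacing `PaddingOracle` with any function that leaks the same bit (a timing difference, a distinguishable alert, the SSLv2 export-cipher behaviour DROWN uses) leaves `bleichenbacher` untouched; that is why the slide calls the oracle the only part that has to be rebuilt each time. With a 2048-bit modulus the query count and per-query cost rise by orders of magnitude, which is the "hours or days" of slide 32.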