3. Resources provided by the SMACK authors
• Slides from IEEE S&P 2015
• Preprint of the paper
• OpenSSL state monitor code verified with Frama-C
• Proof of transcript injectivity verified in F*
• Source code for the flexTLS tool
https://www.smacktls.com/
Bring your own computer with at least 8 GB of memory (GG)
4. Outline
• Public key system
• Certificate authority (CA)
• Diffie–Hellman key exchange
• RSA key exchange
• Transport Layer Security (TLS)
• SMACK: State Machine AttaCKs
10. The TLS State Machine
The client and server say hello to each other
• Synchronize their state
• The agreed session ID
• The agreed ciphersuite
• The random numbers (nonces) each side exchanges
• …
11. The TLS State Machine
ServerCertificate
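• Following the CA concept, the client has a signature, so the server must send its public key to the client for the client to authenticate the server.
Which key exchange is used? The ciphersuite decides.
Can the server act as a CA? Yes (and that is where the problem lies)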
12. Where does the client get the server signature from?
• First, the client sends a client hello message with a maximum protocol version pvmax, a random nonce cr, and a set of proposed ciphersuites and extensions. The server chooses a version pv, a ciphersuite, and a subset of these extensions, and responds with its own nonce sr and session identifier sid. The server then sends its X.509 certificate chain certS and public key pkS.
• So... this is where the following paper starts using a MAN-IN-THE-MIDDLE attack; it will be covered next time.
“Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS”
13. The TLS State Machine
ServerKeyExchange
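• Using a public key system requires exchanging public keys, which is done through DHE
With RSA, then, how is server authentication carried out?
The idea is that the client and server both decrypt with the same private key, on the assumption that the man in the middle does not have this private key.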
14. The TLS State Machine
ServerHelloDone
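• After the server key exchange, the client has the CA's public key with which to check the signature. Once the signature is checked, the client holds a public key, which it then uses to send messages to the server. Not long after that, the key is changed again.
• Of course, at this point the negotiation parameters also decide whether client authentication is required.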
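19. How to find unexpected behavior in the TLS State Machine
• At the end of each TLS stage, the client and the server each send an illegal message, and each waits for a reply
• The reply falls into one of three kinds: correct / unsupported / buggy (according to how the client/server is expected to handle the illegal message)
• In "Protocol state fuzzing of TLS implementations", more than just illegal messages are sent in order to find unexpected behavior in the TLS state machine.
For automated testing, the FLEXTLS script (compiler) was developed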
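The test method on slide 19, as an added example that is not from the slides, the SMACK authors or FlexTLS: at the end of each stage every message type is sent, and any message the implementation accepts that the reference state machine forbids is reported. The state names, both toy client classes and the bug in `LenientClient` are constructed for illustration; the reference order is the DHE server flight from slides 10 to 14.

```python
# Added example: model-based check of handshake message ordering.
# Message names follow the slides; both client classes are constructed toys.
HELLO, CERT = "ServerHello", "ServerCertificate"
SKE, DONE = "ServerKeyExchange", "ServerHelloDone"
MESSAGES = [HELLO, CERT, SKE, DONE]

# Reference client-side order for a DHE ciphersuite: state -> {message: next state}
REFERENCE = {
    "start":     {HELLO: "got_hello"},
    "got_hello": {CERT: "got_cert"},
    "got_cert":  {SKE: "got_ske"},
    "got_ske":   {DONE: "done"},
    "done":      {},
}

class StrictClient:
    """Rejects every message the reference machine does not allow in the current state."""
    def __init__(self):
        self.state = "start"

    def receive(self, msg):
        nxt = REFERENCE[self.state].get(msg)
        if nxt is None:
            return False              # illegal in this state: abort the handshake
        self.state = nxt
        return True

class LenientClient(StrictClient):
    """Constructed bug: ServerHelloDone is handled without checking what came before."""
    def receive(self, msg):
        if msg == DONE and self.state in ("got_hello", "got_cert"):
            self.state = "done"       # accepted although earlier messages were skipped
            return True
        return super().receive(msg)

def unexpected_transitions(client_cls):
    """At the end of each stage, send every message; report accepts the reference forbids."""
    found = []
    # The reference machine is linear, so state i is reached by the first i messages.
    for i, state in enumerate(REFERENCE):
        for msg in MESSAGES:
            client = client_cls()
            for m in MESSAGES[:i]:
                client.receive(m)
            if client.receive(msg) and msg not in REFERENCE[state]:
                found.append((state, msg))
    return found
```

An empty result means the implementation's accepted transitions match the reference; each reported pair is a state in which a message was accepted out of order.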
20. Something astonishing happened
OpenSSL Client and Server State machine for HTTPS configurations. Unexpected transitions: client in red on the right, server in green on the left
Keep in mind that the red and green transitions are behavior that OpenSSL may actually execute