TLS: Past, Present, Future

Outline Background Past Present Future
TLS: Past, Present, Future
Thyla van der Merwe
Royal Holloway, University of London
2 May 2016
TLS: Past, Present, Future – Thyla van der Merwe 1/ 30

Outline
2011$ 2016$
1 Background (what is TLS?)

Outline
2011$ 2016$
2 The Past

Outline
2011$ 2016$
2 The Past
3 The Present
Password recovery attacks against RC4 in TLS

Outline
2011$ 2016$
2 The Past
3 The Present
4 The Future

Outline
2011$ 2015$
PAST$ PRESENT$ FUTURE$
2011$ 2016$
2 The Past
3 The Present
4 The Future

Importance of TLS [KP]
Originally designed for secure e-commerce, now widely used
Access to online banking
Acesss to Gmail, Facebook, etc.
Mobile applications, including banking apps
TLS has become the de facto secure protocol of choice
Used by millions (billions?) of devices daily
Analysis is crucial

Highly Simpliﬁed View of TLS
Ku,$Kd$
Data$Link$
Internet$
Transport$
Applica7on$ TLS$h:p$
tcp$
hello, let’s chat
okay, let’s agree on algorithms,
establish keys to communicate
securely and here’s some assurance
as to my identity
Ku,$Kd$
let’s exchange application data
Handshake$protocol$
Record$protocol$
C S
Nego7ate$ciphersuite,$
authen7cate$en77es$and$establish$
keys$for$record$protocol$
Provide$conﬁden7ality$and$authen7city$of$applica7on$data$using$keys$
established$in$the$Handshake$protocol$

The TLS Ecosystem
TLS
versions

TLS
extensions

DTLS

TLS
Ecosystem

Servers
Clients

Cer1ﬁca1on

Authori1es
(CAs)

So:ware
vendors

Hardware
vendors

Researchers

Standards


Past
Started life as SSL, developed by Netscape
SSL 2.0 released in 1995 and SSL 3.0 in 1996
TLS 1.0 released in 1999, TLS 1.1 in 2006 and TLS 1.2 in
2008
Bleichenbacher Attack in 1998, against RSA using PKCS#1
Renegotiation Attack by Ray and Dispensa in 2009,
impersonation attack

Past
2011$
1995$
1996$
1999$
2006$
2008$ 2016$
2009$
1998$
2008

Past
2011$
1995$
1996$
1999$
2006$
2008$ 2016$
2009$
1998$
2002$
2008

As of 21 April, 2016. Available at:
https://www.trustworthyinternet.org/ssl-pulse/

Present
BEAST by Duong and Rizzo in 2011
CRIME by Duong and Rizzo in 2012
Lucky Thirteen by Al Fardan and Paterson, and RC4 Attacks
by Al Fardan et al. in 2013
Cookie Cutter and Triple Handshake attacks by Bhargavan et
al., Heartbleed bug and POODLE by Moller et al. in 2014

Present
2011$
1995$
1996$
1999$
2006$
2008$
2016$2009$
2012$
2013$
2014$
1998$
2002$
2015$
BEAST by Duong and Rizzo in 2011
CRIME by Duong and Rizzo in 2012
Lucky Thirteen by Al Fardan and Paterson, and RC4 Attacks
by Al Fardan et al. in 2013
Cookie Cutter and Triple Handshake attacks by Bhargavan et
al., Heartbleed bug and POODLE by Moller et al. in 2014

Password Recovery Attacks Against RC4 in TLS
Password Recovery Attacks Against RC4 in TLS [GPV15]
Despite work such as On the Security of RC4 in TLS, Al
Fardan et al. (USENIX 2013) RC4 usage stood at 35% of
TLS connections
ICSI$Notary$Sta+s+cs$[Dec.,$2014]$
h9p://notary.icsi.berkeley.edu/$

Password Recovery Attacks Against RC4 in TLS [GPV15]
Despite work such as On the Security of RC4 in TLS, Al
Fardan et al. (USENIX 2013) RC4 usage stood at 35% of
TLS connections
Can we strengthen these attacks?
Passwords are widely used for authentication and the fact that
they are not uniformly distributed may give us a boost
Get RC4 closer to the point where it needs to be abandoned!

RC4
RC4 State
Byte permutation and indices i and j
RC4 Key scheduling
RC4 Keystream generation

RC4 in TLS
Ku,
Kd

Data
Link

Internet

Transport

Applica7on
TLS
h:p

tcp

ClientHello(…,[RC4,…])
ServerHello(…,RC4)
.

.

.

ClientFinshed
.

Ku,
Kd

ServerFinshed
applica7on
data

.

.

.

Handshake
protocol

Record
protocol

(encrypted
with
RC4,

keys
Ku
and
Kd)

Integrity,
HMAC-‐SHA1

Cr
=
Pr

Zr

C S

36
protected
FINISHED
bytes


RC4 Biases
0
32
64
96
128
160
192
224
255
0 32 64 96 128 160 192 224 255
Bytevalue,Position2[0...255]
Byte value, Position 1 [0...255]
INFILE using 1:2:(max(min(4194304*$3,1.0),-1.0))
-1
-0.5
0
0.5
1

Attack Setting
First described by Mantin and Shamir in 2001
A ﬁxed plaintext, P, is encrypted multiple times under
independent RC4 keys, Ki
P,#K1#
P,#KS#

Plaintext Recovery via Bayesian Analysis
We want to maximize (for a position in the plaintext stream r):
Pr(X = x | C = c)
X is the random variable corresponding to a plaintext byte, x
C is the random variable corresponding to a vector of ciphertext
bytes

Using Bayes’ Theorem:
Pr(X = x | C = c) =
Pr(C = c | X = x) · Pr(X = x)
Pr(C = c)
=
Pr(C = c | X = x) · Pr(X = x)
x ∈X Pr(C = c | X = x ) · Pr(X = x )

So we actually want to maximize this:
Pr(C = c | X = x) · Pr(X = x)
However,
Pr(C = c | X = x) = Pr(Z = z)
and it suﬃces to maximize:
Pr(X = x) · Pr(Z = z)

a"posteriori"likelihood(of(x(being((
correct(byte(
Recovery(algorithm:((
Compute(most(likely(byte(by((
considering(all(byte(possibili7es(
(
C1(
C2(
C3(
CS(
...((
r""
encryp7ons(of(ﬁxed(byte((
under(diﬀerent(keys(
byte(candidate((
(x("
x"
...((
yields(induced(distribu7on(on(
keystream(bytes(Zr"
combine(with(known(distribu7on(
Combine(with(a"priori"plaintext(
distribu7on((
x"
x"
x"

Attacking Cookies [ABPPS13]
correct(byte(
Recovery(algorithm:((
Compute(most(likely(byte(by((
considering(all(byte(possibili7es(
(
Repeat(for(all(bytes(of(the(cookie(
C1(
C2(
C3(
CS(
...((
r""
encryp7ons(of(ﬁxed(byte((
byte(candidate((
(x("
x"
...((
keystream(bytes(Zr"
assume(a"priori"plaintext(
distribu7on(uniform(
x"
x"
x"
✗((256(posi7ons,(234(encryp7ons,(2000(hrs!(

Attacking Passwords
Widely used for authentication on the web, NOT uniformly
distributed
RockYou leak of 32 million passwords in 2009, about 14
million unique, 123456 most popular
Have a priori information from leaked datasets
Multiple bytes, not just one...

Attacking Passwords
For n bytes we want to maximize
Pr(X = x) · Pr(Z = z)
where X is the random variable corresponding to a vector of
plaintext bytes, x = (x0, x1, . . . , xn−1)
Z is the random variable corresponding to the matrix of keystream
bytes
?? Pr(Z = z)??

Approximations
Pr(Z%=%z)%%
A"ack&1:&&
Assume&keystream&bytes&behave&
independently&–&use&single6byte&probabili8es&
(product&distribu8on)&
A"ack&2:&&
Assume&keystream&byte&is&inﬂuenced&only&by&
byte&directly&adjacent&to&it&–&use&double6&and&
single6byte&probabili8es&

Approximations
correct(password(
!Recovery!algorithm:!(
(Compute(most(likely(password(from((((
(dic8onary(of(N(passwords(
C1(
C2(
C3(
CS(
...((
r,"r+1,…,"r+n11"
encryp8ons(of(ﬁxed(password((
password(candidate((
(x(=(x0",x1",…,"xn"
x0,"x1,"…,"xn"
...((
x0,"x1,"…,"xn"
x0,"x1,"…,"xn"
x0,"x1,"…,"xn"
keystream(bytes(Zr,Zr+1,…,Zr+n11""
approximate!using!known!!
distribu:on!
combine(with(a"priori"password(
distribu8on(

What’s diﬀerent?
n bytes instead of one
T attempts before lockout
dictionary of size N
single-byte vs double-byte estimator
Base64 or ASCII
r starting position
S ciphertexts
guessing attacks

Simulation Results
Use a dictionary built from RockYou leak dataset to attack
Singles.org dataset
More realistic but limits our success rate
Default parameters, n = 6, T = 5, S = 220, 222, . . . , 228
Success rate based on 256 experiments

Simulation Results
Single-byte vs double-byte, n = 6, T = 5
0
0.2
0.4
0.6
0.8
1
0 64 128 192 256
SuccessRate
Starting Position
db, 220
db, 222
db, 224
db, 226
db, 228
sb, 220
sb, 222
sb, 224
sb, 226
sb, 228

Simulation Results
T vs success rate, n = 6, r = 133 - double-byte and guessing
0
5
10
15
20
25
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
log2(T)
Recovery Rate
214
216
218
220
222
224
226
228
optimal guessing

Practical Validation
Applicable to BasicAuth and IMAP
We need multiple, independent encryptions of the password
We need the password to be encrypted at a favourable
position

Practical Validation
www.evil.com!
www.good.com!
PW = 123456!
PW!
TLS
channel!
r = 133!
Resumption latency of 250ms, 226, 6 parallel connections, 776
hours (at 100ms, 312 hours)

ICSI$Notary$Sta+s+cs$[Jul./Aug.,$2015]$
h=p://notary.icsi.berkeley.edu/$
RC4$at$12.8$%$$
ICSI$Notary$Sta+s+cs$[Mar./Apr.,$2016]$
RC4$at$2.4$%$$

Present
Password Recovery Attacks Against RC4 in TLS by Garman et
al. (OUR WORK)
FREAK by Beurdouche et al., Bar Mitzva Attack by Mantin,
LOGJAM, RC4 attack by Vanhoef and Piessens
Attack by Jager et. al, SLOTH and DROWN

Present
2011$ 2015$
1995$
1996$
1999$
2006$
2008$
2016$
$$10$
2009$
2012$
2013$
2014$
1998$
2002$
Password Recovery Attacks Against RC4 in TLS by Garman et
al. (OUR WORK)
FREAK by Beurdouche et al., Bar Mitzva Attack by Mantin,
LOGJAM, RC4 attack by Vanhoef and Piessens
Attack by Jager et. al, SLOTH and DROWN

Future
2011$ 2015$
1995$
1996$
1999$
2006$
2008$
2016$
$$10$
2009$
2012$
2013$
2014$
1998$
2002$
See my next talk :-)
Draft 1 of TLS 1.3 released in March 2015, draft 12 released
in March 2016
Encrypt as much of the handshake as possible
Re-evaluate the handshake contents - diﬀerent handshakes,
renegotiation handshake removed, resumption done diﬀerently
1-RTT for initial handshake, 0-RTT for repeated handshakes,
also 0.5-RTT
Update the record protection mechanisms

Takeaways
2011$ 2015$ 2016$
2009$
2012$
2013$
2014$
1998$
2002$

TLS: Past, Present, Future

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (20)

Similar to TLS: Past, Present, Future

Similar to TLS: Past, Present, Future (20)

More from vpnmentor

More from vpnmentor (13)

Recently uploaded

Recently uploaded (20)

TLS: Past, Present, Future