TLS: Past, Present, Future
Thyla van der Merwe
Royal Holloway, University of London
2 May 2016
TLS: Past, Present, Future – Thyla van der Merwe 1/ 30
Outline
(Timeline figure: Past, Present, Future, running up to 2016)
1 Background (what is TLS?)
2 The Past
3 The Present
  Password recovery attacks against RC4 in TLS
4 The Future
Importance of TLS [KP]
Originally designed for secure e-commerce, now widely used
Access to online banking
Access to Gmail, Facebook, etc.
Mobile applications, including banking apps
TLS has become the de facto secure protocol of choice
Used by millions (billions?) of devices daily
Analysis is crucial
Highly Simplified View of TLS
(Figure: TLS sits in the application layer next to HTTP, above TCP in the transport layer, the internet layer and the data link layer)
Handshake protocol, between client C and server S:
C: hello, let's chat
S: okay, let's agree on algorithms, establish keys to communicate securely and here's some assurance as to my identity
Negotiate ciphersuite, authenticate entities and establish keys (Ku, Kd) for the record protocol
Record protocol:
C and S: let's exchange application data
Provide confidentiality and authenticity of application data using the keys (Ku, Kd) established in the Handshake protocol
The TLS Ecosystem
(Figure: the TLS ecosystem drawn as a hub with the following spokes)
TLS versions, TLS extensions, DTLS
Servers, Clients
Certification Authorities (CAs)
Software vendors, Hardware vendors
Researchers, Standards
Past
(Timeline figure: 1995, 1996, 1998, 1999, 2002, 2006, 2008, 2009, 2011, 2016)
Started life as SSL, developed by Netscape
SSL 2.0 released in 1995 and SSL 3.0 in 1996
TLS 1.0 released in 1999, TLS 1.1 in 2006 and TLS 1.2 in 2008
Bleichenbacher Attack in 1998, a chosen-ciphertext attack against RSA key transport using PKCS#1 v1.5 padding
Renegotiation Attack by Ray and Dispensa in 2009, an impersonation attack
(Figure: SSL Pulse survey statistics as of 21 April, 2016. Available at: https://www.trustworthyinternet.org/ssl-pulse/)
Present
(Timeline figure: 1995 to 2016, with 2011, 2012, 2013, 2014 and 2015 marked)
BEAST by Duong and Rizzo in 2011
CRIME by Duong and Rizzo in 2012
Lucky Thirteen by Al Fardan and Paterson, and RC4 Attacks by Al Fardan et al. in 2013
Cookie Cutter and Triple Handshake attacks by Bhargavan et al., Heartbleed bug and POODLE by Möller et al. in 2014
Password Recovery Attacks Against RC4 in TLS [GPV15]
Despite work such as On the Security of RC4 in TLS, Al Fardan et al. (USENIX 2013), RC4 usage stood at 35% of TLS connections
(Figure: ICSI Notary Statistics [Dec., 2014], http://notary.icsi.berkeley.edu/)
Can we strengthen these attacks?
Passwords are widely used for authentication and the fact that they are not uniformly distributed may give us a boost
Get RC4 closer to the point where it needs to be abandoned!
RC4
RC4 state: a byte permutation S of {0, ..., 255} and indices i and j
RC4 key scheduling (KSA)
RC4 keystream generation (PRGA)
RC4 in TLS
(Figure: handshake and record protocol between client C and server S, with TLS in the application layer next to HTTP and above TCP)
Handshake protocol:
C -> S: ClientHello(…, [RC4, …])
S -> C: ServerHello(…, RC4)
…
C -> S: ClientFinished
S -> C: ServerFinished
The Finished messages are the first 36 protected bytes in each direction, so they consume the first 36 bytes of the RC4 keystream
Record protocol (encrypted with RC4, keys Ku and Kd; integrity from HMAC-SHA1):
application data, byte by byte: C_r = P_r ⊕ Z_r
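The ClientHello above is where a client decides whether RC4 can ever be negotiated. As a practitioner-side check to go with this slide, added here and not code from the talk or from [GPV15], the block below builds a Python ssl client context that cannot offer RC4 and probes whether the interpreter's OpenSSL build would still let an RC4-only cipher list through (the weak setting) next to the corrected one. The cipher string and the function names are my choices for this example; the behaviour of set_ciphers and get_ciphers is the standard library's.

```python
"""Check that a TLS client context cannot negotiate RC4 (added example)."""
import ssl


def rc4_free_client_context() -> ssl.SSLContext:
    """Client context that offers only forward-secret AEAD ciphersuites.

    The cipher string is this example's choice; the point is the explicit
    !RC4 (and !MD5, which also removes RC4-MD5 on builds that still ship it)
    together with a TLS 1.2 floor, which rules out SSL 3.0 fallbacks as well.
    """
    ctx = ssl.create_default_context()  # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!3DES:!MD5:!aNULL:!eNULL")
    return ctx


def negotiable_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the ciphersuites this context would advertise in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def offers_rc4(ctx: ssl.SSLContext) -> bool:
    return any("RC4" in name for name in negotiable_ciphers(ctx))


def rc4_still_available() -> bool:
    """Would the underlying OpenSSL build accept an RC4-only cipher list?

    This is the weak configuration the slide's ClientHello corresponds to.
    Current OpenSSL builds omit RC4 entirely, so set_ciphers raises SSLError
    ("no cipher can be selected") and the function reports False.
    """
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        weak.set_ciphers("RC4-SHA:RC4-MD5")
    except ssl.SSLError:
        return False
    return offers_rc4(weak)


if __name__ == "__main__":
    ctx = rc4_free_client_context()
    print("hardened context offers RC4:", offers_rc4(ctx))
    print("OpenSSL build can still select RC4:", rc4_still_available())
```

Run it against the Python you actually deploy with: rc4_still_available() answers for that build, and a hardened context whose get_ciphers() list is empty is itself a misconfiguration (no ciphersuite left to offer), which is why the check also verifies the list is non-empty.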
RC4 Biases
(Figure: heat map of the joint distribution of the first two keystream bytes; x-axis byte value at position 1 [0...255], y-axis byte value at position 2 [0...255], colour the deviation from uniform scaled to [-1, 1])
Attack Setting
First described by Mantin and Shamir in 2001
A fixed plaintext, P, is encrypted multiple times under independent RC4 keys, K_i
(Figure: P encrypted under K_1, ..., K_S, giving S ciphertexts)
Plaintext Recovery via Bayesian Analysis
We want to maximize (for a position r in the plaintext stream):
Pr(X = x | C = c)
X is the random variable corresponding to a plaintext byte, x
C is the random variable corresponding to a vector of ciphertext bytes
Using Bayes' Theorem:
\[
\Pr(X = x \mid C = c) = \frac{\Pr(C = c \mid X = x)\cdot\Pr(X = x)}{\Pr(C = c)}
= \frac{\Pr(C = c \mid X = x)\cdot\Pr(X = x)}{\sum_{x' \in \mathcal{X}} \Pr(C = c \mid X = x')\cdot\Pr(X = x')}
\]
The denominator does not depend on x, so we actually want to maximize this:
Pr(C = c | X = x) · Pr(X = x)
However, each ciphertext byte is c = x ⊕ z, so fixing the plaintext byte x determines the keystream vector z = c ⊕ x and
Pr(C = c | X = x) = Pr(Z = z)
and it suffices to maximize:
Pr(X = x) · Pr(Z = z)
Plaintext Recovery via Bayesian Analysis
(Figure: the recovery algorithm)
Input: S ciphertexts C_1, C_2, C_3, ..., C_S, encryptions of a fixed byte under different keys, and a position r
For each byte candidate x, the ciphertexts yield an induced distribution on the keystream bytes Z_r
Combine with the known keystream distribution at position r
Combine with the a priori plaintext distribution
Output: the a posteriori likelihood of x being the correct byte
Recovery algorithm: compute the most likely byte by considering all byte possibilities
Attacking Cookies [ABPPS13]
(Figure: the same recovery algorithm applied to one byte of a cookie)
Input: S ciphertexts C_1, C_2, C_3, ..., C_S, encryptions of a fixed byte under different keys, and a position r
For each byte candidate x, the ciphertexts yield an induced distribution on the keystream bytes Z_r
Combine with the known keystream distribution, assuming the a priori plaintext distribution is uniform
Compute the most likely byte by considering all byte possibilities
Repeat for all bytes of the cookie
✗ 256 positions, 2^34 encryptions, 2000 hrs!
Attacking Passwords
Widely used for authentication on the web, NOT uniformly distributed
RockYou leak of 32 million passwords in 2009, about 14 million unique, 123456 most popular
Have a priori information from leaked datasets
Multiple bytes, not just one...
Attacking Passwords
For n bytes we want to maximize
Pr(X = x) · Pr(Z = z)
where X is the random variable corresponding to a vector of plaintext bytes, x = (x_0, x_1, ..., x_{n−1})
Z is the random variable corresponding to the matrix of keystream bytes (S encryptions, n positions each)
?? Pr(Z = z) ??
Approximations for Pr(Z = z)
Attack 1: assume keystream bytes behave independently; use single-byte probabilities (product distribution)
Attack 2: assume a keystream byte is influenced only by the byte directly adjacent to it; use double- and single-byte probabilities
What's different?
n bytes instead of one
T attempts before lockout
dictionary of size N
single-byte vs double-byte estimator
Base64 or ASCII
r starting position
S ciphertexts
guessing attacks
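The following is a worked, runnable version of the pipeline on the preceding slides, written for this page and not the code or data of [GPV15]: RC4 itself, an empirical check of a keystream bias, and Attack 1 (the single-byte product estimator) ranking a dictionary by log Pr(X = x) + log Pr(Z = z) with the parameters n, T, N, r and S named above. Assumptions, made to keep a run to seconds: the keystream model contains only the Mantin-Shamir bias Pr[Z_2 = 0] ≈ 2/256 and treats every other position as uniform, so ciphertext evidence only reaches the password byte that lands at keystream position 2; TOY_PRIOR is a constructed seven-entry dictionary, not RockYou frequencies; keys are fresh random 16-byte keys per encryption, as in the attack setting. In TLS the first 36 keystream bytes of each direction are spent on Finished, which is why the real attack needs bias tables for much later positions (r = 133 on the slides), estimated from far more keystreams, and far more ciphertexts.

```python
"""RC4 keystream bias and Bayesian password ranking (added example, not the [GPV15] code)."""
import math
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA) over the permutation S, then n PRGA output bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ z for p, z in zip(plaintext, rc4_keystream(key, len(plaintext))))


def random_key(rng: random.Random, length: int = 16) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(length))


def z2_zero_fraction(num_keys: int, seed: int = 0) -> float:
    """Empirical Pr[Z_2 = 0]: about 2/256 (Mantin and Shamir 2001) instead of 1/256 for a uniform byte."""
    rng = random.Random(seed)
    zeros = sum(rc4_keystream(random_key(rng), 2)[1] == 0 for _ in range(num_keys))
    return zeros / num_keys


def keystream_log_probs(position: int) -> list:
    """log Pr[Z_position = z] for z in 0..255 (position is 1-indexed, as Z_r on the slides).

    Assumption for this example: only the Z_2 = 0 bias is modelled and every other position
    is treated as uniform. The real attack uses tables estimated for all positions.
    """
    if position == 2:
        p0 = 2 / 256
        return [math.log(p0)] + [math.log((1 - p0) / 255)] * 255
    return [math.log(1 / 256)] * 256


def rank_passwords(ciphertexts: list, prior: dict, start_position: int, top: int) -> list:
    """Attack 1: rank dictionary entries by log Pr(X = x) + log Pr(Z = z), with Pr(Z = z)
    approximated by the product of single-byte keystream probabilities.

    ciphertexts: S encryptions of one password under independent keys, each covering keystream
    positions start_position .. start_position + n - 1.  prior: password -> a priori probability
    (the dictionary of size N).  Returns the top T candidates, the guesses tried before lockout.
    """
    n = len(ciphertexts[0])
    counts = [[0] * 256 for _ in range(n)]    # counts[i][c]: how often byte c is seen at offset i
    for ct in ciphertexts:
        for i, c in enumerate(ct):
            counts[i][c] += 1
    logp = [keystream_log_probs(start_position + i) for i in range(n)]
    scored = []
    for pw, pr in prior.items():
        x = pw.encode()
        if len(x) != n:
            continue
        score = math.log(pr)
        for i in range(n):
            # candidate byte x_i induces keystream byte z = c ^ x_i for every observed ciphertext byte c
            score += sum(cnt * logp[i][c ^ x[i]] for c, cnt in enumerate(counts[i]) if cnt)
        scored.append((score, pw))
    scored.sort(reverse=True)
    return [pw for _, pw in scored[:top]]


# Constructed toy prior standing in for a leaked-password dictionary (not RockYou figures).
TOY_PRIOR = {"123456": 0.40, "abc123": 0.20, "qwerty": 0.15, "monkey": 0.10,
             "secret": 0.08, "iloveu": 0.05, "dragon": 0.02}


def simulate(password: str, start_position: int, num_ciphertexts: int, top: int = 5, seed: int = 1) -> list:
    """Encrypt `password` under num_ciphertexts fresh keys so that it starts at keystream
    position start_position, then run the ranking attack on those ciphertexts."""
    rng = random.Random(seed)
    pw = password.encode()
    cts = []
    for _ in range(num_ciphertexts):
        ks = rc4_keystream(random_key(rng), start_position - 1 + len(pw))[start_position - 1:]
        cts.append(bytes(p ^ z for p, z in zip(pw, ks)))
    return rank_passwords(cts, TOY_PRIOR, start_position, top)


if __name__ == "__main__":
    print("Pr[Z_2 = 0] ~", z2_zero_fraction(2 ** 14))
    print("r = 1, S = 2^14:", simulate("dragon", 1, 2 ** 14))   # position-2 evidence beats the prior
    print("r = 3, S = 2^14:", simulate("dragon", 3, 2 ** 14))   # no modelled bias covered: prior order
```

With r = 1 the password's second byte is encrypted at keystream position 2, and after 2^14 ciphertexts the least likely dictionary entry, dragon, is ranked first ahead of 123456 despite a 20:1 prior against it; with r = 3 none of the modelled bias is covered, every candidate receives the same likelihood, and the ranking collapses to guessing in prior order, which is exactly why the starting position r and the quality of the keystream tables decide the success rate. The double-byte estimator of Attack 2 would replace keystream_log_probs with joint probabilities of adjacent positions and score pairs of induced keystream bytes instead of single ones.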
Simulation Results
Use a dictionary built from the RockYou leak dataset to attack the Singles.org dataset
More realistic but limits our success rate
Default parameters: n = 6, T = 5, S = 2^20, 2^22, ..., 2^28
Success rate based on 256 experiments
Simulation Results
(Figure: success rate against starting position 0 to 256 for the single-byte (sb) and double-byte (db) estimators, n = 6, T = 5, S = 2^20, 2^22, 2^24, 2^26, 2^28)
Simulation Results
(Figure: log2(T) against recovery rate, n = 6, r = 133, double-byte estimator for S = 2^14, 2^16, ..., 2^28, compared with optimal guessing)
Practical Validation
Applicable to BasicAuth and IMAP
We need multiple, independent encryptions of the password
We need the password to be encrypted at a favourable position
Practical Validation
(Figure: www.evil.com triggers repeated TLS connections from the victim to www.good.com, each carrying PW = 123456 encrypted at position r = 133)
Resumption latency of 250ms, 2^26 encryptions, 6 parallel connections: 776 hours (at 100ms, 312 hours)
(Figure: ICSI Notary Statistics [Jul./Aug., 2015], http://notary.icsi.berkeley.edu/: RC4 at 12.8%)
(Figure: ICSI Notary Statistics [Mar./Apr., 2016]: RC4 at 2.4%)
Present
(Timeline figure: 1995 to 2016, with 2015 added)
Password Recovery Attacks Against RC4 in TLS by Garman et al. (OUR WORK)
FREAK by Beurdouche et al., Bar Mitzvah Attack by Mantin, Logjam, RC4 attack by Vanhoef and Piessens
Attack by Jager et al., SLOTH and DROWN
Future
See my next talk :-)
Draft 1 of TLS 1.3 released in March 2015, draft 12 released in March 2016
Encrypt as much of the handshake as possible
Re-evaluate the handshake contents - different handshakes, renegotiation handshake removed, resumption done differently
1-RTT for initial handshake, 0-RTT for repeated handshakes, also 0.5-RTT
Update the record protection mechanisms (AEAD ciphersuites only; RC4 and CBC-mode ciphersuites are gone)
Takeaways
(Timeline figure: the attacks of 1998 to 2016 placed on the Past, Present, Future timeline)