TLS/SSL et al.
Internet Security
SSL/TLS: how does it work?
- Server authentication
- Key exchange
- Encrypted data transfer (record protocol)
Handshake messages (figure):
Client Hello: highest SSL version, ciphers supported, data compression methods, session id = 0, random data
Server Hello: selected SSL version, selected cipher, selected data compression method, assigned session id, random data, server certificate, (client certificate request), Server Hello Done
Client -> Server (Change Cipher Spec, Finished): indicates that further communication to the server will be encrypted; a digest of all SSL handshake messages for an integrity check
Server -> Client (Change Cipher Spec, Finished): indicates that further communication to the client will be encrypted; a digest of all SSL handshake messages for an integrity check
Session state kept on both sides: session id, ciphers (key exchange/encryption/hash), SSL version
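The Client Hello fields listed above, serialised and parsed in Python as an added example (not code from the talk): the record framing is TLS 1.2's, the cipher suite code points are the IANA-registered values, and the session and random bytes are constructed. The parser validates every length field before trusting it, which is the habit that prevents the bounds-check class of bug discussed later on this page.

```python
import os
import struct

# IANA-registered cipher suite code points; the messages built below are constructed.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

HANDSHAKE_RECORD = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type "client_hello"


def build_client_hello(cipher_suites, version=(3, 3), session_id=b"",
                       compression=(0,), random_bytes=None):
    """Serialise ClientHello -> Handshake -> TLS record (TLS 1.2 is version 3,3).
    A fresh connection sends an empty session id (the slide's "Session Id = 0")."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = bytes(version) + rnd                               # client_version, random[32]
    body += bytes([len(session_id)]) + session_id             # session_id<0..32>
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites           # cipher_suites<2..2^16-2>
    body += bytes([len(compression)]) + bytes(compression)    # compression_methods<1..255>
    body += struct.pack("!H", 0)                              # empty extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


class _Cursor:
    """Bounds-checked reader: a length field is verified against the data
    actually present before any bytes are consumed."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated at offset %d (need %d bytes)" % (self.pos, n))
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]


def parse_client_hello(record):
    """Return the fields the slide lists for Client Hello, or raise ValueError."""
    rec = _Cursor(record)
    if rec.u8() != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    rec.take(2)                                       # record-layer version, not needed here
    hs = _Cursor(rec.take(rec.u16()))                 # record length must match the data
    if hs.u8() != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _Cursor(hs.take(int.from_bytes(hs.take(3), "big")))
    version = tuple(body.take(2))
    rnd = body.take(32)
    session_id = body.take(body.u8())
    cs_len = body.u16()
    if cs_len == 0 or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body.take(2))[0] for _ in range(cs_len // 2)]
    compression = list(body.take(body.u8()))
    return {"version": version, "random": rnd, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compression}
```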
Key Exchange - RSA
Integer Prime Factorization Problem
- Ron Rivest, Adi Shamir and Leonard Adleman in 1977
- Good for signing and encryption
- Bad for key exchange
- Advance key computation
- Patent expired in 2000
Key Exchange – DH & DHE
Discrete Logarithm Problem (in Z_p*)
DH: even though α, p, A and B are known to the adversary, calculating
a = log_α A mod p
is practically impossible with p being a large prime number.
- Whitfield Diffie and Martin Hellman in 1976
- No long-term private key involved
- DHE provides Perfect Forward Secrecy
- No secret key is exchanged
DH - Ephemeral (DHE): a fresh exponent is chosen for every session and discarded afterwards
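The exchange above in the slide's notation (α, p, a, b, A, B), as an added Python example that is not the talk's code. The toy values α = 5, p = 23 are constructed so that the brute-force logarithm finishes instantly; a real deployment uses a prime of 2048 bits or more, for which brute_force_dlog would never finish.

```python
import secrets


def dh_keypair(alpha, p):
    """Fresh private exponent a and public value A = alpha^a mod p.
    For DHE this happens once per session and a is discarded afterwards."""
    while True:
        a = 2 + secrets.randbelow(p - 3)        # a in [2, p-2]
        A = pow(alpha, a, p)
        if 1 < A < p - 1:                       # never publish a degenerate value
            return a, A


def dh_shared_secret(peer_public, own_private, p):
    """Both sides compute the same value: B^a = A^b = alpha^(ab) mod p."""
    if not 1 < peer_public < p - 1:             # reject 0, 1 and p-1 (subgroup of order 1 or 2)
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, p)


def brute_force_dlog(alpha, A, p):
    """Naive a = log_alpha A mod p by trying every exponent; feasible only for toy p."""
    x = 1
    for a in range(p - 1):
        if x == A:
            return a
        x = x * alpha % p
    return None


def textbook_exchange(alpha=5, p=23, a=4, b=3):
    """Fixed, constructed exponents so the numbers can be checked by hand.
    Returns (A, B, secret computed by Alice, secret computed by Bob)."""
    A, B = pow(alpha, a, p), pow(alpha, b, p)
    return A, B, dh_shared_secret(B, a, p), dh_shared_secret(A, b, p)


def dhe_sessions(alpha, p, count):
    """Run `count` independent sessions with fresh exponents and return their
    shared secrets. No long-lived key takes part, so a later key compromise has
    nothing that would unlock these values (forward secrecy)."""
    out = []
    for _ in range(count):
        a, A = dh_keypair(alpha, p)
        b, B = dh_keypair(alpha, p)
        s_alice, s_bob = dh_shared_secret(B, a, p), dh_shared_secret(A, b, p)
        if s_alice != s_bob:
            raise RuntimeError("key agreement failed")
        out.append(s_alice)
    return out
```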
How strong is TLS?
Symmetric Algorithms
Security Level Comparison Sym/Asym Algorithms
Elliptic Curve Cryptography - ECC
- Discovered in 1985 by Victor Miller (IBM) and Neal Koblitz (University of Washington)
- Some implementations patented by Certicom
- Low computing power requirements
- Reduced key length and hence fast
- Use only standard NIST curves
Elliptic Curve Discrete Logarithm Problem
Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k if k is sufficiently large. k is the discrete logarithm of Q to the base P.
On an elliptic curve, scalar multiplication is a one-way function.
Figure: scalar multiplication Q = kP; point addition P3 = P1 + P2, where the line through P1 and P2 meets the curve at -(P1 + P2), which is reflected to give P3.
Example:
In the elliptic curve group defined by y^2 = x^3 + 9x + 17 over F23, what is the discrete logarithm a of Q = (4,5) to the base P = (16,5)?
One (naive) way to find a is to compute multiples of P until Q is found. The first few multiples of P are:
P = (16,5)   2P = (20,20)
3P = (14,14)   4P = (19,20)
5P = (13,10)   6P = (7,3)
7P = (8,7)   8P = (12,17)
9P = (4,5)
Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is a = 9.
In a real application, a would be large enough that it would be infeasible to determine a in this manner.
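The naive search above, as an added Python example (not the talk's code) that implements point addition and scalar multiplication on y^2 = x^3 + 9x + 17 over F23 and walks the multiples of P until Q appears. The curve, P and Q are the slide's; the double-and-add routine is added to show the easy direction (kP from k) next to the hard one (k from kP).

```python
# Curve from the slide: y^2 = x^3 + 9x + 17 over F_23 (toy parameters).
P_MOD, A, B = 23, 9, 17
INF = None   # point at infinity, the group identity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def _inv(v):
    return pow(v % P_MOD, -1, P_MOD)   # modular inverse (Python 3.8+)


def add(p1, p2):
    """Chord-and-tangent addition: the line through p1 and p2 meets the curve at
    a third point; its reflection in the x-axis is p1 + p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                        # p2 == -p1, vertical line
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P_MOD    # tangent slope
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD           # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: kP in O(log k) group operations (the easy direction)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def multiples(pt, n):
    """1P, 2P, ..., nP by repeated addition, exactly as in the slide's search."""
    out, cur = [], INF
    for _ in range(n):
        cur = add(cur, pt)
        out.append(cur)
    return out


def naive_dlog(base, target):
    """Find k with k*base == target by walking the multiples (the hard direction).
    Feasible only because this group is tiny; a real curve has about 2^256 points."""
    cur, k = base, 1
    while cur is not INF:
        if cur == target:
            return k
        cur = add(cur, base)
        k += 1
    return None
```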
Dissecting a certificate
openssl s_client -showcerts -connect www.google.com:443 < /dev/null
curl -s http://pki.google.com/GIAG2.crl | openssl crl -inform DER -text -noout -in /dev/stdin
openssl rsa -noout -in domain.key -modulus   ( == )   openssl x509 -noout -in domain.cer -modulus
Cipher is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, read left to right:
1. TLS: the transport layer protocol used (others: SSL)
2. ECDHE: session key exchange algorithm (others: RSA, DH, DHE)
3. RSA: PKI type of the certificate (others: DSS)
4. AES_256: symmetric algorithm used to encrypt the actual data (others: RC4, 3DES, CAMELLIA, ARIA, DES40)
5. CBC: mode in which the symmetric algorithm operates (others: CCM, GCM)
6. SHA: hashing algorithm for data integrity (others: MD5)
openssl s_client -showcerts -connect qualys.com:443
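An added Python example (not the talk's code) that dissects a suite name into the six components above and flags the choices this talk warns about: no forward secrecy, RC4/3DES/DES40, MD5, and CBC mode. The suite names are constructed inputs and the weak/strong tables are this example's own simplification of the talk's guidance.

```python
# Cipher suite name = PROTOCOL_KX[_AUTH][_EXPORT]_WITH_CIPHER[_BITS][_MODE]_MAC
FORWARD_SECRET_KX = {"ECDHE", "DHE"}            # ephemeral exchange => forward secrecy
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}
MODE_TOKENS = {"CBC"} | AEAD_MODES
WEAK_CIPHERS = {"RC4", "3DES", "DES", "DES40", "RC2", "IDEA", "NULL"}
WEAK_MACS = {"MD5", "NULL"}


def dissect(name):
    """Split a suite name into the slide's components and attach findings."""
    parts = name.split("_")
    if len(parts) < 4 or "WITH" not in parts:
        raise ValueError("not a TLS/SSL cipher suite name: %r" % name)
    w = parts.index("WITH")
    export = "EXPORT" in parts[1:w]
    kx_auth = [t for t in parts[1:w] if t != "EXPORT"]
    key_exchange = kx_auth[0]
    auth = kx_auth[1] if len(kx_auth) > 1 else kx_auth[0]   # TLS_RSA_WITH_...: RSA does both
    tail = parts[w + 1:]
    mac, body = tail[-1], tail[:-1]
    suite = {
        "protocol": parts[0],
        "key_exchange": key_exchange,
        "auth": auth,
        "cipher": body[0],
        "key_bits": next((int(t) for t in body if t.isdigit()), None),
        "mode": next((t for t in body if t in MODE_TOKENS), None),  # None => stream cipher
        "mac": mac,
        "forward_secrecy": key_exchange in FORWARD_SECRET_KX,
    }
    suite["aead"] = suite["mode"] in AEAD_MODES
    suite["findings"] = _findings(suite, export)
    return suite


def _findings(s, export):
    f = []
    if export:
        f.append("EXPORT-grade suite: deliberately weakened key sizes")
    if not s["forward_secrecy"]:
        f.append("no forward secrecy: %s key exchange depends on the long-term key"
                 % s["key_exchange"])
    if s["cipher"] in WEAK_CIPHERS:
        f.append("weak cipher %s" % s["cipher"])
    if s["mode"] == "CBC":
        f.append("CBC mode: exposed to the BEAST/Lucky13/POODLE class of attacks "
                 "on old protocol versions")
    if s["mac"] in WEAK_MACS:
        f.append("weak MAC/PRF hash %s" % s["mac"])
    if s["key_bits"] is not None and s["key_bits"] < 128:
        f.append("key size %d bits is below 128" % s["key_bits"])
    return f


def rank(names):
    """Order suites best first: fewest findings, then AEAD before non-AEAD.
    Handy when assembling a server-side cipher list such as the ones below."""
    def key(n):
        d = dissect(n)
        return (len(d["findings"]), not d["aead"], n)
    return sorted(names, key=key)
```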
PFS (Perfect Forward Secrecy)
- A property of secure communication protocols: a protocol is said to have forward secrecy if compromise of long-term keys (private keys) does not compromise past session keys.
- The threat it addresses is passive cryptanalysis of recorded traffic.
- Provided by DHE (Diffie-Hellman Ephemeral)
Signature
- Hash of something, signed by a private key
- Verified using the public key
- Satisfies integrity and non-repudiation
- Hashing algorithms: MD5, SHA{1,256,384}, SHA3 (Keccak)
- Collision
Chain of trust (figure): each certificate carries the subject's DN, the issuer's DN, validity, version etc. and the subject's public key, and is signed with the issuer's private key over a hash of those fields.
- Root certificate: root's DN (Equifax), validity, version etc., root's public key (Equifax); signed with the root's own private key
- Subject's DN (GeoTrust), issuer's DN (Equifax, CA), validity, version etc., subject's public key (GeoTrust); signed with Equifax's private key
- Subject's DN (GIA), issuer's DN (GeoTrust, CA), validity, version etc., subject's public key (GIA); signed with GeoTrust's private key
- Subject's DN (google.com), issuer's DN (GIA, CA), validity, version etc., subject's public key (google.com); signed with GIA's private key. The browser uses this public key to securely transport the PMS (premaster secret).
exponentof:~ > cat val_s | tr '\n' ' ' | sed 's/://g' | sed 's/ //g'
exponentof:~ > cat val_p | tr '\n' ' ' | sed 's/://g' | sed 's/ //g'
>>> print "%x" % pow(signature, exponent, modulus)
exponentof:~ > python
Python 2.7.6 (default, Sep  9 2014, 15:04:36)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> s = 0x2524813aac6d551f5a4251e4c358a3195b8c99a7959ebbfa0dc5192be3b5cb6f876ca119e9cf389764d2709a539227f55ce4704aae7483a3849a607494b298fec86593fe58c1ffbc5be8759a84f0e135c423c012a46ee1cca7e4
28097baa17efd4ad5987a70fc74cc798992125d70af6e4adf755f3c73409bef156339db2c2511db021f24f3349ae1cbca1e32f69ef04a98abcbbddb76fa82f3033fbc3c81941d347bfc4362fb068e947770bb7b614c5e71206c496
9898c25609e595f99762fff5aef1ca1e836e9c5c4b574e081df61d62a606cf126791e26cb6aa361a55d1bf672a5c896622a91ca5988488cadbce504c5059c7741f29534a315d5de52f8bc8
>>> p = 0x009c2a04775cd850913a06a382e0d85048bc893ff119701a88467ee08fc5f189ce21ee5afe610db7324489a0740b534f55a4ce826295eeeb595fc6e1058012c45e943fbc5b4838f453f724e6fb91e915c4cff4530df44afc9f54d
e7dbea06b6f87c0d0501f28300340da0873516c7fff3a3ca737068ebd4b1104eb7d24dee6f9fc3171fb94d560f32e4aaf42d2cbeac46a1ab2cc53dd154b8b1fc819611fcd9da83e632b8435696584c819c54622f85395bee3804a
10c62aecba972011c739991004a0f0617a95258c4e5275e2b6ed08ca14fcce226ab34ecf46039797037ec0b1de7baf4533cfba3e71b7def42525c20d35899d9dfb0e1179891e37c5af8e7269
>>> print "%x" % pow(s, 65537, p)
1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffff003031300d06096086480165030402010500042088a87cce9efc117b780401bccfaf115c94f1bdd578fb0f3adc9501061422018e
>>> exit()
exponentof:~ >
exponentof:~ > dd if=Google.crt of=Google.tbsCertificate skip=4 bs=1 count=866
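The signature check from the session above and the chain of trust from the earlier slide, as an added Python example that is not the talk's code: it generates toy RSA keys, reproduces the 00 01 FF..FF 00 DigestInfo || hash block that pow(s, 65537, p) revealed, and verifies a constructed Equifax -> GeoTrust -> GIA -> google.com chain link by link. The keys, the certificate layout and the DN strings are constructed for the example; the DigestInfo prefix is the one visible in the slide's output.

```python
import hashlib
import random

E = 65537
# DER DigestInfo prefix for SHA-256: the bytes that follow the 00 separator in
# the slide's pow() output, just before the 32-byte hash.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for toy keys; real keys come from a vetted library."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=1024):
    """Toy RSA key {n, e, d}; uses `random`, so it is repeatable under random.seed()."""
    while True:
        p = q = 0
        while not is_probable_prime(p):
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while q == p or not is_probable_prime(q):
            q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % E:                           # E is prime, so this is gcd(E, phi) == 1
            return {"n": p * q, "e": E, "d": pow(E, -1, phi)}

def emsa_pkcs1_v15(message, k):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(message), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, key):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def recover_em(signature, n, e):
    """The slide's pow(s, 65537, p): apply the public key to the signature."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")

def verify(message, signature, n, e):
    """Compare the whole encoded message, not only the trailing hash, so a
    malformed padding block is rejected instead of being skipped over."""
    k = (n.bit_length() + 7) // 8
    return len(signature) == k and recover_em(signature, n, e) == emsa_pkcs1_v15(message, k)

def make_cert(subject, issuer, subject_key, issuer_key):
    """Minimal certificate: a tbs body (subject DN, issuer DN, subject public key)
    plus the issuer's signature over the hash of that body."""
    tbs = ("subject=%s;issuer=%s;n=%d;e=%d"
           % (subject, issuer, subject_key["n"], subject_key["e"])).encode()
    return {"subject": subject, "issuer": issuer, "n": subject_key["n"],
            "e": subject_key["e"], "tbs": tbs, "sig": sign(tbs, issuer_key)}

def verify_chain(chain, trusted_root):
    """chain = [leaf, ..., last intermediate]. Each certificate's issuer DN must name
    the next certificate's subject and its signature must verify under that
    certificate's key; the last link is checked against the self-signed trust anchor."""
    if trusted_root["issuer"] != trusted_root["subject"] or not verify(
            trusted_root["tbs"], trusted_root["sig"], trusted_root["n"], trusted_root["e"]):
        return False
    for cert, signer in zip(chain, chain[1:] + [trusted_root]):
        if cert["issuer"] != signer["subject"]:
            return False
        if not verify(cert["tbs"], cert["sig"], signer["n"], signer["e"]):
            return False
    return True

def build_demo_chain(seed=7):
    """The slide's chain with constructed keys: Equifax (root) -> GeoTrust -> GIA -> google.com.
    Returns (trust anchor, [leaf, GIA, GeoTrust])."""
    random.seed(seed)
    root_k, geo_k, gia_k, leaf_k = (gen_key() for _ in range(4))
    root = make_cert("Equifax", "Equifax", root_k, root_k)      # self-signed trust anchor
    geotrust = make_cert("GeoTrust", "Equifax", geo_k, root_k)
    gia = make_cert("GIA", "GeoTrust", gia_k, geo_k)
    leaf = make_cert("google.com", "GIA", leaf_k, gia_k)
    return root, [leaf, gia, geotrust]
```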
exponentof:~ > openssl asn1parse -inform der -in www.google.com.der | head -10
    0:d=0  hl=4 l=1152 cons: SEQUENCE
    4:d=1  hl=4 l= 872 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   8 prim: INTEGER           :3DD4FA1A02DDF51A
   23:d=2  hl=2 l=  13 cons: SEQUENCE
   25:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   36:d=3  hl=2 l=   0 prim: NULL
   38:d=2  hl=2 l=  73 cons: SEQUENCE
   40:d=3  hl=2 l=  11 cons: SET
exponentof:~ >
Threats
- Crypto vulnerabilities
  - BEAST
  - CRIME
  - Lucky13
  - Heartbleed
  - POODLE
  - DROWN
  - CacheBleed
- Wrong implementation
  - Never write your own crypto; use libraries.
- Lawful Intercept (LI)
  - Backdoors (RSA and ECC)
- CA
- Private key
Crypto Vulnerabilities
- BEAST (CVE-2011-3389) and Lucky13 (CVE-2013-0169). These are CBC vulnerabilities.
Fix:
The attack affects TLS 1.0/SSL 3.0 but does not work against TLS 1.1 and 1.2, so use TLS 1.2 with AES-GCM suites. But GCM mode is new and it is an arduous job to get every security system (on both the server and the client side) upgraded, so instead use RC4, which is a stream cipher and hence faster and free of CBC/IV handling. The bad news is that RC4 has security problems of its own (its keystream entropy problem) when compared to block ciphers like AES and DSA, but those are less devastating than what CBC mode offers.
Apache
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
Nginx
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
Crypto Vulnerabilities
- CRIME attack (CVE-2012-4929). A vulnerability exposed by TLS compression. Exposes the site's cookies through a side-channel attack.
Fix:
Disable TLS compression. Most applications, Nginx and Apache among them, have directives to disable compression.
Apache
SSLCompression Off
Nginx
export OPENSSL_NO_DEFAULT_ZLIB=1
Crypto Vulnerabilities
- POODLE attack (CVE-2014-3566). Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC).
The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this vulnerability to decrypt select content within the SSL session.
Fix:
There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV.
TLS_FALLBACK_SCSV is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Crypto Vulnerabilities
- Heartbleed attack (CVE-2014-0160). OpenSSL's TLS/DTLS heartbeat extension.
The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When exploited it leaks memory contents from the server to the client and from the client to the server.
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
Fix:
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to upgrade immediately can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Crypto Vulnerabilities
- DROWN attack (CVE-2016-0800). Secure Socket Layer (SSL) 2.0.
DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption.
Fix:
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.
Apache
SSLProtocol All -SSLv2 -SSLv3
Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Crypto Vulnerabilities
- CacheBleed (CVE-2016-0702).
CacheBleed is a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors. By detecting cache-bank conflicts via minute timing variations, we are able to recover information about victim processes running on the same machine. Our attack is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures). This is despite the fact that OpenSSL's RSA implementation was carefully designed to be constant time in order to protect against cache-based (and other) side-channel attacks.
Attacks target OpenSSL's implementation of RSA (both RSA decryption as well as RSA signatures). Although we have not demonstrated this, in principle our attack should be able to leak partial information about ElGamal encryption as well.
https://ssrg.nicta.com.au/projects/TS/cachebleed/
Fix:
Wrong Implementation
- PGP database [Lenstra et al. 2012]
  - 2 factored RSA keys out of 700,000. Why?
- Smartcards [2012 Chou (slides in Chinese)]
  - Taiwan Citizen Digital Certificate smartcard certificates used for paying taxes, etc.
  - Factored 103 (out of 2.26 million)
- Mind your Ps & Qs - Nadia Heninger
- High RNG entropy is difficult to achieve
  - Collect entropy more aggressively
  - Natural entropy sources for true randomness
  - True RNGs
  - Hardware RNGs (SSL accelerator cards) = transducer (noise conversion) + amplifier + A-D converter; seeds faster cryptographic PRNGs
  - Intel's Ivy Bridge entropy source: each Ivy Bridge die contains one hardware RNG, shared by all the cores. The RNG begins with an entropy source (ES) whose behavior is determined by unpredictable thermal noise.
Bad RNGs & Keys
Bruce Schneier -
“I have no idea if the NSA convinced Intel to do this (reducing the entropy to enable easy cryptanalysis) with the hardware random number generator it embedded into its CPU chips, but I do know that it could. And I was always leery of Intel strongly pushing for applications to use the output of its hardware RNG directly and not putting it through some strong software PRNG like Fortuna. And now Theodore Ts'o writes this about Linux: "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction."”
Linux PRNGs, /dev/random and /dev/urandom
https://www.random.org/
Wrong Implementation
Coders, never implement your own crypto!!!
LI (Lawful Intercept)
- PIPA (Protect IP Act) May '11, SOPA (Stop Online Piracy Act) Oct '11
- What about Edward Snowden & PRISM?
- All major players like Google, Facebook, Yahoo, Twitter etc.
- Lavabit and Silent Mail?
CA Threats
Recent incidents (in the last 4 years):
- Comodo - hacker issued bad certs
- DigiNotar - hacker issued bad certs for MITM
- Trustwave - issued sub-CA to a customer for MITM
- Turktrust - issued sub-CA by mistake, used for MITM
- Man-in-the-middle and CA private key compromises leading to a change in certificate
- Require systems to detect a change in the certificate during the SSL handshake.
Solutions and Experiments
- HPKP (HTTP Public Key Pinning)
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04
An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.
- TACK (Trust Assertions for Certificate Keys)
http://tack.io/draft.html
The server sends its "tack" through a TLS extension.
Once the client has seen the same (hostname, TSK) pair multiple times, the client will "activate" a pin between the hostname and TSK for a period equal to the length of time the pair has been observed for.
The client pins to a server-chosen signing key, known as a "TACK signing key" or "TSK", which signs the server's TLS keys.
Certificate Pinning
- Convergence.io et al.
  - An agile, distributed, and secure strategy for replacing Certificate Authorities
  - Firefox add-on that, once activated, replaces the entire CA infrastructure
  - User initiated
  - No more self-signed certificate warnings
  - Privacy with bounce notaries
Replacing CA
However, it is up to you too…
- Watch yourself in the cyber mirror
- Be careful while you show up and show off in the social networking spree.
- Investigate the exposure
- Surprises from unverified sources (lottery, dead bank account, job offers etc.)
- Electronic Frontier Foundation (https://www.eff.org)
“Only the paranoid survive”
– Andrew S. Grove, ex-CEO, Intel.

JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 

TLS/SSL Internet Security Talk

  • 2. SSL/TLS how does it work?
    - Server authentication
    - Key Exchange
    - Encrypted data transfer (record protocol)
    Handshake, as labelled in the slide's sequence diagram:
    - Client to server: highest SSL version, ciphers supported, data compression methods, Session Id = 0, random data
    - Server to client: selected SSL version, selected cipher, selected data compression method, assigned Session Id, random data, server certificate, (client certificate request), Server Hello Done
    - Client to server: indicates that further communication to server will be encrypted; digest of all SSL handshake commands for integrity check
    - Server to client: indicates that further communication to client will be encrypted; digest of all SSL handshake commands for integrity check
  • 3. Hello message fields (diagram, client side and server side): SessionID, Ciphers (keyexg/enc/hash), SSL ver.
  • 4. Key Exchange - RSA (Integer Prime Factorization Problem)
    - Ron Rivest, Adi Shamir and Leonard Adleman in 1977
    - Good for signing and encryption
    - Bad for key exchange
    - Advance key computation
    - Patent expired in 2000
  • 5.
  • 6. Hello message fields (diagram, client side and server side): SessionID, Ciphers (keyexg/enc/hash), SSL ver.
  • 7. Key Exchange – DH & DHE (Discrete Logarithm Problem in Zp*)
    DH: even though α, p, A and B are known to the adversary, calculating a = log_α A mod p is practically impossible with p being a large prime number.
    - Whitfield Diffie and Martin Hellman in 1976
    - No long term private key involved
    - DHE provides Perfect Forward Secrecy
    - No secret key is exchanged
    DH - Ephemeral
  • 8. How strong is TLS? (tables on the slide: Symmetric Algorithms; Security Level Comparison Sym/Asym Algorithms)
  • 9. Elliptic Curve Cryptography - ECC
    - Discovered in 1985 by Victor Miller (IBM) and Neil Koblitz (University of Washington)
    - Some implementations patented by Certicom
    - Low computing power requirements
    - Reduced key length and hence fast
    - Use only standard NIST curves
    Elliptic Curve Discrete Logarithm Problem: Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k, if k is sufficiently large. k is the discrete logarithm of Q to the base P. On an EC, scalar multiplication is a one-way function. (Diagram: P and Q = kP)
  • 10. (Diagram: point addition on the curve; the line through P1 and P2 meets the curve at -(P3 = P1 + P2), whose reflection is P3 = P1 + P2)
  • 11. Eg: In the elliptic curve group defined by y² = x³ + 9x + 17 over F23, what is the discrete logarithm a of Q = (4,5) to the base P = (16,5)?
    One (naive) way to find a is to compute multiples of P until Q is found. The first few multiples of P are:
    P = (16,5), 2P = (20,20), 3P = (14,14), 4P = (19,20), 5P = (13,10), 6P = (7,3), 7P = (8,7), 8P = (12,17), 9P = (4,5)
    Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is a = 9.
    In a real application, a would be large enough such that it would be infeasible to determine a in this manner.
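The instance on slide 11 worked out in code, as an added example (not the talk's own code): a small short-Weierstrass implementation over F_p with the slide's curve y² = x³ + 9x + 17 over F23, listing P, 2P, ..., 9P and recovering a = 9 by the naive method; it also implements the scalar multiplication slide 9 calls a one-way function, so the same code runs on any curve of this form given p, a and b.

```python
"""Added example, not from the talk: the ECDLP instance of slide 11 in Python 3.
Points are (x, y) tuples; None stands for the point at infinity O."""

P_MOD, A, B = 23, 9, 17          # the slide's curve: y^2 = x^3 + 9x + 17 over F23
P = (16, 5)                      # base point from the slide
Q = (4, 5)                       # target point from the slide


def on_curve(pt, p=P_MOD, a=A, b=B):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); O is always on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(p1, p2, p=P_MOD, a=A):
    """Chord-and-tangent addition, the picture on slide 10."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p                   # reflect -(P1 + P2) to P1 + P2
    return (x3, y3)


def scalar_mult(k, pt, p=P_MOD, a=A):
    """Double-and-add: k*P in O(log k) additions; this is the one-way direction."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend, p, a)
        addend = ec_add(addend, addend, p, a)
        k >>= 1
    return result


def multiples(pt, n, p=P_MOD, a=A):
    """[1P, 2P, ..., nP], the table printed on the slide."""
    out, cur = [], None
    for _ in range(n):
        cur = ec_add(cur, pt, p, a)
        out.append(cur)
    return out


def naive_dlog(pt, q, p=P_MOD, a=A, limit=10000):
    """Smallest k >= 1 with k*pt == q, or None. Feasible only because this group is tiny;
    a sufficiently large k is exactly what makes the real problem infeasible."""
    cur = pt
    for k in range(1, limit + 1):
        if cur == q:
            return k
        cur = ec_add(cur, pt, p, a)
    return None


if __name__ == "__main__":
    for i, m in enumerate(multiples(P, 9), 1):
        print(f"{i}P = {m}")
    print("a =", naive_dlog(P, Q))
```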
  • 12. Dissecting a certificate
    openssl s_client -showcerts -connect www.google.com:443 < /dev/null
    curl -s http://pki.google.com/GIAG2.crl | openssl crl -inform DER -text -noout -in /dev/stdin
    openssl rsa -noout -in domain.key -modulus  ( == )  openssl x509 -noout -in domain.cer -modulus
  • 13. Cipher is TLS(1)_ECDHE(2)_RSA(3)_WITH_AES256(4)_CBC(5)_SHA(6)
    1. The transport layer protocol used (others: SSL)
    2. Session key exchange algorithm (others: RSA, DH, DHE)
    3. PKI type of the certificate (others: DSS)
    4. Symmetric algorithm used to encrypt the actual data (others: RC4, 3DES, CAMELLIA, ARIA, DES40)
    5. Mode in which the symmetric algorithm operates (others: CCM, GCM)
    6. Hashing algorithm for data integrity (others: MD5)
    openssl s_client -showcerts -connect qualys.com:443
  • 14. PFS (Perfect Forward Secrecy)
    - A property of secure communication protocols: a secure communication protocol is said to have forward secrecy if compromise of long-term keys (private keys) does not compromise past session keys.
    - Passive cryptanalysis
    - DHE (Diffie Hellman Ephemeral)
  • 15. Signature
    - Hash of something signed by private key
    - Verified using public key
    - Satisfies Integrity and Non-repudiation
    - Hashing Algorithms: MD5, SHA{1,256,384}, SHA3 (Keccak)
    - Collision
  • 16. Chain of trust (four certificate boxes on the slide, root first; each shows the subject's DN, the issuer's DN, validity, version etc., the subject's public key, and a signature made with the issuer's private key over the hash)
    - Root's DN (Equifax); validity, version etc.; Root's PubK (Equifax); signature: HASH signed with Root's PrivK
    - Subj's DN (GeoTrust); Issuer's DN (Equifax, CA); validity, version etc.; Subj's PubK (GeoTrust); signature: HASH signed with Equifax's PrivK
    - Subj's DN (GIA); Issuer's DN (GeoTrust, CA); validity, version etc.; Subj's PubK (GIA); signature: HASH signed with GeoTrust's PrivK
    - Subj's DN (google.com); Issuer's DN (GIA, CA); validity, version etc.; Subj's PubK (google.com), used by the browser to securely transport the PMS; signature: HASH signed with GIA's PrivK
  • 17. Verifying a certificate signature by hand: print "%x" % pow( signature, exponent, modulus )
    (The slide shows the signer's RSA modulus as openssl prints it, a colon-separated hex dump ending in ...:72:69; that dump and the two 2048-bit hex values pasted into Python below are omitted here.)
    exponentof:~ > cat val_s | tr '\n' ' ' | sed 's/://g' | sed 's/ //g'
    exponentof:~ > cat val_p | tr '\n' ' ' | sed 's/://g' | sed 's/ //g'
    exponentof:~ > python
    Python 2.7.6 (default, Sep 9 2014, 15:04:36)
    [GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> s = 0x...   (the signature value from val_s, omitted)
    >>> p = 0x...   (the modulus from val_p, omitted)
    >>> print "%x" % pow( s, 65537, p )
    1ffff...ff003031300d06096086480165030402010500042088a87cce9efc117b780401bccfaf115c94f1bdd578fb0f3adc9501061422018e
    >>> exit()
    exponentof:~ > dd if=Google.crt of=Google.tbsCertificate skip=4 bs=1 count=866
    exponentof:~ > openssl asn1parse -inform der -in www.google.com.der | head -10
        0:d=0  hl=4 l=1152 cons: SEQUENCE
        4:d=1  hl=4 l= 872 cons: SEQUENCE
        8:d=2  hl=2 l=   3 cons: cont [ 0 ]
       10:d=3  hl=2 l=   1 prim: INTEGER           :02
       13:d=2  hl=2 l=   8 prim: INTEGER           :3DD4FA1A02DDF51A
       23:d=2  hl=2 l=  13 cons: SEQUENCE
       25:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
       36:d=3  hl=2 l=   0 prim: NULL
       38:d=2  hl=2 l=  73 cons: SEQUENCE
       40:d=3  hl=2 l=  11 cons: SET
    exponentof:~ >
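The computation on slide 17 reproduced in Python 3 as an added example (not the speaker's code): s^e mod n recovers the PKCS#1 v1.5 block 00 01 FF..FF 00 || DigestInfo || SHA-256(tbsCertificate), which "%x" prints without its leading 00 byte, hence the 1ffff... on the slide. The 512-bit key, the tbs bytes and the seed are constructed so the script runs offline; the real check would use the modulus from the issuer's certificate and the dd-extracted tbsCertificate, and the checks in verify_by_hand are what one does by eye on the slide's printed value.

```python
"""Added example, not from the talk: the slide's manual RSA check in Python 3.
Demo key size is 512 bits so it runs offline; real certificates use >= 2048."""
import hashlib
import random

# DER DigestInfo prefix for SHA-256: the bytes right after the 00 separator on the slide.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for a demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand, rng):
            return cand


def gen_rsa_key(bits=512, e=65537, seed=1):
    """Return (n, e, d); seeded so a run is repeatable."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_sign(tbs, n, d):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(tbs); signature s = EM^d mod n."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(tbs).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n)


def verify_by_hand(tbs, sig, n, e):
    """Recover EM = sig^e mod n and check every field the slide reads off by eye."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):   # PS: at least 8 bytes of FF
        return False
    return em[sep + 1:] == SHA256_DIGESTINFO_PREFIX + hashlib.sha256(tbs).digest()


if __name__ == "__main__":
    n, e, d = gen_rsa_key()
    tbs = b"constructed tbsCertificate bytes"          # stand-in for Google.tbsCertificate
    sig = pkcs1_v15_sign(tbs, n, d)
    print("%x" % pow(sig, e, n))                        # 1ff...ff003031300d0609..., as on the slide
    print(verify_by_hand(tbs, sig, n, e), verify_by_hand(tbs + b"x", sig, n, e))
```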
  • 18. Threats
    - Crypto vulnerabilities: BEAST, CRIME, Lucky13, HeartBleed, Poodle, Drown, Cachebleed
    - Wrong implementation: never write your own crypto, use libraries.
    - Lawful Intercept (LI)
    - Backdoors (RSA and ECC)
    - CA
    - Private Key
  • 19. Crypto Vulnerabilities
    - BEAST (CVE-2011-3389) and Lucky13 (CVE-2013-0169). These are CBC vulnerabilities.
    Fix: The exploit attack impacts TLS 1.0/SSL 3.0, but does not work for TLS versions 1.1 and 1.2. So use TLS 1.2 with AES GCM suites. But the GCM mode is new and it is an arduous job to get every security system (both at the server and the client sides) upgraded; so instead use RC4, which is a stream cipher and hence faster and CBC/IV-free. But the bad news is that RC4 has got its own security problems (fixed string cipher entropy problem) when compared to block ciphers like AES and DSA, but that is less devastating than what CBC mode offers.
    Apache:
      SSLProtocol ALL -SSLv2
      SSLHonorCipherOrder On
      SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
    Nginx:
      ssl_prefer_server_ciphers On;
      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
  • 20. Crypto Vulnerabilities
    - CRIME attack (CVE-2012-4929). A vulnerability exposed by TLS compression. Exposes the site cookies via side-channel attacks.
    Fix: Disable TLS compression. Most applications like Nginx and Apache have directives to disable compression.
    Apache:
      SSLCompression Off
    Nginx:
      export OPENSSL_NO_DEFAULT_ZLIB=1
  • 21. Crypto Vulnerabilities
    - Poodle attack (CVE-2014-3566). Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC). The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session.
    Fix: There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. TLS_FALLBACK_SCSV is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
  • 22. Crypto Vulnerabilities
    - Heartbleed attack (CVE-2014-0160). The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
    Fix: Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
  • 23. Crypto Vulnerabilities
    - Drown attack (CVE-2016-0800). Secure Socket Layer (SSL) 2.0. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption.
    Fix: To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.
    Apache:
      SSLProtocol All -SSLv2 -SSLv3
    Nginx:
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
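As an added check, not part of the talk: a small Python audit of an nginx TLS block against the rules slides 19 to 23 state (no SSLv2 because of DROWN, no SSLv3 because of POODLE, TLS 1.2 so AES-GCM suites are available, server cipher preference, and the !ADH/!AECDH/!MD5 exclusions carried by the deck's own cipher string). The two sample blocks are constructed from those slides: slide 19's nginx lines, which still list SSLv3, and the same lines with slide 23's ssl_protocols.

```python
"""Added example, not from the talk: audit nginx ssl_* directives against the
deck's advice (slides 19 to 23)."""
import re

BANNED_PROTOCOLS = {                      # protocol token -> finding, CVEs as cited on the slides
    "SSLv2": "SSLv2 enabled: DROWN (CVE-2016-0800)",
    "SSLv3": "SSLv3 enabled: POODLE (CVE-2014-3566)",
}
REQUIRED_EXCLUSIONS = ("!ADH", "!AECDH", "!MD5")   # from the deck's recommended cipher string

# Constructed sample inputs taken from the slides: slide 19's nginx block still lists SSLv3;
# the "hardened" block swaps in slide 23's ssl_protocols and keeps slide 19's cipher string.
SLIDE19_NGINX = """
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
"""
HARDENED_NGINX = SLIDE19_NGINX.replace("ssl_protocols SSLv3 TLSv1", "ssl_protocols TLSv1")


def parse_directives(config):
    """Map each 'ssl_* value;' directive to its value (a later duplicate wins)."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", config, re.M)}


def audit_nginx_ssl(config):
    """Return a list of findings; an empty list means the block follows the deck's advice."""
    d = parse_directives(config)
    findings = []
    protocols = d.get("ssl_protocols", "").split()
    findings += [BANNED_PROTOCOLS[p] for p in protocols if p in BANNED_PROTOCOLS]
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 not offered: AES-GCM suites (the BEAST/Lucky13 fix) unavailable")
    ciphers = d.get("ssl_ciphers", "").split(":")
    findings += [f"cipher string does not exclude {x[1:]}" for x in REQUIRED_EXCLUSIONS
                 if x not in ciphers]
    if d.get("ssl_prefer_server_ciphers", "").lower() != "on":
        findings.append("ssl_prefer_server_ciphers not On: the client may pick a weaker suite")
    return findings


if __name__ == "__main__":
    for name, cfg in (("slide 19", SLIDE19_NGINX), ("hardened", HARDENED_NGINX)):
        print(name, "->", audit_nginx_ssl(cfg) or "OK")
```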
  • 24. Crypto Vulnerabilities
    - CacheBleed (CVE-2016-0702). CacheBleed is a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors. By detecting cache-bank conflicts via minute timing variations, we are able to recover information about victim processes running on the same machine. Our attack is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures). This is despite the fact that OpenSSL's RSA implementation was carefully designed to be constant time in order to protect against cache-based (and other) side-channel attacks. Attacks target OpenSSL's implementation of RSA (both RSA decryption as well as RSA signatures). Although we have not demonstrated this, in principle our attack should be able to leak partial information about ElGamal encryption as well. https://ssrg.nicta.com.au/projects/TS/cachebleed/
    Fix:
  • 25. Wrong Implementation: Bad RNGs & Keys
    - PGP database [Lenstra et al. 2012]: 2 factored RSA keys out of 700,000. Why?
    - Smartcards [2012 Chou (slides in Chinese)]: Taiwan Citizen Digital Certificates smartcard certificates used for paying taxes, etc. Factored 103 (out of 2.26 million).
    - Mind your Ps & Qs - Nadia Heninger
    - High RNG entropy is difficult to achieve: collect entropy more aggressively; natural entropy sources for true randomness
    - True RNGs: hardware RNGs (SSL accelerator cards) = transducer (noise conversion) + amplifier + A-D converter; seed faster cryptographic PRNGs
    - Intel's Ivy Bridge entropy source: each Ivy Bridge die contains one hardware RNG, shared by all the cores. The RNG begins with an entropy source (ES) whose behavior is determined by unpredictable thermal noise.
  • 26. Wrong Implementation
    Bruce Schneier: "I have no idea if the NSA convinced Intel to do this (reducing the entropy to enable easy cryptanalysis) with the hardware random number generator it embedded into its CPU chips, but I do know that it could. And I was always leery of Intel strongly pushing for applications to use the output of its hardware RNG directly and not putting it through some strong software PRNG like Fortuna. And now Theodore Ts'o writes this about Linux: 'I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction.'"
    Linux PRNGs: /dev/random and /dev/urandom
    https://www.random.org/
    Coders, never implement your own crypto !!!
  • 27. LI
    - PIPA (Protect IP Act) May '11, SOPA (Stop Online Piracy Act) Oct '11
    - What about Edward Snowden & PRISM?
    - All major players like Google, Facebook, Yahoo, Twitter etc.
    - Lavabit and Silent Mail?
  • 28. CA Threats
    Recent incidents (in the last 4 years):
    - Comodo - hacker issued bad certs
    - Diginotar - hacker issued bad certs for MITM
    - Trustwave - issued sub CA to customer for MITM
    - Turktrust - issued sub CA by mistake, used for MITM
    - Man-in-the-middle and CA private key compromises leading to a change in certificate
    - Require systems to detect a change in the certificate during the SSL handshake.
  • 29. Solutions and Experiments: Certificate Pinning
    - HPKP (HTTP Public Key Extension) http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04
      An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.
    - TACK (Trust Assertions for Certificate Keys) http://tack.io/draft.html
      The server sends its "tack" through a TLS extension. The client pins to a server-chosen signing key, known as a "TACK signing key" or "TSK", which signs the server's TLS keys. Once the client has seen the same (hostname, TSK) pair multiple times, the client will "activate" a pin between the hostname and TSK for a period equal to the length of time the pair has been observed for.
  • 30. Replacing CA
    - Convergence.io et al.
      - An agile, distributed, and secure strategy for replacing Certificate Authorities
      - Firefox add-on, once activated, replaces the entire CA infrastructure
      - User initiated
      - No more self-signed certificate warnings
      - Privacy with bounce notaries
  • 31. However, it is up to you too…
  • 32. However, it is up to you too…
    - Watch yourself in the cyber mirror
    - Be careful while you show up and show off in the social networking spree.
    - Investigate the exposure
    - Surprises from unverified sources (lottery, dead bank account, job offers etc.)
    - Electronic Frontier Foundation (https://www.eff.org)
  • 33.
  • 34.
  • 35. "Only the paranoid survive" – Andrew S Grove, ex-CEO Intel.
  • 36. ?