downgrade attacks by example
play

Downgrade Attacks by Example How Compatibility breaks Security - PowerPoint PPT Presentation

Feb 02, 2023 •300 likes •820 views

Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki) 2012-01-21 Michael Rodler Downgrade Attacks 1 / 39 About me about me @f0rki, http://f0rki.at Student Sichere Informationssysteme Bachelor at

  1. Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki) 2012-01-21 Michael Rodler Downgrade Attacks 1 / 39

  2. About me about me ◮ @f0rki, http://f0rki.at ◮ Student “Sichere Informationssysteme Bachelor” at FH Hagenberg ◮ 5th semester ◮ Member of Hagenberger Kreis and CTF Team ◮ Helps organize Security Forum ◮ Annual security conference at Hagenberg ◮ 18./19. April 2012 ◮ www.securityforum.at Michael Rodler Downgrade Attacks 2 / 39

  3. What are “Downgrade Attacks”? ◮ In every application layer protocol there’s some kind of Handshake ◮ Negotiation of common... ◮ ... protocol version ◮ ... protocol features ◮ ... crypto algorithms ◮ ... etc. Michael Rodler Downgrade Attacks 3 / 39

  4. What are “Downgrade Attacks”? ◮ Man-in-the-middle (e.g. arp spoofing, fake ra, etc.) ◮ Attacker can alter traffic Michael Rodler Downgrade Attacks 4 / 39

  5. What are “Downgrade Attacks”? ◮ Man-in-the-middle (e.g. arp spoofing, fake ra, etc.) ◮ Attacker can alter traffic Downgrade Attack The attacker acts as a proxy and alters the communication so that no or weaker security features are used by the client, the server or both. Michael Rodler Downgrade Attacks 4 / 39

  6. Welcome to History Class... SSL 2.0 ◮ published 1994 – a long time ago ◮ had some serious security issues [7] ◮ was fixed in SSL 3.0 in 1995 ◮ Vulnerable to some kind of downgrade attack 1 ◮ No integrity protection of handshake messages 1 called Ciphersuite Rollback Attack back then Michael Rodler Downgrade Attacks 5 / 39

  7. Welcome to History Class... SSL 2.0 The Attack ◮ Replace Cipher Specs sent by client with weakest cipher suite Michael Rodler Downgrade Attacks 6 / 39

  8. Welcome to History Class... SSL 2.0 The Attack ◮ Replace Cipher Specs sent by client with weakest cipher suite SSLv2 Record Layer : C l i e n t Hello Length : 28 Handshake Message Type : C l i e n t Hello (1) [ . . . ] Cipher Specs (X specs ) Cipher Spec : SSL2_DES_64_CBC_WITH_MD5 (0 x060040 ) [ . . . ] Challenge Michael Rodler Downgrade Attacks 6 / 39

  9. SSL 3.0 – The Fix ◮ Integrity protection of handshake introduced ◮ Handshake ends with: ◮ change_cipher_spec – change to negotiated parameters ◮ finished – hash over handshake, key material ◮ need to check hash in finished message ◮ detects tampering of handshake messages Michael Rodler Downgrade Attacks 7 / 39

  10. Problem fixed! Michael Rodler Downgrade Attacks 8 / 39

  11. Problem fixed! ... yeah right ... Michael Rodler Downgrade Attacks 8 / 39

  12. E-Mail ◮ E-Mail is much older than SSL/TLS ◮ First SMTP RFC in 1982 ◮ Security introduced later ◮ RFC for STARTTLS extension to SMTP in 2002 ◮ Compatibility is essential Michael Rodler Downgrade Attacks 9 / 39

  13. E-Mail ◮ explicit TLS ◮ STARTTLS, STLS commandos ◮ Client requests switching to TLS secured connection ◮ implicit TLS ◮ imaps, pops ◮ no attack vector here Michael Rodler Downgrade Attacks 10 / 39

  14. IMAP ∗ OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL − IR LOGIN − REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED ] Dovecot ready . 1 STARTTLS 1 OK Begin TLS n e g o t i a t i o n now . < TLS Handshake > Michael Rodler Downgrade Attacks 11 / 39

  15. IMAP ∗ OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL − IR LOGIN − REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED ] Dovecot ready . 1 STARTTLS 1 OK Begin TLS n e g o t i a t i o n now . < TLS Handshake > The Attack ◮ Attacker strips out STARTTLS and LOGINDISABLED ◮ tricks client into thinking that the server does not support STARTTLS Michael Rodler Downgrade Attacks 11 / 39

  16. POP S : + OK Dovecot ready . C: CAPA S : + OK S : CAPA S : [ . . . ] S : STLS S : . C: STLS S : + OK Begin TLS n e g o t i a t i o n now . < TLS Handshake > Michael Rodler Downgrade Attacks 12 / 39

  17. POP S : + OK Dovecot ready . C: CAPA S : + OK S : CAPA S : [ . . . ] S : STLS S : . C: STLS S : + OK Begin TLS n e g o t i a t i o n now . < TLS Handshake > The Attack ◮ Attacker strips out STLS ◮ tricks client into thinking that the server does not support STLS Michael Rodler Downgrade Attacks 12 / 39

  18. SMTP S : 220 t e s t m a i l e r ESMTP P o s t f i x ( Ubuntu ) C: EHLO [ 1 0 . 4 2 . 4 2 . 2 ] S : 250 − t e s t m a i l e r S : [ . . . ] S : 250 − STARTTLS C: STARTTLS S : 220 2 . 0 . 0 Ready to s t a r t TLS < TLS Handshake > Michael Rodler Downgrade Attacks 13 / 39

  19. SMTP S : 220 t e s t m a i l e r ESMTP P o s t f i x ( Ubuntu ) C: EHLO [ 1 0 . 4 2 . 4 2 . 2 ] S : 250 − t e s t m a i l e r S : [ . . . ] S : 250 − STARTTLS C: STARTTLS S : 220 2 . 0 . 0 Ready to s t a r t TLS < TLS Handshake > The Attack ◮ Attacker strips out STARTTLS ◮ tricks client into thinking that the server does not support STARTTLS Michael Rodler Downgrade Attacks 13 / 39

  20. Status ◮ nothing new ◮ Attack is descirbed in “Security Considerations” of RFCs ◮ Responsiblity is at the client, to abort insecure connections Michael Rodler Downgrade Attacks 14 / 39

  21. Status ◮ nothing new ◮ Attack is descirbed in “Security Considerations” of RFCs ◮ Responsiblity is at the client, to abort insecure connections Mail Clients ◮ Thunderbird > 3 – good ◮ Outlook 2007 – has “automatic” setting == bad ◮ Windos Live Mail – IMAP/POP: no support, SMTP: bad ◮ Apple Mail (v3.6) – no support ◮ Pegasus Mail – good, SMTP: bad Michael Rodler Downgrade Attacks 14 / 39

  22. Mitigation ◮ don’t use plaintext auth ◮ use PGP or S/MIME for end-to-end encryption ◮ use implicit TLS, e.g. imaps, pops ◮ most client software behaves correct anyway ◮ no real risk here Michael Rodler Downgrade Attacks 15 / 39

  23. HTTPS/HTTP ◮ Default is browsing over unsecured http:// connection ◮ Users get redirected to https:// via ◮ links in html ◮ 302 Redirects ◮ Connection: Upgrade Header ◮ As with STARTTLS, this happens in unsecured traffic Michael Rodler Downgrade Attacks 16 / 39

  24. Strippping https links sslstrip by Moxie Marlinspike (presented at BlackHat DC 2009) [1] [2] ◮ http proxy ◮ strips out https links ◮ keeps track of https only resources Michael Rodler Downgrade Attacks 17 / 39

  25. Strippping https links sslstrip by Moxie Marlinspike (presented at BlackHat DC 2009) [1] [2] ◮ http proxy ◮ strips out https links ◮ keeps track of https only resources Mitigation ◮ A smart user? ◮ https only website Michael Rodler Downgrade Attacks 17 / 39

  26. Oracle Paper/presentations by László Tóth [5] [6], Steve Ocepek and Wendel G. Henrique [3] Oracle protocols ◮ Proprietary protocols ◮ Specifications only for $$$ ◮ → hard to analyze ◮ Transparent Network Substrate (TNS) ◮ simple/primitve protocol ◮ Wireshark decoder exists ◮ Net8 or SQL*Net ◮ complex and obscure ◮ no wireshark decoder (only partial implementation) ◮ TNS transports Net8 Michael Rodler Downgrade Attacks 18 / 39

  27. Oracle Authentication I ◮ Challenge-Response ◮ Used crypto algorithms changed with every release Oracle 8i ◮ Server sends session key encrypted with DES, Key is oraclehash of the user password ◮ Client sends user password encrypted with DES, Key is the session key Oracle 9i ◮ Similar to 8i, but uses 3DES Michael Rodler Downgrade Attacks 19 / 39

  28. Oracle Authentication II Oracle 10g/11g ◮ Client/Server both send a session Key → MD5(XOR(ServerKey, ClientKey)) ◮ uses AES-128/192 in 10g/11g Problems ◮ DES is broken ◮ Bruteforce attack ◮ Java Thin Client till Version 10 supports only 8i Michael Rodler Downgrade Attacks 20 / 39

  29. Downgrade Attacks Several Downgrade Attacks published [5] [3] [6] ◮ Against old versions of Oracle 11 JDBC Driver ◮ “Downgrade through Replay” ◮ Replace Handshake Packets with older Version ◮ Combinations of versions and platforms behave differently ◮ many WTF?!? moments... ◮ Attack against Oracle 10g Windows Client and Server ◮ Downgrade to Oracle 8i level ◮ metasploit module – release? Michael Rodler Downgrade Attacks 21 / 39

  30. Attack! Michael Rodler Downgrade Attacks 22 / 39

  31. Attack! Michael Rodler Downgrade Attacks 23 / 39

  32. Attack! Michael Rodler Downgrade Attacks 24 / 39

  33. Mitigation ◮ Strong passwords ◮ Keep Software up to date ◮ espescially JDBC driver ◮ Configure minimal accepted net8 version SQLNET.ALLOWED_LOGON_VERSION ◮ (buy Oracle Advanced Security) ◮ (tunnel over SSH or SSL) Michael Rodler Downgrade Attacks 25 / 39

  34. Questions? Michael Rodler Downgrade Attacks 26 / 39

  35. Microsoft SQL Server ◮ Tabular Data Stream Protocol (TDS) ◮ Open Spezifikation [4] → not as painful as analyzing Oracle ;) ◮ Wireshark Decoder exists ◮ Two types of authentication ◮ Native authentication ◮ Integrated/Windows authentication Michael Rodler Downgrade Attacks 27 / 39

  36. Native Authentication ◮ Authentication with "‘Login7"’ packet ◮ No cryptographic Challenge-Response, no crypto at all??? ◮ Password is obfuscated ◮ no problem: obfuscation algorithm is in the standard Michael Rodler Downgrade Attacks 28 / 39

Recommend

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
Downgrade Resilience in Key Exchange markulf kohlweiss joint work with: k. bhargavan, c.

Downgrade Resilience in Key Exchange markulf kohlweiss joint work with: k. bhargavan, c.

Downgrade Resilience in Key Exchange markulf kohlweiss joint work with: k. bhargavan, c. brzuska, c. fournet, m. green, s. zanella-beguelin 1 Downgrade as an everyday phenomen https:// http:// 2 TLS protocol suite not a single protocol

624 views • 24 slides
Downgrade Resilience in Key-Exchange Protocols Ruth Ng TLS Crypto Seminar, Winter 2019, UC San

Downgrade Resilience in Key-Exchange Protocols Ruth Ng TLS Crypto Seminar, Winter 2019, UC San

Downgrade Resilience in Key-Exchange Protocols Ruth Ng TLS Crypto Seminar, Winter 2019, UC San Diego Overview High-level summary of the whole paper: Motivate the study of downgrade resilience (Very) brief discussion on modelling

604 views • 24 slides
Standard &amp; Poors downgrade in 2018, 2020 on Fairgrounds JPA bond ratings

Standard &amp; Poors downgrade in 2018, 2020 on Fairgrounds JPA bond ratings

Standard &amp; Poors downgrade in 2018, 2020 on Fairgrounds JPA bond ratings Fairgrounds Operating budget impacted by COVID Cancelation of 2020 NHSFR &amp; postponement FMCA facility-wide events using new improvements: over

314 views • 13 slides
From Criticality Incredible Project Plan to Facility Hazard Categorization Downgrade Tom Hines

From Criticality Incredible Project Plan to Facility Hazard Categorization Downgrade Tom Hines

From Criticality Incredible Project Plan to Facility Hazard Categorization Downgrade Tom Hines DOE Nuclear Safety Oversight Lead Matthew Wilson Senior Nuclear Criticality Safety Consultant 2017 ANS Winter Meeting www.energy.gov/EM 1

468 views • 22 slides
IMPACT OF COVID-19 AND SOVEREIGN DOWNGRADE ON SA GOVERNMENT DEBT CABRI webinar: Managing public

IMPACT OF COVID-19 AND SOVEREIGN DOWNGRADE ON SA GOVERNMENT DEBT CABRI webinar: Managing public

IMPACT OF COVID-19 AND SOVEREIGN DOWNGRADE ON SA GOVERNMENT DEBT CABRI webinar: Managing public debt amidst COVID- 19 financing pressures in Africa Alilali Nelufule, National Treasury of South Africa 25 June 2020 SOUTH AFRICA WAS DOWNGRADED

648 views • 16 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant, Opportunistic Security for Server To Server E-Mail Delivery Overview Server-to-Server E-Mail background SMTP Vulnerabilities DANE/SMTP to

360 views • 16 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding &amp; DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen Introduction Physical Attacks Active Passive (Fault Attacks) (Observing Attacks) Side Channel Attacks

644 views • 45 slides

More recommend