Downgrade Resilience in Key Exchange markulf kohlweiss joint work - PowerPoint PPT Presentation



  1. Downgrade Resilience in Key Exchange. Markulf Kohlweiss, joint work with K. Bhargavan, C. Brzuska, C. Fournet, M. Green, S. Zanella-Béguelin

  2. Downgrade as an everyday phenomenon: https:// vs. http://

  3. TLS protocol suite – not a single protocol (diagram: Client and Server exchange Hello messages, then Finished messages)

  4. (timeline 2007–2016)
     Crypto failures: MD5, RC4, RSA 512 bit, SHA1, SLOTH, DROWN
     Protocol weaknesses: CRIME, Renegotiation, Triple Handshake, ECDHE cross-protocol attack, Logjam, BEAST (Rogaway 02), Lucky13, POODLE, FREAK
     Implementation bugs: OpenSSL entropy, EarlyCCS, Heartbleed, SKIP

  5. (figure slide, no text)

  6. Our contribution
     1. Definitions that tolerate weak algorithms and capture downgrade attacks
     2. Modular proof strategy
        • Analyse downgrade security of SSH, IKE, ZRTP, TLS
        • Prove downgrade security for SSH and TLS 1.3
        – New countermeasures designed together with the core design team of TLS 1.3

  7. Negotiation
     • Inputs: config_C and config_S: supported versions, ciphers, groups, long-term keys
     • Outputs: mode: negotiated version, cipher, group, etc.
     • Ideal negotiation: mode = Nego(config_C, config_S)

  8. Transcript authentication vs. downgrades
     • Authentication: if my negotiated mode uses only strong algorithms, then my partner and I agree on keys, identities and mode.
     • Authentication does not guarantee negotiation of a strong mode.
       – The intersection of config_C and config_S must be strong!
       – What if config_C and config_S include a legacy algorithm?
       – What are the minimal requirements on config_C and config_S?

  9. POODLE (diagram: Client and Server exchange Hello messages, then Finished messages) [Dowling and Stebila 2015]

  10. LOGJAM (Client C, MitM, Server S)
     C knows sk_C, pk_S; S knows sk_S, pk_C
     config_C: G2048, G512; config_S: G2048, G512
     C → MitM: [G2048, G512]; MitM → S: [G512]; S → C: [G512]
     m1 = g^x mod p512; m2 = g^y mod p512
     S signs: sign(sk_S, hash(m1 || m2)); C would need: sign(sk_S, transcript')?
     MitM: y = dlog(m2); k = kdf(g^xy mod p512)
     C: k = kdf(g^xy mod p512); S: k = kdf(g^xy mod p512)
     C: mac(k, transcript'); S: mac(k, transcript)

  11. (diagram: Client and Server message flow, no text)

  12. (diagram: Client and Server) md5(m1 || m2') = md5(m1' || m2)

  13. Downgrade secure configurations
     • Downgrade protection (DP) only if
       – config_C requires good public keys and signature schemes
       – config_S has a preference for the downgrade-secure version
     • Clients and servers interoperate with everyone; they get the desired mode only when DP(config_C, config_S).

  14. Protocol execution model
     • Adversary controls generation of keys (sk, pk) via KeyGen() and of sessions via Init(config_C)
     • Configurations: algorithms and keys supported by sessions
     • MitM: m' ← Send(m)
     • Sessions assign variables: config := config_C, uid := …, mode := …

  15. Downgrade security
     What if the server's (sk, pk) does not exist? (MitM in place of the server's keys)
     C: config := config_C, uid := uid, mode := mode, complete := true
     S: config := config_S, uid := uid, mode := (unset), complete := (unset)
     Downgrade attack: a completed session with DP(C.config, S.config) but mode ≠ Nego(C.config, S.config)

  16. Our contribution
     1. Definitions that tolerate weak algorithms and capture downgrade attacks
     2. Modular proof strategy
        • Analyse downgrade security of SSH, IKE, ZRTP, TLS
        • Prove downgrade security for SSH and TLS 1.3
        – New countermeasures designed together with the core design team of TLS 1.3

  17. Reducing complex real-world protocol analysis …

  18. … using simulation …
     Real world: KeyGen(), MitM, Init(cfg_C), Send(m); sessions C, S assign cfg := cfg_C, uid := …, mode := …
     ≈ Ideal world: the same with a simulator Sim in place of the MitM, running sub-protocol sessions C', S'
     [Rogaway and Stegers 2009]

  19. … into analysis of the downgrade sub-protocol (TLS 1.3)
     Client C initialized with config_C; Server S initialized with config_S
     C → S: m0 = (n_C, F0(config_C))
     S → C: m0' = G_S
     C → S: m1 = (n_C, F1(config_C))
     S: uid = (n_C, n_S); mode = nego(F1(config_C), config_S) = (v, a_S, G_S, pk_S, hash1)
     S → C: m2 = (n_S, v, a_S, G_S, pk_S), sign(sk_S, hash1(H(m1, m2, −)))
     S: complete = true
     C: uid = (n_C, n_S); mode = (v, a_S, G_S, pk_S, hash1); check(config_C, mode); complete = true
     Question: does the server sign the full transcript with strong signature and hash algorithms?

  20. Sub-protocol with version information in the server nonce
     Client C initialized with config_C; Server S initialized with config_S
     C → S: m0 = (n_C, F0(config_C))
     S → C: m0' = G_S
     C → S: m1 = (n_C, F1(config_C))
     S: n_S' = n_S || maxv(config_S); uid = (n_C, n_S'); mode = nego(F1(config_C), config_S) = (v, a_S, G_S, pk_S, hash1)
     S → C: m2 = (n_S', v, a_S, G_S, pk_S), sign(sk_S, hash1(H(m0, m0', m1, m2, −)))
     S: complete = true
     C: uid = (n_C, n_S'); mode = (v, a_S, G_S, pk_S, hash1); check(config_C, mode); complete = true
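The ideal negotiation of slide 7, the DP predicate of slide 13, the downgrade-security condition of slide 15 and the transcript-signing sub-protocol of slides 19/20 can be exercised together in a small model. The following Python is an added example, not the miTLS code or the paper's formal model: the configurations, the algorithm labels ("ffdhe2048", "dh512", "ed25519") and the HMAC stand-in for the server signature are constructed for illustration. It contrasts a server that signs the whole transcript (the TLS 1.3 sub-protocol) with one whose signature covers only nonces and the chosen group (as the TLS 1.2 ServerKeyExchange signature does), and tests each against the slide-15 condition under the execution model of slide 14, with the offer-stripping adversary of slide 10 as the Send(m) step.

```python
"""Toy model of Nego, DP and the downgrade-security condition from the slides.
Added example; algorithm names and the signature stand-in are constructed, not the paper's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    """A configuration: preference-ordered tuples, most preferred first."""
    versions: tuple
    groups: tuple
    sigs: tuple


STRONG_SIGS = {"ed25519"}          # assumption: the "good" signature schemes of slide 13
DOWNGRADE_SECURE_VERSION = "1.3"   # the version with the secure sub-protocol (slide 21)


def nego(cfg_c, cfg_s):
    """Ideal negotiation Nego(config_C, config_S): server preference over the intersection."""
    def pick(server_pref, client_offer):
        for alg in server_pref:
            if alg in client_offer:
                return alg
        raise ValueError("no common algorithm")
    return (pick(cfg_s.versions, cfg_c.versions),
            pick(cfg_s.groups, cfg_c.groups),
            pick(cfg_s.sigs, cfg_c.sigs))


def dp(cfg_c, cfg_s):
    """DP(config_C, config_S) as slide 13 states it: the client accepts only good signature
    schemes and the server prefers the downgrade-secure version."""
    return set(cfg_c.sigs) <= STRONG_SIGS and cfg_s.versions[0] == DOWNGRADE_SECURE_VERSION


# Signature stand-in (assumption): an HMAC under the server's long-term key with pk_S == sk_S.
# It only models "exactly these bytes were authenticated by S", which is all the argument needs.
def sign(sk, msg):
    return hmac.new(sk, msg, hashlib.sha256).digest()


def verify(pk, msg, sig):
    return hmac.compare_digest(sign(pk, msg), sig)


def encode(*parts):
    return repr(parts).encode()


def server(cfg_s, sk_s, m1, policy):
    """Server step: negotiate on the offer as received, reply with m2 and a signature.
    "transcript": sign hash(m1, m2) as in the slide-19 sub-protocol.
    "ske_only": sign only the nonces and chosen group, as TLS 1.2 ServerKeyExchange does."""
    n_c, offered = m1
    mode = nego(offered, cfg_s)
    n_s = secrets.token_bytes(16)
    m2 = (n_s, mode)
    signed = encode(m1, m2) if policy == "transcript" else encode(n_c, n_s, mode[1])
    return m2, sign(sk_s, signed)


def client(cfg_c, pk_s, m1_sent, m2, sig, policy):
    """Client step: verify the signature against its own view, then check(config_C, mode)."""
    n_c, _ = m1_sent
    n_s, mode = m2
    signed = encode(m1_sent, m2) if policy == "transcript" else encode(n_c, n_s, mode[1])
    if not verify(pk_s, signed, sig):
        return None                          # the session does not complete
    v, g, s = mode
    if v in cfg_c.versions and g in cfg_c.groups and s in cfg_c.sigs:
        return mode                          # complete = true with this mode
    return None


def run(cfg_c, cfg_s, policy, mitm=None):
    """One session; `mitm` models the adversary's Send(m) on the client's offer.
    Returns the client's negotiated mode, or None if the client session did not complete."""
    sk_s = pk_s = b"constructed server long-term key"
    m1 = (secrets.token_bytes(16), cfg_c)
    m2, sig = server(cfg_s, sk_s, mitm(m1) if mitm else m1, policy)
    return client(cfg_c, pk_s, m1, m2, sig, policy)


def downgrade_secure(cfg_c, cfg_s, policy, mitm=None):
    """Slide 15: a completed session with DP(config_C, config_S) must end in
    mode == Nego(config_C, config_S)."""
    mode = run(cfg_c, cfg_s, policy, mitm)
    return mode is None or not dp(cfg_c, cfg_s) or mode == nego(cfg_c, cfg_s)


def strip_to_weakest_group(m1):
    """The slide-10 adversary: forward the offer with only its least-preferred group."""
    n_c, cfg = m1
    return n_c, Config(cfg.versions, (cfg.groups[-1],), cfg.sigs)


# Constructed configurations: both sides prefer the strong group but still list the weak one.
CFG_C = Config(("1.3", "1.2"), ("ffdhe2048", "dh512"), ("ed25519",))
CFG_S = Config(("1.3", "1.2"), ("ffdhe2048", "dh512"), ("ed25519",))

if __name__ == "__main__":
    print("ideal mode:", nego(CFG_C, CFG_S))
    for policy in ("transcript", "ske_only"):
        print(policy, "honest:", run(CFG_C, CFG_S, policy),
              "| with Send(m) tampering:", run(CFG_C, CFG_S, policy, strip_to_weakest_group),
              "| downgrade secure:", downgrade_secure(CFG_C, CFG_S, policy, strip_to_weakest_group))
```

With the "ske_only" policy the client completes with the weak group, so mode differs from Nego(config_C, config_S) even though DP holds, which is exactly the slide-15 attack; with the "transcript" policy the server's signature is over an offer the client never sent, verification fails and the session does not complete. The check is deliberately formulated on the client's own view of m1 rather than on anything learned from the network, which is what makes "sign all network input to nego and its result" (slide 21) sufficient.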

  21. Downgrade security of TLS 1.3
     • Good news: TLS 1.3 now has a secure downgrade sub-protocol
       – nonces and signatures: a unique server signs all network input to nego and its result.
     • What do we do about version downgrade?
       – Can an attacker downgrade TLS 1.3 to TLS 1.2 and remount Logjam?

  22. Version downgrade resilience
     • TLS 1.3 server signatures cover versions, but TLS 1.2 signatures do not cover the version.
     • How do we patch TLS 1.2 to prevent downgrades?
       – Finished messages cannot help
       – Look away: put the maximum server version in the server nonce, which is signed in all versions of TLS
     • Good news: DP(config_C, config_S) for TLS 1.0–1.3 if
       – the countermeasure is implemented
       – no RSA key transport
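The countermeasure on this slide, n_S' = n_S || maxv(config_S) from slide 20, works because the server nonce is covered by the server's signature in every TLS version, so the client learns the server's highest version authentically even when the negotiated version itself is not signed. The following Python is an added example, not the paper's or miTLS's code; the nonce layout (the version index in the last byte of a 32-byte nonce) and the assumption that a server accepts every version up to its maximum are mine. It models the server side, the client-side check, and a run in which the adversary's Send(m) removes TLS 1.3 from the client's offer.

```python
"""Added example: maxv(config_S) carried in the signed server nonce, with the client check.
The nonce layout and the contiguous-version-support assumption are constructed, not the paper's."""
import secrets

# Protocol versions in increasing order; "1.3" is the one with the secure downgrade sub-protocol.
VERSIONS = ("1.0", "1.1", "1.2", "1.3")


def maxv(versions):
    """maxv(config): the highest version in a configuration."""
    return max(versions, key=VERSIONS.index)


def server_nonce(cfg_s_versions):
    """n_S' = n_S || maxv(config_S): 31 random bytes plus the index of the server's highest
    version. The whole nonce is covered by the server signature in every TLS version, so the
    encoded maximum reaches the client authenticated even when the version field does not."""
    return secrets.token_bytes(31) + bytes([VERSIONS.index(maxv(cfg_s_versions))])


def server_negotiate(cfg_s_versions, offered_versions):
    """Version negotiation on the offer as received: the highest version both sides support."""
    common = set(cfg_s_versions) & set(offered_versions)
    return maxv(common) if common else None


def client_version_check(cfg_c_versions, negotiated, n_s):
    """Client-side countermeasure: read maxv(config_S) out of the signed nonce and reject the
    handshake if some version above the negotiated one, up to the server's maximum, is one we
    offered. Assumption: the server accepts every version up to maxv(config_S)."""
    server_max = VERSIONS[n_s[-1]]
    lo, hi = VERSIONS.index(negotiated), VERSIONS.index(server_max)
    return not any(lo < VERSIONS.index(v) <= hi for v in cfg_c_versions)


def handshake(cfg_c_versions, cfg_s_versions, offered_versions):
    """One run. `offered_versions` is the client's version list as the server sees it after
    the adversary's Send(m). Returns (negotiated version, whether the client accepts)."""
    n_s = server_nonce(cfg_s_versions)
    negotiated = server_negotiate(cfg_s_versions, offered_versions)
    if negotiated is None:
        return None, False
    return negotiated, client_version_check(cfg_c_versions, negotiated, n_s)


if __name__ == "__main__":
    both = ("1.2", "1.3")
    print("honest:", handshake(both, both, both))                 # ('1.3', True)
    print("offer stripped to 1.2:", handshake(both, both, ("1.2",)))  # ('1.2', False)
    print("legacy client:", handshake(("1.2",), both, ("1.2",)))  # ('1.2', True)
```

A legacy client that only speaks TLS 1.2 still interoperates, and a server whose maximum really is 1.2 is accepted at 1.2, so the check only fires when both sides support something better than what was negotiated. TLS 1.3 as standardized (RFC 8446, section 4.1.3) adopted this idea in a simpler form: a TLS 1.3 server negotiating TLS 1.2 or lower places a fixed eight-byte sentinel at the end of ServerHello.random, and a TLS 1.3 client aborts if it sees that sentinel.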

  23. Downgrade Resilience in Key Exchange. https://www.mitls.org/ and https://eprint.iacr.org/2016/072

  24. (closing slide, no text)
