Downgrade Resilience in Key Exchange

Markulf Kohlweiss, joint work (PowerPoint PPT presentation)



  1. Downgrade Resilience in Key Exchange. Markulf Kohlweiss, joint work with K. Bhargavan, C. Brzuska, C. Fournet, M. Green, S. Zanella-Beguelin.

  2. Downgrade as an everyday phenomenon: https:// vs. http://

  3. TLS protocol suite – not a single protocol. [Diagram: Client and Server exchange Hello messages, then Finished messages.]

  4. [Timeline 2007–2016 of TLS failures, grouped as crypto failures, protocol weaknesses and implementation bugs: MD5, RC4, RSA 512 bit, SHA1, SLOTH, DROWN, CRIME, Renegotiation, Triple Handshake, ECDHE cross-protocol attack, Logjam, BEAST (Rogaway 02), Lucky13, POODLE, FREAK, OpenSSL entropy, EarlyCCS, Heartbleed, SKIP.]


  6. Our contribution
     1. Definitions that tolerate weak algorithms – and capture downgrade attacks
     2. Modular proof strategy
        • Analyse downgrade security of SSH, IKE, ZRTP, TLS
        • Prove downgrade security for SSH and TLS 1.3
        – New countermeasures designed together with the core design team of TLS 1.3

  7. Negotiation
     • Inputs: config_C and config_S – supported versions, ciphers, groups, long-term keys
     • Outputs: mode – negotiated version, cipher, group, etc.
     • Ideal negotiation: mode = Nego(config_C, config_S)

  8. Transcript authentication vs. downgrades
     • Authentication: if my negotiated mode uses only strong algorithms, then my partner and I agree on keys, identities and mode.
     • Authentication does not guarantee negotiation of a strong mode.
        – The intersection of config_C and config_S must be strong!
        – What if config_C and config_S include a legacy algorithm?
        – What are the minimal requirements on config_C and config_S?

  9. POODLE [Diagram: Client and Server exchange Hello messages, then Finished messages.] [Dowling and Stebila 2015]

  10. Logjam [Diagram: Client C, MitM, Server S]
      C knows sk_C, pk_S; S knows sk_S, pk_C. config_C: G_2048, G_512; config_S: G_2048, G_512.
      C offers [G_2048, G_512]; the MitM forwards only [G_512]; S answers with [G_512].
      m_1 = g^x mod p_512, m_2 = g^y mod p_512.
      S signs only sign(sk_S, hash(m_1 || m_2)), not the transcript' that C sees (sign(sk_S, transcript')?).
      S computes k = kdf(g^xy mod p_512). The MitM computes y = dlog(m_2) and k = kdf(g^xy mod p_512), then produces mac(k, transcript') towards C while S produces mac(k, transcript).

  11. [Diagram: Client and Server]

  12. [Diagram: Client and Server] Transcript collision: md5(m_1 || m'_2) = md5(m'_1 || m_2)

  13. Downgrade secure configurations
      • Downgrade protection (DP) only if
         – config_C requires good public keys and signature schemes
         – config_S has a preference for the downgrade-secure version
      • Clients and servers interoperate with everyone; they get the desired mode only when DP(config_C, config_S) holds.

  14. Protocol execution model [Diagram: MitM between client sessions C and server sessions S]
      The adversary controls generation of keys (sk, pk) and sessions: KeyGen(), Init(config_C), m' ← Send(m).
      Configurations: algorithms and keys supported by sessions.
      Sessions assign variables: config := config_C, uid := …, mode := ….

  15. Downgrade security – what if the server's sk, pk does not exist? [Diagram: MitM between C and S]
      C: config := config_C, uid := uid, mode := mode, complete := true
      S: config := config_S, uid := uid, mode := …, complete := …
      DP(C.config, S.config) holds, but mode ≠ Nego(C.config, S.config).

  16. Our contribution (recap of slide 6): definitions that tolerate weak algorithms and capture downgrade attacks; modular proof strategy – analyse downgrade security of SSH, IKE, ZRTP, TLS; prove downgrade security for SSH and TLS 1.3; new countermeasures designed together with the core design team of TLS 1.3.

  17. Reducing complex real-world protocol analysis …

  18. … using simulation … [Diagram: the real execution with KeyGen(), Init(cfg_C), Send(m), sessions C, S and a MitM is ≈ (indistinguishable from) the idealized sessions C', S' with the MitM replaced by Sim; both assign cfg := cfg_C, uid := …, mode := ….] [Rogaway and Stegers 2009]

  19. … into analysis of the downgrade sub-protocol (TLS 1.3) [Diagram: Client C initialized with config_C, Server S initialized with config_S]
      C → S: m_0 = (n_C, F_0(config_C)); S → C: m_0' = G_S; C → S: m_1 = (n_C, F_1(config_C))
      S: uid = (n_C, n_S); mode = nego(F_1(config_C), config_S) = (v, a_S, G_S, pk_S, hash_1); m_2 = (n_S, v, a_S, G_S, pk_S); sign(sk_S, hash_1(H(m_1, m_2, −))); complete = true
      C: uid = (n_C, n_S); mode = (v, a_S, G_S, pk_S, hash_1); check(config_C, mode); complete = true
      Does the server sign the full transcript with strong signature and hash algorithms?

  20. [Same flow as slide 19 with the countermeasure] Client C initialized with config_C, Server S initialized with config_S
      C → S: m_0 = (n_C, F_0(config_C)); S → C: m_0' = G_S; C → S: m_1 = (n_C, F_1(config_C))
      S: n_S' = n_S || maxv(config_S); uid = (n_C, n_S); mode = nego(F_1(config_C), config_S) = (v, a_S, G_S, pk_S, hash_1); m_2 = (n_S', v, a_S, G_S, pk_S); sign(sk_S, hash_1(H(m_0, m_0', m_1, m_2, −))); complete = true
      C: uid = (n_C, n_S); mode = (v, a_S, G_S, pk_S, hash_1); check(config_C, mode); complete = true

  21. Downgrade security of TLS 1.3
      • Good news: TLS 1.3 now has a secure downgrade sub-protocol
         – nonces and signatures: a unique server signs all network input to nego and its result.
      • What do we do about version downgrade?
         – Can an attacker downgrade TLS 1.3 to TLS 1.2 and remount Logjam?

  22. Version downgrade resilience
      • TLS 1.3 server signatures cover versions, but TLS 1.2 signatures do not cover the version.
      • How do we patch TLS 1.2 to prevent downgrades?
         – Finished messages cannot help
         – Look away: put the max server version in the server nonce, which is signed in all versions of TLS
      • Good news: DP(config_C, config_S) for TLS 1.0–1.3 if
         – the countermeasure is implemented
         – there is no RSA key transport
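The "max server version in the server nonce" countermeasure of slide 22, applied to the slide-20 message flow, as an added example in Python (not code from the paper or from miTLS). The wire encodings, the Nego rule, the assumption that a server supports every version up to its maximum, and the HMAC stand-in for the server's signature are assumptions of this model.

```python
import hashlib, hmac, os

TLS12, TLS13 = 0x0303, 0x0304   # wire encodings of TLS 1.2 and TLS 1.3

def nego(client_versions, server_versions):
    """Ideal negotiation (slide 7): the highest version both sides support."""
    common = set(client_versions) & set(server_versions)
    return max(common) if common else None

def sign(key, *parts):
    """Stand-in for the server signature: HMAC over the signed fields.
    Model assumption only; a real server signs with its certificate key."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def server_respond(server_versions, offered_versions, sk_s, n_c):
    """Server side (slides 20/22): n_S' = n_S || maxv(config_S), then a
    TLS 1.2-style signature over (n_C, n_S', negotiated version)."""
    v = nego(offered_versions, server_versions)
    if v is None:
        raise ValueError("no common version")
    n_s = os.urandom(30) + max(server_versions).to_bytes(2, "big")
    return v, n_s, sign(sk_s, n_c, n_s, v.to_bytes(2, "big"))

def client_check(client_versions, n_c, v, n_s, sig, pk_s):
    """Client side: the nonce is signed, so a MitM cannot strip maxv(config_S).
    Assumes a server supports every version up to its advertised maximum."""
    if not hmac.compare_digest(sig, sign(pk_s, n_c, n_s, v.to_bytes(2, "big"))):
        return "reject: bad signature"
    server_max = int.from_bytes(n_s[-2:], "big")
    expected = max((c for c in client_versions if c <= server_max), default=None)
    if expected is not None and v < expected:
        return "reject: version downgrade detected"
    return "accept"

def handshake(client_versions, server_versions, mitm=None):
    """One constructed run; `mitm` optionally rewrites the client's offer or the
    server's nonce in transit. Returns (negotiated version, client verdict)."""
    sk_s = pk_s = b"server-key"            # shared only because of the HMAC stand-in
    n_c = os.urandom(32)
    offered = list(client_versions)
    if mitm == "strip13":                  # slide 21 scenario: TLS 1.3 removed from the offer
        offered = [x for x in offered if x != TLS13]
    v, n_s, sig = server_respond(server_versions, offered, sk_s, n_c)
    if mitm == "patch_nonce":              # attempt to hide maxv by rewriting the nonce
        n_s = n_s[:30] + TLS12.to_bytes(2, "big")
    return v, client_check(client_versions, n_c, v, n_s, sig, pk_s)
```

The stripped offer yields TLS 1.2 on the wire, but the signed nonce still advertises TLS 1.3, so the client rejects; rewriting the nonce instead breaks the signature.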

  23. Downgrade Resilience in Key Exchange – https://www.mitls.org/ https://eprint.iacr.org/2016/072

