ipv6 tls security scanning
play

IPv6 TLS Security Scanning Master Thesis Intermediate Talk Pirmin - PowerPoint PPT Presentation

Chair of Network Architectures and Services Technical University of Munich IPv6 TLS Security Scanning Master Thesis Intermediate Talk Pirmin Blanz 28.09.2016 Chair of Network Architectures and Services Department of Informatics Technical


  1. Chair of Network Architectures and Services Technical University of Munich IPv6 TLS Security Scanning Master Thesis Intermediate Talk Pirmin Blanz 28.09.2016 Chair of Network Architectures and Services Department of Informatics Technical University of Munich Advisors: Oliver Gasser, Quirin Scheitle, Dr. Ralph Holz Pirmin Blanz – IPv6 TLS Security Scanning 1

  2. Chair of Network Architectures and Services Technical University of Munich Motivation Related Work Approach Analysis Next Steps Pirmin Blanz – IPv6 TLS Security Scanning 2

  3. Chair of Network Architectures and Services Technical University of Munich Motivation ◮ TLS Security Scanning ◮ Protocol for security sensitive services (Banking, Shopping, etc.) ◮ TLS can be vulnerable: Weak ciphers, short keys, bad implementations (Heartbleed, DROWN) ◮ IHK TLS-Check (2016) [6] ◮ ∼ 16,000 Server of IHK member companies ◮ ∼ 6% SSL V2.0, ∼ 22% SSL V3.0, ∼ 87% TLS 1.0 ◮ ∼ 74% offer insecure cipher suites ◮ IPv6 TLS Security Scanning ◮ Plenty of existing IPv4 security scans ◮ Growing IPv6 deployment ( ∼ 10% [4]) ◮ How secure are IPv6 enabled hosts? ◮ How does IPv6 stand up in a comparison with IPv4 Pirmin Blanz – IPv6 TLS Security Scanning 3

  4. Chair of Network Architectures and Services Technical University of Munich Related Work ◮ Holz et al.: ” The SSL Landscape - A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements ”[5] ◮ 1.5 years, ∼ 5.5M distinct X.509 certificates, ∼ 120M TLS connections ◮ ∼ 30% with weak cipher suites, ∼ 18% valid certificates ◮ Gasser et al.: ” Scanning the IPv6 Internet: Towards a Comprehensive Hitlist ”[3]) ◮ Guidelines for IPv6-Hitlist generation ◮ Alexa, DNS zone files, Passive measurements ◮ 150M IPv6 addresses, 84% AS coverage ◮ Czyz et al.: ” Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy ”[1] ◮ Unintended port openness of Dualstack hosts ◮ ∼ 50% are more open (HTTPS by ∼ 19% ) Pirmin Blanz – IPv6 TLS Security Scanning 4

  5. Chair of Network Architectures and Services Technical University of Munich Approach 1. Gather targets (DNS name resolution using massdns ) 2. Port scan (using Zmap [2], Zmapv6 [3]) 3. Perform TLS handshakes (using goscanner ) and collect data (X.509 certificates, TLS handshake data) 4. Data analysis ( Jupyter Notebook with Pandas , PyOpenSSL ) ◮ Investigated subsets: IPv4, IPv6, dualstack, dualstack IPv4, dualstack IPv6 ◮ Investigated aspects: TLS (version, cipher suite ), X.509 certificates (Validity dates, signature algorithms, key length, ... ) Pirmin Blanz – IPv6 TLS Security Scanning 5

  6. Chair of Network Architectures and Services Technical University of Munich Evaluation (I) - The Dataset Overview - Numbers 1) Alexa 1 Mio 700,000 700235 2) Zmap Output 655134 3) Goscan Output 600,000 500,000 478978 Number IPs/Hosts 460441 400,000 392822 382186 300,000 200,000 100,000 55157 45100 32574 18536 20849 10636 0 IP Addresses IPv4 Addresses IPv6 Addresses Dualstack Hosts IP/Host Subsets ◮ Hosts accessible on port 443: ∼ 70%, Successful TLS handshake: ∼ 57% ◮ ∼ 390,000 TLS handshakes, ∼ 284,000 distinct certificates Pirmin Blanz – IPv6 TLS Security Scanning 6

  7. Chair of Network Architectures and Services Technical University of Munich Evaluation (II) - TLS Versions Protocols TLSv1 1.0 TLSv1.1 TLSv1.2 0.9 0.8 0.7 0.6 Percent 0.5 0.4 0.3 0.2 0.1 0.0 IPv4 Addresses Dualstack IPs Dualstack IPv4 Dualstack IPv6 Sets ◮ Various TLSv1 implementations are vulnerable (e.G.: to POODLE) ◮ TLSv1 is used more frequently on IPv4 hosts Pirmin Blanz – IPv6 TLS Security Scanning 7

  8. Chair of Network Architectures and Services Technical University of Munich Evaluation (I) - TLS Cipher Suites Ciphers 1.0 0.9 0.8 0.7 0.6 1) STRONG Percent 0.5 2) INTERMEDIATE 3) WEAK 0.4 0.3 0.2 0.1 0.0 IPv4 Addresses Dualstack IPs Dualstack IPv4 Dualstack IPv6 IP Subsets ◮ Strong: AES-GCM ≥ 128, PFS ◮ Intermediate: Known weaknesses. E.g.: CBC in TLS 1.0 ◮ Weak: Known to be broken. E.g.: 3DES, MD5 Pirmin Blanz – IPv6 TLS Security Scanning 8

  9. Chair of Network Architectures and Services Technical University of Munich Evaluation (IV) - X.509 Public Key ◮ 256-EC-RSA � = 3072-RSA/DSA ◮ 1024-RSA deprecated since 2008 Pirmin Blanz – IPv6 TLS Security Scanning 9

  10. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Chair of Network Architectures and Services Technical University of Munich Evaluation (V) - X.509 Signature Algorithms Certificate Signature Algorithms IPv4 Addresses 0.6 IPv4 only hosts Dualstack IPs Dualstack IPv4 0.5 Dualstack IPv6 0.4 Percent 0.3 0.2 0.1 0.0 sha256WithRSAEncryption sha1WithRSAEncryption ecdsa-with-SHA256 sha384WithRSAEncryption ecdsa-with-SHA384 Sets ◮ Collisions for SHA1 detected [7] ◮ IPv6 resp. dualstack hosts utilize ECDSA more frequently Pirmin Blanz – IPv6 TLS Security Scanning 10

  11. Chair of Network Architectures and Services Technical University of Munich Evaluation (VI) - X.509 Validity Certificate Validity IPv4 Addresses Dualstack IPv6 0.3 0.2 0.1 0.0 Expired 60 - 180 days 180 - 360 days 1 - 2 years 2 - 5 years 5 - 10 years 20 - 40 years ◮ Expired certificates won’t pass verification ◮ IPv4 hosts utilize expired certificates more frequently Pirmin Blanz – IPv6 TLS Security Scanning 11

  12. Chair of Network Architectures and Services Technical University of Munich Next Steps (I) ◮ Additional scans ◮ Comparison of multiple scans over time ◮ Multiple hitlists (DNS zone files next) ◮ Refine scanning ◮ SNI ◮ Dualstack detection ◮ Extend evaluation ◮ Certificate chains ◮ Vulnerabilities Pirmin Blanz – IPv6 TLS Security Scanning 12

  13. Chair of Network Architectures and Services Technical University of Munich Next Steps (II) - Estimated Schedule 2016 Aug Jun Jul Sep Oct Nov Dec Research Implement Analysis Framework Scanning Data Evaluation Thesis writing Today Pirmin Blanz – IPv6 TLS Security Scanning 13

  14. Chair of Network Architectures and Services Technical University of Munich Bibliography I [1] J. Czyz, M. Luckie, M. Allman, and M. Bailey. Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy. In Network and Distributed System Security Symposium , Feb. 2016. [2] Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In Usenix Security , volume 2013, 2013. [3] O. Gasser, Q. Scheitle, S. Gebhard, and G. Carle. Scanning the IPv6 Internet: Towards a Comprehensive Hitlist. In 8th Int. Workshop on Traffic Monitoring and Analysis , 2016. [4] Google. Ipv6 adpoption. Technical report, Google, https://www.google.com/intl/en/ipv6/statistics.html, 2016. [5] R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL Landscape: A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference , pages 427–444. ACM, 2011. [6] IHK. Pk tls-check. Technical report, IHK, 2016. [7] M. Stevens, P . Karpman, and T. Peyrin. Freestart collision for full sha-1. Cryptology ePrint Archive, Report 2015/967, 2015. Pirmin Blanz – IPv6 TLS Security Scanning 14

  15. Chair of Network Architectures and Services Technical University of Munich Backup(I) - X.509 Versions Certificate X.509 Versions 1.0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IP Addresses IPv4 Addresses IPv6 Addresses Dualstack IPs Dualstack IPv4 Dualstack IPv6 0.8 0.6 0.4 0.2 0.0 0 2 3 Pirmin Blanz – IPv6 TLS Security Scanning 15

Recommend


More recommend