kci based mitm attacks against tls prying open pandora s
play

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens - PowerPoint PPT Presentation

Sep 14, 2022 •340 likes •684 views

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df whoami [ haku@bsidesbox ] % getent passwd whoami | awk F :

  1. KCI-based MitM Attacks against TLS Prying Open Pandora’s Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df

  2. whoami [ haku@bsidesbox ] % getent passwd ‘ whoami ‘ | awk − F ’ : ’ ’ { p r i n t $5 } ’ Clemens Hlauschek [ haku@bsidesbox ] % id − G − n | t r ” ” ” \ n” co − h e a d s e c u r i t y d i v i s i o n r i s e g m b h l e c t u r e r a t t u v i e n n a student mathematics s t u d e n t c o m p u t a t i o n a l i n t e l l i g e n c e r e s e a r c h e r p e n e t r a t i o n t e s t e r s e c u r i t y e n g i n e e r KCI-based MitM Attacks against TLS 2 / 17

  3. Outline of this Talk Authenticated Key Agreement and KCI ■ TLS is vulnerable to KCI ■ KCI and TLS in practice ■ Live demo: TLS MitM attack ■ Conclusion and Mitigation ■ KCI-based MitM Attacks against TLS 3 / 17

  4. Key Compromise Impersonation (KCI) Weakness of Authenticated Key Agreement protocol KCI-based MitM Attacks against TLS 4 / 17

  5. Key Compromise Impersonation (KCI) Weakness of Authenticated Key Agreement protocol Authenticated Key Agreement 2 parties exchange messages ■ Over an adversarial network ■ To derive a shared secret ■ (session key) KCI-based MitM Attacks against TLS 4 / 17

  6. Key Compromise Impersonation (KCI) Weakness of Authenticated Key Agreement protocol Compromise of long-term secret al- ■ lows to trivially impersonate the compromised party KCI – reverse situation: Imperson- ■ ate an uncompromised party to the compromised party KCI allows for MitM attacks ■ KCI-based MitM Attacks against TLS 5 / 17

  7. Key Compromise Impersonation (KCI) Weakness of Authenticated Key Agreement protocol Compromise of long-term secret al- ■ lows to trivially impersonate the compromised party KCI – reverse situation: Imperson- ■ ate an uncompromised party to the compromised party KCI allows for MitM attacks ■ KCI-based MitM Attacks against TLS 5 / 17

  8. Key Compromise Impersonation (KCI) Weakness of Authenticated Key Agreement protocol Compromise of long-term secret al- ■ lows to trivially impersonate the compromised party KCI – reverse situation: Imperson- ■ ate an uncompromised party to the compromised party KCI allows for MitM attacks ■ KCI-based MitM Attacks against TLS 5 / 17

  9. TLS protocol is vulnerable to KCI Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication Z p as well as EC ■ In all TLS versions ■ Client indicates support in ■ ClientHello message Server requests fixed_(ec)dh au- ■ thentication Session key is derived from static DH ■ values: PRF (( g s ) c , rand c || rand s ) client: server: PRF (( g c ) s , rand c || rand s ) KCI-based MitM Attacks against TLS 6 / 17

  10. TLS protocol is vulnerable to KCI Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication Z p as well as EC ■ In all TLS versions ■ Client indicates support in ■ ClientHello message Server requests fixed_(ec)dh au- ■ thentication Session key is derived from static DH ■ values: PRF (( g s ) c , rand c || rand s ) client: server: PRF (( g c ) s , rand c || rand s ) KCI-based MitM Attacks against TLS 6 / 17

  11. TLS protocol is vulnerable to KCI Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication Z p as well as EC ■ In all TLS versions ■ Client indicates support in ■ ClientHello message Server requests fixed_(ec)dh au- ■ thentication Session key is derived from static DH ■ values: PRF (( g s ) c , rand c || rand s ) client: server: PRF (( g c ) s , rand c || rand s ) KCI-based MitM Attacks against TLS 6 / 17

  12. TLS protocol is vulnerable to KCI Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication Z p as well as EC ■ In all TLS versions ■ Client indicates support in ■ ClientHello message Server requests fixed_(ec)dh au- ■ thentication Session key is derived from static DH ■ values: PRF (( g s ) c , rand c || rand s ) client: server: PRF (( g c ) s , rand c || rand s ) KCI-based MitM Attacks against TLS 6 / 17

  13. TLS protocol is vulnerable to KCI Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication Z p as well as EC ■ In all TLS versions ■ Client indicates support in ■ ClientHello message Server requests fixed_(ec)dh au- ■ thentication Session key is derived from static DH ■ values: PRF (( g s ) c , rand c || rand s ) client: server: PRF (( g c ) s , rand c || rand s ) KCI-based MitM Attacks against TLS 6 / 17

  14. TLS protocol is vulnerable to KCI Man-in-the-Middle attack against TLS using KCI Block connection to server ■ Send server cert ■ Request fixed (EC)DH ■ Request compromised cert via Dis- ■ tinguished Name in CertRequest Both attacker and client do the ■ same session key computation: PRF (( g s ) c , rand c || rand s ) Connect to server ■ KCI-based MitM Attacks against TLS 7 / 17

  15. TLS protocol is vulnerable to KCI Man-in-the-Middle attack against TLS using KCI Block connection to server ■ Send server cert ■ Request fixed (EC)DH ■ Request compromised cert via Dis- ■ tinguished Name in CertRequest Both attacker and client do the ■ same session key computation: PRF (( g s ) c , rand c || rand s ) Connect to server ■ KCI-based MitM Attacks against TLS 7 / 17

  16. TLS protocol is vulnerable to KCI Man-in-the-Middle attack against TLS using KCI Block connection to server ■ Send server cert ■ Request fixed (EC)DH ■ Request compromised cert via Dis- ■ tinguished Name in CertRequest Both attacker and client do the ■ same session key computation: PRF (( g s ) c , rand c || rand s ) Connect to server ■ KCI-based MitM Attacks against TLS 7 / 17

  17. TLS protocol is vulnerable to KCI Man-in-the-Middle attack against TLS using KCI Block connection to server ■ Send server cert ■ Request fixed (EC)DH ■ Request compromised cert via Dis- ■ tinguished Name in CertRequest Both attacker and client do the ■ same session key computation: PRF (( g s ) c , rand c || rand s ) Connect to server ■ KCI-based MitM Attacks against TLS 7 / 17

  18. TLS protocol is vulnerable to KCI Man-in-the-Middle attack against TLS using KCI Block connection to server ■ Send server cert ■ Request fixed (EC)DH ■ Request compromised cert via Dis- ■ tinguished Name in CertRequest Both attacker and client do the ■ same session key computation: PRF (( g s ) c , rand c || rand s ) Connect to server ■ KCI-based MitM Attacks against TLS 7 / 17

  19. Prerequisites KCI attacks against TLS 1. Victim client support: must implement non-ephemeral Diffie Hellman with fixed client authentication handshake rsa_fixed_dh ■ dss_fixed_dh ■ rsa_fixed_ecdh ■ ecdsa_fixed_ecdh ■ 2. Victim server support: must have matching certificate 3. Compromised client certificate’s secret: Stolen private key ■ Client cert foisted on victim (various vectors) ■ KCI-based MitM Attacks against TLS 8 / 17

  20. Foisting client cert on victim: Social engineering Secure ways for generating client ■ certs exist Common practice: send pre- ■ generated client certs with secret key to user Insecure OS mechanisms to install ■ client certs Attacker / malicious admin coax vic- ■ tim to install client certificate for network X, then use it to exploit con- nections to all vulnerable servers KCI-based MitM Attacks against TLS 9 / 17

  21. Foisting client cert on victim: Social engineering Secure ways for generating client ■ certs exist Common practice: send pre- ■ generated client certs with secret key to user Insecure OS mechanisms to install ■ client certs Attacker / malicious admin coax vic- ■ tim to install client certificate for network X, then use it to exploit con- nections to all vulnerable servers KCI-based MitM Attacks against TLS 9 / 17

  22. Foisting client cert on victim: Social engineering Secure ways for generating client ■ certs exist Common practice: send pre- ■ generated client certs with secret key to user Insecure OS mechanisms to install ■ client certs Attacker / malicious admin coax vic- ■ tim to install client certificate for network X, then use it to exploit con- nections to all vulnerable servers KCI-based MitM Attacks against TLS 9 / 17

  23. Foisting client cert on victim: Social engineering Secure ways for generating client ■ certs exist Common practice: send pre- ■ generated client certs with secret key to user Insecure OS mechanisms to install ■ client certs Attacker / malicious admin coax vic- ■ tim to install client certificate for network X, then use it to exploit con- nections to all vulnerable servers KCI-based MitM Attacks against TLS 9 / 17

  24. Foisting client cert on victim: Social engineering Secure ways for generating client ■ certs exist Common practice: send pre- ■ generated client certs with secret key to user Insecure OS mechanisms to install ■ client certs Attacker / malicious admin coax vic- ■ tim to install client certificate for network X, then use it to exploit con- nections to all vulnerable servers KCI-based MitM Attacks against TLS 9 / 17

Recommend

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation

MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation

Software and Web Security 2 MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation by Moxie Marlinspike; see URL on course page sws2 1 MitM (Man-in-the-Middle) attacks MitM attack: attacker

971 views • 38 slides
Pandora Updates p LArPandoraContent v03_13_00 using Pandora v03_11_00 L. Escudero for

Pandora Updates p LArPandoraContent v03_13_00 using Pandora v03_11_00 L. Escudero for

Pandora Updates p LArPandoraContent v03_13_00 using Pandora v03_11_00 L. Escudero for the Pandora Team LArSoft Coordination Meeting June 19, 2018 1 Rotational Coordinate Transformations Pandora forms separate 2D images for

405 views • 6 slides
Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how

create your own exercise Christoph Schmidt, Team 1 Recreating the NSA's MITM Attack 1 Why Should This Topic be Chosen? Goal 1: Understanding how the NSA uses its access to the Backbone Goal 2: Understanding how MITM attacks can be done

1.02k views • 82 slides
E-Voting and Forensics: Prying Open the Black Box Sean Peisert Matt Bishop Candice Hoke

E-Voting and Forensics: Prying Open the Black Box Sean Peisert Matt Bishop Candice Hoke

E-Voting and Forensics: Prying Open the Black Box Sean Peisert Matt Bishop Candice Hoke Mark Graff David Jefferson given at EVT/WOTE09 Montreal, Canada August 10, 2009 Monday, August 10, 2009 Key Questions That We Address

551 views • 35 slides
LArTPC Pattern Recognition with Pandora John Marshall for the Pandora Team 27th January 2019 1

LArTPC Pattern Recognition with Pandora John Marshall for the Pandora Team 27th January 2019 1

LArTPC Pattern Recognition with Pandora John Marshall for the Pandora Team 27th January 2019 1 Overview 1. LArTPC event reconstruction 2. Pandora multi-algorithm approach 3. Overview of key Pandora algorithms 4. Pandora highlights at

637 views • 52 slides
Pandora pattern recognition p for LArTPCs L. Escudero for the Pandora Team &

Pandora pattern recognition p for LArTPCs L. Escudero for the Pandora Team &

Pandora pattern recognition p for LArTPCs L. Escudero for the Pandora Team & the MicroBooNE and DUNE collaborations Calibration and Reconstruction for LAr TPC Detectors Thanks to John Marshall, Andy Blake and Steve Green for

526 views • 28 slides
Welcome Thank you for coming to the Pandora Park and Sports Court Upgrade Open House Please

Welcome Thank you for coming to the Pandora Park and Sports Court Upgrade Open House Please

Welcome Thank you for coming to the Pandora Park and Sports Court Upgrade Open House Please review the display boards and share your comments and ideas. We will use your input to develop a preferred concept for the park and sports court

426 views • 4 slides
Pandora Changes Since MCC10 Steven Green on behalf of the Pandora Team 18th July 2018 Weve

Pandora Changes Since MCC10 Steven Green on behalf of the Pandora Team 18th July 2018 Weve

Pandora Changes Since MCC10 Steven Green on behalf of the Pandora Team 18th July 2018 Weve created a slack channel for all questions related to Pandora. Please join if youd like to ask us anything: https://pandorapfa.slack.com S.Green

295 views • 16 slides
Lessons Learned: 603 Pandora Fire - EOC activation & Business Continuity 05:18hrs on May 6 th

Lessons Learned: 603 Pandora Fire - EOC activation & Business Continuity 05:18hrs on May 6 th

Lessons Learned: 603 Pandora Fire - EOC activation & Business Continuity 05:18hrs on May 6 th , 2019 report of a structure fire at 603 Pandora Ave 603 Pandora Fire Lessons Learned RPAS Calle lled in in at 0600hrs 603 Pandora Fire Lessons

497 views • 16 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
MCC12 Validation with Pandora Reconstruction Metrics Steven Green on behalf of the Pandora team

MCC12 Validation with Pandora Reconstruction Metrics Steven Green on behalf of the Pandora team

MCC12 Validation with Pandora Reconstruction Metrics Steven Green on behalf of the Pandora team 14th August 2019 S.Green ProtoDUNE Sim/Reco 1 Introduction Aim: Use all available metrics to validate the latest reconstruction for use in the

302 views • 8 slides
MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013

MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013

MiTM Attack - Haifa-Sec MiTM Attack MiTM Attack Edri Guy Edri Guy May 29 ,2013 May 29 ,2013 PC-Labs May 29 2013 MiTM Attack - Haifa-Sec MiTM Attack - Haifa-Sec DISCLAIMER DISCLAIMER 1 The following discussion is for informational

552 views • 33 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Persisting slices in Pandoras output A. Smith for the Pandora Team LArSoft coordination

Persisting slices in Pandoras output A. Smith for the Pandora Team LArSoft coordination

Persisting slices in Pandoras output A. Smith for the Pandora Team LArSoft coordination meeting - 20th Nov 2018 What is a slice ? Pandora uses the concept of slice internally since its (LAr) beginning: They represent topologically

345 views • 9 slides
Music Genome Project David Seltzer Pandora Radio Internet radio service Personalized

Music Genome Project David Seltzer Pandora Radio Internet radio service Personalized

Music Genome Project David Seltzer Pandora Radio Internet radio service Personalized stations Considers user feedback Pandora Radio Pandora Radio Owns Music Genome Project Used for song recommendations Music Genome

210 views • 10 slides
The Pandora Spectrophotometer O 3 and multiple other species measured using a small, inexpensive

The Pandora Spectrophotometer O 3 and multiple other species measured using a small, inexpensive

The Pandora Spectrophotometer O 3 and multiple other species measured using a small, inexpensive package. I. Petropavlovskikh (CIRES/NOAA), J. Herman (U. of Maryland, NASA), G. McConville (CIRES/NOAA), R.D. Evans (NOAA) What is the Pandora? A

430 views • 20 slides
Updates on Vertex Reconstruction with Deep Learning in Pandora J. Ahmed. Second Year PhD Student.

Updates on Vertex Reconstruction with Deep Learning in Pandora J. Ahmed. Second Year PhD Student.

DUNE UK Meeting 11th of December 2019 Updates on Vertex Reconstruction with Deep Learning in Pandora J. Ahmed. Second Year PhD Student. Working on Pandora reconstruction Focusing on DUNE FD and ProtoDUNE. Supervisor: Dr John Marshall 1

549 views • 27 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI Networks Seminar jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26 A Review of the DNS Lookup Process jtk (jtk@depaul.edu) ORs and

626 views • 26 slides
CHALLENGES IN INDIRECT SOURCING IN RETAIL JEWELRY INDUSTRY BY TRISTA AU YEUNG DATE: 10 JUL

CHALLENGES IN INDIRECT SOURCING IN RETAIL JEWELRY INDUSTRY BY TRISTA AU YEUNG DATE: 10 JUL

CHALLENGES IN INDIRECT SOURCING IN RETAIL JEWELRY INDUSTRY BY TRISTA AU YEUNG DATE: 10 JUL 2015 1 3 JULY 2015 PANDORA COMPANY PRESENTATION CONTENT PANDORA at a glance Procurement at PANDORA Challenges How we deal with

219 views • 18 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides

More recommend