
OFF-PATH ATTACKS AGAINST PKI



  1. OFF-PATH ATTACKS AGAINST PKI
     Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, Michael Waidner

  2. WHO AM I?
     - Security Researcher
     - Technische Universität Darmstadt
     - Fraunhofer-Institut für Sichere Informationstechnologie
     - Freelancer
     - Teaching IT Security at TU Darmstadt
     - Special interest:
       - Network Security
       - Crypto
       - Reverse engineering
       - …

  3. OUTLINE
     - Public-Key Infrastructures
     - Domain Validation
     - Off-Path attack against Domain Validation
     - Defences
     - Conclusion

  4. PUBLIC-KEY INFRASTRUCTURES

  5. LET'S START WITH A SIMPLE EXAMPLE
     [Diagram: client]

  6. INSECURE WITHOUT ENCRYPTION
     [Diagram: client]

  7. ENCRYPTION PROTECTS THE DATA
     [Diagram: client, "?"]

  8. CERTIFICATES BIND CRYPTOGRAPHIC KEYS TO SUBJECTS
     - Certificate is signed by trusted root
     [Diagram: client]

  9. CERTIFICATES BIND CRYPTOGRAPHIC KEYS TO SUBJECTS
     - Certificate is signed by untrusted root or self signed ✘
     [Diagram: ebay, client]

  10. DOMAIN VALIDATION

  11. MORE THAN 100 ROOT CA IN BROWSERS
      - Organisation Validation (OV) and Extended Validation (EV): expensive, manual, time-consuming
      - Domain Validation (DV): automated, free / cheap, immediate
      - We tested 17 CAs that perform DV
      - They control over 95% of the certificates market
      - Five were vulnerable
      - Only one vulnerable CA is sufficient
      - Usually it doesn't matter which CA signed it

  12. CERTIFICATE ISSUANCE WITH DOMAIN VALIDATION
      [Diagram: issuance shown in five numbered steps, 1 to 5]

  13. RESOLVING A DOMAIN NAME
      [Diagram: Client, DNS resolver, Nameserver ns.ebay.com. The query "www.ebay.com?" goes from the client to the resolver and from the resolver to the nameserver; the answer 1.2.3.4 comes back along the same path.]

  14. REPLYING FROM CACHE
      [Diagram: Client, DNS resolver. The query "www.ebay.com?" is answered with 1.2.3.4 by the resolver.]

  15. OFF-PATH ATTACK AGAINST DOMAIN VALIDATION

  16. WE ASSUME THE WEAKEST ATTACKER
      Off-Path (Spoofing) Attackers can:
      - only inject packets
      - not eavesdrop
      - not modify or delay packets in any way

  17. DNS CACHE POISONING
      [Diagram: Client, DNS resolver, Nameserver ns.ebay.com. For the query "www.ebay.com?" the nameserver's answer is 1.2.3.4, while the answer 6.6.6.6 is the one that reaches the resolver and the client. Label: DNS Cache Poisoning]

  18. AGAINST OFF-PATH POISONING: CHALLENGE-RESPONSE
      - Send request from random port (16 Bit)
      - Select random DNS transaction ID (also 16 Bit)
      - 2^32 values → impractical to guess!

  19. DNS PACKET: IP HEADER
      [Packet layout, 32 bits per row, rows labelled with their starting bit]
      - Bit 0: Version (v4), IHL, TOS, Total Length
      - Bit 32: IP Identifier, Flags, Fragment Offset
      - Bit 64: Time To Live, Protocol, IP Header Checksum
      - Bit 96: Source IP Address
      - Bit 128: Destination IP Address

  20. DNS PACKET: UDP HEADER
      [IP header as on slide 19, followed by the UDP header]
      - Bit 160: Source Port, Destination Port
      - Bit 192: Length, UDP Checksum

  21. DNS PACKET: DNS HEADER
      [IP and UDP headers as on slide 20, followed by the DNS header]
      - Bit 224: Transaction Identifier (TXID), DNS Flags
      - Bit 256: Question Count, Answer Record Count
      - Bit 288: Authority Record Count, Additional Record Count

  22. DNS PACKET: DNS PAYLOAD
      [IP, UDP and DNS headers as on slide 21, followed by the DNS payload]
      - Question Section
      - Answer Section
      - Authority Section
      - Additional Section

  23. CHALLENGES
      - Modify communication without seeing it and without access to it
      - Overwrite cached record with incorrect value
      - Exploit DNS cache poisoning to circumvent PKI authentication (and issue certificate)

  24. GOALS
      1. Create correct response (Port, TXID)
      2. Inject into DNS cache
      3. Issue spoofed certificate

  25. LET’S START WITH STEP 1
      [Diagram: the three steps from slide 24; this part covers step 1, create correct response (Port, TXID)]

  26. LARGE PACKETS CAN GET FRAGMENTED ON PATH
      [Diagram: networks 2.2.2.0, 5.5.5.0 and 3.3.3.0. A packet from 2.2.2.5 to 3.3.3.7 carrying "Bob, how much I love you!" is split on the path into two fragments, each with the same From/To addresses, and put back together at the destination.]
      - IPs, Ports and IP IDs have to match!

  27. FRAGMENTATION CAN ALSO BE REQUESTED
      [Diagram: networks 2.2.2.0, 5.5.5.0 and 3.3.3.0. The packet from 2.2.2.5 to 3.3.3.7 ("Bob, how much I love you") and an ICMP "Packet too big" message.]

  28. ICMP FRAGMENTATION NEEDED AND DON'T FRAGMENT WAS SET
      [Packet layout, 32 bits per row, rows labelled with their starting bit]
      - Bits 0 to 128: IP header (Version (v4), IHL, TOS, Total Length; IP Identifier, Flags, Fragment Offset; Time To Live, Protocol, IP Header Checksum; Source IP Address; Destination IP Address)
      - Bit 160: ICMP header: Type = 3, Code = 4, ICMP Checksum
      - Bit 192: ICMP header: Unused, MTU = 100
      - Bits 224 to 352: embedded IP header (Version (v4), IHL, TOS, Total Length; IP Identifier, Flags, Fragment Offset; Time To Live, Protocol, IP Header Checksum; Source IP Address; Destination IP Address)
      - IP Payload …

  29. FORCING FRAGMENTATION
      - Among 5K-top Alexa that reduce the MTU:
        - 33,4% allow >= 296 bytes
        - 11% allow < 296 bytes
      - ICMP messages can be sent by anyone
      - OSes typically do not apply any checks for UDP
      - UDP is stateless.
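
A sanity check that a nameserver host or IDS could apply to the ICMP message laid out on slide 28, added here as an example and not taken from the talk: it parses a type 3 / code 4 message and refuses an implausibly small next-hop MTU. The 552-byte floor, the function names and the sample packet are assumptions constructed for illustration.

```python
import struct

MIN_SANE_MTU = 552  # assumed policy floor, not a value from the slides

def build_sample_icmp(mtu, proto=17, sport=53, dport=40000):
    """Constructed ICMP 'fragmentation needed' message (checksums left zero)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1228, 0x1234, 0x4000,
                           64, proto, 0, bytes([2, 2, 2, 5]), bytes([3, 3, 3, 7]))
    inner_l4 = struct.pack("!HHHH", sport, dport, 1208, 0)  # first 8 bytes of UDP
    icmp_hdr = struct.pack("!BBHHH", 3, 4, 0, 0, mtu)       # type, code, csum, unused, MTU
    return icmp_hdr + inner_ip + inner_l4

def inspect_frag_needed(icmp):
    """Classify an ICMP message (bytes starting at the ICMP header)."""
    if len(icmp) < 8 + 20 + 8:
        return {"verdict": "ignore", "reason": "truncated"}
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return {"verdict": "ignore", "reason": "not fragmentation-needed"}
    ver_ihl = icmp[8]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(icmp) < 8 + ihl + 8:
        return {"verdict": "drop", "reason": "malformed embedded IP header"}
    (flags_frag,) = struct.unpack("!H", icmp[8 + 6:8 + 8])
    proto = icmp[8 + 9]
    sport, _dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    info = {"mtu": mtu, "proto": proto, "sport": sport,
            "df": bool(flags_frag & 0x4000)}
    if mtu < MIN_SANE_MTU:
        reason = "MTU below floor"
        if proto == 17 and sport == 53:
            # The embedded packet is one of our own DNS-over-UDP responses.
            reason += " for DNS-over-UDP response"
        return {"verdict": "drop", "reason": reason, **info}
    return {"verdict": "accept", "reason": "plausible path MTU", **info}

if __name__ == "__main__":
    for mtu in (100, 296, 1400):  # 100 and 296 are the values named on the slides
        print(mtu, inspect_frag_needed(build_sample_icmp(mtu)))
```

The check only looks at fields that travel in the ICMP message itself, so it cannot confirm that the embedded packet was really sent; it narrows what an unauthenticated message is allowed to change.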

  30. EXPLOITING FRAGMENTATION AGAINST DNS
      [Packet layout as on slide 22: IP header, UDP header (Source Port, Destination Port, Length, UDP Checksum), DNS header (Transaction Identifier (TXID), DNS Flags, Question Count, Answer Record Count, Authority Record Count, Additional Record Count), then Question, Answer, Authority and Additional Sections]
      - Annotations on the figure: "But what about the IP ID?" and "Modify only this!"

  31. RFC 791, September 1981, Internet Protocol: Overview, Fragmentation
      [...] The identification field is used to distinguish the fragments of one datagram from those of another. The originating protocol module of an internet datagram sets the identification field to a value that must be unique for that source-destination pair and protocol for the time the datagram will be active in the internet system. The originating protocol module of a complete datagram sets the more-fragments flag to zero and the fragment offset to zero. [...]

  32. HOW DO WE MAKE IP IDENTIFIERS UNIQUE? RANDOM IP IDENTIFIERS
      - Very few servers use random IP ID values (<1%)
      - Quite complicated
      - Needs enough entropy
      - Has to check for collisions

  33. HOW DO WE MAKE IP IDENTIFIERS UNIQUE? PER-DESTINATION IP ID
      - <40% of the nameservers use a per-destination incrementing IP ID
      - Default in Linux
      - Attacks exist [KC14]
      [KC14] Jeffrey Knockel and Jedidiah R. Crandall. 2014. Counting Packets Sent Between Arbitrary Internet Hosts. In FOCI.

  34. HOW DO WE MAKE IP IDENTIFIERS UNIQUE? SEQUENTIALLY INCREMENTING IP ID
      - >60% of 10K-top Alexa domains use sequentially incrementing IP ID values
      - Easiest to attack
      - Simply estimate the increment

  35. WHAT HAPPENS IF THE 2ND FRAGMENT ARRIVES FIRST?
      - Operating systems keep the 2nd fragment and wait for the 1st fragment
      - Windows keeps 100 fragments
      - Linux keeps 64 fragments
      - Older Linux kernels allow for thousands of fragments
      - Can be set via ip_frag_max_dist

  36. NOW WE WANT TO INSERT OUR ENTRY INTO THE CACHE
      [Diagram: the three steps from slide 24; this part covers step 2, inject into DNS cache]

  37. ADVANCED CACHE POISONING
      [Diagram: the DNS resolver sends "sub.doma.in?" to ns.doma.in (2.2.2.2)]
      - Response:
        - Answer: (none)
        - Authoritative Server: sub.doma.in NS ns.doma.in
        - Additional Section: ns.doma.in A 9.9.9.9
      - Resolver cache (Domain, IP):
        - doma.in 1.1.1.1
        - ns.doma.in 2.2.2.2
        - …

  38. ADVANCED CACHE POISONING
      [Diagram: the same exchange as on slide 37; the resolver reasons: "ns.doma.in has a new IP. I should update this."]
      - Response:
        - Answer: (none)
        - Authoritative Server: sub.doma.in NS ns.doma.in
        - Additional Section: ns.doma.in A 9.9.9.9
      - Resolver cache (Domain, IP):
        - doma.in 1.1.1.1
        - ns.doma.in 9.9.9.9
        - …

  39. THIS WAS JUST ONE (VERY SIMPLE) EXAMPLE
      - "Internet-wide study of DNS cache injections" [KSW17] examines 18 different techniques
      - There may be many others yet to be discovered
      [KSW17] A. Klein, H. Shulman and M. Waidner, "Internet-wide study of DNS cache injections," IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, Atlanta, GA, 2017

  40. DNS RESOLVERS APPLY DIFFERENT POLICIES
      - Deciding which records to cache and which to overwrite

  41. DIFFERENT DNS SERVERS ARE VULNERABLE TO DIFFERENT PAYLOADS
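
One possible overwrite policy for the scenario on slides 37 and 38, added as an example (not code from the talk or from any resolver): a cache that ranks records by where in a response they came from and refuses to let additional-section data replace better data. The ranks are a simplified subset of the RFC 2181 section 5.4.1 ordering; the class and function names are hypothetical, and TTL handling is left out.

```python
from enum import IntEnum

class Trust(IntEnum):
    """Simplified subset of the RFC 2181 5.4.1 ranking, lowest to highest."""
    ADDITIONAL = 1       # additional-section data, e.g. glue
    ANSWER_NONAUTH = 2   # answer section of a non-authoritative reply
    AUTHORITY_AUTH = 3   # authority section of an authoritative reply
    ANSWER_AUTH = 4      # answer section of an authoritative reply

def in_bailiwick(name, zone):
    """True if name is the zone itself or a name below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

class Cache:
    def __init__(self, ranked=True, overwrite_equal=False):
        self.ranked, self.overwrite_equal = ranked, overwrite_equal
        self.rrs = {}  # (name, rtype) -> (value, Trust)

    def offer(self, name, rtype, value, trust, zone):
        """Store the record if policy allows; return True if it was stored."""
        if not in_bailiwick(name, zone):
            return False
        old = self.rrs.get((name, rtype))
        if old and self.ranked:
            if trust < old[1] or (trust == old[1] and not self.overwrite_equal):
                return False  # keep the record already in the cache
        self.rrs[(name, rtype)] = (value, trust)
        return True

def slide_38_scenario(cache, cached_as):
    """Cache ns.doma.in = 2.2.2.2, then offer 9.9.9.9 from an additional section."""
    cache.offer("ns.doma.in", "A", "2.2.2.2", cached_as, zone="doma.in")
    cache.offer("ns.doma.in", "A", "9.9.9.9", Trust.ADDITIONAL, zone="doma.in")
    return cache.rrs[("ns.doma.in", "A")][0]

if __name__ == "__main__":
    print(slide_38_scenario(Cache(ranked=False), Trust.ANSWER_AUTH))          # overwritten
    print(slide_38_scenario(Cache(), Trust.ANSWER_AUTH))                      # kept
    print(slide_38_scenario(Cache(overwrite_equal=True), Trust.ADDITIONAL))   # overwritten
```

The bailiwick test passes in every run because ns.doma.in lies inside doma.in; only the ranking, and the choice made for equal ranks, decides whether the cached address changes.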
