revisiting ssl tls implementations new bleichenbacher
play

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels - PowerPoint PPT Presentation

Aug 26, 2023 •275 likes •818 views

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

  1. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de

  2. About me Security Researcher at: ● Chair for Network and Data Security, Ruhr University Bochum – ● Prof. Dr. Jörg Schwenk ● Web Services, Single Sign-On, (Applied) Crypto, SSL, crypto currencies ● Provable security, attacks and defenses Horst Görtz Institute for IT-Security – ● Further topics: embedded security, malware, crypto… Co-founder of 3curity GmbH: ● Penetration tests, security analyses, security workshops… – Web, Single Sign-On, SSL, applied crypto – www.3curity.de – 2

  3. Publications ● XML Security: – All your Clouds Are Belong to us: Security Analysis of Cloud Management Interfaces (CCSW’11) – How to Break XML Encryption (CCS’11) – On Breaking SAML: Be Whoever you Want to Be (USENIX’12) – On the Insecurity of XML Security (Dissertation) ● Further topics: – Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks (USENIX’14) – Untrusted Third Parties: When IdPs Break Bad (in submission, by my colleagues Christian Mainka, Vladislav Mladenov and Jörg Schwenk) 3

  4. About this talk ● Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks ● Paper accepted at Usenix Security 2014 ● Authors: Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, Erik Tews ● Describes new side channels in specific TLS implementations 4

  5. Overview ● TLS ● Bleichenbacher's Attack – Attack Intuition – Oracle Strength – Attack Challenges ● Attacks – Error Messages in JSSE – Additional Random Number Generation – Additional Exception in JSSE – Unexpected Timing Behavior by Hardware Appliances ● Conclusion 5

  6. TLS ● Invented by Netscape in 1994 – Name: Secure Sockets Layer ● Adopted by IETF in 1999 – Renamed to Transport Layer Security ● Versions: – SSL 1.0, 2.0, 3.0 – TLS 1.0, 1.1, 1.2, (1.3 in development) ● Implementations: – OpenSSL, GnuTLS, JSSE, Microsoft Schannel, MatrixSSL, LibreSSL, ... 6

  7. TLS ● Very complex ● Contains various crypto primitives: RSA, EC, AES-CBC, AES-GCM, RC4, 3DES, MD5, SHA1, MACs, Signatures, PRFs, ... ● Can be executed over TCP or UDP (DTLS) ● Contains various extensions ● TLS-Renegotiation 7

  8. TLS Handshake ● Used for negotiation of cryptographic keys for data transport ClientHello ServerHello Contains key material Certificate (PremasterSecret) ServerHelloDone ClientKeyExchange ChangeCipherSpec Client Finished ChangeCipherSpec Server Finished 8

  9. ClientKeyExchange ● Contains encrypted PremasterSecret (for example, encrypted using RSA or EC) ● PremasterSecret is used to derive all TLS session keys ● Decryption of PremasterSecret == decryption of the TLS traffic Snidely Whiplash (Dudley Do-Right of the Mounties) 9

  10. Overview ● TLS ● Bleichenbacher's Attack – Attack Intuition – Oracle Strength – Attack Challenges ● Attacks – Error Messages in JSSE – Additional Random Number Generation – Additional Exception in JSSE – Unexpected Timing Behavior by Hardware Appliances ● Conclusion 10

  11. RSA PKCS#1 v1.5 Encryption ● Used e.g. to distribute symmetric keys ● Textbook-RSA: C RSA = m e mod N – Short messages need padding – No randomization ● PKCS#1 adds randomized padding to the PremasterSecret, it works as follows: 256 Bytes – Take a PremasterSecret PMS non-zero padding Random 00 02 00 03 01 – Set m := 00 || 02 || pad || 00 || PMS 205 Bytes 48 Bytes PMS – Compute C PKCS = m e mod N ● A ciphertext is “valid”, if its decryption has the correct format 11

  12. Bleichenbacher's Attack ● 1998: Attack on RSA-PKCS#1 v1.5 (Bleichenbacher, Crypto 1998) ● SSL implementations applied an ad-hoc fix ● Well-noticed in crypto and security community ● PKCS#1 was updated to v2.0 (RSA-OAEP) – Still standardized in many applications, including TLS 12

  13. Attack Applied to ... ● SSL / TLS: – D. Bleichenbacher: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, Crypto’98 ● Cryptographic Hardware: – Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Graham Steel, and Joe-Kai Tsay. Efficient Padding Oracle Attacks on Cryptographic Hardware, Crypto‘12 ● XML Encryption: – Tibor Jager, Sebastian Schinzel, Juraj Somorovsky: Bleichenbacher’s Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption, ESORICS'12 13

  14. Motivation ● Attack worked in 1998... ● Is PKCS#1 v1.5 implemented correctly in TLS now? 14

  15. Overview ● TLS ● Bleichenbacher's Attack – Attack Intuition – Oracle Strength – Attack Challenges ● Attacks – Error Messages in JSSE – Additional Random Number Generation – Additional Exception in JSSE – Unexpected Timing Behavior by Hardware Appliances ● Conclusion 15

  16. Bleichenbacher's Attack ● Requires a “ciphertext validity oracle” ● Adaptive Chosen-ciphertext attack XML Encryption ciphertext C = Enc(M) ClientKeyExchange Chosen ciphertext C 1 valid/invalid Chosen ciphertext C 2 TLS Server Client valid/invalid Dec(C PKCS ) = Snidely Whiplash … 00 || 02 || “bytes” (Dudley Do-Right of the Mounties) (repeated several times) ??? M = Dec(C) 16

  17. Attack Intuition ● d: private key ● (e,N): public key ● m = 00 || 02 || “bytes” ● In RSA we can multiply the encrypted plaintext without knowing the private key ● m = c d mod N ● c = m e mod N ● c’ = (c · s e ) mod N s ∈ Z N ● c’ = (ms) e mod N 17

  18. Attack Intuition OK, so we can multiply a plaintext ... ● We define: B = 2 (|N|-2) , where |N| is byte length ● – Example: 2B = 00 02 00 … 00 Attack Approach: ● – Multiply “plaintext” with s: c’ = (c · s e ) mod N – Query oracle if the decrypted plaintext is in interval <2B,3B) Somewhere here Modulo is the secret m x Reduction! s=s x s=2 s=3 s=4 s=s x -1 s=s x 0 2B 3B N valid 18

  19. Attack Intuition m x s=2 s=3 s=4 s=s x -1 s=s x s=s x 0 2B 3B N m y s=s y -1 s=s y s=2 s=3 s=4 s=5 s=6 s=s y -2 s=s y -1 0 2B 3B N ● s y > s x ● Intuition: – Large s value indicates m is in the near of 2B – Small s value indicates m is in the near of 3B 19

  20. Attack ● s x allows us to compute new interval for m: 2B ≤ m x s x − N < 3B ● From this follows: (2B + N) / s x < m x < (3B + N) / s x ● Full algorithm: – Searches for further s values – Reduces the interval 20

  21. Demo Time 21

  22. Attack Countermeasure generate a random PMS R decrypt the ciphertext: m := dec(c) if ( (m ? 00||02||PS||00||k) OR (|k| ? 48) ) then proceed with PMS := PMS R else proceed with PMS := k 22

  23. Overview ● TLS ● Bleichenbacher's Attack – Attack Intuition – Oracle Strength – Attack Challenges ● Attacks – Error Messages in JSSE – Additional Random Number Generation – Additional Exception in JSSE – Unexpected Timing Behavior by Hardware Appliances ● Conclusion 23

  24. Attack Performance ● Bleichenbacher's attack is also called Million Messages attack ● The attack performance varies: it depends on the oracle message validation ● The oracle responds with “valid” when: – The message starts with 00 02 – (and) the PremasterSecret is of valid length? – Further checks? Ciphertext C non-zero padding Random 00 02 00 03 01 24 205 Bytes 48 Bytes PMS

  25. Oracle Strength ● Oracle with less checks brings better performance ● Oracle strength: Probability the oracle responds with “valid” when the message starts with 00 02 ● Why important? m x s=2 s=3 s=4 s=s x -1 s=s x s=s x 0 2B 3B N valid invalid 25

  26. Overview ● TLS ● Bleichenbacher's Attack – Attack Intuition – Oracle Strength – Attack Challenges ● Attacks – Error Messages in JSSE – Additional Random Number Generation – Additional Exception in JSSE – Unexpected Timing Behavior by Hardware Appliances ● Conclusion 26

  27. Attack Challenges ● Implement an oracle based on the server behavior – Using different error messages, timing Ciphertext C TLS Handshake (C) Valid / invalid TLS Server ● Analyze oracle strength – Probability – If timing: how many server requests are needed to respond one oracle request ● Execute Bleichenbacher's attack 27

  28. With the help of T.I.M.E. ● T.I.M.E.: TLS Inspection Made Easy ● Automatic scanning of TLS implementations ● Written (mainly) by Christopher Meyer: – http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS /Diss/MeyerChristopher/diss.pdf ● Supports further features like TLS fingerprinting 28

  29. For Timing Measurements... ● T.I.M.E. was not appropriate, caused too much noise ● We used our Bleichenbacher attack module with a patched MatrixSSL library ● NetTimer for response times evaluation: – http://sebastian-schinzel.de/nettimer TLS Handshake (C) C Valid / invalid TLS Server MatrixSSL Bleichenbacher Measurement 29 machine

  30. Overview ● TLS ● Bleichenbacher's Attack – Attack Intuition – Oracle Strength – Attack Challenges ● Attacks – Error Messages in JSSE – Additional Random Number Generation – Additional Exception in JSSE – Unexpected Timing Behavior by Hardware Appliances ● Conclusion 30

  31. Error Messages in JSSE ● With T.I.M.E. we sent differently formatted PKCS#1 messages to a JSSE server ● Server responded with: – INTERNAL ERROR and – HANDSHAKE FAILURE 31

Recommend

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

1.36k views • 120 slides
Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom SudParis GreHack 2019 15 novembre 2019 Levillain &amp; Rasoamanana Wombat 1/27 Plan RSA and PKCS#1 v1.5 in a nutshell Bleichenbacher : the

845 views • 48 slides
Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

slides from presentation at Real World Crypto 2019 Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai Duong with contributions by Haris Andrianakis , Thanh Bui , Thomas Holenstein , Charles Lee , Erhan

657 views • 38 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1 Outline Introduction Contribution 1.

1.89k views • 81 slides
Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations : inst 1 , inst 2 Contracts vs. Implementations Boolean expressions for Contracts: exp 1 , exp 2 , exp 3 , exp 4 , exp 5 feature -- Commands

231 views • 6 slides
Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge- hammer Ioanna M. Dimitriou H. and Peter Koepke, University of Bonn, Germany AITP 2016 Obergurgl, Austria, April 3-7, 2016 Revisiting Paulsons

703 views • 33 slides
Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array Vector Linked Chain 2 Stack ADT #ifndef STACK_H_ #define STACK_H_ template&lt;&lt;typename ItemType&gt; class

1.19k views • 71 slides
REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES

REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES

WHO SHOULD DO THE DISHES NOW? REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES MannayDI@Cardiff.ac.uk REVISITING Jane Pilchers (1994) seminal work Who should do the dishes? Three generations of Welsh women

250 views • 11 slides
Revisiting the Estim ation of the Revisiting the Estim ation of the Marginal Cost of Highw ay

Revisiting the Estim ation of the Revisiting the Estim ation of the Marginal Cost of Highw ay

The 6 th Conference on Applied I nfrastructure Research ( I nfraday) The 6 th Conference on Applied I nfrastructure Research ( I nfraday) Berlin - - October 2 0 0 7 October 2 0 0 7 Berlin Revisiting the Estim ation of the Revisiting the Estim

206 views • 20 slides
Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress

Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress

Turbulence and CFD models: Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress transport equation and the turbulent kinetic energy equation 2. Revisiting the closure problem 3. Two equations models

598 views • 36 slides
Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin

Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin

Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin 2 Olivier Mehani 3 1 IMT Telecom Bretagne, France 2 Universit e de Toulouse, France 3 National ICT Australia, Australia 1/21 Revisiting Old

838 views • 40 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
1 Revisiting the Roman Masculine Ideal 1. Confident public speaker

1 Revisiting the Roman Masculine Ideal 1. Confident public speaker

Class 8a REAL (CHRISTIAN) MEN: AN OXYMORON? Outline Revisiting the Roman Masculine Ideal How Christian Men Measured Up Research Cluster

412 views • 4 slides
Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The

Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The

Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The Cas ase of f AHA Centre Is Is mu mult ltila ilater eral al coop ooper eration ion need eeded ed? In In wh what s situation m

332 views • 15 slides
Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Introduction Methodology Implementations Results Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla Kishore Kumar Surapathi Bilal Habib Susheel Vadlamudi Smriti Gurung John Pham Cryptographic

461 views • 29 slides
Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Part I: How to make software secure Something with implementations 2 Timing Attacks General idea of those attacks Secret

1.47k views • 65 slides
Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop

Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop

Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop Meaning in non-canonical questions June 8, 2018 Natasha Korotkova (n.korotkova@ucla.edu) Revisiting Interrogative flip MiQ 6/8/18 1 / 42

1.09k views • 52 slides
Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

May12 Higgs 2l2q Working Meeting Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz Universidad Autnoma de Madrid Outline q Using e data for top(+X) background: full 2011 results. q First

378 views • 19 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by

Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by

Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by looking at ways to re-index values of n and k. Idea: Using properties of addition and multiplication we can rewrite the equation. 1

541 views • 22 slides
Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on

Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on

Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on Privacy of Advance Web APIs 12 July, 2010. London, United Kingdom. Implementations iOS 4 Firefox 3.6 Chrome 6 Opera 10.6 Critical

445 views • 20 slides
Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting

Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting

Introduction CGA for IPv6 CGA++ Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting Self-Certifying Address Generation and Verification Joppe Bos, Onur Ozen and Jean-Pierre Hubaux Ecole Polytechnique F

2.28k views • 44 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics &amp; MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides

More recommend