secure protocols in a hostile world
play

Secure Protocols in a Hostile World for CHES 2015 Matthew Green - PowerPoint PPT Presentation

Jan 01, 2023 •306 likes •1.11k views

Secure Protocols in a Hostile World for CHES 2015 Matthew Green Johns Hopkins University Why this talk? Why this presentation? These people are wrong solved problem Algorithms Protocol Design Unsolved Implementation Library

  1. Secure Protocols in a 
 Hostile World for CHES 2015 Matthew Green 
 Johns Hopkins University

  2. Why this talk?

  3. Why this presentation? These people are wrong

  4. “solved problem” Algorithms Protocol Design Unsolved Implementation Library API design Deployment & Correct Usage

  5. “solved problem” Algorithms Protocol Design Unsolved Implementation Library API design Deployment & Correct Usage

  6. “solved problem” Algorithms Protocol Design Unsolved Implementation Library API design Deployment & Correct Usage

  7. Why does this matter?

  11. This talk • We know how to build strong cryptosystems • Our research focuses on building stronger crypto systems! • And yet we continue to deploy weak ones • Worse, we’re largely stuck with weak ones • What’s going on here? • Main case studies: SSL/TLS, IPSEC

  12. Case study 1: SSL/TLS

  13. SSL/TLS • Most important security protocol on the Internet • Allows secure connections between clients & servers • Current version: TLS 1.2 • (But browsers still support SSL 3, TLS 1.0/1.1) 
 plus 1.3 coming soon! • Not just web browsing!

  14. A brief history • SSLv1 born at Netscape. Never released. (~1994) • SSLv2 released one year later • SSLv3 (1996) • TLS 1.0 (1998) • Still widely deployed • TLS 1.1 (2006) • TLS 1.2 (2008)

  15. How secure is TLS? • Many active attacks and implementation vulnerabilities • Heartbleed, Lucky13, FREAK, CRIME, BEAST, RC4

  16. How secure is TLS? • Many active attacks and implementation vulnerabilities • Heartbleed, Lucky13, FREAK, CRIME, BEAST, RC4 In practice: most of these require substantial resources and 
 can’t be deployed at scale

  17. How secure is TLS? But not all attacks… • Not all attacks:

  18. What’s wrong with TLS?

  19. Quite a bit • Many problems result from TLS’s use of 
 “ pre-historic cryptography ” (- Eric Rescorla) • CBC with Mac-then-Encrypt, bad use of IVs • RSA-PKCS#1v1.5 encryption padding • RC4 • DH parameter generation • Horrifying backwards compatibility requirements

  20. Quite a bit • Many problems result from TLS’s use of 
 “ pre-historic cryptography ” (- Eric Rescorla) • CBC with Mac-then-Encrypt, bad use of IVs • RSA-PKCS#1v1.5 encryption padding • RC4 Many of these flaws were ‘known’ 
 • DH parameter generation at design time, but exploited by 
 researchers only afterwards. • Horrifying backwards compatibility requirements

  21. 
 
 MAC-then-pad-then-Encrypt • TLS MACs the record, then pads (in CBC), then enciphers • Obvious problem: padding oracles • Countermeasure(s): 
 1. Do not distinguish padding/MAC failure 
 2. “Constant-time” decryption 


  22. BEAST • Serious bug in TLS 1.0 • Allows complete decryption of CBC ciphertexts • Use of predictable Initialization Vector (CBC residue bug) • Known since 2002, attack described by Bard in 2005 
 ( Bard was advised to focus on more interesting problems .) • Nobody cared or noticed until someone implemented it

  23. Solution in practice: RC4 :-( (When RC4 is your solution, 
 you need a better problem)

  24. Compression (CRIME) • Can’t really blame the TLS designers for including it... • Blame cryptographers for not noticing it’s still in use? • Blame cryptographers for pretending it would go away. • We need a model for compression+encryption • Clearly this can’t be semantically secure • But how much weaker? Can we quantify?

  25. Protocol Design

  26. Example: Negotiation Each TLS handshake begins with a cipher suite negotiation that determines which key agreement protocol (etc.) will be used. Negotiate Key Exchange Confirm handshake messages

  27. Ciphersuite Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT Negotiate I choose: 
 ECDHE

  28. Ciphersuite Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT Key exchange I choose: 
 ECDHE

  29. Ciphersuite Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT Confirm handshake messages I choose: 
 ECDHE

  30. MITM Negotiation

  31. MITM Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT

  32. MITM Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT I choose: 
 RSA_EXPORT

  33. MITM Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT I choose: 
 RSA_EXPORT

  34. MITM Negotiation Attacker can break RSA I support: 
 RSA, DHE, ECDHE, export key RSA_EXPORT I choose: 
 RSA_EXPORT

  35. MITM Negotiation … and forge I support: 
 RSA, DHE, ECDHE, confirmation messages RSA_EXPORT Confirm handshake messages I choose: 
 RSA_EXPORT

  36. MITM Negotiation I support: 
 RSA, DHE, ECDHE, RSA_EXPORT Confirm handshake messages I choose: 
 RSA_EXPORT As of Mar ’15, 30+% of TLS hosts supported export suites!

  37. 
 MITM Negotiation I support: 
 RSA, DHE, ECDHE, Solution: RSA_EXPORT Modern clients won’t offer broken cipher suites Confirm handshake messages like RSA_EXPORT (unless they’re wget or curl!) I choose: 
 RSA_EXPORT As of Mar ’15, 30+% of TLS hosts supported export suites!

  38. Question Is it sufficient for the client to support only “strong” ciphersuites, even if the server supports weak ones?

  39. Question Is it sufficient for the client to support only “strong” ciphersuites, even if the server supports weak ones? • Let A be the set of KA protocols supported by Client 
 Let B be the set of KA protocols supported by Server • If each KA protocol in is a secure KA protocol, is the TLS A ∩ B handshake secure?

  40. TLS for cryptographers • In CRYPTO 2012 (!) we saw the first paper 
 to successfully analyze TLS-DHE [Jager et al.] • In CRYPTO 2013 a random-oracle analysis of the 
 TLS-RSA handshake [Krawczyk et al.] • In CRYPTO 2014 an automated analysis of the full 
 handshake, under a new security model [Bhargavan et al.]

  41. TLS for cryptographers • In CRYPTO 2012 (!) we saw the first paper 
 to successfully analyze TLS-DHE [Jager et al.] • In CRYPTO 2013 a random-oracle analysis of the 
 TLS-RSA handshake [Krawczyk et al.] • In CRYPTO 2014 an automated analysis of the full 
 handshake, under a new security model [Bhargavan et al.]

  42. TLS for cryptographers • In CRYPTO 2012 (!) we saw the first paper 
 to successfully analyze TLS-DHE [Jager et al.] • In CRYPTO 2013 a random-oracle analysis of the 
 TLS-RSA handshake [Krawczyk et al.] • In CRYPTO 2014 an automated analysis of the full 
 handshake, under a new security model [Bhargavan et al.]

  43. 
 Theorem • Bhargavan et al. theorem statement: 
 Let A be the set of KA protocols supported by Client 
 Let B be the set of KA protocols supported by Server 
 If each KA protocol in is a secure KA protocol & 
 A ∪ B there exist PRFs, then the TLS handshake is a secure KA protocol.

  44. 
 Theorem • Bhargavan et al. theorem statement: 
 Let A be the set of KA protocols supported by Client 
 Let B be the set of KA protocols supported by Server 
 If each KA protocol in is a secure KA protocol & 
 A ∪ B there exist PRFs, then the TLS handshake is a secure KA protocol. TLS design/deployment assumes this would be ! A ∩ B

  45. Example 2: Negotiation I support: 
 RSA, DHE, ECDHE I support: 
 RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

  46. Example 2: Negotiation I support: 
 RSA_EXPORT RSA, DHE, ECDHE I support: 
 RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

  47. Example 2: Negotiation I support: 
 RSA_EXPORT RSA, DHE, ECDHE I support: 
 RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

  48. Example 2: Negotiation I support: 
 RSA_EXPORT RSA, DHE, ECDHE FREAK [Bhargavan et al.] : 
 Due to a bug in SecureTransport, OpenSSL, SChannel, client accepts export-grade RSA key I support: 
 RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

  49. Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

  50. Example 2: Negotiation I support: 
 Solution: Fix implementations RSA, DHE, ECDHE Patch OpenSSL, SecureTransport, SChannel so they will recognize an RSA export key 
 Negotiation exchange message, barf (patches rolled out March 2015) I support: 
 RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

  51. Example 3: Negotiation I support: 
 RSA, DHE, ECDHE I support: 
 RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010

Recommend

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC

Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC

Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Secure MPC Goal: Allow a set

1.11k views • 98 slides
Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons SSH Secure shell (remote login) IPSec IP Security suite, originally for use with IPv6 SSL/TLS Secure Sockets Layer / Transport Layer

322 views • 18 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Yehuda Lindell (BIU) Amos Beimel (BGU BGU) Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty protocols wi without out an honest majority Positive result: 1/p-secure protocols for cons

487 views • 27 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19 October 2014 Sandra Scott-Hayward, Christopher Kane and Sakir Sezer s.scott-hayward@qub.ac.uk Centre for Secure Information Technologies (CSIT)

359 views • 20 slides
Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

CS 166: Information Security Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next, we look at real protocols SSH a simple & useful security protocol SSL practical security on the Web

1.27k views • 112 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O.

GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O.

GASP: a Generic Approach to Secure network Protocols Olivier Levillain May 13th 2020 O. Levillain GASP 1/39 Agenda Introduction The Need for Robust Parsers A Platform for Binary Parser Generators Animating Protocols Fuzzing

977 views • 74 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL?

The 1 st World Congress on Controversies in Hematology (COHEM) Rome, September, 2-5, 2010 Session 4. Acute Lymphoblastic Leukemia Is the efficacy of the pediatric-like protocols for ALL superior to the protocols for adult ALL? No No JM

990 views • 44 slides
FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati ,

TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati ,

TARDIS Implementing Secure Protocols on Embedded Devices without Clocks Amir Rahmati , Mastooreh Salajegheh, Dan Holcomb 1 , Jacob Sorber 2 , Wayne Burleson, Kevin Fu 1 UC Berkeley 2 Dartmouth Collage The Problem Slow Brute Force attacks on

173 views • 6 slides
Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com

Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com

Secure protocols on BIP-taproot 2019-06-08 Jonas Nick jonasd.nick@gmail.com https://nickler.ninja @n1ckler GPG: 36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366 Disclaimer Its not at all certain that a BIP-taproot softfork activates in

375 views • 25 slides
Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa

Preprocessing Based Verification of Multiparty Protocols with an Honest Majority 20.07.17 Alisa Pankova Roman Jagomgis Peeter Laud 1 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty Computation 2 / 10 Secure Multiparty

641 views • 38 slides
Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Outline Introduction HISPs Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W.

670 views • 41 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Individual Family Group Company Community Country World NOW Secure Secure financial Learn

Individual Family Group Company Community Country World NOW Secure Secure financial Learn

Individual Family Group Company Community Country World NOW Secure Secure financial Learn psychosocial Determine your Identify the Consider Evaluate global employment and educational principles and unassailable strengths and

200 views • 6 slides
Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016 Overview of this lecture Part 2: ABY Part 3: GSHADE Special Purpose Protocols Generic Protocols

819 views • 52 slides

More recommend