Secure Sockets Layer / Transport Layer Security: BEAST Attack (slide deck)


  1. Secure Sockets Layer / Transport Layer Security: BEAST Attack
     Dan Luedtke <mail@danrl.de> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich

  2. Outline
     ● History
     ● Design Goals
     ● SSL/TLS Stack
     ● Attacks
       ● Attack on CBC
       ● BEAST
     ● Solution
     CBC: Cipher Block Chaining; BEAST: Browser Exploit Against SSL/TLS

  3. History

     version            | org      | year      | changes
     -------------------|----------|-----------|------------------------------------------------------------
     SSL 2.0            | Netscape | 1994      |
     SSL 3.0            | Netscape | 1996      | complete redesign
     TLS 1.0            | IETF     | 1999      | minor changes; no interoperation with SSL3; can downgrade connections to SSL3
     TLS 1.1            | IETF     | 2006      | protection against CBC attacks; implicit IV ↣ explicit IV
     TLS 1.2            | IETF     | 2008      | MD5-SHA-1 ↣ SHA-256; authenticated encryption, e.g. AES in CCM mode
     TLS 1.2 "refined"  | IETF     | 2011/2012 |

     MAC: Message Authentication Code; MD5: Message Digest Algorithm; IETF: Internet Engineering Task Force; SHA: Secure Hash Algorithm; CBC: Cipher Block Chaining; AES: Advanced Encryption Standard; IV: Initialization Vector; CCM: Counter with CBC-MAC

  4. Design Goals
     ● Cryptographic security
       ● establish secure connections
       ● secure existing connections
       ● data confidentiality
       ● authentication
       ● reliability
     ● Interoperability
       ● applications exchange parameters with each other
       ● applications establish connections with each other
       ● specified protocols

  5. Design Goals
     ● Extensibility
       ● SSL/TLS provides a framework
       ● cryptographic methods can be added
         – public key
         – bulk encryption
       ● no extensive library/protocol rewriting
     ● Relative efficiency
       ● ability to adapt to its environment
       ● session caching (saves CPU)
       ● minimal messaging (saves network bandwidth)

  6. SSL/TLS in Common Models
     [figure: SSL/TLS placed in the ISO/OSI and TCP/IP layer models]
     ● ISO/OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical
     ● TCP/IP model: Application, Transport, Internet, Link
     ● SSL/TLS sits between the application and the transport layer: the Handshake, Change Cipher Spec, Alert and Application Data protocols run on top of the Record protocol, which runs over the transport layer

  7. SSL/TLS Protocol Stack
     ● Handshake: negotiates the session
       ● cryptographic methods
       ● versions
       ● authentication (optional): one-way or two-way
     ● Change Cipher Spec: tells the other party to apply the previously negotiated parameters
     ● Alert: error reporting
     ● Application Data: transports the upper-layer payload
     ● Record: provides the shared transaction layer and ensures
       ● cryptographic security (data confidentiality)
       ● integrity of the payload
       ● optional payload compression

  8. BEAST
     ● Browser Exploit Against SSL/TLS (BEAST)
     ● Chosen-plaintext attack
     ● Targets the predictable (deterministic) Initialization Vectors of Cipher-Block Chaining in SSL 3.0 / TLS 1.0: the IV of each record is the last ciphertext block of the previous record, which the attacker has already seen on the wire

  9. Attack Scenario (TLS 1.0, CBC)
     ● Alice and Bob communicate over TLS 1.0 with a CBC cipher suite
     ● Mallory
       ● wants to know the secret block P[16] that Alice sends
       ● eavesdrops on the encrypted data between Alice and Bob
       ● can force Alice to send chosen plaintext
       ● can force Alice to send P
     Please note that this is a simplified example; consult the Educated Guesswork reference for details.

  10. Cipher-Block Chaining
      [figure: CBC encryption; each plaintext block is XORed with the previous ciphertext block (or the IV) before the block cipher]
      C_0 = E(Key, IV ⊕ M_0)
      C_i = E(Key, C_{i-1} ⊕ M_i)

  11. CBC Chosen Plaintext Attack
      ● Force Alice to send P
      ● Eavesdrop and get C_p = E(Key, C_{p-1} ⊕ P)
      ● Let G be a blind guess of P
      ● Force Alice to send the plaintext C_{i-1} ⊕ C_{p-1} ⊕ G (Mallory knows C_{i-1}: in TLS 1.0 it is the last ciphertext block already on the wire, i.e. the IV of the next block)
      ● Alice sends C_i = E(Key, C_{i-1} ⊕ C_{i-1} ⊕ C_{p-1} ⊕ G)
      ● C_i = E(Key, C_{p-1} ⊕ G)
      ● If C_i == C_p then G == P
      Guessing a whole 16-byte block blindly takes up to 2^128 tries. This requires a lot of guessing and it is not very handy!

  12. BEAST
      ● Force Alice to send NULL[0-14] P[0] (15 known bytes followed by the first secret byte, so only one byte of the block is unknown)
      ● Eavesdrop and get C_p = E(Key, C_{p-1} ⊕ NULL[0-14] P[0])
      ● Let G be a blind guess of P[0]
      ● Force Alice to send the plaintext C_{i-1} ⊕ C_{p-1} ⊕ NULL[0-14] G
      ● Alice sends C_i = E(Key, C_{i-1} ⊕ C_{i-1} ⊕ C_{p-1} ⊕ NULL[0-14] G)
      ● C_i = E(Key, C_{p-1} ⊕ NULL[0-14] G)
      ● If C_i == C_p then G == P[0]
      This requires up to 2^8 = 256 guesses per byte. We can do this!

  13. BEAST (byte by byte)
      [figure: one 16-byte block, known bytes shaded, the single unknown byte at the end]
      ● C_{i-1} ⊕ C_{p-1} ⊕ NULL[0-14] P[0]: 256 possible ciphertexts, reveals P[0]
      ● C_{i-1} ⊕ C_{p-1} ⊕ NULL[0-13] P[0]P[1]: 256 possible ciphertexts, reveals P[1]
      ● ...
      ● voilà! P[0-15]
      legend: known / unknown

  14. Solution: Explicit IV (TLS 1.1)
      [figure: CBC encryption where each record starts from its own IV instead of the previous record's last ciphertext block]
      C_0 = E(Key, IV_0 ⊕ M_0)
      C_i = E(Key, IV_i ⊕ M_i)
      Each record i carries a fresh, random IV_i in the clear. Mallory still sees the IV, but only after Alice has committed to the plaintext, so the term C_{i-1} in the attack above can no longer be cancelled out. The IV must be unpredictable, not merely explicit, and both peers must actually negotiate TLS 1.1 or later; TLS 1.0 clients that cannot upgrade mitigate BEAST instead by splitting each record (1/n-1 record splitting), which has the same effect of hiding the chaining value from the attacker.
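The attack of slides 11 to 13 and the fix of slide 14, carried through in code. This is an added example, not code from the slides or from the BEAST authors. The block cipher `block_encrypt` is a toy 4-round Feistel permutation built from HMAC-SHA256, standing in for AES (the attack depends only on the CBC chaining, not on the cipher); TLS padding, MAC and record framing are omitted; records are zero-padded to the block size; and "Mallory forces Alice to send X" is modelled as a call `alice.request(X)`, which makes Alice send X followed by her secret. The key, IV and the "cookie" secret are constructed values.

```python
"""BEAST-style byte-at-a-time recovery against CBC with chained (predictable)
IVs, plus the same attack failing against per-record random explicit IVs.

Added illustration, not code from the slides. block_encrypt is a toy 4-round
Feistel permutation built from HMAC-SHA256, a stand-in for AES: the attack
depends only on the CBC chaining, not on the cipher. TLS padding, MAC and
record framing are omitted; records are zero-padded to the block size, and
"Mallory forces Alice to send X" is modelled as alice.request(X), which
sends X followed by Alice's secret.
"""
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E(Key, block): toy 16-byte block cipher (4-round Feistel network)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _feistel_round(key, rnd, right))
    return left + right


def _pad(data: bytes) -> bytes:
    """Zero-pad to a block boundary (stand-in for TLS record padding)."""
    return data + b"\x00" * (-len(data) % BLOCK)


class Tls10Sender:
    """Alice with a TLS 1.0 record layer: implicit IV. The IV of a record is
    the last ciphertext block of the previous record, which Mallory has seen."""

    def __init__(self, key: bytes, iv: bytes, secret: bytes):
        self.key, self.chain, self.secret = key, iv, secret

    def request(self, attacker_data: bytes) -> bytes:
        """Send attacker_data || secret as one CBC record; return the ciphertext."""
        plaintext = _pad(attacker_data + self.secret)
        out = []
        for i in range(0, len(plaintext), BLOCK):
            self.chain = block_encrypt(self.key, xor(self.chain, plaintext[i:i + BLOCK]))
            out.append(self.chain)
        return b"".join(out)


class Tls11Sender(Tls10Sender):
    """Same, but TLS 1.1 style: a fresh random IV per record. It travels with
    the record (explicit), so Mallory learns it only after the plaintext is fixed."""

    def request(self, attacker_data: bytes) -> bytes:
        self.chain = os.urandom(BLOCK)
        return super().request(attacker_data)


def beast(alice: Tls10Sender, secret_len: int) -> bytes:
    """Mallory: recover alice.secret one byte at a time (slides 11-13)."""
    known = b""
    for k in range(secret_len):
        filler = b"\x00" * (BLOCK - 1 - k % BLOCK)  # NULL[0-14]: secret[k] lands last in its block
        idx = (len(filler) + k) // BLOCK            # index of that target block in the record
        c_prev = alice.chain                        # what Mallory believes the next IV is
        record = alice.request(filler)
        blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        c_p = blocks[idx]                           # C_p = E(Key, C_{p-1} ^ (15 known bytes || secret[k]))
        c_p_prev = blocks[idx - 1] if idx else c_prev
        head = (filler + known)[idx * BLOCK:]       # the 15 known bytes of the target block
        for g in range(256):                        # at most 2^8 guesses per byte
            c_i_prev = alice.chain                  # IV of the record about to be sent (TLS 1.0)
            chosen = xor(xor(c_i_prev, c_p_prev), head + bytes([g]))
            c_i = alice.request(chosen)[:BLOCK]     # = E(Key, C_{p-1} ^ (head || g)) under TLS 1.0
            if c_i == c_p:
                known += bytes([g])
                break
        else:
            raise RuntimeError(f"no guess matched for byte {k}: IV was not predictable")
    return known


def demo() -> tuple:
    """Run the attack against a TLS 1.0-style and a TLS 1.1-style sender."""
    key = bytes(range(16))                      # constructed fixed key
    iv = b"\x00" * BLOCK                        # constructed initial chaining value
    secret = b"SID=7c2e91ab4d03f65e8a1b"        # constructed "cookie"; crosses a block boundary
    recovered = beast(Tls10Sender(key, iv, secret), len(secret))
    try:
        beast(Tls11Sender(key, iv, secret), 1)
        explicit_iv_broken = True
    except RuntimeError:
        explicit_iv_broken = False
    return recovered, explicit_iv_broken


if __name__ == "__main__":
    rec, broken = demo()
    print("TLS 1.0 (implicit IV) recovered:", rec)
    print("TLS 1.1 (explicit random IV) first byte recovered:", broken)
```

The sliding of slide 13 is the `filler` computation: for the k-th byte Mallory pads with 15 - (k mod 16) zero bytes so that the unknown byte is always the last byte of a block whose other 15 bytes are filler or already-recovered secret. Against `Tls11Sender` the value read from `alice.chain` before each guess is stale, so the XOR cancellation of slide 11 fails and no guess matches.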

  15. Questions? Thank you for your kind attention.
      References
      ● Jörg Schwenk. Sicherheit und Kryptographie im Internet: Von sicherer E-Mail bis zu IP-Verschlüsselung (German edition). Vieweg+Teubner Verlag, 2010.
      ● T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346; updated by RFCs 3546, 5746, 6176.
      ● T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Obsoleted by RFC 5246; updated by RFCs 4366, 4680, 4681, 5746, 6176.
      ● Dan Goodin. Hackers break SSL encryption used by millions of sites. The Register, 2011. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ (retrieved 2012-04-13)
      ● Security impact of the Rizzo/Duong CBC "BEAST" attack. Educated Guesswork, 2011. http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html (retrieved 2012-04-13)
