the 9 lives of bleichenbacher s cat
play

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS - PowerPoint PPT Presentation

Mar 21, 2024 •158 likes •1.36k views

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

  1. ME WANT COOKIE! • Session cookies give access to the users ’ data • Are sent in the beginning of each TLS connection • Attack scenario for RSA KX: • Sniff TLS handshake and first message • Use Bleich. to decrypt premaster secret • Decrypt first message

  2. ME WANT COOKIE! • Session cookies give access to the users ’ data • Are sent in the beginning of each TLS connection • Attack scenario for RSA KX: • Sniff TLS handshake and first message • Use Bleich. to decrypt premaster secret • Decrypt first message • COOKIE!

  3. Attack Scenario RSA KX: Sniff + Cache timing side channel

  4. Attack Scenario RSA KX: Sniff + Cache timing side channel

  5. Attack Scenario RSA KX: Sniff + Cache timing side channel

  6. Attack Scenario RSA KX: Sniff + Cache timing side channel

  7. Attack Scenario RSA KX: Sniff + Cache timing side channel

  8. Attack Scenario RSA KX: Sniff + Cache timing side channel

  9. Attack Scenario RSA KX: Sniff + Cache timing side channel

  10. Attack Scenario RSA KX: Sniff + Cache timing side channel

  11. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX

  12. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack

  13. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX

  14. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15]

  15. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack

  16. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack • COOKIE?

  17. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack • COOKIE? • Time to finish attack < 30 sec

  18. ME WANT COOKIE! ALL COOKIES! • Only 6% of connections use RSA KX • Use RSA KX vulnerability for downgrade attack • Only requires server support for RSA KX • Works also on TLS 1.3 [JSS 15] • Require active MiTM attack • COOKIE? • Time to finish attack < 30 sec • Need many queries • Have time for < 600 •

  19. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15]

  20. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack

  21. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack

  22. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack • Finish the TLS handshake with decrypted premaster secret

  23. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack • Finish the TLS handshake with decrypted premaster secret • Cookie?

  24. Downgrade attack on Firefox • We can prevent timeout in Firefox ’ s TLS handshakes using TLS warning alerts [ABDG+15] • Do MiTM downgrade attack • Keep session alive during padding attack • Finish the TLS handshake with decrypted premaster secret • Cookie? • The user will notice the delay

  25. The Boost of the BEAST • BEAST like attack can help!

  26. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge.

  27. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge. • At the start of each connection, the same session cookie is sent in the first packet

  28. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge. • At the start of each connection, the same session cookie is sent in the first packet • Need to break just one connection

  29. The Boost of the BEAST • BEAST like attack can help! • JavaScript in browser allows the attacker to repeatedly reopen connections in the background, without the user ’ s knowledge. • At the start of each connection, the same session cookie is sent in the first packet • Need to break just one connection • COOKIE!

  30. Attack Scenario Firefox: MiTM + Cache timing side channel

  31. Attack Scenario Firefox: MiTM + Cache timing side channel

  32. Attack Scenario Firefox: MiTM + Cache timing side channel

  33. Attack Scenario Firefox: MiTM + Cache timing side channel .COM

  34. Attack Scenario Firefox: MiTM + Cache timing side channel

  35. Attack Scenario Firefox: MiTM + Cache timing side channel

  36. Attack Scenario Firefox: MiTM + Cache timing side channel

  37. Attack Scenario Firefox: MiTM + Cache timing side channel

  38. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds

  39. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers

  40. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers

  41. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle

  42. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle • Many previous works mention parallelization

  43. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle • Many previous works mention parallelization • Cookie?

  44. Parallel Downgrade attack • Most browsers timeout TLS handshake after 30 seconds • Many companies reuse certificate on multiple servers • We can parallelize the attack across multiple servers • Each server is a separate oracle • Many previous works mention parallelization • Cookie? • Need at least 2048 sequential adaptive queries • Have time for < 600

  45. A little Manger background • Assume we have the following Manger oracle

  46. A little Manger background • Assume we have the following Manger oracle • We start with a blinding phase to find s such that

  47. A little Manger background • Assume we have the following Manger oracle • We start with a blinding phase to find s such that 0 N -1

  48. A little Manger background • Assume we have the following Manger oracle • We start with a blinding phase to find s such that 0 N -1

  49. A little Manger background • Iteratively reduce size of possible interval 0 N -1

  50. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  51. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  52. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  53. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

  54. A little Manger background • Iteratively reduce size of possible interval • After additional i sequential queries we learn that 0 N -1

Recommend

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom SudParis GreHack 2019 15 novembre 2019 Levillain &amp; Rasoamanana Wombat 1/27 Plan RSA and PKCS#1 v1.5 in a nutshell Bleichenbacher : the

845 views • 48 slides
Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai

slides from presentation at Real World Crypto 2019 Tink: a cryptographic library Bartosz Przydatek joint work with Daniel Bleichenbacher and Thai Duong with contributions by Haris Andrianakis , Thanh Bui , Thomas Holenstein , Charles Lee , Erhan

657 views • 38 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1 Outline Introduction Contribution 1.

1.89k views • 81 slides
I believe that in all men's lives at certain periods, and in many men's lives at all periods

I believe that in all men's lives at certain periods, and in many men's lives at all periods

I believe that in all men's lives at certain periods, and in many men's lives at all periods between infancy and extreme old age, one of the most dominant elements is the desire to be inside the C.S. Lewis local Ring and the terror of

558 views • 18 slides
Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk

Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk

Shared Lives: the connection test Alex Fox, CEO Shared Lives Plus www.SharedLivesPlus.org.uk http://alexfoxblog.wordpress.com http://vimeo.com/108993357 Kent Shared Lives Karl and Clare with Shared Lives carers Blossom and Mike, at their

542 views • 15 slides
Better Advice, Better Lives Adults Select Committee 21 st June Usk 1 Better Advice, Better Lives

Better Advice, Better Lives Adults Select Committee 21 st June Usk 1 Better Advice, Better Lives

Better Advice, Better Lives Monmouthshire County Citizens Advice Better Advice, Better Lives Adults Select Committee 21 st June Usk 1 Better Advice, Better Lives Introduction As you are no doubt aware, in 2012, the Government announced plans

84 views • 4 slides
East Lancashire Transforming Lives Programme Steve Rides East Lancashire Transforming Lives

East Lancashire Transforming Lives Programme Steve Rides East Lancashire Transforming Lives

East Lancashire Transforming Lives Programme Steve Rides East Lancashire Transforming Lives Project Lead What is Transforming Lives To develop a multi-agency model of working that delivers better outcomes; reduces demand and lowers costs,

278 views • 15 slides
We Are Mission Vision Medicaid Medicare MLTC Specialty 1,576,259 305,865 124,484

We Are Mission Vision Medicaid Medicare MLTC Specialty 1,576,259 305,865 124,484

We Are Mission Vision Medicaid Medicare MLTC Specialty 1,576,259 305,865 124,484 918,565 Lives Lives Lives Lives *As of April 2019. Specialty includes: PACE, Duals, SNP 4.3M calls 7.9M trips Geography 7 languages per year

461 views • 15 slides
A tax that saves lives. www.RaiseItforHealthIN.com Before we begin, lets watch

A tax that saves lives. www.RaiseItforHealthIN.com Before we begin, lets watch

Raising Indianas cigarette tax to save lives, protect youth and strengthen our workforce Kent Mitchell, Director of Outreach and Engagement KMitchell@tobaccofreekids.org A tax that saves lives. www.RaiseItforHealthIN.com Before we begin,

178 views • 17 slides
Feelings about Suicide Suicide is an emotional subject, to patient, provider, and Strong emotions

Feelings about Suicide Suicide is an emotional subject, to patient, provider, and Strong emotions

10/29/2015 Advancing treatment. Transforming lives. Advancing treatment. Transforming lives. Advancing treatment. Transforming lives. Advancing treatment. Transforming lives. Agenda Mindfulness, Acceptance, and Discuss the emotional impact

336 views • 10 slides
Plymouth Larissa Milden, Active for All Service Manager What is Im Improving Lives Plymouth?

Plymouth Larissa Milden, Active for All Service Manager What is Im Improving Lives Plymouth?

Improving Lives Plymouth Larissa Milden, Active for All Service Manager What is Im Improving Lives Plymouth? Improving Lives Plymouth is a local health and wellbeing charity Previously known as Plymouth Guild, Improving Lives

144 views • 11 slides
Saving Lives at MVD August 2018 September 4, 2018 1 You are Saving Lives!! AUTHORIZED BY

Saving Lives at MVD August 2018 September 4, 2018 1 You are Saving Lives!! AUTHORIZED BY

Saving Lives at MVD August 2018 September 4, 2018 1 You are Saving Lives!! AUTHORIZED BY REGISTRY IN 2017 71% Organ Donors 69% Tissue Donors 68% Eye Donors LIVES SAVED &amp; ENHANCED 153 Organ Transplants 5,000 Tissue for Transplant

366 views • 8 slides
Improving homes and lives every day. Service Coordination Business Unit Improving homes and lives

Improving homes and lives every day. Service Coordination Business Unit Improving homes and lives

Improving homes and lives every day. Service Coordination Business Unit Improving homes and lives every day. Agenda Whats New Department Updates - Heather Follow Up: Things to Remember Operations Updates Annette QA

565 views • 23 slides
Supporting the Black Lives Matter when teaching pronunciation Movement when teaching

Supporting the Black Lives Matter when teaching pronunciation Movement when teaching

Supporting the Black Lives Matter when teaching pronunciation Movement when teaching pronunciation What is the #BlackLivesMatter was founded in 2013 in Black Lives response to the acquittal of Trayvon Martins murderer. Black Lives

398 views • 18 slides
Engage Rotary Change Lives Engage Rotary Change Lives President: Faure

Engage Rotary Change Lives Engage Rotary Change Lives President: Faure

Engage Rotary Change Lives Engage Rotary Change Lives President: Faure Gnassingbe (2005 Current) Land area: 21,000 sq mi Total area: 21,925 sq mi Population 6,961,049 Median Age: 19.1 (US 37.1) 0-14 years: 40.8% (male

453 views • 20 slides
transform millions of lives Sand dams will transform millions of lives Sand Dams are

transform millions of lives Sand dams will transform millions of lives Sand Dams are

Sand Dams will transform millions of lives Sand dams will transform millions of lives Sand Dams are effectively horizontal boreholes with minimal O&amp;M costs Sand Dams are the worlds lowest cost method of capturing rainwater in dry

638 views • 11 slides
LiVES LiVES is a Video Editing System Because the media should be Open Because the media

LiVES LiVES is a Video Editing System Because the media should be Open Because the media

LiVES LiVES is a Video Editing System Because the media should be Open Because the media should be Free ! - real time performance of video and audio - non linear editing of video and audio - using built-in GUI or over a network using

485 views • 9 slides
Natural Language Processing Lecture 7: Parts of Speech My cat who lives dangerously no longer

Natural Language Processing Lecture 7: Parts of Speech My cat who lives dangerously no longer

Natural Language Processing Lecture 7: Parts of Speech My cat who lives dangerously no longer has nine lives. My cat who lives dangerously no longer has nine lives. My cat who lives dangerously no longer has nine lives.

711 views • 46 slides
Natural Language Processing Lecture 8: Parts of Speech My cat who lives dangerously no longer

Natural Language Processing Lecture 8: Parts of Speech My cat who lives dangerously no longer

Natural Language Processing Lecture 8: Parts of Speech My cat who lives dangerously no longer has nine lives. My cat who lives dangerously no longer has nine lives. My cat who lives dangerously no longer has nine lives.

485 views • 45 slides
OBJECTIVES We strive to inculcate the Values and Principles of Sports into the lives of the

OBJECTIVES We strive to inculcate the Values and Principles of Sports into the lives of the

OBJECTIVES We strive to inculcate the Values and Principles of Sports into the lives of the Children. We aim to improve their lives by teaching them with various aspects of physical education through various indoor and outdoor activities.

966 views • 8 slides
Focus To look at some of the issues in end of life care To provide some information on the

Focus To look at some of the issues in end of life care To provide some information on the

Together for Short Lives Focus To look at some of the issues in end of life care To provide some information on the role of Together for Short Lives Together for Short Lives Together for Short Lives is the leading UK charity that speaks

649 views • 28 slides
Algorithms for Natural Language Processing Lecture 8: Parts of Speech My cat who lives

Algorithms for Natural Language Processing Lecture 8: Parts of Speech My cat who lives

Algorithms for Natural Language Processing Lecture 8: Parts of Speech My cat who lives dangerously no longer has nine lives. My cat who lives dangerously no longer has nine lives. My cat who lives dangerously no longer has

881 views • 45 slides
Stronger Standard Saves Thousands of Lives Each Year 12,000 12,000 Range of Estimates of Lives

Stronger Standard Saves Thousands of Lives Each Year 12,000 12,000 Range of Estimates of Lives

Stronger Standard Saves Thousands of Lives Each Year 12,000 12,000 Range of Estimates of Lives Saved Each Year Premature Deaths Avoided Each Year, 2020 Estimates Low Estimates 10,000 High Estimates 7,200 8,000 6,000 4,300 4,000 4,000

274 views • 5 slides

More recommend