
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE
Dennis Felsch¹, Martin Grothe¹, Jörg Schwenk¹, Adam Czubak², Marcin Szymanek²
¹ Ruhr University Bochum, Germany; ² University of Opole, Poland
27th USENIX Security Symposium


  1. THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE
     Dennis Felsch¹, Martin Grothe¹, Jörg Schwenk¹, Adam Czubak², Marcin Szymanek²
     ¹ Ruhr University Bochum, Germany; ² University of Opole, Poland
     27th USENIX Security Symposium, 08/16/2018

  2. VPNs (Virtual Private Networks)
     [Figure: network diagram with the labels "Internet" and "4G/LTE". Icons from KDE Oxygen theme licensed under GNU LGPLv3, http://www.kde.org/]

  3. IPsec (Internet Protocol Security)
     [Figure: two protocol stacks side by side. Application: Data; Transport: TCP/UDP; Internet: IPsec, IP; Network Access. IPsec is labelled with integrity, authenticity, confidentiality.]

  4. IKE (Internet Key Exchange)
     - The handshake protocol of IPsec
     - Standardized in two major versions
       - IKEv1: Published in 1998, declared obsolete by the IETF
         - nevertheless included in all implementations
       - IKEv2: Published in 2005, current version

  5. IKEv1
     [Figure: IKEv1 at the Application layer of both stacks, above Transport (UDP), Internet (IP) and Network Access. Handshake stages: 2 msg Negotiation, 2 msg Key Agreement, 2 msg Key Confirmation, with the label "Authentication".]

  6. IKEv1 Protocol Flow
     - m1 (Initiator → Responder) = {proposals}
     - m2 (Responder → Initiator) = selected proposal
     - m3 (Initiator → Responder) = g^x, anc. data
     - m4 (Responder → Initiator) = g^y, anc. data
     - Both sides: 1. Key derivation
     - Initiator: 2. Compute MAC_I; Responder: 2. Compute MAC_R
     - m5 (Initiator → Responder) = Enc(MAC_I | data)
     - m6 (Responder → Initiator) = Enc(MAC_R | data)
     - Initiator: 3. Decrypt m6, 4. Verify MAC_R
     - Responder: 3. Decrypt m5, 4. Verify MAC_I

  7. IKEv1 Authentication Methods
     1. PSK (Pre-Shared-Key)
     2. Digital Signatures
     3. Public Key Encryption (PKE)
     4. Revised Public Key Encryption (RPKE)
     [Figure: handshake stages 2 msg Negotiation, 2 msg Key Agreement, 2 msg Key Confirmation, with the label "Authentication".]

  8. IKEv1 Protocol Flow With PKE Authentication
     - m1 (Initiator → Responder) = {proposals}
     - m2 (Responder → Initiator) = selected proposal
     - m3 (Initiator → Responder) = g^x, Enc_pk(n_I) (in place of "anc. data")
     - m4 (Responder → Initiator) = g^y, Enc_pk(n_R) (in place of "anc. data")
     - Both sides: 1. Key derivation
     - Initiator: 2. Compute MAC_I; Responder: 2. Compute MAC_R
     - m5 (Initiator → Responder) = Enc(MAC_I | data)
     - m6 (Responder → Initiator) = Enc(MAC_R | data)
     - Initiator: 3. Decrypt m6, 4. Verify MAC_R
     - Responder: 3. Decrypt m5, 4. Verify MAC_I

  9. What if implementations contained Bleichenbacher oracles?

  10. Bleichenbacher's Attack In Two Slides
     - Padding oracle attack
     - RSA PKCS#1 v1.5 encryption padding:
     - Attack requires oracle that tells if padding is valid

  11. Bleichenbacher's Attack In Two Slides
     [Figure: Sender sends m to Receiver. Attacker sends m', m'', … to Receiver and gets "valid / invalid" back for each.]
     - Leaks the plaintext of message m to the attacker

  12. Attack Idea On IKEv1 With PKE Authentication
     [Figure: message flow between Responder A, Attacker, and Responder B, in this order:]
     - m1, m2, m3
     - m4 = Enc_pkB(n_RA), …
     - Keep A waiting
     - Decrypt n_RA
     - Derive Keys
     - m5, m6
     - Attacker impersonates Responder B!

  13. Where To Find The PKE And RPKE Modes?
     - Cisco includes PKE authentication in IOS
     - Huawei includes RPKE in some security appliances
     - Implementations in Clavister's cOS and ZyXEL's ZyWALL USG devices broken

  14. Where To Find The PKE And RPKE Modes?

  15. Case Study: Bleichenbacher Oracle In Cisco IOS 1/3
     - Test device:
       - Cisco ASR 1001-X router
       - IOS XE 03.16.02.S

  16. Case Study: Bleichenbacher Oracle In Cisco IOS 2/3
     [Figure: message flow between Initiator and Cisco IOS:]
     - m1 = proposal with PKE
     - m2 = proposal with PKE
     - m3 with valid padding → m4
     - m3 with invalid padding → wait 1 second → m2 = proposal with PKE

  17. Case Study: Bleichenbacher Oracle In Cisco IOS 3/3
     - IOS cancels IKEv1 handshake after 60 seconds at the latest
     - Public key 1024 bits ⇒ ~850 responses per second
     - 60 ∙ 850 = 51,000 requests per handshake
     - Empirical study with a simulator: 26% of attacks require less than 51,000 requests
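
A defender-side view of the behaviour on slides 16 and 17, added here as an example and not taken from the talk or the paper: it counts, per peer, how often an m3 is answered by an m2 retransmit instead of m4 within the 60-second handshake lifetime. The event names, the tuple format, the alert threshold and the sample data are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60    # slide 17: IOS cancels an IKEv1 handshake after 60 seconds
THRESHOLD = 20   # assumed alert threshold, tune to the deployment

def padding_failures(events):
    """Yield (time, peer) whenever an m3 is answered by an m2 retransmit, not m4."""
    pending = {}                          # handshake cookie -> peer awaiting an answer
    for t, peer, cookie, kind in sorted(events):
        if kind == "m3_rx":
            pending[cookie] = peer
        elif kind == "m4_tx":
            pending.pop(cookie, None)     # valid padding, handshake continues
        elif kind == "m2_retx" and cookie in pending:
            yield t, pending.pop(cookie)  # slide 16: invalid padding behaviour

def suspicious_peers(events, window=WINDOW_S, threshold=THRESHOLD):
    """Map peer -> time at which it first reached `threshold` failures in `window` s."""
    recent = defaultdict(deque)
    flagged = {}
    for t, peer in padding_failures(events):
        q = recent[peer]
        q.append(t)
        while t - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(peer, t)
    return flagged

def sample_events():
    """Constructed responder events: (seconds, peer, cookie, kind)."""
    ev = [(0.0, "192.0.2.10", "ok", "m3_rx"), (0.1, "192.0.2.10", "ok", "m4_tx"),
          (5.0, "192.0.2.20", "bad", "m3_rx"), (6.0, "192.0.2.20", "bad", "m2_retx")]
    for i in range(30):                   # one peer failing once per second
        ev.append((10.0 + i, "198.51.100.7", f"h{i}", "m3_rx"))
        ev.append((11.0 + i, "198.51.100.7", f"h{i}", "m2_retx"))
    return ev

if __name__ == "__main__":
    print(suspicious_peers(sample_events()))
```

A single failed handshake, such as a misconfigured peer, stays below the threshold; only the peer that keeps producing padding failures inside one window is reported.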

  18. Cisco IOS – Simulator vs. Real Hardware
     - Cisco's IKE handshake implementation is not optimized for throughput
     - Cryptographic calculations for IKE are done by CPU
     - m1/m2 negotiations take a lot of time
     - Decryption attack with 19,000 requests took 13 minutes

  19. Cisco IOS – Is An Attack Realistic?
     - A too slow attack does not permanently lock out attackers
     - Still dangerous if the victim has deployed multiple responders sharing one key pair
       - e.g. for load balancing

  20. Bleichenbacher Oracles In (R)PKE Implementations
     - Cisco: CVE-2018-0131
     - Huawei: CVE-2017-17305
     - Clavister: CVE-2018-8753
     - ZyXEL: CVE-2018-9129
     - Patches are available!

  21. Key Reuse
     - Maintaining individual key pairs for all variants of IKE?
     - Common practice: A single RSA key pair
     - Actual security depends on
       - cross-ciphersuite,
       - cross-version, and
       - cross-protocol security

  22. Bleichenbacher's Attack & Signatures
     - For RSA:
       - A decryption & creating a signature is the same operation
       - Bleichenbacher's attack can forge a signature
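
An inventory check for the reuse patterns named on slides 19, 21 and 22, added here as an example and not taken from the talk or the paper. The inventory format, field names, device names and toy moduli are constructed assumptions; cross-protocol reuse outside IKE is not modelled.

```python
import hashlib
from collections import defaultdict

ENCRYPTION_MODES = {"pke", "rpke"}   # IKEv1 modes that decrypt with the RSA key
SIGNATURE_MODES = {"signature"}      # IKEv1/IKEv2 modes that sign with it

def fingerprint(n, e):
    """Short stable identifier for an RSA public key (modulus n, exponent e)."""
    return hashlib.sha256(f"{n:x}:{e:x}".encode()).hexdigest()[:16]

def audit(inventory):
    """Return {fingerprint: [findings]} for keys used in more than one role or place."""
    uses = defaultdict(list)
    for entry in inventory:
        uses[fingerprint(entry["n"], entry["e"])].append(entry)
    report = {}
    for fp, entries in uses.items():
        modes = {x["auth"] for x in entries}
        versions = {x["ike"] for x in entries}
        devices = {x["device"] for x in entries}
        findings = []
        if modes & ENCRYPTION_MODES and modes & SIGNATURE_MODES:
            findings.append("encrypt+sign")       # slide 22: one key decrypts and signs
        if len(versions) > 1:
            findings.append("cross-version")      # slide 21: IKEv1 and IKEv2 share it
        if len(devices) > 1 and modes & ENCRYPTION_MODES:
            findings.append("shared-responders")  # slide 19: several responders, one key
        if findings:
            report[fp] = findings
    return report

# Constructed inventory; device names and the tiny moduli are placeholders.
INVENTORY = [
    {"device": "gw-a", "ike": "v1", "auth": "pke", "n": 3233, "e": 17},
    {"device": "gw-a", "ike": "v2", "auth": "signature", "n": 3233, "e": 17},
    {"device": "gw-b", "ike": "v1", "auth": "pke", "n": 3233, "e": 17},
    {"device": "gw-c", "ike": "v2", "auth": "signature", "n": 8633, "e": 17},
]

if __name__ == "__main__":
    for fp, findings in audit(INVENTORY).items():
        print(fp, findings)
```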

  23. Attack Against IKEv2 With Signatures
     - Signature Based Authentication
     - Supported by IKEv1 and IKEv2
     - IKEv2 on Cisco router: 4 minutes time
     - For Cisco: Simulation succeeds in 22% of attacks
     - Real hardware again lacks performance

  24. Additional Contributions In The Paper
     - A dictionary attack against PSK authentication in main mode (CVE-2018-5389)
     - Message flow diagrams of all IKE variants
     - Description of the oracles in Huawei's, Clavister's, and ZyXEL's implementations
     - Description of our parallelized Bleichenbacher attacker

  25. Questions?
     Dennis Felsch
     Ruhr University Bochum, Horst Görtz Institute for IT-Security, Chair for Network and Data Security
     dennis.felsch@rub.de
     @dfelsch
     https://web-in-security.blogspot.de
