THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE
Dennis Felsch (1), Martin Grothe (1), Jörg Schwenk (1), Adam Czubak (2), Marcin Szymanek (2)
(1) Ruhr University Bochum, Germany; (2) University of Opole, Poland
27th USENIX Security Symposium, 08/16/2018

VPNs (Virtual Private Networks)
[Figure: network diagram with the labels Internet and 4G/LTE]
Icons from KDE Oxygen theme licensed under GNU LGPLv3, http://www.kde.org/

IPsec (Internet Protocol Security)
[Figure: protocol stacks of two hosts with the layers Application (Data), Transport (TCP/UDP), IPsec, Internet (IP), Network Access]
- IPsec provides integrity, authenticity, confidentiality

IKE (Internet Key Exchange)
- The handshake protocol of IPsec
- Standardized in two major versions
  - IKEv1: Published in 1998, declared obsolete by the IETF, nevertheless included in all implementations
  - IKEv2: Published in 2005, current version

IKEv1
[Figure: IKEv1 at the application layer, carried over UDP (Transport) and IP (Internet) above Network Access. Handshake phases: Negotiation (2 msg), Key Agreement (2 msg), Key Confirmation (2 msg); label: Authentication]

IKEv1 Protocol Flow
Initiator -> Responder: m1 = {proposals}
Responder -> Initiator: m2 = selected proposal
Initiator -> Responder: m3 = g^x, anc. data
Responder -> Initiator: m4 = g^y, anc. data
Initiator: 1. Key derivation, 2. Compute MAC_I
Responder: 1. Key derivation, 2. Compute MAC_R
Initiator -> Responder: m5 = Enc(MAC_I | data)
Responder -> Initiator: m6 = Enc(MAC_R | data)
Initiator: 3. Decrypt m6, 4. Verify MAC_R
Responder: 3. Decrypt m5, 4. Verify MAC_I

IKEv1 Authentication Methods
1. PSK (Pre-Shared-Key)
2. Digital Signatures
3. Public Key Encryption (PKE)
4. Revised Public Key Encryption (RPKE)
[Figure: handshake phases Negotiation (2 msg), Key Agreement (2 msg), Key Confirmation (2 msg); label: Authentication]

IKEv1 Protocol Flow With PKE Authentication
Initiator -> Responder: m1 = {proposals}
Responder -> Initiator: m2 = selected proposal
Initiator -> Responder: m3 = g^x, Enc_pk(n_I)   (in place of: m3 = g^x, anc. data)
Responder -> Initiator: m4 = g^y, Enc_pk(n_R)   (in place of: m4 = g^y, anc. data)
Initiator: 1. Key derivation, 2. Compute MAC_I
Responder: 1. Key derivation, 2. Compute MAC_R
Initiator -> Responder: m5 = Enc(MAC_I | data)
Responder -> Initiator: m6 = Enc(MAC_R | data)
Initiator: 3. Decrypt m6, 4. Verify MAC_R
Responder: 3. Decrypt m5, 4. Verify MAC_I

What if implementations contained Bleichenbacher oracles?

Bleichenbacher’s Attack In Two Slides
- Padding oracle attack
- RSA PKCS#1 v1.5 encryption padding:
- Attack requires oracle that tells if padding is valid

Bleichenbacher’s Attack In Two Slides
[Figure: Sender sends m to Receiver; Attacker sends m', m'', … to Receiver and gets valid / invalid back for each]
- Leaks the plaintext of message m to the attacker

Attack Idea On IKEv1 With PKE Authentication
[Figure: message sequence between Responder A, Attacker and Responder B]
- m1, m2, m3
- m4 = Enc_pkB(n_RA), …
- Keep A waiting
- Decrypt n_RA
- Derive keys
- m5, m6
- Attacker impersonates Responder B!

Where To Find The PKE And RPKE Modes?
- Cisco includes PKE authentication in IOS
- Huawei includes RPKE in some security appliances
- Implementations in Clavister’s cOS and ZyXEL’s ZyWALL USG devices broken

Case Study: Bleichenbacher Oracle In Cisco IOS 1/3
- Test device: Cisco ASR 1001-X router
- IOS XE 03.16.02.S

Case Study: Bleichenbacher Oracle In Cisco IOS 2/3
[Figure: message sequence between Initiator and Cisco IOS]
- Initiator sends m1 = proposal with PKE; IOS answers m2 = proposal with PKE
- m3 with valid padding: IOS answers m4
- m3 with invalid padding: wait 1 second, then IOS sends m2 = proposal with PKE

Case Study: Bleichenbacher Oracle In Cisco IOS 3/3
- IOS cancels IKEv1 handshake after 60 seconds at the latest
- Public key 1024 bits ⇒ ~850 responses per second
- 60 ∙ 850 = 51,000 requests per handshake
- Empirical study with a simulator: 26 % of attacks require less than 51,000 requests

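The valid/invalid distinction that forms the oracle in the case study above, as an added Python example (not code from the talk or from any vendor): a PKCS#1 v1.5 encryption-padding check, a responder that answers only for valid padding, and one that answers uniformly by substituting a random nonce, the generic countermeasure known from TLS (RFC 5246, section 7.4.7.1). The function names, the 16-byte nonce length and the sample blocks are assumptions constructed for this example.

```python
import os

NONCE_LEN = 16  # assumed nonce length for this example

def pkcs1_v15_unpad(em: bytes):
    """Payload of a conforming PKCS#1 v1.5 encryption block
    (00 02 | >=8 nonzero padding bytes | 00 | payload), else None."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator (-1) or fewer than 8 padding bytes
        return None
    return em[sep + 1:]

def leaky_responder(block: bytes):
    """Case-study behaviour: m4 only for valid padding, silence otherwise."""
    nonce = pkcs1_v15_unpad(block)
    if nonce is None:
        return None, None
    return "m4", nonce

def uniform_responder(block: bytes):
    """Always answers m4. A bad block is replaced by a random nonce, so the
    failure only shows up later, at MAC verification of m5/m6.
    A real implementation must also make both paths take equal time;
    Python gives no such guarantee."""
    nonce = pkcs1_v15_unpad(block)
    if nonce is None or len(nonce) != NONCE_LEN:
        nonce = os.urandom(NONCE_LEN)
    return "m4", nonce

def wire_views(responder, blocks):
    """Set of distinct replies visible on the wire across all blocks."""
    return {responder(b)[0] for b in blocks}

# Constructed decrypted blocks (what RSA decryption of m3 would hand over).
GOOD = b"\x00\x02" + b"\x11" * 8 + b"\x00" + b"\xaa" * NONCE_LEN
SAMPLES = [
    GOOD,
    b"\x00\x01" + GOOD[2:],                               # wrong block type
    b"\x00\x02" + b"\x11" * 3 + b"\x00" + b"\xaa" * 20,   # padding too short
    b"\x00\x02" + b"\x11" * 30,                           # no separator
]

if __name__ == "__main__":
    print("leaky  :", wire_views(leaky_responder, SAMPLES))    # two outcomes
    print("uniform:", wire_views(uniform_responder, SAMPLES))  # one outcome
```

An implementation is free of this oracle only if every observable (reply, error, timing, retransmission) is the same for all four sample blocks.
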
Cisco IOS – Simulator vs. Real Hardware
- Cisco’s IKE handshake implementation is not optimized for throughput
- Cryptographic calculations for IKE are done by CPU
- m1/m2 negotiations take a lot of time
- Decryption attack with 19,000 requests took 13 minutes

Cisco IOS – Is An Attack Realistic?
- A too slow attack does not permanently lock out attackers
- Still dangerous if the victim has deployed multiple responders sharing one key pair, e.g. for load balancing

Bleichenbacher Oracles In (R)PKE Implementations
- Cisco: CVE-2018-0131
- Huawei: CVE-2017-17305
- Clavister: CVE-2018-8753
- ZyXEL: CVE-2018-9129
- Patches are available!

Key Reuse
- Maintaining individual key pairs for all variants of IKE?
- Common practice: A single RSA key pair
- Actual security depends on cross-ciphersuite, cross-version, and cross-protocol security

Bleichenbacher’s Attack & Signatures
- For RSA: A decryption & creating a signature is the same operation
- Bleichenbacher’s attack can forge a signature

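Why a single RSA key pair carries a decryption-side weakness over to signature authentication, as an added Python example (not from the talk): decryption and signing call the same private-key operation, so a value run through "decryption" verifies as a signature under the shared key, but not under a dedicated signing key. The toy keys built from Mersenne primes, the function names and the message are constructed for illustration.

```python
import hashlib

E = 65537
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def toy_key(p_exp, q_exp):
    """Constructed demo key (n, d) from two Mersenne primes; not secure."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def k_bytes(n):
    return (n.bit_length() + 7) // 8

def sig_encoding(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, as a k-byte integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def private_op(x, key):
    """The one RSA private-key operation: x^d mod n."""
    n, d = key
    return pow(x, d, n)

def decrypt_raw(ciphertext, key):      # PKE side, before unpadding
    return private_op(ciphertext, key)

def sign(message, key):                # signature authentication side
    return private_op(sig_encoding(message, k_bytes(key[0])), key)

def verify(message, sig, n):
    return pow(sig, E, n) == sig_encoding(message, k_bytes(n))

def decryption_verifies_as_signature(message, pke_key, sig_n):
    """Run the signature encoding of `message` through the PKE key's
    decryption operation and check the result under modulus sig_n."""
    x = sig_encoding(message, k_bytes(pke_key[0]))
    return verify(message, decrypt_raw(x, pke_key), sig_n)

SHARED = toy_key(521, 607)        # one key pair for PKE and signatures
SIG_ONLY = toy_key(1279, 2203)    # dedicated signing key

if __name__ == "__main__":
    msg = b"constructed handshake data"
    print(decryption_verifies_as_signature(msg, SHARED, SHARED[0]))    # True
    print(decryption_verifies_as_signature(msg, SHARED, SIG_ONLY[0]))  # False
```
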
Attack Against IKEv2 With Signatures
- Signature Based Authentication
  - Supported by IKEv1 and IKEv2
- IKEv2 on Cisco router: 4 minutes time
- For Cisco: Simulation succeeds in 22% of attacks
- Real hardware again lacks performance

Additional Contributions In The Paper
- A dictionary attack against PSK authentication in main mode (CVE-2018-5389)
- Message flow diagrams of all IKE variants
- Description of the oracles in Huawei’s, Clavister’s, and ZyXEL’s implementations
- Description of our parallelized Bleichenbacher attacker

Questions?
Dennis Felsch
Ruhr University Bochum
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
dennis.felsch@rub.de
@dfelsch
https://web-in-security.blogspot.de