TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS
Olivier Levillain, Baptiste Gourdin, Hervé Debar
ANSSI, Sekoia, Télécom SudParis
ASIACCS 2015
Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol Security Analysis and Countermeasures 1 / 31
TLS in a nutshell

Handshake (cleartext until ChangeCipherSpec, ciphertext afterwards):
  Client -> Server: ClientHello
  Server -> Client: ServerHello, Certificate, ServerHelloDone
  Client -> Server: ClientKeyExchange, ChangeCipherSpec, Finished
  Server -> Client: ChangeCipherSpec, Finished
  Client <-> Server: Application Data

Two phases
◮ secure channel establishment
  ◮ algorithm negotiation
  ◮ server authentication
  ◮ key exchange to obtain a shared secret
◮ application data exchanges using this channel

This talk focuses on the second phase, the Record Protocol
TLS Record Protocol

After the handshake, records can be protected using 3 different schemes:

  Plaintext P, |P| < 2^14
  Compression (optional) gives compressed C, |C| < |P| + 1024

  Stream cipher mode: MAC'ed then Encrypted record
    C || MAC, then encryption (XOR with the keystream)
  CBC mode: MAC'ed then Padded then Encrypted record
    C || MAC || Padding, then encryption (CBC)
  AEAD mode: Authenticated and Encrypted record
    a single AEAD step over the data, with the associated data (ad) bound to it
Well, it all started... in 2011
◮ 2011: BEAST
  ◮ CBC mode with implicit IV
◮ 2012: CRIME (followed by TIME and BREACH)
  ◮ compression attacks
◮ 2013 - 2014: Lucky13 (followed by POODLE)
  ◮ CBC padding attacks
◮ 2014: RC4 biases (no real name)
  ◮ RC4 statistical biases
The cookie monsters
◮ BEAST, TIME, CRIME, BREACH, Lucky13, POODLE, RC4 biases, ...
◮ all the PoCs went after cookies
◮ all rely on having the cookie repeated inside the TLS channel
Model
  Web Client (Chrome, Firefox, IE, ...) <-- HTTP + SSL/TLS --> Web Server (Apache2, IIS, Nginx)
  Web Server <-> Web Application (PHP, Python, NodeJS, ...), serving the Application page (Django, ...)
  Session Cookie: carried between the Web Client and the Web Server
RFC6265: HTTP State Management Mechanism

  Server application: setcookie('session_id', 'C564A5F3EB', httponly, secure)
  Server -> Web Client: Set-Cookie: session_id=C564A5F3EB; httponly; secure
  Web Client -> Server: Cookie: session_id=C564A5F3EB
  Server application: $_COOKIE['session_id'] contains 'C564A5F3EB'
  Web Client -> Server: Cookie: session_id=C564A5F3EB
  Server application: $_COOKIE['session_id'] contains 'C564A5F3EB'
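The cookie exchange on this slide, as an added example that is not part of the slides or the authors' code: a minimal RFC 6265 Set-Cookie parser together with the two client-side decisions that matter for a session cookie, whether it is sent over a non-HTTPS request ("secure") and whether page scripts can read it ("httponly"). The header values are taken from the slide; the function names are this example's own.

```python
def parse_set_cookie(header):
    """Parse a Set-Cookie header value 'name=value; attr; attr=value' into
    (name, value, attrs).  Attribute names are case-insensitive in RFC 6265,
    so they are stored lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def cookie_header(cookies, scheme):
    """Value of the Cookie header a client sends over `scheme` ('http' or
    'https'): cookies flagged secure are withheld from non-HTTPS requests.
    `cookies` is a list of (name, value, attrs) tuples as returned above."""
    sent = [f"{n}={v}" for n, v, a in cookies
            if scheme == "https" or "secure" not in a]
    return "; ".join(sent)


def script_visible(cookies):
    """Names of cookies page scripts could read via document.cookie
    (those without the httponly flag)."""
    return [n for n, _, a in cookies if "httponly" not in a]


if __name__ == "__main__":
    # Constructed values: the session cookie from the slide plus a plain preference cookie.
    jar = [parse_set_cookie("session_id=C564A5F3EB; httponly;secure"),
           parse_set_cookie("theme=dark; Path=/")]
    print("over https:", cookie_header(jar, "https"))
    print("over http: ", cookie_header(jar, "http"))
    print("visible to scripts:", script_visible(jar))
```

Note that the secure flag only decides where the cookie is sent; every HTTPS request still carries the same session_id value, which is exactly the repetition inside the TLS channel that the previous slides point to.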
Attacker Model
  Web Client (Chrome, Firefox, IE, ...) <-- HTTP + SSL/TLS --> Web Server (Apache2, IIS, Nginx)
  Web Server <-> Web Application (PHP, Python, NodeJS, ...), serving the Application page (Django, ...)
  Attacker: placed on the HTTP + SSL/TLS link, and serving an Attacker page to the Web Client alongside the Application page
Summary of the proposed countermeasures

  Countermeasures                                   BEAST  Lucky13  RC4  *IME  POODLE
  Structural changes to TLS
    Use TLS 1.0                                                                  +
    Use TLS 1.1                                        +                         +
    Encrypt-then-MAC                                           +
  Changes related to TLS ciphersuites or compression methods
    Use CBC mode                                                       +
    Use RC4                                            +       +                 +
    Use a new stream cipher                            +       +       +         +
    Use AEAD (TLS 1.2)                                 +       +       +         +
    No TLS compression                                                      +
  Changes related to TLS implementations
    1/n-1 split                                        +
    Constant-time CBC                                          +
    Anti-POODLE splitting                                                        +
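The record protection schemes from the "TLS Record Protocol" slide and the implementation-level rows of this table, as an added example that is not part of the slides or the authors' code: the MAC-then-encrypt layout of a TLS 1.0-1.2 record (HMAC over sequence number, header and fragment, then CBC padding or a keystream XOR), the 1/n-1 record split used against BEAST, and a CBC receiver that returns early on bad padding next to one that follows the RFC 5246 advice of always computing the MAC and reporting a single error. The keys, sequence numbers and keystream are constructed test values, the function names are this example's own, and the block cipher itself is left out (there is no AES in the Python standard library), so the CBC path stops at the padded, MAC'ed data.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for HMAC-SHA1 ciphersuites
MAX_FRAGMENT = 1 << 14                 # TLS bounds a record's plaintext by 2^14 bytes
TLS_1_0 = 0x0301
APPLICATION_DATA = 23                  # record content type


def tls_mac(mac_key, seq_num, content_type, version, fragment):
    """Record MAC of TLS 1.0-1.2 (MAC-then-encrypt): HMAC over the 64-bit
    sequence number, the record header (type, version, length) and the fragment."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def cbc_pad(data, block_size=16):
    """TLS CBC padding: pad_len + 1 bytes, each equal to pad_len, so that the
    result is a multiple of the block size (RFC 5246, section 6.2.3.2)."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)


def protect_cbc(mac_key, seq_num, content_type, version, plaintext, block_size=16):
    """'MAC'ed then padded then encrypted': returns the block-aligned bytes the
    CBC layer would encrypt (the block cipher is left out of this example)."""
    if len(plaintext) > MAX_FRAGMENT:
        raise ValueError("fragment too large")
    mac = tls_mac(mac_key, seq_num, content_type, version, plaintext)
    return cbc_pad(plaintext + mac, block_size)


def protect_stream(mac_key, seq_num, content_type, version, plaintext, keystream):
    """'MAC'ed then encrypted' with a stream cipher: (plaintext || MAC) XOR keystream.
    The keystream is supplied by the caller (a constructed value in the test)."""
    data = plaintext + tls_mac(mac_key, seq_num, content_type, version, plaintext)
    if len(keystream) < len(data):
        raise ValueError("keystream too short")
    return bytes(a ^ b for a, b in zip(data, keystream))


def split_1_n_minus_1(plaintext):
    """BEAST countermeasure ('1/n-1 split'): the first byte of each application
    write goes into its own record, so the block that follows no longer starts
    at a boundary the attacker can line up under an implicit IV."""
    return [plaintext] if len(plaintext) <= 1 else [plaintext[:1], plaintext[1:]]


def _padding_ok(decrypted, pad_len):
    return (pad_len + 1 + MAC_LEN <= len(decrypted)
            and all(b == pad_len for b in decrypted[len(decrypted) - pad_len - 1:]))


def _split_decrypted(decrypted, pad_len):
    body = decrypted[:len(decrypted) - pad_len - 1]
    return body[:len(body) - MAC_LEN], body[len(body) - MAC_LEN:]


def unprotect_cbc_early_exit(mac_key, seq_num, content_type, version, decrypted):
    """Receiver that stops as soon as the padding is wrong: a distinct error and
    no MAC computation, i.e. the observable difference CBC padding attacks use."""
    pad_len = decrypted[-1]
    if not _padding_ok(decrypted, pad_len):
        return False, "bad_padding"
    fragment, mac = _split_decrypted(decrypted, pad_len)
    if not hmac.compare_digest(mac, tls_mac(mac_key, seq_num, content_type, version, fragment)):
        return False, "bad_mac"
    return True, fragment


def unprotect_cbc_uniform(mac_key, seq_num, content_type, version, decrypted):
    """Receiver following the RFC 5246 advice: on bad padding continue as if the
    padding were zero-length, verify the MAC anyway and report one generic error.
    This removes the early exit; a genuinely constant-time CBC receiver (the
    'Constant-time CBC' row) also has to make the MAC computation time independent
    of pad_len, which this simple version does not attempt."""
    if len(decrypted) < MAC_LEN + 1:
        return False, b""
    pad_len = decrypted[-1]
    pad_ok = _padding_ok(decrypted, pad_len)
    fragment, mac = _split_decrypted(decrypted, pad_len if pad_ok else 0)
    mac_ok = hmac.compare_digest(mac, tls_mac(mac_key, seq_num, content_type, version, fragment))
    ok = pad_ok and mac_ok
    return ok, (fragment if ok else b"")


if __name__ == "__main__":
    key = b"k" * 20                                   # constructed MAC key
    request = b"Cookie: session_id=C564A5F3EB"        # the request line from the cookie slide
    rec = protect_cbc(key, 0, APPLICATION_DATA, TLS_1_0, request)
    print("CBC input length:", len(rec), "padding byte:", rec[-1])
    print("1/n-1 split:", split_1_n_minus_1(request))
    print("uniform receiver:", unprotect_cbc_uniform(key, 0, APPLICATION_DATA, TLS_1_0, rec))
```

The two receivers accept and reject the same records; the difference is only in what a remote observer can learn from a rejection, which is the whole point of the "Constant-time CBC" row.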
Summary
◮ Since 2011, seven attacks affecting the Record Protocol