
Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH - PowerPoint PPT Presentation

Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH. G. Leurent, K. Bhargavan (Inria). Dagstuhl 16012. Sections: Introduction, Client Authentication, Downgrade Attack, Channel Binding, Conclusion. Slide 1 / 20.


  1. Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH
     Gaëtan Leurent, Karthikeyan Bhargavan (Inria, France)
     Dagstuhl Seminar 16012, Symmetric Cryptography

  2. Key exchange protocols: Diffie-Hellman key exchange
     A → B: $g^x \bmod p$
     B → A: $g^y \bmod p$
     Both sides compute $k = \mathrm{kdf}(g^{xy} \bmod p)$.

  3. Diffie-Hellman key exchange broken by a Man in the Middle
     A → MitM: $g^x$;  MitM → B: $g^{x'}$
     B → MitM: $g^y$;  MitM → A: $g^{y'}$
     A computes $k_A = \mathrm{kdf}(g^{xy'})$, B computes $k_B = \mathrm{kdf}(g^{x'y})$.
     The MitM knows both $k_A$ and $k_B$ and forwards messages between the two.

  4. SIGMA protocol: authenticated DH (in practice) [Krawczyk '03]
     A → B: $m_1 = g^x$;  B → A: $m_2 = g^y$;  both compute $k = \mathrm{kdf}(g^{xy})$
     A → B: $\mathrm{sign}(sk_A, m_1 \| m_2),\ \mathrm{mac}(k, A)$
     B → A: $\mathrm{sign}(sk_B, m_1 \| m_2),\ \mathrm{mac}(k, B)$
     ▶ Add a PKI: A knows $sk_A$ and $pk_B$, B knows $sk_B$ and $pk_A$
     ▶ Sign the transcript, prove knowledge of $k$

  5. SIGMA protocol: authenticated DH (in practice) [Krawczyk '03]
     A → B: $m_1 = g^x, \mathit{info}_A$;  B → A: $m_2 = g^y, \mathit{info}_B$;  both compute $k = \mathrm{kdf}(g^{xy})$
     A → B: $\mathrm{sign}(sk_A, h(m_1 \| m_2)),\ \mathrm{mac}(k, A)$
     B → A: $\mathrm{sign}(sk_B, h(m_1 \| m_2)),\ \mathrm{mac}(k, B)$
     ▶ Add info for parameter negotiation (flexible format)
     ▶ The signature uses a hash function (hash-and-sign)

  6–8. Weak Hash Functions in Internet Protocols
     ▶ Security proofs assume collision resistance.
     ▶ In practice, many protocols support weak functions
       ▶ TLS ≤ 1.1 uses combinations of MD5 and SHA-1
       ▶ IKE and SSH use SHA-1 (MD5 in some cases)
       ▶ Hash-function negotiation for the signature was added in TLS 1.2 (2008)
         ▶ Introduces MD5 as an option...
     How bad is it?
       ▶ HMAC-MD5 is still mostly secure
       ▶ In most cases, the hash includes fresh nonces

  9. MD5 AND SHA1 ARE BROKEN? WE PROBABLY DON'T NEED COLLISION RESISTANCE

  10. Outline
     ▶ We show a class of transcript collision attacks
       ▶ a man-in-the-middle can tamper with the key-exchange messages
       ▶ if the messages collide, the signature is still valid
     ▶ Applications to TLS, IKE, SSH key exchange
     ▶ Main results: SLOTH attack
       ▶ Almost practical client impersonation for TLS 1.2 with MD5
       ▶ Almost practical break of tls-unique channel binding (credential forwarding attack on client authentication mechanisms)

  11. Man-in-the-Middle attack against SIGMA'
     The MitM finds $x', y', \mathit{info}'_A, \mathit{info}'_B$ such that
       $h(g^x \| \mathit{info}_A \| g^{y'} \| \mathit{info}'_B) = h(g^{x'} \| \mathit{info}'_A \| g^y \| \mathit{info}_B)$
     A → MitM: $m_1 = g^x, \mathit{info}_A$;  MitM → B: $m'_1 = g^{x'}, \mathit{info}'_A$
     B → MitM: $m_2 = g^y, \mathit{info}_B$;  MitM → A: $m'_2 = g^{y'}, \mathit{info}'_B$
     so that $h(m_1 \| m'_2) = h(m'_1 \| m_2)$.
     A → MitM: $\mathrm{sign}(sk_A, m_1 \| m'_2),\ \mathrm{mac}(g^{xy'}, A)$;  MitM → B: $\mathrm{sign}(sk_A, m'_1 \| m_2),\ \mathrm{mac}(g^{x'y}, A)$
     B → MitM: $\mathrm{sign}(sk_B, m'_1 \| m_2),\ \mathrm{mac}(g^{x'y}, B)$;  MitM → A: $\mathrm{sign}(sk_B, m_1 \| m'_2),\ \mathrm{mac}(g^{xy'}, B)$
     The MitM forwards A's and B's signatures unchanged: since the two transcript hashes collide, each signature verifies against the other party's view of the transcript, and the MitM computes both MACs from the keys it shares with A and B.

  12. Transcript collisions
     Find $x', y', \mathit{info}'_A, \mathit{info}'_B$ such that
       $h(g^x \| \mathit{info}_A \| g^{y'} \| \mathit{info}'_B) = h(g^{x'} \| \mathit{info}'_A \| g^y \| \mathit{info}_B)$
     1. If $g^y$ and $\mathit{info}_B$ are predictable: generic collision attack
        ▶ Complexity $2^{64}$ for MD5

  13. Transcript collisions
     Find $x', y', \mathit{info}'_A, \mathit{info}'_B$ such that
       $h(g^x \| \mathit{info}_A \| g^{y'} \| \mathit{info}'_B) = h(g^{x'} \| \mathit{info}'_A \| g^y \| \mathit{info}_B)$
     2. If there are no message boundaries in the concatenation
        ▶ Assume that garbage after info is ignored
        ▶ Impersonate B with:
          $T_A = m_1 \| m'_2 = g^x \| \mathit{info}_A \| g^{y'} \| \underbrace{\mathit{info}_M \| g^y \| \mathit{info}_B}_{\mathit{info}'_B}$
          $T_B = m'_1 \| m_2 = g^x \| \underbrace{\mathit{info}_A \| g^{y'} \| \mathit{info}_M}_{\mathit{info}'_A} \| g^y \| \mathit{info}_B$  (with $x' = x$)
        ▶ Forward the signatures, compute A's key with $g^{y'}$ (the MitM chose $y'$)

  14. Transcript collisions
     Find $x', y', \mathit{info}'_A, \mathit{info}'_B$ such that
       $h(g^x \| \mathit{info}_A \| g^{y'} \| \mathit{info}'_B) = h(g^{x'} \| \mathit{info}'_A \| g^y \| \mathit{info}_B)$
     3. If messages are prefixed by their length
        ▶ Assume that garbage after info is ignored
        ▶ Use a chosen-prefix collision attack:
          $T_A = m_1 \| m'_2 = g^x \| \mathit{len}_A \| \mathit{info}_A \| g^{y'} \| \mathit{len}'_B \| C_1 \| g^y \| \mathit{len}_B \| \mathit{info}_B$
          $T_B = m'_1 \| m_2 = g^{x'} \| \mathit{len}'_A \| C_2 \| g^y \| \mathit{len}_B \| \mathit{info}_B$
          where $C_1$ (inside $\mathit{info}'_B$) and $C_2$ ($= \mathit{info}'_A$) are the collision blocks, computed for the two distinct prefixes before $g^y$ is known; the common suffix $g^y \| \mathit{len}_B \| \mathit{info}_B$ preserves the collision for an iterated hash such as MD5 or SHA-1.
        ▶ Cost ≈ $2^{39}$ for MD5 (1 hour on 48 cores) [Stevens et al. '09]
        ▶ Cost ≈ $2^{77}$ for SHA-1 or MD5 ‖ SHA-1 [Stevens '13, Joux '04]
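The difference between cases 2 and 3 above, as an added example that is not from the slides: under the unframed encoding of slide 13 the two transcripts $T_A$ and $T_B$ are the same byte string, so any hash (SHA-256 here) agrees on them without any weakness in the hash, whereas under the length-prefixed encoding of slide 14 the same construction yields different strings and the MitM is left needing a genuine chosen-prefix collision in $h$. The share length, the info strings and the lenient parser are constructed assumptions of this example.

```python
import hashlib

# Constructed sample values: fixed-length DH shares, so a receiver knows where 'info' begins.
SHARE_LEN = 4
G_X, INFO_A = b"\x00\x00\x00\x07", b"A:aes-gcm"      # honest A's share and info
G_Y, INFO_B = b"\x00\x00\x00\x0b", b"B:aes-gcm"      # honest B's share and info
G_Y_M, INFO_M = b"\x00\x00\x00\x03", b"M:aes-gcm"    # the MitM's own share g^y' and info

def h(t: bytes) -> str:
    # Any hash works here: the slide-13 collision lives in the encoding, not in the hash.
    return hashlib.sha256(t).hexdigest()

def unframed(share: bytes, info: bytes) -> bytes:
    # Slide 13 encoding: share || info with no boundary; the parser ignores trailing bytes.
    return share + info

def framed(share: bytes, info: bytes) -> bytes:
    # Slide 14 encoding: share || len(info) || info.
    return share + len(info).to_bytes(2, "big") + info

def parse_unframed(msg: bytes, info_len: int) -> tuple:
    # A lenient receiver: take the share and the info it expects, ignore the rest.
    return msg[:SHARE_LEN], msg[SHARE_LEN:SHARE_LEN + info_len]

def mitm_transcripts(encode):
    """Build T_A = m_1 || m'_2 (what A signs) and T_B = m'_1 || m_2 (what B verifies)
    the slide-13 way, under the given message encoding."""
    m1 = encode(G_X, INFO_A)                          # genuine, from A
    m2 = encode(G_Y, INFO_B)                          # genuine, from B
    m2_prime = encode(G_Y_M, INFO_M + m2)             # to A: info'_B = info_M || m_2
    m1_prime = encode(G_X, INFO_A + G_Y_M + INFO_M)   # to B: x' = x, info'_A = info_A || g^y' || info_M
    return m1 + m2_prime, m1_prime + m2

def transcripts_collide(encode) -> bool:
    t_a, t_b = mitm_transcripts(encode)
    return h(t_a) == h(t_b)

def views_under_unframed() -> tuple:
    """What A and B actually parse from the MitM's messages in the unframed case."""
    m2_prime = unframed(G_Y_M, INFO_M + unframed(G_Y, INFO_B))
    m1_prime = unframed(G_X, INFO_A + G_Y_M + INFO_M)
    return parse_unframed(m2_prime, len(INFO_M)), parse_unframed(m1_prime, len(INFO_A))

if __name__ == "__main__":
    print("unframed transcripts collide:", transcripts_collide(unframed))   # True, for free
    print("framed transcripts collide:  ", transcripts_collide(framed))     # False: needs a real collision
```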

  15. TLS 1.2

  16. TLS 1.2
     ▶ The server signs only the nonces and DH parameters (not the transcript)
       ▶ Cannot use transcript collisions for server impersonation
       ▶ On the other hand, this allows Logjam
       ▶ In the proposed TLS 1.3 draft, the server signs the transcript
     ▶ The client sends $g^x$ and its signature together
       ▶ No flexible message after sending $g^x$
       ▶ The SIGMA attack is not applicable

  17. Outline
     ▶ Introduction
     ▶ Breaking Client Authentication
     ▶ Downgrade Attack
     ▶ Breaking Channel Binding
     ▶ Conclusion

  18. Breaking client authentication in TLS 1.2
     ▶ Assume the client connects to M and authenticates with a certificate that is also used for S.
     ▶ We make the client DH share predictable in a bogus group
       ▶ With $p = g^2 - g$ (not prime), $\forall x,\ g^x \equiv g \pmod p$
     ▶ We can stuff data in
       ▶ ClientHello extensions (C → S)
       ▶ CertificateRequest list of accepted CAs (S → C)
     $T_C = \mathrm{CH} \| \mathrm{SH}' \| \mathrm{SC}' \| \mathrm{SKE}' \| \mathrm{SCR}(C_1, \mathrm{SH} \| \mathrm{SC} \| \mathrm{SKE} \| \mathrm{SCR})$
     $T_S = \mathrm{CH}(n_C, C_2) \| \mathrm{SH} \| \mathrm{SC} \| \mathrm{SKE} \| \mathrm{SCR}$
     ($T_C$ is the transcript the client signs, $T_S$ the one S verifies; CH = ClientHello, SH = ServerHello, SC = server Certificate, SKE = ServerKeyExchange, SCR = server CertificateRequest; primed messages are M's own, $n_C$ is the client nonce, and $C_1$, $C_2$ are the collision blocks placed in the stuffable fields.)
     ▶ Forward the client signature, finish the connection with known DH keys
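The bogus-group trick above, as an added example not from the slides: with $p = g^2 - g$ the value $g^x \bmod p$ no longer depends on $x$, and a client-side parameter check (fixed-point test, primality, generator range) rejects such a group before any share is computed. The Miller-Rabin routine, the toy parameter values and the function names are assumptions of this example; a real check would also enforce a minimum modulus size.

```python
import random

def bogus_modulus(g: int) -> int:
    # Slide 18: p = g^2 - g.  Then g^2 = g (mod p), so by induction g^x = g (mod p)
    # for every x >= 1: the client's share no longer depends on x and is predictable.
    return g * g - g

def share_is_fixed(g: int, p: int, trials: int = 64) -> bool:
    # Empirical check: for random exponents, does g^x mod p ever move off g?
    return all(pow(g, random.randrange(1, 1 << 256), p) == g % p for _ in range(trials))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin primality test (an assumption of this example, not the slides').
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(p: int, g: int) -> str:
    """Checks a client should run on server-supplied (p, g) before computing a share.
    Returns 'ok' or the reason for rejecting the group (modulus size is ignored in this toy)."""
    if pow(g, 2, p) == g % p:               # slide 18's group fails here, before any primality test
        return "g^2 = g: share is independent of the exponent"
    if not is_probable_prime(p):
        return "p is not prime"
    if not 1 < g < p - 1:
        return "generator out of range"
    return "ok"

if __name__ == "__main__":
    g = 1000003
    p = bogus_modulus(g)
    print("share fixed to g:", share_is_fixed(g, p), "->", check_dh_params(p, g))
    print("honest toy group (23, 5):", check_dh_params(23, 5))
```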

  19. Breaking client authentication in TLS 1.2 (figure)
