Systematization of Knowledge Lessons Learned From SSL/TLS Attacks

Transcription

1 Systematization of Knowledge Lessons Learned From SSL/TLS Attacks Source:

2 Source:

3 Source:

4 What if we don't even need the private key? 4

5 Nearly 20 years of SSL/TLS 5

6 Nearly 20 years of SSL/TLS Some key data Invented in

7 Nearly 20 years of SSL/TLS Some key data Invented in 1994 Evolutionary development 7

8 Nearly 20 years of SSL/TLS Some key data Invented in 1994 Evolutionary development 5 official and 1 unpublished revision SSL 2.0, SSL 3.0 TLS 1.0, TLS 1.1, TLS 1.2 SSL 1.0 8

9 Nearly 20 years of SSL/TLS Some key data Invented in 1994 Evolutionary development 5 official and 1 unpublished revision SSL 2.0, SSL 3.0 TLS 1.0, TLS 1.1, TLS 1.2 SSL 1.0 ~ 39 theoretical and practical attacks so far 9

10 Timeline 10

11 Contribution 11

12 Contribution Collected attacks on SSL/TLS 12

13 Contribution Collected attacks on SSL/TLS Analyzed all attacks 13

14 Contribution Collected attacks on SSL/TLS Analyzed all attacks Categorized each attack 14

15 Contribution Collected attacks on SSL/TLS Analyzed all attacks Categorized each attack Identified the root cause of the vulnerabilities for each attack 15

16 Contribution Collected attacks on SSL/TLS Analyzed all attacks Categorized each attack Identified the root cause of the vulnerabilities for each attack Concluded Lessons Learned for each attack 16

17 Contribution Collected attacks on SSL/TLS Analyzed all attacks Categorized each attack Identified the root cause of the vulnerabilities for each attack Concluded Lessons Learned for each attack Created a Guideline for Protocol Designers and Implementers 17

18 Attack Patterns Abnormalities during the analysis of attacks 18

19 Attack Patterns Abnormalities during the analysis of attacks Attacks focus on specific parts/layers of SSL/TLS 19

20 Attack Patterns Abnormalities during the analysis of attacks Attacks focus on specific parts/layers of SSL/TLS Attacks can be grouped into 4 categories 20

21 Attack Patterns Abnormalities during the analysis of attacks Attacks focus on specific parts/layers of SSL/TLS Attacks can be grouped into 4 categories 1. Attacks on the Handshake Protocol 21

22 Attack Patterns Abnormalities during the analysis of attacks Attacks focus on specific parts/layers of SSL/TLS Attacks can be grouped into 4 categories 1. Attacks on the Handshake Protocol 2. Attacks on the Record Layer 22

23 Attack Patterns Abnormalities during the analysis of attacks Attacks focus on specific parts/layers of SSL/TLS Attacks can be grouped into 4 categories 1. Attacks on the Handshake Protocol 2. Attacks on the Record Layer 3. Attacks on the PKI 23

24 Attack Patterns Abnormalities during the analysis of attacks Attacks focus on specific parts/layers of SSL/TLS Attacks can be grouped into 4 categories 1. Attacks on the Handshake Protocol 2. Attacks on the Record Layer 3. Attacks on the PKI 4. Various other Attacks 24

25 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase 25

26 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase A R I S E 26

27 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase Alter messages or message parts R I S E 27

28 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase Alter messages or message parts Replay communication or parts of it I S E 28

29 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase Alter messages or message parts Replay communication or parts of it Interfere messages or message parts S E 29

30 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase Alter messages or message parts Replay communication or parts of it Interfere messages or message parts Systematically analyze communication E 30

31 Attacks on the Handshake Protocol Details Main goal: Influence Handshake Phase Alter messages or message parts Replay communication or parts of it Interfere messages or message parts Systematically analyze communication Establish own Cryptographic Primitives 31

32 Attacks on the Handshake Protocol Details 32

33 Attacks on the Record Layer Details Main goal: Violate Confidentiality or Integrity 33

34 Attacks on the Record Layer Details Main goal: Violate Confidentiality or Integrity B A T 34

35 Attacks on the Record Layer Details Main goal: Violate Confidentiality or Integrity Break Encryption A T 35

36 Attacks on the Record Layer Details Main goal: Violate Confidentiality or Integrity Break Encryption Analyze Encrypted Traffic T 36

37 Attacks on the Record Layer Details Main goal: Violate Confidentiality or Integrity Break Encryption Analyze Encrypted Traffic Tamper with MAC 37

38 Attacks on the Record Layer Details 38

39 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI 39

40 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI R I T C H 40

41 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI Recover or Break Private Keys I T C H 41

42 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI Recover or Break Private Keys Influence Certificate Revocation Systems T C H 42

43 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI Recover or Break Private Keys Influence Certificate Revocation Systems Trick Certificate Validation C H 43

44 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI Recover or Break Private Keys Influence Certificate Revocation Systems Trick Certificate Validation Compute Colliding Certificates H 44

45 Attacks on the PKI Details Main goal: Influence, Compromise or Trick PKI Recover or Break Private Keys Influence Certificate Revocation Systems Trick Certificate Validation Compute Colliding Certificates Hack or Trick Certification Authorities 45

46 Attacks on the PKI Details 46

47 Various Other Attacks Details Main goal: Predict, Disturb, Inject, Disable 47

48 Various Other Attacks Details Main goal: Predict, Disturb, Inject, Disable G A S P 48

49 Various Other Attacks Details Main goal: Predict, Disturb, Inject, Disable Guess Random Numbers A S P 49

50 Various Other Attacks Details Main goal: Predict, Disturb, Inject, Disable Guess Random Numbers Affect Reliability S P 50

51 Various Other Attacks Details Main goal: Predict, Disturb, Inject, Disable Guess Random Numbers Affect Reliability Smuggle Data into Running Connections P 51

52 Various Other Attacks Details Main goal: Predict, Disturb, Inject, Disable Guess Random Numbers Affect Reliability Smuggle Data into Running Connections Prevent Traffic Encryption (disable SSL/TLS) 52

53 Various Other Attacks Details 53

54 Finally... I tried to put the keywords in a meaningful context 54

55 Finally... I tried to put the keywords in a meaningful context e t a n u t r o f n u u s t u o h it w ly s s e cc 55

56 Lessons Learned 1/2 what can we conclude? 56

57 Lessons Learned 1/2 what can we conclude? 1. Theoretical attacks can turn into practice 57

58 Lessons Learned 1/2 what can we conclude? Theoretical attacks can turn into practice Side channels may appear at different layers in different situations 58

59 Lessons Learned 1/2 what can we conclude? Theoretical attacks can turn into practice Side channels may appear at different layers in different situations Reliable cryptographic primitives are important 59

60 Lessons Learned 1/2 what can we conclude? Theoretical attacks can turn into practice Side channels may appear at different layers in different situations Reliable cryptographic primitives are important Processes must leak as little information as possible 60

61 Lessons Learned 1/2 what can we conclude? Theoretical attacks can turn into practice Side channels may appear at different layers in different situations Reliable cryptographic primitives are important Processes must leak as little information as possible Specifications have to be implemented without own improvements 61

62 Lessons Learned 1/2 what can we conclude? Theoretical attacks can turn into practice Side channels may appear at different layers in different situations Reliable cryptographic primitives are important Processes must leak as little information as possible Specifications have to be implemented without own improvements Critical parts in specifications and source code have to be highlighted 62

63 Lessons Learned 2/2 what can we conclude? 7. Specifications have to verbose, unambiguous and technically detailed 63

64 Lessons Learned 2/2 what can we conclude? Specifications have to verbose, unambiguous and technically detailed Details on requirements and preconditions are necessary 64

65 Lessons Learned 2/2 what can we conclude? Specifications have to verbose, unambiguous and technically detailed Details on requirements and preconditions are necessary Data has to be protected 65

66 Lessons Learned 2/2 what can we conclude? Specifications have to verbose, unambiguous and technically detailed Details on requirements and preconditions are necessary Data has to be protected The interplay between different layers must be part of the security analysis 66

67 Lessons Learned 2/2 what can we conclude? Specifications have to verbose, unambiguous and technically detailed Details on requirements and preconditions are necessary Data has to be protected The interplay between different layers must be part of the security analysis Flexibility mostly means additional risks 67

68 Lessons Learned 2/2 what can we conclude? Specifications have to verbose, unambiguous and technically detailed Details on requirements and preconditions are necessary Data has to be protected The interplay between different layers must be part of the security analysis Flexibility mostly means additional risks Always be careful and alarmed 68

69 Source: Chris Meyer 69