POODLE. Yoshiaki Kasahara Kyushu University 2015/3/3 APAN 39th in Fukuoka 1

Transcription

1 POODLE Yoshiaki Kasahara Kyushu University 2015/3/3 APAN 39th in Fukuoka 1

2 Summary POODLE: Padding Oracle On Downgraded Legacy Encryption Discovered in October 2014 by Google Security Team Allows a man-in-the-middle attacker to decipher an encrypted text without knowing the encryption key (one byte per 256 requests in average). Try to summarize what is POODLE attack, how it works, its workaround, and influence on ordinary users No, I m not going to disclose new vulnerability 2015/3/3 APAN 39th in Fukuoka 2

3 Summary (cont.) Less serious compared to Heartbleed and Shellshock Needs man-in-the-middle condition Sudden deprecation of SSL 3.0 caused user experience problems, though Needed manual intervention to change options 2015/3/3 APAN 39th in Fukuoka 3

4 POODLE Toy Poodle Chocolate by tranztec, CC BY /3/3 APAN 39th in Fukuoka 4

5 POODLE Padding Oracle On Downgraded Legacy Encryption CVE Consist of two problems Padding Oracle Weakness in SSL 3.0 Application Interoperability Force downgrade of SSL protocol version 2015/3/3 APAN 39th in Fukuoka 5

6 Oracle Someone receiving messages from a god Can see something usually unavailable to mortals Padding Oracle answers if the padding of the given encrypted message is correct or not Such information shouldn t be disclosed It can be used to guess a plain text without the encryption key in a certain condition 2015/3/3 APAN 39th in Fukuoka 6

7 How POODLE works This POODLE Bites: Exploiting The SSL 3.0 Fallback, B. Möller, T. Duong, K. Kotowicz, Assume HTTPS and MITM condition Attacker can only see an encrypted stream Attacker can intercept and modify the encrypted stream CBC block cipher mode is used for encryption Attacker can control the browser to send requests to other sites (via Javascript or images) Attacker wants to retrieve secret cookie contents in a browser 2015/3/3 APAN 39th in Fukuoka 7

8 G E T / H T T P / 1. 1 C o o k i e : n * * * * * * * L Encrypt X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Transfer X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Decrypt G E T / H T T P / 1. 1 C o o k i e : n * * * * * * * L 2015/3/3 APAN 39th in Fukuoka 8

9 How POODLE works Control message length + MAC to be a multiple of the block size Make the last block only containing padding The last byte of the block = the number of padding If the block size = 16, it is 15 Control the message header and body to place an unknown byte (to reveal) at the end of a block 2015/3/3 APAN 39th in Fukuoka 9

10 Manipulate encrypted blocks G E T / H T : n a m e = a * * * * * * * 7 Encrypt X X X X X X X X X X X X X X X X X X X X X X X X Transfer X X X X X X X X X X X X X X X X X X X X X X X X Decrypt G E T / H T : n a m e = a???????? 2015/3/3 APAN 39th in Fukuoka 10

11 What happens? In most case the copied last block becomes garbage The record will be rejected by the server In 1/256 chance, the last byte is decrypted as the correct value (the length of padding) SSLv3 accepts the message in such a case Act as a Padding Oracle The attacker know the correct value (by controlling the length of padding) 2015/3/3 APAN 39th in Fukuoka 11

12 Calculation G E T / H T k i e : n a m e = a M M M * * * * * * * 7 Encrypt X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Transfer X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Decrypt G E T / H T k i e : n a m e = a M M M??????? /3/3 APAN 39th in Fukuoka 12

13 CBC: Cipher Block Chaining 2015/3/3 APAN 39th in Fukuoka 13

14 One by one Now one of cookie contents was revealed Shift the place of cookie contents by one Reduce the length of header by one Increase the length of body by one Total length of the message remains same Do the same until all the hidden bytes are revealed 2015/3/3 APAN 39th in Fukuoka 14

15 Afterthought When I heard about POODLE first, I scrambled to disable SSLv3 for my servers as soon as possible Actually the attack seems only feasible on HTTPS w.r.t. the POODLE paper Need to send the same request repeatedly Suitable for secure cookie and HTTP Authentication header retrieval Seems no way to apply againt pop3, imaps, etc 2015/3/3 APAN 39th in Fukuoka 15

16 Mitigation This is a protocol flaw in SSLv3 CBC In SSLv3 the content of padding is arbitrary The padding must be filled with the padding length value in TLSv1.0 (RFC 2246) Not required to validate it at the receiver side In addition to that, the receiver MUST check this padding in TLSv1.1 (RFC 4346) 2015/3/3 APAN 39th in Fukuoka 16

17 The POODLE bites again Some TLS implementations don t properly validate the padding contents Reuse SSLv3 padding processing code Implementation issue, not protocol flaw Including A10, Checkpoint, Cisco, F5, IBM, Juniper, etc Please make sure your system is up to date No need to force downgrade, easier than original POODLE 2015/3/3 APAN 39th in Fukuoka 17

18 Downgrade Attack Even both server and client support TLSv1 or higher, POODLE attack is possible if both support SSLv3 In some case MITM attacker can downgrade the protocol version used 2015/3/3 APAN 39th in Fukuoka 18

19 Interoperability Many TLS implementations are still backwardscompatible with SSLv3 for legacy system Usually the most recent common version between server and client is negotiated and used with the protocol handshake Some TLS server implementations have issues and break the connection when higher version is offered from a client 2015/3/3 APAN 39th in Fukuoka 19

20 Compatibility Dance To keep interoperability with broken servers Clients (especially browsers) try again with offering an older version, if the connection failed during protocol handshake Implemented in application Not a part of TLS implentations A MITM attacker can force the negotiation to fail and downgrade the protocol version intentionally 2015/3/3 APAN 39th in Fukuoka 20

21 Mitigation Disable SSLv3 Only when all your peers supports TLSv1 or higher Or maybe you decided to kick legacy system away Support TLS_FALLBACK_SCSV Protect handshake from downgrade attacks Need to be supported by both servers and clients Legacy clients (only support SSLv3) are still vulnerable anyway 2015/3/3 APAN 39th in Fukuoka 21

22 TLS_FALLBACK_SCSV A client SHOULD include this (signalling) cipher suite when it uses lower client_version than it supports If TLS_FALLBACK_SCSV appears in client s cipher suites and the server supports higher version than client_version, the server MUST respond with a fatal inappropriate_fallback alert 2015/3/3 APAN 39th in Fukuoka 22

23 Impact on users Many services decided to disable SSLv3 support It caused troubles for some users Examples in Japan (all in Japanese, sorry) html ml 2015/3/3 APAN 39th in Fukuoka 23

24 There is a myth (at least in Japan) If you have some trouble connecting to a certain web site, fiddle SSL/TLS settings In some case, disabling all TLS (v1.0, 1.1, 1.2) solves the issue Actually it was caused by broken servers This time many major sites disabled SSLv3 at once, and caused much trouble 2015/3/3 APAN 39th in Fukuoka 24

25 RFC 7457 Other attacks against SSL SSL Stripping STARTTLS Command Injection BEAST Padding Oracle: Lucky 13, POODLE RC4 Compression Attacks: CRIME, TIME, BREACH 2015/3/3 APAN 39th in Fukuoka 25

26 Recommendation It is better to disable SSLv3 sooner than later if possible RC4 stream cipher is weak, but POODLE is easier, so you might want to enable RC4 and disable CBC if you really need support of SSLv3 Try logging SSL version on your server To estimate the number of legacy software users To detect possible downgrade attacks 2015/3/3 APAN 39th in Fukuoka 26

27 References B. Möller, T. Duong, K. Kotowicz: This POODLE Bites: Exploiting The SSL 3.0 Fallback (2014) vulnerability-cve / (In Japanese) RFC 7457: Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS) P. Sarkar, S. Fitzgerald: Attacks on SSL, a comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13 and RC4 biases (2013) 2015/3/3 APAN 39th in Fukuoka 27