Encryption-The Dark Side:




Transcription:

Encryption-The Dark Side: Things to Worry About for 2014
September 30, 2014
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time

Welcome
Conference Moderator: Mathieu Gorge, CEO and Founder, VigiTrust

AGENDA:
o Speaker Introduction
   o Paul Williams, Chief Technology Officer, White Badger Group
   o Jason Sabin, VP of Research & Development, DigiCert
   o Kenny Paterson, EPSRC Leadership Fellow & Professor of Information Security at Royal Holloway, University of London
o Open Panel with Audience Q&A
o Closing Remarks

Why Take Encryption Head On, When You Can Bypass It?
Paul Williams, Chief Technology Officer, White Badger Group
September 30, 2014

Why Take Encryption Head On, When You Can Bypass It?
o Endpoint Attacks Bypass Encryption
o Application Attacks Don't Play Fair
o Weak / Shared / Duplicative Passwords
o Password Capture Defeats Encryption
o Improperly Protected Backup & Recovery Keys
o Vulnerable PKI Architecture
o Attacking & Defeating Encryption Head On
o Risk Management 101: Do Gains Exceed Total Cost of Deployment and Maintenance?

Endpoint Attacks Bypass Encryption
1. Hacker targets network administrator protected with whole disk encryption, encrypted VPN, and more
2. Administrator connects to network as per usual [diagram label: Encrypted VPN tunnel]
3. Hacker negates use of multiple defense technologies, including encryption.

Application Attacks Don't Play Fair
Application level attack intercepts sensitive data before SSL encryption
[Figure: layered architecture diagrams for Microsoft Windows and Unix/Linux/BSD, from applications and subsystems through the system call interface and kernel services down to hardware]

Weak / Shared / Duplicative Passwords
June 2011: An app developer estimated that 15% of all iPhone smartphones used one of these passcodes.

Password Capture Defeats Encryption

Improperly Protected Backup & Recovery Keys
o Serious Insider Threat Risk from Rogue Network Administrators
o Insecure Storage Allows Catastrophic Silent Data Compromise

Vulnerable PKI Architecture
o Insider Threats
o Internal Network Attacks
o Computer Malware
o Physical Facilities Break-ins

Attacking & Defeating Encryption Head On
o Weak Key Generation: Pseudo-random algorithm flaws
o Application level attacks
o Computer malware
o Weak Encryption Ciphers
o Hash Collision Attacks
o Man-in-the-Middle Attacks on Key Exchanges
o Encryption Hardware & Software Implementation Flaws
o Brute Force Key Factoring

Risk Management 101: Do Gains Exceed Total Cost of Deployment and Maintenance?
1. The Law of Diminishing Returns strongly affects the selection and deployment of encryption technology
2. The cost of deploying encryption may quickly outweigh any gain
3. In large scale enterprise IT networks, far higher returns on investment can typically be obtained with investments elsewhere

Contact Info
Paul Williams, Chief Technology Officer, White Badger Group LLC
Direct: (281) 719-9345
Main: (888) 505-3768 ext. 104
Email: paul.williams@whitebadger.com
Web: www.whitebadger.com

Question and Answer
Paul Williams, Chief Technology Officer, White Badger Group
#ISSAWebConf

SSL & How to make sure it's good
Jason Sabin, VP of Research & Development, DigiCert
jason.sabin@digicert.com

SSL: High Level View
o 51% of enterprises do not know all of the keys and certs on their network*
o 26% of websites support weak or insecure cipher suites**
o Still seeing 1024-bit key sizes or lower
o Only ~15% of SSL certificates on the web use SHA-2**
o Heartbleed in hardware and statically compiled applications
o Certificate Transparency
* Based on research by Ponemon Institute
** Based on research by Trustworthy Internet Movement

Is your network secure?
What is the one thing that most exploits have in common? They exploit improper SSL implementation.
Encryption and SSL do work, but they must be implemented correctly.

Improper SSL Implementation
o Heartbleed
o Goto Fail
o BEAST, CRIME, BREACH, etc.
o Weak cipher suites
o Weak algorithms
o Weak private keys

<SSL Labs screenshot>

SHA-1 Transition
Microsoft SHA-1 Deprecation Timeline
o January 1, 2016: Microsoft will end trust for SHA-1 Code Signing Certificates
o January 1, 2017: Microsoft will end trust for SHA-1 SSL Certificates
Mozilla SHA-1 Deprecation Timeline
o Firefox early 2015 release: SHA-1 certs expiring Jan 1, 2017 or later receive a security warning
o Firefox 2016 release: Untrusted Connection error when a newly issued SHA-1 certificate is encountered
o Firefox 2017 release: Untrusted Connection error whenever a SHA-1 certificate is encountered.

SHA-1 Transition
Google SHA-1 Deprecation Timeline
o Chrome 37: current version
o Chrome 38: beta in progress
o Chrome 39 (beta launch Sep 26, 2014):
   o SHA-1 certs expiring Jan 1, 2017 or later receive yellow triangle warning
o Chrome 40 (beta launch Nov 7, 2014):
   o SHA-1 certs expiring between June 1, 2016 and December 31, 2016 receive yellow triangle warning
   o SHA-1 certs expiring after Jan 1, 2017 receive neutral warning (shows https in grey instead of green)
o Chrome 41 (beta launch Q1 2015):
   o SHA-1 certs expiring Jan 1, 2016 -> Dec 31, 2016 receive yellow triangle warning
   o SHA-1 certs expiring Jan 1, 2017 or later receive red strike-through warning

DigiCert SHA-1 Sunset Tool

Heartbleed still?
Where is Heartbleed now?
o Statically compiled applications
o Hardware devices
o Mobile/Tablet devices
o Internal servers and infrastructure
Companies' response
o Tech giants started funding OpenSSL and other critical open source projects.
Shellshock and BASH?

Always On SSL
o Refocused with HTTPS Everywhere
o Google SEO ranking
o Marketing cares and concerns
o Relative links vs absolute links

Whynopadlock screenshot

SSL best practices
o Always-On SSL
o Secure Cookies
o HSTS (HTTP Strict Transport Security)
o Disable Weak Cipher Suites
o Secure Renegotiation
o Disable TLS Compression
o Perfect Forward Secrecy
o Read Bulletproof SSL and TLS by Ivan Ristic

Future Concerns
o Internet of Things
o Internet of Everything
o 37-50 billion devices by 2020

Thanks
SSL Analysis Tools
o https://www.ssllabs.com
o https://www.digicert.com/cert-inspector.htm
o https://www.digicert.com/sha1-sunset/
o http://www.whynopadlock.com/
Jason Sabin, Vice President of Research & Development
jason.sabin@digicert.com
801-701-9647

Question and Answer
Jason Sabin, VP of Research and Development, DigiCert
#ISSAWebConf

The Dark Side of SSL/TLS Kenny Paterson Information Security Group Royal Holloway University of London

Agenda
I plan to talk about some recent developments for SSL/TLS and extract some learning points as we go along.
o SSL/TLS
o Heartbleed
o Wrap-up

About The Speaker
o Academic
   o But spent 5 years in industrial research lab, 1996-2001.
   o Still involved in IPR, consulting, industry liaison.
o RHUL since 2001
   o You are teaching Network Security.
   o Leading to research into how crypto is used in Network Security.
o EPSRC Leadership Fellow, 2010-2015
   o Cryptography: Bridging Theory and Practice
   o e.g. attacks on IPsec (2006, 2007, 2010), SSH (2009), SSL/TLS (2011, 2013, 2013), WPA (2014), EMV (2012), MPPE (2014)

SSL/TLS
o Probably the world's most widely deployed cryptographic protocol.
o Almost ubiquitous, not just secure e-commerce.
o Increasing focus for analysis from research community.

Highly Simplified View of TLS
[Diagram: Client and Server connected by the Handshake Protocol and the Record Protocol]
Handshake Protocol: used by client and server to
1. Negotiate ciphersuite
2. Authenticate
3. Establish keys used in the Record Protocol
Record Protocol: provides confidentiality and authenticity of application layer data using keys from Handshake Protocol

The TLS Ecosystem (1/3)
o Servers and clients: including managed service providers (CloudFlare, Akamai); of all shapes and sizes
o Certification service providers
   o Of all shapes, sizes and levels of security
o Software vendors
   o From Google down to one-man open-source operations
   o OpenSSL somewhere in-between
o Hardware vendors

The TLS Ecosystem (2/3)
o TLS versions: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
   o Many servers even still support SSL 2.0
o 200+ ciphersuites
   o https://www.thesprawl.org/research/tls-and-ssl-ciphersuites
   o Some highly esoteric, e.g. TLS_KRB5_WITH_3DES_EDE_CBC_MD5
o TLS extensions
   o Too numerous to mention.
o DTLS

The TLS Ecosystem (3/3)
o IETF TLS Working Group
   o Also IETF UTA Working Group (UTA = Using TLS in Applications)
o Growing community of researchers
   o Blackhat or Crypto?
   o Attacks or security proofs?
   o Handshake Protocol, Record Protocol or both?
   o Full protocol including session resumption, renegotiation, ciphersuite negotiation?
   o Provable security or formal methods or something else?
   o Game-based, UC or constructive cryptography?
The TLS ecosystem has become very complex and vibrant.

TLS Has Been in the News
o BEAST (2011)
o CRIME (2012)
o Lucky 13 and RC4 attacks (both 2013).
o Renegotiation attack (2009), triple Handshake attack (2014).
o Poor quality of implementations (particularly in certificate handling).
   o Apple goto fail (2013)
   o GnuTLS certificate processing bug (2013)
   o OpenSSL CCS bug (2014)
   o Frankencerts (2014)

Focus: Lucky 13
Key dates:
o We started work in December 2011.
o Key breakthrough in March 2012 (+4 months).
o Research paper completed November 2012 (+11 months).
o Attack disclosed in February 2013 (+15 months).
o Research paper presented in May 2013 (+18 months).

Focus: Lucky 13
o Full plaintext recovery attack on CBC-mode encryption.
o Exploiting a timing side-channel introduced because of implementation advice in TLS specification.
o Hard to mount attack in practice: semi-practical/semi-theoretical.

Focus: Lucky 13
How do you disclose an attack on a protocol that has dozens of different implementations and millions of users?
o Coordination amongst all stakeholders.
o Risk of leakage and panic before agreed time.
We opened up multiple channels of communication.
o Initially IETF OpenSSL, Mozilla, Cisco, Apple, Microsoft, Google, Oracle, Opera, BouncyCastle, F5, and numerous open source projects.
o NOT end users.
o Hundreds of e-mails, December 2012 to February 2013.
o We helped a number of vendors with patch testing.
o Also building a website, preparing a press release, priming journalists and bloggers.

Focus: Lucky 13
D-Day: February 4th 2013
o One week after expected paper notification.
o Significant media exposure.
o Viral spread of the story across Internet over a 72 hour period.
   o Ars Technica, TheRegister, Slashdot, Wired
o Most major vendors issued patches within a few days.
o Eventual presentation at academic conference in May 2013 was a damp squib by comparison!
To read more: http://www.isg.rhul.ac.uk/tls/lucky13.html

The Changing Face of TLS
o 42.6% of Alexa top 200k servers now support TLS 1.2.
   o Up from 17% one year ago and 5% two years ago. (source: SSL Pulse, Sept. 2014)
o TLS 1.2 support in browsers:
   o Chrome: since release 30.
   o Firefox: since release 28.
   o IE: since IE11.
   o Safari: since iOS 5 and OS X 10.9.
   (source: Wikipedia, Nov. 2013)

The Changing Face of TLS
Snapshot from ICSI Certificate Notary Project
[Figure not preserved; surviving labels: 15.3%, 1.6%]

A Newsworthy Protocol
TLS has really been in the news... the Heartbleed bug.
What is it about Heartbleed that caught the wider media's imagination?
o Pressure built and the dam finally broke?
o Severity of the threat (leakage of private information, inc. server private keys)?
o Widespread use of OpenSSL.
o A good logo?

Heartbleed
o Heartbleed was not a crypto problem, per se.
o It was a software bug that happens to affect one implementation of a cryptographic protocol.
o Classic problem of (un)safe handling of untrusted user input.
o Heartbeat = Secure ping for SSL/TLS
o Response to ping read beyond boundary of buffer assigned to incoming message.
o A memory leak.
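Added example (not from the slides, and not OpenSSL's code): a simplified Heartbeat handler in C showing the bounds check whose absence lets a response read beyond the received message. The message layout and 16-byte minimum padding follow RFC 6520; the function names, the constructed sample records and the zero padding are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Claimed payload length: big-endian 16-bit field chosen by the peer. */
static size_t hb_claimed(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes a handler that trusted the length field would read past
 * the end of the received record. Pure arithmetic: nothing is over-read. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t available = rec_len - HB_HDR_LEN;
    size_t claimed = hb_claimed(rec);
    return claimed > available ? claimed - available : 0;
}

/* Hardened handler: writes the response to out and returns its length,
 * or returns 0 when the request must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = hb_claimed(rec);
    /* The bounds check: header + claimed payload + padding must fit inside
     * the bytes that actually arrived, not the bytes the peer says it sent. */
    if (claimed > rec_len - HB_HDR_LEN - HB_MIN_PAD)
        return 0;
    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    /* Zero padding keeps the example deterministic; RFC 6520 asks for random. */
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD);
    return resp_len;
}

/* Constructed sample records (not captured traffic); unlisted bytes are 0. */
static const uint8_t HB_HONEST[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t HB_LYING[19]  = { HB_REQUEST, 0x40, 0x00 };  /* claims 16384 */
static uint8_t hb_out[64];  /* response buffer shared by the demo calls */

int main(void)
{
    printf("honest: over-read %zu, response %zu bytes\n",
           hb_overread_if_unchecked(HB_HONEST, sizeof HB_HONEST),
           hb_build_response(HB_HONEST, sizeof HB_HONEST, hb_out, sizeof hb_out));
    printf("lying:  over-read %zu, response %zu bytes\n",
           hb_overread_if_unchecked(HB_LYING, sizeof HB_LYING),
           hb_build_response(HB_LYING, sizeof HB_LYING, hb_out, sizeof hb_out));
    return 0;
}
```

The second record is the case that matters for detection and testing: its length field disagrees with the record size, so the hardened handler drops it instead of answering.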

Impact
o Only vulnerable if using a recent version of OpenSSL and if Heartbeat feature enabled.
o OpenSSL versions 1.0.1 and 1.0.1a to 1.0.1f affected, bug fixed in version 1.0.1g.
o Heartbeat enabled by default.
o Window of exposure: 14/3/2012 to 7/4/2014.
o Still, the Internet melted...

Web Server Stats
[Figure not preserved]

Heartbleed Impact
o More than 80% of the Alexa top 1 million websites run on Apache or Nginx.
o Both of these rely on OpenSSL for provision of SSL/TLS/HTTPS.
o About 45% of the top 1 million sites do run HTTPS.
o It was initially unclear how much and what types of sensitive data could be extracted from vulnerable servers.
   o Usernames and passwords?
   o SSL private keys?

CloudFlare Challenge
o Cloudflare host websites and manage certs for their 100k+ customers.
o They set a challenge...

Consequently
o Cloudflare revoked all its certificates (134,000 of them).
o From SANS Internet Storm Center: [figure not preserved]

Impact
o Cloudflare is just one web hosting company (there are many others).
o They are clearly well-organised and responsive, and put a lot of information in the public domain.
o Others less so?

It Wasn't Just Webservers
o E-mail servers also vulnerable.
o Amazon Web Services had a major headache updating.
o Network appliance products from Cisco, Juniper also affected.
o Tor nodes.
o Heartbleed can also be applied to clients rather than servers.
   o Including millions of smartphones running Android 4.1.1 (which uses OpenSSL 1.0.1e).
o Netgear NAS devices.
o Two-factor authentication systems.
o OpenVPN.

It Wasn't Just Private Keys
o Mumsnet: a large UK online forum for parents.
o 1.5 million users.
o http://www.mumsnet.com/features/mumsnet-andheartbleed-as-it-happened
o Patched within 48 hours of the OpenSSL vulnerability announcement.
o But 30+ accounts were hacked, including that of one of the site's founders...

How Many Sites Were Vulnerable?
o Data from https://zmap.io/heartbleed/
o Generated using IPv4 address space scans with zmap tool.
o On 16/4/2014, 5.2% of Alexa top 1 million sites were still vulnerable, 32% supported secure Heartbeat, 63% did not support Heartbeat.
o None of top 1000 sites vulnerable by 16/4/2014.

Was Heartbleed Being Actively Exploited?
o Robin Seggelmann at OpenSSL has denied deliberate insertion of a backdoor.
o Bloomberg claimed NSA knew for at least two years about Heartbleed according to two people familiar with the matter.
o US government issued a denial.
o One would expect a large team at NSA to be searching for such vulnerabilities.
o Question is what do they then do with them: use them in attacks or notify vendors?
o Ongoing debate in US about duty of NSA in such cases.

Heartbleed Disclosure
o First discovered (21/03) by Neel Mehta at Google.
o Rediscovered by Codenomicon and disclosed to Finnish NCSC (02/04).
o OpenSSL informed by Google (01/04) and Finnish NCSC (07/04).
o Cloudflare (31/03) and Akamai (04/04) patch their servers.
o 06/04: Redhat (on behalf of OpenSSL) notify (some) other Linux who requested details got them in time.
o 07/04 (or earlier): Facebook patch their servers.

Heartbleed Disclosure
o 07/04, 10:27: OpenSSL release v1.0.1g with Heartbleed patch and security advisory on website.
o 07/04, 10:49: OpenSSL e-mail advisory.
o 07/04, 11:00: CloudFlare blog entry goes live.
o 07/04, 12:23: CloudFlare tweet.
o 07/04, 12:37: Neel Mehta tweet.
o 07/04, 13:13: Codenomicon tweet with link to their heartbleed.com website.

Heartbleed Disclosure
o The disclosure process was particularly messy.
o This is not uncommon.
o Personal experience with Lucky 13:
   o Tell one of the big boys and they will want to tell their friends.
   o There are informal communication channels and formal information sharing agreements outside of CERT/CC and other official processes.
   o Hard to contain leakage when many vendors are affected.
o Double discovery of Heartbleed complicated matters.

What next for OpenSSL?
o LibreSSL fork.
   o Heartbleed was the straw that broke the camel's back for OpenBSD.
o Core Infrastructure Initiative:
   o Will identify and fund critical open source projects that are in need of assistance.
   o Founding backers of the initiative include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.

Current Developments in TLS
o Fresh algorithms are under active consideration in IETF TLS WG.
   o Important for environments where AES is not available in hardware.
   o Momentum behind ChaCha20 stream cipher plus Poly1305 MAC.
o Reform of TLS's encryption process to make CBC-mode easier to implement securely.
   o Recently published RFC 7366.
   o Deployment via TLS extension, unclear how widely adopted it will become.

Current Developments in TLS
o TLS 1.3 now under active development in TLS WG
   o Reducing latency in Handshake.
   o Simplification of key exchange and authentication methods in Handshake.
   o Reform of symmetric crypto algorithms.
o Development process is somewhat ad hoc.
o Active review of drafts needed by users and cryptographers.

Closing Remarks
o There is little diversity in the code-base of the web.
   o Apache and Nginx, both reliant on OpenSSL.
   o Critical vulnerabilities in that code-base will have major impacts.
   o Shellshock only the latest example, there will be more.
o Disclosure and patching at these scales is messy.
   o Many affected vendors.
   o Different parties at different points in the foodchain.
   o Informal information exchanges.
o Cryptography does not stand still.
   o Attacks only get better over time.
   o Large deployed base means TLS practices are slow to change.

Thank you!
Kenny Paterson

Question and Answer
Kenny Paterson, Information Security Group, Royal Holloway, University of London
#ISSAWebConf

Open Panel with Audience Q&A
o Paul Williams, Chief Technology Officer, White Badger Group
o Jason Sabin, VP of Research & Development, DigiCert
o Kenny Paterson, Information Security Group, Royal Holloway, University of London
#ISSAWebConf

Closing Remarks
Generously supported by:
Thank you Citrix for donating the Webcast service
#ISSAWebConf

CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
On-Demand Viewers Quiz Link information: http://www.surveygizmo.com/s3/1825751/issa-web-conference-Sept-30-2014-Encryption-The-Dark-Side
#ISSAWebConf