Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Similar documents
Practical Invalid Curve Attacks on TLS-ECDH

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Low-Level TLS Hacking

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

Communication Systems SSL

Overview. SSL Cryptography Overview CHAPTER 1

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Chapter 17. Transport-Level Security

Web Security Considerations

Transport Level Security

DROWN: Breaking TLS using SSLv2

SECURE SOCKETS LAYER (SSL)

Information Security

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

SSL Secure Socket Layer

Secure Socket Layer. Security Threat Classifications

Network Security Essentials Chapter 5

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Chapter 7 Transport-Level Security

Security Protocols/Standards

SSL Secure Socket Layer

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Protocol Rollback and Network Security

Authenticity of Public Keys

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

TLS/SSL in distributed systems. Eugen Babinciuc

Communication Security for Applications

Three attacks in SSL protocol and their solutions

Programming with cryptography

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

ISA 562 Information System Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Transport Layer Security Protocols

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Lecture 4: Transport Layer Security (secure Socket Layer)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

[SMO-SFO-ICO-PE-046-GU-

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Chapter 10. Network Security

Lab 7. Answer. Figure 1

CSC Network Security

Network Security Part II: Standards

CSC 474 Information Systems Security

SSL: Secure Socket Layer

Secure Sockets Layer

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

Savitribai Phule Pune University

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

Introduction to Cryptography

SSL A discussion of the Secure Socket Layer

Transport Layer Security (TLS)

Web Security. Mahalingam Ramkumar

Some solutions commonly used in order to guarantee a certain level of safety and security are:

As enterprises conduct more and more

Learning Network Security with SSL The OpenSSL Way

Vulnerabilità dei protocolli SSL/TLS

Introduction. Haroula Zouridaki Mohammed Bin Abdullah Waheed Qureshi

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

ERserver. iseries. Secure Sockets Layer (SSL)

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

Secure Network Communications FIPS Non Proprietary Security Policy

ERserver. iseries. Securing applications with SSL

Lecture 9: Application of Cryptography

Key Management (Distribution and Certification) (1)

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

2014 IBM Corporation

Chapter 11 Security Protocols. Network Security Threats Security and Cryptography Network Security Protocols Cryptographic Algorithms

SSL BEST PRACTICES OVERVIEW

Is Your SSL Website and Mobile App Really Secure?

GNUTLS. a Transport Layer Security Library This is a Draft document Applies to GnuTLS by Nikos Mavroyanopoulos

SSL Protect your users, start with yourself

Efficient Padding Oracle Attacks on Cryptographic Hardware

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

The Secure Sockets Layer (SSL)

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Transcription:

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de

About me Security Researcher at: Chair for Network and Data Security, Ruhr University Bochum Prof. Dr. Jörg Schwenk Web Services, Single Sign-On, (Applied) Crypto, SSL, crypto currencies Provable security, attacks and defenses Horst Görtz Institute for IT-Security Further topics: embedded security, malware, crypto Co-founder of 3curity GmbH: Penetration tests, security analyses, security workshops Web, Single Sign-On, SSL, applied crypto www.3curity.de 2

Publications XML Security: All your Clouds Are Belong to us: Security Analysis of Cloud Management Interfaces (CCSW 11) How to Break XML Encryption (CCS 11) On Breaking SAML: Be Whoever you Want to Be (USENIX 12) On the Insecurity of XML Security (Dissertation) Further topics: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks (USENIX 14) Untrusted Third Parties: When IdPs Break Bad (in submission, by my colleagues Christian Mainka, Vladislav Mladenov and Jörg Schwenk) 3

About this talk Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Paper accepted at Usenix Security 2014 Authors: Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, Erik Tews Describes new side channels in specific TLS implementations 4

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 5

TLS Invented by Netscape in 1994 Name: Secure Sockets Layer Adopted by IETF in 1999 Renamed to Transport Layer Security Versions: SSL 1.0, 2.0, 3.0 TLS 1.0, 1.1, 1.2, (1.3 in development) Implementations: OpenSSL, GnuTLS, JSSE, Microsoft Schannel, MatrixSSL, LibreSSL,... 6

TLS Very complex Contains various crypto primitives: RSA, EC, AES-CBC, AES-GCM, RC4, 3DES, MD5, SHA1, MACs, Signatures, PRFs,... Can be executed over TCP or UDP (DTLS) Contains various extensions TLS-Renegotiation 7

TLS Handshake Used for negotiation of cryptographic keys for data transport Contains key material (PremasterSecret) ClientHello ClientKeyExchange ServerHello Certificate ServerHelloDone ChangeCipherSpec Client Finished ChangeCipherSpec Server Finished 8

ClientKeyExchange Contains encrypted PremasterSecret (for example, encrypted using RSA or EC) PremasterSecret is used to derive all TLS session keys Decryption of PremasterSecret == decryption of the TLS traffic Snidely Whiplash (Dudley Do-Right of the Mounties) 9

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 10

RSA PKCS#1 v1.5 Encryption Used e.g. to distribute symmetric keys Textbook-RSA: CRSA = m e mod N Short messages need padding No randomization PKCS#1 adds randomized padding to the PremasterSecret, it works as follows: Take a PremasterSecret PMS Set m := 00 02 pad 00 PMS Compute C PKCS = m e mod N 256 Bytes 00 02 non zero padding 00 03 01 Random 205 Bytes 48 Bytes PMS A ciphertext is valid, if its decryption has the correct format 11

Bleichenbacher's Attack 1998: Attack on RSA-PKCS#1 v1.5 (Bleichenbacher, Crypto 1998) SSL implementations applied an ad-hoc fix Well-noticed in crypto and security community PKCS#1 was updated to v2.0 (RSA-OAEP) Still standardized in many applications, including TLS 12

Attack Applied to... SSL / TLS: D. Bleichenbacher: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, Crypto 98 Cryptographic Hardware: Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Graham Steel, and Joe-Kai Tsay. Efficient Padding Oracle Attacks on Cryptographic Hardware, Crypto 12 XML Encryption: Tibor Jager, Sebastian Schinzel, Juraj Somorovsky: Bleichenbacher s Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption, ESORICS'12 13

Motivation Attack worked in 1998... Is PKCS#1 v1.5 implemented correctly in TLS now? 14

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 15

Bleichenbacher's Attack Requires a ciphertext validity oracle Adaptive Chosen-ciphertext attack XML Encryption ClientKeyExchange ciphertext C = Enc(M) Chosen ciphertext C 1 valid/invalid Client Snidely Whiplash (Dudley Do-Right of the Mounties) M = Dec(C) Chosen ciphertext C 2 valid/invalid (repeated several times) TLS Server Dec(C PKCS ) = 00 02 bytes??? 16

Attack Intuition d: private key (e,n): public key m = 00 02 bytes In RSA we can multiply the encrypted plaintext without knowing the private key m = c d mod N c = m e mod N c = (c s e) mod N s Z N c = (ms) e mod N 17

Attack Intuition OK, so we can multiply a plaintext... We define: B = 2 ( N -2), where N is byte length Example: 2B = 00 02 00 00 Attack Approach: Multiply plaintext with s: c = (c s e ) mod N Query oracle if the decrypted plaintext is in interval <2B,3B) Somewhere here is the secret m x Modulo Reduction! s=s x s=2 s=3 s=4 s=s x -1 s=s x 0 2B 3B N valid 18

Attack Intuition m x s=s x s=2 s=3 s=4 s=s x -1 s=s x 0 2B 3B N m y s=s y -1 s=s y s=2 s=3 s=4 s=5 s=6 s=s y -2 s=s y -1 0 2B 3B N sy > s x Intuition: Large s value indicates m is in the near of 2B Small s value indicates m is in the near of 3B 19

Attack sx allows us to compute new interval for m: 2B m x s x N < 3B From this follows: (2B + N) / s x < m x < (3B + N) / s x Full algorithm: Searches for further s values Reduces the interval 20

Demo Time 21

Attack Countermeasure generate a random PMS R decrypt the ciphertext: m := dec(c) if ( (m? 00 02 PS 00 k) OR ( k? 48) ) then proceed with PMS := PMS R else proceed with PMS := k 22

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 23

Attack Performance Bleichenbacher's attack is also called Million Messages attack The attack performance varies: it depends on the oracle message validation The oracle responds with valid when: The message starts with 00 02 (and) the PremasterSecret is of valid length? Further checks? Ciphertext C 00 02 non zero padding 00 03 01 Random 24 205 Bytes 48 Bytes PMS

Oracle Strength Oracle with less checks brings better performance Oracle strength: Probability the oracle responds with valid when the message starts with 00 02 Why important? m x s=s x s=2 s=3 s=4 s=s x -1 s=s x 0 2B 3B N invalid 25

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 26

Attack Challenges Implement an oracle based on the server behavior Using different error messages, timing Ciphertext C TLS Handshake (C) Valid / invalid Analyze oracle strength Probability TLS Server If timing: how many server requests are needed to respond one oracle request Execute Bleichenbacher's attack 27

With the help of T.I.M.E. T.I.M.E.: TLS Inspection Made Easy Automatic scanning of TLS implementations Written (mainly) by Christopher Meyer: http://www-brs.ub.ruhr-uni-bochum.de/netahtml/hss /Diss/MeyerChristopher/diss.pdf Supports further features like TLS fingerprinting 28

For Timing Measurements... T.I.M.E. was not appropriate, caused too much noise We used our Bleichenbacher attack module with a patched MatrixSSL library NetTimer for response times evaluation: http://sebastian-schinzel.de/nettimer C TLS Handshake (C) Valid / invalid Bleichenbacher MatrixSSL TLS Server Measurement machine 29

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 30

Error Messages in JSSE With T.I.M.E. we sent differently formatted PKCS#1 messages to a JSSE server Server responded with: INTERNAL ERROR and HANDSHAKE FAILURE 31

Analysis 0x00 bytes inserted at specific positions cause an internal ArrayIndexOutOfBoundsException Lead to a different TLS alert message 0x00 positions provoking an INTERNAL_ERROR 1 77 Bytes padding 48 Bytes 0.99" PMS 00 02 IE N = 1024 bit 2 205 Bytes padding 00 02 INTERNAL_ERROR IE N = 2048 bit 8 Bytes 117 Bytes 80 Bytes 3 461 Bytes padding 00 02 INTERNAL_ERROR IE N = 4096 bit 8 Bytes 373 Bytes 80 Bytes 32

Oracle Strength We were able to construct an oracle: INTERNAL_ERROR: message valid, starts with 00 02 HANDSHAKE FAILURE: message invalid What is the probability for triggering INTERNAL_ERROR? 2048 bit key: Number of bytes provoking INTERNAL_ERROR: 117 Probability: P 2048 = (255/256) 8 (1 (255/256) 117 ) = 35 % 4096 bit key: P 4096 = 74 % 1024 bit key: P 1024 = 0,2 % 33

Evaluation Mean Median 2048 bit RSA key 177 000 37 000 4096 bit RSA key 73 000 28 000 Attack on server with 1024 bit keys not practical because of the weak oracle Patched in October 2012 JDK 6, Update 37 (JDK 6u37): CVE-2012-5081 34

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 35

Additional Random Number Generation Recommended Countermeasure: Countermeasure in OpenSSL, GnuTLS,...: generate a random PMS R decrypt the ciphertext: m := dec(c) if ( (m? 00 02 PS 00 k) OR ( k? 48) ) then proceed with PMS := PMS R else proceed with PMS := k decrypt the ciphertext: m := dec(c) if ( (m? 00 02 PS 00 k) OR ( k? 48) ) then generate a random PMS R proceed with PMS := PMS R else proceed with PMS := k 36

Analysis We saw this in more implementations Important observation: Random PMS generated only in case of invalid decryption step Does this misbehavior allow us to execute practical attacks? 37

Oracle Strength We were able to measure different timing responses, however the timing difference was very small (cca. 2 microseconds) Valid TLS structure. Starts with 00 02, No random number generation. Probability of returning a valid message small: P = 2,7 * 10-8 38

Evaluation Attack not practical Too many oracle queries The timing difference too small 39

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 40

Additional Exception in JSSE PKCS#1 unpadding function in Java: private byte [] unpadv15 (byte[] padded) throws BadPaddingException { } if (not PKCS compliant) { } else { } throw new BadPaddingException(); return unpadded text; 41

Analysis We tested the JSSE server with different valid and invalid PKCS#1 messages We were not able to trigger a different alert......but we saw an additional exception in case of invalid message 42

Oracle Strength We evaluated that an additional exception consumes about 20 microseconds! Valid PKCS#1. Starts with 00 02, No exception. Enough to measure over LAN 43

Oracle Strength We were able to construct an oracle: Shorter time: message valid, PKCS#1 compliant Longer time: message invalid, additional exception produced Large probability of about 60% 44

Evaluation C TLS Handshake (C) Attack evaluation: About 20 000 oracle queries to decrypt a PMS Each oracle query takes about 500 server queries 20% false negatives, no false positive 20 hours, over LAN Bleichenbacher Valid / invalid Executed against OpenJDK and Oracle JDK MatrixSSL Patched in January 2014 JDK 7, Update 45: CVE- 2014-411 TLS Server Similar behavior found in Bouncy Castle (Java and C#) Reported, not fixed 45

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 46

Unexpected Timing Behavior by Hardware Appliances We used T.I.M.E. to execute TLS handshakes using malformed PKCS#1 messages Our Hardware Appliance accepted malformed PKCS#1 formatted PremasterSecrets: 01 02 00 PMS 02 02 00 PMS 03 02 00 PMS The first byte was not checked at all and we could execute valid TLS handshakes 47

Analysis It was not directly exploitable the attacker is not able to produce valid ClientFinished messages ClientHello ClientKeyExchange ChangeCipherSpec Client Finished ServerHello Certificate ServerHelloDone ChangeCipherSpec Server Finished but we smelled a timing leakage in the PKCS#1 processing Black box analysis 48

Oracle Strength We found a timing difference of about 15 microseconds between messages starting with?? 02 and other messages (?? indicates an arbitrary byte) Starts with?? 02, Message accepted. 49

Oracle Strength We were able to construct an oracle: Longer time: message valid, starts with?? 02 Shorter time: message invalid, different second byte The oracle is not Bleichenbacher compliant s=s x s=2 s=3 s=4 s=s x -1 s=s x 0 2B 3B N 50

Evaluation We extended Bleichenbacher's attack to work with our oracle Performance improvement: About 4700 oracle queries to decrypt a PMS Real attack: 7371 oracle queries 4 000 000 server queries at total 40 hours 1290 false negatives, no false positive Developers notified, be prepared to update your appliances Public disclosure in August 51

Overview TLS Bleichenbacher's Attack Attack Intuition Oracle Strength Attack Challenges Attacks Error Messages in JSSE Additional Random Number Generation Additional Exception in JSSE Unexpected Timing Behavior by Hardware Appliances Conclusion 52

Conclusion and Outlook We showed first practical timing Bleichenbacher attacks on TLS A tiny side channel can lead to catastrophic results Crypto code should be handled with care, especially when assuming local attackers: e.g., crypto in browser We motivate for the usage of secure cryptographic primitives Future Work: Analysis of further crypto standards TLS impl. Type Queries Time OpenSSL timing NA JSSE direct 177 000 12 h JSSE timing 18 600 20 h Hardware timing 7 400 41 h Development of TLS penetration tools 53

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information