Can we prevent the Cryptocalypse? - Security Forum 2020 · Barracuda Networks AG 09.04.2014
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014



Overview

• Transport Layer Security
  • History
  • Orientation
  • Basic Functionality
• Key Exchange Algorithms
  • Perfect Forward Secrecy
  • Elliptic Curve Cryptography
• Encrypted Data Exchange
  • Attacks on Algorithms
    • BEAST
    • CRIME
    • BREACH
    • Padding Oracle
    • Lucky 13
• Summary


Transport Layer Security – History

• Secure Socket Layer (SSL)
  • Developed by Netscape 1993-1995
  • SSL v3.0 published in RFC 6101 in 1996, still widely in use
• Transport Layer Security (TLS)
  • Defined in RFC 2246 in 1999 as improvement of SSL v3.0
  • TLS 1.1 defined in RFC 4346 in 2006
  • TLS 1.2 defined in RFC 5246 in 2008
  • The backward-compatibility with SSL was defined in RFC 6176 in 2011


TLS – Orientation

1. Physical Layer
2. Data Link Layer (IEEE 802.3 Ethernet, …)
3. Network Layer (IP, …)
4. Transport Layer (TCP, UDP, …)
5. Session Layer (TLS/SSL, …)
6. Presentation Layer (MIME, …)
7. Application Layer (HTTP, …)


TLS – Basic Functionality

Client ↔ Server

TLS Handshake
• Negotiation of Cipher
• Authentication
• Negotiation of Keys

TLS Record
• Authenticated and Encrypted Data Exchange


TLS – Key Exchange

• Most commonly used in TLS
  • RSA algorithm (public-key cryptography)
  • Diffie-Hellman key exchange
• Problems
  • Long-term confidentiality
  • Prime factorization is not considered future-proof
    • Specialized algorithms
    • Availability of computing power


TLS – Key Exchange II

• Perfect Forward Secrecy
  • Ensures long-term confidentiality
  • Session key cannot be compromised even if private keys are compromised in the future
• Elliptic Curve Cryptography
  • Provides better mathematical properties
  • Equivalent protection with lower key lengths
    • Ratio of equivalent key length about 32:1


TLS – Ephemeral Diffie-Hellman

Server: Prime Number p, Primitive Root g, Secret a
Server: A = g^a mod p
Server → Client: Server Key Message (A, p, g)
Client: Secret b
Client: B = g^b mod p
Client → Server: Client Key Exchange (B)
Server: S = B^a mod p
Client: S = A^b mod p

Ephemeral DH: Secrets a and b are chosen randomly for every connection


TLS – Elliptic Curve DH

Elliptic curve y^2 = x^3 + alpha x + beta, Base point G

Server: Secret a
Server: A = aG
Server → Client: Server Key Message (A, G, curve)
Client: Secret b
Client: B = bG
Client → Server: Client Key Exchange (B)
Server: S = abG
Client: S = abG

Simplified Key Exchange Protocol


TLS – Elliptic Curve DH

• Elliptic curve point multiplication

• A•A=B A•B=C A•C=D A•D=E

• Operation used in ECDH

• aG = G•G•G•…•G

Graph from http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
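The ephemeral exchange and the point multiplication from the slides above, as an added example that is not part of the original deck. The curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) is a constructed textbook-size toy, far too small for real use, and all function names are assumptions.

```python
import secrets

# Toy curve y^2 = x^3 + ALPHA*x + BETA over GF(P), constructed for illustration.
P, ALPHA, BETA = 17, 2, 2
G = (5, 1)        # base point
N = 19            # order of G on this curve
INF = None        # point at infinity (neutral element of the group)

def add(p1, p2):
    """Add two curve points (the '•' operation on the slide)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p2 is the mirror image of p1
    if p1 == p2:
        s = (3 * x1 * x1 + ALPHA) * pow(2 * y1 % P, -1, P) % P   # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P            # chord slope
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, point):
    """Compute k*point by double-and-add instead of k-1 single additions."""
    result = INF
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result

def handshake():
    """One connection: fresh secrets a and b, only A and B cross the wire."""
    a = secrets.randbelow(N - 1) + 1     # server secret, discarded afterwards
    b = secrets.randbelow(N - 1) + 1     # client secret, discarded afterwards
    A = mul(a, G)                        # sent in the Server Key Message
    B = mul(b, G)                        # sent in the Client Key Exchange
    return mul(a, B), mul(b, A)          # S as computed by server and by client

if __name__ == "__main__":
    for _ in range(3):                   # each connection derives its own S
        print(handshake())
```

Because a and b are drawn per connection and never stored, a later compromise of the server's long-term key gives no way to recompute S for recorded sessions.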


TLS – Elliptic Curve Cryptography III

• Up to 20x faster than RSA
• Doubts
  • 130 patents on uses of EC owned by BlackBerry
    • Implementations available that are thought not to infringe patents
  • Dual Elliptic Curve Deterministic Random Bit Generator
    • NIST standardized EC-based random number generator may have backdoor


TLS – Attacks on Encrypted Data Exchange

• BEAST - Browser Exploit Against SSL/TLS
• CRIME - Compression Ratio Info-leak Made Easy
• BREACH - Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
• Padding Oracle
  • Lucky 13


TLS – BEAST attack

• What is it?
  • Browser Exploit Against SSL/TLS
  • Adaptive chosen plaintext attack with predictable IV
  • Thai and Rizzo showed exploitability in 2011
• How does it work?
  • Based on two mechanisms
    • Cipher block chaining mode
    • Initialization vector
  • Passive network eavesdropping

Figure from http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29


TLS – BEAST attack II

• Can be used to reveal the session cookie
  • Session cookie transmitted at known offset
  • Block boundaries (e.g. AES 16 bytes) can be controlled
    • Adjusting URL parameters
  • Block containing cookie secret can be moved
    • Contains only 1 unknown byte


TLS – BEAST attack III

• Original HTTP Client Request:

    POST / HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
    Accept-Language: en-US,en;q=0.8

    (... body of the request ...)

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf


TLS – BEAST attack IV

• Steps of the attack
  • Attacker forces browser to send HTTPS request
    E(key, request) = C1, C2, C3, …, Cn
  • Attacker captures encrypted blocks and knows all plaintext bytes except one of e.g. C3
  • Attacker calculates Pi = guess ⊕ C2 ⊕ Cn and appends Pi to the original request
  • Browser calculates Ci = E(key, Cn ⊕ Pi) and attacker checks if Ci == C3


TLS – BEAST attack V

• Feasibility
  • Eavesdrop traffic e.g. over wireless network
  • Run malicious code in user’s browser
    • Bypass browser’s same-origin-policy
• Counter Measures
  • Mitigated in TLS 1.1 and 1.2
  • If backward compatibility with TLS 1.0 or SSL is required, ensure that the browser implements countermeasures
    • e.g. 1/n-1 record splitting


TLS – CRIME attack

• What is it?
  • Compression Ratio Info-leak Made Easy
  • Rizzo and Duong showed exploitability in 2012
• How does it work?
  • Brute force attack
  • Exploits data compression properties
  • DEFLATE is the most commonly used compression in TLS
    • Removes redundancy of repeating symbols
• Can be used to reveal the session cookie


TLS – CRIME attack II

• Exploits length of encrypted message
  • length(encrypt(compress(header+body)))
• Original HTTP Client Request:

    POST / HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
    Accept-Language: en-US,en;q=0.8

    (... body of the request ...)

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf


TLS – CRIME attack III

• HTTP request modified by attacker

    POST /secretcookie=0 HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Cookie: secretcookie=7xc89f94wa96fd7cb4cb0031ba249ca2
    Accept-Language: en-US,en;q=0.8

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf


TLS – CRIME attack IV

• Feasibility
  • Affects all browsers and servers supporting TLS compression
    • 42% of servers, 45% of browsers
  • Needs way to execute code in user’s browser
• Counter Measures
  • Disable TLS compression!


TLS – BREACH attack

• What is it?
  • Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
  • Demonstrated by Gluck, Harris, Prado in 2013
  • Application of CRIME attack based on HTTP compression
• How does it work?
  • Inject controlled information in HTTP requests
  • Eavesdrop HTTP response


TLS – BREACH attack II

• Modified HTTP request

    GET /product/?id=12345&user=CSRFtoken=<guess> HTTP/1.1
    Host: example.com

• Server’s response

    <form target="https://example.com:443/products/catalogue.aspx?id=12345&user=CSRFtoken=<guess>">
    ...
    <td nowrap id="tdErrLgf">
    <a href="logoff.aspx?CSRFtoken=4bd634cda846fd7cb4cb0031ba249ca2">Log Off</a></td>

Example from https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf


TLS – BREACH attack III

• Feasibility
  • Monitor server responses
    • ARP spoofing
  • Run code in user’s browser
• 3 Requirements
  • Application supports HTTP compression
  • Response reflects user’s input
  • Response has sensitive information embedded


TLS – BREACH attack IV

• Countermeasures
  • Disable HTTP compression
  • Separating secrets from user input
  • Masking secrets
  • Request rate-limiting and monitoring
  • Length hiding
    • Add garbage to the response
    • Proposal for TLS extension in development
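A check for the "Masking secrets" countermeasure, added here as an example and not taken from the original deck: it measures the compressed-length signal that CRIME and BREACH rely on, then masks the token so the page never contains it verbatim. The page template, the pad-XOR masking scheme and all function names are assumptions; the token value is the one from the slide's example.

```python
import secrets
import zlib

TOKEN = "4bd634cda846fd7cb4cb0031ba249ca2"   # CSRF token from the slide's example

def mask(token_hex):
    """Return pad || (pad XOR token) as hex; the pad is fresh for every response."""
    token = bytes.fromhex(token_hex)
    pad = secrets.token_bytes(len(token))
    return (pad + bytes(p ^ t for p, t in zip(pad, token))).hex()

def unmask(masked_hex):
    """Server-side inverse of mask(), applied before the token is compared."""
    raw = bytes.fromhex(masked_hex)
    half = len(raw) // 2
    return bytes(p ^ b for p, b in zip(raw[:half], raw[half:])).hex()

def render(reflected, token_in_page):
    """Constructed page that reflects user input and embeds a token."""
    return (
        '<form target="/products/catalogue.aspx?id=12345&user=' + reflected + '">'
        '<a href="logoff.aspx?CSRFtoken=' + token_in_page + '">Log Off</a>'
    ).encode()

def compressed_len(page):
    """Size visible on the wire after HTTP compression (DEFLATE)."""
    return len(zlib.compress(page, 9))

def length_gap(embed):
    """Compressed-size gap between a non-matching and a matching reflection."""
    miss = "CSRFtoken=f0e1d2c3b4a5968778695a4b3c2d1e0f"   # constructed wrong value
    hit = "CSRFtoken=" + TOKEN
    return compressed_len(render(miss, embed())) - compressed_len(render(hit, embed()))

if __name__ == "__main__":
    print("gap with raw token:   ", length_gap(lambda: TOKEN))
    print("gap with masked token:", length_gap(lambda: mask(TOKEN)))
```

With the raw token the gap is clearly positive; with masking it shrinks to compressor noise because the reflected input no longer has anything in the page to match.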


TLS – Padding oracle attack

• Padding oracle attack
  • Chosen ciphertext attack
• Side-channel attack
  • Exploits leaked information about validity of format
  • Server leaks information if padding format is correct
• Works for Cipher-block chaining (CBC) mode of operation
  • Independent of encryption algorithm and key


TLS – Padding oracle attack II

• Encryption (Normal operation)
  • Plaintext is split in blocks
  • Last block is padded to fill up block
    • RC5-CBC-PAD algorithm proposes padding: the n padded bytes are filled with the value n, e.g. for n=5 the last bytes are …,5,5,5,5,5
  • Padded plaintext is encrypted
• Decryption (Normal operation)
  • Ciphertext is decrypted
  • Correct format of padding is checked


TLS – Padding oracle attack III

Figure from http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29


TLS – Lucky13

• What is it?
  • Padding oracle attack
  • Man-in-the-middle can recover plaintext from TLS connection
    • When using CBC-mode
  • Exploits timing bug of TLS data decryption
• How does it work?
  • Message Authentication Code (MAC) is used to provide integrity
  • TLS encrypts block: plaintext + MAC of plaintext + padding
  • Decryption checks padding, then checks for correct MAC


TLS – Lucky13 II

• Problem in TLS 1.0
  • Invalid padding
    • Explicit error returned
  • Made padding oracle attacks possible
  • Fixed in TLS 1.1
• Problem in TLS 1.1
  • Invalid padding
    • Server kills the session to prevent attacks
  • Server’s reaction time measurable
  • Padding oracle attacks also work across sessions


TLS – Lucky13 III

• Current version TLS 1.2
  • If padding fails, whole message used to calculate MAC
  • Should resolve previous problems
  • But: takes slightly longer!
  • Lucky 13 exploits this subtle time difference


TLS – Lucky13 IV

• Feasibility
  • Intercept client-server communication, inject malware to the client
  • Repetition to eliminate noise and network jitter in time measurement
    • Slow attack – needs lots of connections to succeed
  • All TLS cipher suites including CBC-mode encryption vulnerable
• Countermeasures
  • Implement uniform processing time
  • Add random server-side delays
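The record check described on the padding oracle and Lucky13 slides, as an added example that is not code from the deck or from any TLS library: the TLS 1.0-style check with distinguishable failures beside the later behaviour with a single error and a MAC that is always computed. It works on the already decrypted record (plaintext + MAC + padding, n padding bytes of value n as on the slide); HMAC-SHA1, the 16-byte block and all function names are assumptions.

```python
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag length (assumed MAC)
BLOCK = 16        # AES block size

def seal(key, data):
    """Build data + MAC + padding, i.e. the plaintext handed to CBC encryption."""
    body = data + hmac.new(key, data, hashlib.sha1).digest()
    n = BLOCK - len(body) % BLOCK            # 1..16 bytes, each holding the value n
    return body + bytes([n]) * n

def open_tls10_style(key, record):
    """Distinguishable failures: this difference is the padding oracle."""
    n = record[-1]
    if not 1 <= n <= BLOCK or record[-n:] != bytes([n]) * n:
        return "bad_padding"                 # early return, MAC never computed
    data, tag = record[:-n - MAC_LEN], record[-n - MAC_LEN:-n]
    if hmac.new(key, data, hashlib.sha1).digest() != tag:
        return "bad_mac"
    return data

def open_single_error(key, record):
    """One failure result; the MAC is computed even when the padding is bad."""
    n = record[-1]
    pad_ok = 1 <= n <= BLOCK and hmac.compare_digest(record[-n:], bytes([n]) * n)
    if not pad_ok:
        n = 0                                # treat record as unpadded, keep going
    body = record[:len(record) - n]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    # The MAC input is longer when padding was rejected; that small timing
    # difference is what Lucky 13 measures, so production code must also
    # equalise the MAC work (constant-time code, not Python).
    mac_ok = hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)
    return data if (pad_ok and mac_ok) else None

if __name__ == "__main__":
    key = b"k" * 16                          # constructed sample key and record
    rec = seal(key, b"GET / HTTP/1.1")
    bad_pad = rec[:-1] + bytes([rec[-1] ^ 1])
    print(open_tls10_style(key, bad_pad), open_single_error(key, bad_pad))
```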


Summary

• Use Secure Key Exchange Algorithms in TLS 1.2
  • Ephemeral Diffie Hellman
  • Ephemeral Elliptic Curve Diffie Hellman
• Security of Ciphers defined in TLS 1.2
  • HTTP compression makes any algorithm attackable
    • Try to avoid HTTP compression or take counter measures against BREACH
  • Don’t use RC4 as alternative algorithm
    • Full plaintext recovery attack shown by Bernstein et al. in 2013
  • Use AES Galois/Counter Mode (AES GCM)
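One way to apply these recommendations with Python's standard ssl module, added here as an example that is not part of the original deck: a server context limited to TLS 1.2 or later, (EC)DHE key exchange with AES-GCM and no TLS compression, plus an audit that lists any enabled suite outside that policy. The function names are assumptions, certificate loading is omitted, and the runtime may also enable TLS 1.3 suites, which postdate the deck.

```python
import ssl

def hardened_server_context():
    """Server context following the summary slide (certificate loading omitted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSL 3.0, TLS 1.0 or TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")      # forward secrecy and AES-GCM only
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME countermeasure
    return ctx

def weak_suites(ctx):
    """Names of enabled pre-TLS-1.3 suites that lack (EC)DHE or AES-GCM."""
    weak = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue            # TLS 1.3 suites are ephemeral and AEAD by design
        name = suite["name"]
        forward_secret = name.startswith(("ECDHE-", "DHE-"))
        aes_gcm = "AES" in name and "GCM" in name
        if not (forward_secret and aes_gcm):
            weak.append(name)
    return weak

if __name__ == "__main__":
    ctx = hardened_server_context()
    print("enabled:", [s["name"] for s in ctx.get_ciphers()])
    print("outside policy:", weak_suites(ctx))

    # For comparison: everything the local OpenSSL build offers.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    loose.set_ciphers("ALL")
    print("outside policy with 'ALL':", len(weak_suites(loose)))
```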


Take-Home Message

• Yes, we can prevent the Cryptocalypse… for the moment
• Update your Servers
  • Use latest versions of libraries
  • Enable secure algorithms
• Update your Browser
  • Latest browser versions support TLS 1.2
    • Chrome >= 30, Firefox >= 28, Internet Explorer >= 11, Opera >= 17, Safari >= 5 (iOS), >= 7 (Mac OS X)


Thank You Dr. Gregor Koenig


Comic from http://xkcd.com/538/


References

General
1. P. Bright, Crypto experts issue a call to arms to avert the cryptopocalypse. http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
2. Wikipedia, Transport Layer Security. http://en.wikipedia.org/wiki/Transport_Layer_Security

Key Exchange
1. Wikipedia, Perfect Forward Secrecy. http://en.wikipedia.org/wiki/Perfect_forward_secrecy
2. N. Sullivan, A primer on elliptic curve cryptography, 2013. http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography

Ciphers
1. P. Sarkar, S. Fitzgerald, Attacks on SSL, A comprehensive Study of BEAST, CRIME, TIME, BREACH, LUCKY13 & RC4 BIAS, 2013. https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
2. S. Vaudenay, Security Flaws Induced by CBC padding, Applications to SSL, IPSEC, WTLS. http://lasec.epfl.ch/pub/lasec/doc/Vau02a.ps
3. S. Gueron, AES-GCM for Efficient Authenticated Encryption, 2013. https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf
4. D. Goodin, Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages. http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages
5. N. AlFardan et al., On the security of RC4 in TLS and WPA, 2013. http://www.isg.rhul.ac.uk/tls
6. Wikipedia, Galois/Counter Mode. http://en.wikipedia.org/wiki/Galois/Counter_Mode