cryptographic strength of ssl/tls servers: current and recent practices
DESCRIPTION
Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices. Homin K. Lee, Tal Malkin, Erich Nahum Columbia University and IBM Research. Motivation. Many Web services ( e.g. e-commerce, online banking) require secure servers - PowerPoint PPT PresentationTRANSCRIPT
IBM Research
© 2007 IBM Corporation
Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices
Homin K. Lee, Tal Malkin, Erich Nahum
Columbia University and IBM Research
IBM Research
© 2007 IBM Corporation2
Motivation
Many Web services (e.g. e-commerce, online banking) require secure servers
Web security is handled by the Secure Socket Layer (SSL) protocol
SSL relies on cryptographic algorithms
A Web service is only truly secure if it uses current best practices in cryptography
A weak SSL configuration may indicate a poorly maintained site
What crypto is actually used by SSL servers?
IBM Research
© 2007 IBM Corporation3
Talk Outline
Motivation
Brief review of SSL
Methodology
Results
Summary and Conclusions
Future Work
IBM Research
© 2007 IBM Corporation4
What is SSL/TLS?
https
ssl/tls
tcp
ip
ethernet
SSL/TLS is a network protocol
– SSL: Secure Socket Layer
– TLS: Transport Layer Security
Provides end-to-end security:
– Authentication of server & client
– Encryption/integrity of data
History:
– Netscape developed versions 1,2
– SSL v3 TLS 1.0 (IETF RFC 2246)
– TLS 1.1 RFC out; 1.2 in draft
IBM Research
© 2007 IBM Corporation5
What Security Does SSL Provide?
Authentication:
– Person you’re speaking with is who they say they are, prevent masquerading
– RSA, Digital Signature Standard (DSS)
Key Exchange:
– Two parties who have never met mutually agree on a shared secret
– RSA, Diffie-Hellman
Secrecy/Privacy/Confidentiality
– Only 2 relevant parties understand messages, prevent eavesdropping
– Encrypt using symmetric key ciphers
– E.g., RC2, RC4, DES, 3-DES, AES, NULL(!)
Integrity:
– Message you get/send is the same one they/you sent, detect tampering
– Use one-way hash functions: MD5, SHA-1
IBM Research
© 2007 IBM Corporation6
Key Part of the SSL/TLS Handshake
Client HELLO message:
– Nonce (random + time)
– Cipher suites
Server HELLO response:
– Nonce
– Chosen cipher suite
Server Certificate
Client verifies certificate
client server
ClientHello
time
ServerHello
verifycertificate
generatenonce &ciphers
generatenonce &chooseoptions
SSL Option Negotiation
TLS1-RSA-EDH-AES256-SHA1;TLS1-DSS-EDH-3DES-MD5;SSL3-RSA-RSA-RC4128-MD5;SSL2-RSA-RSA-DES56-MD5;etc.
TLS1-RSA-EDH-AES256-SHA1
Certificate
IBM Research
© 2007 IBM Corporation7
Talk Outline
Motivation
Brief review of SSL
Methodology
Results
Summary and Conclusions
Future Work
IBM Research
© 2007 IBM Corporation8
client server
ClientHello
time
ServerHello
verifycertificate
generatenonce &ciphers
generatenonce &chooseoptions
How to Discover Support
SSL2-RSA-RSA-DES56-MD5;
SSL2-RSA-RSA-DES56-MD5
Certificate
For each cyphersuite j
– Make connection to server
– Advertise only one cyphersuite j
– Log success of first part of handshake
– Terminate connection
IBM Research
© 2007 IBM Corporation9
What is PSST?
PSST: The Probing SSL Scanning Tool– Leverages code from openssl & httperf
– Modifications to use algorithm
Uses a list of over 19,000 SSL servers– Culled from TBIT site, Web100, NLANR, etc.
Run algorithm over each server– Takes roughly 3 days
– Runs in 11/2006, 6/2006, 08/2005, 02/2005
Wait for angry phone calls/email
But none come!
IBM Research
© 2007 IBM Corporation10
Talk Outline
Motivation
Brief review of SSL
Methodology
Results
Summary and Conclusions
Future Work
IBM Research
© 2007 IBM Corporation11
Questions We’re Asking
What versions of SSL/TLS are out there?
What kinds of key exchange and site authentication?
How strong are the public keys?
What types of bulk transfer authentication?
What kinds of symmetric key encryption?
How strong are the symmetric keys?
Do sites choose the best crypto possible?
How has behavior changed over time?
IBM Research
© 2007 IBM Corporation12
SSL/TLS Protocol Version
SSL 2.0 has many flaws:
– Vulnerable to man-in-the-middle attacks
– Uses MD5 exclusively
– Uses a weak MAC
– Uses same key for authentication and encryption
SSL Type
Number
Percent
SSL 2.0 16,587 85.37 %
SSL 3.0 19,025 97.92 %
TLS1 19,111 98.36 %
IBM Research
© 2007 IBM Corporation13
SSL/TLS Protocol Breakdown
SSL 2.0
SSL 3.0
TLS Number Percent
24 0.12 %
146 0.75 %
148 0.76 %
211 1.09 %
169 0.87 %
2,485 12.79 %
16,246 83.62 %
IBM Research
© 2007 IBM Corporation14
Key Exchange & Authentication
KeyEx + Auth Number Percentage
EDH + DSS 4 0.02 %
EDH + RSA 11,185 57.57 %
RSA + RSA 19,401 99.86 %
EDH, DSS, and RSA give comparable levels of security for equal key sizes.
IBM Research
© 2007 IBM Corporation15
Public Key Sizes
512 bits factored in 1999
NIST, RSA, NESSIE: Public key sizes should be at least 1024 bits for the recommended 80-bit level of security.
Old export laws used to forbid sizes greater than 512 bits.
Key Size
Number
Percent
512 765 3.94 %
768 275 1.42 %
1024 17,166 88.35 %
1280 1 0.01 %
2048 1,192 6.14 %
4096 36 0.19 %
IBM Research
© 2007 IBM Corporation16
Hash Functions
MAC Number Percentage
MD5 19,201 98.83 %
SHA-1 19,326 99.47 %
MD5 has a family of collisions
– Only option for SSL 2.0, but 79 servers use SSL 3.0 or TLS and only support MD5
SHA-1 is also recently in trouble
SHA-256, SHA-512 are also available
IBM Research
© 2007 IBM Corporation17
Symmetric Key Encryption
Cipher Number Percent
AES 11,107 57.17 %
DES 19,168 98.66 %
RC2 17,931 92.29 %
RC4 19,241 99.03 %
Nearly all servers support DES, RC2, and RC4
Over 50% of the servers support the new AES standard
IBM Research
© 2007 IBM Corporation18
DES
Cipher Number Percent
DES-40 12,930 66.55 %
DES-56 12,102 62.29 %
DES-64 18,162 93.48 %
3-DES 18,943 97.50 %
Cipher Number Percent
DES-40 25 0.13 %
DES-56 35 0.18 %
DES-64 165 0.85 %
3-DES 18,943 97.50 %
Maximum
DES strength
DES support
IBM Research
© 2007 IBM Corporation19
Cipher Number Percent
RC2-40 17,546 90.31 %
RC2-56 7,360 37.88 %
RC2-128
16,278 83.78 %Cipher Number Percent
RC2-40 790 4.07 %
RC2-56 863 4.44 %
RC2-128
16,278 83.78 %
Maximum RC2 Strength
RC2 Support
RC2
IBM Research
© 2007 IBM Corporation20
Cipher Number Percent
RC4-40 17,827 91.75 %
RC4-56 12,173 62.65 %
RC4-64 11,030 56.77 %
RC4-128 19,154 98.58 %Cipher Number Percent
RC4-40 48 0.25 %
RC4-56 38 0.20 %
RC4-64 1 0.01 %
RC4-128
19,154 98.58 %
Maximum RC4 strength
RC4 Support
RC4
IBM Research
© 2007 IBM Corporation21
AES
AES-128 AES-256 Number
Percentage
154 0.79 %
10,709 55.12 %
244 1.26 %
AES support
IBM Research
© 2007 IBM Corporation22
Default Choice of Full Cipher Suite
Cipher Suite Number Percent
AES-256 SHA-1
10,135 53.69 %
RC4-128 MD5
5,611 29.72 %
3-DES SHA-1 2,837 15.02 %
RC4-128 SHA-1
259 1.37 %
3-DES MD5 12 0.06 %
RC4-40 MD5 9 0.05 %
AES-128 SHA-1
6 0.03 %
RC4-56 MD5 3 0.02 %
DES-64 SHA-1
3 0.02 %
DES-56 SHA-1
2 0.01 %
IBM Research
© 2007 IBM Corporation23
Really Bad Choices
Bad Decision Num Percent
Support AES, choose something weaker
657 6.00 %
Support SSL3, choose SSL2 3 0.01 %
Choose weaker public key than available
4 0.01 %
IBM Research
© 2007 IBM Corporation24
Changes in SSL Version Support over Time
SSL Type
02 / 2005
08 / 2005
06 / 2006
11 / 2006
SSL 2.0 94.49 93.23 87.95 85.37
SSL 3.0 97.96 98.30 98.16 97.92
TLS 1.0 97.51 98.32 98.28 98.36
Situation is improving, but not quickly enough
SSL Version Support (Percentage)
IBM Research
© 2007 IBM Corporation25
Changes in Cipher Support over Time
Cipher02 /
200508 /
200506 /
200611 /
2006
AES 41.26 48.29 55.18 57.17
DES 99.13 99.28 98.81 98.66
Weak DES
97.32 97.00 94.63 93.48
RC2 96.52 96.20 93.63 92.29
RC4 99.50 99.57 99.18 99.03Cipher Support (Percentage)
IBM Research
© 2007 IBM Corporation26
Changes in Public Key Size over Time
Key Size02 /
200508 /
200506 /
200611 /
2006
512 5.01 5.32 4.17 3.94
768 1.93 1.84 1.54 1.42
1024 88.46 87.80 88.33 88.35
1048 0.01 0.01 0.00 0.00
1280 0.00 0.00 0.01 0.01
1536 0.01 0.00 0.00 0.00
1568 0.01 0.01 0.01 0.00
2048 4.51 4.96 5.91 6.14
4096 0.12 0.15 0.17 0.19Key Size Support (Percentage)
IBM Research
© 2007 IBM Corporation27
Most servers support reasonable cryptography– 57% support the new AES standard– 95% have strong public keys
Most servers also support weak cryptography– E.g., SSL2, 40-bit & 64 bit RC2/RC4/DES– Clients should not be allowed to use them
• e.g., Firefox changing to disable SSL2 Some servers have serious weaknesses
– 5% of servers support breakable public keys– 24 servers only support SSL2– 8% support only weak RC2– 87 support only weak RC4– 225 support only weak DES
Summary and Conclusions
IBM Research
© 2007 IBM Corporation28
We see some sites that make bad choices
– Choose RC4 or DES over AES
– Choose weaker symmetric keys than are supported
– Choose SSL2 over SSL3
We also see some strange birds
– A few that do not support RSA
– Some bizarre public key sizes (1048,1568,2560)
– A few sites that support AES-128 or 256 but not both
– Sites with inconsistent choices (behind a L4/L7 switch)
Summary and Conclusions (cont)
IBM Research
© 2007 IBM Corporation29
Future Work
Shorter term:
– Categorize servers by industry
– Categorize server strengths
– Check certificates (expired, self-signed, revoked)
Longer Term:
– Scan random (or routable) IPs rather than list
– Measure SSH server crypto strength
– Measure crypto used by clients
IBM Research
© 2007 IBM Corporation30
Security Is Limited By The Weakest Link
IBM Research
© 2007 IBM Corporation31
Q&A
Thank you!
IBM Research
© 2007 IBM Corporation
Backup
IBM Research
© 2007 IBM Corporation33
Related Work
Murray 2001 Study (USENIX Security 2001)– Tested 8081 servers– Found many more weak SSL sites (using 2001 defs)– Didn’t study choice of cipher, AES, etc.
NetCraft, SecuritySpace– Both sell subscription service testing SSL sites– Look at coarser-grain information (“strong”, “weak”)– SecuritySpace checks self-signed certificates (~9%)
Other Scanning Tools– E.g., IBM’s NSA, NMAP, ssh-scan (Michigan)– Look at different class of vulnerabilities (open ports, SSH version,
etc.)
IBM Research
© 2007 IBM Corporation34
Default Choice of Symmetric Encryption
Most sites choose wisely
Cipher Number Percent
AES 10,141 53.72 %
DES 2,845 15.12 %
RC2 0 0.00 %
RC4 5,882 31.16 %
IBM Research
© 2007 IBM Corporation35
Key Strengths
Bits of security
40 56 64 80 112 128 256
Private Key RC2, RC4, DES
RC2, RC4, DES
RC4, DES
3DES
RC2, RC4,
AES
AES
Public Key
Length (bits)
1024
2048 3072
15360
NIST suggests that the 80-bit level will be appropriate until 2015, and the 112- bit level until 2035.