lecture 22–cas and https attacks · •certificates are free (from letsencrypt!) –identity...
TRANSCRIPT
Lecture22 – CAsandHTTPSAttacks
StephenCheckowayUniversityofIllinois atIllinois
CS487– Fall 2017SlidesfromMillerandBailey’sECE422
Certificates
•Makeuseoftrusted“CertificateAuthorities”(CA)
• “ThispublickeywithSHA-256hash(XXX)belongstothesite(name,e.g.,Amazon.com)”– Digitallysigned byacertificateauthority
• Yourbrowsers(e.g.,Firefox,Chrome)trustaspecificsetofCAsasrootCAs– ShippedwiththepublickeysoftherootCAs–Whydoweneedmorethan1?
HowtheCAverifiesyouridentity
• Typically’DV’(domain verification)–ProvesyouareincontrolofDNSregistration–Justanemailbasedchallengetotheaddressinthedomainregistrationrecords•Orsomedefaultemailaddress,[email protected]•Minimallysecure[Why?]
–Alternatelyaweb-basedchallenge–Includechallengeresponseina<meta>tag
• Certhasanexpirationdate(e.g.,oneyearahead)[Why?]
Howtoinvalidatecertificates?
• Expirationdateofcerts• Certificaterevocation• WhathappensifaCA’ssecretkeyisleaked?– CanwetrusttheoldcertsfromthatCA?
• Interestingfact:– GooglehasinstrumentedChromesuchthatwhenitobservesacertificateforGoogle.comthatitdoesn’trecognize,itpanics….(hashappenedseveraltimes)
Self-signedCertificates
• Issuersignstheirowncertificate– Aloopintheownerandsigner
• AvoidCAfees,usefulfortesting–YoucanaddyourselfasaCAtoyourownbrowser
• Browsersdisplaywarningsthatusershavetooverride• Protectsonlyagainstpassiveattacker“optimisticencryption”
TLS Certificates• Atrustedauthorityvouchesthatacertainpublickeybelongstoaparticularsite
• Formatcalledx.509(complicated)• BrowsersshipwithCApublickeysforlargenumberoftrustedCAs[accreditationprocess]
• Importantfields:• CommonName(CN)[e.g.,*.google.com]ExpirationDate[e.g.2yearsfromnow]Subject'sPublicKeyIssuer-- e.g.,VerisignIssuer'ssignature
• CommonNamefield• Explicitname,e.g.ece.illinois.edu• Orwildcard,e.g.*.illinois.edu
X509Certificates
Subject: C=US/O=GoogleInc/CN=www.google.comIssuer:C=US/O=GoogleInc/CN=GoogleInternetAuthoritySerialNumber:01:b1:04:17:be:22:48:b4:8e:1e:8b:a0:73:c9:ac:83ExpirationPeriod: Jul122010- Jul192012PublicKeyAlgorithm:rsaEncryptionPublicKey:43:1d:53:2e:09:ef:dc:50:54:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:39:23:46
SignatureAlgorithm: sha1WithRSAEncryption
Signature:39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:1e:5d:b5
CertificateChains• CAcandelegateabilitytogeneratecertificatesforcertainnames:IntermediateCAs
• RootCAsigns"certificateissuingcertificate"fordelegatedauthority• Browserthattrustsrootcanexaminecertstoestablishvalidity-- "Chainoftrust”
• HowtofindoutaboutalltheCAs?• Morethan1000trustedpartiestoday,cansignforanydomain– hugeproblem!
CertificateChains
Subject:C=US/…/O=GoogleInc/CN=*.google.comIssuer:C=US/…/CN=GoogleInternetAuthorityPublicKey:Signature: bf:dd:e8:46:b5:a8:5d:28:04:38:4f:ea:5d:49:ca
Subject:C=US/…/CN=GoogleInternetAuthorityIssuer: C=US/…/OU=EquifaxSecureCertificateAuthorityPublicKey:Signature:be:b1:82:19:b9:7c:5d:28:04:e9:1e:5d:39:cd
Subject:C=US/…/OU=EquifaxSecureCertificateAuthorityIssuer:C=US/…/OU=EquifaxSecureCertificateAuthorityPublicKey:Signature:39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:38:c9:d1
MozillaFirefoxBrowser
Iauthorizeandtrustthiscertificate;here
ismysignature
Iauthorizeandtrustthiscertificate;here
ismysignature
Trusteverythingsignedbythis
“root”certificate
CertificateAuthorityEcosystem
EachbrowsertrustsasetofCAsCAscansigncertificatesfornewCAsCAscansigncertificatesforanywebsite
IfasingleCAiscompromised,thentheentiresystemiscompromised
WeultimatelyplaceourcompletetrustoftheInternetintheweakestCA
ImmediateConcerns
• NobodyhasanyideawhoalltheseCAsare…
• 1,733umich-knownbrowsertrustedCAs
• HistoryofCAsbeinghacked(e.g.Diginotar)
• Oooops,Koreagaveeveryelementaryschool,library,andagencyaCAcertificate(1,324)– Luckilyinvalidduetoahigher-upconstraint
GettingaCertificate
• Certificatesarefree(fromLetsEncrypt!)–Identityvalidatedbychallengetowebsite
• Certificatesarecheapelsewheretoo–Identityisvalidatedviae-mailtothedefaulte-mailaddresses
• SettingupSSLishard.Peopleareterribleatit.CertificateSigningRequests,eughIntegratinginawebserver
TLS inthebrowser
• Lockicon– HTTPScertmustbeissuedbyaCAtrustedbybrowser (orchaintoonethatis)
– HTTPScertisvalid(e.g.,notexpiredorrevoked)– CommonName incertmatchesdomaininURL
• ExtendedValidation(EV)certificates– CAdoesextraworktoverifyidentity-- expensive,butNO moresecure
• Invalidcertificatewarnings
AttackVectors
• AttacktheweakestCertificateAuthority
• Attackbrowserimplementations
• MagicallynoticeabuginakeygenerationlibrarythatleadsyoutodiscoveringalltheprivatekeysontheInternet
• Attackthecryptographicprimitives–Mathishard
Googlenoevil
Attackingsitedesign
• SSLstrip attack– Proxythroughthecontentw/oHTTPS
• Defense– DefaultHTTPSforallwebsites?– HSTS(hypertextstricttransportsecurity):headersays:alwaysexpectHTTPS,enforcedbybrowsers.
– HTTPSEverywhere:browserextension– EV:ExtendedValidation(comparedtoDV:DomainValidation)
Attackingsitedesign
• MixedContentattack-- PageloadsoverHTTPSbutcontainscontentoverHTTP– e.g.JavaScript,Flash– ActiveattackercantamperwithHTTPcontenttohijacksession
• Defense:Browserwarnings:["Thispagecontainsinsecurecontent"],– butinconsistentandoftenignored
UIinterfacebasedattacks
• Invalidcerts– Expired,CommonName!=URL,unknownCA(e.g.,self-signed)
• Defense: browserwarnings,anti-usabilitytobypass…• Picture-in-pictureattack:spooftheuserinterface– Attackerpagedrawsfakebrowserwindowwithlockicon
• Defense:individualizedimage
AttackingthePKI:CAcompromiseExample:DigiNotar
AttackingthePKI:CAcompromiseExample:DigiNotar
• DigiNotarwas aDutchCertificateAuthority
• OnJune10,2011,*.google.com certwasissuedtoanattackerandsubsequentlyusedtoorchestrateMITMattacksinIran
• Nobodynoticedtheattackuntilsomeonefoundthecertificateinthewild…andpostedtopastebin
DigiNotarContd.
• DigiNotarlateradmittedthatdozensoffraudulentcertificateswerecreated
• Google,Microsoft,AppleandMozillaallrevokedtherootDiginotarcertificate
• DutchGovernmenttookoverDiginotar
• Diginotarwentbankruptanddied
AttackingthePKI:Hashcollisions
• MD5/SHA1isknowntobebroken-- Cangeneratecollisions• In2008,researchersshowedthattheycouldcreatearogueCAcertificateusinganMD5collision
• Attack:MakecollidingmessagesA,B,withsameMD5hash:– A:Sitecertificate:"cn=attack.com,pubkey=....”– B:DelegatedCAcertificate:"pubkey=....isallowedtosigncertsfor*”– GetCAtosignA-- SignatureisSign(MD5(message))– SignaturealsovalidforB(samehash)– AttackerisnowaCA!–Makeacertforanysite,browserswillacceptit
MD5consideredharmful
• MD5CAcertificatesstillexist,butCAshavestoppedsigningcertificateswiththem– 879,705certificatesstillhaveMD5signatures
•SHA-1shouldnotbeusedeither– 46,969,095outof146,442,087certseverseenbyCensys useSHA1WithRSA (32%)
Attackingimplementations:NullTerminationAttack
• ASN.1utilizesPascal-stylestrings
• WebbrowsersutilizeuseC-stylestrings
• AnnouncedbyMoxieMarlinspikein2009
gmail.com\0.badguy.com
NullTerminationAttack• www.attacker.com
– [CAsverifycertbylookingupwhoownsthelastpartofthedomainviaDNSrecord]– emails"[email protected]"-->"Clickheretovalidatecertrequest”
• x.509certsencodeCNfieldasaPascalstring(length+data)• BrowserscopyitintoaCstring(data+\0)• WhatifCAcontains"\0"?
– www.paypal.com\0.attacker.com?– CAcontacts"attacker.com"toverify(lastpartofdomainname)– BrowserscopytoCstring,terminatesat"\0"-- seeonlypaypal.com– AttackernowhasacertthatworksforPaypal!
Otherimplementation-basedattacks
• Gotofail,Feb.2014(AppleSSLbug;skippedcertificatecheckforalmostayear!)
• Heartbleed,April2014(OpenSSLbug;leakeddata,possiblyincludingprivatekey!)
• MozillaBERserkvulnerability,Oct2014(Buginverifyingcertsignatures,allowedspoofingcerts,probablysincethebeginning….!)•Logjam,Oct2016(TLSvulnerabletoMan-in-themiddle“Downgrade”attack)
WhocontrolstheTLSendpoint?
Cloudbleed - (theotherbignewslastweek)- oneofthemostpopular“contentdeliverynetworks”- actsastheSSLendpointformanyservers- abufferoverflow attackcausedittoleakHTTPSdata
ClientsideHTTPInterception -- MostantivirussoftwareinterceptsyourHTTPS[How?]- Introducesnewvulnerabilitiesbyimplementingpoorly
Takeaways
• UseHTTPS!It’ssomuchbetterthannothing
• TLS keepsbreaking.Useit,butdon'trelyonitexclusively.