TLS/SSL et al. Internet Security

Upload: nisheed-km

Post on 16-Jan-2017



SSL/TLS how does it work?

´ Server authentication
´ Key exchange
´ Encrypted data transfer (record protocol)

Handshake (the slide's sequence diagram, as a message list):

Client -> Server: ClientHello
  Highest SSL/TLS version, ciphers supported, data compression methods, Session Id = 0 (new session), random data
Server -> Client: ServerHello
  Selected SSL/TLS version, selected cipher, selected data compression method, assigned Session Id, random data, server certificate
Server -> Client: (Client Certificate Request), Server Hello Done
Client -> Server: (Client certificate), ClientKeyExchange, ChangeCipherSpec
  Indicates that further communication to the server will be encrypted
Client -> Server: Finished
  Digest of all SSL handshake commands so far, for integrity check
Server -> Client: ChangeCipherSpec
  Indicates that further communication to the client will be encrypted
Server -> Client: Finished
  Digest of all SSL handshake commands, for integrity check

Both hello messages carry the SSL version, the Session ID and the ciphers, each cipher suite naming a key exchange, an encryption algorithm and a hash (keyexg/enc/hash).
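The ClientHello and ServerHello fields listed above, as an added example that is not part of the original talk: it serializes a TLS 1.2 ClientHello into a handshake record, parses it back into the fields the slide names, and makes the server's cipher choice with the server's own preference order honoured (what SSLHonorCipherOrder On does). The cipher-suite code points are real IANA values; the random bytes, session ID and suite lists are constructed for the demo.

```python
import os
import struct

TLS12 = 0x0303
# Real IANA code points, used only to label the sample suites.
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

def build_client_hello(cipher_suites, session_id=b"", compression=b"\x00", random_bytes=None):
    """Serialize a TLS 1.2 ClientHello (RFC 5246 7.4.1.2) inside a handshake record.
    Empty session_id asks for a new session; compression 0x00 is 'null', the only
    method a CRIME-aware client should offer."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = struct.pack(">H", TLS12) + rnd                          # client_version, random
    body += struct.pack(">B", len(session_id)) + session_id        # session_id<0..32>
    body += struct.pack(">H", 2 * len(cipher_suites))              # cipher_suites<2..2^16-2>
    body += b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">B", len(compression)) + compression      # compression_methods<1..2^8-1>
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16" + struct.pack(">HH", TLS12, len(handshake)) + handshake  # ContentType handshake(22)

def parse_client_hello(record):
    """Parse the record back into the fields the handshake slide lists for ClientHello."""
    content_type, _rec_version, rec_len = struct.unpack(">BHH", record[:5])
    if content_type != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    p = 4
    version, = struct.unpack(">H", hs[p:p + 2]); p += 2
    rnd = hs[p:p + 32]; p += 32
    sid_len = hs[p]; p += 1
    sid = hs[p:p + sid_len]; p += sid_len
    cs_len, = struct.unpack(">H", hs[p:p + 2]); p += 2
    suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    cm_len = hs[p]; p += 1
    comp = hs[p:p + cm_len]
    return {"version": version, "random": rnd, "session_id": sid,
            "cipher_suites": suites, "compression": comp}

def is_well_formed(record):
    """True if the record parses; truncated or mislabelled records are rejected."""
    try:
        parse_client_hello(record)
        return True
    except (ValueError, struct.error, IndexError):
        return False

def server_select(offered, server_preference):
    """The ServerHello choice with the server's order honoured: first suite in the server
    list that the client offered, or None (handshake_failure) if there is no overlap."""
    for suite in server_preference:
        if suite in offered:
            return suite
    return None

if __name__ == "__main__":
    hello = build_client_hello([0x0005, 0x002F, 0xC02F, 0xC030])
    fields = parse_client_hello(hello)
    print("client offers :", [SUITES.get(s, hex(s)) for s in fields["cipher_suites"]])
    chosen = server_select(fields["cipher_suites"], [0xC030, 0xC02F, 0xC014, 0x002F])
    print("server selects:", SUITES[chosen])
```

Without the server-preference rule the client's first suite (RC4 here) would win, which is exactly why the Apache/Nginx configs later in the deck turn SSLHonorCipherOrder / ssl_prefer_server_ciphers on.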

Key Exchange - RSA: Integer Prime Factorization Problem

´ Ron Rivest, Adi Shamir and Leonard Adleman in 1977
´ Good for signing and encryption
´ Bad for key exchange: the client encrypts the premaster secret to the server's long-term key, so whoever obtains that key later can decrypt every recorded session (no forward secrecy)
´ Key pair is computed in advance and reused for a long time
´ Patent expired in 2000


Key Exchange – DH & DHE: Discrete Logarithm Problem (in Zp*)

DH: one side picks a secret a and sends A = α^a mod p, the other picks b and sends B = α^b mod p; both compute the same secret B^a = A^b = α^(ab) mod p.

Even though α, p, A and B are known to the adversary, calculating a = log_α A (mod p) is practically impossible when p is a large prime.

´ Whitfield Diffie and Martin Hellman in 1976
´ No long-term private key involved in the exchange itself (the server still signs its DH values with its certificate key so the client knows who it is talking to)
´ DHE provides Perfect Forward Secrecy
´ No secret key is exchanged: the secret is derived independently on both sides

DH - Ephemeral (DHE): a fresh exponent for every session, discarded afterwards.

How strong is TLS?

(Slide tables, not reproduced in the transcript: key sizes of the symmetric algorithms, and a security-level comparison of symmetric vs asymmetric algorithms.)

Elliptic Curve Cryptography - ECC

´ Discovered in 1985 by Victor Miller (IBM) and Neal Koblitz (University of Washington)
´ Some implementations are patented by Certicom
´ Low computing power requirements
´ Reduced key length for the same security level (a 256-bit curve is rated like 3072-bit RSA) and hence fast
´ Use only standard NIST curves

Elliptic Curve Discrete Logarithm Problem

Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k, if k is sufficiently large. k is the discrete logarithm of Q to the base P.

On an EC, scalar multiplication is a one-way function.

(Slide figures: Q = kP for a point P; point addition P3 = P1 + P2, where the line through P1 and P2 meets the curve in a third point, -(P1 + P2), which is reflected to give P3.)

Eg: In the elliptic curve group defined by y^2 = x^3 + 9x + 17 over F23, what is the discrete logarithm a of Q = (4,5) to the base P = (16,5)?

One (naive) way to find a is to compute multiples of P until Q is found. The first few multiples of P are:

P = (16,5)  2P = (20,20)  3P = (14,14)  4P = (19,20)  5P = (13,10)  6P = (7,3)  7P = (8,7)  8P = (12,17)  9P = (4,5)

Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is a = 9.

In a real application, a would be large enough that it would be infeasible to determine a in this manner.
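The worked example above, carried out in code as an added example (not from the original talk): point addition and doubling over F_23 with the chord-and-tangent formulas, double-and-add scalar multiplication for Q = kP, and the naive walk P, 2P, 3P, ... that finds a = 9. The curve, P and Q are the slide's; the function names are the example's own.

```python
# Curve y^2 = x^3 + A x + B over F_23, as on the slide.
A, B, P_MOD = 9, 17, 23
INF = None   # point at infinity: the group identity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """Chord-and-tangent addition: the slide's P3 = P1 + P2, with doubling as the tangent case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                               # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD         # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD                           # reflect the third point
    return (x3, y3)

def scalar_mult(k, pt):
    """Double-and-add: computing Q = kP is cheap (log k steps), which is the easy direction."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def naive_dlog(p, q, limit=None):
    """Brute-force ECDLP as on the slide: step through P, 2P, 3P, ... until Q appears.
    The default limit is the Hasse bound on the group order, so the loop always ends."""
    if limit is None:
        limit = P_MOD + 1 + 2 * int(P_MOD ** 0.5) + 1
    cur = p
    for k in range(1, limit + 1):
        if cur == q:
            return k
        cur = ec_add(cur, p)
    return None

if __name__ == "__main__":
    P0, Q0 = (16, 5), (4, 5)
    for k in range(1, 10):
        print(f"{k}P = {scalar_mult(k, P0)}")
    print("discrete log of Q to the base P:", naive_dlog(P0, Q0))
```

On a 256-bit curve the same naive walk would need about 2^256 additions; the best generic attacks (Pollard rho) still need about 2^128, which is where the "256-bit EC ~ 128-bit symmetric" rating on the comparison slide comes from.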

Dissecting a certificate

Fetch the chain a server presents:
openssl s_client -showcerts -connect www.google.com:443 < /dev/null

Fetch and dump the issuer's revocation list:
curl -s http://pki.google.com/GIAG2.crl | openssl crl -inform DER -text -noout -in /dev/stdin

Check that a private key belongs to a certificate (the two moduli must be identical):
openssl rsa -noout -in domain.key -modulus  ( == )  openssl x509 -noout -in domain.cer -modulus

Cipher is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, read field by field:

1. TLS: the protocol family (others: SSL)
2. ECDHE: session key exchange algorithm (others: RSA, DH, DHE)
3. RSA: authentication, i.e. the key type of the certificate (others: DSS, ECDSA)
4. AES_256: symmetric algorithm used to encrypt the actual data (others: RC4, 3DES, CAMELLIA, ARIA, DES40)
5. CBC: mode in which the symmetric algorithm operates (others: CCM, GCM)
6. SHA: hash used for the record MAC and, in TLS 1.2, for the PRF (others: MD5, SHA256, SHA384)

openssl s_client -showcerts -connect qualys.com:443
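A small checker for the naming scheme just described, added here as an example (not from the original talk): it splits an IANA suite name into the six fields and flags the properties the rest of the deck cares about (forward secrecy, AEAD vs CBC, RC4/3DES/MD5). The classification tables are the example's own and cover the common TLS 1.2 suite names plus the TLS 1.3 form, which carries no key-exchange or authentication tokens.

```python
MODES = {"CBC", "GCM", "CCM", "POLY1305"}           # token that names the mode of operation
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
WEAK_CIPHERS = {"RC4", "3DES", "DES", "DES40", "NULL", "IDEA", "SEED"}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}                # fresh key agreement per session

def parse_suite(name):
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA into the fields numbered on the slide."""
    parts = name.split("_")
    proto = parts[0]
    if "WITH" in parts:
        i = parts.index("WITH")
        kx_auth = parts[1:i]
        body = parts[i + 1:]
        kx = kx_auth[0]
        auth = kx_auth[1] if len(kx_auth) > 1 else kx_auth[0]   # TLS_RSA_WITH_...: RSA does both
    else:
        # TLS 1.3 style (TLS_AES_128_GCM_SHA256): key exchange and signature are negotiated
        # by extensions, not named in the suite.
        body = parts[1:]
        kx = auth = None
    mac = body[-1]
    cipher_tokens = body[:-1]
    mode = cipher_tokens[-1] if cipher_tokens and cipher_tokens[-1] in MODES else None
    if mode:
        cipher_tokens = cipher_tokens[:-1]
    return {"protocol": proto, "kx": kx, "auth": auth,
            "cipher": "_".join(cipher_tokens), "mode": mode, "mac": mac}

def assess(name):
    """Properties a practitioner checks before allowing a suite."""
    f = parse_suite(name)
    issues = []
    if f["kx"] in ("RSA", "DH", "ECDH") and f["auth"] != "anon":
        issues.append("no forward secrecy (static key exchange)")
    if f["auth"] == "anon":
        issues.append("anonymous: no server authentication")
    if f["cipher"].split("_")[0] in WEAK_CIPHERS:
        issues.append("weak cipher " + f["cipher"])
    if f["mode"] == "CBC":
        issues.append("CBC mode (BEAST/Lucky13/POODLE class)")
    if f["mac"] == "MD5":
        issues.append("MD5 MAC")
    return {"suite": name, "fields": f,
            "forward_secrecy": f["kx"] is None or f["kx"] in FORWARD_SECRET_KX,
            "aead": f["mode"] in AEAD_MODES,
            "issues": issues}

if __name__ == "__main__":
    for s in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
              "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"):
        r = assess(s)
        print(s, "| PFS:", r["forward_secrecy"], "| AEAD:", r["aead"], "|", r["issues"] or "ok")
```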

PFS (Perfect Forward Secrecy)

´ A property of secure communication protocols: a protocol has forward secrecy if compromise of the long-term keys (the server's private key) does not compromise past session keys.
´ Defends recorded traffic against passive cryptanalysis: an attacker who captured sessions earlier and obtains the private key later still cannot decrypt them.
´ Provided by DHE (Diffie-Hellman Ephemeral) and ECDHE key exchange; RSA key transport does not provide it.
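The DH exchange from the key-exchange slide and the forward-secrecy property above, in one added example (not from the original talk). It runs a toy Diffie-Hellman handshake, then replays an eavesdropper's recordings against a server key that "leaks" later: with a static server exponent every past session key is recomputed, with a fresh exponent per session (DHE) none is. The group parameters are an assumption chosen so that the discrete-log step can actually be brute-forced in the demo; real TLS uses 2048-bit or larger groups (RFC 7919) or elliptic curves.

```python
import hashlib
import random

# Toy group (assumption): p is prime and 5 generates the whole group mod p, but p is small
# enough that the adversary's discrete log below finishes in well under a second.
P = 1000000007
G = 5

def dh_keypair(p=P, g=G):
    """Private exponent a and public value A = g^a mod p."""
    a = random.randrange(2, p - 1)
    return a, pow(g, a, p)

def dh_shared(priv, peer_pub, p=P):
    """B^a mod p == A^b mod p == g^(ab): derived on both sides, never transmitted."""
    return pow(peer_pub, priv, p)

def session_key(shared):
    return hashlib.sha256(str(shared).encode()).hexdigest()

def brute_force_dlog(g, A, p, limit=1 << 20):
    """Recover a from A = g^a mod p by trying exponents in order: the adversary's only route
    in a toy group, and hopeless once p has 2048 bits."""
    cur = 1
    for a in range(limit):
        if cur == A:
            return a
        cur = cur * g % p
    return None

def run_session(server_static=None):
    """One key exchange. With server_static=(b, B) the server reuses a long-term DH key
    (plain DH); without it the server draws a fresh exponent for this session (DHE)."""
    a, A = dh_keypair()
    b, B = server_static if server_static is not None else dh_keypair()
    assert dh_shared(a, B) == dh_shared(b, A)
    # What a passive eavesdropper records: the two public values (the key is kept for checking).
    return {"A": A, "B": B, "key": session_key(dh_shared(a, B))}

def recover_past_keys(transcripts, leaked_server_priv):
    """Forward-secrecy test: the server's exponent leaks after the fact. Can each recorded
    session key be recomputed from the captured A? True for static DH, False for DHE."""
    return [session_key(pow(t["A"], leaked_server_priv, P)) == t["key"] for t in transcripts]

if __name__ == "__main__":
    static = dh_keypair()
    dh_sessions = [run_session(static) for _ in range(3)]
    dhe_sessions = [run_session() for _ in range(3)]
    print("static DH, server key leaked later:", recover_past_keys(dh_sessions, static[0]))
    print("DHE, same leak                    :", recover_past_keys(dhe_sessions, static[0]))
    print("dlog of g^4242 in the toy group   :", brute_force_dlog(G, pow(G, 4242, P), P))
```

RSA key transport behaves like the static-DH case: the premaster secret is encrypted to one long-term key, so a later key compromise (or a Heartbleed-style key leak) opens every recording made before it.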

Signature

´ A hash of the data, signed (RSA-encrypted) with the private key
´ Verified using the public key
´ Satisfies integrity and non-repudiation
´ Hashing algorithms: MD5, SHA-{1,256,384}, SHA-3 (Keccak)
´ Collision: two different inputs with the same hash let an attacker move a signature to a document of their choosing; practical MD5 collisions are why MD5 is banned in certificate signatures, and SHA-1 is being retired for the same reason.

Chain of trust (the slide's four-certificate diagram, listed from the root down)

Root (Equifax), self-signed and shipped with the browser:
  Root's DN (Equifax) | Validity, Version etc. | Root's PubK (Equifax) | Signature: HASH signed with Root's PrivK

Intermediate CA (GeoTrust):
  Subj's DN (GeoTrust) | Issuer's DN (Equifax, CA) | Validity, Version etc. | Subj's PubK (GeoTrust) | Signature: HASH signed with Equifax's PrivK

Intermediate CA (GIA):
  Subj's DN (GIA) | Issuer's DN (GeoTrust, CA) | Validity, Version etc. | Subj's PubK (GIA) | Signature: HASH signed with GeoTrust's PrivK

Leaf (google.com):
  Subj's DN (google.com) | Issuer's DN (GIA, CA) | Validity, Version etc. | Subj's PubK (google.com) | Signature: HASH signed with GIA's PrivK

The browser checks each signature with the public key of the certificate one level up, until it reaches a root it already trusts. The leaf's public key is the one used to securely transport the PMS (premaster secret) when the cipher suite uses RSA key exchange.

Checking the leaf signature by hand. The issuer's modulus from openssl x509 -text ends with:

11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:72:69

Join the colon-separated hex of the signature (val_s) and of the issuer's modulus (val_p) into single strings:

exponentof:~ > cat val_s | tr '\n' ' ' | sed 's/://g' | sed 's/ //g'
exponentof:~ > cat val_p | tr '\n' ' ' | sed 's/://g' | sed 's/ //g'

Then "decrypt" the signature with the issuer's public key, which is just a modular exponentiation:

>>> print "%x" % pow( signature, exponent, modulus )

exponentof:~ > python
Python 2.7.6 (default, Sep 9 2014, 15:04:36)
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> s = 0x2524813aac6d551f5a4251e4c358a3195b8c99a7959ebbfa0dc5192be3b5cb6f876ca119e9cf389764d2709a539227f55ce4704aae7483a3849a607494b298fec86593fe58c1ffbc5be8759a84f0e135c423c012a46ee1cca7e428097baa17efd4ad5987a70fc74cc798992125d70af6e4adf755f3c73409bef156339db2c2511db021f24f3349ae1cbca1e32f69ef04a98abcbbddb76fa82f3033fbc3c81941d347bfc4362fb068e947770bb7b614c5e71206c4969898c25609e595f99762fff5aef1ca1e836e9c5c4b574e081df61d62a606cf126791e26cb6aa361a55d1bf672a5c896622a91ca5988488cadbce504c5059c7741f29534a315d5de52f8bc8
>>> p = 0x009c2a04775cd850913a06a382e0d85048bc893ff119701a88467ee08fc5f189ce21ee5afe610db7324489a0740b534f55a4ce826295eeeb595fc6e1058012c45e943fbc5b4838f453f724e6fb91e915c4cff4530df44afc9f54de7dbea06b6f87c0d0501f28300340da0873516c7fff3a3ca737068ebd4b1104eb7d24dee6f9fc3171fb94d560f32e4aaf42d2cbeac46a1ab2cc53dd154b8b1fc819611fcd9da83e632b8435696584c819c54622f85395bee3804a10c62aecba972011c739991004a0f0617a95258c4e5275e2b6ed08ca14fcce226ab34ecf46039797037ec0b1de7baf4533cfba3e71b7def42525c20d35899d9dfb0e1179891e37c5af8e7269
>>> print "%x" % pow( s, 65537, p )
1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d06096086480165030402010500042088a87cce9efc117b780401bccfaf115c94f1bdd578fb0f3adc9501061422018e
>>> exit()
exponentof:~ >

The result is the PKCS#1 v1.5 encoding 00 01 FF..FF 00 || DigestInfo (the leading 00 byte is dropped by %x). 3031300d060960864801650304020105000420 is the DER prefix that names SHA-256, and the final 32 bytes are the SHA-256 of the signed part of the certificate, the tbsCertificate. That part is cut out of the DER file to hash it and compare:

exponentof:~ > dd if=Google.crt of=Google.tbsCertificate skip=4 bs=1 count=876

exponentof:~ > openssl asn1parse -inform der -in www.google.com.der | head -10
    0:d=0  hl=4 l=1152 cons: SEQUENCE
    4:d=1  hl=4 l= 872 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   8 prim: INTEGER           :3DD4FA1A02DDF51A
   23:d=2  hl=2 l=  13 cons: SEQUENCE
   25:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   36:d=3  hl=2 l=   0 prim: NULL
   38:d=2  hl=2 l=  73 cons: SEQUENCE
   40:d=3  hl=2 l=  11 cons: SET
exponentof:~ >

4+872=876: the tbsCertificate starts at offset 4 (right after the outer SEQUENCE header) and consists of its own 4-byte header plus 872 content bytes, hence skip=4 and count=876.
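The same check in code, as an added example (not from the original talk): a throwaway RSA key is generated, a message is signed with PKCS#1 v1.5 over SHA-256, and the signature is "decrypted" with pow(s, e, n) and taken apart exactly as the slide does by hand (00 01 FF..FF 00, the SHA-256 DigestInfo prefix, the hash). The key size, Miller-Rabin helper and the sample message are the example's own; the DigestInfo prefix is the standard one shown on the slide.

```python
import hashlib
import random

E = 65537
# DER DigestInfo prefix for SHA-256: the 3031300d060960864801650304020105000420 seen on the slide.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for a demo key, not for production key generation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (3 << (bits - 2)) | 1   # top two bits set so n has full length
        if (c - 1) % E != 0 and is_probable_prime(c):         # keeps e invertible mod (p-1)(q-1)
            return c

def gen_key(bits=512):
    """Returns (n, d). 512 bits is the smallest modulus that fits a SHA-256 DigestInfo plus padding."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def emsa_pkcs1_v15(message, k):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(message), exactly k bytes (RFC 8017 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n)

def recover_em(signature, n, e=E):
    """The slide's pow(s, 65537, p), with the leading 00 byte that %x drops kept."""
    k = (n.bit_length() + 7) // 8
    return pow(signature, e, n).to_bytes(k, "big")

def verify(message, signature, n, e=E):
    """Compare the whole recovered EM with a freshly built one, never just its tail:
    checking only the trailing hash is the Bleichenbacher 2006 forgery bug for e = 3 keys."""
    k = (n.bit_length() + 7) // 8
    return recover_em(signature, n, e) == emsa_pkcs1_v15(message, k)

def dissect(signature, n, e=E):
    """(padding_ok, digestinfo_is_sha256, hash_hex), the three things read off by hand on the slide."""
    em = recover_em(signature, n, e)
    sep = em.find(b"\x00", 2)
    padding_ok = em[:2] == b"\x00\x01" and sep >= 10 and set(em[2:sep]) == {0xff}
    t = em[sep + 1:] if sep > 0 else b""
    return padding_ok, t.startswith(SHA256_DIGESTINFO), t[len(SHA256_DIGESTINFO):].hex()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    n, d = gen_key()
    tbs = b"constructed tbsCertificate bytes"          # stands in for the dd-extracted tbsCertificate
    s = sign(tbs, n, d)
    print("recovered EM:", recover_em(s, n).hex())
    print("padding ok / SHA-256 DigestInfo / hash matches:", dissect(s, n)[:2], dissect(s, n)[2] == sha256_hex(tbs))
```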

Threats

´ Crypto vulnerabilities: BEAST, CRIME, Lucky13, Heartbleed, POODLE, DROWN, CacheBleed
´ Wrong implementation: never write your own crypto, use libraries.
´ Lawful Intercept (LI): backdoors (RSA and ECC)
´ CA: private key compromise

Crypto Vulnerabilities

´ BEAST (CVE-2011-3389) and Lucky13 (CVE-2013-0169). These are CBC vulnerabilities: BEAST exploits the predictable, chained IVs of TLS 1.0/SSL 3.0 CBC records; Lucky13 is a timing side channel in the MAC-then-encrypt padding check of CBC suites.

Fix:

BEAST impacts TLS 1.0/SSL 3.0 but does not work against TLS 1.1 and 1.2, which use an explicit random IV per record. Lucky13 is an implementation issue that affects CBC suites in every TLS version and is fixed by constant-time padding checks in the library. So use TLS 1.2 with AES-GCM suites. At the time of the talk GCM was new and getting every security system (both server and client side) upgraded was an arduous job;

so the usual workaround was RC4, a stream cipher and hence faster and free of CBC/IV problems. The bad news is that RC4 has its own security problems (keystream biases that leak plaintext across many connections) compared to block ciphers like AES, which were then considered less devastating than what CBC mode offered. That judgement has since been reversed: RC4 is prohibited in TLS by RFC 7465 (2015) and must not be offered any more. Today the answer is TLS 1.2 or later with AEAD suites only (AES-GCM, ChaCha20-Poly1305).

Apache (SSLv3 disabled as well; see POODLE below):
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

Nginx:
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;

Crypto Vulnerabilities

´ CRIME attack (CVE-2012-4929). A vulnerability exposed by TLS compression: the length of the compressed (then encrypted) record reveals how much attacker-controlled data matched the secret next to it, so site cookies can be recovered byte by byte through this side channel.

Fix:

Disable TLS compression. Most applications like Nginx and Apache have directives to disable compression.

Apache:
SSLCompression Off

Nginx (compression is controlled by the OpenSSL library; set in the environment before starting nginx):
export OPENSSL_NO_DEFAULT_ZLIB=1
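The compression side channel behind CRIME, as an added example that is not part of the original talk. The attacker controls a query string in a request the browser sends and can only see the compressed size; because the cookie header follows, a guess that extends the match against the secret compresses a few bits better. Sub-byte differences are hidden by byte rounding, so each guess is scored at eight filler lengths (each filler byte costs 9 bits under fixed Huffman coding), which slides the bit alignment and makes the saving visible in the sum. The request, cookie, filler trick and the use of Z_FIXED (pinning fixed Huffman codes so the demo is deterministic) are the example's assumptions; real TLS stacks may pick dynamic codes, which the original attack handled with retries.

```python
import string
import zlib

# Constructed secret the attacker wants (not from the deck).
SECRET_COOKIE = b"sessionid=7f3a9c"

def tls_compressed_length(attacker_part):
    """What the attacker observes on the wire: the size of the request after DEFLATE.
    Encryption preserves length, so the ciphertext leaks exactly this number."""
    request = (b"GET /?q=" + attacker_part + b" HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"Cookie: " + SECRET_COOKIE + b"\r\n\r\n")
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)   # Z_FIXED: deterministic demo
    return len(c.compress(request) + c.flush())

def score(guess):
    """Sum the oracle over filler lengths 0..7. Filler bytes >= 0x90 never repeat and cost
    9 bits each, so the totals cycle through every bit alignment and a 7-8 bit saving
    shows up as a strictly smaller sum."""
    return sum(tls_compressed_length(guess + bytes(range(0x90, 0x90 + k))) for k in range(8))

def recover_cookie_value(prefix=b"sessionid=",
                         alphabet=(string.ascii_lowercase + string.digits).encode(),
                         max_len=32):
    """Byte-at-a-time recovery: keep the candidate whose request compresses best."""
    known = b""
    for _ in range(max_len):
        scores = {bytes([ch]): score(prefix + known + bytes([ch])) for ch in alphabet}
        lo = min(scores.values())
        best = [ch for ch, sc in scores.items() if sc == lo]
        if len(best) != 1:
            break            # nothing stands out: end of the secret (or noise)
        known += best[0]
    return known

if __name__ == "__main__":
    print("wrong guess :", score(b"sessionid=a"), "bytes over 8 fillers")
    print("right guess :", score(b"sessionid=7"), "bytes over 8 fillers")
    print("recovered   :", recover_cookie_value())
```

With compression disabled every candidate request has the same size and the loop stops at the first byte, which is all SSLCompression Off has to achieve.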

Crypto Vulnerabilities

´ POODLE attack (CVE-2014-3566). Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC): SSL 3.0 does not verify the padding bytes, which gives the attacker a padding oracle.

The POODLE attack takes advantage of the protocol version negotiation (fallback) behaviour built into SSL/TLS clients to force the use of SSL 3.0 and then leverages this vulnerability to decrypt select content (such as cookies) within the SSL session.

Fix:

There is no fix for SSL 3.0 itself, as the issue is fundamental to the protocol; disabling SSL 3.0 support in system/application configurations is the most viable solution.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presented significant compatibility problems at the time. Therefore the recommended response was to also support TLS_FALLBACK_SCSV (RFC 7507).

TLS_FALLBACK_SCSV is a signalling cipher suite value a client adds when it retries a failed connection at a lower protocol version; a server that sees it while supporting a higher version rejects the handshake. This prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Crypto Vulnerabilities

´ Heartbleed attack (CVE-2014-0160). An implementation bug in OpenSSL, not a weakness of the protocol or of any cipher.

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When exploited it leaks memory contents from the server to the client and from the client to the server.

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory per heartbeat to a connected client or server, repeatedly and without leaving a trace in logs.

Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.

Fix:

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. Since private keys, session keys and user data may already have been read out of memory, patching is not enough: reissue certificates and keys, revoke the old ones and invalidate sessions.

Crypto Vulnerabilities

´ DROWN attack (CVE-2016-0800). Secure Sockets Layer (SSL) 2.0. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption: a server that still accepts SSLv2 with the same RSA key serves as a Bleichenbacher-style oracle, which lets the attacker decrypt TLS sessions to any server that shares that key.

Fix:

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.

Apache:
SSLProtocol All -SSLv2 -SSLv3

Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Crypto Vulnerabilities

´ CacheBleed (CVE-2016-0702). From the project page (https://ssrg.nicta.com.au/projects/TS/cachebleed/): "CacheBleed is a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors. By detecting cache-bank conflicts via minute timing variations, we are able to recover information about victim processes running on the same machine. Our attack is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures). This is despite the fact that OpenSSL's RSA implementation was carefully designed to be constant time in order to protect against cache-based (and other) side-channel attacks.

Attacks target OpenSSL's implementation of RSA (both RSA decryption as well as RSA signatures). Although we have not demonstrated this, in principle our attack should be able to leak partial information about ElGamal encryption as well."

Fix:

Fixed in OpenSSL 1.0.2g and 1.0.1s (March 2016). The attack needs attacker code on the same physical core (hyperthread) as the victim, so not co-scheduling untrusted tenants with key-handling processes also mitigates it.

Wrong Implementation

´ PGP database [Lenstra et al. 2012]: 2 factored RSA keys out of 700,000. Why?
´ Smartcards [2012 Chou (slides in Chinese)]: Taiwan Citizen Digital Certificate smartcard certificates, used for paying taxes etc.
´ Factored 103 (out of 2.26 million)
´ Mind your Ps & Qs - Nadia Heninger: keys generated from poor entropy share prime factors, and two moduli with a common prime are factored by a single gcd
´ High RNG entropy is difficult to achieve
´ Collect entropy more aggressively
´ Natural entropy sources for true randomness
´ True RNGs: hardware RNGs (SSL accelerator cards) = transducer (noise conversion) + amplifier + A-D converter; they seed faster cryptographic PRNGs
´ Intel's Ivy Bridge entropy source: each Ivy Bridge die contains one hardware RNG, shared by all the cores. The RNG begins with an entropy source (ES) whose behaviour is determined by unpredictable thermal noise.
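The gcd attack from "Mind your Ps and Qs", which is how the PGP and smartcard keys above were factored, as an added example that is not part of the original talk. The "public keys" are constructed from known primes, with two moduli sharing a prime the way a bad RNG produces them; the pairwise scan and the product-based batch version both find the shared prime, and one known prime gives away the private exponent. Key count, primes and function names are the example's own.

```python
from itertools import combinations
from math import gcd

# Constructed key set (not real keys). Keys 0 and 2 were "generated" by a device whose RNG
# handed out the same first prime twice, the failure mode behind the factored keys on the slide.
P_SHARED = 1000000007
MODULI = [
    P_SHARED * 1000000009,
    998244353 * 2147483647,
    P_SHARED * 2305843009213693951,
    524287 * 131071,
]
E = 65537

def pairwise_gcd(moduli):
    """The obvious n^2 scan: a gcd strictly between 1 and N is a prime factor of N."""
    found = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = gcd(a, b)
        if 1 < g < a:
            found.setdefault(i, g)
            found.setdefault(j, g)
    return found

def shared_factors(moduli):
    """Batch version (Heninger et al.): gcd(N_i, product of all other N_j) finds every shared
    prime with one product and n divisions, which is what scales to millions of keys."""
    total = 1
    for n in moduli:
        total *= n
    found = {}
    for i, n in enumerate(moduli):
        g = gcd(n, total // n)
        if 1 < g < n:            # g == n would mean both primes are shared elsewhere
            found[i] = g
    return found

def recover_private_exponent(n, p, e=E):
    """With one prime known the key is gone: q = n / p, d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    hits = shared_factors(MODULI)
    print("keys sharing a prime:", hits)
    for i, p in hits.items():
        n = MODULI[i]
        d = recover_private_exponent(n, p)
        print(f"key {i}: d recovered, round trip ok: {pow(pow(42, E, n), d, n) == 42}")
```

Neither step needs anything secret from the owners; the scan works on a crawl of public certificates, which is why a weak RNG on one device is a problem for everyone else using the same firmware.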

Bad RNGs & Keys

Bruce Schneier:

“I have no idea if the NSA convinced Intel to do this (reducing the entropy to enable easy cryptanalysis) with the hardware random number generator it embedded into its CPU chips, but I do know that it could. And I was always leery of Intel strongly pushing for applications to use the output of its hardware RNG directly and not putting it through some strong software PRNG like Fortuna. And now Theodore Ts'o writes this about Linux: "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction."”

Linux PRNGs, /dev/random and /dev/urandom

https://www.random.org/

Wrong Implementation

Coders, never implement your own crypto!

LI (Lawful Intercept)

☛ PIPA (Protect IP Act) May '11, SOPA (Stop Online Piracy Act) Oct '11
☛ What about Edward Snowden & PRISM?
☛ All major players like Google, Facebook, Yahoo, Twitter etc.
☛ Lavabit and Silent Mail?

CA Threats

Recent incidents (in the last 4 years):

´ Comodo - hacker issued bad certs
´ DigiNotar - hacker issued bad certs for MITM
´ Trustwave - issued a sub-CA to a customer for MITM
´ TURKTRUST - issued a sub-CA by mistake, used for MITM
´ Man-in-the-middle and CA private key compromises show up as a change in the certificate a client is presented with
´ This requires systems that detect a change in the certificate during the SSL handshake.

Solutions and Experiments

´ HPKP (HTTP Public Key Pinning) http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04

An extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time. (Published as RFC 7469 in 2015; browsers have since dropped support, because a mistaken or hijacked pin locks the operator's own users out, and rely on Certificate Transparency instead.)

´ TACK (Trust Assertions for Certificate Keys) http://tack.io/draft.html

Server sends its "tack" through a TLS extension.

Client pins to a server-chosen signing key, known as a "TACK signing key" or "TSK", which signs the server's TLS keys.

Once the client has seen the same (hostname, TSK) pair multiple times, it will "activate" a pin between the hostname and TSK for a period equal to the length of time the pair has been observed for.

Certificate Pinning

´ Convergence.io et al.
ü An agile, distributed, and secure strategy for replacing Certificate Authorities
ü Firefox add-on; once activated, replaces the entire CA infrastructure
ü User initiated
ü No more self-signed certificate warnings
ü Privacy with bounce notaries

Replacing CA

However, it is up to you too...

ü Watch yourself in the cyber mirror
ü Be careful while you show up and show off in the social networking spree.
ü Investigate the exposure
ü Surprises from unverified sources (lottery, dead bank account, job offers etc.)
ü Electronic Frontier Foundation (https://www.eff.org)

“Only the paranoid survive” - Andrew S. Grove, ex-CEO Intel.