1 / 66

The Security of SSL

The Security of SSL. Itsik Mantin F5 ASM Team April 2014. Outline. Crypto Background SSL/TLS Attacks on SSL. https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf. Outline. Crypto Background SSL/TLS Attacks on SSL. Cryptography Functions. Encryption. c=E K (m )

azuka
Télécharger la présentation

The Security of SSL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Security of SSL Itsik Mantin F5 ASM Team April 2014

  2. Outline • Crypto Background • SSL/TLS • Attacks on SSL

  3. https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdfhttps://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf

  4. Outline • Crypto Background • SSL/TLS • Attacks on SSL

  5. Cryptography Functions Encryption c=EK(m) ciphertext DK(c) = m Enc Dec m plaintext EK encryption key DK decryption key Eavesdropping Adversary Authentication m, s Signed message Check(m, s)True/False Sign Ver m Plaintext Tampering Adversary SK Signature key VK Verification key

  6. Symmetric vs. Asymmetric Cryptography ≠ Asymmetric Symmetric Encryption Key = Decryption Key Signature Key = Verification Key ≠ Encryption Authentication Symmetric Asymmetric

  7. Encryption Authentication Symmetric Asymmetric

  8. Block Ciphers and Stream Ciphers Block Ciphers Stream Ciphers Key Expansion Key Expansion IV [16] Key [16] Key [16] Data In [16] Key [16] Data In [] Round Key [16] Key Expansion Key Expansion Diffusion Data Out [16] State [16] State [16] State [16] Key Stream[] Data Out []

  9. Block Cipher • Divide input bit stream into n-bit sections, encrypt only that section • In a good block cipher, each output bit is a function of all n input bits and all k key bits

  10. Using Block/Stream Ciphers

  11. Encryption Mode (ECB) • Electronic Code Book (ECB) mode for block ciphers of a long digital sequence

  12. ECB Leak

  13. Encryption Mode (CBC) • Cipher Block Chaining (CBC) mode for block ciphers • Identical Plaintext prefix  Identical Ciphertext prefix

  14. SSL Ciphers

  15. Conventional Attack Models Plaintext Ciphertext Ciphertext Plaintext

  16. Crytptanalysis Rule #1 (ALMOST) ANY LEAK OFSECRET INFO CAN BEAGGREGATED INTO ANEFFECTIVE ATTACK

  17. Asymmetric Key Cryptography

  18. Network Public Key Cryptosystem PublicKey SecretKey Cipher Text Cipher Text Plain Text Plain Text D E

  19. Certificate an entity’s description (name, type, etc.) + entity’s public key + expiration date, serial number, etc. + CA’s name + a signature issued by a CA

  20. Certificates • Only Trusted Certificate Authorities (CAs) are ”allowed” to create/modify certificates • Certificates allows: • Clients to authenticate servers • Servers to authenticate clients (when used) • Key exchange without Public Key Server • Chain-of-trust • Certificate Revocation List

  21. Security Rule #1 THE CHAIN IS AS STRONGAS ITS WEAKEST LINK

  22. Outline • Crypto Background • SSL/TLS • Attacks on SSL

  23. What is SSL?

  24. SSL and TLS

  25. SSL Objectives

  26. Man-in-the-Middle ACTIVE SSL Client SSL Server DNSPoisoning alice.wonder@gmail.com Alice123! alice.wonder@gmail.com Alice123! Browser Web Application

  27. SSL HowStuffWorks (file transfer)

  28. SSL Certificates

  29. Server Identification Security Algorithms • Authenticator

  30. Record Protocol Security Algorithms • Authenticator

  31. Outline • Crypto Background • SSL/TLS • Attacks on SSL

  32. Hash Collision Attack - Background

  33. CertificateAuthority (CA) Hash Collision Attack CERTA • Build site certificate CERTA and CA certificate CERTB with same hash • Ask CA to sign CERTA • And thus get signature on CERTB CERTA NEVER USE MD5!!!!! Sig CERTCA CERTA CERTB CERTCA CERTCA CERTGOOGLE CERTB CERTGOOGLE, CERTB Hello Google!!! • Verify CERTCA • Verify CERTB • Verify B is a CA • Verify CERTGOOGLE • Trust connection

  34. “Validating SSL Certificates in Non-Browser Software”or Host Verification Attack CERTDEVIL CERTDEVIL CERTDEVIL USE HOST NAME VERIFICATION!!!!! Sig CERTDEVIL HOST=GOOGLE, CERTDEVIL Hello Google!!! • Verify CERTDEVIL • NEVER COMPARE HOST TO CERT

  35. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software (Boneh et-al) • Faulty authenticators (not browsers) • OpenSSL: Hostname verification must be managed by the application itself, or by data-transport wrapper (ex. cURL) • “The primary cause of these vulnerabilities is the developers’ misunderstanding of the numerous options, parameters, and return values of SSL libraries.” • Paper shows applications that depend on standard SSL libraries such as JSSE, OpenSSL, GnuTLS, etc. often accomplish SSL Certificate Validation incorrectly or not at all. • See http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

  36. SSL Security Black-box Assumption

  37. Recent SSL Attacks

  38. HSR Model Plaintext Plaintext is a combination of secret info and known info (under same key) (Header + Secret + Random) Ciphertext Ciphertext Plaintext NO ALGORITHM GUARANTEES ANY SECURITY IN THE HSR MODEL

  39. HSR Attack The Secret Random (unknown) Chosen/Known S*[0]=x if C*==CXRequires:* SAME KEY* SAME SECRET S** HSR H* S* R C* H0 S* R0 C0 H1 S* R1 C1 H2 S* R2 C2 H255 S* R255 C255 16 bytes 1 byte

  40. Padding Oracle Attack • Oracle “tells” the attacker whether or not a plaintext is properly structured (usually padded) • FACT: NO ALGORITHM GUARANTEES ANY SECURITY IN THE PADDING ORACLE MODEL Target Ciphertext Dummy Ciphertext OK/NOK Dummy Ciphertext OK/NOK Dummy Ciphertext OK/NOK

  41. The Attack Setup HttpOnly Application Server User (1) Login (2) Session Cookie (3) Request DNS Poisoning, or open (malicious) Wifi Cross-Site Scripting (XSS) Non-https Response

  42. BEAST (Browser Exploit Against SSL/TLS)

  43. BEAST Countermeasures

  44. CRIME (Compression Ratio Info-leak Made Easy)

  45. CRIME (Compression Ratio Info-leak Made Easy)

  46. TIME (Time Info-leak Made Easy)

  47. TIME (Time Info-leak Made Easy)

  48. Server-Side Countermeasures

More Related