Assignments

- Choice of topic: before Thursday, November 26th, 23:59 (today).
- Assignment of topic: Friday, November 27th.
- Deadline of first assignment: Sunday, December 13th, 23:59.

The deadlines are strict!

Attacks on SSL/TLS
Applied Cryptography, Lecture 6
Ruben Niederhagen
Department of Mathematics and Computer Science
Nov. 26th, 2015

Timeline of attacks on SSL/TLS

[Figure: timeline from 2010 to 2016 with the Padding Oracle attack (2002) marked to the left of it. Attacks placed on the timeline: SSLstrip, BEAST, CRIME, Lucky 13, BREACH, Royal Holloway, FREAK, Bar-mitzvah, Heartbleed, POODLE, Logjam, NOMORE RC4.]

SSLstrip Attack (2009)

- Eve wants to read the traffic between Alice and Bob’s webserver.
- Problem: Bob offers http via TLS.
- Solution: Make sure Alice uses an unencrypted connection.

People usually start SSL connections in two different ways:

- Click on links that happen to be https.
- Through HTTP 302 redirects. (Try to enter http://www.google.nl/ in your web browser.)

Idea: Parse web traffic and strip the “s” from all links to https. https → http

SSLstrip Attack (2009), continued

- Watch HTTP traffic go by.
- Switch requests for https://... to http://... and remember what has changed.
- If we see an HTTP request for a URL that we had stripped, proxy that as HTTPS.
- Watch the HTTPS traffic go by; remember relative links, CSS links, JavaScript, ...
- The server does not notice any difference.
- No warning message is displayed to the client; the user needs to look out for the https marks explicitly (and know about them).
- Eve sees all the traffic.

SSLstrip Attack (2009): countermeasures

Countermeasure: HTTP Strict Transport Security (HSTS).

- Inform the browser to always use SSL/TLS to the site.
- This information is stored by the browser for all future connections.
- Can also be stripped by an attacker; only works if the first connection was not intercepted.
- Some browsers are shipped with a static HSTS list for some sites.

Best countermeasure: Carefully check that the site is encrypted when handling sensitive information!

BEAST Attack (2011)

Recall the CBC mode of operation:

[Figure: Cipher Block Chaining (CBC) mode encryption. Each plaintext block is XORed with the previous ciphertext block (the Initialization Vector (IV) for the first block) and then passed through the block cipher encryption under the key to give the ciphertext block.]

BEAST Attack (2011), continued

[Figure: CBC encryption of Plaintext 0, Plaintext 1, Plaintext 2 under the IV, giving Ciphertext 0, Ciphertext 1, Ciphertext 2. Ciphertext 2, the last block, becomes the IV for the next block. The attacker takes a guessed Plaintext 1, XORs it with Ciphertext 0 and Ciphertext 2, and has the result sent as the next plaintext block. The block cipher then encrypts (guessed Plaintext 1 ⊕ Ciphertext 0), so the resulting Ciphertext 3 equals Ciphertext 1 exactly when the guess was correct.]

BEAST Attack (2011): Browser Exploit Against SSL/TLS

- The attacker must be able to force the client to send deliberate data.
- There have been proof-of-concepts using cross-site scripting for stealing session cookies (byte by byte).
- Do we need to worry about information leaking when the attacker can modify or inject data on the client side?

Countermeasures:

- For TLS 1.0: send an empty packet ahead of each packet.
- TLS 1.1 and newer are not affected by this attack because each packet has a new IV that is sent in plain text.
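The following Go program is an added example, not code from the lecture: it simulates the blockwise test from the slides with AES-CBC on a constructed key, IV and record, and shows that the attacker's comparison works only when the next record's IV is the previous ciphertext block (TLS 1.0), not with a fresh per-record IV (TLS 1.1 and newer).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo values; not from the lecture. The record holds two blocks, P1 || P2.
var (
	beastKey     = []byte("sixteen byte key")
	beastIV      = []byte("initial vector!!")                 // C0
	secretRecord = []byte("Cookie: secret=7xc89f+94/wa; v=1") // 32 bytes
)

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// cbcEncrypt encrypts whole blocks in CBC mode under the given IV.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// beastProbe is the blockwise test from the slide: the attacker knows the previous
// record's blocks c0 (IV), c1 and c2, guesses plaintext block 1, and makes the client
// send guess XOR c0 XOR c2 as the next block.
//   chainIV=true  (TLS 1.0): the next IV is c2, so the block cipher sees guess XOR c0,
//                 and the new ciphertext block equals c1 exactly when guess == P1.
//   chainIV=false (TLS 1.1+): the record gets a fresh random IV that the attacker could
//                 not know when choosing the block, so the comparison carries no information.
func beastProbe(key, c0, c1, c2, guess []byte, chainIV bool) bool {
	probe := xorBlocks(xorBlocks(guess, c0), c2)
	iv := c2
	if !chainIV {
		iv = make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
	}
	return bytes.Equal(cbcEncrypt(key, iv, probe), c1)
}

// beastDemo encrypts the secret record and runs three probes. It returns
// (correct guess with chained IV, wrong guess with chained IV, correct guess with random IV).
func beastDemo() (bool, bool, bool) {
	ct := cbcEncrypt(beastKey, beastIV, secretRecord)
	c1, c2 := ct[:aes.BlockSize], ct[aes.BlockSize:]
	right := secretRecord[:aes.BlockSize] // "Cookie: secret=7"
	wrong := []byte("Cookie: secret=0")
	return beastProbe(beastKey, beastIV, c1, c2, right, true),
		beastProbe(beastKey, beastIV, c1, c2, wrong, true),
		beastProbe(beastKey, beastIV, c1, c2, right, false)
}

func main() {
	hit, miss, explicitIV := beastDemo()
	fmt.Println("TLS 1.0 chained IV, correct guess:  ", hit)
	fmt.Println("TLS 1.0 chained IV, wrong guess:    ", miss)
	fmt.Println("TLS 1.1 explicit IV, correct guess: ", explicitIV)
}
```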

CRIME (2012) and BREACH (2013) Attacks

CRIME: Compression Ratio Info-leak Made Easy

- Some parts of the plaintext are VERY predictable.
- Session cookies can be found on well-defined spots:

    GET index.html HTTP/1.1
    Host: thebankserver.com
    (...)
    Cookie: secret=7xc89f+94/wa
    (...)

- Try to send data from the client in the TLS context and see how this affects the ciphertext; “guess” the session cookie character by character.

CRIME attack: exploit SSL/TLS compression

- Iteratively increase the guessed secret value (secret=0XXX, 1XXX, ..., 7XXX, then secret=70XX, and so on):

    GET index.html HTTP/1.1
    Host: thebankserver.com
    (...)
    Cookie: secret=7xc89f+94/wa
    (...)
    Cookie: secret=0XXX

- E.g., with DEFLATE compression, the second occurrence of “secret=” is encoded as a back reference.
- Once the correct 1st digit has been reached, the compressed plaintext and thus the ciphertext will be shorter.
- Continue with the next digit.

Countermeasures for the CRIME attack:

- Disable TLS compression (on client or server).
- Prevent the attacker from sending data in the user context (prevent cross-site request forgery).
- There will be no compression in TLS 1.3.

BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

The same attack works on HTTP content when HTTP compression is used. It will still work with TLS 1.3!

Countermeasures for the BREACH attack:

- Disable HTTP compression (on client or server).
- Prevent the attacker from sending data in the user context (prevent cross-site request forgery).
- Disable HTTP compression on cross-site requests.
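Added example, not from the lecture: this Go program measures the DEFLATE-compressed size of a constructed request that contains the slide's cookie value plus an attacker-appended guess, once with compression enabled and once with it disabled (the countermeasure). It assumes the injected guess is appended as an extra line; the slides do not fix where the attacker-controlled data sits.

```go
package main

import (
	"bytes"
	"compress/flate"
	"fmt"
	"sort"
)

// The cookie value shown on the slide; the rest of the request is constructed.
const secretCookie = "7xc89f+94/wa"

// buildRequest returns the victim's request with an attacker-controlled line appended
// (in CRIME the attacker controls e.g. the request path; the extra line stands in for that).
func buildRequest(injected string) []byte {
	return []byte("GET /index.html HTTP/1.1\r\n" +
		"Host: thebankserver.com\r\n" +
		"Cookie: secret=" + secretCookie + "\r\n" +
		injected + "\r\n\r\n")
}

// compressedLen is what the attacker observes: up to the cipher's constant overhead,
// the TLS record length is the length of the compressed plaintext.
func compressedLen(data []byte, useCompression bool) int {
	if !useCompression {
		return len(data)
	}
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		panic(err)
	}
	w.Write(data)
	w.Close()
	return buf.Len()
}

// guessLengths tries every candidate for the next cookie byte after the already
// recovered prefix (as on the slide: "secret=" + known + candidate + "XXX") and
// records the observed record length per candidate.
func guessLengths(known, candidates string, useCompression bool) map[byte]int {
	res := make(map[byte]int)
	for i := 0; i < len(candidates); i++ {
		c := candidates[i]
		res[c] = compressedLen(buildRequest("Cookie: secret="+known+string(c)+"XXX"), useCompression)
	}
	return res
}

// shortest returns the candidates whose request compressed to the minimum length, sorted.
// With compression on, the correct byte is always among them: "Cookie: secret=7" becomes
// a longer back reference and one literal fewer. With compression off, all candidates tie.
func shortest(lengths map[byte]int) []byte {
	best := -1
	for _, l := range lengths {
		if best < 0 || l < best {
			best = l
		}
	}
	var out []byte
	for c, l := range lengths {
		if l == best {
			out = append(out, c)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

func main() {
	fmt.Printf("with compression, shortest candidates:    %q\n", shortest(guessLengths("", "0123456789", true)))
	fmt.Printf("without compression, shortest candidates: %q\n", shortest(guessLengths("", "0123456789", false)))
}
```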

Padding Oracle Attack (2002)

TLS prior to version 1.1 was susceptible to a padding oracle attack.

- Before encrypting with AES-CBC, data||MAC-tag needs to be padded to the AES block size (16 bytes).
- The padding sets each byte in the pad to the pad length, i.e., the padding has a specific format.

At the server side, on receipt of an encrypted record:

- decrypt the record with the client encryption key,
- check the pad format; if it is not valid, return a decryption_failed alert,
- if the pad format is okay, check the MAC on the fragment; if it does not verify, return a bad_record_mac alert.

This introduced different types of errors that an attacker can distinguish.

Padding Oracle Attack (2002), continued

Padding oracle:

- The attacker submits ciphertexts of choice,
- and learns whether the last bytes of the plaintext are a valid pad;
- if not valid, the server returns decryption_failed,
- if valid, the server returns bad_record_mac.

This gives rise to a chosen-ciphertext attack!

Padding oracle attack on CBC encryption

CBC mode encryption:

- $C_0 = IV$,
- $C_i = E_K(C_{i-1} \oplus M_i)$.

CBC mode decryption:

- $C_0 = IV$,
- $M_i = D_K(C_i) \oplus C_{i-1}$.

Suppose an attacker wants to find $M_2$ from the ciphertext $(C_0, C_1, C_2, \dots)$:

- $M_2 = D_K(C_2) \oplus C_1$.
- Guess the last byte of $M_2$ to be $g$,
- compute $C_1' = C_1 \oplus 00|\dots|00|g \oplus 00|\dots|00|01$,
- submit $C' = (C_1', C_2)$ to the server and wait for the response.
- If $g$ is the last byte of $M_2$, the decryption of $C'$ will have a valid pad;
- if not, the pad will not be valid;
- try all 256 possible bytes for $g$ until the correct one $g_0$ is found.
- Go on using $C_1' = C_1 \oplus 00|\dots|00|g|g_0 \oplus 00|\dots|00|02|02$.

Padding oracle attack on CBC encryption, continued

[Figure: CBC mode decryption of two ciphertext blocks with the Initialization Vector (IV), block cipher decryption under the key, and the two plaintext blocks. In the attack, the last byte of the first ciphertext block is XORed with $g \oplus 01$, so that the second plaintext block ends in $01$ when $g$ is correct; in the next step the last two bytes are XORed with $(g \oplus 02)|(g_0 \oplus 02)$, so that the second plaintext block ends in $02|02$.]

Padding oracle attack on CBC encryption, continued

- For AES we can find one plaintext block with at most 16 · 256 chosen-ciphertext queries to the padding oracle.
- More complicated in practice: in case of an invalid record, the session is terminated and new keys need to be negotiated.
- Still a valid attack if the same message is encrypted in various sessions.
- Example: IMAP over TLS: every few minutes the client sends username and password to log in.
- The password can be computed within a few hours.

Padding oracle attack on CBC encryption: solutions

- Make the alert message and the timing the same in both cases.
- RFCs: always perform a MAC check as if zero-length padding is applied.
- Encrypt-then-MAC avoids the problem because a change is detected before decryption.
- MAC-then-CBC is [...], but the padding oracle destroys it.
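Added example, not the lecture's code: a Go model of a MAC-then-pad-then-CBC record with the two server behaviours described on the slides, the pre-TLS-1.1 one with distinct alerts and the RFC-recommended uniform one, and the single-byte probe from the slides run against both. Keys, IV and plaintext are constructed; AES-128-CBC and HMAC-SHA256 are assumed as the primitives.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo keys, IV (C0) and plaintext; not values from the lecture.
var (
	encKey   = []byte("0123456789abcdef")
	macKey   = []byte("a-mac-key-for-the-demo")
	demoIV   = []byte("16-byte-IV-block")
	demoData = []byte("user=alice&password=correct-horse-battery")
)

// pad appends n bytes each equal to n (the pad format described on the slides).
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// padLen returns the pad length and whether the trailing bytes form a valid pad.
func padLen(pt []byte) (int, bool) {
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return 0, false
	}
	return n, true
}

func tag(data []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil)
}

// macOK strips a pad of length n and verifies data || MAC.
func macOK(pt []byte, n int) bool {
	body := pt[:len(pt)-n]
	if len(body) < sha256.Size {
		return false
	}
	return hmac.Equal(tag(body[:len(body)-sha256.Size]), body[len(body)-sha256.Size:])
}

// encryptRecord CBC-encrypts pad(data || MAC) under iv and returns C0 || C1 || C2 || ...
func encryptRecord(iv, data []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	pt := pad(append(append([]byte{}, data...), tag(data)...))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...)
}

// server decrypts a record and returns the alert it would send. uniform=false is the
// pre-TLS-1.1 behaviour from the slides (two distinct alerts: the padding oracle).
// uniform=true follows the RFC advice: on a bad pad continue as if the pad had length
// zero, always run the MAC check, and send one alert (the remaining timing difference is Lucky 13).
func server(rec []byte, uniform bool) string {
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(rec)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, rec[:aes.BlockSize]).CryptBlocks(pt, rec[aes.BlockSize:])
	n, ok := padLen(pt)
	if !ok && !uniform {
		return "decryption_failed"
	}
	if !ok {
		n = 0
	}
	if !ok || !macOK(pt, n) {
		return "bad_record_mac"
	}
	return "ok"
}

// lastByteCandidates runs the probe from the slides: for every g it submits
// C' = (C1 xor 00|...|00|g xor 00|...|00|01, C2) and keeps the g whose pad was accepted
// (bad_record_mac instead of decryption_failed). The leaky server leaves only the last
// byte of M2 (unless M2 also ends in 02|02 or a longer valid pad); the uniform server
// answers bad_record_mac to every probe, so all 256 values remain and nothing is learned.
func lastByteCandidates(uniform bool, c1, c2 []byte) []int {
	var out []int
	for g := 0; g < 256; g++ {
		probe := append([]byte{}, c1...)
		probe[aes.BlockSize-1] ^= byte(g) ^ 0x01
		if server(append(probe, c2...), uniform) == "bad_record_mac" {
			out = append(out, g)
		}
	}
	return out
}

func main() {
	rec := encryptRecord(demoIV, demoData)
	c1, c2 := rec[16:32], rec[32:48]
	fmt.Println("leaky server leaves:  ", lastByteCandidates(false, c1, c2))
	fmt.Println("uniform server leaves:", len(lastByteCandidates(true, c1, c2)), "candidates")
}
```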

Lucky 13 Attack (2013)

Side channel attack: The Lucky 13 attack is a variant of the padding oracle attack, using the timing difference in the MAC computation as a side channel.

The TLS 1.1 and 1.2 RFCs recommend checking the MAC as if there was a zero-length pad: “This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.”

It turns out that the small timing difference actually can be exploited!

Lucky 13 Attack (2013): countermeasures

- Add random time delays to CBC-mode decryption processing.
  • Ineffective, the attacker just needs more samples!
- Switch to using RC4 cipher suites.
  • RC4 is vulnerable!
- Modify TLS’s CBC-mode decryption procedure so as to remove the timing side channel.
  • “Lucky Microseconds: A Timing Attack on Amazon’s s2n Implementation of TLS”, Albrecht and Paterson, Nov. 18, 2015.
- Switch to using authenticated encryption, such as AES-GCM. → TLS 1.3 uses authenticated encryption only.

POODLE Attack (2014)

POODLE: Padding Oracle On Downgraded Legacy Encryption

- The client requests TLS 1.2.
- Eve lets the handshake fail (e.g., with an Alert message).
  • The correct behaviour of the server would be to respond with an older SSL/TLS version so that the handshake is finished properly and the transcript can be verified by both sides.
- To work with broken servers, some clients just try again after the aborted handshake, using a lower (less secure) SSL/TLS version.
- Eve is able to use the padding oracle attack and wins.

POODLE Attack (2014): countermeasures

Countermeasure: TLS Fallback Signaling Cipher Suite Value (SCSV)

- When the client tries to connect again, it adds TLS_FALLBACK_SCSV (0x56, 0x00) to its list of supported ciphers.
- When the server sees TLS_FALLBACK_SCSV, it is supposed to check whether it actually would have supported the (higher) TLS version.

Best countermeasure: Do not implement insecure cipher suites, either as server or as client!

Do not trade interoperability for security and standards compliance!
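Added example, not from the lecture: the server-side rule for TLS_FALLBACK_SCSV written out in Go. The SCSV value (0x56, 0x00) is from the slide; the wire versions (TLS 1.0 = 3.1, TLS 1.2 = 3.3), the alert name inappropriate_fallback (RFC 7507) and the sample suite TLS_RSA_WITH_AES_128_CBC_SHA (0x00, 0x2f) are assumed from the standards.

```go
package main

import "fmt"

// Version is a TLS protocol version as sent on the wire (major, minor).
type Version struct{ Major, Minor uint8 }

var (
	TLS10 = Version{3, 1}
	TLS12 = Version{3, 3}
)

// Cipher suite values: TLS_FALLBACK_SCSV from the slide (RFC 7507) and, as a
// normal suite for the sample hello, TLS_RSA_WITH_AES_128_CBC_SHA.
var (
	fallbackSCSV = [2]byte{0x56, 0x00}
	aes128SHA    = [2]byte{0x00, 0x2f}
)

func (v Version) less(w Version) bool {
	return v.Major < w.Major || (v.Major == w.Major && v.Minor < w.Minor)
}

// clientHello is the part of a ClientHello the server needs for this check.
type clientHello struct {
	Version      Version   // highest version offered in this attempt
	CipherSuites [][2]byte // offered suites, possibly including the SCSV
}

func (h clientHello) hasFallbackSCSV() bool {
	for _, cs := range h.CipherSuites {
		if cs == fallbackSCSV {
			return true
		}
	}
	return false
}

// negotiate is the server-side rule from the slide. serverMax is the highest
// version this server supports. If the client signals that it is retrying after a
// failed handshake (SCSV present) but offers less than the server supports, the
// earlier failure cannot have been the server's doing: the server aborts with
// inappropriate_fallback instead of completing a downgraded handshake.
// Otherwise it picks the highest version both sides support.
func negotiate(h clientHello, serverMax Version) (Version, string) {
	if h.hasFallbackSCSV() && h.Version.less(serverMax) {
		return Version{}, "inappropriate_fallback"
	}
	if serverMax.less(h.Version) {
		return serverMax, ""
	}
	return h.Version, ""
}

// retryHello is what the client sends on its second attempt after Eve made the
// first handshake fail: a lower version, with or without the SCSV.
func retryHello(v Version, signal bool) clientHello {
	suites := [][2]byte{aes128SHA}
	if signal {
		suites = append(suites, fallbackSCSV)
	}
	return clientHello{Version: v, CipherSuites: suites}
}

func main() {
	v, alert := negotiate(retryHello(TLS10, true), TLS12)
	fmt.Println("retry to TLS 1.0 with SCSV, server supports 1.2: ", v, alert)
	v, alert = negotiate(retryHello(TLS10, false), TLS12)
	fmt.Println("retry to TLS 1.0 without SCSV (old client):      ", v, alert)
	v, alert = negotiate(retryHello(TLS10, true), TLS10)
	fmt.Println("retry to TLS 1.0 with SCSV, server only has 1.0: ", v, alert)
}
```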

RC4 Attacks

Roos’ biases (1995):

- The first byte of the keystream is correlated to the first three bytes of the key.
- Gives a square-root speedup to brute-force key recovery, e.g., $O(2^{64})$ for 128-bit keys.

Biased outputs of RC4 (2001):

- The second output byte of the key stream is biased toward zero with probability 1/128. → The 2nd byte tends to be plaintext!
- The XOR value of the 1st and 2nd outputs of RC4 is also non-uniform.

RC4 Attacks, continued

Fluhrer, Mantin and Shamir attack (2001):

- RC4 is like a pseudo-random number generator, generating a key stream from a secret key.
- RC4 requires a nonce if a long-term key is used.
- If the nonce and the long-term key are simply concatenated, the long-term key can be discovered.
- SSL/TLS uses different keys for each session; but this is a problem for WEP, requires 10 million messages.

Klein’s attack (2005):

- Exploits more correlations between the RC4 keystream and the key.
- Breaks 128-bit WEP in under a minute, requires 40,000 frames for 50% success probability, 85,000 frames for 95% probability.

RC4 Attacks, continued

Royal Holloway attack (2013):

- An extensive study revealed even more correlations in the keystream.
- Requires $2^{28}$ to $2^{32}$ TLS connections for reliable recovery.
- Only the first 220 bytes of application data can be targeted.

Countermeasures:

- Discard initial keystream bytes.
- Add random-length padding to records.
- Limit the lifetime of cookies or the number of times cookies can be sent.
- Stop using RC4 in TLS.

RC4 Attacks, continued

Bar-mitzvah attack (2015):

- Makes use of the 13-year-old attack by Fluhrer, Mantin and Shamir.
- Some keys are particularly weak when used with RC4.
- The attack reveals several hundred bytes at the beginning of the plaintext if a weak key is used.

Countermeasures:

- Discard even more initial keystream bytes.
- Seriously, stop using RC4 in TLS!

RC4 Attacks, continued

NOMORE RC4 attack (2015): Numerous Occurrence MOnitoring & Recovery Exploit

- Exploits even more biases, including long-term biases.
- Exploits Mantin’s ABSAB bias: a byte pair (A, B) is likely to reappear after a short gap S, i.e., the keystream shows the pattern A B S A B.
- With 94% probability, the attack can be performed using $9 \cdot 2^{27}$ encryptions collected over 75 hours.

Countermeasures: NOMORE RC4 in TLS!

RC4 Attacks 29/42

How about the NSA?

I The biases have been known to the NSA; the NSA has the resources to conduct research on its own.

I Large computing power allows it to find even more biases.

I Chances are the NSA can do better than public research.

I There are hints in the Snowden leaks that the NSA can decrypt some SSL/TLS traffic — when RC4 is used?

FREAK Attack (2014) 30/42

FREAK: Factoring RSA Export Keys

I There are weak EXPORT ciphers due to export restrictions on "cryptography" in the United States in the '90s (in the meantime loosened due to "Bernstein v. United States").

I Nowadays, these EXPORT ciphers can be broken with small effort, e.g., RSA-512 (cost: 100 USD on Amazon cloud services).

I Privacy is at risk when EXPORT ciphers are used!

FREAK Attack (2014) 31/42

How to convince client and server to use EXPORT ciphers?

I The hash of the transcript in the Finished message should prevent a MitM from downgrading to insecure ciphers.

I "Some modern TLS clients — including Apple's SecureTransport and OpenSSL — have a bug in them. This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA." (Matthew Green)

FREAK Attack (2014) 32/42

Normal RSA key exchange (no attacker):

  Client                                          Server
  cr, [..., RSA, ...]              ------------>
                                   <------------  sr, RSA
                                   <------------  certs
  rsaenc_s(pms)                    ------------>
  (ms, k1, k2) = kdf(pms, cr|sr)                  (ms, k1, k2) = kdf(pms, cr|sr)
  finished(ms, logC)               ------------>  check logC
  check logS                       <------------  finished(ms, logS)
  enc(k1, Data)                    ------------>
                                   <------------  enc(k2, Data)

With the MitM (the MitM rewrites the two Hello messages, everything else is forwarded):

  Client                     MitM                                    Server
  cr, [..., RSA, ...]  --->  cr, [RSA_EXPORT]                  --->
                       <---  sr, RSA                           <---  sr, RSA_EXPORT
                       <---  certs, sign(sks, [cr|sr|p512])    <---
                             s512 = factor(p512)
  rsaenc_p512(pms)     --->                                    --->
  (ms, k1, k2) =             (ms, k1, k2) =                          (ms, k1, k2) =
    kdf(pms, cr|sr)            kdf(pms, cr|sr)                         kdf(pms, cr|sr)
  finished(ms, logC)   --->  finished(ms, logC)                --->  check logC
  check logS           <---                                    <---  finished(ms, logS)
  enc(k1, Data)        --->                                    --->
                       <---                                    <---  enc(k2, Data)

FREAK Attack (2014) 33/42

The MitM attack:

1. In the client's Hello message, it asks for a 'standard RSA' ciphersuite.
2. The MitM attacker changes this message to ask for 'export RSA'.
3. The server responds with a 512-bit export RSA key, signed with its long-term key; the MitM forwards the ServerKeyExchange message.
4. The client accepts the unexpected ServerKeyExchange message due to an implementation bug and uses the weak key.
5. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
6. When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.
7. From here on out, the attacker can decrypt (recorded) ciphertext.
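Added example (not from the slides, and not any library's code): a toy model of the client-side decision that step 4 gets wrong, next to the hardened version, and of why the Finished transcript hash alone does not save the day. Suite names, the 2048-bit policy threshold, the transcript strings and the premaster value are all constructed for the model; the TLS PRF is stood in for by HMAC-SHA256.

```python
import hashlib
import hmac

# Export-grade suites; a hardened client neither offers nor implements them.
EXPORT_SUITES = {"RSA_EXPORT"}
MIN_RSA_BITS = 2048   # policy threshold (assumption): nothing smaller is used for key exchange


def client_accepts_rsa_server_key_exchange(offered, negotiated, ske_key_bits, buggy=False):
    """Should the client accept a ServerKeyExchange that carries a temporary RSA key?

    In TLS such a message is only legal after an RSA_EXPORT suite was negotiated.
    buggy=True models the FREAK client bug: the message is accepted for any RSA suite.
    ske_key_bits is None when the server sent no ServerKeyExchange at all."""
    if ske_key_bits is None:
        return True                       # plain RSA: pms is encrypted to the certificate key
    if buggy:
        return True                       # the bug: unexpected message accepted, weak key used
    if negotiated not in EXPORT_SUITES:
        return False                      # unexpected for a non-export suite: abort
    if negotiated not in offered:
        return False                      # server chose a suite we never offered: abort
    return ske_key_bits >= MIN_RSA_BITS   # never a 512-bit key


def finished_verify_data(ms: bytes, transcript) -> bytes:
    """Finished = PRF(ms, hash(transcript)); modelled here as HMAC-SHA256."""
    digest = hashlib.sha256("\n".join(transcript).encode()).digest()
    return hmac.new(ms, digest, hashlib.sha256).digest()


def server_accepts_finished(ms: bytes, server_transcript, received: bytes) -> bool:
    """The server recomputes Finished over its own view of the handshake."""
    return hmac.compare_digest(received, finished_verify_data(ms, server_transcript))


def simulate_freak(buggy_client: bool) -> dict:
    """Run the slide's exchange with a client that offered only a standard RSA suite."""
    offered = ["RSA"]
    # Each side's view of the handshake: the MitM rewrote both Hello messages (constructed).
    client_log = ["ClientHello cr [RSA]", "ServerHello sr RSA",
                  "Certificate certs", "ServerKeyExchange p512 signed"]
    server_log = ["ClientHello cr [RSA_EXPORT]", "ServerHello sr RSA_EXPORT",
                  "Certificate certs", "ServerKeyExchange p512 signed"]
    result = {"client_aborted": False,
              "forwarded_finished_accepted": False,
              "forged_finished_accepted": False}
    if not client_accepts_rsa_server_key_exchange(offered, "RSA", 512, buggy=buggy_client):
        result["client_aborted"] = True   # nothing is ever encrypted to the 512-bit key
        return result
    pms = b"constructed premaster secret"          # constructed sample value
    ms = hashlib.sha256(pms + b"cr|sr").digest()   # kdf(pms, cr|sr), modelled
    # The transcript hash does its job: the client's Finished does not match the server's view...
    result["forwarded_finished_accepted"] = server_accepts_finished(
        ms, server_log, finished_verify_data(ms, client_log))
    # ...but a MitM holding ms (pms recovered via the factored p512) simply recomputes it.
    result["forged_finished_accepted"] = server_accepts_finished(
        ms, server_log, finished_verify_data(ms, server_log))
    return result


if __name__ == "__main__":
    print("buggy client   :", simulate_freak(buggy_client=True))
    print("hardened client:", simulate_freak(buggy_client=False))
```

The two runs make the point of slide 31 concrete: the mismatch between logC and logS is detected only if the attacker does not know ms, so the defence has to be the client refusing the unexpected ServerKeyExchange (and not offering export suites at all), not the Finished check.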

FREAK Attack (2014) 34/42

Countermeasures:

I Do not offer, do not even implement EXPORT ciphers (neither client nor server).

I Do not have bugs in SSL/TLS implementations (pretty please).
  • Still a problem for TLS False Start.

Is that enough?

Logjam Attack (2015) 35/42

Normal DHE key exchange (no attacker):

  Client                                          Server
  cr, [..., DHE, ...]              ------------>
                                   <------------  sr, DHE
                                   <------------  certs, sign(sks, [cr|sr|p|g|g^b])
  g^a                              ------------>
  (ms, k1, k2) = kdf(g^ab, cr|sr)                 (ms, k1, k2) = kdf(g^ab, cr|sr)
  finished(ms, logC)               ------------>
                                   <------------  finished(ms, logS)
  enc(k1, Data)                    ------------>
                                   <------------  enc(k2, Data)

With the MitM (the MitM rewrites the two Hello messages, everything else is forwarded):

  Client                     MitM                                       Server
  cr, [..., DHE, ...]  --->  cr, [DHE_EXPORT]                     --->
                       <---  sr, DHE                              <---  sr, DHE_EXPORT
                       <---  certs, sign(sks, [cr|sr|p512|g|g^b])  <---
  g^a                  --->  b = dlog(g^b mod p512)               --->
  (ms, k1, k2) =             (ms, k1, k2) =                             (ms, k1, k2) =
    kdf(g^ab, cr|sr)           kdf(g^ab, cr|sr)                           kdf(g^ab, cr|sr)
  finished(ms, logC)   --->  finished(ms, logC)                   --->
                       <---                                       <---  finished(ms, logS)
  enc(k1, Data)        --->                                       --->
                       <---                                       <---  enc(k2, Data)

Logjam Attack (2015) 36/42

How to break 512-bit Diffie-Hellman in real time? Millions of servers all use the same prime numbers for Diffie-Hellman key exchange. However, the first step in the number field sieve — the most efficient algorithm for breaking a Diffie-Hellman connection — depends only on this prime. After this first step, an attacker can quickly break individual connections. Using precomputation for the most common 512-bit prime, the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. An academic team can break a 768-bit prime; a nation-state can probably break a 1024-bit prime.

Logjam Attack (2015) 37/42

Countermeasures:

I Do not offer EXPORT ciphers on servers.

I Make a sanity check of presented DH parameters; reject weak parameters.

I Do not use the standard primes; use individual primes.

I Use large primes, i.e., 2048-bit or larger primes.

OpenSSL Bug (2014) 38/42

Bug in the implementation of the Heartbeat Extension (RFC 6520):

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

[...] When a HeartbeatRequest message is received [...], the receiver MUST send a corresponding HeartbeatResponse message carrying an exact copy of the payload of the received HeartbeatRequest.

OpenSSL failed to check the claimed payload_length against the actual length of the received payload data.
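Added example (not from the slides, and not OpenSSL's code): a small model of the response builder with the slide's missing check beside the RFC 6520 rule that fixes it. Process memory is modelled as one bytes object in which the received record is followed by whatever happened to sit next to it; the record, its claimed length and the neighbouring data are constructed sample values.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520: padding MUST be at least 16 bytes
HEADER_LEN = 3            # 1-byte type + 2-byte payload_length


def parse_header(buf: bytes):
    """Read type and payload_length from the start of a HeartbeatMessage."""
    return struct.unpack_from("!BH", buf, 0)


def make_request(payload: bytes, claimed_length: int) -> bytes:
    """Build a HeartbeatRequest; claimed_length may disagree with len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + bytes(MIN_PADDING)


def respond_unchecked(memory: bytes) -> bytes:
    """The bug the slide describes: payload_length is trusted, so the copy can run
    past the end of the received record into adjacent memory."""
    hb_type, payload_length = parse_header(memory)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a HeartbeatRequest")
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # may exceed the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + bytes(MIN_PADDING)


def respond_checked(memory: bytes, record_length: int):
    """The fix: RFC 6520 requires a request whose payload_length + 16 exceeds the
    record length to be discarded silently, so the copy never leaves the record."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, payload_length = parse_header(memory)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None                                            # silently discard
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + bytes(MIN_PADDING)


# Constructed sample memory: a 2-byte payload that claims to be 200 bytes long,
# followed by data that was merely adjacent on the heap (constructed, not real).
NEIGHBOURING_DATA = b"[constructed neighbouring heap data: session cookie=abc123]"
RECORD = make_request(b"hi", claimed_length=200)
MEMORY = RECORD + NEIGHBOURING_DATA


if __name__ == "__main__":
    print("unchecked:", respond_unchecked(MEMORY))
    print("checked  :", respond_checked(MEMORY, len(RECORD)))
    print("honest   :", respond_checked(make_request(b"hi", 2), len(RECORD)))
```

The unchecked response echoes the neighbouring bytes; the checked one drops the malformed request and still answers an honest one whose claimed length matches.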

OpenSSL Heartbleed Bug (2014) 39/42

SSL/TLS Cipher Suites 40/42

Cipher algorithm    | Strength (bits) | SSL 2.0  | SSL 3.0  | TLS 1.0  | TLS 1.1  | TLS 1.2  | TLS 1.3
--------------------|-----------------|----------|----------|----------|----------|----------|---------
AES GCM             | 256, 128        | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
AES CCM             | 256, 128        | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
AES CBC             | 256, 128        | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
Camellia GCM        | 256, 128        | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
Camellia CBC        | 256, 128        | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
ARIA GCM            | 256, 128        | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
ARIA CBC            | 256, 128        | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
SEED CBC            | 128             | N/A      | N/A      | Depends  | Secure   | Secure   | N/A
3DES EDE CBC        | 112             | Insecure | Insecure | Low/Dep. | Low      | Low      | N/A
GOST CNT            | 256             | N/A      | N/A      | Secure   | Secure   | Secure   | N/A
IDEA CBC            | 128             | Insecure | Insecure | Depends  | Secure   | N/A      | N/A
DES CBC             | 40              | Insecure | Insecure | N/A      | N/A      | N/A      | N/A
DES CBC             | 56              | Insecure | Insecure | Insecure | N/A      | N/A      | N/A
RC2 CBC             | 56              | Insecure | Insecure | Insecure | N/A      | N/A      | N/A
ChaCha20-Poly1305   | 256             | N/A      | N/A      | N/A      | N/A      | Secure   | Secure
RC4                 | 40              | Insecure | Insecure | Insecure | N/A      | N/A      | N/A
RC4                 | 128             | Insecure | Insecure | Insecure | Insecure | Insecure | N/A
NULL                | –               | N/A      | Insecure | Insecure | Insecure | Insecure | Insecure

Announcement 41/42

Guest lectures next week:

I Tuesday: Jacob Appelbaum, Tor.

I Thursday: Dan Bernstein, DNSsec.

Assignments 42/42

I Choice of topic: before Thursday, November 26th, 23:59 (today).

I Assignment of topic: Friday, November 27th.

I Deadline of first assignment: Sunday, December 13th, 23:59.

The deadlines are strict!
