Plaintext-Recovery Attacks Against Datagram TLS

Nadhem Alfardan and Kenneth Paterson

Information Security Group Royal Holloway, University of London

6th Feb 2012 Results Introduction to DTLS Previous Attacks Padding Oracle Realisation Against OpenSSL Attacking the GnuTLS Implementation of DTLS Lessons Contents

4 Padding Oracle Realisation Against OpenSSL 1 Results

5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS

3 Previous Attacks 6 Lessons

Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Padding Oracle Realisation Against OpenSSL Attacking the GnuTLS Implementation of DTLS Lessons Results

4 Padding Oracle Realisation Against OpenSSL 1 Results

5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS

3 Previous Attacks 6 Lessons

Plaintext-recovery attacks through which we were able to: Decrypt arbitrary amount of ciphertext in the case of the OpenSSL implementation of DTLS. Decrypt the four most signiﬁcant bits of the last byte in every block in the case of the GnuTLS implementation of DTLS.

Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Background Padding Oracle Realisation Against OpenSSL DTLS versus TLS Attacking the GnuTLS Implementation of DTLS Lessons Introduction to DTLS

4 Padding Oracle Realisation Against OpenSSL 1 Results

5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS Background DTLS versus TLS 6 Lessons

3 Previous Attacks

Datagram Transport Layer Security (DTLS) was ﬁrst introduced in NDSS 2004. IETF assigned RFC 4347 to DTLS 1.0 in 2006. RFC 6347 updates RFC 4347 and was published in Jan 2012 under DTLS 1.2. By design, DTLS 1.0 is very similar to TLS 1.1. RFC 4347 presents only the changes to TLS 1.1 and refers to RFC 4346 for the rest of the speciﬁcation. A number of RFC documents have been published on DTLS. DTLS is used in a number of implementations.

DTLS runs over an unreliable protocol such as Unreliable Datagram Protocol (UDP).

Handshake Change Alert Applications Protocol Cipher Spec Protocol TLS! Record Protocol

Reliable Transport Protocol

Handshake Change Alert Applications Protocol Cipher Spec Protocol DTLS! Record Protocol

Unreliable Transport Protocol

Changes to TLS 1.1 also include: Implementations of DTLS should silently discard data with bad MACs or padding. No error messages are generated in both cases. In DTLS, connections are not terminated in the case of an error. In DTLS, fragmentation of record messages is not permitted. DTLS optionally supports record replay protection. There are other changes, but they are not of relevance.

Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Vaudenay’s Padding Oracle Padding Oracle Realisation Against OpenSSL Canvel et al. Work Attacking the GnuTLS Implementation of DTLS Lessons Previous Attacks

4 Padding Oracle Realisation Against OpenSSL 1 Results

5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS

3 Previous Attacks 6 Lessons Vaudenay’s Padding Oracle Canvel et al. Work

Vaudenay’s padding oracle, ( ) applies to CBC-mode encryption.PO Algorithm 1: Decrypting a block returns VALID if the padding using a padding oracle for TL- PO PO is correct and INVALID otherwise. S/DTLS.

The realisation of this oracle relies Data: Ct∗ 1, Ct∗ − Result: Pt∗ = Dk (Ct∗) Ct∗ 1 on the attacker having access to ⊕ − Let R be a random b-byte block.; TLS error messages; for i =0to b 1 do for byte−=0to 255 do decryption failed and R[i]=byte; C = R Ct∗; bad record mac which are if (||C) = VALID then PO P[i]=R[i] Ct∗ 1[i] i; classiﬁed as fatal. ⊕ − ⊕ Break; In the case of TLS 1.0, both of for j =0to i do R[j]=R[j] (i) (i +1); these error messages are encrypted. ⊕ ⊕ Connections are terminated Output P; immediately whenever such errors are encountered.

The work of Canvel et al. exploits the fact that processing a message with valid padding may take longer than the processing of a message with invalid padding: The timing difference comes from the MAC verification process. Canvel et al. were able to extract fixed plaintext in the form of TLS-encrypted passwords. Connections had to be re-established after being terminated, making the attack difficult to implement. Countermeasures were introduced in TLS 1.1: One of them is to perform MAC verification on packets that fail the padding check.

Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons Padding Oracle Realisation Against OpenSSL

OpenSSL Implementation of DTLS 1 Results Timing and Packet Processing 2 Introduction to DTLS Results

3 Previous Attacks 5 Attacking the GnuTLS Implementation of DTLS 4 Padding Oracle Realisation

Against OpenSSL 6 Lessons

Algorithm 2: Padding Oracle for DTLS Packets with invalid padding are silently discarded and MAC OpenSSL implementation of DTLS Data: C veriﬁcation is not performed. No Result: VALID or INVALID error messages are generated when for q =1to m do RTTq = Timer(C); the padding error is encountered. RTT =Mean(RTT1, RTT2,...,RTTm); if RTT T then This protects the system from return≥ VALID; else the attack introduced by return INVALID; Canvel et al. Timer(C) Set Ts =currenttime; We constructed a new realisation Send n copies of PC ,aDTLSpacketcontainingC,to the targeted system; for the padding oracle to exploit Send a Heartbeat request packet to the targeted system; the OpenSSL implementation of Set Te = time when Heartbeat response packet is seen; return (Te Ts ) DTLS. −

We were able to use Heartbeat messages to compensate the lack of error messages. The advisory sends a Heartbeat request message right after the attack message(s).

The advisory calculates the time from sending the ﬁrst message to receiving the Heartbeat response message.

To amplify the timing diﬀerence we used a train of packets.

Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS packet 1

t1,0 t1,1 t1,2 t1,3 packet 2

Heartbeat Request t2,0 t2,1 t2,2 t2,3 Heartbeat Response

Ts Tf Te

Results Figure 11. Time-line for a train with n =2(not to scale). Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons

packet 1

t1,0 t1,1 t1,2 t1,3 packet 2

t2,0 t2,1 t2,2 t2,3 Heartbeat Request Time-line for packet train with valid padding Heartbeat Response

Ts Tf Te

packet 1

t1,0 t1,1 t1,3 packet 2 Time-line for packet train with invalid padding

t2,0 t2,1 t2,3 Heartbeat Request Heartbeat Response

Ts Tf Te Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons

0.30 0.08 0.06

0.25 0.05 0.06 0.20 0.04

0.15 0.04 0.03

0.10 0.02 0.02 0.05 0.01

540 560 580 600 620 640 1240 1260 1280 1300 1320 1340 1660 1680 1700 1720 (a) l =256 (b) l =1024 (c) l =1456

Figure: 3DES – PDFs for trains of 10 packets and varying the DTLS payload length, l.

0.20 0.12 0.15 0.10 0.15 0.08 0.10

0.10 0.06

0.04 0.05 0.05 0.02

520 530 540 550 560 570 580 1210 1215 1220 1225 1230 1580 1590 1600 1610 1620 1630 (a) l =256 (b) l =1024 (c) l =1456

Figure: AES-256 – PDFs for trains of 10 packets and varying the DTLS payload length, l.

n and l 128 160 192 224 256 288 1 0.99 0.99 1.00 0.99 1.00 0.99 2 0.99 1.00 0.99 1.00 1.00 0.98 5 0.99 1.00 1.00 1.00 1.00 0.98 10 0.98 1.00 0.99 1.00 1.00 0.99 20 0.99 0.99 1.00 1.00 1.00 0.99 50 0.99 0.99 1.00 1.00 0.98 0.95

Table: Success probabilities per byte for AES, for various attack parameters (with anti-replay disabled). n is the train size and l is the DTLS payload size in bytes.

4 Padding Oracle Realisation Against OpenSSL 1 Results

5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS

3 Previous Attacks 6 Lessons

Unlike OpenSSL, GnuTLS share the same 0.014 code for TLS and DTLS. 0.012 0.010

GnuTLS implements the ﬁx introduced in 0.008 TLS 1.1 and hence is not vulnerable to 0.006 our attack against OpenSSL. 0.004 0.002

We were able to recover the four most 100 200 300 400 signiﬁcant bits of the last byte in each Figure: PDFs for AES-256 with ciphertext block by exploiting a diﬀerent HMAC-SHA256, l =176,n =5,based issue in the code and using the same on 1000 trials, with outliers removed. technique.

On 4th of Jan 2012, OpenSSL issued releases 1.0.0f and 0.9.8s which included a ﬁx. On 6th of Jan 2012, GnuTLS issued release 3.0.11 which included a ﬁx.

4 Padding Oracle Realisation Against OpenSSL 1 Results

5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS

3 Previous Attacks 6 Lessons

Lack of error messages does not necessarily mean that the system is not vulnerable. Although the GnuTLS implementation of DTLS follows the standard, we were able to deploy similar techniques to attack the implementation and recover a limited amount plaintext. Features of lower layer protocols can have a major inﬂuence on security at higher layers.

Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS