Trustbase: an Architecture to Repair and Strengthen Certificate-Based
Total Page:16
File Type:pdf, Size:1020Kb
Recommended publications
-
Using Frankencerts for Automated Adversarial Testing of Certificate
Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker∗†, Suman Jana†, Baishakhi Ray‡, Sarfraz Khurshid†, Vitaly Shmatikov† ∗Google †The University of Texas at Austin ‡University of California, Davis Abstract—Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is “frankencerts,” synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if [...] many open-source implementations of SSL/TLS are available for developers who need to incorporate SSL/TLS into their software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, MatrixSSL, cryptlib, and several others. Several Web browsers include their own, proprietary implementations. In this paper, we focus on server authentication, which is the only protection against man-in-the-middle and other server impersonation attacks, and thus essential for HTTPS and virtually any other application of SSL/TLS. Server authentication in SSL/TLS depends entirely on a single step in the handshake protocol. As part of its “Server Hello” message, the server presents an X.509 certificate with its public key. -
Email Transport Encryption STARTTLS Vs. DANE Vs. MTA-STS
Email Transport Encryption STARTTLS vs. DANE vs. MTA-STS Delimitation This document deals with the encrypted transport of messages between two email servers. Encryption during transport is crucial for a basic level of security for the exchange of messages. The exchange of messages between an email client and a server or the end-to-end encryption of messages are not covered in this article. If the aim is to create a secure overall system, these aspects should be considered in addition to the recommendations in this article. Initial situation When the first standard for the Simple Mail Transfer Protocol (in short: SMTP) was adopted, encryption of the transport was not included. All messages were exchanged as plain text between the servers. They were thus basically readable for anyone who could tap into the data exchange between the two servers. This only changed with the introduction of the SMTP Service Extensions for Extended SMTP (ESMTP for short), which made it possible to choose encrypted transport as an opportunistic feature of data exchange. Opportunistic, because it had to be assumed that not all servers would be able to handle transport encryption. They should only encrypt when it is opportune; encryption is not mandatory. To indicate the basic ability to encrypt to a sending server, it was agreed that the receiving server should send the keyword STARTTLS at the beginning of an ESMTP transport session. STARTTLS STARTTLS can encrypt the transport between two email servers. The receiving server signals the sending server that it is capable of encrypting after a connection is established and in the ESMTP session. -
MTA STS Improving Email Security.Pdf
Improving Email Security with the MTA-STS Standard By Brian Godiksen An Email Best Practices Whitepaper CONTENTS: Executive Overview; Why Does Email Need Encryption in Transit?; The Problem with “Opportunistic Encryption”; The Anatomy of a Man-in-the-Middle Attack; The Next Major Step with Email Encryption: MTA-STS; What Steps Should Senders Take to Adopt MTA-STS?; About SocketLabs. Brian Godiksen Brian has been helping organizations optimize email deliverability since joining SocketLabs in 2011. He currently manages a team of deliverability analysts that consult with customers on best infrastructure practices, including email authentication implementation, bounce processing, IP address warm-up, and email marketing list management. Brian leads the fight against spam and email abuse at SocketLabs by managing compliance across the platform. He is an active participant in key industry groups such as M3AAWG and the Email Experience Council. You can read more of Brian’s content here on the SocketLabs website. ©2019 SocketLabs Executive Overview The Edward Snowden leaks of 2013 opened many people’s eyes to the fact that mass surveillance was possible by intercepting and spying on email transmissions. Today, compromised systems, database thefts, and technology breaches remain common fixtures in news feeds around the world. As a natural response, the technology industry is rabidly focused on improving the security and encryption of communications across all platforms. Since those early days of enlightenment, industry experts have discussed and attempted a variety of new strategies to combat “pervasive monitoring” of email channels. While pervasive monitoring assaults can take many forms, the most prominent forms of interference were man-in-the-middle (MitM) attacks. -
HTTP2 Explained
HTTP2 Explained Daniel Stenberg Mozilla Corporation [email protected] ABSTRACT A detailed description explaining the background and problems with current HTTP that has led to the development of the next generation HTTP protocol: HTTP 2. It also describes and elaborates around the new protocol design and functionality, including some implementation specifics and a few words about the future. This article is an editorial note submitted to CCR. It has NOT been peer reviewed. The author takes full responsibility for this article’s technical content. Comments can be posted through CCR Online. Keywords HTTP 2.0, security, protocol 1. Background This is a document describing http2 from a technical and protocol level. It started out as a presentation I did in Stockholm in April 2014. I've since gotten a lot of questions about the contents of that presentation from people who couldn't attend, so I decided to convert it into a full-blown document with all details and proper explanations. [...] credits to everyone who helps out! I hope to make this document better over time. This document is available at http://daniel.haxx.se/http2. 1.3 License This document is licensed under the Creative Commons Attribution 4.0 license: http://creativecommons.org/licenses/by/4.0/ 2. HTTP Today HTTP 1.1 has turned into a protocol used for virtually everything on the Internet. Huge investments have been done on protocols and infrastructure that takes advantage of this. This is taken to the extent that it is often easier today to make things run on top of HTTP rather than building something new on its own. 2.1 HTTP 1.1 is Huge When HTTP was created and thrown out into the world it was probably perceived as a rather simple and straight-forward -
Sizzle: a Standards-Based End-To-End Security Architecture for the Embedded Internet
Sizzle: A Standards-based end-to-end Security Architecture for the Embedded Internet Vipul Gupta, Matthew Millard,∗ Stephen Fung*, Yu Zhu*, Nils Gura, Hans Eberle, Sheueling Chang Shantz Sun Microsystems Laboratories 16 Network Circle, UMPK16 160 Menlo Park, CA 94025 [email protected], [email protected], [email protected] [email protected], {nils.gura, hans.eberle, sheueling.chang}@sun.com Abstract This paper introduces Sizzle, the first fully-implemented end-to-end security architecture for highly constrained embedded devices. According to popular perception, public-key cryptography is beyond the capabilities of such devices. We show that elliptic curve cryptography (ECC) not only makes public-key cryptography feasible on these devices, it allows one to create a complete secure web server stack including SSL, HTTP and user application that runs efficiently within very tight resource constraints. Our small footprint HTTPS stack needs less than 4KB of RAM and interoperates with an ECC-enabled version of the Mozilla web browser. [...] numbers of even simpler, more constrained devices (sensors, home appliances, personal medical devices) get connected to the Internet. The term “embedded Internet” is often used to refer to the phase in the Internet’s evolution when it is invisibly and tightly woven into our daily lives. Embedded devices with sensing and communication capabilities will enable the application of computing technologies in settings where they are unusual today: habitat monitoring [26], medical emergency response [31], battlefield management and home automation. Many of these applications have security requirements. For example, health information must only be made available to authorized personnel (authentication) and be pro- -
Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019
Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang (Nanyang Technological University), Jun Jiang (Two Sigma Investments, LP), Yinqian Zhang (The Ohio State University) [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with a focus on vulnerabilities and countermeasures in the cryptographic implementations. Particularly, we survey past research literature to categorize vulnerable implementations, and identify common strategies to eliminate them. We then evaluate popular libraries and applications, quantitatively measuring and comparing the vulnerability severity, response time and coverage. Based on these characterizations and evaluations, we offer some insights for side-channel researchers, cryptographic software developers and users. We hope our study can inspire the side-channel research community to discover new vulnerabilities, and more importantly, to fortify applications against them. 1. [...] three questions: (1) What are the common and distinct features of various vulnerabilities? (2) What are common mitigation strategies? (3) What is the status quo of cryptographic applications regarding side-channel vulnerabilities? Past work only surveyed attack techniques and media [20–31], without offering unified summaries for software vulnerabilities and countermeasures that are more useful. This paper provides a comprehensive characterization of side-channel vulnerabilities and countermeasures, as well as evaluations of cryptographic applications related to side-channel attacks. We present this study in three directions. (1) Systematization of literature: we characterize the vulnerabilities from past work with regard to the implementations; for each vulnerability, we describe the root cause and the technique required to launch a successful -
Analysis and Detection of Anomalies in Mobile Devices
Master’s Degree in Informatics Engineering Dissertation Final Report Analysis and detection of anomalies in mobile devices António Carlos Lagarto Cabral Bastos de Lima [email protected] Supervisor: Prof. Dr. Tiago Cruz Co-Supervisor: Prof. Dr. Paulo Simões Date: September 1, 2017 Acknowledgements I strongly believe that both nature and nurture play an equal part in shaping an individual, and that in the end, it is what you do with the gift of life that determines who you are. However, in order to achieve great things motivation alone might just not cut it, and that’s where surrounding yourself with people that want to watch you succeed and better yourself comes in. It makes the trip easier and more enjoyable, and there is a plethora of people that I want to acknowledge for coming this far. First of all, I’d like to thank professor Tiago Cruz for giving me the support, motivation and resources to work on this project. The idea itself started over one of our then semi-regular morning coffee conversations and from there it developed into a full-fledged concept quickly. But this acknowledgement doesn’t start there, it dates a few years back when I first had the pleasure of having him as my teacher in one of the introductory courses. -
Analysis of DTLS Implementations Using Protocol State Fuzzing
Analysis of DTLS Implementations Using Protocol State Fuzzing Paul Fiterau-Brostean and Bengt Jonsson, Uppsala University; Robert Merget, Ruhr-University Bochum; Joeri de Ruiter, SIDN Labs; Konstantinos Sagonas, Uppsala University; Juraj Somorovsky, Paderborn University https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. Abstract Recent years have witnessed an increasing number of protocols relying on UDP. Compared to TCP, UDP offers performance advantages such as simplicity and lower latency. This has motivated its adoption in Voice over IP, tunneling technologies, IoT, and novel Web protocols. To protect sensitive data exchange in these scenarios, the DTLS protocol has been developed as a cryptographic variation of TLS. [...] reach 11.6 billion by 2021 [26]. This will constitute half of all devices connected to the Internet, with the percentage set to grow in subsequent years. Such trends also increase the need to ensure that software designed for these devices is properly scrutinized, particularly with regards to its security. DTLS is also used as one of the two security protocols in WebRTC, a framework enabling real-time communication. WebRTC can be used, for example, to implement video con- -
Lucky 13, BEAST, CRIME,... Is TLS Dead, Or Just Resting?
Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting? Kenny Paterson Information Security Group Overview Introduction to TLS (and why YOU should care) BEAST and CRIME Lucky 13 and RC4 attacks Current/future developments in TLS 2 About the Speaker Academic But spent 5 years in industrial research lab Still involved in IPR, consulting, industry liaison RHUL since 2001 “You are teaching Network Security” Leading to research into how crypto is used in Network Security EPSRC Leadership Fellow, 2010-2015 “Cryptography: Bridging Theory and Practice” Support from I4, HP, BT, Mastercard, CPNI Attacks on IPsec (2006, 2007), SSH (2009) So what about TLS? 3 A Word from my Sponsors 4 TLS – And Why You Should Care SSL = Secure Sockets Layer. Developed by Netscape in mid 1990s. SSLv2 now deprecated; SSLv3 still widely supported. TLS = Transport Layer Security. IETF-standardised version of SSL. TLS 1.0 = SSLv3 with minor tweaks, RFC 2246 (1999). TLS 1.1 = TLS 1.0 + tweaks, RFC 4346 (2006). TLS 1.2 = TLS 1.1 + more tweaks, RFC 5246 (2008). TLS 1.3? 5 TLS – And Why You Should Care Originally for secure e-commerce, now used much more widely. Retail customer access to online banking facilities. User access to gmail, facebook, Yahoo. Mobile applications, including banking apps. Payment infrastructures. User-to-cloud. Post Snowden: back-end operations for google, yahoo, … Not yet Yahoo webcam traffic, sadly. TLS has become the de facto secure protocol of choice. Used by hundreds of millions of people and devices every day. A serious attack could be catastrophic, both in real terms and in terms of perception/confidence. -
Prying Open Pandora's Box: KCI Attacks Against
Prying open Pandora’s box: KCI attacks against TLS Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes RISE – Research Industrial Systems Engineering GmbH {clemens.hlauschek, markus.gruber, florian.fankhauser, christian.schanes}@rise-world.com Abstract Protection of Internet communication is becoming more common in many products, as the demand for privacy in an age of state-level adversaries and crime syndicates is steadily increasing. The industry standard for doing this is TLS. The TLS protocol supports a multitude of key agreement and authentication options which provide various different security guarantees. Recent attacks showed that this plethora of cryptographic options in TLS (including long forgotten government backdoors, which have been cunningly inserted via export restriction laws) is a Pandora’s box, waiting to be pried open by heinous computer whizzes. Novel attacks lay hidden in plain sight. Parts of TLS are so old that their foul smell of rot cannot be easily distinguished from the flowery smell [...] and implementations of the protocol: their utility is extremely limited, their raison d’être is practically nil, and the existence of these insecure key agreement options only adds to the arsenal of attack vectors against cryptographically secured communication on the Internet. 1 Introduction The TLS protocol [1, 2, 3] is probably the most widely used cryptographic protocol on the Internet. It is designed to secure the communication between client/server applications against eavesdropping, tampering, and message forgery, and it also provides additional, optional security properties such as client authentication. TLS is an historically grown giant: its predecessor, SSL [4,5], was developed more than 20 years ago. -
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols Nadhem J. AlFardan and Kenneth G. Paterson∗ Information Security Group Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK fnadhem.alfardan.2009, [email protected] 27th February 2013 Abstract The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto secure protocol of choice for Internet and mobile applications. DTLS is a variant of TLS that is growing in importance. In this paper, we present distinguishing and plaintext recovery attacks against TLS and DTLS. The attacks are based on a delicate timing analysis of decryption processing in the two protocols. We include experimental results demonstrating the feasibility of the attacks in realistic network environments for several different implementations of TLS and DTLS, including the leading OpenSSL implementations. [...] 1.0 [31], which roughly matches TLS 1.1 and DTLS 1.2 [32], which aligns with TLS 1.2. Both TLS and DTLS are actually protocol suites, rather than single protocols. The main component of (D)TLS that concerns us here is the Record Protocol, which uses symmetric key cryptography (block ciphers, stream ciphers and MAC algorithms) in combination with sequence numbers to build a secure channel for transporting application-layer data. Other major components are the (D)TLS Handshake Protocol, which is responsible for authentication, session key establishment and ciphersuite negotiation, and the TLS Alert Protocol, which carries error messages and management traffic. Setting aside dedicated authenticated encryption algorithms (which are yet to -
Practical Invalid Curve Attacks on TLS-ECDH
Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky Horst Görtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky Recent years revealed many attacks on TLS… • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding—Applications to SSL, IPSEC, WTLS • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1 Another “forgotten” attack • Invalid curve attack • Crypto 2000, Biehl et al.: Differential fault attacks on elliptic curve cryptosystems • Targets elliptic curves – Allows one to extract private keys • Are current libraries vulnerable? Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content Elliptic Curve (EC) Crypto • Key exchange, signatures, PRNGs • Many sites switching to EC • Fast, secure – openssl speed rsa2048 ecdhp256 – ECDH about 10 times faster Elliptic Curve • Set of points over a