DOCSLIB.ORG

Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Robert Merget and Juraj Somorovsky, Ruhr University Bochum; Nimrod Aviram, Tel Aviv University; Craig Young, Tripwire VERT; Janis Fliegenschmidt and Jörg Schwenk, Ruhr University Bochum; Yuval Shavitt, Tel Aviv University https://www.usenix.org/conference/usenixsecurity19/presentation/merget This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Robert Merget1, Juraj Somorovsky1, Nimrod Aviram2, Craig Young3, Janis Fliegenschmidt1, Jörg Schwenk1, and Yuval Shavitt2 1Ruhr University Bochum 2Department of Electrical Engineering, Tel Aviv University 3Tripwire VERT Abstract the encryption key. The attack requires a server that decrypts a message and responds with 1 or 0 based on the message va- The TLS protocol provides encryption, data integrity, and lidity. This behavior essentially provides the attacker with a authentication on the modern Internet. Despite the protocol’s cryptographic oracle which can be used to mount an adaptive importance, currently-deployed TLS versions use obsolete chosen-ciphertext attack. The attacker exploits this behavior cryptographic algorithms which have been broken using var- to decrypt messages by executing adaptive queries.Vaudenay ious attacks. One prominent class of such attacks is CBC exploited a specific form of vulnerable behavior, where im- padding oracle attacks. These attacks allow an adversary to plementations validate the CBC padding structure and re- decrypt TLS traffic by observing different server behaviors spond with 1 or 0 accordingly. which depend on the validity of CBC padding. This class of attacks has been termed padding oracle We present the first large-scale scan for CBC padding attacks. Different forms of padding oracle attacks were oracle vulnerabilities in TLS implementations on the mod- demonstrated to break cryptographic hardware [6], XML ern Internet. Our scan revealed vulnerabilities in 1.83% of Encryption [23], or web technologies like Java Server the Alexa Top Million websites, detecting nearly 100 differ- Faces [33] and ASP.NET web applications [15]. Rizzo and ent vulnerabilities. Our scanner observes subtle differences Duong used a padding oracle attack to steal secrets and forge in server behavior, such as responding with different TLS authentication tokens, gaining access to sensitive data [15]. alerts, or with different TCP header flags. In all of these works, the attacker was able to use a direct side We used a novel scanning methodology consisting of three channel – different error messages – to instantiate a padding steps. First, we created a large set of probes that detect vul- oracle and decrypt confidential data. nerabilities at a considerable scanning cost. We then reduced Transport Layer Security (TLS) employs CBC mode in a the number of probes using a preliminary scan, such that a MAC-then-Pad-then-Encrypt scheme which makes it poten- smaller set of probes has the same detection rate but is small tially vulnerable to these attacks. Indeed, different types of enough to be used in large-scale scans. Finally, we used the CBC padding oracles have been used to break confidential- reduced set to scan at scale, and clustered our findings with ity TLS connections [39, 4, 3, 20]. All these attacks require a novel approach using graph drawing algorithms. the attacker to perform precise timing measurements. This Contrary to common wisdom, exploiting CBC padding or- requirement stems from the properties of the TLS protocol; acles does not necessarily require performing precise timing after establishing a TLS connection, all TLS error messages measurements. We detected vulnerabilities that can be ex- are sent encrypted and are of the same length. Therefore, ploited simply by observing the content of different server even if an attacker is able to cause the server to send differ- responses. These vulnerabilities pose a significantly larger ent error messages, the attacker is generally unable to distin- threat in practice than previously assumed. guish between the different encrypted responses. Since most previous analyses have only analyzed padding 1 Introduction oracle attacks based on timing side channels, they required testing an implementation in a local environment. These In 2002, Vaudenay presented an attack which targets mes- evaluations uncovered many new vulnerabilities [4, 3, 20]. sages encrypted with the Cipher Block Chaining (CBC) However, implementing a proper countermeasure to these mode of operation [39]. The attack exploits the malleability vulnerabilities is very challenging and requires complex of the CBC mode, which allows altering the ciphertext such constant-time implementations. It is not surprising that the that specific cleartext bits are flipped, without knowledge of implementation of such countermeasures could introduce USENIX Association 28th USENIX Security Symposium 1029 new attacks. For example, in an attempt to fix the Lucky websites with this reduced test vector set within three days. 13 padding oracle, the OpenSSL cryptographic library intro- Our scanner observes different server responses, not only in duced a different vulnerability where OpenSSL responded the TLS layer, but also in the TCP layer, similar to [9]. Our with different TLS alert messages [37]. Analysis of imple- results indicate that about 1.83% of TLS servers are vulner- mentations in lab settings therefore requires laborious test- able to CBC padding oracle attacks. ing for each new version of different implementations. This is obviously unrealistic, and therefore this type of analysis is Minimizing false positives. When a host first displays vul- performed sporadically. nerable behavior, we rescan it to make sure the behavior is Given the complexity of constant-time TLS padding veri- not a scanning artifact. We only consider a host to be vulner- fication, we expect that vulnerabilities similar to the one in- able if it responds identically in three separate scans to each troduced by OpenSSL [37] could have been introduced in of our test vectors. It is unlikely that hosts will be mislabeled other implementations as well. Therefore, this work moves as vulnerable under this criterion. We therefore believe our away from the above method of lab analyses and evaluates statistics for vulnerability are a conservative lower estimate. CBC padding oracles using large-scale Internet scans. We attempt to answer the two following questions: How preva- lent are padding oracle vulnerabilities? Are these attacks Nearly 100 different padding oracle vulnerabilities. The only exploitable by using timing side-channels? detected vulnerabilities have to be clustered in order to notify different vendors. Until now, this was done manually [9]. Contributions. In our work, we employ a novel scan- To achieve this automatically, we re-scan vulnerable hosts ning methodology that is capable of scanning for TLS CBC against a larger set of test vectors. We refer to the set of the padding oracles at scale. We use this methodology to find host responses to all test vectors as the host’s response map. new padding oracle vulnerabilities and perform responsi- This response map is essentially a fingerprint of the host’s ble disclosures. We identify nearly 100 different padding vulnerability. We then cluster the scanned hosts according oracles. We show that some of them can be exploitable to their response maps. This process identified 93 different without subtle timing side channels and thus pose a signif- response maps, i.e., 93 different vulnerabilities. These vul- icantly larger threat in practice compared to most recently- nerabilities include different behaviors, ranging from typical discovered padding oracles. padding oracles with different TLS alert messages [39], to TCP connection timeouts triggered by specific invalid MAC New large-scale scanning methodology. Scanning at bytes, or closed connections observed when using invalid scale for padding oracles is challenging. Such scans detect padding values. vulnerabilities by sending different malformed inputs and We treat distinct response maps as distinct vulnerabilities. observing server behavior. As shown by Böck et al. [9], in We argue that this is the natural way to count vulnerabilities some cases these inputs only trigger vulnerabilities when us- since it captures the case of the same vulnerability occurring ing specific TLS versions or cipher suites. Scanning with in similar, yet different implementations. Consider two hosts all possible combinations of protocol versions, cipher suites that respond identically to all test vectors. These hosts likely and malformed inputs is not feasible since it would require share an identical or very similar part of the implementation an enormous number of connections to each scanned host. that causes the vulnerability to manifest with identical re- We overcome this limitation by carefully selecting a set sponse maps. However, they do not necessarily share the ex- of probes, which allows for effective scans at scale. We sys- act same code. They may use different versions of the same tematically analyzed padding oracles previously described in TLS library, or two different libraries with a shared compo- the literature [39, 4, 3, 20, 37, 27, 25, 10, 29, 28]. We then nent. carefully
Recommended publications
  • Alcatel-Lucent Security Advisory Sa0xx

    Alcatel-Lucent Security Advisory Sa0xx

    Alcatel-Lucent Security Advisory No. SA0053 Ed. 04 Information about Poodle vulnerability Summary POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The POODLE has been reported in October 14th 2014 allowing a man-in-the-middle attacker to decrypt ciphertext via a padding oracle side-channel attack. The severity is not considered as the same for Heartbleed and/or bash shellshock vulnerabilities. The official risk is currently rated Medium. The classification levels are: Very High, High, Medium, and Low. The SSLv3 protocol is only impacted while TLSv1.0 and TLSv1.2 are not. This vulnerability is identified CVE- 2014-3566. Alcatel-Lucent Enterprise voice products using protocol SSLv3 are concerned by this security alert. Openssl versions concerned by the vulnerability: OpenSSL 1.0.1 through 1.0.1i (inclusive) OpenSSL 1.0.0 through 1.0.0n (inclusive) OpenSSL 0.9.8 through 0.9.8zb (inclusive) The Alcatel-Lucent Enterprise Security Team is currently investigating implications of this security flaw and working on a corrective measure, for OpenTouch 2.1.1 planned in Q4 2015, to prevent using SSLv3 that must be considered as vulnerable. This note is for informational purpose about the padding-oracle attack identified as “POODLE”. References CVE-2014-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 Advisory severity CVSS Base score : 4.3 (MEDIUM) - AV:N/AC:M/Au:N/C:P/I:N/A:N https://www.openssl.org/news/secadv_20141015.txt https://www.openssl.org/~bodo/ssl-poodle.pdf Description of the vulnerabilities Information about Poodle vulnerability (CVE-2014-3566).
  • Technical Report RHUL–ISG–2019–1 27 March 2019

    Technical Report RHUL–ISG–2019–1 27 March 2019

    20 years of Bleichenbacher attacks Gage Boyle Technical Report RHUL–ISG–2019–1 27 March 2019 Information Security Group Royal Holloway University of London Egham, Surrey, TW20 0EX United Kingdom Student Number: 100866673 Gage, Boyle 20 Years of Bleichenbacher Attacks Supervisor: Kenny Paterson Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London. I declare that this assignment is all my own work and that I have acknowledged all quotations from published or unpublished work of other people. I also declare that I have read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences, and in accordance with these regulations I submit this project report as my own work. Signature: Date: Acknowledgements I would first like to thank my project supervisor, Kenny Paterson. This project would not have been possible without his continuous encouragement to push the boundaries of my knowledge, and I am grateful for the commitment and expertise that he has provided throughout. Secondly, I would like to thank Nimrod Aviram for his invaluable advice, particularly with respect to algorithm implementation and understanding the finer details of this project. Further thanks should go to Raja Naeem Akram, Oliver Kunz and David Morrison for taking the time to teach me Python and how to run my source code on an Ubuntu server. I am grateful for the time that David Stranack, Thomas Bingham and James Boyle have spent proof reading this project, and for the continuous support from my part- ner, Lisa Moxham.
  • Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019

    Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019

    Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1.
  • A Security Analysis of the WPA-TKIP and TLS Security Protocols

    A Security Analysis of the WPA-TKIP and TLS Security Protocols

    ARENBERG DOCTORAL SCHOOL Faculty of Engineering Science A Security Analysis of the WPA-TKIP and TLS Security Protocols Mathy Vanhoef Supervisor: Dissertation presented in partial Prof. dr. ir. F. Piessens fulfillment of the requirements for the degree of Doctor in Engineering Science: Computer Science July 2016 A Security Analysis of the WPA-TKIP and TLS Security Protocols Mathy VANHOEF Examination committee: Dissertation presented in partial Prof. dr. ir. P. Van Houtte, chair fulfillment of the requirements for Prof. dr. ir. F. Piessens, supervisor the degree of Doctor in Engineering Prof. dr. ir. C. Huygens Science: Computer Science Prof. dr. D. Hughes Prof. dr. ir. B. Preneel Prof. dr. K. Paterson (Royal Holloway, University of London) July 2016 © 2016 KU Leuven – Faculty of Engineering Science Uitgegeven in eigen beheer, Mathy Vanhoef, Celestijnenlaan 200A box 2402, B-3001 Leuven (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotokopie, microfilm, elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemming van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm, electronic or any other means without written permission from the publisher. Preface When I started my PhD four years ago, I thought people were exaggerating when they said that doing a PhD was a unique and special experience. Turns out I was wrong: it is indeed quite the journey! It was a roller coaster of exciting and sometimes no so exciting research results, late-night deadline races, moments of doubt, enriching and rewarding travels, grueling dilemmas, facing your own limitations,.
  • Yet Another Padding Oracle in Openssl CBC Ciphersuites

    Yet Another Padding Oracle in Openssl CBC Ciphersuites

    Yet Another Padding Oracle in OpenSSL CBC Ciphersuites presented by Raphael Finkel based on https://blog.cloudflare.com/ yet-another-padding-oracle-in-openssl-cbc-ciphersuites/ Keeping Current, September 5, 2018 The Cryptographic Doom Principle I reference: https://moxie.org/blog/ the-cryptographic-doom-principle/ by Moxie Marlinspike I If you have to perform any cryptographic operation before verifying the MAC (message authentication code) on a message you’ve received, it will somehow inevitably lead to doom. I MAC is a cryptographic digest based on a secret key shared by Alice and Bob. I Proper use of MAC: Encrypt Then Authenticate (Encrypt-then-MAC, EtA; used in IPsec) I Alice sends to Bob: E(P) || MAC(E(P)) I Detail: E(P) also includes such information as the initialization vector and the encryption algorithm; both are then covered by MAC(). I Bob first verifies MAC(E(P)), satisfying the principle. If that test passes, Bob decrypts P. I Good: Verifies integrity of E(P), therefore it also verifies integrity of P. I Good: MAC(E(P)) provides no information about P. Authenticate and encrypt (Encrypt-and-MAC, E&A; used in SSH) I Alice sends to Bob: E(P) || MAC(P) I Bob must first decrypt E(P) to get P, then confirm MAC(P), violating the principle. I Good: verifies integrity of P. I Not good: I May theoretically reveal information about P in MAC(P). I No integrity check on E(P). I Bad: vulnerable to chosen-ciphertext attacks on E. I Man-in-the-middle Morton can try various versions of E(P), noting whether Bob gets as far as trying to verify MAC(P).
  • Lucky 13, BEAST, CRIME,... Is TLS Dead, Or Just Resting?

    Lucky 13, BEAST, CRIME,... Is TLS Dead, Or Just Resting?

    Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting? Kenny Paterson Information Security Group Overview Introduction to TLS (and why YOU should care) BEAST and CRIME Lucky 13 and RC4 attacks Current/future developments in TLS 2 About the Speaker Academic But spent 5 years in industrial research lab Still involved in IPR, consulting, industry liaison RHUL since 2001 “You are teaching Network Security” Leading to research into how crypto is used in Network Security EPSRC Leadership Fellow, 2010-2015 “Cryptography: Bridging Theory and Practice” Support from I4, HP, BT, Mastercard, CPNI Attacks on IPsec (2006, 2007), SSH (2009) So what about TLS? 3 A Word from my Sponsors 4 TLS – And Why You Should Care SSL = Secure Sockets Layer. Developed by Netscape in mid 1990s. SSLv2 now deprecated; SSLv3 still widely supported. TLS = Transport Layer Security. IETF-standardised version of SSL. TLS 1.0 = SSLv3 with minor tweaks, RFC 2246 (1999). TLS 1.1 = TLS 1.0 + tweaks, RFC 4346 (2006). TLS 1.2 = TLS 1.1 + more tweaks, RFC 5246 (2008). TLS 1.3? 5 TLS – And Why You Should Care Originally for secure e-commerce, now used much more widely. Retail customer access to online banking facilities. User access to gmail, facebook, Yahoo. Mobile applications, including banking apps. Payment infrastructures. User-to-cloud. Post Snowden: back-end operations for google, yahoo, … Not yet Yahoo webcam traffic, sadly. TLS has become the de facto secure protocol of choice. Used by hundreds of millions of people and devices every day. A serious attack could be catastrophic, both in real terms and in terms of perception/confidence.
  • Directed Greybox Fuzzing

    Directed Greybox Fuzzing

    Directed Greybox Fuzzing Marcel Böhme Van-Thuan Pham∗ National University of Singapore, Singapore National University of Singapore, Singapore [email protected] [email protected] Manh-Dung Nguyen Abhik Roychoudhury National University of Singapore, Singapore National University of Singapore, Singapore [email protected] [email protected] ABSTRACT However, existing greybox fuzzers cannot be effectively directed.1 Existing Greybox Fuzzers (GF) cannot be effectively directed, for Directed fuzzers are important tools in the portfolio of a security instance, towards problematic changes or patches, towards critical reseacher. Unlike undirected fuzzers, a directed fuzzer spends most system calls or dangerous locations, or towards functions in the of its time budget on reaching specific target locations without stacktrace of a reported vulnerability that we wish to reproduce. wasting resources stressing unrelated program components. Typical In this paper, we introduce Directed Greybox Fuzzing (DGF) applications of directed fuzzers may include which generates inputs with the objective of reaching a given set • patch testing [4, 21] by setting changed statements as targets. of target program locations efficiently. We develop and evaluate When a critical component is changed, we would like to check a simulated annealing-based power schedule that gradually as- whether this introduced any vulnerabilities. Figure 1 shows the signs more energy to seeds that are closer to the target locations commit introducing Heartbleed [49]. A fuzzer that focusses on while reducing energy for seeds that are further away. Experiments those changes has a higher chance of exposing the regression. with our implementation AFLGo demonstrate that DGF outper- • crash reproduction [18, 29] by setting method calls in the forms both directed symbolic-execution-based whitebox fuzzing stack-trace as targets.
  • Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

    Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

    Lucky Thirteen: Breaking the TLS and DTLS Record Protocols Nadhem J. AlFardan and Kenneth G. Paterson∗ Information Security Group Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK fnadhem.alfardan.2009, [email protected] 27th February 2013 Abstract 1.0 [31], which roughly matches TLS 1.1 and DTLS 1.2 [32], which aligns with TLS 1.2. The Transport Layer Security (TLS) protocol aims to pro- Both TLS and DTLS are actually protocol suites, rather than vide confidentiality and integrity of data in transit across un- single protocols. The main component of (D)TLS that con- trusted networks. TLS has become the de facto secure proto- cerns us here is the Record Protocol, which uses symmetric col of choice for Internet and mobile applications. DTLS is key cryptography (block ciphers, stream ciphers and MAC al- a variant of TLS that is growing in importance. In this paper, gorithms) in combination with sequence numbers to build a se- we present distinguishing and plaintext recovery attacks against cure channel for transporting application-layer data. Other ma- TLS and DTLS. The attacks are based on a delicate timing anal- jor components are the (D)TLS Handshake Protocol, which is ysis of decryption processing in the two protocols. We include responsible for authentication, session key establishment and experimental results demonstrating the feasibility of the attacks ciphersuite negotiation, and the TLS Alert Protocol, which car- in realistic network environments for several different imple- ries error messages and management traffic. Setting aside ded- mentations of TLS and DTLS, including the leading OpenSSL icated authenticated encryption algorithms (which are yet to implementations.
  • The Rocky Road To

    The Rocky Road To

    The Rocky Road to Hanno Böck https://hboeck.de @hanno 1 Transport Layer Security A protocol to create an encrypted and authenticated layer around other protocols 2 TLS 1.3 was published in August 2018 3 How did we get there? 4 In 1995 Netscape introduced Secure Socket Layer or SSL version 2 5 In 1996 it was followed up with SSL version 3 6 In 1999 the IETF took over and renamed it to TLS 7 SSL/TLS History 1995: SSL 2 1996: SSL 3 1999: TLS 1.0 2006: TLS 1.1 2008: TLS 1.2 2018: TLS 1.3 8 Vulnerabilities C C S 9 Padding Oracles in CBC mode 10 Plaintext Plaintext Plaintext Initialization Vector (IV) block cipher block cipher block cipher Key Key Key encryption encryption encryption Ciphertext Ciphertext Ciphertext WhiteTimberwolf, Wikimedia Commons, Public Domain 11 CBC Padding for Block Ciphers (AES) Encryption of data blocks means we have to fill up space 12 CBC in TLS MAC-then-Pad-then-Encrypt 13 Valid Padding 00 01 01 02 02 02 03 03 03 03 ... 14 We assume a situation where the attacker can see whether the padding is valid 15 Ciphertext Ciphertext block cipher block cipher Key Key decryption decryption Initialization Vector (IV) ?== 00 -> padding valid Plaintext Plaintext Attacker wants to decrypt Attacker manipulates / XOR with guess 16 Ciphertext Ciphertext block cipher block cipher Key Key decryption decryption Initialization Vector (IV) ?== 01 01 -> padding valid Plaintext Plaintext Attacker knows Attacker manipulates to 01 Attacker wants to know Attacker manipulates to guess 01 17 2002: Serge Vaudenay discovers Padding Oracle Vaudenay,
  • Plaintext-Recovery Attacks Against Datagram TLS

    Plaintext-Recovery Attacks Against Datagram TLS

    Plaintext-Recovery Attacks Against Datagram TLS Nadhem J. AlFardan and Kenneth G. Paterson∗ Information Security Group Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK nadhem.alfardan.2009, kenny.paterson @rhul.ac.uk { } Abstract GnuTLS2. Both of these provide source toolkits that imple- ment TLS and DTLS as well as being general purpose cryp- The Datagram Transport Layer Security (DTLS) proto- tographic libraries that software developers can use. The col provides confidentiality and integrity of data exchanged first release of OpenSSL to implement DTLS was 0.9.8. between a client and a server. We describe an efficient and Since its release, DTLS has become a mainstream proto- full plaintext recovery attack against the OpenSSL imple- col in OpenSSL. There are also a number of commercial mentation of DTLS, and a partial plaintext recovery attack products that have taken advantage of DTLS. For example, against the GnuTLS implementation of DTLS. The attack DTLS is used to secure Virtual Private Networks (VPNs)3,4 against the OpenSSL implementation is a variant of Vaude- and wireless traffic5. Platforms such as Microsoft Windows, nay’s padding oracle attack and exploits small timing differ- Microsoft .NET and Linux can also make use of DTLS6. ences arising during the cryptographic processing of DTLS In addition, the number of RFC documents that are be- packets. It would have been prevented if the OpenSSL im- ing published on DTLS is increasing. Recent examples in- plementation had been in accordance with the DTLS RFC. clude RFC 5415 [1], RFC 5953 [8] and RFC 6012 [13]. A In contrast, the GnuTLS implementation does follow the new version of DTLS is currently under development in the DTLS RFC closely, but is still vulnerable to attack.
  • RSA BSAFE Crypto-C Micro Edition 4.1.4 Security Policy Level 1

    RSA BSAFE Crypto-C Micro Edition 4.1.4 Security Policy Level 1

    Security Policy 28.01.21 RSA BSAFE® Crypto-C Micro Edition 4.1.4 Security Policy Level 1 This document is a non-proprietary Security Policy for the RSA BSAFE Crypto-C Micro Edition 4.1.4 (Crypto-C ME) cryptographic module from RSA Security LLC (RSA), a Dell Technologies company. This document may be freely reproduced and distributed whole and intact including the Copyright Notice. Contents: Preface ..............................................................................................................2 References ...............................................................................................2 Document Organization .........................................................................2 Terminology .............................................................................................2 1 Crypto-C ME Cryptographic Toolkit ...........................................................3 1.1 Cryptographic Module .......................................................................4 1.2 Crypto-C ME Interfaces ..................................................................17 1.3 Roles, Services and Authentication ..............................................19 1.4 Cryptographic Key Management ...................................................20 1.5 Cryptographic Algorithms ...............................................................24 1.6 Self Tests ..........................................................................................30 2 Secure Operation of Crypto-C ME ..........................................................33
  • An Analysis of the Transport Layer Security Protocol

    An Analysis of the Transport Layer Security Protocol

    An Analysis of the Transport Layer Security Protocol Thyla van der Merwe Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group School of Mathematics and Information Security Royal Holloway, University of London 2018 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson. The work presented in this thesis is the result of original research I conducted, in collabo- ration with others, whilst enrolled in the School of Mathematics and Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Thyla van der Merwe March, 2018 2 Dedication To my niece, Emma. May you always believe in your abilities, no matter what anybody tells you, and may you draw on the strength of our family for support, as I have done (especially your Gogo, she’s one tough lady). “If you’re going through hell, keep going.” Winston Churchill 3 Abstract The Transport Layer Security (TLS) protocol is the de facto means for securing commu- nications on the World Wide Web. Originally developed by Netscape Communications, the protocol came under the auspices of the Internet Engineering Task Force (IETF) in the mid 1990s and today serves millions, if not billions, of users on a daily basis. The ubiquitous nature of the protocol has, especially in recent years, made the protocol an attractive target for security researchers. Since the release of TLS 1.2 in 2008, the protocol has suffered many high-profile, and increasingly practical, attacks.