DOCSLIB.ORG

Integrating SSH/TLS Into Netopeer NETCONF Server

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Masaryk University Faculty}w¡¢£¤¥¦§¨ of Informatics!"#$%&'()+,-./012345<yA| Integrating SSH/TLS into Netopeer NETCONF server Master’s thesis Michal Vaško Brno, spring 2015 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Michal Vaško Advisor: RNDr. Petr Velan ii Acknowledgement I would like to thank RNDr. Petr Velan for analyzing my ideas, sug- gesting his own and general help with writing and implementing this thesis. iii Abstract The goal of this thesis is to integrate SSH and TLS protocol support into the Netopeer open-source NETCONF server. A brief comparison of these two protocol is included as well. Then, the new implementation of Netopeer is described as is the private key and certificate management. Lastly, the performed testing and the tool used for it is discussed. iv Keywords NETCONF, TLS, SSH, libssh, OpenSSL, security v Contents 1 Introduction ...........................3 2 NETCONF Protocol .....................5 2.1 Call Home ..........................7 2.2 cert-to-name .........................7 3 Cryptographic Network Protocols .............8 3.1 Secure Shell .........................8 3.2 Transport Layer Security ..................9 3.3 SSH Versus TLS ...................... 11 4 Netopeer Server ........................ 13 4.1 Current Architecture .................... 14 4.2 Issues ............................ 15 4.3 Suggested Architecture ................... 16 5 Technologies ........................... 17 5.1 SSH Library ......................... 17 5.1.1 libssh . 18 5.2 TLS Library ......................... 20 5.2.1 OpenSSL Suite . 21 6 Server Implementation .................... 24 6.1 Implementation Steps .................... 24 6.2 Data Structures ....................... 25 6.3 Transport-independent Server ............... 26 6.3.1 Main Function . 26 6.3.2 NETCONF-server transAPI . 27 6.3.3 Netopeer transAPI . 28 6.3.4 listen_loop() . 30 6.4 Transport-specific Server Parts ............... 31 6.4.1 NETCONF-server transAPI . 31 6.4.2 Netopeer transAPI . 32 6.4.3 np_(ssh|tls)_client_netconf_rpc() . 34 6.4.4 np_(ssh|tls)_client_data() . 36 6.4.5 np_(ssh|tls)_server_id_check() . 39 6.4.6 np_(ssh|tls)_create_client() . 39 6.5 Server Compilation ..................... 41 6.5.1 configure . 41 6.5.2 Makefile . 42 1 7 Server Configuration And Testing ............. 43 7.1 netopeer-configurator .................... 43 7.1.1 nc_sshauth . 43 7.1.2 nc_tlsauth . 44 7.2 netopeer-cli ......................... 46 7.3 Tests ............................. 47 8 Conclusion ............................ 49 A Complete Data Structures .................. 54 A.1 Generic Data Structures .................. 54 A.2 SSH Data Structures .................... 57 A.3 TLS Data Structures .................... 59 B netopeer-cfgnetopeer YANG Model ............ 61 2 1 Introduction From the technical point of view, a computer network is a network of nodes that are able to exchange data. Quite naturally, considering the massive size of the Internet network, the coordinating intermediary devices are complex and require detailed configuration to operate prop- erly[1]. The most common means of setting this configuration is either automatically by another device or manually by an administrator, but in both cases remotely, utilizing the network itself. To allow it, there needs to be a format of the messages specified. While there are several solutions available, the protocol NETCONF has recently been gaining popularity for its advantages such as conforming to the principles of Software-Defined Networking (SDN)[2]. There is a software bundle Ne- topeer1 that enables simple deployment of this protocol on network devices. These can be elementary, collecting some basic state data, or complicated systems with complex configuration. In either case, with NETCONF it is possible to execute Remote Procedure Calls on these devices in a secure way, managing their configuration and even the de- vice itself, connect several clients to one device, receive asynchronous notifications of certain events, and much more[3]. The goal of this thesis is to improve the Netopeer server, which is an implementation of the server-side NETCONF communication point. The current version of it suffers from several drawbacks, which are specifically discussed in the Section 4.2. All of them should be rectified by integrating the transport layer functionality into the server itself, because it currently uses external applications for handling the transport of data, but additional issues are likely to arise with this solution. The second chapter starts with a brief description of the NETCONF protocol and specially the requirements for the underlying protocol operating on the transport layer. Next, in the third chapter, the suitable secure protocols are explained, presented to the reader, and also com- pared to each other. The fourth chapter introduces the Netopeer server. Its present overall architecture with the focus on the communication flow is discussed followed by an analysis of the problems that itin- cludes causing it to be unsatisfactory. Then, a new improved integrated architecture is introduced. 1. https://code.google.com/p/netopeer 3 1. Introduction In the fifth chapter the used technologies are discussed. They consist of two libraries, one for each transport protocol integrated into Netopeer. The actual choices are explained and justified and each chosen library is described in more depth. The new Netopeer implementation is examined by a reasonably thorough analysis in the sixth chapter. The seventh chapter is about other Netopeer utilities and how they were used for server configuration and testing. The last chapter concludes the the- sis by discussing the thesis goals and justifying their completion and mentioning any possible future work. 4 2 NETCONF Protocol The NETCONF (NETwork CONFiguration) protocol defines mechanism for device management and configuration retrieval and modification. It uses a remote procedure call (RPC) paradigm and a system of exposing device (server) capabilities, which enables a client to adjust to the specific features of any network equipment. NETCONF further distinguishes between state data, which are read-only, and configuration data, which can also be modified. Any NETCONF communication happens on4 layers as shown in the Table 2.1. XML (eXtensible Markup Language) is used as the encoding format.[3] 1 Content Configuration data Notification data 2 Operations <edit-config> 3 Messages <rpc>, <rpc-reply> <notification> 4 Secure Transport SSH, TLS Table 2.1: The NETCONF Layers. The device configuration data are stored in the form of anXML document. The specific nodes in the document as well as the allowed values are defined by a model, which is usually in YANG format or possibly transformed into YIN format with XML-based syntax[4]. There are many such models created directly by IETF to further support stan- dardization and unification of the NETCONF interface of the common network devices. For example, the general system settings of a standard computer are described in the ietf-system model1 or the configuration of its network interfaces defined by the ietf-interfaces model2. However, it is usual for every system to have some specific parts exclusive to it. In that case there are mechanisms defined to enable extensions while keeping the support for the standardized core. Also, as this whole mech- anism is designed in a liberal fashion, the configuration does not have to concern strictly network. Even RPCs additional to those defined by NETCONF can be characterized, thus allowing the client to request an explicit action from the server. 1. https://tools.ietf.org/html/rfc7317 2. https://tools.ietf.org/html/rfc7223 5 2. NETCONF Protocol NETCONF was originally defined in the RFC 4741 at the endof 2006. Later, in 2011 there was a new version 1.1 created and published in the RFC 6241. Since then NETCONF has been on the rise and is already supported by several major network equipment vendors[5] and new related RFC drafts are being published or updated[6]. All this effort is governed by the NETCONF Working Group3. Since correct network device configuration is vital for creating aro- bust network[7] that can be used to transfer sensitive information and the configuration itself is, in fact, sensitive, NETCONF security isof high importance. There are several mandatory conditions as follows that the transport protocol must fulfill in order to be agreeable tobe used in conjuction with NETCONF. • Session type indication (client/server) • Connection persistence • Reliable and sequenced data delivery • Automatic release of connection-specific resources on its close • Authentication, data integrity, confidentiality, and replay protec- tion • Mechanism to provide a username A protocol that meets all these requirements is Secure Shell, for instance, whose support is mandatory[3]. Another suitable protocol for transporting NETCONF data is Transport Layer Security, which is currently extensively used for secure HTTP connections. It should also be mentioned that there are RFCs describing transporting NETCONF over SOAP or BEEP4. They are not taken into consideration, though, because they are dated back to the first NETCONF standardization and are now regarded as historic5. Also, both of these protocols depend on the underlying use of TLS, which examined
Recommended publications
  • Using Frankencerts for Automated Adversarial Testing of Certificate

    Using Frankencerts for Automated Adversarial Testing of Certificate

    Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker ∗ y Suman Janay Baishakhi Rayz Sarfraz Khurshidy Vitaly Shmatikovy ∗Google yThe University of Texas at Austin zUniversity of California, Davis Abstract—Modern network security rests on the Secure Sock- many open-source implementations of SSL/TLS are available ets Layer (SSL) and Transport Layer Security (TLS) protocols. for developers who need to incorporate SSL/TLS into their Distributed systems, mobile and desktop applications, embedded software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, Ma- devices, and all of secure Web rely on SSL/TLS for protection trixSSL, cryptlib, and several others. Several Web browsers against network attacks. This protection critically depends on include their own, proprietary implementations. whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. In this paper, we focus on server authentication, which We design, implement, and apply the first methodology for is the only protection against man-in-the-middle and other large-scale testing of certificate validation logic in SSL/TLS server impersonation attacks, and thus essential for HTTPS implementations. Our first ingredient is “frankencerts,” synthetic and virtually any other application of SSL/TLS. Server authen- certificates that are randomly mutated from parts of real cer- tication in SSL/TLS depends entirely on a single step in the tificates and thus include unusual combinations of extensions handshake protocol. As part of its “Server Hello” message, and constraints. Our second ingredient is differential testing: if the server presents an X.509 certificate with its public key.
  • Not-Quite-So-Broken TLS Lessons in Re-Engineering a Security Protocol Specification and Implementation

    Not-Quite-So-Broken TLS Lessons in Re-Engineering a Security Protocol Specification and Implementation

    Not-quite-so-broken TLS Lessons in re-engineering a security protocol specification and implementation David Kaloper Meršinjak Hannes Mehnert Peter Sewell Anil Madhavapeddy University of Cambridge, Computer Labs Usenix Security, Washington DC, 12 August 2015 INT SSL23_GET_CLIENT_HELLO(SSL *S) { CHAR BUF_SPACE[11]; /* REQUEST THIS MANY BYTES IN INITIAL READ. * WE CAN DETECT SSL 3.0/TLS 1.0 CLIENT HELLOS * ('TYPE == 3') CORRECTLY ONLY WHEN THE FOLLOWING * IS IN A SINGLE RECORD, WHICH IS NOT GUARANTEED BY * THE PROTOCOL SPECIFICATION: * BYTE CONTENT * 0 TYPE \ * 1/2 VERSION > RECORD HEADER * 3/4 LENGTH / * 5 MSG_TYPE \ * 6-8 LENGTH > CLIENT HELLO MESSAGE Common CVE sources in 2014 Class # Memory safety 15 State-machine errors 10 Certificate validation 5 ASN.1 parsing 3 (OpenSSL, GnuTLS, SecureTransport, Secure Channel, NSS, JSSE) Root causes Error-prone languages Lack of separation Ambiguous and untestable specification nqsb approach Choice of language and idioms Separation and modular structure A precise and testable specification of TLS Reuse between specification and implementation Choice of language and idioms OCaml: a memory-safe language with expressive static type system Well contained side-effects Explicit flows of data Value-based Explicit error handling We leverage it for abstraction and automated resource management. Formal approaches Either reason about a simplified model of the protocol; or reason about small parts of OpenSSL. In contrast, we are engineering a deployable implementation. nqsb-tls A TLS stack, developed from scratch, with dual goals: Executable specification Usable TLS implementation Structure nqsb-TLS ML module layout Core Is purely functional: VAL HANDLE_TLS : STATE -> BUFFER -> [ `OK OF STATE * BUFFER OPTION * BUFFER OPTION | `FAIL OF FAILURE ] Core OCaml helps to enforce state-machine invariants.
  • Sizzle: a Standards-Based End-To-End Security Architecture for the Embedded Internet

    Sizzle: a Standards-Based End-To-End Security Architecture for the Embedded Internet

    Sizzle: A Standards-based end-to-end Security Architecture for the Embedded Internet Vipul Gupta, Matthew Millard,∗ Stephen Fung*, Yu Zhu*, Nils Gura, Hans Eberle, Sheueling Chang Shantz Sun Microsystems Laboratories 16 Network Circle, UMPK16 160 Menlo Park, CA 94025 [email protected], [email protected], [email protected] [email protected], {nils.gura, hans.eberle, sheueling.chang}@sun.com Abstract numbers of even simpler, more constrained devices (sen- sors, home appliances, personal medical devices) get con- This paper introduces Sizzle, the first fully-implemented nected to the Internet. The term “embedded Internet” is end-to-end security architecture for highly constrained em- often used to refer to the phase in the Internet’s evolution bedded devices. According to popular perception, public- when it is invisibly and tightly woven into our daily lives. key cryptography is beyond the capabilities of such devices. Embedded devices with sensing and communication capa- We show that elliptic curve cryptography (ECC) not only bilities will enable the application of computing technolo- makes public-key cryptography feasible on these devices, it gies in settings where they are unusual today: habitat mon- allows one to create a complete secure web server stack itoring [26], medical emergency response [31], battlefield including SSL, HTTP and user application that runs effi- management and home automation. ciently within very tight resource constraints. Our small Many of these applications have security requirements. footprint HTTPS stack needs less than 4KB of RAM and For example, health information must only be made avail- interoperates with an ECC-enabled version of the Mozilla able to authorized personnel (authentication) and be pro- web browser.
  • Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019

    Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019

    Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1.
  • Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation

    Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation

    Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation David Kaloper-Meršinjak, Hannes Mehnert, Anil Madhavapeddy, and Peter Sewell, University of Cambridge https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/kaloper-mersinjak This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Not-quite-so-broken TLS: lessons in re-engineering a security protocol specification and implementation David Kaloper-Mersinjakˇ †, Hannes Mehnert†, Anil Madhavapeddy and Peter Sewell University of Cambridge Computer Laboratory [email protected] † These authors contributed equally to this work Abstract sensitive services, they are not providing the security we need. Transport Layer Security (TLS) is the most widely Transport Layer Security (TLS) implementations have a deployed security protocol on the Internet, used for au- history of security flaws. The immediate causes of these thentication and confidentiality, but a long history of ex- are often programming errors, e.g. in memory manage- ploits shows that its implementations have failed to guar- ment, but the root causes are more fundamental: the chal- antee either property. Analysis of these exploits typically lenges of interpreting the ambiguous prose specification, focusses on their immediate causes, e.g. errors in mem- the complexities inherent in large APIs and code bases, ory management or control flow, but we believe their root inherently unsafe programming choices, and the impos- causes are more fundamental: sibility of directly testing conformance between imple- mentations and the specification.
  • Analysis and Detection of Anomalies in Mobile Devices

    Analysis and Detection of Anomalies in Mobile Devices

    Master’s Degree in Informatics Engineering Dissertation Final Report Analysis and detection of anomalies in mobile devices António Carlos Lagarto Cabral Bastos de Lima [email protected] Supervisor: Prof. Dr. Tiago Cruz Co-Supervisor: Prof. Dr. Paulo Simões Date: September 1, 2017 Master’s Degree in Informatics Engineering Dissertation Final Report Analysis and detection of anomalies in mobile devices António Carlos Lagarto Cabral Bastos de Lima [email protected] Supervisor: Prof. Dr. Tiago Cruz Co-Supervisor: Prof. Dr. Paulo Simões Date: September 1, 2017 i Acknowledgements I strongly believe that both nature and nurture playing an equal part in shaping an in- dividual, and that in the end, it is what you do with the gift of life that determines who you are. However, in order to achieve great things motivation alone might just not cut it, and that’s where surrounding yourself with people that want to watch you succeed and better yourself comes in. It makes the trip easier and more enjoyable, and there is a plethora of people that I want to acknowledge for coming this far. First of all, I’d like to thank professor Tiago Cruz for giving me the support, motivation and resources to work on this project. The idea itself started over one of our then semi- regular morning coffee conversations and from there it developed into a full-fledged concept quickly. But this acknowledgement doesn’t start there, it dates a few years back when I first had the pleasure of having him as my teacher in one of the introductory courses.
  • A Technical Comparison of Ipsec and SSL

    A Technical Comparison of Ipsec and SSL

    A Technical Comparison of IPSec and SSL y Ab delNasir Alshamsi Takamichi Saito Tokyo University of Technology Abstract p osed but the most famous secure and widely de ployed are IPSec IP Security and SSL Secure So cket Layer IPSec IP Security and SSL SecureSocket Layer In this pap er we will provide a technical comparison have been the most robust and most potential tools of IPSec and SSL the similarities and the dierences available for securing communications over the Inter of the cryptographic prop erties The results of per net Both IPSec and SSL have advantages and short formance are based on comparing FreeSWAN as comings Yet no paper has been found comparing the IPSec and Stunnel as SSL two protocols in terms of characteristic and functional ity Our objective is to present an analysis of security and performancepr operties for IPSec and SSL IPSec IPSec is an IP layer proto col that enables the Intro duction sending and receiving of cryptographically protected packets of any kind TCPUDPICMPetc without any provides two kinds of crypto mo dication IPSec Securing data over the network is hard and compli graphic services Based on necessity IPSec can provide cated issue while the threat of data mo dication and condentiality and authenticity or it can provide data interruption is rising The goal of network security authenticity only is to provide condentiality integrity and authenticity Condentiality is keeping the data secret from the ESP Encapsulated SecurityPayload unintended listeners on the network Integrity is en suring
  • Analysis of DTLS Implementations Using Protocol State Fuzzing

    Analysis of DTLS Implementations Using Protocol State Fuzzing

    Analysis of DTLS Implementations Using Protocol State Fuzzing Paul Fiterau-Brostean and Bengt Jonsson, Uppsala University; Robert Merget, Ruhr-University Bochum; Joeri de Ruiter, SIDN Labs; Konstantinos Sagonas, Uppsala University; Juraj Somorovsky, Paderborn University https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. Analysis of DTLS Implementations Using Protocol State Fuzzing Paul Fiterau-Bro¸stean˘ Bengt Jonsson Robert Merget Joeri de Ruiter Uppsala University Uppsala University Ruhr University Bochum SIDN Labs Konstantinos Sagonas Juraj Somorovsky Uppsala University Paderborn University Abstract reach 11.6 billion by 2021 [26]. This will constitute half of all devices connected to the Internet, with the percentage set to Recent years have witnessed an increasing number of proto- grow in subsequent years. Such trends also increase the need cols relying on UDP. Compared to TCP, UDP offers perfor- to ensure that software designed for these devices is properly mance advantages such as simplicity and lower latency. This scrutinized, particularly with regards to its security. has motivated its adoption in Voice over IP, tunneling techno- DTLS is also used as one of the two security protocols in logies, IoT, and novel Web protocols. To protect sensitive data WebRTC, a framework enabling real-time communication. exchange in these scenarios, the DTLS protocol has been de- WebRTC can be used, for example, to implement video con- veloped as a cryptographic variation of TLS.
  • Secure Channels Secure Channels • Example Applications – PGP: Pretty Good Privacy CS 161/194-1 – TLS: Transport Layer Security Anthony D

    Secure Channels Secure Channels • Example Applications – PGP: Pretty Good Privacy CS 161/194-1 – TLS: Transport Layer Security Anthony D

    Main Points • Applying last week’s lectures in practice • Creating Secure Channels Secure Channels • Example Applications – PGP: Pretty Good Privacy CS 161/194-1 – TLS: Transport Layer Security Anthony D. Joseph – VPN: Virtual Private Network September 26, 2005 September 26, 2005 CS161 Fall 2005 2 Joseph/Tygar/Vazirani/Wagner What is a Secure Channel? Plaintext Plaintext Creating Secure Channels Encryption / Internet Encryption / • Authentication and Data Integrity Decryption Decryption Ciphertext and MAC – Use Public Key Infrastructure or third-party server to authenticate each end to the other • A stream with these security requirements: – Add Message Authentication Code for – Authentication integrity • Ensures sender and receiver are who they claim to be – Confidentiality • Confidentiality • Ensures that data is read only by authorized users – Data integrity – Exchange session key for encrypt/decrypt ops • Ensures that data is not changed from source to destination • Bulk data transfer – Non-repudiation (not discussed today) • Ensures that sender can’t deny message and rcvr can’t deny msg • Key Distribution and Segmentation September 26, 2005 CS161 Fall 2005 3 September 26, 2005 CS161 Fall 2005 4 Joseph/Tygar/Vazirani/Wagner Joseph/Tygar/Vazirani/Wagner Symmetric Key-based Symmetric Key-based Secure Channel Secure Channel Alice Bob • Sender (A) and receiver (B) share secret keys KABencrypt KABencrypt – One key for A è B confidentiality KABauth KABauth – One for A è B authentication/integrity Message MAC Compare? Message – Each message
  • Plaintext-Recovery Attacks Against Datagram TLS

    Plaintext-Recovery Attacks Against Datagram TLS

    Plaintext-Recovery Attacks Against Datagram TLS Nadhem J. AlFardan and Kenneth G. Paterson∗ Information Security Group Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK fNadhem.Alfardan.2009, [email protected] Abstract GnuTLS2. Both of these provide source toolkits that imple- ment TLS and DTLS as well as being general purpose cryp- The Datagram Transport Layer Security (DTLS) proto- tographic libraries that software developers can use. The col provides confidentiality and integrity of data exchanged first release of OpenSSL to implement DTLS was 0.9.8. between a client and a server. We describe an efficient and Since its release, DTLS has become a mainstream proto- full plaintext recovery attack against the OpenSSL imple- col in OpenSSL. There are also a number of commercial mentation of DTLS, and a partial plaintext recovery attack products that have taken advantage of DTLS. For example, against the GnuTLS implementation of DTLS. The attack DTLS is used to secure Virtual Private Networks (VPNs)3;4 against the OpenSSL implementation is a variant of Vaude- and wireless traffic5. Platforms such as Microsoft Windows, nay’s padding oracle attack and exploits small timing differ- Microsoft .NET and Linux can also make use of DTLS6. ences arising during the cryptographic processing of DTLS In addition, the number of RFC documents that are be- packets. It would have been prevented if the OpenSSL im- ing published on DTLS is increasing. Recent examples in- plementation had been in accordance with the DTLS RFC. clude RFC 5415 [1], RFC 5953 [8] and RFC 6012 [13]. A In contrast, the GnuTLS implementation does follow the new version of DTLS is currently under development in the DTLS RFC closely, but is still vulnerable to attack.
  • Lucky 13, BEAST, CRIME,... Is TLS Dead, Or Just Resting?

    Lucky 13, BEAST, CRIME,... Is TLS Dead, Or Just Resting?

    Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting? Kenny Paterson Information Security Group Overview Introduction to TLS (and why YOU should care) BEAST and CRIME Lucky 13 and RC4 attacks Current/future developments in TLS 2 About the Speaker Academic But spent 5 years in industrial research lab Still involved in IPR, consulting, industry liaison RHUL since 2001 “You are teaching Network Security” Leading to research into how crypto is used in Network Security EPSRC Leadership Fellow, 2010-2015 “Cryptography: Bridging Theory and Practice” Support from I4, HP, BT, Mastercard, CPNI Attacks on IPsec (2006, 2007), SSH (2009) So what about TLS? 3 A Word from my Sponsors 4 TLS – And Why You Should Care SSL = Secure Sockets Layer. Developed by Netscape in mid 1990s. SSLv2 now deprecated; SSLv3 still widely supported. TLS = Transport Layer Security. IETF-standardised version of SSL. TLS 1.0 = SSLv3 with minor tweaks, RFC 2246 (1999). TLS 1.1 = TLS 1.0 + tweaks, RFC 4346 (2006). TLS 1.2 = TLS 1.1 + more tweaks, RFC 5246 (2008). TLS 1.3? 5 TLS – And Why You Should Care Originally for secure e-commerce, now used much more widely. Retail customer access to online banking facilities. User access to gmail, facebook, Yahoo. Mobile applications, including banking apps. Payment infrastructures. User-to-cloud. Post Snowden: back-end operations for google, yahoo, … Not yet Yahoo webcam traffic, sadly. TLS has become the de facto secure protocol of choice. Used by hundreds of millions of people and devices every day. A serious attack could be catastrophic, both in real terms and in terms of perception/confidence.
  • Prying Open Pandora's Box: KCI Attacks Against

    Prying Open Pandora's Box: KCI Attacks Against

    Prying open Pandora’s box: KCI attacks against TLS Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes RISE – Research Industrial Systems Engineering GmbH {clemens.hlauschek, markus.gruber, florian.fankhauser, christian.schanes}@rise-world.com Abstract and implementations of the protocol: their utility is ex- tremely limited, their raison d’ˆetre is practically nil, and Protection of Internet communication is becoming more the existence of these insecure key agreement options common in many products, as the demand for privacy only adds to the arsenal of attack vectors against cryp- in an age of state-level adversaries and crime syndi- tographically secured communication on the Internet. cates is steadily increasing. The industry standard for doing this is TLS. The TLS protocol supports a multi- 1 Introduction tude of key agreement and authentication options which provide various different security guarantees. Recent at- The TLS protocol [1, 2, 3] is probably the most tacks showed that this plethora of cryptographic options widely used cryptographic protocol on the Internet. in TLS (including long forgotten government backdoors, It is designed to secure the communication between which have been cunningly inserted via export restric- client/server applications against eavesdropping, tamper- tion laws) is a Pandora’s box, waiting to be pried open by ing, and message forgery, and it also provides additional, heinous computer whizzes. Novel attacks lay hidden in optional security properties such as client authentica- plainsight. Parts of TLS areso oldthat theirfoul smell of tion. TLS is an historically grown giant: its predecessor, rot cannot be easily distinguished from the flowery smell SSL [4,5], was developed more than 20 years ago.