Low-Level TLS Hacking
Presented by Richard J. Moore
E: [email protected]

Presentation Outline
● An introduction to SSL/TLS
● Using pytls to create and decode TLS messages
● Fingerprinting TLS servers
● Fingerprinting the wider TLS landscape

Brief intro to SSL/TLS
● TLS is a layered protocol
● Lowest layer is the record layer
● The same record format is used in SSL3, TLS 1.0 – 1.2
● Binary protocol
● Symmetrical – the same record format is used in both directions

TLS Record Structure
(diagram) Content Type | Version | Length | Message | MAC (optional) | Padding (optional)

Content Types
● Handshake message – Messages used to set up the crypto parameters
● ChangeCipherSpec – Activates the crypto
● Alert – Error reporting
● Application – The actual data
● Heartbeat – Probably the most famous

TLS handshake messages
● The initial messages of a TLS session use the handshake protocol
● The ClientHello and ServerHello are the ones you’ve probably heard of
● Certificate messages containing the server certificate
● Handshake messages provide all the information needed to establish a secure connection

ClientHello
● Preferred TLS version of the client
● Ciphersuites the client supports
● Client random data
● Extensions the client supports
  – Server Name Indication
  – Secure Renegotiation
  – Many more…
● Also other information such as the session id if we’re reusing a session

ServerHello
● Selected TLS version
● Selected ciphersuite
● Server random data
● Similar to ClientHello but the server has decided on the cipher and version
● Extensions the server supports
  – Empty extensions indicating support
  – Extensions containing data (e.g. for EC cipher suites)

Saying hello
(diagram) Client sends ClientHello; server answers ServerHello, Certificate, ServerHelloDone; client sends ClientKeyExchange, ChangeCipherSpec, Finished; server sends ChangeCipherSpec, Finished

TLS is not easy on the eye
(image-only slide)

Heartbleed with pytls
(image-only slide)

pytls
● A python library for creating TLS messages
● Easily create TLS records, handshake messages etc.
● Easily decode messages from the binary format
● Lets us deal with TLS as objects, no need to worry about the actual format
● Low-level tool
  – Create valid and invalid messages
  – Send messages in the wrong order

Creating handshake messages
(image-only slide)

Creating records with pytls
● Just create the object, it's that simple
● Supplying the length is optional
  – Default is to use the correct length
  – Can override to generate invalid records
  – The message field is the actual content
● Records are normally populated with messages created by pytls, but it is happy to put anything you want in the record

Write new tests quickly
(image-only slide)

DH prime check in minutes
(image-only slide)

Low-level facilities
● Most cipher testing scripts try to connect with each cipher
● What if the connection fails for another reason?
  – Does the server need a client certificate we don't have?
● The cipher has already been sent in the ServerHello

Also useful for testing clients
(image-only slide)

What else can we do?
● Writing tests for vulnerabilities is useful, but more is possible
● Now have a toolbox for working with TLS as a bunch of building blocks
● Decided to build a server fingerprinting tool

Basics of TLS probing
● There are a number of commonly used TLS stacks
  – OpenSSL (and variants such as BoringSSL, LibreSSL)
  – Microsoft SChannel
  – Java Secure Socket Extension
  – GnuTLS
● Less common ones too
  – PolarSSL, MatrixSSL, wolfSSL...
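The record and handshake framing described on the slides above, together with the one-message-per-record versus several-messages-per-record behaviour the deck later uses as a probe, as an added example in plain Python. This is not pytls or tls_prober code; the server flight is constructed and its message bodies are placeholders, not real ServerHello/Certificate encodings.

```python
import struct

# Added example, not pytls. Assumes no handshake message spans a record boundary.
CONTENT_HANDSHAKE = 22
HANDSHAKE_NAMES = {2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def make_record(content_type, body, version=0x0303, length=None):
    """type(1) | version(2) | length(2) | body; length can be overridden to
    build deliberately invalid records, as the slides describe pytls doing."""
    length = len(body) if length is None else length
    return struct.pack("!BHH", content_type, version, length) + body

def make_handshake(msg_type, body):
    """Handshake message: type(1) | length(3) | body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_records(data):
    """Split a byte string into (content_type, version, body) records."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5: raise ValueError("truncated record header at %d" % off)
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:  # claimed length runs past the available bytes
            raise ValueError("record at offset %d is short" % off)
        records.append((ctype, version, body))
        off += 5 + length
    return records

def parse_handshakes(body):
    """Split one handshake record body into (msg_type, msg_body) tuples."""
    msgs, off = [], 0
    while off < len(body):
        if len(body) - off < 4: raise ValueError("truncated handshake header")
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        msgs.append((body[off], body[off + 4:off + 4 + mlen]))
        off += 4 + mlen
    return msgs

def handshake_layout(data):
    """Per handshake record, the names of the messages it carries: the
    observation that separates OpenSSL (one per record) from SChannel/JSSE."""
    return [[HANDSHAKE_NAMES.get(t, "type%d" % t) for t, _ in parse_handshakes(b)]
            for ct, _, b in parse_records(data) if ct == CONTENT_HANDSHAKE]

# Constructed server flight; message bodies are placeholders, not real encodings.
FLIGHT = [(2, b"\x03\x03" + bytes(32)), (11, b"\x00\x00\x00"), (14, b"")]
ONE_PER_RECORD = b"".join(make_record(22, make_handshake(t, b)) for t, b in FLIGHT)
COALESCED = make_record(22, b"".join(make_handshake(t, b) for t, b in FLIGHT))
```

Real stacks may also fragment one handshake message across several records, which this parser does not reassemble; a prober that records the layout needs to treat that case separately.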
Lots of small differences
● The TLS specification is often unclear and implementations aren't perfect
● The specification allows a single record to contain multiple handshake messages
● Variations in which Alert messages are sent
● Some implementations just close the connection on error
● Implementations vary on what they consider invalid too

Example of a Probe
● TLS records can contain more than one handshake message
● OpenSSL never does this, but Microsoft and Java do
(diagram) Microsoft SChannel or Java SSE: Server Hello, Certificate and Server Hello Done in a single record; OpenSSL: Server Hello, Certificate and Server Hello Done in three separate records

TLS Prober
● TLS prober sends the probes and records the response
● Only records fields that don't change

Microsoft IIS Fingerprint
(image-only slide)

OpenSSL Fingerprint
(image-only slide)

Probing
● Can fingerprint a server by sending several different probes and recording the responses
● Probes include
  – Variations in the TLS version numbers
  – Invalid state transitions such as early CCS
  – Invalid lengths
  – Sending complete garbage in a valid record
  – Various valid and invalid Server Name Indication extensions
● Probe the implementation not the configuration

Strengths and Weaknesses
● Can distinguish every implementation I have found
● Can even distinguish between specific versions when the fingerprint database is big enough
● Not affected by common configuration changes such as the cipher configuration
● Room for improvement though
  – Take steps to address differences in the enabled TLS versions
  – More fingerprints (please submit them!)

Probe all the things!
● Alexa provide a list of the top million websites
● University of Michigan provide data on which support TLS etc. at https://scans.io/
● We can run the TLS prober over all these!
● Probing is trivially parallelisable
● 50 concurrent probes fingerprinted all 686,176 of the top million with port 443 open in 2.5 days
● Generated around 2GB of fingerprint data...

Headline Figures
● 686,176 targets, 668,809 valid results
● 17,367 failed to fingerprint (e.g. the port was now closed)
● 16,051,416 probes recorded
● Only 10,384 distinct fingerprints
● Most common fingerprint matches ~18% of the results

OpenSSL is king
● 60% of the probes produced a result matching OpenSSL
● The IIS signatures only matched 6% of the probes
● Results are biased by a number of factors
  – Most high traffic sites use content delivery networks
  – Most hardware TLS accelerators use a stack based on OpenSSL
● The fact remains though, that in practice we have a monoculture for TLS

What have we covered?
● The basics of the TLS protocol format
● Using pytls to create and decode TLS
● Using pytls to make readable and customisable vulnerability tests
● Probing TLS implementations to determine the implementation and version
● Using parallel probing to look at the landscape of deployments in practice

Getting the code
● All the code is available on GitHub
● pytls – https://github.com/WestpointLtd/pytls
● tls_prober – https://github.com/WestpointLtd/tls_prober
● The parallelised version and the Alexa top million data will soon be released too
  – Only 20MB when compressed

Questions?
Presented by Richard J. Moore
E: [email protected]