Attacks on TLS
Douglas Stebila

Last updated June 6, 2019

Attacks on TLS Stebila • 2019-06-06 2

Components of TLS

Crypto primitives
• RSA, DSA, ECDSA
• Diffie–Hellman, ECDH
• HMAC
• MD5, SHA1, SHA-2
• DES, 3DES, RC4, AES

Ciphersuite details
• Data structures
• Key derivation
• Encryption modes, IVs
• Padding
• Session resumption
• Key reuse
• Compression
• Export grade

Advanced functionality
• Alerts & errors
• Certification / revocation
• Negotiation
• Renegotiation
• State machine

Libraries
• OpenSSL
• LibreSSL, BoringSSL
• NSS
• GnuTLS
• SChannel
• Java JSSE
• Everest / miTLS
• s2n

Applications
• Web browsers: Chrome, Firefox, IE/Edge, Safari
• Web servers: Apache, IIS, nginx, node, …
• Application SDKs
• Certificates
• Protocols: HTTP, IMAP, …

Provable security analysis of TLS

(Same component diagram as on the previous slide: crypto primitives, ciphersuite details, advanced functionality, libraries, applications.)

Provable security
• Record layer: sLHAE (stateful length-hiding authenticated encryption)
• Handshake layer: ACCE (authenticated and confidential channel establishment)

Provable security and formal methods analysis of TLS

(Same component diagram as on the previous slides.)

Provable security
• Record layer: sLHAE
• Handshake layer: ACCE

Formal methods

Attacks on TLS

(Attack names overlaid on the component diagram from the previous slides: crypto primitives, ciphersuite details, advanced functionality, libraries, applications.)

• Termination
• POODLE, ZombiePOODLE, GoldenDOODLE
• Cookie Cutter
• SLOTH
• Bleichenbacher
• Debian OpenSSL entropy bug
• Goldberg & Wagner Netscape PRNG attack
• BEAST
• SSL 2.0 downgrade
• Collisions
• Cross-protocol DH/ECDH attack (Jager et al.)
• FREAK, Logjam
• goto fail;
• BERserk
• STEKs
• Lucky13
• “Most dangerous code…”
• Selfie
• Frankencerts
• CA breaches
• Triple handshake attack
• Ray & Dispensa
• MalloDroid
• Sweet32
• CRIME, BREACH, HEIST
• DROWN
• SSL stripping
• RC4 biases, rc4nomore, Bar Mitzvah
• SMACK
• CCS injection
• Lucky microseconds
• Virtual host confusion
• STARTTLS injection

Attacks on TLS

[Figure not recoverable from the extraction; only its legend survives.]

* denotes theoretical basis for later practical attack
