Recent Breaches Have Tarnished This Web Security Technology. Here Are Five Ways to Keep It Going


By Paul Roberts

One year ago, Gmail users in Iran woke up to a chilling prospect: Their sensitive and supposedly secure communications on Google's email program may have been tapped by unknown parties. A phony digital certificate in Google's name was used to impersonate the site and let the culprits mount a "man in the middle" attack to intercept and decrypt email sent to Google's servers before passing the messages along to the intended recipients.

In the search for the source of the phony certificate, all eyes turned to DigiNotar, a certificate authority in Beverwijk, Netherlands. DigiNotar admitted that it had been the victim of a cyberattack a month earlier whereby the attackers generated hundreds of bogus certificates in the names of some of the Internet's most trusted brands, including Google, Yahoo, Skype and the anonymity network Tor. Use of the fraudulent certificates was concentrated among Iranian users, leading to speculation that the attack was linked to that country's intelligence services, which have been cracking down on political dissidents.

darkreading.com, November 2012. Copyright 2012 UBM LLC. Important Note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article reprints, e-prints and permissions please contact: Wright's Reprints, 1-877-652-5295 / [email protected]

The DigiNotar attack was the worst security compromise at a certificate authority to date. But it was hardly the only such attack. It came just months after an attack on a business affiliate of Comodo, a New Jersey CA. In that incident, the attackers generated phony certificates also in the names of prominent online brands.

These successful attacks were earth shaking because digital certificates and the encryption keys they represent are the bedrock of Internet communications. They secure everything from VPN connections to protocols such as TLS (Transport Layer Security) and SSL (Secure Sockets Layer) that protect billions of Web sessions and online transactions daily. At the heart of this system is a global public key infrastructure network of some 300 CAs entrusted with issuing certificates to individuals and organizations.

Certificate authorities are gatekeepers. They verify the identities of individuals and organizations before issuing digital certificates that contain the public and private encryption keys used to secure online exchange of information.

At least that's how it's supposed to work. As the DigiNotar attack revealed, CAs aren't Fort Knox-style identity vaults but rather are businesses subject to their own security mishaps. In the last year, CAs have come under attack from sophisticated and possibly nation-backed hacking crews, exposing security lapses and poor internal controls.

The current system leaves security-conscious businesses in a pinch. More than ever, they need secure and reliable identity services to back up their growing online presences, but the system in place is more vulnerable than ever.

Sidebar: CA Compromises Come In Many Flavors
There's more than one way for attackers to obtain fraudulent certificates that can be used to impersonate legitimate websites. The diagram presents four scenarios:
CA Key Theft: Steal or derive a copy of the certificate authority's private key and issue fraudulent certificates.
CA System Compromise: Use malware or another infiltration tactic to get a fraudulent certificate signed by the certificate authority (without getting a copy of the CA key).
RA Compromise: Infiltrate the registration authority or steal credentials and authorize fraudulent certificates.
Impersonation: Trick the registration authority into issuing a fraudulent certificate.

What's to be done? Many experts say certificate technology still has a future and that security-conscious organizations can protect themselves by understanding the gaps in the system and taking common-sense steps to avoid them.

A Disjointed Ecosystem

DigiNotar's compromise and the resulting collapse of that certificate authority exposed deep cracks in the global PKI system. Chief among them is the sheer number of organizations with a license to issue certificates and vouch for online identities.

An offshoot of the development of SSL by Internet pioneer Netscape, CAs were envisioned as highly secure and single-purpose facilities, akin to passport offices, says Ryan Hurst, a cryptography expert and CTO at GlobalSign, a CA. As use of the Web and e-commerce exploded, however, the job of issuing certificates turned into a business — and a profitable one. Dozens of companies entered the market, led by firms such as VeriSign (now owned by Symantec). National governments, large corporations and commercial certificate vendors set up their own root CAs, letting them issue certificates that are accepted worldwide. Microsoft alone recognizes more than 300 CAs linked to more than 80 organizations, says Hurst, who managed that company's root server and other cryptographic initiatives for close to a decade.

Most Internet users have only a passing familiarity with this global system of online trust. Most major online service providers offer their users the option of communicating over encrypted connections; many even require it. The major browsers offer Web users clear visual cues to let them know when a particular session is protected using SSL or some other encryption method. These cues include the well-known "padlock" icon in the URL bar. Browsers keep track of reputable CAs and warn users when they visit a site that offers a suspicious or expired certificate. If you need a certificate for a website or other purposes, companies such as VeriSign and Go Daddy make buying one easy and affordable.

Convenience aside, all of those private and commercial CAs make for a rickety identity infrastructure, says Craig Spiezle, executive director and founder of the Online Trust Alliance, a nonprofit that promotes privacy, security and identity best practices. "So much of the Internet relies on SSL and the whole chain of trust," Spiezle says, "but it's a confusing, convoluted and disjointed ecosystem."

First, there's no single list of supported root CAs. Instead, each browser platform has its own policies for selecting the root CAs it recognizes. That means each browser supports a slightly different mix of CAs, with lots of overlap, says Serge Egelman, a security researcher at the University of California, Berkeley. Second, the sheer number of competing CAs has created a race to the bottom, he says, putting financial pressure on companies to cut corners.

Further down the chain of trust, browser makers such as Microsoft, Google and the Mozilla Foundation worry that they'll drive fickle users to other platforms if they issue too many security alerts and warnings, so they bundle into their software a liberal list of CAs whose certificates they accept. This approach lessens the likelihood users will get an irritating error or warning message when connecting to a website, but it also increases the chances that certificates from a compromised or disreputable CA will be trusted, Egelman says.

Having so many companies with a hand in issuing certificates also extends the risk. That was evident in the case of fraudulent certificates issued by Comodo, in which attackers compromised an administrative account at a Comodo reseller, which was acting as a registration authority, a sort of subordinate CA. The attackers then used that account to generate nine fraudulent certificates, signed by Comodo, for seven domains, including google.com and yahoo.com.

In an age of nation-backed attacks, CAs with ties to authoritarian regimes also bear scrutiny. Felix Lindner, the hacker known as FX, says travelers connecting to online services within China should treat even secure Web sessions there with skepticism. "We've seen [fraudulent] certificates that checked out as valid on iPhones and other Apple devices for sites like mac.com," he says. "Your little lock icon is not good in China."

Poor SSL Implementation

Compromised CAs are just the tip of the iceberg. Poorly implemented SSL and certificate infrastructure within organizations is also a big problem. SSL Pulse, a real-time online dashboard that surveys the security of close to 200,000 SSL-enabled websites, documents the overall health of the SSL ecosystem based on several measures, such as proper configuration and the strength of the encryption keys used to sign certificates. Close to 40% of the sites that are monitored support weak or insecure cipher suites of 128 bits or less, while about a third still support the 17-year-old SSL v2.0 protocol, which is known to be insecure, according to SSL Pulse. In response, Microsoft and other vendors are putting pressure on software publishers and downstream websites to clean up their

Timeline: Certificate Authorities Under Attack
Jan. 2001: VeriSign issues Microsoft code signing certificate to a non-Microsoft
July 2003: Thawte warns customers of doppelganger certificates.
Aug. 2008: Thawte issues certificate for Live.com, allowing hijacking
Dec. 2008: Comodo issues Mozilla.org certificate to Start-
March 2011: Comodo issues nine counterfeit certificates.
May 2011: Flame malware authors forge Microsoft CA
June 2011: StartSSL CA compromised.
June-Sept. 2011: DigiNotar CA compromised, 531 fraudulent certificates.
Sept. 2011: Researchers reveal details of Beast attack on
Nov. 2011: Dutch CA KPN says it will cease operations
Feb. 2012: Trustwave is caught issuing "skeleton key"
Sept. 2012: Researchers release Crime attack,
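The configuration lapses SSL Pulse measured (SSL v2.0 still accepted, weak cipher suites), the CRIME attack in the timeline, and the "liberal list of CAs" problem all come down to client and server TLS settings an organization controls itself. The following Python, added here as an illustration and not code from the article or from any vendor it names, builds a hardened client policy beside the permissive one, and audits either against the policy offline; the `cafile` path is a hypothetical bundle holding only the CA you actually bought from.

```python
"""Hardened versus permissive TLS client policy, with an offline audit.

Added example (not the article's code). Assumptions: ``cafile`` is a PEM bundle
you supply containing only your own servers' issuing CA (hypothetical path);
nothing here opens a network connection.
"""
import ssl

# Policy thresholds, chosen for this example.
MIN_STRENGTH_BITS = 128                      # SSL Pulse's weak-suite boundary
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Key exchange without forward secrecy; TLS 1.2 ECDHE/DHE and TLS 1.3 ('kx-any') pass.
NON_PFS_KEY_EXCHANGE = {"kx-rsa"}


def hardened_client_context(cafile=None):
    """Client context that refuses legacy protocols, weak suites and compression.

    With ``cafile`` set, only that CA can vouch for the peer, instead of the
    browser-style root list the article warns about.  With ``cafile`` None the
    system store is used, which brings the broad list back.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = REQUIRED_MIN_VERSION      # rules out SSL v2/v3, TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME mitigation
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # AEAD, forward-secret suites only
    ctx.check_hostname = True                       # name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED             # the chain must validate
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)    # pin trust to your own CA
    else:
        ctx.load_default_certs()
    return ctx


def legacy_client_context():
    """The permissive setup SSL Pulse found on many sites, kept for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # anything OpenSSL allows
    ctx.options &= ~ssl.OP_NO_COMPRESSION                   # compression back on
    ctx.set_ciphers("ALL:@SECLEVEL=0")                      # every suite, weak ones too
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                         # any certificate accepted
    return ctx


def audit(ctx):
    """Return 'code: detail' findings for a context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < REQUIRED_MIN_VERSION:
        allowed = getattr(ctx.minimum_version, "name", ctx.minimum_version)
        findings.append(f"min-version: {allowed} allowed, need "
                        f"{REQUIRED_MIN_VERSION.name} or newer")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression: TLS compression enabled (CRIME)")
    if not ctx.check_hostname:
        findings.append("hostname: certificate name not checked against the host")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify: chain validation not required")
    for cipher in ctx.get_ciphers():          # the suites this context would offer
        if cipher["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"weak-cipher: {cipher['name']} "
                            f"({cipher['strength_bits']} bits)")
        if cipher["kea"] in NON_PFS_KEY_EXCHANGE:
            findings.append(f"no-pfs: {cipher['name']} uses {cipher['kea']}")
    return findings


if __name__ == "__main__":
    for label, context in (("legacy", legacy_client_context()),
                           ("hardened", hardened_client_context())):
        lines = audit(context)
        print(f"{label}: {len(lines)} finding(s)")
        for line in lines:
            print("  " + line)
```

The exact weak-cipher and no-pfs lines reported for the legacy context depend on which suites the local OpenSSL build still ships; the protocol, hostname, verification and compression findings are independent of that.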