Seg. Redes


SSL/TLS attacks, Network Security 2018/2019, Pedro Brandão


BEAST (May 2011): Browser Exploit Against SSL/TLS

SegRedes 18/19 - TLS Attacks - pbrandao


BEAST

• Browser Exploit Against SSL/TLS, “Here Come The ⊕ Ninjas”, Thai Duong and Juliano Rizzo, May 13, 2011
  o Client-side attack
• SSL v3.0 and TLS 1.0
• Attack on CBC mode with chained IVs
  o Mandatory on SSL and TLS
  o Chosen-plaintext attack
• Known since 2004 (G.V. Bard)
  o Thought un-exploitable (no practical exploit)
• History of the development by Thai Duong


BEAST (continued)

• Requirements:
  o Ability to eavesdrop on requests (MiTM)
  o Ability to modify the HTTPS requests being made
    . Agent loaded from evil.com that sends requests to victim.com
    . Same origin: victim.com may allow JavaScript from evil.com (WebSocket); Java, Flash, Silverlight, etc. may be used
• Enables decryption of bytes in the requests
  o HTTP cookies

From [⊕ Ninjas]


BEAST - Solutions

• Don’t use SSL v3 or TLS 1.0
• Mitigate prediction of IVs
  o 1/n-1 record split
• Server
  o Use RC4 encryption (not CBC)
    . but there’s an attack for that too



POODLE (September 2014): Padding Oracle On Downgraded Legacy Encryption



POODLE

• Padding Oracle On Downgraded Legacy Encryption
• Google Security team: Bodo Möller, Thai Duong and Krzysztof Kotowicz
• Affects connections even if server and client support recent versions of TLS
  o Need to downgrade to SSLv3


POODLE (continued)

• Use:
  o RC4 bias attack
    . if the same data is sent several times using RC4, information will leak
  o POODLE focuses on block ciphers in CBC mode
• Attacker:
  o Interferes with TLS version negotiation to get down to SSL v3.0
  o Deploys JS in the browser to send HTTPS requests, and intercepts the SSL records sent by the browser
  o Sends padding data with the partial contents of a previous block (cookie)
  o If the record is accepted, 1 byte can be recovered; continue
  o Expected requests: 256 per byte to decrypt



POODLE Solutions

• Disable support for SSLv3.0
  o Browsers and/or servers
  o “Unlike with the BEAST [BEAST] and Lucky 13 [Lucky13] attacks, there is no reasonable workaround.” [POODLEBites]
• Server support for RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
  o A client, when downgrading, sets 0x56,0x00 (TLS_FALLBACK_SCSV) in the supported suites
    . Naturally it is not a selectable suite
  o This indicates to the server that the client is downgrading
  o If the server supports a higher version than the one requested, it generates an error
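The fallback-signalling rule above, as an added example that is not part of the original slides: a small Python model of both sides of the RFC 7507 exchange. The Server, Client and run names, the constructed cipher suite list and the simulated dropped handshakes are assumptions made for this illustration; the 0x56,0x00 suite value and the inappropriate_fallback alert number (86) are the ones RFC 7507 defines.

```python
# Added example, not from the slides: a minimal model of the RFC 7507
# TLS_FALLBACK_SCSV mechanism with both sides of the exchange.  The class
# and function names (Server, Client, run) are assumptions made for this
# illustration; the 0x56,0x00 suite value and the inappropriate_fallback
# alert number (86) are the ones RFC 7507 defines.

TLS_FALLBACK_SCSV = 0x5600           # "cipher suite" value 0x56,0x00 from RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86    # alert the server sends to refuse a downgrade

# Protocol versions as (major, minor) wire values; a larger tuple is a newer version.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL30: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}


class Server:
    """Server that applies the RFC 7507 check on every ClientHello."""

    def __init__(self, max_version):
        self.max_version = max_version

    def handle_client_hello(self, client_version, cipher_suites):
        """Return ("alert", code) or ("server_hello", negotiated_version)."""
        if TLS_FALLBACK_SCSV in cipher_suites and self.max_version > client_version:
            # The client announces a downgrade retry, yet this server supports a
            # newer version than the one offered: the earlier failure was not
            # caused by us, so refuse instead of completing a downgraded handshake.
            return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
        return ("server_hello", min(client_version, self.max_version))


class Client:
    """Browser-style client that retries one version lower after a failed handshake."""

    def __init__(self, versions, real_suites):
        self.versions = sorted(versions, reverse=True)   # newest first
        self.real_suites = list(real_suites)

    def connect(self, network):
        """network(version, suites) returns the server reply, or None if the handshake was dropped."""
        transcript = []
        for attempt, version in enumerate(self.versions):
            suites = list(self.real_suites)
            if attempt > 0:
                suites.append(TLS_FALLBACK_SCSV)   # signal that this is a downgrade retry
            reply = network(version, suites)
            transcript.append((NAMES[version], attempt > 0, reply))
            if reply is None:
                continue                           # never completed: fall back one version
            if reply[0] == "alert":
                return ("failed", reply[1], transcript)
            return ("connected", NAMES[reply[1]], transcript)
        return ("failed", None, transcript)


def run(server, client, drop_first_n=0):
    """Simulate a path that drops the first n handshakes (a version-intolerant
    server, or interference with version negotiation) and delivers the rest."""
    calls = {"n": 0}

    def network(version, suites):
        calls["n"] += 1
        if calls["n"] <= drop_first_n:
            return None
        return server.handle_client_hello(version, suites)

    return client.connect(network)


if __name__ == "__main__":
    # Constructed suite list: two ordinary suite code points plus the SCSV when retrying.
    client = Client([SSL30, TLS10, TLS11, TLS12], real_suites=[0x002F, 0x0035])
    print(run(Server(TLS12), client)[:2])                   # ('connected', 'TLS1.2')
    print(run(Server(TLS12), client, drop_first_n=3)[:2])   # ('failed', 86): SSLv3 retry refused
    print(run(Server(TLS10), client, drop_first_n=2)[:2])   # ('connected', 'TLS1.0'): old server, no false alarm
```

The third run shows why the rule is "higher version than the one requested" and not "any downgrade": a server whose best version really is TLS 1.0 still accepts the retry, so the SCSV only blocks downgrades that the server itself knows to be unnecessary.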



FREAK (March 2015): Factoring RSA Export Keys



FREAK

• March 3, 2015, Karthikeyan Bhargavan at INRIA in Paris and the miTLS team
• RSA_EXPORT cipher suites
  o Vulnerable (on purpose) to attacks
• Needs a MiTM to trick the browser into downgrading
  o Server does not sign the chosen cipher suite
• Some TLS clients accepted the RSA_EXPORT cipher suites although they did not announce them
• Found using formal analysis tools

FREAK – Export Crypto

• “introduced under the pressure of US government agencies to ensure that they would be able to decrypt all foreign encrypted communication, while stronger algorithms were banned from export (as they were classified as weapons of war).”
  o Do the current tendencies for crypto communication requested of companies ring a bell?
• “export RSA moduli must be less than 512 bits long; hence, they can be factored in less than 12 hours for $100 on Amazon EC2”

From [SMACK]



FREAK – vulnerable

From [SMACK]

• Vulnerable TLS client libraries included:
  o OpenSSL (CVE-2015-0204): versions before 1.0.1k are vulnerable. Upgrade.
  o BoringSSL: versions before Nov 10, 2014 are vulnerable. Upgrade.
  o SecureTransport (CVE-2015-1067, CVE-2015-2235): versions before iOS 8.2, AppleTV 7.1, and OS X Security Update 2015-002 are vulnerable. Update your OS.
  o SChannel (CVE-2015-1637): before KB3046049 is vulnerable. See the security bulletin. Update your OS.
  o LibReSSL: versions before 2.1.2 are vulnerable. Upgrade.
  o Mono: versions before 3.12.1 are vulnerable. Upgrade.
  o IBM JSSE: is vulnerable. A fix is being tested.

• Web browsers that use the above TLS libraries are vulnerable, including:
  o Chrome: versions before 41 on various platforms are vulnerable. Update.
  o Internet Explorer: on OS versions before March 9 is vulnerable. Update your OS.
  o Safari: on OS versions before March 9 is vulnerable. Update your OS.
  o Opera: versions before 28 are vulnerable. Update.
  o Android Browser: is vulnerable. Switch to Chrome 41.
  o Blackberry Browser: is vulnerable. See the advisory. Wait for a patch.
  o Cisco: products using OpenSSL are vulnerable. See the advisory.


FREAK solutions

• Server:
  o Disable TLS export suites
• Browser:
  o Update
• Update system libraries for SSL:
  o OpenSSL, Microsoft Schannel and Apple SecureTransport

“Encryption backdoors will always turn around and bite you in the ass. They are never worth it.” -- Matt Green (in [FREAK])



LogJam (May 2015)


LogJam

• NRS, Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research, Johns Hopkins University, University of Michigan, and the University of Pennsylvania: David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Beguelin, and Paul Zimmermann
• Attacks Diffie-Hellman using known and widely deployed prime numbers
• Pre-compute log for a given prime (they used 2 bundled in Apache and )
  o Accelerates the log calculation for connection key discovery


LogJam (continued)

• Needs
  o downgrade to RSA_Export, as in FREAK
  o TLS False Start (client sends data before receiving the final response from the server)

• Attacks the TLS protocol (not the implementation)

• From [LogJam]
  o “512-bit prime used for TLS downgrade connections to 80% of TLS servers supporting DHE_EXPORT.”
  o “academic team can break a 768-bit prime and a nation-state can break a 1024-bit prime.”

LogJam (continued)

Image from miTLS LogJam


LogJam – Solutions

• Server
  o Disable export ciphers
  o Generate a longer (2048-bit) DH key
  o [LogJam] has instructions
• Browser
  o Upgrade
• Libraries
  o Upgrade
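The server-side mitigations on the BEAST, POODLE, FREAK and LogJam solutions slides, brought together in one check as an added example that is not part of the slides: it audits a server's protocol and cipher-suite configuration and reports which of those four attacks (plus the RC4 bias weakness the POODLE slide mentions) it is still exposed to. The configuration dictionary layout, the OpenSSL-style suite names, the two sample configurations and the finding texts are assumptions made for this illustration.

```python
# Added example, not from the slides: a small audit of a TLS server
# configuration against the mitigations listed on the BEAST, POODLE, FREAK
# and LogJam "Solutions" slides.  The configuration layout (a dict with
# protocol names, OpenSSL-style cipher suite names, DH parameter size and
# RSA key size) and the finding texts are assumptions made for this example.


def _is_ffdhe(name):
    """Finite-field DHE suite in OpenSSL naming (DHE-/EDH-), not ECDHE."""
    return ("DHE-" in name or "EDH-" in name) and "ECDHE" not in name


def audit_tls_config(cfg):
    """Return a list of (attack, problem) findings; empty means nothing the slides warn about."""
    findings = []

    for proto in cfg["protocols"]:
        if proto == "SSLv3":
            findings.append(("POODLE", "SSLv3 enabled: disable it, there is no workaround"))
        elif proto in ("SSLv2", "TLSv1"):
            findings.append(("BEAST", f"{proto} enabled: CBC with chained IVs is attackable"))

    for suite in cfg["ciphers"]:
        name = suite.upper()
        if name.startswith("EXP-"):                      # OpenSSL names export suites EXP-...
            attack = "LogJam" if _is_ffdhe(name) else "FREAK"
            findings.append((attack, f"export suite {suite} enabled: disable export suites"))
        if "RC4" in name:
            findings.append(("RC4 bias", f"{suite} uses RC4: repeated data leaks information"))

    # LogJam: only finite-field DHE suites use the server's DH parameters.
    if any(_is_ffdhe(s.upper()) for s in cfg["ciphers"]) and cfg.get("dh_param_bits", 0) < 2048:
        bits = cfg.get("dh_param_bits", 0)
        findings.append(("LogJam", f"DH parameters are {bits} bits: generate 2048-bit parameters"))

    # FREAK: an export-grade RSA modulus (<= 512 bits) can be factored in hours.
    if cfg.get("rsa_key_bits", 2048) <= 512:
        findings.append(("FREAK", f"RSA key is {cfg['rsa_key_bits']} bits: factorable in hours"))

    return findings


# Constructed sample configurations (not real servers).
WEAK_CONFIG = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
    "ciphers": ["EXP-RC4-MD5", "EXP-EDH-RSA-DES-CBC-SHA", "RC4-SHA",
                "DHE-RSA-AES128-SHA", "AES128-SHA"],
    "dh_param_bits": 1024,
    "rsa_key_bits": 2048,
}

HARDENED_CONFIG = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"],
    "dh_param_bits": 2048,
    "rsa_key_bits": 2048,
}

if __name__ == "__main__":
    for attack, problem in audit_tls_config(WEAK_CONFIG):
        print(f"[{attack}] {problem}")
    print("hardened config findings:", audit_tls_config(HARDENED_CONFIG))   # []
```

The DH-size check is deliberately tied to the presence of finite-field DHE suites: a server offering only ECDHE never uses the dhparam file, so flagging it would be noise, which is the kind of false positive that makes people ignore audit output.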


Others

• BERserk: vulnerability in the Mozilla NSS crypto library. Error in parsing ASN.1 encoded in BER. Allows RSA signature forging (2006)
• CRIME: use of compression in the protocol allows for recovery of cookies. Presentation (2012)
• BREACH: builds on CRIME, attacking HTTP responses (2013)
• Lucky-13: timing attack on the result of padding in TLS (description on GnuTLS) (2013)
• SLOTH: attacks TLS 1.2 RSA-MD5 signatures
• Heartbleed (XKCD explanation): uses specially crafted heartbeat packets to get the server to send its memory contents (2014)
  o CloudBleed (reverse proxy sends more data than it should), Google Project Zero
• DROWN: uses a secondary connection to a server using the same certificate but with SSLv2. It allows decrypting blocks of the non-SSLv2 connection. Paper (2016)




Certificates for everyone


Let’s Encrypt

• Effort by EFF

• Quick, one-command installation and configuration of a working signed certificate

• Uses the ACME protocol (being prepared as an IETF RFC)
  o Automated Certificate Management Environment



Let’s Encrypt: process overview

• Challenges by the Let’s Encrypt server
  o DNS control
  o Host control
  o Signing nonce

Image from Let’s Encrypt, Technology
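The three items above (host control, DNS control and the signing nonce) as an added example that is not part of the slides and is not Let’s Encrypt’s or Certbot’s own code: a simulation of the ACME challenge exchange with both the applicant's side and the CA's side. The key-authorization and thumbprint rules follow RFC 8555 and RFC 7638; the FakeHost, FakeDNS and NonceStore classes, the ca_* function names and the account JWKs (placeholders, not real keys) are constructed for this illustration.

```python
# Added example, not from the slides or from Let's Encrypt's own code: a
# simulation of the ACME (RFC 8555) challenge exchange behind the "host
# control", "DNS control" and "signing nonce" items.  The thumbprint and
# key-authorization rules are those of RFC 7638 / RFC 8555; the FakeHost,
# FakeDNS and NonceStore classes and the account JWKs are constructed for
# this illustration (the JWKs below are placeholders, not real keys).
import base64
import hashlib
import json
import secrets


def b64url(data):
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token, account_jwk):
    """token '.' thumbprint(account key): ties the answer to the account that requested it."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(key_auth):
    """DNS-01 publishes the base64url SHA-256 of the key authorization in a TXT record."""
    return b64url(hashlib.sha256(key_auth.encode()).digest())


class FakeHost:
    """Stands in for the applicant's web server (host control)."""
    def __init__(self):
        self.files = {}

    def publish_http01(self, domain, token, account_jwk):
        path = f"/.well-known/acme-challenge/{token}"
        self.files[(domain, path)] = key_authorization(token, account_jwk)


class FakeDNS:
    """Stands in for the applicant's DNS zone (DNS control)."""
    def __init__(self):
        self.txt = {}

    def publish_dns01(self, domain, token, account_jwk):
        value = dns01_txt_value(key_authorization(token, account_jwk))
        self.txt.setdefault(f"_acme-challenge.{domain}", set()).add(value)


class NonceStore:
    """CA side: every signed request carries a fresh nonce, accepted once (replay protection)."""
    def __init__(self):
        self.issued = set()

    def new_nonce(self):
        nonce = b64url(secrets.token_bytes(16))
        self.issued.add(nonce)
        return nonce

    def consume(self, nonce):
        if nonce not in self.issued:
            return False
        self.issued.discard(nonce)
        return True


def ca_new_token():
    return b64url(secrets.token_bytes(32))


def ca_validate_http01(domain, token, account_jwk, host):
    """CA fetches the challenge URL and compares with what it expects for this account."""
    served = host.files.get((domain, f"/.well-known/acme-challenge/{token}"))
    return served == key_authorization(token, account_jwk)


def ca_validate_dns01(domain, token, account_jwk, dns):
    expected = dns01_txt_value(key_authorization(token, account_jwk))
    return expected in dns.txt.get(f"_acme-challenge.{domain}", set())


# Constructed account keys: placeholder JWKs, not real RSA parameters.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"placeholder-modulus-account-A" * 8)}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"placeholder-modulus-account-B" * 8)}

if __name__ == "__main__":
    domain, token = "example.test", ca_new_token()
    host, dns = FakeHost(), FakeDNS()
    host.publish_http01(domain, token, ACCOUNT_JWK)
    dns.publish_dns01(domain, token, ACCOUNT_JWK)
    print("http-01 valid for account A:", ca_validate_http01(domain, token, ACCOUNT_JWK, host))
    print("http-01 valid for account B:", ca_validate_http01(domain, token, OTHER_JWK, host))
    print("dns-01 valid for account A:", ca_validate_dns01(domain, token, ACCOUNT_JWK, dns))
```

The point of binding the thumbprint into the published value is visible in the second check: a second account that sees the token cannot reuse the applicant's answer, because the CA recomputes the expected key authorization from the account key it has on file.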

Let’s Encrypt (continued)

• CertBot from EFF

$ sudo dnf install python-certbot-apache
$ certbot --apache
$ certbot renew

• Other clients

• Also uses:
  o Certificate Transparency
  o SSL Observatory
  o Scan data repository


Misuses

• Phishing and fraud
  o Get a certificate for amazom.com
  o See “Let’s Encrypt and Comodo issue thousands of certificates for phishing” by NetCraft, and “The CA's Role in Fighting Phishing and” by Let’s Encrypt
  o Lessons From Top-to-Bottom Compromise of Brazilian Bank, by Kaspersky (ThreatPost)
    . Modify the DNS servers’ entries (ability to configure via web; credentials obtained via social engineering)
    . Modified entries pointed to the attackers’ machines
    . Machines had Let’s Encrypt certs
    . Even ATMs fell for it
    . “bank’s website was serving malware to each of its visitors”

Certificate Transparency

• Open framework from Google
• Components:
  o Logs of issued certificates (public, append-only, cryptographically verifiable (Merkle hash trees), auditable)
  o Monitors of the logs, to detect misuse
  o Auditors of the logs, to validate currently seen certificates

Image from Certificate Transparency


Certificate Transparency (continued)

Image from Certificate Transparency


Certificate Transparency (continued)

Image from Certificate Transparency

SCT: Signed Certificate Timestamp, which is simply the log’s promise to add the certificate within some time period. That time period is known as the Maximum Merge Delay (MMD).
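The append-only, Merkle-hash-tree log structure and the auditor's check described on the Certificate Transparency slides, as an added example that is not part of the slides and not Google's CT code: RFC 6962 leaf and interior-node hashing, the Merkle tree hash a log signs in its tree head, an inclusion proof (audit path) for one entry, and the verification an auditor performs from the entry, its index, the tree size and the proof. The function names and the sample entries (short byte strings standing in for DER-encoded certificates) are constructed for this illustration.

```python
# Added example, not from the slides: the Merkle hash tree and inclusion
# proof used by Certificate Transparency logs, following the hashing rules
# of RFC 6962 section 2.1 (SHA-256, 0x00 prefix for leaves, 0x01 for
# interior nodes).  Function names and the sample entries are assumptions
# made for this illustration; the entries stand in for DER certificates.
import hashlib


def _sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(entry):
    """Leaf hash: SHA-256(0x00 || entry). The prefix keeps leaves and nodes distinct."""
    return _sha256(b"\x00" + entry)


def node_hash(left, right):
    """Interior node hash: SHA-256(0x01 || left || right)."""
    return _sha256(b"\x01" + left + right)


def _split(n):
    """Largest power of two strictly less than n (n >= 2), per RFC 6962."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries):
    """Merkle Tree Hash of the entries: the root a log signs in its tree head."""
    if not entries:
        return _sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def audit_path(index, entries):
    """Inclusion proof for entries[index]: sibling hashes ordered from the leaf up to the root."""
    if len(entries) <= 1:
        return []
    k = _split(len(entries))
    if index < k:
        return audit_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_hash(entries[:k])]


def _root_from_path(h, index, size, path):
    """Rebuild the root by consuming the path from the root end, mirroring audit_path."""
    if size <= 1:
        return h if not path else None        # leftover siblings mean a malformed proof
    if not path:
        return None                           # proof too short
    k = _split(size)
    sibling = path.pop()
    if index < k:
        sub = _root_from_path(h, index, k, path)
        return None if sub is None else node_hash(sub, sibling)
    sub = _root_from_path(h, index - k, size - k, path)
    return None if sub is None else node_hash(sibling, sub)


def verify_inclusion(entry, index, tree_size, path, root):
    """What an auditor does: check that `entry` sits at `index` of a tree with this root."""
    if not 0 <= index < tree_size:
        return False
    return _root_from_path(leaf_hash(entry), index, tree_size, list(path)) == root


# Constructed sample log: short byte strings stand in for DER-encoded certificates.
SAMPLE_LOG = [f"cert-for-example-{i}.test".encode() for i in range(5)]

if __name__ == "__main__":
    root = tree_hash(SAMPLE_LOG)
    path = audit_path(3, SAMPLE_LOG)
    print("root:", root.hex())
    print("proof length:", len(path))
    print("entry 3 included:", verify_inclusion(SAMPLE_LOG[3], 3, len(SAMPLE_LOG), path, root))
    print("tampered entry:", verify_inclusion(b"cert-for-evil.test", 3, len(SAMPLE_LOG), path, root))
```

Only the root needs to be trusted (it is what the log signs); the proof is logarithmic in the log size, which is what lets a browser or monitor check a single certificate without downloading the whole log.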



Similar approaches

• HTTPS Everywhere & the Decentralized SSL Observatory, by EFF
• Perspectives Project
• CheckMyHTTPS
• Internet-Wide Scan Data Repository, with scans of SSL-enabled hosts
• Certificate pinning, RFC 7469


Tools



Testing

• Test the browser client with SSL Labs
  o Tests Logjam, FREAK, POODLE
  o Shows browser characteristics


Tools

• Nogotofail, from Google Labs

Diagram: Internet / nogotofail / MiTM



Keyless SSL in Cloudflare

• Objective is to use the origin server’s certificate and its secured connection
• Adds the session key generation being done on the origin server
• The origin server returns the key to the Cloudflare server
• Resumption and session IDs are also supported
• Needs changes in the TLS library/server
• Works for RSA and DH handshakes


Keyless SSL in Cloudflare (continued)

Image from Cloudflare


Summary

• SSL attacks:
  o BEAST, POODLE, FREAK, LogJam
• Wide use of certificates
• Some tools


References - BEAST

• [⊕ Ninjas] “Here Come The ⊕ Ninjas”, Thai Duong and Juliano Rizzo, May 13, 2011
• New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies, Dennis Fisher, Threatpost, Sep 2011
• BEAST Cryptographic Attack Mitigations Overturned, Michael Mimoso, Threatpost, Sep 2013



References - POODLE

• The POODLE Attack and the End of SSL 3.0, Mozilla Security Blog
• [POODLEBites] Bodo Möller, Thai Duong, Krzysztof Kotowicz, “This POODLE Bites: Exploiting The SSL 3.0 Fallback”, Security Advisory, Google, September 2014


References - FREAK

• Tracking the FREAK Attack, University of Michigan: Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman
• [SMACK] State Machine AttACKs against TLS (SMACK TLS), miTLS
• [FREAK] Attack of the week: FREAK (or 'factoring the NSA for fun and profit'), Matt Green, Johns Hopkins



References - LogJam

• [LogJam] The Logjam Attack, May 2015
  o Attacks on Weak DH Groups in TLS, miTLS group
• New Logjam Attack on Diffie-Hellman Threatens Security of Browsers, VPNs, Dennis Fisher, Threatpost, May 2015


References

• Attacking SSL when using RC4, Intelligence Initiative, Imperva, March 2015
• Rivest, Ron; Schuldt, Jacob. “Spritz - a spongy RC4-like stream cipher and hash function”, October 2014
  o RC4 algorithm update
• Kenny Paterson, “TLS Security - Where Do We Stand?”, Oct 2013
  o Nadhem AlFardan and Kenny Paterson, “Lucky Thirteen: Breaking the TLS and DTLS Record Protocols”, paper



Other stuff

• TLS attacks, by Acunetix
• Attacks on protocol, by miTLS
• Understanding the prevalence of web traffic interception, by Cloudflare

