
Back Doors in SSL/TLS

Team members: Akshay Veerayyagari, Jaya Surya Dondapati, Avinash Yeluri

George Mason University ECE646

CONTENTS

 Attacks on SSL/TLS

 Evaluation criteria

 Server security levels

 Experiment

 Conclusion

CATEGORIZING ATTACKS ON SSL/TLS

 Attacks on the SSL/TLS Handshake Protocol.

 Attacks on the SSL/TLS Record and Application Data Protocols.

 Attacks on the SSL/TLS Public Key Infrastructure.

 Various other attacks.

TIMELINE OF ATTACKS

EVALUATION CRITERIA FOR COMPARISON

 Required intruder’s knowledge

 Type of attack

 Dependence on version

 Time of attack

 Countermeasures

 Probability of reoccurrence

 Severity of attack

 Limitations of the attacker

COMPARISON

| Criterion | CRIME | Lucky13 |
|---|---|---|
| Required intruder’s knowledge | Leverages a property of compression functions: the attacker notes how the length of the compressed data changes. | Pre-implementation of a man-in-the-middle attack to intercept the encrypted packets. |
| Dependence on version | The latest versions of all browsers will not offer compression in SSL. HTTP response compression is not vulnerable. | TLS 1.1, TLS 1.2 |
| Severity of attack | Only the client is affected. The client’s sensitive information is obtained. | Only the client is affected. The encrypted data is leaked. |
| Limitations of the attacker | The attacker must be the man in the middle and must also control the plaintext. | The attacker should be in the same network. The attack is based on repetitive guesswork. |
| Type of attack | Active | Active |
| Countermeasures | Upgrade to the most recent version. Disable compression if your web software allows you to do it. | Abandonment of CBC-mode encryption eliminates this flaw in TLS. |
| Probability of reoccurrence | The vulnerable clients will thus be restricted to those using older clients. | Dependence on CBC-mode. |

EVALUATING SERVER SECURITY LEVELS

 Inspection of certificates to verify that they are valid and trusted.

 We inspect server configuration in three categories:

• Protocol support

• Key exchange support

• Cipher support

CERTIFICATE INSPECTION

 The server certificate is often the weakest point of an SSL server configuration.

 A certificate that is not trusted fails to prevent man-in-the-middle (MITM) attacks and renders SSL effectively useless.

 A certificate that is incorrect in some other way erodes trust and, in the long term, jeopardizes the security of the internet as a whole.
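The checks a client runs on a server certificate before trusting it, as an added example that is not part of the slides. It works on a certificate in the dict shape that ssl.SSLSocket.getpeercert() returns; chain validation against the trust store is done by the ssl module itself (ssl.create_default_context() keeps CERT_REQUIRED and check_hostname on), so the two checks shown here, the validity window and the hostname binding, are what a manual inspection must still cover. The certificate, the host names and the timestamps are constructed; the helper names are my own.

```python
"""Added example, not from the slides: validity-window and hostname checks on a
server certificate in the dict form returned by ssl.SSLSocket.getpeercert().
The certificate below is constructed for the example."""

import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.api.example.test" -> ".api.example.test"
    head, _, tail = hostname.partition(".")   # one label, then the rest
    return bool(head) and "." + tail == suffix


def inspect_certificate(cert: dict, hostname: str, now=None) -> list:
    """Return the list of problems found; an empty list means the certificate passes.

    `now` is seconds since the epoch (defaults to the current time) so that the
    window check is reproducible in tests."""
    problems = []
    now = time.time() if now is None else now
    try:
        # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings
        # that getpeercert() uses for notBefore / notAfter.
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        return [f"unreadable validity period: {exc}"]
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")

    # Host binding lives in the subjectAltName extension; the CN alone is not enough.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        problems.append("no DNS subjectAltName binding the certificate to a host")
    elif not any(hostname_matches(name, hostname) for name in dns_names):
        problems.append(f"hostname {hostname} not covered by subjectAltName {dns_names}")
    return problems


# Constructed certificate (getpeercert() shape); valid for calendar year 2024.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}

MID_2024 = 1720000000   # constructed "now": July 2024, inside the window
FEB_2025 = 1740000000   # constructed "now": February 2025, after expiry

if __name__ == "__main__":
    for host, when in (("www.example.test", MID_2024),
                       ("v1.api.example.test", MID_2024),
                       ("api.example.test", MID_2024),
                       ("www.example.test", FEB_2025)):
        print(host, inspect_certificate(SAMPLE_CERT, host, when) or "OK")
```

To run the same checks against a live server, obtain the dict with `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`; the dict is only populated after the ssl module has already verified the chain, which is exactly the "trusted" half of the slide's requirement.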

CIPHER SUPPORT

 A cipher suite is a collection of symmetric and asymmetric encryption algorithms.

 These are used for protection, encryption and generating signatures.

 The structure of a cipher suite:

Before POODLE

After POODLE

Specific key agreement protocols give assurance that your session keys will not be compromised even if the server’s private key is compromised.
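The three evaluation categories (protocol support, key exchange support, cipher support), the structure of a cipher suite name, and the forward-secrecy property just described, brought together in one added example that is not part of the slides or of any scanner the team used. The server configuration is a constructed dict standing in for a scanner's output; the weakness labels are the ones the deck discusses (POODLE for SSLv3, Lucky13 for CBC mode, CRIME for TLS compression), and the function and field names are my own.

```python
"""Added example, not from the slides: walk a TLS server configuration along the
deck's three axes (protocol support, key exchange support, cipher support) and
list the findings a reviewer would raise. Configurations below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    """Components of an IANA-style suite name TLS_<kx>_<auth>_WITH_<cipher>_<mac>."""
    name: str
    key_exchange: str     # ECDHE, DHE, RSA, ... or "TLS1.3" for 1.3 suites
    authentication: str   # RSA, ECDSA, anon, ... or "certificate" for 1.3 suites
    cipher: str           # e.g. AES_128_GCM, AES_128_CBC, RC4_128
    mac: str              # SHA, SHA256, SHA384, MD5


def parse_suite(name: str) -> CipherSuite:
    """Split a suite name into key-exchange, authentication, cipher and MAC parts."""
    if not name.startswith("TLS_"):
        raise ValueError(f"unrecognised cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        kx_parts = left.split("_")
        key_exchange = kx_parts[0]
        # TLS_RSA_WITH_... uses RSA both to transport the key and to authenticate.
        authentication = kx_parts[1] if len(kx_parts) > 1 else key_exchange
    else:
        # TLS 1.3 names carry no key-exchange part: the handshake always uses
        # ephemeral (EC)DHE and authenticates with the certificate.
        key_exchange, authentication, right = "TLS1.3", "certificate", body
    tokens = right.split("_")
    return CipherSuite(name, key_exchange, authentication, "_".join(tokens[:-1]), tokens[-1])


FORWARD_SECRET = {"ECDHE", "DHE", "TLS1.3"}   # ephemeral key agreement only


def evaluate_suite(suite: CipherSuite):
    """Return (key-exchange findings, cipher findings) for a single suite."""
    kx_findings, cipher_findings = [], []
    if suite.key_exchange not in FORWARD_SECRET:
        kx_findings.append(f"{suite.name}: no forward secrecy, a stolen server key "
                           "decrypts recorded sessions")
    if suite.authentication == "anon":
        kx_findings.append(f"{suite.name}: anonymous key exchange, no server authentication")
    if "CBC" in suite.cipher:
        cipher_findings.append(f"{suite.name}: CBC mode, the target of Lucky13")
    if suite.cipher.startswith("RC4"):
        cipher_findings.append(f"{suite.name}: RC4 is a broken stream cipher")
    return kx_findings, cipher_findings


def evaluate_server(config: dict) -> dict:
    """Score a configuration on protocols, key exchange and ciphers (incl. compression)."""
    report = {"protocols": [], "key_exchange": [], "ciphers": []}
    protocols = set(config.get("protocols", []))
    if "SSLv2" in protocols:
        report["protocols"].append("SSLv2 offered: obsolete protocol")
    if "SSLv3" in protocols:
        report["protocols"].append("SSLv3 offered: vulnerable to POODLE, phase it out")
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        report["protocols"].append("neither TLS 1.2 nor TLS 1.3 offered")
    if config.get("compression", False):
        report["ciphers"].append("TLS compression enabled: CRIME, disable compression")
    for name in config.get("cipher_suites", []):
        kx, ciph = evaluate_suite(parse_suite(name))
        report["key_exchange"].extend(kx)
        report["ciphers"].extend(ciph)
    report["acceptable"] = not any(report[k] for k in ("protocols", "key_exchange", "ciphers"))
    return report


# Constructed configurations: one like the servers the deck surveyed, one hardened.
LEGACY_SERVER = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "compression": True,
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
    ],
}
HARDENED_SERVER = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "compression": False,
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        rep = evaluate_server(cfg)
        print(label, "acceptable" if rep["acceptable"] else "needs work")
        for category in ("protocols", "key_exchange", "ciphers"):
            for finding in rep[category]:
                print(f"  [{category}] {finding}")
```

The forward-secrecy check is what turns the deck's closing line into a concrete rule: a suite whose key exchange is plain RSA lets anyone who recorded the traffic decrypt it later if the server key ever leaks, while (EC)DHE and every TLS 1.3 suite do not.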

OCSP Stapling

When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) record. Using OCSP, only one record is retrieved at a time.

EXPERIMENT: Cain & Abel

CONCLUSION

 Any new attack that occurs is always a modified form of one or more previous attacks.

 Most attacks are directed at specific cryptographic algorithms, and every new attack is mostly based on those same cryptographic algorithms.

 At the time of analyzing present server security, the majority of servers and modern browsers still support SSL version 3.0 despite it being vulnerable to attacks. It is time to phase out SSL version 3.0 and to implement TLS version 1.2.

 SSL ~ “Intercept Today, Decrypt Tomorrow.”


THANK YOU 
