Attacks on SSL/TLS Applied Cryptography, Lecture 6


Ruben Niederhagen, Nov. 26th, 2015
Department of Mathematics and Computer Science

Assignments

  • Choice of topic: before Thursday, November 26th, 23:59 (today).
  • Assignment of topic: Friday, November 27th.
  • Deadline of first assignment: Sunday, December 13th, 23:59.

The deadlines are strict!

Timeline of attacks on SSL/TLS

[Figure: timeline with axis 2010 to 2016. Attacks shown: SSLstrip, BEAST, CRIME, Lucky 13, Royal Holloway, BREACH, FREAK, Bar-mitzvah, Heartbleed, POODLE, Logjam, NOMORE RC4; before the axis: 2002 Padding Oracle.]

SSLstrip Attack (2009)

  • Eve wants to read the traffic between Alice and Bob's webserver.
  • Problem: Bob offers HTTP via TLS.
  • Solution: Make sure Alice uses an unencrypted connection.

People usually start SSL connections in two different ways:

  • Click on links that happen to be https.
  • Through HTTP 302 redirects. (Try to enter http://www.google.nl/ in your web browser.)

Idea: Parse web traffic and strip the "s" from all links to https: https → http

How SSLstrip works:

  • Watch HTTP traffic go by.
  • Switch <a href="https://..."> to <a href="http://..."> and remember what has changed.
  • Switch request https://... to http://... and remember what has changed.
  • If we see an HTTP request for a URL that we had stripped, proxy that as HTTPS.
  • Watch the HTTPS traffic go by; remember relative links, CSS links, JavaScript, ...
Result:

  • Server does not notice any difference.
  • No warning message is displayed to the client; the user needs to look out for https marks explicitly (and know about it).
  • Eve sees all the traffic.

Countermeasure: HTTP Strict Transport Security (HSTS).

  • Inform the browser to always use SSL/TLS to the site.
  • This information is stored by the browser for all future connections.
  • Can also be stripped by attacker; only works if first connection was not intercepted.
  • Some browsers are shipped with static HSTS list for some sites.

Best countermeasure: Carefully check that site is encrypted when handling sensitive information!
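The HSTS bullets above, worked through as an added example (not part of the lecture slides): a toy model of the browser-side HSTS state that shows why the first connection is unprotected unless the host is on the static list. The class `HSTSStore`, its method names and the host `bank.example` are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

class HSTSStore:
    """Toy model of a browser's HSTS state (constructed for this example)."""

    def __init__(self, preload=()):
        self.preload = set(preload)  # static list shipped with the browser
        self.dynamic = {}            # host -> (expiry time, includeSubDomains)

    def note_header(self, url, header, now):
        """Process a Strict-Transport-Security response header seen at `url`."""
        parts = urlsplit(url)
        # The header only counts on a TLS connection; a response that arrived
        # over plain HTTP (or had the header stripped) teaches the browser nothing.
        if parts.scheme != "https" or not header:
            return False
        m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
        if not m:
            return False
        if int(m.group(1)) == 0:               # max-age=0 removes the entry
            self.dynamic.pop(parts.hostname, None)
            return False
        subs = "includesubdomains" in header.lower()
        self.dynamic[parts.hostname] = (now + int(m.group(1)), subs)
        return True

    def known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):           # the host itself, then its parents
            name = ".".join(labels[i:])
            if name in self.preload:           # simplification: preload covers subdomains
                return True
            expiry, subs = self.dynamic.get(name, (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False

    def upgrade(self, url, now):
        """URL the browser actually requests: http:// becomes https:// for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```

With an empty store, `upgrade("http://bank.example/login", now=0)` returns the URL unchanged; only after `note_header` has accepted a header over https, or when the host is in `preload`, is the request rewritten to https.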
BEAST Attack (2011)

Recall the CBC mode of operation:

[Figure: Cipher Block Chaining (CBC) mode encryption. Labels: Initialization Vector (IV), Plaintext blocks, block cipher encryption under Key, Ciphertext blocks.]

[Figure: CBC encryption of Plaintext 0, Plaintext 1, Plaintext 2 into Ciphertext 0, Ciphertext 1, Ciphertext 2. The next block is chained onto Ciphertext 2: encrypting "guessed Plaintext 1" yields Ciphertext 3, whereas encrypting "guessed Plaintext 1 ⊕ Ciphertext 2 ⊕ Ciphertext 0" yields Ciphertext 1.]

BEAST: Browser Exploit Against SSL/TLS

  • Attacker must be able to force the client to send deliberate data.
  • There have been proof-of-concepts using cross-site scripting for stealing session cookies (byte by byte).
  • Do we need to worry about information leaking when the attacker can modify or inject data on the client side?

Countermeasures:

  • For TLS 1.0: send an empty packet ahead of each packet.
  • TLS 1.1 and newer are not affected by this attack because each packet has a new IV that is sent in plain text.
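The chained-IV relation from the figure and the two countermeasures, as an added example that is not part of the lecture slides. It checks whether the block "guess ⊕ Ciphertext 2 ⊕ Ciphertext 0" reproduces the earlier ciphertext under each IV rule. Assumptions: the block cipher is replaced by a keyed stand-in (truncated HMAC-SHA256, encryption direction only), and the mode names and function names are made up for this illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16

def E(key, block):
    # Stand-in for the block cipher (assumption): HMAC-SHA256 truncated to one
    # block. Only the encryption direction is needed here; this is not AES.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def next_record_iv(key, last_ciphertext, mode):
    """IV the sender uses for the next record under each rule."""
    if mode == "tls1.0":
        return last_ciphertext              # chained: last block seen on the wire
    if mode == "tls1.0+empty":
        # An empty record goes out first; its MAC/padding block (modelled as
        # bytes unknown to the observer) is encrypted and becomes the new IV.
        mac_block = os.urandom(BLOCK)
        return E(key, xor(mac_block, last_ciphertext))
    if mode == "tls1.1":
        return os.urandom(BLOCK)            # fresh IV per record
    raise ValueError(mode)

def guess_confirmed(secret_block, guess, mode):
    """True if the crafted block encrypts to the same ciphertext as the secret."""
    key, iv0 = os.urandom(32), os.urandom(BLOCK)
    c_secret = E(key, xor(secret_block, iv0))        # record carrying the secret
    # Block from the figure: guess XOR predicted next IV XOR IV of the secret.
    crafted = xor(xor(guess, c_secret), iv0)
    iv = next_record_iv(key, c_secret, mode)
    return E(key, xor(crafted, iv)) == c_secret

# Constructed 16-byte sample block, reusing the cookie text from the slides.
SAMPLE_SECRET = b"secret=7xc89f+94"
SAMPLE_WRONG = b"secret=0xc89f+94"
```

Only the chained-IV rule lets a correct guess be confirmed; with the empty record or a fresh IV the prediction of the next IV fails and the comparison no longer says anything about the guess.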
CRIME (2012) and BREACH (2013) Attacks

CRIME: Compression Ratio Info-leak Made Easy

  • Some parts of the plaintext are VERY predictable.
  • Session cookies can be found on well-defined spots:

        GET index.html HTTP/1.1
        Host: thebankserver.com
        (...)
        Cookie: secret=7xc89f+94/wa
        (...)

  • Try to send data from the client in the TLS context and see how this affects the ciphertext; "guess" session cookie character by character.

CRIME attack: exploit SSL/TLS compression

  • Iteratively increase secret value:

        GET index.html HTTP/1.1
        Host: thebankserver.com
        (...)
        Cookie: secret=7xc89f+94/wa
        (...)
        Cookie: secret=0XXX

    (The following slides repeat this request with secret=1XXX, secret=2XXX, secret=3XXX.)

  • E.g., with DEFLATE compression, the second occurrence of "secret=" is encoded as back reference.
  • Once the correct 1st digit has been reached, the compressed plaintext and thus the ciphertext will be shorter.
  • Continue with next digit.
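The length effect described in the CRIME bullets, measured locally as an added example (not part of the lecture slides). It compresses the slide's request for each candidate first digit and compares record lengths with compression on and off. Assumptions: `zlib` stands in for TLS-level DEFLATE, the record cipher is treated as length-preserving, the "(...)" parts of the request are left out, and all function names are made up for this illustration.

```python
import zlib

SECRET_COOKIE = b"7xc89f+94/wa"   # sample value from the slides

def request(guess):
    # Layout follows the slide: the real Cookie header, then the injected
    # "Cookie: secret=<guess>XXX" line (constructed request, "(...)" omitted).
    return (b"GET index.html HTTP/1.1\r\n"
            b"Host: thebankserver.com\r\n"
            b"Cookie: secret=" + SECRET_COOKIE + b"\r\n\r\n"
            b"Cookie: secret=" + guess + b"XXX")

def record_length(plaintext, compression):
    # Stand-in for the TLS record: with a length-preserving cipher the
    # ciphertext length is the (compressed) plaintext length plus a constant.
    body = zlib.compress(plaintext) if compression else plaintext
    return len(body)

def lengths(candidates, compression):
    """Record length for every candidate first character."""
    return {c: record_length(request(c.encode()), compression)
            for c in candidates}

def leaking_candidates(candidates, compression):
    """Candidates whose record is shorter than the rest; [] means no signal."""
    sizes = lengths(candidates, compression)
    shortest = min(sizes.values())
    winners = [c for c, n in sizes.items() if n == shortest]
    return winners if len(winners) < len(sizes) else []

DIGITS = "0123456789"
```

With compression enabled, the matching digit extends the DEFLATE back reference by one byte and its record comes out shorter than the others; with compression disabled every candidate produces the same length, so the record size says nothing about the cookie.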
