VIDEO Intypedia010en LESSON 10: ATTACKS TO THE SSL PROTOCOL AUTHORS: D. Luciano Bello and PhD. Alfonso Muñoz R&D Security Researcher (Chalmers University) R&D Security Researcher. T>SIC Group – UPM ALICE Hello and welcome to Intypedia. In previous lessons we learned the basics of the SSL protocol. Today we will delve into this protocol and see some real attacks to it and how to mitigate them. Join us! SCENE 1. IS SSL SECURE? ALICE Hello, Bob. In previous lessons we learned the basics of cryptography. We also learned how cryptography is implemented in algorithms and widely used protocols, like the SSL protocol we studied in lesson 9. However, sometimes there are news of attacks to such protocols and since SSL is a protocol widely used on the Internet, it's particularly interesting to study it. BOB Alice, don't trust everything that is published, I think that SSL is very secure and reliable. ALICE I agree with you. SSL is inherently secure because the protocols it uses are based on strong and mature theories. But even so, there are still many things that might become a problem. First of all, there’s complexity which is usually detrimental to usability. In addition, there might be programming bugs in the implementations. Furthermore, new techniques of cryptanalysis can be developed, making some protocols less secure than expected. This, added to the fact that Script Intypedia010en 1 the computing power of attackers is increasing according to Moore's Law, makes older versions of SSL insecure, stressing the need to review the protocols. BOB Wait... So you're telling me that SSL isn’t that secure? ALICE Don't stress out, Bob. SSL is secure in its theoretical design. But this is a necessary, although insufficient condition. Nowadays, the use of this protocol is crucial in e-commerce between clients (users) and suppliers of products. Its use is common in many transactions, such as buying a book on a Web store or in online banking. Although SSL has other uses, as we saw in the previous lesson, it is widely known for its use on the Web. Using SSL adequately will minimize attacks: not only classic ones like the man-in-the-middle attack against exchanged information, but also spoofing attacks in the access to social networks. Nonetheless, we must give an exact account of the "real security" of the SSL protocol. For example, its use on the Web goes far beyond the misconception that a page is secure if, and only if, it shows the famous "yellow padlock". To get an idea of what we're talking about, we will analyse some of the attacks this protocol has suffered in recent years and finish with some practical advice for a proper use. BOB Sounds like a great idea. Please continue, Alice. SCENE 2. PROGRAMMING ERRORS IN IMPLEMENTATIONS. CRYPTANALYSIS AND DOWNGRADE. ALICE Programming errors often cause really severe problems. One of the most famous attacks on SSL was the vulnerability announced in May 2008. The Argentinean researcher Luciano Bello discovered that random functions used in OpenSSL/Debian had been implemented incorrectly. This produced predictable "random" material that made it easier to reverse cryptographic processes. As a result, X.509 certificates, SSH keys and even encrypted material were exposed. BOB Yes... I remember vaguely. One implication was that private keys could be reconstructed from the distributed public keys. Without random cryptographic functions, cryptosystems were defenceless. ALICE Indeed, it was a specific problem that in the end got solved. However, to those implementation issues we must add the increasing computing capacity of attackers and the development of Script Intypedia010en 2 cryptanalysis. These factors could simplify the creation of false custom-made digital certificates. An example of this can be found in the results published by the 25th edition of the Chaos Communication Congress held in Berlin in December 2008. Researchers created a "valid" SSL certificate taking advantage of the emission particularities of certain certification authorities, a collision attack to the MD5 cryptographic algorithm and the huge computing capacity of one hundred PlayStations. It is true that MD5 is no longer used by certification authorities to calculate the hash of a certificate signed with a private key, but the current standard SHA-1 is also starting to encounter similar problems to those of its counterpart. This is a great example to justify why the cryptographic algorithms used in SSL are reviewed and updated by the scientific community. The use of older versions of the protocol should be avoided wherever possible, especially protocol downgrades forced by attackers. BOB Do you know of any other type of attack? ALICE Yes, another interesting attack was discovered by the researcher Moxie Marlinspike. When creating an SSL certificate and sending it to a certification authority to get it signed, the field that often gets more attention is CN (Common Name) which specifies the server name, like www.example.org. Moxie Marlinspike discovered that the standards for SSL and the X.509 certificate define the CN string as a PASCAL string (the length of the string is declared in position 0 and the chain is inserted in the other positions). Interestingly, most certificate processing software is written in C. Such software usually handles the string as a C string, inserting a NULL (\0) at the end of the string to indicate where it ends. The problem comes when someone obtains a certificate using www.realbank.com\0www.atacker.org. When processed by a browser, only the first part will be read (www.realbank.com), making it easy to falsify the bank. The easiest solution to this problem is for certification authorities to reject all certificates containing the NULL character. When fraudulent certificates are detected, they are usually revoked by the serial number included and, for this, the OCSP (Online Certificate Status Protocol) is usually used. Again, an incorrect configuration of the OCSP would allow attacks to the SSL protocol. BOB Excuse me, Alice; I think it would be interesting to define how to attack the OCSP. ALICE You're right. The Online Certificate Status Protocol is used to check online if a particular digital certificate has been revoked or not. For this, the client sends the request to the address of the Certificate Revocation List (CRL), which is included in the digital certificate. If an attacker is Script Intypedia010en 3 performing the man-in-the-middle attack to use one of these digital certificates, then they can intercept the OCSP requests and use them to their advantage. In a normal operation, a server using this protocol could send a Try Later response telling the client that it can't answer a request. The attacker could simulate this response, which has code 3 assigned, to tell the client that it is unable to attend its request at that moment. Given this situation, many Web clients will accept the digital certificate since they can't verify its validity. This is an obvious failure. BOB Alice, are you saying that it's easy to fool a system when the user accesses via https? ALICE Not only that. While many problems can be mitigated by updating our software, there is an element of the system that is very difficult to upgrade: the user. SCENE 3. TRICKING THE USER. SSL VULNERABILITY ON THE WEB. ALICE In practice, the easiest way to breach the security provided by SSL/TLS is to trick users into thinking they are using it when they actually aren't. BOB I would say that isn't possible, Alice. When I connect to my bank safely, I can see the yellow padlock in my browser, which tells me that the access to the site is secure and that the digital certificate that authenticates my bank has been properly validated. ALICE Unfortunately, Bob, that was a bad way to educate non-technical personnel on how to corroborate if a SSL protocol was being used. The truth is that many other conditions, which I will let you know shortly, must be considered. BOB Wait a minute. I know that if my computer has been compromised by a Trojan, for instance, it could be hoaxed to show a yellow padlock in the web browser implying that SSL encryption is being used when in fact it isn’t. ALICE Well, Bob, if you really have a Trojan in your computer, it could have total control and be able, not only to trick you, but to capture your passwords, redirect your data or authentication traffic and so on. But, possibly, the most interesting attacks are those that don't have internal access Script Intypedia010en 4 to your computer, like man-in-the-middle attacks whose main objective is to intercept a communication between client and server and view or alter the information in transit. BOB What if I connect to a page via https, is that possible? ALICE It depends on the complexity of the attack. Some may be solved with minimal training of the user; while other much more sophisticated attacks would be hardly detectable. The simplest example of a man-in-the-middle attack is to create a false digital certificate. That is, when a user connects via https to their online bank, the attacker connects between the two of them and sends their certificate to the client posing as the bank. The web browser detects that the digital certificate isn’t recognized and prompts the user whether they want to accept the connection. Most users with no security training will accept, so the attacker will be in the middle and will be able to do as they please with the data in transit, as well as the captured keys.