Plaintext-Recovery Attacks Against Datagram TLS Nadhem Alfardan and Kenneth Paterson Information Security Group Royal Holloway, University of London 6th Feb 2012 Results Introduction to DTLS Previous Attacks Padding Oracle Realisation Against OpenSSL Attacking the GnuTLS Implementation of DTLS Lessons Contents 4 Padding Oracle Realisation Against OpenSSL 1 Results 5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS 3 Previous Attacks 6 Lessons Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Padding Oracle Realisation Against OpenSSL Attacking the GnuTLS Implementation of DTLS Lessons Results 4 Padding Oracle Realisation Against OpenSSL 1 Results 5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS 3 Previous Attacks 6 Lessons Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Padding Oracle Realisation Against OpenSSL Attacking the GnuTLS Implementation of DTLS Lessons Plaintext-recovery attacks through which we were able to: Decrypt arbitrary amount of ciphertext in the case of the OpenSSL implementation of DTLS. Decrypt the four most significant bits of the last byte in every block in the case of the GnuTLS implementation of DTLS. Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Background Padding Oracle Realisation Against OpenSSL DTLS versus TLS Attacking the GnuTLS Implementation of DTLS Lessons Introduction to DTLS 4 Padding Oracle Realisation Against OpenSSL 1 Results 5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS Background DTLS versus TLS 6 Lessons 3 Previous Attacks Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Background Padding Oracle Realisation Against OpenSSL DTLS versus TLS Attacking the GnuTLS Implementation of DTLS Lessons Datagram Transport Layer Security (DTLS) was first introduced in NDSS 2004. IETF assigned RFC 4347 to DTLS 1.0 in 2006. RFC 6347 updates RFC 4347 and was published in Jan 2012 under DTLS 1.2. By design, DTLS 1.0 is very similar to TLS 1.1. RFC 4347 presents only the changes to TLS 1.1 and refers to RFC 4346 for the rest of the specification. A number of RFC documents have been published on DTLS. DTLS is used in a number of implementations. Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Background Padding Oracle Realisation Against OpenSSL DTLS versus TLS Attacking the GnuTLS Implementation of DTLS Lessons DTLS runs over an unreliable protocol such as Unreliable Datagram Protocol (UDP). Handshake Change Alert Applications Protocol Cipher Spec Protocol TLS! Record Protocol Reliable Transport Protocol Handshake Change Alert Applications Protocol Cipher Spec Protocol DTLS! Record Protocol Unreliable Transport Protocol Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Background Padding Oracle Realisation Against OpenSSL DTLS versus TLS Attacking the GnuTLS Implementation of DTLS Lessons Changes to TLS 1.1 also include: Implementations of DTLS should silently discard data with bad MACs or padding. No error messages are generated in both cases. In DTLS, connections are not terminated in the case of an error. In DTLS, fragmentation of record messages is not permitted. DTLS optionally supports record replay protection. There are other changes, but they are not of relevance. Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Vaudenay’s Padding Oracle Padding Oracle Realisation Against OpenSSL Canvel et al. Work Attacking the GnuTLS Implementation of DTLS Lessons Previous Attacks 4 Padding Oracle Realisation Against OpenSSL 1 Results 5 Attacking the GnuTLS 2 Introduction to DTLS Implementation of DTLS 3 Previous Attacks 6 Lessons Vaudenay’s Padding Oracle Canvel et al. Work Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Vaudenay’s Padding Oracle Padding Oracle Realisation Against OpenSSL Canvel et al. Work Attacking the GnuTLS Implementation of DTLS Lessons Vaudenay’s padding oracle, ( ) applies to CBC-mode encryption.PO Algorithm 1: Decrypting a block returns VALID if the padding using a padding oracle for TL- PO PO is correct and INVALID otherwise. S/DTLS. The realisation of this oracle relies Data: Ct∗ 1, Ct∗ − Result: Pt∗ = Dk (Ct∗) Ct∗ 1 on the attacker having access to ⊕ − Let R be a random b-byte block.; TLS error messages; for i =0to b 1 do for byte−=0to 255 do decryption failed and R[i]=byte; C = R Ct∗; bad record mac which are if (||C) = VALID then PO P[i]=R[i] Ct∗ 1[i] i; classified as fatal. ⊕ − ⊕ Break; In the case of TLS 1.0, both of for j =0to i do R[j]=R[j] (i) (i +1); these error messages are encrypted. ⊕ ⊕ Connections are terminated Output P; immediately whenever such errors are encountered. Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS Previous Attacks Vaudenay’s Padding Oracle Padding Oracle Realisation Against OpenSSL Canvel et al. Work Attacking the GnuTLS Implementation of DTLS Lessons The work of Canvel et al. exploits the fact that processing a message with valid padding may take longer than the processing of a message with invalid padding: The timing difference comes from the MAC verification process. Canvel et al. were able to extract fixed plaintext in the form of TLS-encrypted passwords. Connections had to be re-established after being terminated, making the attack difficult to implement. Countermeasures were introduced in TLS 1.1: One of them is to perform MAC verification on packets that fail the padding check. Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons Padding Oracle Realisation Against OpenSSL OpenSSL Implementation of DTLS 1 Results Timing and Packet Processing 2 Introduction to DTLS Results 3 Previous Attacks 5 Attacking the GnuTLS Implementation of DTLS 4 Padding Oracle Realisation Against OpenSSL 6 Lessons Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons Algorithm 2: Padding Oracle for DTLS Packets with invalid padding are silently discarded and MAC OpenSSL implementation of DTLS Data: C verification is not performed. No Result: VALID or INVALID error messages are generated when for q =1to m do RTTq = Timer(C); the padding error is encountered. RTT =Mean(RTT1, RTT2,...,RTTm); if RTT T then This protects the system from return≥ VALID; else the attack introduced by return INVALID; Canvel et al. Timer(C) Set Ts =currenttime; We constructed a new realisation Send n copies of PC ,aDTLSpacketcontainingC,to the targeted system; for the padding oracle to exploit Send a Heartbeat request packet to the targeted system; the OpenSSL implementation of Set Te = time when Heartbeat response packet is seen; return (Te Ts ) DTLS. − Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons We were able to use Heartbeat messages to compensate the lack of error messages. The advisory sends a Heartbeat request message right after the attack message(s). The advisory calculates the time from sending the first message to receiving the Heartbeat response message. To amplify the timing difference we used a train of packets. Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS packet 1 t1,0 t1,1 t1,2 t1,3 packet 2 Heartbeat Request t2,0 t2,1 t2,2 t2,3 Heartbeat Response Ts Tf Te Results Figure 11. Time-line for a train with n =2(not to scale). Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons packet 1 t1,0 t1,1 t1,2 t1,3 packet 2 t2,0 t2,1 t2,2 t2,3 Heartbeat Request Time-line for packet train with valid padding Heartbeat Response Ts Tf Te packet 1 t1,0 t1,1 t1,3 packet 2 Time-line for packet train with invalid padding t2,0 t2,1 t2,3 Heartbeat Request Heartbeat Response Ts Tf Te Nadhem Alfardan and Kenneth Paterson Plaintext-Recovery Attacks Against Datagram TLS Results Introduction to DTLS OpenSSL Implementation of DTLS Previous Attacks Timing and Packet Processing Padding Oracle Realisation Against OpenSSL Results Attacking the GnuTLS Implementation of DTLS Lessons 0.30 0.08 0.06 0.25 0.05 0.06 0.20 0.04 0.15 0.04 0.03 0.10 0.02 0.02 0.05 0.01 540 560 580 600 620 640 1240 1260 1280 1300 1320 1340 1660 1680 1700 1720 (a) l =256 (b) l =1024 (c) l =1456 Figure: 3DES – PDFs for trains of 10 packets and varying the DTLS payload length,