Attacks on SSL/TLS Applied Cryptography

Andreas Hülsing (Slides mostly by Ruben Niederhagen)
November 30th, 2017
department of mathematics and computer science

Timeline of attacks on SSL/TLS

[Figure: Timeline of attacks on SSL/TLS, axis 2010 to 2016, with Padding Oracle (2002) before the axis. Attacks shown: SSLstrip, BEAST, CRIME, Lucky 13, BREACH, Royal Holloway, FREAK, Bar-mitzvah, Heartbleed, POODLE, Logjam, RC4 NOMORE.]

SSLstrip Attack (2009)

- Eve wants to read the traffic between Alice and Bob’s webserver.
- Problem: Bob offers http via TLS.
- Solution: Make sure Alice uses an unencrypted connection.

People usually start SSL connections in two different ways:

- Click on links that happen to be https.
- Through HTTP 302 redirects. (Try to enter http://www.google.nl/ in your web browser.)

Idea: Parse web traffic and strip the “s” from all links to https.

https → http

SSLstrip Attack (2009)

- Watch HTTP traffic go by.
- Switch <a href="https://..."> to <a href="http://..."> and remember what has changed.
- Switch request https://... to http://... and remember what has changed.
- If we see an HTTP request for a URL that we had stripped, proxy that as HTTPS.
- Watch the HTTPS traffic go by; remember relative links, CSS links, JavaScript, ...
- Server does not notice any difference.
- No warning message is displayed to the client; the client needs to look out for https marks explicitly (and know about them).
- Eve sees all the traffic.

SSLstrip Attack (2009)

Countermeasure: HTTP Strict Transport Security (HSTS).

- Inform the browser to always use SSL/TLS to the site.
- This information is stored by the browser for all future connections.
- Can also be stripped by attacker; only works if first connection was not intercepted.
- Some browsers are shipped with static HSTS list for some sites.

Best countermeasure: Carefully check that site is encrypted when handling sensitive information!
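
The HSTS behaviour listed above, as an added example that is not part of the original slides: a minimal model of a browser-side HSTS store in the spirit of RFC 6797. It shows the header being ignored over plain HTTP, the upgrade of later http:// requests, and the first-visit gap that a static list closes. The class, its method names and the bank.example host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Model of a browser's HSTS state (after RFC 6797); names are illustrative."""
    def __init__(self, preloaded=()):
        # host -> (expiry, include_subdomains); assumed: static entries cover subdomains
        self.entries = {h: (float("inf"), True) for h in preloaded}

    def note_response(self, url, headers, now):
        """Store a Strict-Transport-Security header; ignore it over plain HTTP."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False  # header on an unprotected connection is not trusted
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age" and arg.strip('"').isdigit():
                max_age = int(arg.strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 deletes the entry
        else:
            self.entries[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_hsts_host(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// before the request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def first_visit_demo():
    store = HstsStore()  # constructed host; nothing preloaded
    before = store.rewrite("http://bank.example/login", now=0)
    store.note_response("https://bank.example/", {"Strict-Transport-Security": "max-age=600"}, now=0)
    return before, store.rewrite("http://bank.example/login", now=1)
```

The first element returned by `first_visit_demo()` is still an http:// URL: until one untampered HTTPS response has been seen, only a preloaded entry protects the host.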

BEAST Attack (2011)

Recall the CBC mode of operation:

[Figure: Cipher Block Chaining (CBC) mode encryption: plaintext blocks, initialization vector (IV), block cipher encryption under the key, ciphertext blocks.]

BEAST Attack (2011)

[Figure: CBC encryption of Plaintext 0, 1, 2 to Ciphertext 0, 1, 2. First build: guessed Plaintext 1, chained with Ciphertext 2, encrypts to Ciphertext 3. Second build: guessed Plaintext 1 combined with Ciphertext 2, Ciphertext 0 and Ciphertext 2 encrypts to Ciphertext 1.]

BEAST Attack (2011)

- Idea: De-randomize encryption to verify guess
- Target: $E(k; P_2 \oplus C_1) = C_2$
- Use guess $X$ for $P_2$.
- Insert $X$ after the $i$th ciphertext $C_i$:
  • $C_{i+1} = E(k; X \oplus C_i)$
  • For correct guess $C_{i+1} \neq C_2$!
- Fix chaining value:
  • Step 1: $X' = X \oplus C_i$ (remove wrong chaining value)
  • Step 2: $X'' = X' \oplus C_1$ (add correct chaining value)
- $C_{i+1} = E(k; X'' \oplus C_i) = E(k; X \oplus C_i \oplus C_1 \oplus C_i) = E(k; X \oplus C_1)$
- For $X = P_2$ we now get $C_{i+1} = C_2$!
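
The chaining-value identity above carried through in code, as an added example that is not part of the original slides. It compares a sender that reuses the last ciphertext block as the next IV with one that draws a fresh random IV per record, which is the mitigation. `E` is an HMAC-based stand-in for the block cipher, and all names and sample blocks are assumptions constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16

def E(k, block):
    # Stand-in for the block cipher E(k; .): a keyed deterministic function is all
    # the equality check needs (HMAC is not invertible, so this cannot decrypt).
    return hmac.new(k, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CbcSender:
    """CBC record encryption. chained=True reuses the last ciphertext block as the
    next IV (as TLS 1.0 did); chained=False draws a fresh random IV per record."""
    def __init__(self, key, chained):
        self.key, self.chained = key, chained
        self.last = os.urandom(BLOCK)

    def send(self, plaintext):
        iv = self.last if self.chained else os.urandom(BLOCK)
        prev, out = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = E(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.last = prev
        return iv, out

def check_guess(sender, guess, c1, c2, c_i):
    """Submit X'' = X xor C_i xor C_1 and compare the result C_{i+1} with C_2."""
    _, (c_next,) = sender.send(xor(xor(guess, c_i), c1))
    return c_next == c2, c_next

def demo(chained):
    sender = CbcSender(os.urandom(16), chained)
    # Constructed sample blocks P0, P1, P2 (16 bytes each).
    p = [b"P0-public-block!", b"P1-public-block!", b"P2-secret-block!"]
    _, (c0, c1, c2) = sender.send(b"".join(p))
    # C_i is the last block seen on the wire, i.e. the predicted next IV.
    wrong, c_i = check_guess(sender, b"P2-wrong--guess!", c1, c2, c2)
    right, _ = check_guess(sender, p[2], c1, c2, c_i)
    return wrong, right
```

`demo(True)` confirms only the correct guess, while `demo(False)` confirms neither, because the prediction of the chaining value no longer holds once the IV is unpredictable.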
