Return of Bleichenbacher's Oracle Threat (ROBOT)

Return of Bleichenbacher's Oracle Threat (ROBOT)

Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Juraj Somorovsky TLS History Secure Sockets Layer (SSL), SSLv2 Wagner, Schneier: Analysis of 1995 SSLv3 SSLv3 Bleichenbacher’s attack Transport Layer Security Padding oracle 2000 attack Padding oracle attack 2005 TLS 1.1 TLS 1.2 2010 BEAST, CRIME, BREACH, Lucky 13 TLS 1.3 2015 2 2 Provably secure crypto Constant-time implementations Man-in-the- Middle attacks Padding oracle attacks 3 Padding oracle attacks 4 About this talk • Return Of Bleichenbacher’s Oracle Threat (ROBOT). Hanno Böck, Juraj Somorovsky, Craig Young. USENIX Security 2018 • Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt. USENIX Security 2019 Overview – ROBOT 1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn Designed by Ange Albertini 6 TLS Protocol (High Level Overview) 1. TLS Handshake • Selection of algorithm, version, extensions • Key exchange: RSA, (EC)DH, (EC)DHE 2. Encrypted and authenticated data transport 7 TLS RSA Handshake ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec RSA encrypted premaster (Client-) Finished secret ChangeCipherSpec (Server-) Finished 8 RSA PKCS#1 v1.5 • Used to pad and encrypt the premaster secret: • To pad it to the RSA key length • To add randomization • Example for TLS 1.2: 00 02 [non-zero padding] 00 03 03 [secret] Encryption 0x00 TLS 1.2 version block type Delimiter (Yes, very intuitive) 9 Bleichenbacher’s Attack • 1998: Adaptive chosen-ciphertext attack • Exploits strict RSA PKCS#1 v1.5 padding validation Ciphertext C C1 valid/invalid C2 valid/invalid Starts with 00 02 ? … M = Dec(C) 10 Bleichenbacher’s Attack • The attack needs some math (not going into details here) • “Million message attack” (but could also be faster) Questions: 11 Creating Bleichenbacher’s Oracle ClientHello Server ServerHello Certificate Modified ServerHelloDone ciphertext ClientKeyExchange’ ChangeCipherSpec (Client-) Finished: Decrypt Bad Record Error / MAC Alert 12 TLS Countermeasure ClientHello ServerHello Certificate ServerHelloDone If the attacker can ClientKeyExchange’ distinguish valid / ChangeCipherSpec (Client-) Finished: invalid PKCS#1 messages, he wins Alert 13 Overview – ROBOT 1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn Designed by Ange Albertini 14 Hanno Found a Weird Behavior of Facebook ClientHello Server ServerHello Certificate ServerHelloDone ClientKeyExchange’ ChangeCipherSpec (Client-) Finished: Illegal Bad Record Parameter / MAC Alert 15 Can We Exploit It? • Idea: It would be funny to sign a message with Facebook’s private key • Yes, signing is possible as well • Millions of queries needed…would Facebook block us? • Successful after several tries: “We hacked Facebook with a Bleichenbacher Oracle (JS/HB).” • Facebook fixed 16 Facebook: New Attempt ClientHello Server ServerHello Certificate ServerHelloDone ClientKeyExchange’ ChangeCipherSpec (Client-) Finished: / 17 Facebook Fixed Again • This is interesting. So how about other servers? 18 Overview – ROBOT 1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn Designed by Ange Albertini 19 Let’s Start Scanning • Careful selection of ClientKeyExchange messages: • Wrong TLS version • Wrong padding length 00 02 [non-zero padding] 00 03 03 [secret] • Not starting with 0x00 02 • Full / Shortened TLS handshakes: ClientHello ClientHello ServerHello ServerHello Certificate Certificate ServerHelloDone ServerHelloDone ClientKeyExchange’ ClientKeyExchange’ ChangeCipherSpec ChangeCipherSpec (Client-) Finished: (Client-) Finished: 20 Alexa Top 1 Million Scan • 2,8 % vulnerable • PayPal, Apple, ebay, Cisco, … • Different behaviors…different combinations: TCP connection resets Timeouts Illegal Bad Record Handshake Internal Different alerts Parameter / MAC Alert / Failure / Error /.. Duplicate alerts Alert / Alert Alert 21 Overview – ROBOT 1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn Designed by Ange Albertini 22 Who Is Responsible for These Mistakes? • Reporting is not always that easy … Your server is vulnerable to Bleichenbacher‘s attack. No worries, we use millitary grade encryption. 23 Don’t Fix for Some Vendors … Cisco ACE • Supports only TLS RSA • Cisco: We won't fix it, it's out of support for several years • But there were plenty of webpages still running with these devices Like cisco.com 24 Identified (Most of) Them 25 Test Tools • No easily usable test tool for Bleichenbacher attacks available • Currently implemented in SSL Labs, testssl.sh, TLS-Attacker, tlsfuzzer 26 Overview – ROBOT 1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn Designed by Ange Albertini 27 What Did We Learn? • 20 year old attacks still work • New side channels • Timeouts • TCP resets • Duplicated alerts • How about scanning for other vulnerabilities? 28 About this talk • Return Of Bleichenbacher’s Oracle Threat (ROBOT). Hanno Böck, Juraj Somorovsky, Craig Young. USENIX Security 2018 • Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt. USENIX Security 2019 • Can we effectively scan for CBC oracles at scale? • Can we also identify vulnerabilities and avoid false positives/negatives? • Are these vulnerabilities exploitable? Overview – Padding Oracle Attacks 1. Vaudenay’s (padding oracle) attack 2. Padding oracle attack on TLS 3. Scalable scanning 4. Vulnerability clustering 5. Findings 30 Cipher Block Chaining (CBC) Encryption m1 m2... m3 ... pad Block Cipher Block Cipher Block Cipher k Encryption k Encryption k Encryption IV C1 C2 C3 31 Cipher Block Chaining (CBC) Decryption IV C1 C2 C3 Block Cipher Block Cipher Block Cipher k Decryption k Decryption k Decryption m1 m2... m3 ... pad 32 CBC Malleability IV C1 Block Cipher k CBC decryption Decryption m1 33 CBC Malleability: Example 10 Block Cipher k CBC decryption Decryption 01 34 CBC Malleability: Example 10 10 Block Cipher k CBC decryption Decryption 10 01 35 Why Are We Talking about Padding Oracles? • CBC has a fixed padding structure m1 m2... m3 ... pad • Valid padding values: • 0x01 • 0x02 0x02 • 0x03 0x03 0x03 • …. 36 Vaudenay’s Padding Oracle Attack Scenario • 2002 • Adaptive chosen-ciphertext attack CBC Ciphertext C IV C1,...,Cn C’ IV‘ C1 valid/invalid C’’ IV‘‘ C1 valid/invalid Correct padding? 0x01 … M = Dec(C) 0x02 0x02 … 37 Vaudenay’s Padding Oracle Attack IV‘ IV | C1 16 IV’16=0...0xFF AES dec Goal x x16 m 01 m'16=0...0xFF x16 = 0x01 ⊕ IV’16 38 Vaudenay’s Padding Oracle Attack IV‘ IV‘ IV | C1 15 016 IV’15=0...0xFF AES dec Goal x X15` x16 m 02 0102 m'15=0...0xFF 39 Padding Oracles Exploited in Many Scenarios d Privacy ecurity an sium on S E Sympo 2011 IEE in ASP.NET DesignFlaws of Cryptographic eb: The Case y in the W Cryptograph JulianoRizzo Netifera gentina Aires,Ar Buenos a.com Thai Duong juliano@netifer AOnline Vnsecurity/HV , Vietnam a gold Minh City Web become Ho Chi .net make the together thaidn@vnsecurity errors cryptographic xt attacks. case misused chosen-cipherte the y is mine for by examining based how cryptograph . Our focus this point scusses the Web illustrate web applications paper di part of developed paper, we in in —This a large ork e In this first released Abstract design of framew sites. W implementationsork was As application net web framew work. in the security the web all Inter design of cryptographic The .NET Frame .NET, 25% of .NET [12]. of the Internet is on ASP powers cryptographicdescribe on ASP ersion1.0 of all the osoft that use multiple We with v that25% view by Micr can ab applications. ers to 2002 believed 1 we re attackers web w attack January it is .NET. Here show that ASP.NET that allo tokens 2010, ASP on at the compromise attacks of September eloped using stableversi flaws to efficient for ge authentication are dev current several and highly keysand decryption web sites was the apply to practical secret combine keysfor which also The attacks reuseof v4.0, comments steal cryptographic ormation. and the easons ASP.NET Our ve inf e some r accesssensiti encryptions, , we giv and of submission. .NET. to Finally time of ASP .NET v4.0. oracles,unauthenticatedpurposes. in web technologies, vious versions in ASP encryption misused pre flaws present differ ent y is often es. cryptographic have been thesemistak several out to of why cryptograph to avoid , observe turns steps eb security We flaw (which is a consequence recommend , W serious years) and Security The most almost three two practical y, Application encryption. .NET for We present crypto- -Cryptograph in ASP ers to steal Keywords attack, Unauthenticated encryption. w attack destroy oracle unauthenticated that allo tokensand Decryption ficient attacks ef ge authentication v4.0 application. ION highly keys, for .NET ODUCT secret ASP decryption I. I NTR graphic of every combine know if model that audenay can one the security xt attacks by V ed, “How

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    69 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us