beast attack on ssl/tls explained

Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 1

Secure Sockets Layer

Transport Layer Security

BEAST Attack

mailto:[email protected]


Outline● History● Design Goals● SSL/TLS Stack● Attacks

● Attack on CBC● BEAST

● Solution

CBC Cipher Block Chaining

BEAST Browser Exploit Against SSL/TLS



History

201219961994

NetscapeSSL 2.0

IETFTLS 1.0 TLS 1.1 TLS 1.2

1999 20082006

SSL 3.0TLS 1.2“refined”

2011

completeredesign

● minor changes● no interoperation

with SSL3● can downgrade

connections toSSL3ch

anges

vers

ion

● MD5-SHA-1 SHA-256↣● authenticated encryption

e.g. AES in CCM mode

● protection against CBC-attacks● implicit IV explicit IV↣

MAC Message Authentication Code MD5 Message Digest Algorithm

IETF Internet Engineering Task Force SHA Secure Hash Algorithm

CBC Cipher Block Chaining AES Advanced Encryption Standard

IV Initialization Vector CCM Counter with CBC-MAC



Design Goals● Cryptographic security

● establish secure connections● secure existing connections● data confidentiality● authentication● reliability

● Interoperability● applications exchange parameters with each other● applications establish connections with each other● specified protocols



Design Goals● Extensibility

● SSL/TLS provides a framework● cryptographic methods can be added

– public key– bulk encryption

● no extensive library/protocol rewriting● Relative efficiency

● ability to adopt to its environment● session caching (saves CPU)● minimal messaging (saves network bandwidth)



SSL/TLS in Common Models

Session

Transport

Network

Data Link

Physical

Application

Transport

Internet

Link

ISO/OSI model TCP/IP model

Presentation

Record

Han

dsh

ake

Ch

an

ge

Cip

her

Sp

ec

Ale

rt

Ap

pli

cati

on

Data Application



SSL/TLS Protocol Stack

Record

Han

dsh

ake

Ch

an

ge

Cip

her

Sp

ec

Ale

rt

Ap

plica

tio

nD

ata

● provides shared transaction layer● ensures

● cryptographic security (data confidentiality)● integrity of payload

● optional payload compression

● negotiates session● crypt. methods● versions

● authentication (opt.)● one-way● two-way

transports upperlayer payload

tells the other partyto apply previouslynegotiated parameters error reporting



BEAST● Browser Exploit Against SSL/TLS (BEAST)● Chosen Plaintext Attack● Targets deterministic Initialization Vectors of

Cipher-Block Chaining



Please note that this is a simplified example,consult reference Educated Guesswork for details.

TLS 1.0CBC

Attack Scenario

Alice Bob

Mallory ● wants to know secret P[16]● eavesdrops encrypted data

between Alice and Bob● can force Alice to send

chosen plaintext● can force Alice to send P



Ciphertext Ciphertext

Cipher-Block Chaining

Block CipherEncryption


Plaintext Plaintext

IV

C0 = E(Key, IV M⊕

0) C

i = E(Key, C

i-1 M⊕

i)



CBC Chosen Plaintext Attack● Force Alice to send P

● Eavesdrop and get Cp= E(Key, C

p-1 ⊕ P)

● Let G be a blind guess of P

● Force Alice to send plaintext Ci-1 ⊕ C

p-1 ⊕ G

● Alice sends Ci = E(Key, C

i-1 ⊕ C

i-1 ⊕ C

p-1 ⊕ G)

● Ci = E(Key, C

p-1 ⊕ G)

● If Ci==C

p then G==P

This requires a lot of guessingand it is not very handy!



BEAST● Force Alice to send NULL[0-14] P[0]● Eavesdrop and get

Cp= E(Key, C

p-1 ⊕ NULL[0-14] P[0])

● Let G be a blind guess of P[0]● Force Alice to send plaintext

Ci-1

⊕ Cp-1

⊕ NULL[0-14] G

● Alice sendsC

i = E(Key, C

i-1 ⊕ C

i-1 ⊕ C

p-1 ⊕ NULL[0-14] G)

Ci = E(Key, C

p-1 ⊕ NULL[0-14] G)

● If Ci==C

p then G==P[0] This requires up to 28=256

guesses. We can do this!



BEAST

Ci-1

C⊕p-1

NULL[0-13]⊕

P[0]

P[0]P[1]

Ci-1

C⊕p-1

NULL[0-14]⊕

P[0-15]

.

.

.

256 possibleciphertexts

256 possibleciphertexts

voilà!

known

unknown

legend:

16 byte block



Solution: Explicit IV

Ciphertext Ciphertext


IV


IV

Plaintext Plaintext

Ci = E(Key, IV

i M⊕

i)C

0 = E(Key, IV

0 M⊕

0)



Questions?

Thank you for your kind attention.

● References

● Jörg Schwenk. Sicherheit und Kryptographie im Internet: Von sicherer E-Mail bis zu IP-Verschlüsselung (German Edition). Vieweg+Teubner Verlag, 2010.

● T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176.

● T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746, 6176.

● Dan Goodin. Hackers break SSL encryption used by millions of sites. The Register, 2011. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ (Retrieved 2012-04-13)

● Security impact of the Rizzo/Duong CBC "BEAST" attack. Educated Guesswork, 2011.http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html (Retrieved 2012-04-13)


beast attack on ssl/tls explained

Technology