beast attack on ssl/tls explained
TRANSCRIPT
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 1
Secure Sockets Layer
Transport Layer Security
BEAST Attack
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 2
Outline● History● Design Goals● SSL/TLS Stack● Attacks
● Attack on CBC● BEAST
● Solution
CBC Cipher Block Chaining
BEAST Browser Exploit Against SSL/TLS
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 3
History
201219961994
NetscapeSSL 2.0
IETFTLS 1.0 TLS 1.1 TLS 1.2
1999 20082006
SSL 3.0TLS 1.2“refined”
2011
completeredesign
● minor changes● no interoperation
with SSL3● can downgrade
connections toSSL3ch
anges
vers
ion
● MD5-SHA-1 SHA-256↣● authenticated encryption
e.g. AES in CCM mode
● protection against CBC-attacks● implicit IV explicit IV↣
MAC Message Authentication Code MD5 Message Digest Algorithm
IETF Internet Engineering Task Force SHA Secure Hash Algorithm
CBC Cipher Block Chaining AES Advanced Encryption Standard
IV Initialization Vector CCM Counter with CBC-MAC
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 4
Design Goals● Cryptographic security
● establish secure connections● secure existing connections● data confidentiality● authentication● reliability
● Interoperability● applications exchange parameters with each other● applications establish connections with each other● specified protocols
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 5
Design Goals● Extensibility
● SSL/TLS provides a framework● cryptographic methods can be added
– public key– bulk encryption
● no extensive library/protocol rewriting● Relative efficiency
● ability to adopt to its environment● session caching (saves CPU)● minimal messaging (saves network bandwidth)
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 6
SSL/TLS in Common Models
Session
Transport
Network
Data Link
Physical
Application
Transport
Internet
Link
ISO/OSI model TCP/IP model
Presentation
Record
Han
dsh
ake
Ch
an
ge
Cip
her
Sp
ec
Ale
rt
Ap
pli
cati
on
Data Application
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 7
SSL/TLS Protocol Stack
Record
Han
dsh
ake
Ch
an
ge
Cip
her
Sp
ec
Ale
rt
Ap
plica
tio
nD
ata
● provides shared transaction layer● ensures
● cryptographic security (data confidentiality)● integrity of payload
● optional payload compression
● negotiates session● crypt. methods● versions
● authentication (opt.)● one-way● two-way
transports upperlayer payload
tells the other partyto apply previouslynegotiated parameters error reporting
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 8
BEAST● Browser Exploit Against SSL/TLS (BEAST)● Chosen Plaintext Attack● Targets deterministic Initialization Vectors of
Cipher-Block Chaining
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 9
Please note that this is a simplified example,consult reference Educated Guesswork for details.
TLS 1.0CBC
Attack Scenario
Alice Bob
Mallory ● wants to know secret P[16]● eavesdrops encrypted data
between Alice and Bob● can force Alice to send
chosen plaintext● can force Alice to send P
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 10
Ciphertext Ciphertext
Cipher-Block Chaining
Block CipherEncryption
Block CipherEncryption
Plaintext Plaintext
IV
C0 = E(Key, IV M⊕
0) C
i = E(Key, C
i-1 M⊕
i)
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 11
CBC Chosen Plaintext Attack● Force Alice to send P
● Eavesdrop and get Cp= E(Key, C
p-1 ⊕ P)
● Let G be a blind guess of P
● Force Alice to send plaintext Ci-1 ⊕ C
p-1 ⊕ G
● Alice sends Ci = E(Key, C
i-1 ⊕ C
i-1 ⊕ C
p-1 ⊕ G)
● Ci = E(Key, C
p-1 ⊕ G)
● If Ci==C
p then G==P
This requires a lot of guessingand it is not very handy!
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 12
BEAST● Force Alice to send NULL[0-14] P[0]● Eavesdrop and get
Cp= E(Key, C
p-1 ⊕ NULL[0-14] P[0])
● Let G be a blind guess of P[0]● Force Alice to send plaintext
Ci-1
⊕ Cp-1
⊕ NULL[0-14] G
● Alice sendsC
i = E(Key, C
i-1 ⊕ C
i-1 ⊕ C
p-1 ⊕ NULL[0-14] G)
Ci = E(Key, C
p-1 ⊕ NULL[0-14] G)
● If Ci==C
p then G==P[0] This requires up to 28=256
guesses. We can do this!
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 13
BEAST
Ci-1
C⊕p-1
NULL[0-13]⊕
P[0]
P[0]P[1]
Ci-1
C⊕p-1
NULL[0-14]⊕
P[0-15]
.
.
.
256 possibleciphertexts
256 possibleciphertexts
voilà!
known
unknown
legend:
16 byte block
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 14
Solution: Explicit IV
Ciphertext Ciphertext
Block CipherEncryption
IV
Block CipherEncryption
IV
Plaintext Plaintext
Ci = E(Key, IV
i M⊕
i)C
0 = E(Key, IV
0 M⊕
0)
Dan Luedtke <[email protected]> ● Wed Apr 18, 2012 ● University of the German Federal Armed Forces, Munich ● Slide 15
Questions?
Thank you for your kind attention.
● References
● Jörg Schwenk. Sicherheit und Kryptographie im Internet: Von sicherer E-Mail bis zu IP-Verschlüsselung (German Edition). Vieweg+Teubner Verlag, 2010.
● T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), January 1999. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176.
● T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), April 2006. Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746, 6176.
● Dan Goodin. Hackers break SSL encryption used by millions of sites. The Register, 2011. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ (Retrieved 2012-04-13)
● Security impact of the Rizzo/Duong CBC "BEAST" attack. Educated Guesswork, 2011.http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html (Retrieved 2012-04-13)