ssl/tls eavesdropping with fullpath control

©A10 Networks, Inc.

The Mechanics of SSL/TLS Eavesdropping with Full Path ControlMike Thompson

2©A10 Networks, Inc.

Not a Mathematician!!! -> Don’t fault me on my math.

Work for A10 Networks as a Principal Architect.

Jack of all trades

Formula One Junky

Python Junky

You can find me on LinkedIn: Layer427expert

A little about myself


The topics of SSL/TLS is enormous.

We will not cover every topic.

We will try to give you the basis of understanding so that we can talk about eavesdropping.

We will not be covering cryptographic attacks in the eavesdropping section.

If you have questions we will be more than happy to talk after class.

There is a lot of things we can discuss but lets stay on point.

I am the only rat hole digger in this lab. After the lab we can dig over a drink.

Actors:

About this Lab/Lecture


Basics of SSL

Basics of SSL Eavesdropping

Utilizing SSL Eavesdropping for Defense

SSL Eavesdropping for Offense and Detection

Lab Agenda

Basics of SSL/TLS


The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. - We will come back to this

Through Public key cryptography it is the basis for E-Commerce Security and Trust

Utilized by almost everyone: “Who wants to be secure…”

Source of pain felt globally when vulnerabilities are found.

For non-security people, it is:– Blindly Trusted

– Never questioned

– Always Secure

What is SSL?

http://en.wikipedia.org/wiki/Client%E2%80%93server_model

http://en.wikipedia.org/wiki/Eavesdropping

http://en.wikipedia.org/wiki/Tamper-evident


Think of SSL/TLS having four parts:– The Protocol

– Key Exchange

– Bulk Crypto Operations

– Chain of Trust

The primary purpose of SSL/TLS to compute a secret key that will be utilized for symmetric encryption. – This is accomplished through Asymmetric Cryptography

The Purpose of SSL/TLS


SSL/TLS can provide:– identification:

When the Chain of Trust can be established.

– authentication When client authentication is enabled.

– confidentiality Encryption of data in flight.

– integrity Through Cipher Suites

Benefits

The SSL/TLS Protocol


Protocol Basics

Think of the TLS handshake messages similar to TCP handshake.The messages are to negotiate a set of parameters that will be utilized going forward.


Client Hello

Purpose:

1. Establish Protocol Version2. Send Random Number 13. Session ID if it exist4. Send List of support

Cipher Suites1. Each Cipher will tell you what it

is doing. You have to just understand what each segment explains

5. Compression Algorithm


Purpose:

1. Version Number

2. Send Random Number 2

3. Session ID if exist.

4. Set the Cipher Suite

5. Send Public Certificate.

6. Compression Algorithm

Server Hello


Client Key ExchangePurpose:

1. Send Pre-shared Master encrypted with Public Key

Between the Server Hello and the Client Key Exchange the Client Validates the Certificate against its Root CA list.

We will discuss this a later section.


Client Change Cipher SpecPurpose:

1. Notify Server that all further messages will be Encrypted


Client Encrypted Handshake Message

Purpose:

1. First messaged send to server that is encrypted.

2. Will be utilized by server to see if encrypted channel is valid.

3. End of handshake from client


Server Change Cipher Spec & Encrypted Handshake Message

Purpose:

1. Notifies client that server decrypted messages

2. Generates the master secrete and sends the client a finish message encrypted.


Version Differences

SSL Alerts

MAC

HMAC

What was note covered

Public-Key Cryptographyand their corresponding cipher suites


RSA

– RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it was not declassified until 1997.[1]**wikipedia

– Currently is the most widely utilized.

– Utilizes a modular arithmetic.

DH <- We are not going to cover this topic. We will talk about PFS and ECDH specifically.

– first published by Whitfield Diffie and Martin Hellman in 1976.[2] By 1975, James H. Ellis,[3] Clifford Cocks and Malcolm J. Williamson within GCHQ, the British signals intelligence agency, had also shown how public-key cryptography could be achieved; however, their work was kept secret until 1997.[4]Utilizes **wikipedia

– Utilizes a modular arithmetic.

ECC

– The use of elliptic curves in cryptography was suggested independently by Neal Koblitz[1] and Victor S. Miller[2] in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005.

– Based on the algebraic structure of elliptic curves over finite fields.

– Hurts my head to think don’t let the pretty graph fool you….

Public-Key Encryption Algorithms

http://en.wikipedia.org/wiki/Whitfield_Diffie

http://en.wikipedia.org/wiki/Martin_Hellman

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange%23cite_note-Diffie_1976-3

http://en.wikipedia.org/wiki/James_H._Ellis

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange%23cite_note-4

http://en.wikipedia.org/wiki/Clifford_Cocks

http://en.wikipedia.org/wiki/Malcolm_J._Williamson

http://en.wikipedia.org/wiki/Government_Communications_Headquarters

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange%23cite_note-5

http://en.wikipedia.org/wiki/Neal_Koblitz

http://en.wikipedia.org/wiki/Elliptic_curve_cryptography%23cite_note-1

http://en.wikipedia.org/wiki/Victor_S._Miller

http://en.wikipedia.org/wiki/Elliptic_curve_cryptography%23cite_note-2

Cipher Suites


Cipher Suites notation

cipher id a unique 2-3 byte cipher identifier. For example, SSL2_RC4_128_WITH_MD5 is identified as 0x010080 and TLS_RSA_WITH_3DES_EDE_CBC_SHA is identified as 0x00000A or simply 0x000A.Name common cipher suite name. TLS ciphers have //TLS_Kx_[Au]_FROM_Enc_MAC// format. SSL2 only use RSA for key exchange and authentication, so their names have //SSL2_Enc_WITH_MAC// format.Protocol Most ciphers suites fall into either //TLS// or //SSL/SSL2// protocols. The only exception is Microsoft's proprietary //PCT// protocol.Kx Key exchange algorithm. Most popular exchange methods are RSA and Diffie-Hellman (DH/DHE). Some of the more exotic methods include Kerberos (KRB5), Pre-Shared Key (PSK), and others.Au Authentication algorithm. RSA is commonly used for key authentication.Enc Symmetric encryption algorithm (e.g. DES, 3DES, AES, RC4, etc.)Bits Effective symmetric encryption key size in bits. Export for export outside US are limited to 40-56 bits.MAC Hashing algorithm used for TLS/SSL data packets integrity and authentication checks.Anon Anonymous cipher suites with no key authentication. Highly vulnerable to man in the middle attack.Export Intentionally crippled cipher suite to conform to US export laws. Symmetric cipher used in export cipher suites typically does not exceed 56bits.NULL Null cipher suites do not provide any data encryption and/or data integrity. //TLS_NULL_WITH_NULL_NULL (0x0000)// cipher suite is used during initial session establishment.

Source:https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/


Cipher Suite Examples

Cipher ID Name Protocol Kx Au Enc Bits Mac0x000009 TLS_RSA_WITH_DES_CBC_SHA TLS RSA RSA DES_CBC 56 SHA0x00003C TLS_RSA_WITH_AES_128_CBC_SHA256 TLS RSA RSA AES_128_CBC 128 SHA2560x00003D TLS_RSA_WITH_AES_256_CBC_SHA256 TLS RSA RSA AES_256_CBC 256 SHA2560x00003E TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLS DH DSS AES_128_CBC 128 SHA2560x00003F TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLS DH RSA AES_128_CBC 128 SHA2560x00C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS ECDH RSA AES_128_CBC 128 SHA0x00C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS ECDH RSA AES_256_CBC 256 SHAx00009E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS DHE RSA AES_128_GCM 128 SHA256

Green Indicates Perfect Forward Secrecy Support


Note: We are not talking about ECC Cipher Suite yet….. We will get to that.

Based on the RSA algorithm

Encryption: c = m^e mod n

Decryption: m = c^d mod n

– Encryption and Decryption are inverse functions

Remember how back in school:

15 = 3*5 and the inverse is 5 = 15/3

RSA Asymmetric Cryptography

Where:e = exponentm = messagen = public certd = private keyc = cipher text


Non-Padded Example

e = 7d = 1810402843n = 2534665157

msg = "Hello World!"print "Message Send:", msgcipher_buffer = []for m in msg: #c = pow(ord(m), e, n) c = pow(ord(m), e, n) print "Clear Text:",m, "| Cipher Text:",c cipher_buffer.append(c)print ”Message in flight", "".join(str(x) for x in cipher_buffer)msg = ""for c in cipher_buffer: m = chr(pow(c,d,n)) print "Cipher Text:", c, "| Clear Text:", m msg = msg + mprint "Message Recieved:",msg

Message Send: Hello World!Clear Text: H | Cipher Text: 942978039Clear Text: e | Cipher Text: 2268399915Clear Text: l | Cipher Text: 1042287397Clear Text: l | Cipher Text: 1042287397Clear Text: o | Cipher Text: 1592280001Clear Text: | Cipher Text: 1409091327Clear Text: W | Cipher Text: 2057956152Clear Text: o | Cipher Text: 1592280001Clear Text: r | Cipher Text: 2200164507Clear Text: l | Cipher Text: 1042287397Clear Text: d | Cipher Text: 2390226036Clear Text: ! | Cipher Text: 2063800465

Message in flight: 94297803922683999151042287397104228739715922800011409091327205795615215922800012200164507104228739723902260362063800465

Cipher Text: 942978039 | Clear Text: HCipher Text: 2268399915 | Clear Text: eCipher Text: 1042287397 | Clear Text: lCipher Text: 1042287397 | Clear Text: lCipher Text: 1592280001 | Clear Text: oCipher Text: 1409091327 | Clear Text: Cipher Text: 2057956152 | Clear Text: WCipher Text: 1592280001 | Clear Text: oCipher Text: 2200164507 | Clear Text: rCipher Text: 1042287397 | Clear Text: lCipher Text: 2390226036 | Clear Text: dCipher Text: 2063800465 | Clear Text: !

Message Received: Hello World!


This is where padding schemas come into play.

However lots of padding attacks are discovered.

Read online about this if you want to dig deeper.

.

Plain RSA is vulnerable to attack….

Basic SSL/TLS Math – Using ECC Cipher Suites

and enabling Perfect Forward Secrecy


ECC CryptographyEquation:

y^2 = x^3 + ax + b

However there is a lot of complex subject behind it…

If you want to read a great set of post visit:http://jeremykun.com/2014/02/08/introducing-elliptic-curves/

https://www.certicom.com/10-introduction

So lets move on to ECDH to get a practical example.

http://jeremykun.com/2014/02/08/introducing-elliptic-curves/






Diffie–Hellman

Alice and Bob agree to use a prime number p = 23 and base g = 5 (which is a primitive root modulo 23). Alice chooses a secret integer a = 6, then sends Bob A = ga mod p A = 56 mod 23 = 8 Bob chooses a secret integer b = 15, then sends Alice B = gb mod p B = 515 mod 23 = 19 Alice computes s = Ba mod p s = 196 mod 23 = 2 Bob computes s = Ab mod p s = 815 mod 23 = 2 Alice and Bob now share a secret (the number 2).

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange


Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel.

The shared secrete will be utilized to perform symmetric encryption. – In the case of the following Cipher Specification AES^256 is utilized:

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

ECDH

When reviewing ECC I was configured about how the Finite Field was initialized and I realized it specified in the domain parameters. For more information http://csrc.nist.gov/groups/ST/toolkit/documents/SP800-56Arev1_3-8-07.pdf


Session 1:

FiniteField: 3851

Secret keys, Alice: 194 , Bob:33

base_point (920 (mod 3851), 303 (mod 3851)) 3014 2809

Public keys, Alice:(3014 (mod 3851), 2809 (mod 3851)) , Bob:(1324 (mod 3851), 2950 (mod 3851))

Shared secret: ALice:(2462 (mod 3851), 3558 (mod 3851)) , Bob:(2462 (mod 3851), 3558 (mod 3851))

Bob is extracing x-coordinate to get an integer shared secret: 2462

Alice is extracing x-coordinate to get an integer shared secret: 2462

ECDH Working Example Session 1


FiniteField: 3851

Secret keys, Alice: 90 , Bob:74

base_point (920 (mod 3851), 303 (mod 3851)) 1034 733

Public keys, Alice:(1034 (mod 3851), 733 (mod 3851)) , Bob:(3241 (mod 3851), 1093 (mod 3851))

Shared secret: Alice:(2718 (mod 3851), 3657 (mod 3851)) , Bob:(2718 (mod 3851), 3657 (mod 3851))

Bob is extracing x-coordinate to get an integer shared secret: 2718

Alice is extracing x-coordinate to get an integer shared secret: 2718

ECDH Working Example Session 2


forward secrecy is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.

You do not get this with RSA– Remember Client Random 1 and Sever Random 1

– If session was recorded and private key is compromised past sessions can be compromised

– If private key is compromised then present and future sessions are also compromised.

Cipher suites that use ephemeral Diffie-Hellman (DHE) or the elliptic-curve variant (ECDHE) will have perfect forward secrecy

Perfect Forward Secrecy


Lots of things….

Items Not in slides Covered in this section

Chain of Trust Anchored by Roots


Building the Chain


The RootTrusted Root Store on your device


CRL

CSR

Items Not in slides Covered in this section

Basics of SSL/TLS Eavesdropping


http://threatpost.com/lenovo-superfish-certificate-password-cracked/111165

http://www.pcworld.com/article/2453343/microsoft-revokes-trust-in-certificate-authority-operated-by-the-indian-government.html

http://www.fastcompany.com/3042030/tech-forecast/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be

on and on and on

In the news













The rest of the class we will focus on Trusted Root CA Poisoning and Root CA Compromise.

We will focus on full-wire-control eavesdropping a.k.a Man-in-the-Middle

We not cover brute force or crypto attacks for eavesdropping.

If you want to explore server private key compromise then take a private key off the server and utilize wire shark.

Eavesdropping


BGP

Route Injection

ARP Poison

Wireless control

so on.

Ways to Gain Full Wire Control


Lets look at the chain of Trust one more time. 1. Lets talk, but I need to know if I should

trust you. 2. Here is my cert saying I know ICARus

and there is his signature. 3. Have I untrusted ICArus? No4. Do I Trust ICArus? Let me Check5. Here is my cert that says Carolyn Trust

me and here is her signature. 6. Have I untrusted CArolyn? No7. Do I Trust CArolyn?8. Here is my cert that says I Trust myself

and here is my signature signature. --- Carolyn’s Signature was Trusted by someone who put it their so I must Trust it, right? Why note……9. Hey buddy you’re a swell guy…


Lost of money gets spent to become a CA.

Last time I checked in 2002 it was going to cost more in audit fees the first year then we calculated the first 10 years revenue would be…

Here is how to get into the Windows OS– https://msdn.microsoft.com/en-us/library/cc751157.aspx

If you are “really” a corporation you will do everything to make sure you are Trusted.

Not being Trusted can put you out of business…. An this is the problem…

TO be or not to be...Trusted

https://msdn.microsoft.com/en-us/library/cc751157.aspx

https://msdn.microsoft.com/en-us/library/cc751157.aspx


From the time the CA is compromised to the time the compromise is discovered puts anyone who trusted that CA at risk for Man in the Middle Attacks.

After the CA compromise is discovered there is still a delta between a updated Revocation list or security update made available.

There is another delta between the revocation list or security update being made available until it is applied by the home user or the corporate administrator.

This is the WORST OF THE WORST because it could compromise everyone on the internet.

Effects Root CA Compromise


This is where a ROOT CA certificate is implanted with in the Trusted ROOT CA store with out the knowledge or authorization of the owner of the system.

How can this happen?– Malware

– Physical Access

– Trusted programs

– Ignorance…

This is a more targeted approach. This will also be the most common encountered.

Root CA Poisoning


Eve’s Frame of Reference


Eve C2 - DefenseYou are allowed one rule group at a time.

What this means is you can fill in every field however this will be the compete rule set.

Click the activate button to send the defensive commands.

Click the disable protection to remove the commands

Active will overwrite the existing rule


EVE C2 - Offense

This tool be be utilized to inject content into the data path.

It will also load the data that was captured form the Eavesdropping.

Do not goose yourself by putting sensitive information into the lab systems.


EVEC2 - Exploit

This tool in conjunction with your browser or python scripts will give you the ability to send pre defined exploits to the server over SSL.

The bot payload will send a pre-defind payload to the command server over SSL


EVEC2 - Utility

This will place your latest pcap file that has data.


Add Server Information here when lab it build

We will be utilizing DVWA which is a vulnerable web application written in PHP for as the target.

There are Twisted Instances that are written for

Server Type

Utilizing SSL Eavesdropping for Defense


Cyber Threats Hidden in SSL Traffic

–35%+ of Internet traffic is encrypted

–50% of attacks will use encryption to bypass controls by 2017

–80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic

70%+SSL Traffic

For some organizations

Sources: “SSL Performance Problems,” NSS Labs, 2013 and service provider data“Security Leaders Must Address Threats From Rising SSL Traffic,” 2013


SSL Traffic Observed by a Service Provider

SSL ~40% of Traffic


Drivers for SSL Traffic Growth

Snowden Leaks in June 2013–Revelations of NSA snooping

increased privacy concerns

Privacy watchdogs now publish SSL report cards


Surveillance and Search Engine Ranking

New disclosures in 2014 that governments were leveraging app vulnerabilities to inject surveillance software in web traffic

– Targeted sites YouTube and Microsoft Liveused as conduits to inject malware

– Now YouTube & MS Live encrypt traffic

In August 2014, Google announced itwould rank SSL sites higher for SEO

Source: Washington Post


SSL Performance Impact on Next Gen Firewalls

Juniper SRX3600 Stonesoft 3202 Palo Alto Networks PA-5020

SourceFire 8250 Check Point 12600 Dell SonicWALL E10800

Fortinet 3600C SourceFire 82900%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Performance Impact with 2048-bit SSL Ciphers

81%: The average of performance loss across 7 NG Firewalls

Source: “SSL Performance Problems,” NSS Labs, 2013


SSL Encryption Risks


BACKGROUND Organization had deployed

security devices from many leading security vendors

SSL traffic not inspected due to performance, scale, & complexity

RESULT OF ATTACK Attackers infiltrated network,

installed malware, and stole data across multiple end-points

Organization dropped internet connectivity for days, performed lengthy forensics and remediation

ESTIMATED FINANCIAL COSTS Lost productivity and forensic investigation= Medium Cost Loss of intellectual property = High Cost

Impact of Not Inspecting SSL: A Case Study

FINDINGS: Network security tools could have prevented this attack if the tools had had visibility into SSL traffic


How Malware Developers Exploit Encrypted Traffic

Botnet Herder

Clients

Data exfiltration over SSL channels Command

and Control Servers

HTTPS

Malicious file ininstant messaging

Drive-by downloadfrom an HTTPS site

Malicious attachmentsent over SMTPS

• Encryption obscures:– Bot installation– C&C communication– Data exfiltration


Reference Architecture: Inline Deployment

1. A10 Thunder ADC decrypts outbound SSL traffic

2. A third-party security device inspects traffic in clear text

3. A second Thunder ADC appliance encrypts SSL traffic and forwards it to the Internet

4. Thunder ADC decrypts the response from the Internet

5. The third-party security device inspects inbound traffic

6. Thunder ADC encrypts and forwards the response to the server

Other

DLPUTM

IDS

Server

A10 ADC

A10 ADC

Encrypted

Decrypted

Encrypted

Inspection and

Protection

Client

16

2

5

3

4


Reference Architecture: Non-inline Deployment

A Thunder ADC intercepts and decrypts SSL traffic

Thunder ADC forwards decrypted traffic to third party security devices

Security devices inspects traffic for attacks or data loss

Thunder ADC encrypts decrypted traffic and forwards it to the intended destination

Encrypted

Decrypted

Encrypted

Client

A10 Thunder ADC

Security Devices

Internet Server

SSL/TLS Eavesdropping for Offense and Detection of.


In the News


SSL Eavesdropping Offense


Governments– Gathering Intelligence

– Hiding exfiltration traffic

– Avoid Detection

– Bot Command and Control

– others?

Criminals– Click Fraud

– Theft of personal data

– money

– Ego

What is the motivation?

SKY-NET– Destruction of the human race.

– Kill John Conner



SSL ~40% of Traffic

Lab 3: Offense


Lab 3 Scenario

You are at some coffee shop.You need to check your bank account because your (“Mine, I am projecting”) calls up and says I need $5000.00 today for college. So you connect to the WIFI hot spot and…

Little did you know that DNS has been hijack and a server is in play owned by the attacker. The Eve here has full-wire-control because they own the hotspot.

You figure that everything would be alright. So just click ok…


Open Your Browser and go to and type in https://www.hotspot.dcc.lab/login/login.html

Enter any username

Enter any password

Click Login

You will be redirected.

Lab 3 Instructions: Step 1

https://www.hotspot.dcc.lab/login/login.html


Once redirected download the application.


Click


Install the application



Application Will install ICON on Desktop.

If the Application is Not started click on the icon.

Enter any username and password again.

And Click Logon,



Since we still need to install the certificate we will utilize a little bit of social engineering to get you do this.

Older Version of Windows or other operating systems this could be bypassed easier if we are delegated foo super user privileges during setup...

Just click ok… You son needs money.



Accept is like most users.




When you see the log out button you know everything thing is good.

Your Browser will open over the application window. And take you to your banking website.

If you are not able to connect to install the certificate or can not signal to the attacker you will be denied access.


Validate the Bad Root CA is installed.


SSL/TLS Eavesdropping for Offense and Detection of.


Governments– Gathering Intelligence

– Hiding exfiltration traffic

– Avoid Detection

– Bot Command and Control

– others?

Criminals– Click Fraud

– Theft of personal data

– money

– Ego

What is the motivation?

SKY-NET– Destruction of the human race.

– Kill John Conner



SSL ~40% of Traffic

Offense Attack Example


Attack Scenario

You are at some coffee shop.You need to check your bank account because your (“Mine, I am projecting”) calls up and says I need $5000.00 today for college. So you connect to the WIFI hot spot and…

Little did you know that DNS has been hijack and a server is in play owned by the attacker. The Eve here has full-wire-control because they own the hotspot.

You figure that everything would be alright. So just click ok…


Open Your Browser and go to and type in https://www.hotspot.dcc.lab/login/login.html

Enter any username

Enter any password

Click Login

You will be redirected.

Redirect to the webpage

https://www.hotspot.dcc.lab/login/login.html


Once redirected download the application.

Install Agent

Click


Application Will install ICON on Desktop.

If the Application is Not started click on the icon.

Enter any username and password again.

And Click Logon,



Validate the Bad Root CA is installed.


Eaves Drop Detection Detection


In the News


Cert Pinning

Embedded Certificate in Compiled Code.

OCSP

CRL

How to protect against offensive attacks?


Physically Proximity Full-wire-control is needed for a successful attack.

Potentially PGP Encrypted Payload to validation services.

Validation Server outside of last mile different path.

Third Party Alternate Path


Example CodeDetected

Clear Path