Forward Secrecy
Fall 2017 Secure Software Systems
The Threat
- "Eve" (cough, NSA, cough) records multiple years of encrypted messages between Alice and Bob from 2015-2017
- Can't break them – algorithm & implementation contains no known flaws
- Then, in October 2017, a zero-day exploit allows Eve to steal the encryption key from Alice
- Result: All historical messages saved can be decrypted
Revisiting – Heartbleed
- Not just a hypothetical concern!
- OpenSSL (2014) - CVE-2014-0160:
  - Allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys
- Allows attacker to recover a private key today, and decrypt any & all old encrypted traffic they may have stored
Forward Secrecy
- Forward Secrecy – Past sessions are protected against future compromise of secret keys
- Perfect Forward Secrecy – Each encryption/decryption key is valid for only one "session"
  - Look for this!
Perfect Forward Secrecy Examples
- Transport Layer Security (TLS)
  - Ephemeral Elliptic Curve Diffie-Hellman: ECDHE-RSA, ECDHE-ECDSA (E is for Ephemeral)
  - Ephemeral Diffie-Hellman: DHE-RSA, DHE-DSA
  - Easy to enable server-side, but can get lost in blizzard of TLS options and backwards compatibility
- Signal Protocol
  - Double Ratchet Algorithm: https://signal.org/blog/advanced-ratcheting/
  - Signal messenger, WhatsApp, Facebook Messenger
Transport Layer Security (TLS)
Transport Layer Security (TLS)
- Encryption provided at the application layer
  - Physical layer – Ethernet
  - Network layer – IP
  - Transport layer – TCP
  - Application layer – TLS first, then…
- Common uses: web (HTTPS), email, VOIP, messaging
Transport Layer Security (TLS)
- Two variants
  - Secure Socket Layer (SSL) – don't use!
    - SSL 1.0 (never publicly used), SSL 2.0, SSL 3.0
  - Transport Layer Security (TLS) – modern successor
    - TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 (draft)
Transport Layer Security (TLS)
- Hybrid encryption scheme
  - Public key encryption for handshake
  - Symmetric key encryption for bulk data transport
  - Key is unique per session and negotiated during handshake
- MACs to provide integrity
  - Data didn't change in transit
- Certificate authorities (CAs) to provide authenticity
  - I'm communicating with the intended party
- Many (many!) choices in specific ciphers & algorithms
Transport Layer Security (TLS)
Handshake between HTTPS client and HTTPS server:

1. Client hello (client → server): version, crypto options, nonce
2. Server hello + server cert (PKs) (server → client): version, crypto options, nonce, signed certificate w/ server's public key
3. Server key exchange (server → client, when using DH)
4. Client key exchange (client → server): PreMaster secret encrypted with server's PKs
5. Handshake finished. Switch to negotiated block cipher
6. Data transmission (HTTP over TLS)
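The script below is an added example, not code from the lecture. It ties together the threat slide (Eve records years of traffic, then steals the long-term key), the definition of forward secrecy, and the two paths in the handshake above: a ClientKeyExchange carrying a premaster secret encrypted under the server's long-term public key (step 4 alone) versus a ServerKeyExchange carrying a fresh DH value (step 3, then step 4 with the client's DH value). Every primitive is a toy stand-in chosen so the script runs on the standard library alone: textbook RSA over two Mersenne primes with no padding, Diffie-Hellman in the group p = 2**127 - 1 with g = 3, and a SHA-256 counter keystream in place of a real cipher. None of that is usable cryptography; the structure of the two handshakes is the point.

```python
"""Toy model: RSA key transport vs ephemeral DH under a later key theft.

Added example for the lecture's threat scenario. All parameters are TOY sizes
and textbook constructions; do not reuse any of this as real cryptography.
"""
import hashlib
import secrets

# Server's long-term RSA key (toy: two Mersenne primes, textbook RSA, no padding).
P_RSA, Q_RSA = 2**107 - 1, 2**89 - 1
N_RSA = P_RSA * Q_RSA
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))  # the secret Eve steals in "October 2017"

# Toy Diffie-Hellman group (2**127 - 1 is prime; nowhere near a real-world size).
P_DH, G_DH = 2**127 - 1, 3


def kdf(premaster: int, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Session key from the premaster and both hello nonces (shape of the TLS 1.2 PRF, not its definition)."""
    return hashlib.sha256(premaster.to_bytes(32, "big") + client_nonce + server_nonce).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Symmetric: the same call encrypts and decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_sign(data: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % N_RSA, D_RSA, N_RSA)


def rsa_verify(data: bytes, sig: int) -> bool:
    return pow(sig, E_RSA, N_RSA) == int.from_bytes(hashlib.sha256(data).digest(), "big") % N_RSA


def handshake(kind: str, plaintext: bytes) -> dict:
    """Run one session and return only what a passive recorder (Eve) sees on the wire."""
    client_nonce, server_nonce = secrets.token_bytes(32), secrets.token_bytes(32)  # ClientHello / ServerHello
    wire = {"kind": kind, "client_nonce": client_nonce, "server_nonce": server_nonce}
    if kind == "rsa":
        # ClientKeyExchange: premaster secret encrypted under the server's long-term public key.
        premaster = secrets.randbits(128)
        wire["client_key_exchange"] = pow(premaster, E_RSA, N_RSA)
    else:
        # ServerKeyExchange: fresh g^y, signed with the long-term key so the client knows
        # who it is talking to. ClientKeyExchange: fresh g^x. x and y are dropped after use.
        y = secrets.randbelow(P_DH - 2) + 2
        x = secrets.randbelow(P_DH - 2) + 2
        g_y = pow(G_DH, y, P_DH)
        wire["server_key_exchange"] = g_y
        wire["signature"] = rsa_sign(client_nonce + server_nonce + g_y.to_bytes(16, "big"))
        wire["client_key_exchange"] = pow(G_DH, x, P_DH)
        premaster = pow(wire["client_key_exchange"], y, P_DH)  # client computes pow(g_y, x, P_DH): same value
    key = kdf(premaster, client_nonce, server_nonce)
    wire["application_data"] = toy_cipher(key, plaintext)  # "switch to negotiated cipher"
    return wire


def client_accepts_server_key_exchange(wire: dict) -> bool:
    """The client-side check on ServerKeyExchange; needs only the server's public key."""
    g_y = wire["server_key_exchange"].to_bytes(16, "big")
    return rsa_verify(wire["client_nonce"] + wire["server_nonce"] + g_y, wire["signature"])


def eve_decrypt(wire: dict, stolen_d: int):
    """Eve holds the recording and, later, the server's private exponent."""
    if wire["kind"] == "rsa":
        # The long-term key IS the decryption key for every recorded ClientKeyExchange.
        premaster = pow(wire["client_key_exchange"], stolen_d, N_RSA)
        key = kdf(premaster, wire["client_nonce"], wire["server_nonce"])
        return toy_cipher(key, wire["application_data"])
    # DHE: the stolen key only ever signed g^y. The premaster depends on x or y, neither of
    # which was sent or stored; from g^x and g^y alone she faces the discrete-log problem.
    return None


def demo() -> dict:
    msg = b"2015-2017: everything Alice said to Bob"  # constructed sample plaintext
    recorded = {kind: handshake(kind, msg) for kind in ("rsa", "dhe")}
    # "October 2017": the zero-day hands Eve D_RSA. Which recordings fall?
    return {kind: eve_decrypt(w, D_RSA) == msg for kind, w in recorded.items()}


if __name__ == "__main__":
    print(demo())  # {'rsa': True, 'dhe': False}
```

Run it and the RSA-transport recording decrypts while the DHE recording does not, even though the same long-term key was stolen in both cases; that gap is what the "E" in ECDHE/DHE buys.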
https://www.ssllabs.com/ssltest/analyze.html?d=cyberlab.pacific.edu
List was much longer (and weaker!) until custom configuration was applied to server
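An SSL Labs report is one way to see which suites a server offers; the check below does the same from the server's own configuration, before it is deployed. It is an added example, not code from the lecture or from SSL Labs, and uses only Python's standard `ssl` module on top of the system OpenSSL. Which suite names come back depends on that OpenSSL build, so the audit classifies suites by name rather than comparing against a fixed list: `ECDHE-*` and `DHE-*` are the ephemeral TLS 1.2 suites, every TLS 1.3 suite is ephemeral by construction, and a bare name such as `AES256-GCM-SHA384` means RSA key transport.

```python
"""Audit a TLS server context so that only forward-secret suites remain.

Added example; uses only the standard library. Suite names depend on the local
OpenSSL build, so classification is by name prefix.
"""
import ssl

# Prefixes of suites whose key exchange is ephemeral: ECDHE-*/DHE-* in TLS 1.2 and all
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*). "AES256-GCM-SHA384" (RSA key transport)
# and "ECDH-RSA-..." (static ECDH) do not match and are what the audit should flag.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")


def is_forward_secret(suite_name: str) -> bool:
    return suite_name.startswith(FORWARD_SECRET_PREFIXES)


def audit_suites(suite_names):
    """Split suite names into (forward-secret, not forward-secret), order preserved."""
    fs = [n for n in suite_names if is_forward_secret(n)]
    non_fs = [n for n in suite_names if not is_forward_secret(n)]
    return fs, non_fs


def hardened_server_context() -> ssl.SSLContext:
    """A server context that leaves no non-ephemeral suite to negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are off the table
    # TLS 1.2 list: ephemeral key exchange with AEAD ciphers only; anonymous and
    # null-encryption suites excluded explicitly. TLS 1.3 suites are configured
    # separately by OpenSSL and are all ephemeral, so they need no entry here.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def offered_suite_names(ctx: ssl.SSLContext):
    """The resolved list this context would actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def context_is_forward_secret(ctx: ssl.SSLContext) -> bool:
    return audit_suites(offered_suite_names(ctx))[1] == []


if __name__ == "__main__":
    fs, non_fs = audit_suites(offered_suite_names(hardened_server_context()))
    print(f"{len(fs)} forward-secret suites offered; {len(non_fs)} to remove: {non_fs}")
```

The same `audit_suites` function can be pointed at the cipher list of any other server (for example the names SSL Labs lists) to find the suites that would let a later key compromise expose recorded traffic.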
Certificate Authorities
- Trusted third party
  - Trusted by owner of certificate (e.g. website)
  - Trusted by party relying on certificate (e.g. visitor)
Certificate Authorities
- Comodo is used by 16.4% of all websites
- Comodo is a SSL certificate authority with a market share of 39.2%
- October 13 2017 data
https://w3techs.com/technologies/overview/ssl_certificate/all
Certificate Weaknesses
- Method 1: Place desired common name (e.g. "fakebook.com") in a bogus cert
  - Web browsers will validate cert and detect forgery
  - Other software libraries may have broken validation code and miss the forgery!
- Method 2: Trick/hack/bribe a CA to issue & sign. Any CA can issue any certificate for any domain!
  - Apple "System Roots" keychain: 168 entries
  - Other players also decide what root CAs to trust
    - Microsoft, Mozilla, Android
Root CA Misuse
- DigiNotar (Dutch CA)
  - Attacker signed wildcard cert for *.google.com
  - Used to conduct MITM attack against Google (multiple ISPs in Iran)
  - Issued July 27 2011, detected Aug 27 2011
  - Removed as trusted root CA Aug 29 2011
  - Company bankrupt
Root CA Misuse
- WoSign (Chinese CA)
  - Issued fake cert in 2016 for subdomain.github.com due to shoddy/missing ownership verification process
    - https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com
  - Backdated SHA-1 certifications
    - Browsers were intentionally blocking weak SHA-1 certs after Jan 1 2016
    - https://wiki.mozilla.org/CA:WoSign_Issues
  - Subsidiary StartCom/StartSSL (Israel)
  - Slowly removed as trusted root CA in 2016-2017 by Google, Mozilla, Apple
  - But still in my Keychain? (?????)
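The "still in my Keychain?" question is one you can answer for the trust store your own programs use. The script below is an added example, not code from the lecture: it lists the roots Python's default context loads from OpenSSL's system store and searches their subjects for the CAs named on these slides. Two caveats are built in: a GUI keychain may hold roots OpenSSL never sees, and OpenSSL reports certificates from a capath directory only once they have been used, so an empty result is not proof that a root is absent. The watch-list names are search strings taken from the lecture, and the sample certificate in the usage note is constructed.

```python
"""Search the local OpenSSL trust store for roots the lecture lists as distrusted.

Added example; standard library only. An empty result is not proof of absence
(see the capath note in the lead-in), and GUI keychains are a separate store.
"""
import ssl

# Organizations the lecture discusses as distrusted or withdrawn; matched as
# case-insensitive substrings of the certificate subject.
WATCHLIST = ("DigiNotar", "WoSign", "StartCom")


def subject_string(cert: dict) -> str:
    """Flatten ssl's subject tuples ((('countryName', 'NL'),), ...) into 'countryName=NL, ...'."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("subject", ()) for k, v in rdn)


def find_watchlisted(certs, watchlist=WATCHLIST):
    """Return (watchlist name, subject, notAfter) for every cert whose subject matches."""
    hits = []
    for cert in certs:
        subject = subject_string(cert)
        for name in watchlist:
            if name.lower() in subject.lower():
                hits.append((name, subject, cert.get("notAfter")))
                break
    return hits


def system_roots():
    """The roots OpenSSL hands to a default Python client context (as ssl's cert dicts)."""
    ctx = ssl.create_default_context()  # already calls load_default_certs()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    roots = system_roots()
    print(f"{len(roots)} trusted roots loaded from the system store")
    for name, subject, not_after in find_watchlisted(roots):
        print(f"  still trusted ({name}): {subject}; expires {not_after}")
```

`find_watchlisted` takes the list-of-dicts shape that `SSLContext.get_ca_certs()` returns, so a constructed entry such as `{"subject": ((("organizationName", "DigiNotar"),),), "notAfter": "<placeholder date>"}` exercises it without touching the real store.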
Root CA Misuse
- Symantec (US CA)
  - Accused by Google of issuing 30,000 suspect certificates
    - Not 30k attacks, but 30k certs with insufficient validation, audit, assurance, etc…
  - Chrome Root Certificate Policy - What you must do if you want Google to trust you!
    - https://www.chromium.org/Home/chromium-security/root-ca-policy
  - Google issued progressive death penalty (Chrome will stop trusting customer certs signed by Symantec in late 2018)
  - Aug 2 2017: Symantec sells certificate business to competitor DigiCert for $950 million (cheap!) who will audit and re-certify following best practices

"Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates" - March 23 2017, https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ