Embed Size (px)
Citation preview
CSE484/CSEM584:ComputerSecurityandPrivacy
CertificateAuthoritiesand
SSL/TLS/HTTPS
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
AuthenticityofPublicKeys
11/2/16 CSE484/CSEM584-Fall2016 2
?
Problem:HowdoesAliceknowthatthepublickeyshereceivedisreallyBob’spublickey?
privatekey
AliceBob
publickey
Announcements
• Lab2(websecurity)willbecomingoutnextTuesday
11/2/16 CSE484/CSEM584-Fall2016 3
RSAdecryption
• Basedonfeedbackandinterest,notinlecture
• I’veaddedaslidetolecture12’sslideswhichexplainsit(it’sslide18)
11/2/16 CSE484/CSEM584-Fall2016 4
RSAdecryption
• Ontheinterestscaleof1-5…– ...someoneanswered0– ...someoneanswered6– …someoneansweredπ– …someoneanswered25
11/2/16 CSE484/CSEM584-Fall2016 5
Securitymindsetanecdote–MiningYourPsandQs
• A2012studytitled“MiningyourPsandQs:DetectionofWidespreadWeakKeysinNetworkDevices”
Scannedtheentireinternettolookforweakpublickeys
11/2/16 CSE484/CSEM584-Fall2016 6
MiningYourPsandQs
• TheywereabletodeterminetheRSAprivatekeyfor0.5%ofHTTPSserversand0.03%ofSSHservers
• How?Insufficientrandomness.0.5%ofkeyssharedaporqwithatleastoneotherkey(butnotboth).
11/2/16 CSE484/CSEM584-Fall2016 7
RSACryptosystem[Rivest,Shamir,Adleman1977]
• Keygeneration:– Generaterandomlargeprimesp,q
• Say,1024bitseach– Computen=pqandϕ(n)=(p-1)(q-1)– Choosesmalle,relativelyprimetoϕ(n)
• Typically,e=216+1=65537– Computeuniquedsuchthated=1modϕ(n)
• Modularinverse:d=e-1modϕ(n)
– Publickey=(e,n);privatekey=(d,n)• Encryptionofm:c=memodn• Decryptionofc:cdmodn=(me)dmodn=m
11/2/16 CSE484/CSEM584-Fall2016 8
Certificates
• Public-keycertificate– Signedstatementspecifyingthekeyandidentity• sigCA(“Bob”,PKB)
11/2/16 CSE484/CSEM584-Fall2016 9
Threat:Man-In-The-Middle(MITM)
11/2/16 CSE484/CSEM584-Fall2016 10
Google.com
Youencounterthiseveryday…
11/2/16 CSE484/CSEM584-Fall2016 11
SSL/TLS:Encryption&authenticationforconnections(Moreonthislater!)
CertificateAuthority
• Trustedorganizationthatverifieswhoownswhatkeysoutofbandandtellseveryoneelsewhosekeysarewhose
11/2/16 CSE484/CSEM584-Fall2016 12
StrawmanCAdesign
1. Youbrowsetowww.cs.washington.edu2. www.cs.washington.edusendsitskeyK3. YourbrowserasksatrustedCA:“hey,keyK
therightkeyforUWCSE?”4. CAreplies“yes”or“no”
Whyisthisabadidea?(Q1)
11/2/16 CSE484/CSEM584-Fall2016 13
RealCAdesign
• Thinkofacertificateasacryptographicallyhard-to-forgepieceofID
11/2/16 CSE484/CSEM584-Fall2016 14
Certificateauthority
(e.g.,VerisignorLet’sEncrypt)
www.cs.washington.edu
<proofthatI’mUWCSEandPKUWCSEismykey>
sigCA(“UWCSE”,PKUWCSE)
ExampleCertificate
11/2/16 CSE484/CSEM584-Fall2016 15
ExampleCertificate
11/2/16 CSE484/CSEM584-Fall2016 16
X.509Certificate
11/2/16 CSE484/CSEM584-Fall2016 17
HierarchicalApproach
• SingleCAcertifyingeverypublickeyisimpractical
• Instead,oneormoretrustedrootauthorities– Everybodymustknowthepublickeyforverifyingrootauthority’ssignatures
• CAsdelegatetootherauthorities– Whathappensifrootauthorityisevercompromised?
11/2/16 CSE484/CSEM584-Fall2016 18
HierarchicalApproach
• SingleCAcertifyingeverypublickeyisimpractical• Instead,useatrustedrootauthority– Forexample,Verisign– Everybodymustknowthepublickeyforverifyingroot
authority’ssignatures• Rootauthoritysignscertificatesforlower-level
authorities,lower-levelauthoritiessigncertificatesforindividualnetworks,andsoon– Insteadofasinglecertificate,useacertificatechain
• sigVerisign(“AnotherCA”,PKAnotherCA),sigAnotherCA(“Alice”,PKA)
– Whathappensifrootauthorityisevercompromised?
11/2/16 CSE484/CSEM584-Fall2016 19
ManyChallenges…
• CAsmakeseriousmistakes– Badsecuritypractices,badoperationalpractices
• Revocationishard…• Usersdon’tnoticewhenattackshappen– We’lltalkmoreaboutthislater
11/2/16 CSE484/CSEM584-Fall2016 20
MiningYourPsandQs
• Apacheshipswitha“snake-oil”certificate--anexamplecertificatefordemonstratinghowtosetupHTTPS
• Astudyfound>85khostsontheinternet(0.66%ofallTLShostsontheinternet)activelyusingthesekeys!
• 22hostshadcertificatesusingthesekeysTHATWERESIGNEDBYACA!
11/2/16 CSE484/CSEM584-Fall2016 21
11/2/16 CSE484/CSEM584-Fall2016 22
AttackingCAsSecurityofDigiNotarservers:• Allcorecertificate
serverscontrolledbyasingleadminpassword(Pr0d@dm1n)
• Softwareonpublic-facingserversoutofdate,unpatched
• Noanti-virus(couldhavedetectedattack)
CollidingCertificates
11/2/16 CSE484/CSEM584-Fall2016 23
serialnumber
validityperiod
realcertdomainname
realcertRSAkey
X.509extensions
signatureidenticalbytes
(copiedfromrealcert)
collisionbits(computed)
chosenprefix(difference)
serialnumber
validityperiod
roguecertdomainname
???
X.509extensions
signature
setbytheCA
HashtothesameMD5value!
Validforbothcertificates!
[Sotirovetal.“RogueCertificates”]
ConsequencesofHackingaCA
• Attackermakesthemselfafakecertificateforasite(say,mail.yahoo.com): fakeCert=sigCA(“Yahoo”,<attacker’skey>)
11/2/16 CSE484/CSEM584-Fall2016 24
Q2:Man-In-The-Middle(MITM)
11/2/16 CSE484/CSEM584-Fall2016 25
mail.yahoo.com
ConsequencesofHackingaCA
• Attackermakesthemselvesafakecertificateforasite(say,mail.yahoo.com): fakeCert=sigCA(“Yahoo”,<attacker’skey>)
• Anattackercanpretendtobeanyrealsite– Forexample,useDNStopoisonthemappingof
mail.yahoo.comtoanIPaddress
• …“authenticate”astherealsite• …decryptalldatasentbyusers– Email,phoneconversations,Webbrowsing
11/2/16 CSE484/CSEM584-Fall2016 26
MoreRogueCerts
• InJan2013,arogue*.google.comcertificatewasissuedbyanintermediateCAthatgaineditsauthorityfromtheTurkishrootCATurkTrust– TurkTrustaccidentallyissuedintermediateCAcertsto
customerswhorequestedregularcertificates– Ankaratransitauthorityuseditscertificatetoissueafake
*.google.comcertificateinordertofilterSSLtrafficfromitsnetwork
• Thisrogue*.google.comcertificatewastrustedbyeverybrowserintheworld
11/2/16 CSE484/CSEM584-Fall2016 27
ManyChallenges…
• CAsmakeseriousmistakes– Badsecuritypractices,badoperationalpractices
• Revocationishard…• Usersdon’tnoticewhenattackshappen– We’lltalkmoreaboutthislater
11/2/16 CSE484/CSEM584-Fall2016 28
CertificateRevocation(Q3)
11/2/16 CSE484/CSEM584-Fall2016 29
CertificateRevocation
• Revocationisveryimportant• Manyvalidreasonstorevokeacertificate– Privatekeycorrespondingtothecertifiedpublickeyhas
beencompromised– UserstoppedpayingtheircertificationfeetothisCAand
CAnolongerwishestocertifyhim– CA’sprivatekeyhasbeencompromised!
• Expirationisaformofrevocation,too– Manydeployedsystemsdon’tbotherwithrevocation– Re-issuanceofcertificatesisabigrevenuesourcefor
certificateauthorities
11/2/16 CSE484/CSEM584-Fall2016 30
CertificateRevocationMechanisms
• Certificaterevocationlist(CRL)– CAperiodicallyissuesasignedlistofrevokedcertificates• Creditcardcompaniesusedtoissuethickbooksofcanceledcreditcardnumbers
– Canissuea“deltaCRL”containingonlyupdates• Onlinerevocationservice– Whenacertificateispresented,recipientgoestoaspecialonlineservicetoverifywhetheritisstillvalid• Likeamerchantdialingupthecreditcardprocessor
11/2/16 CSE484/CSEM584-Fall2016 31
Keybase
• Basicidea:– Relyonexistingtrustofaperson’sownershipofother
accounts(e.g.,Twitter,GitHub,website)– Eachuserpublishessignedproofstotheirlinkedaccount
https://keybase.io/
11/2/16 CSE484/CSEM584-Fall2016 32
SSL/TLS
• SecureSocketsLayerandTransportLayerSecurity– Sameprotocol,newversion(TLSiscurrent)
• DefactostandardforInternetsecurity– “TheprimarygoaloftheTLSprotocolistoprovide
privacyanddataintegritybetweentwocommunicatingapplications”
• DeployedineveryWebbrowser;alsoVoIP,paymentsystems,distributedsystems,etc.
11/2/16 CSE484/CSEM584-Fall2016 33
SSL/TLS
• TLSistypicallyusedontopofaTCPconnection
TLS
• Canbeusedoverothertransportprotocols
11/2/16 CSE484/CSEM584-Fall2016 34
TLSBasics
• TLSconsistsoftwoprotocols– Familiarpatternforkeyexchangeprotocols
• Handshakeprotocol– Usepublic-keycryptographytoestablishasharedsecretkeybetweentheclientandtheserver
• Recordprotocol– Usethesecretsymmetrickeyestablishedinthehandshakeprotocoltoprotectcommunicationbetweentheclientandtheserver
11/2/16 CSE484/CSEM584-Fall2016 35
BasicHandshakeProtocol
11/2/16 CSE484/CSEM584-Fall2016 36
C
ClientHello
S
Clientannounces(inplaintext):• Protocolversionitisrunning• Cryptographicalgorithmsitsupports• Fresh,randomnumber
BasicHandshakeProtocol
11/2/16 CSE484/CSEM584-Fall2016 37
C
C,versionc,suitesc,Nc
ServerHello
SServerresponds(inplaintext)with:• Highestprotocolversionsupportedby
boththeclientandtheserver• Strongestcryptographicsuiteselected
fromthoseofferedbytheclient• Fresh,randomnumber
BasicHandshakeProtocol
11/2/16 CSE484/CSEM584-Fall2016 38
C
versions,suites,Ns,ServerKeyExchange
SServersendshispublic-keycertificatecontainingeitherhisRSA,orhisDiffie-Hellmanpublickey(dependingonchosencryptosuite)
C,versionc,suitesc,Nc
BasicHandshakeProtocol
11/2/16 CSE484/CSEM584-Fall2016 39
C
versions,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc,suitesc,Nc
ClientKeyExchange
Theclientgeneratessecretkeymaterialandsendsittotheserverencryptedwiththeserver’spublickey(ifusingRSA)
BasicHandshakeProtocol
11/2/16 CSE484/CSEM584-Fall2016 40
C
versions,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc,suitesc,Nc
{Secretc}PKsifusingRSA
switchtokeysderivedfromsecretc,Nc,Ns
CandSsharesecretkeymaterial(secretc)atthispoint
switchtokeysderivedfromsecretc,Nc,Ns
FinishedFinished
Recordofallsentandreceivedhandshakemessages
“Core”SSL3.0Handshake(NotTLS)
11/2/16 CSE484/CSEM584-Fall2016 41
C
versions=3.0,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc=3.0,suitesc,Nc
{Secretc}PKsifusingRSA
switchtokeysderivedfromsecretc,Nc,Ns
CandSsharesecretkeymaterial(secretc)atthispoint
switchtokeysderivedfromsecretc,Nc,Ns
FinishedFinished
VersionRollbackAttack
11/2/16 CSE484/CSEM584-Fall2016 42
C
Versions=2.0,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc=2.0,suitesc,Nc
{Secretc}PKsifusingRSA
CandSendupcommunicatingusingSSL2.0(weakerearlierversionoftheprotocolthat
doesnotinclude“Finished”messages)
ServerisfooledintothinkingheiscommunicatingwithaclientwhosupportsonlySSL2.0
“Chosen-Protocol”Attacks
• Whydopeoplereleasenewversionsofsecurityprotocols?Becausetheoldversiongotbroken!
• Newversionmustbebackward-compatible– Noteverybodyupgradesrightaway
• Attackercanfoolsomeoneintousingtheold,brokenversionandexploitknownvulnerability– Similar:foolvictimintousingweakcryptoalgorithms
• Defenseishard:mustauthenticateversioninearlydesigns• Manyprotocolshad“versionrollback”attacks
– SSL,SSH,GSM(cellphones)
11/2/16 CSE484/CSEM584-Fall2016 43
VersionCheckinSSL3.0
11/2/16 CSE484/CSEM584-Fall2016 44
C
versions=3.0,suites,Ns,certificateforPKs,“ServerHelloDone”
S
C,versionc=3.0,suitesc,Nc
{versionc,secretc}PKs
CandSsharesecretkeymaterialsecretcatthispoint
“Embed”versionnumberintosecret
CheckthatreceivedversionisequaltotheversioninClientHello
switchtokeyderivedfromsecretc,Nc,Ns
switchtokeyderivedfromsecretc,Nc,Ns
![DRL : Deep Learning-based Automated Testing of Certificate … · The Transport Layer Security (SSL) [?] and its predeces-sor Transport Layer Security (TLS) [18] protocols are the](https://img.pdfslide.us/doc/110x75/6009b0e965566a1c87217852/drl-deep-learning-based-automated-testing-of-certiicate-the-transport-layer.jpg)
