Encryption - The Dark Side
ISSA Web Conference, September 30, 2014
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time
Welcome
Conference Moderator: CEO and Founder, VigiTrust
• Speaker Introduction
– Paul Williams, Chief Technology Officer, White Badger Group
– Jason Sabin, VP of Research & Development, DigiCert
– Kenny Paterson, EPSRC Leadership Fellow & Professor of Information Security at Royal Holloway, University of London
• Open Panel with Audience Q&A
• Closing Remarks
Why Take Encryption Head On, When You Can Bypass It?
Paul Williams, Chief Technology Officer, White Badger Group, September 30, 2014
o Endpoint Attacks Bypass Encryption
o Application Attacks Don’t Play “Fair”
o Weak / Shared / Duplicative Passwords
o Password Capture Defeats Encryption
o Improperly Protected Backup & Recovery Keys
o Vulnerable PKI Architecture
o Attacking & Defeating Encryption Head On
o Risk Management 101: Do Gains Exceed Total Cost of Deployment and Maintenance?
Endpoint Attacks Bypass Encryption
[Diagram: administrator’s endpoint connected to the network over an encrypted VPN tunnel]
1. Hacker targets network administrator “protected” with whole disk encryption, encrypted VPN, and more
2. Administrator connects to network as per usual
3. Hacker negates use of multiple defense technologies, including encryption.
Application Attacks Don’t Play “Fair”
[Diagram: side-by-side architecture stacks of Microsoft Windows (Win32, POSIX and OS/2 subsystems above the Executive services, microkernel, device drivers and HAL) and Unix/Linux/BSD (system call interface above the scheduler, virtual memory manager, VFS, network stack and device drivers)]
Weak / Shared / Duplicative Passwords
June 2011: An app developer estimated that 15% of all iPhone smartphones used
Password Capture Defeats Encryption
Improperly Protected Backup & Recovery Keys
o Serious Insider Threat Risk from Rogue Network Administrators
Vulnerable PKI Architecture
o Insider Threats
o Internal Network Attacks
o Computer Malware
Attacking & Defeating Encryption Head On
• Weak Key Generation:
– Pseudo-random algorithm flaws
– Application level attacks
– Computer malware
• Weak Encryption Ciphers
• Hash Collision Attacks
• Man-in-the-Middle Attacks on Key Exchanges
• Encryption Hardware & Software Implementation Flaws
• Brute Force Key Factoring
Risk Management 101: Do Gains Exceed Total Cost of Deployment and Maintenance?
1. The Law of Diminishing Returns strongly affects the selection and deployment of encryption technology
2. The cost of deploying encryption may quickly outweigh any gain
3. In large scale enterprise IT networks, far higher returns on investment can typically be obtained with investments elsewhere
Contact Info
Paul Williams, Chief Technology Officer, White Badger Group LLC
Direct: (281) 719-9345
Main: (888) 505-3768 ext. 104
Email: [email protected]
www.whitebadger.com
Question and Answer
#ISSAWebConf
Jason Sabin, VP of Research & Development, DigiCert
SSL: High Level View
• 51% of enterprises do not know all of the keys and certs on their network*
• 26% of websites support weak or insecure cipher suites**
• Still seeing 1024-bit key sizes or lower
• Only ~15% of SSL certificates on the web use SHA-2**
• Heartbleed in hardware and statically compiled applications
• Certificate Transparency
* Based on research by Ponemon Institute
Is your network secure?
What is the one thing that most exploits have in common? They exploit improper SSL implementation.
Improper SSL Implementation
• Heartbleed
• Goto Fail
• BEAST, CRIME, BREACH, etc
• Weak cipher suites
• Weak algorithms
• Weak private keys
SHA-1 Transition
• Microsoft SHA-1 Deprecation Timeline
– January 1, 2016 – Microsoft will end trust for SHA-1 Code Signing Certificates
– January 1, 2017 – Microsoft will end trust for SHA-1 SSL Certificates
• Mozilla SHA-1 Deprecation Timeline
– Firefox early 2015 release
• SHA-1 certs expiring Jan 1, 2017 or later receive a security warning
– Firefox 2016 release
• “Untrusted Connection” error when a newly issued SHA-1 certificate is encountered
– Firefox 2017 release
• “Untrusted Connection” error whenever a SHA-1 certificate is encountered.
SHA-1 Transition
• Google SHA-1 Deprecation Timeline
– Chrome 37 – current version
– Chrome 38 – beta in progress
– Chrome 39 – beta launch Sep 26, 2014
• SHA-1 certs expiring Jan 1, 2017 or later receive yellow triangle warning
– Chrome 40 – beta launch Nov 7, 2014
• SHA-1 certs expiring between June 1, 2016-December 31, 2016 receive yellow triangle warning
• SHA-1 certs expiring after Jan 1, 2017 receive neutral warning (shows https in grey instead of green)
– Chrome 41 – beta launch Q1 2015
• SHA-1 certs expiring Jan 1, 2016 -> Dec 31, 2016 receive yellow triangle warning
• SHA-1 certs expiring Jan 1, 2017 or later receive red strike-through warning
Heartbleed still?
• Where is Heartbleed now?
– Statically compiled applications
– Hardware devices
– Mobile/Tablet devices
– Internal servers and infrastructure
• Companies’ response
– Tech giants started funding OpenSSL and other critical open source projects.
Always On SSL
• Refocused with HTTPS Everywhere
• Google SEO ranking
– Marketing cares and concerns
SSL “best practices”
• Always-On SSL
• Secure Cookies
• HSTS (HTTP Strict Transport Security)
• Disable Weak Cipher Suites
• Secure Renegotiation
• Disable TLS Compression
• Perfect Forward Secrecy
Future Concerns
• Internet of Things
• Internet of Everything
Thanks
• SSL Analysis Tools
– https://www.ssllabs.com
– https://www.digicert.com/cert-inspector.htm
– https://www.digicert.com/sha1-sunset/
– http://www.whynopadlock.com/
Jason Sabin, Vice President of Research & Development
The Dark Side of… SSL/TLS
Kenny Paterson, Information Security Group, Royal Holloway, University of London
Agenda
• I plan to talk about some recent developments for SSL/TLS and extract some learning points as we go along.
• SSL/TLS
• Heartbleed
• Wrap-up
About The Speaker
• Academic, but spent 5 years in an industrial research lab, 1996-2001. Still involved in IPR, consulting, industry liaison.
• RHUL since 2001: “You are teaching Network Security”. Leading to research into how crypto is used in Network Security.
• EPSRC Leadership Fellow, 2010-2015: “Cryptography: Bridging Theory and Practice”
– e.g. attacks on IPsec (2006, 2007, 2010), SSH (2009), SSL/TLS (2011, 2013, 2013), WPA (2014), EMV (2012), MPPE (2014),…
SSL/TLS
• Probably the world’s most widely deployed cryptographic protocol.
• Almost ubiquitous, not just secure e-commerce.
• Increasing focus for analysis from research community.
Highly Simplified View of TLS
[Diagram: Client and Server running the Handshake Protocol, then the Record Protocol]
• Handshake Protocol: used by client and server to 1. negotiate ciphersuite, 2. authenticate, 3. establish keys used in the Record Protocol.
• Record Protocol: provides confidentiality and authenticity of application layer data using keys from the Handshake Protocol.
The TLS Ecosystem (1/3)
• Servers
– Including managed service providers (CloudFlare, Akamai)
• Clients
– Of all shapes and sizes
• Certification service providers
– Of all shapes, sizes and levels of security
• Software vendors
– From Google down to one-man open-source operations
– OpenSSL somewhere in-between
• Hardware vendors
The TLS Ecosystem (2/3)
• TLS versions:
– SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
– Many servers even still support SSL 2.0
• 200+ ciphersuites
– https://www.thesprawl.org/research/tls-and-ssl-cipher-suites
– Some highly esoteric, e.g. TLS_KRB5_WITH_3DES_EDE_CBC_MD5
• TLS extensions
– Too numerous to mention.
• DTLS
The TLS Ecosystem (3/3)
• IETF TLS Working Group
– Also IETF UTA Working Group (UTA = Using TLS in Applications)
• Growing community of researchers
– Blackhat or Crypto?
– Attacks or security proofs?
– Handshake Protocol, Record Protocol or both?
– Full protocol including session resumption, renegotiation, ciphersuite negotiation?
– Provable security or formal methods or something else?
– Game-based, UC or constructive cryptography?
• The TLS ecosystem has become very complex and vibrant.
TLS Has Been in the News…
• BEAST (2011)
• CRIME (2012)
• Lucky 13 and RC4 attacks (both 2013).
• Renegotiation attack (2009), triple Handshake attack (2014).
• Poor quality of implementations (particularly in certificate handling).
– Apple goto fail (2013)
– GnuTLS certificate processing bug (2013)
– OpenSSL CCS bug (2014)
– Frankencerts (2014)
Focus: Lucky 13
• Key dates:
– We started work in December 2011.
– Key breakthrough in March 2012 (+4 months)
– Research paper completed November 2012 (+11 months).
– Attack disclosed in February 2013 (+15 months).
– Research paper presented in May 2013 (+18 months).
Focus: Lucky 13
– Full plaintext recovery attack on CBC-mode encryption.
– Exploiting a timing side-channel introduced because of implementation advice in TLS specification.
– Hard to mount attack in practice – semi-practical/semi-theoretical.
Focus: Lucky 13
• How do you disclose an attack on a protocol that has dozens of different implementations and millions of users?
– Coordination amongst all stakeholders.
– Risk of leakage and panic before agreed time.
• We opened up multiple channels of communication.
– Initially IETF
– OpenSSL, Mozilla, Cisco, Apple, Microsoft, Google, Oracle, Opera, BouncyCastle, F5, and numerous open source projects.
– NOT end users.
– Hundreds of e-mails, December 2012 to February 2013.
– We helped a number of vendors with patch testing.
• Also building a website, preparing a press release, priming journalists and bloggers.
Focus: Lucky 13
• D-Day: February 4th 2013
– One week after expected paper notification.
• Significant media exposure.
– Viral spread of the story across Internet over a 72 hour period.
– Ars Technica, TheRegister, Slashdot, Wired,…
• Most major vendors issued patches within a few days.
• Eventual presentation at academic conference in May 2013 was a damp squib by comparison!
• To read more: http://www.isg.rhul.ac.uk/tls/Lucky13.html
The Changing Face of TLS
• 42.6% of Alexa top 200k servers now support TLS 1.2.
– Up from 17% one year ago and 5% two years ago. (source: SSL Pulse, Sept. 2014)
• TLS 1.2 support in browsers: Chrome since release 30; Firefox since release 28; IE since IE11; Safari since iOS 5 and OS X 10.9. (source: Wikipedia, Nov. 2013)
The Changing Face of TLS
• Snapshot from ICSI Certificate Notary Project:
[Chart from the ICSI Certificate Notary Project; only the values 15.3% and 1.6% survive, without their labels]
A Newsworthy Protocol
• TLS has really been in the news… the Heartbleed bug.
• What is it about Heartbleed that caught the wider media’s imagination?
• Pressure built and the dam finally broke?
• Severity of the threat (leakage of private information, inc. server private keys)?
• Widespread use of OpenSSL.
• A good logo?
Heartbleed
• Heartbleed was not a crypto problem, per se.
• It was a software bug that happens to affect one implementation of a cryptographic protocol.
• Classic problem of (un)safe handling of untrusted user input.
• Heartbeat = secure ping for SSL/TLS.
• Response to ping read beyond the boundary of the buffer assigned to the incoming message.
• A leak of server memory contents.
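The unsafe-input problem described above, as an added example (not code from the talk or from OpenSSL): a heartbeat responder in C that validates the claimed payload length against the bytes actually received before echoing anything. The message layout follows RFC 6520; the two sample requests are constructed, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS Heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a HeartbeatResponse for the request in rec[0..rec_len).
 * Returns the number of bytes written to out, or -1 if the request is
 * rejected. The bounds check on payload_len is the one the unpatched
 * OpenSSL 1.0.1 code lacked: it trusted the sender's length field and
 * copied that many bytes, reading past the end of the received record. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Claimed payload + header + padding must fit in what was actually
     * received (the same check the 1.0.1g fix added). */
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only bytes we received */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real TLS uses random padding */
    return (int)resp_len;
}

/* Constructed sample: well-formed request carrying the 5-byte payload "hello". */
static const uint8_t GOOD_REQ[] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Constructed sample: identical bytes, but the length field claims 16384
 * payload bytes that were never sent. */
static const uint8_t BAD_REQ[]  = { HB_REQUEST, 0x40, 0x00, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

/* Run the responder on a sample and return its result (-1 = rejected). */
int check_sample(const uint8_t *req, size_t len) {
    uint8_t out[64];
    return heartbeat_response(req, len, out, sizeof out);
}

/* 1 if the response to GOOD_REQ echoes exactly the received payload. */
int response_echoes_payload(void) {
    uint8_t out[64];
    int n = heartbeat_response(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out);
    return n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}
```

With the check in place the oversized request is rejected outright; without it, the copy would have read 16384 bytes starting at a 5-byte payload, which is the over-read the talk describes.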
Impact
• Only vulnerable if using a recent version of OpenSSL and if the Heartbeat feature is enabled.
• OpenSSL versions 1.0.1 and 1.0.1a – 1.0.1f affected, bug fixed in version 1.0.1g.
• Heartbeat enabled by default.
• Window of exposure: 14/3/2012 – 7/4/2014.
• Still, the Internet melted…
Web Server Stats
Heartbleed Impact
• More than 80% of the Alexa top 1 million websites run on Apache or Nginx
• Both of these rely on OpenSSL for provision of SSL/TLS/HTTPS.
• About 45% of the top 1 million sites do run HTTPS.
• It was initially unclear how much and what types of sensitive data could be extracted from “vulnerable” servers.
• Usernames and passwords?
• SSL private keys?
CloudFlare Challenge
• Cloudflare host websites and manage certs for their 100k+ customers.
• They set a challenge…
Consequently…
• Cloudflare revoked all its certificates (134,000 of them).
• From SANS Internet Storm Center:
Impact
• Cloudflare is just one web hosting company (there are many others).
• They are clearly well-organised and responsive, and put a lot of information in the public domain.
• Others less so?
It Wasn’t Just Webservers…
• E-mail servers also vulnerable.
• Amazon Web Services had a major headache updating.
• Network appliance products from Cisco, Juniper also affected.
• Tor nodes.
• Heartbleed can also be applied to clients rather than servers.
• Including millions of smartphones running Android 4.1.1 (which uses OpenSSL 1.0.1e).
• Netgear NAS devices.
• Two-factor authentication systems.
• OpenVPN.
It Wasn’t Just Private Keys…
• Mumsnet: a large UK online forum for parents.
– 1.5 million users.
– http://www.mumsnet.com/features/mumsnet-and-heartbleed-as-it-happened
• Patched within 48 hours of the OpenSSL vulnerability announcement.
• But 30+ accounts were hacked, including that of one of the site’s founders...
How Many Sites Were Vulnerable?
• Data from https://zmap.io/heartbleed/
• Generated using IPv4 address space scans with zmap tool.
• On 16/4/2014, 5.2% of Alexa top 1 million sites were still vulnerable, 32% supported secure Heartbeat, 63% did not support Heartbeat.
• None of top 1000 sites vulnerable by 16/4/2014
Was Heartbleed Being Actively Exploited?
• Robin Seggelmann at OpenSSL has denied deliberate insertion of a backdoor.
• Bloomberg claimed NSA knew “for at least two years” about Heartbleed according to “two people familiar with the matter.”
• US government issued a denial.
• One would expect a large team at NSA to be searching for such vulnerabilities.
• Question is what do they then do with them – use them in attacks or notify vendors?
• Ongoing debate in US about duty of NSA in such cases.
Heartbleed Disclosure
• First discovered (21/03) by Neel Mehta at Google.
• Rediscovered by Codenomicon and disclosed to Finnish NCSC (02/04).
• OpenSSL informed by Google (01/04) and Finnish NCSC (07/04).
• Cloudflare (31/03) and Akamai (04/04) patch their servers.
• 06/04: Red Hat (on behalf of OpenSSL) notifies (some) other Linux distributions; those who requested details got them in time.
• 07/04 (or earlier): Facebook patch their servers.
Heartbleed Disclosure
• 07/04, 10:27: OpenSSL release v1.0.1g with Heartbleed patch and security advisory on website.
• 07/04, 10:49: OpenSSL e-mail advisory.
• 07/04, 11:00: CloudFlare blog entry goes live.
• 07/04, 12:23: CloudFlare tweet.
• 07/04, 12:37: Neel Mehta tweet.
• 07/04, 13:13: Codenomicon tweet with link to their heartbleed.com website.
Heartbleed Disclosure
• The disclosure process was particularly messy.
• This is not uncommon.
• Personal experience with Lucky 13:
– Tell one of the big boys and they will want to tell their friends.
– There are informal communication channels and formal information sharing agreements outside of CERT/CC and other official processes.
– Hard to contain leakage when many vendors are affected.
• Double discovery of Heartbleed complicated matters.
What next for OpenSSL?
• LibreSSL fork.
– Heartbleed was the straw that broke the camel’s back for OpenBSD.
• Core Infrastructure Initiative:
– Will identify and fund critical open source projects that are in need of assistance.
– Founding backers of the initiative include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.
Current Developments
• Fresh algorithms are under active consideration in IETF TLS WG.
– Important for environments where AES is not available in hardware.
– Momentum behind ChaCha20 stream cipher plus Poly1305 MAC.
• Reform of TLS’s encryption process to make CBC-mode easier to implement securely.
– Recently published RFC 7366.
– Deployment via TLS extension, unclear how widely adopted it will become.
Current Developments in TLS
• TLS 1.3 now under active development in TLS WG
– Reducing latency in Handshake.
– Simplification of key exchange and authentication methods in Handshake.
– Reform of symmetric crypto algorithms.
• Development process is somewhat ad hoc.
– Active review of drafts needed by users and cryptographers.
Current Developments
• There is little diversity in the code-base of the web.
– Apache and Nginx, both reliant on OpenSSL.
• Critical vulnerabilities in that code-base will have major impacts.
– Shellshock only the latest example, there will be more.
• Disclosure and patching at these scales is messy.
– Many affected vendors.
– Different parties at different points in the “foodchain”.
– Informal information exchanges.
• Cryptography does not stand still.
– Attacks only get better over time.
– Large deployed base means TLS practices are slow to change.
Closing Remarks
Thank you!
Kenny Paterson, Information Security Group, Royal Holloway, University of London
Question and Answer
• Paul Williams, Chief Technology Officer, White Badger Group
• Jason Sabin, VP of Research & Development, DigiCert
• Kenny Paterson, Information Security Group, Royal Holloway, University of London
Generously supported by: thank you Citrix for donating the Webcast service
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link information: http://www.surveygizmo.com/s3/1825751/ISSA-Web-Conference-Sept-30-2014-Encryption-The-Dark-Side