Systematization of Knowledge Lessons Learned From SSL/TLS Attacks

69 

Loading....

Loading....

Loading....

Loading....

Loading....

Full text

(1)

20.08.2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security christopher.meyer@rub.de

(2)
(3)
(4)

4 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

(5)
(6)

6 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Nearly 20 years of SSL/TLS

Some key data

(7)

Nearly 20 years of SSL/TLS

Some key data

Invented in 1994

(8)

8 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Nearly 20 years of SSL/TLS

Some key data

Invented in 1994

Evolutionary development

5 official and 1 unpublished revision

SSL 2.0, SSL 3.0

TLS 1.0, TLS 1.1, TLS 1.2

(9)

Nearly 20 years of SSL/TLS

Some key data

Invented in 1994

Evolutionary development

5 official and 1 unpublished revision

SSL 2.0, SSL 3.0

TLS 1.0, TLS 1.1, TLS 1.2

SSL 1.0

(10)

10 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

(11)
(12)

12 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Contribution

(13)

Contribution

Collected attacks on SSL/TLS

(14)

14 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Contribution

Collected attacks on SSL/TLS

Analyzed all attacks

(15)

Contribution

Collected attacks on SSL/TLS

Analyzed all attacks

Categorized each attack

Identified the root cause of the vulnerabilities

(16)

16 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Contribution

Collected attacks on SSL/TLS

Analyzed all attacks

Categorized each attack

Identified the root cause of the vulnerabilities

for each attack

(17)

Contribution

Collected attacks on SSL/TLS

Analyzed all attacks

Categorized each attack

Identified the root cause of the vulnerabilities

for each attack

Concluded Lessons Learned for each attack

Created a Guideline for Protocol Designers and

(18)

18 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attack Patterns

(19)

Attack Patterns

Abnormalities during the analysis of attacks

Attacks focus on specific parts/layers of

(20)

20 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attack Patterns

Abnormalities during the analysis of attacks

Attacks focus on specific parts/layers of

SSL/TLS

(21)

Attack Patterns

Abnormalities during the analysis of attacks

Attacks focus on specific parts/layers of

SSL/TLS

Attacks can be grouped into 4 categories

(22)

22 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attack Patterns

Abnormalities during the analysis of attacks

Attacks focus on specific parts/layers of

SSL/TLS

Attacks can be grouped into 4 categories

1. Attacks on the Handshake Protocol

(23)

Attack Patterns

Abnormalities during the analysis of attacks

Attacks focus on specific parts/layers of

SSL/TLS

Attacks can be grouped into 4 categories

1. Attacks on the Handshake Protocol

2. Attacks on the Record Layer

(24)

24 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attack Patterns

Abnormalities during the analysis of attacks

Attacks focus on specific parts/layers of

SSL/TLS

Attacks can be grouped into 4 categories

1. Attacks on the Handshake Protocol

2. Attacks on the Record Layer

3. Attacks on the PKI

(25)

Attacks on the Handshake Protocol

Details

(26)

26 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Handshake Protocol

Details

Main goal: Influence Handshake Phase

ARISE

(27)

Attacks on the Handshake Protocol

Details

Main goal: Influence Handshake Phase

Alter messages or message parts

RISE

(28)

28 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Handshake Protocol

Details

Main goal: Influence Handshake Phase

Alter messages or message parts

Replay communication or parts of it

ISE

(29)

Attacks on the Handshake Protocol

Details

Main goal: Influence Handshake Phase

Alter messages or message parts

Replay communication or parts of it

Interfere messages or message parts

SE

(30)

30 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Handshake Protocol

Details

Main goal: Influence Handshake Phase

Alter messages or message parts

Replay communication or parts of it

Interfere messages or message parts

Systematically analyze communication

(31)

Attacks on the Handshake Protocol

Details

Main goal: Influence Handshake Phase

Alter messages or message parts

Replay communication or parts of it

Interfere messages or message parts

Systematically analyze communication

(32)

32 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Handshake Protocol

(33)

Attacks on the Record Layer

Details

(34)

34 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Record Layer

Details

Main goal: Violate Confidentiality or Integrity

BAT

(35)

Attacks on the Record Layer

Details

Main goal: Violate Confidentiality or Integrity

Break Encryption

AT

(36)

36 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Record Layer

Details

Main goal: Violate Confidentiality or Integrity

Break Encryption

Analyze Encrypted Traffic

(37)

Attacks on the Record Layer

Details

Main goal: Violate Confidentiality or Integrity

Break Encryption

Analyze Encrypted Traffic

(38)

38 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the Record Layer

(39)

Attacks on the PKI

Details

(40)

40 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the PKI

Details

Main goal: Influence, Compromise or Trick PKI

RITCH

(41)

Attacks on the PKI

Details

Main goal: Influence, Compromise or Trick PKI

Recover or Break Private Keys

ITCH

(42)

42 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the PKI

Details

Main goal: Influence, Compromise or Trick PKI

Recover or Break Private Keys

Influence Certificate Revocation Systems

TCH

(43)

Attacks on the PKI

Details

Main goal: Influence, Compromise or Trick PKI

Recover or Break Private Keys

Influence Certificate Revocation Systems

Trick Certificate Validation

CH

(44)

44 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the PKI

Details

Main goal: Influence, Compromise or Trick PKI

Recover or Break Private Keys

Influence Certificate Revocation Systems

Trick Certificate Validation

Compute Colliding Certificates

(45)

Attacks on the PKI

Details

Main goal: Influence, Compromise or Trick PKI

Recover or Break Private Keys

Influence Certificate Revocation Systems

Trick Certificate Validation

Compute Colliding Certificates

(46)

46 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Attacks on the PKI

(47)

Various Other Attacks

Details

(48)

48 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Various Other Attacks

Details

Main goal: Predict, Disturb, Inject, Disable

GASP

(49)

Various Other Attacks

Details

Main goal: Predict, Disturb, Inject, Disable

Guess Random Numbers

ASP

(50)

50 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Various Other Attacks

Details

Main goal: Predict, Disturb, Inject, Disable

Guess Random Numbers

Affect Reliability

SP

(51)

Various Other Attacks

Details

Main goal: Predict, Disturb, Inject, Disable

Guess Random Numbers

Affect Reliability

Smuggle Data into Running Connections

(52)

52 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Various Other Attacks

Details

Main goal: Predict, Disturb, Inject, Disable

Guess Random Numbers

Affect Reliability

Smuggle Data into Running Connections

(53)

Various Other Attacks

(54)

54 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Finally...

(55)

Finally...

… I tried to put the keywords in a meaningful context

unfortu

nately w

ithout s

(56)

56 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 1/2

(57)

Lessons Learned 1/2

… what can we conclude?

(58)

58 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 1/2

… what can we conclude?

1. Theoretical attacks can turn into practice

2. Side channels may appear at different layers

(59)

Lessons Learned 1/2

… what can we conclude?

1. Theoretical attacks can turn into practice

2. Side channels may appear at different layers

in different situations

(60)

60 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 1/2

… what can we conclude?

1. Theoretical attacks can turn into practice

2. Side channels may appear at different layers

in different situations

3. Reliable cryptographic primitives are important

4. Processes must leak as little information as

(61)

Lessons Learned 1/2

… what can we conclude?

1. Theoretical attacks can turn into practice

2. Side channels may appear at different layers

in different situations

3. Reliable cryptographic primitives are important

4. Processes must leak as little information as

possible

5. Specifications have to be implemented

(62)

62 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 1/2

… what can we conclude?

1. Theoretical attacks can turn into practice

2. Side channels may appear at different layers

in different situations

3. Reliable cryptographic primitives are important

4. Processes must leak as little information as

possible

5. Specifications have to be implemented

without own improvements

6. Critical parts in specifications and source

(63)

Lessons Learned 2/2

… what can we conclude?

7. Specifications have to verbose, unambiguous

(64)

64 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 2/2

… what can we conclude?

7. Specifications have to verbose, unambiguous

and technically detailed

8. Details on requirements and preconditions

(65)

Lessons Learned 2/2

… what can we conclude?

7. Specifications have to verbose, unambiguous

and technically detailed

8. Details on requirements and preconditions

are necessary

(66)

66 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 2/2

… what can we conclude?

7. Specifications have to verbose, unambiguous

and technically detailed

8. Details on requirements and preconditions

are necessary

9. Data has to be protected

10. The interplay between different layers must

(67)

Lessons Learned 2/2

… what can we conclude?

7. Specifications have to verbose, unambiguous

and technically detailed

8. Details on requirements and preconditions

are necessary

9. Data has to be protected

10. The interplay between different layers must

be part of the security analysis

(68)

68 SoK: Lessons Learned From SSL/TLS Attacks - Christopher Meyer, Jörg Schwenk | WISA2013 | 19.-21. August 2013

Horst Görtz Institute for IT-Security

Chair for Network and Data Security

Lessons Learned 2/2

… what can we conclude?

7. Specifications have to verbose, unambiguous

and technically detailed

8. Details on requirements and preconditions

are necessary

9. Data has to be protected

10. The interplay between different layers must

be part of the security analysis

11. Flexibility mostly means additional risks

(69)

Chris Meyer christopher.meyer@rub.de http://armoredbarista.blogspot.com http://www.nds.rub.de/chair/people/cmeyer @armoredbarista Source: https://www.trustworthyinternet.org/ssl-pulse/

Figure

Updating...