DOI: 10.5555/2831211.2831213
Article

Prying open Pandora's box: KCI attacks against TLS

Published: 10 August 2015

Abstract

Protection of Internet communication is becoming more common in many products, as the demand for privacy in an age of state-level adversaries and crime syndicates is steadily increasing. The industry standard for doing this is TLS. The TLS protocol supports a multitude of key agreement and authentication options which provide various different security guarantees. Recent attacks showed that this plethora of cryptographic options in TLS (including long forgotten government backdoors, which have been cunningly inserted via export restriction laws) is a Pandora's box, waiting to be pried open by heinous computer whizzes. Novel attacks lay hidden in plain sight. Parts of TLS are so old that their foul smell of rot cannot be easily distinguished from the flowery smell of 'strong' cryptography and water-tight security mechanisms. With an arcane (but well-known among some theoretical cryptographers) tool, we put new cracks into Pandora's box, achieving a full break of TLS security. This time, the tool of choice is KCI, or Key Compromise Impersonation.
The TLS protocol includes a class of key agreement and authentication methods that are vulnerable to KCI attacks: non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication - both on elliptic curve groups, as well as on classical integer groups modulo a prime. We show that TLS clients that support these weak handshakes pose serious security concerns in modern systems, opening the supposedly securely encrypted communication to full-blown Man-in-the-Middle (MitM) attacks.
This paper discusses and analyzes KCI attacks in regard to the TLS protocol. We present an evaluation of the TLS software landscape regarding this threat, including a successful MitM attack against the Safari Web Browser on Mac OS X. We conclude that the insecure TLS options that enable KCI attacks should be immediately disabled in TLS clients and removed from future versions and implementations of the protocol: their utility is extremely limited, their raison d'être is practically nil, and the existence of these insecure key agreement options only adds to the arsenal of attack vectors against cryptographically secured communication on the Internet.
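The paper's remedy is to disable the non-ephemeral (EC)DH handshakes in clients. The following added example (not code from the paper or its authors) audits a configured cipher-suite list and flags the suites whose server key exchange is static DH_RSA/DH_DSS/ECDH_RSA/ECDH_ECDSA; it assumes suites are given in IANA (`TLS_..._WITH_...`) or OpenSSL (`ECDH-RSA-AES128-SHA`) spelling, and it cannot see whether a client certificate uses fixed DH, since that is not encoded in the suite name.

```python
# Key-exchange labels as they appear at the start of IANA names
# (TLS_<KX>_WITH_<cipher>) or OpenSSL names (<KX>-<cipher>, hyphenated).
# Non-ephemeral (EC)DH: the DH public key is fixed in the certificate,
# which is the KCI-prone class the paper asks clients to disable.
STATIC_DH = {"DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}
# Ephemeral (EC)DH: fresh exponent per handshake, signed by the long-term key.
EPHEMERAL = {"DHE_RSA", "DHE_DSS", "ECDHE_RSA", "ECDHE_ECDSA", "DHE_PSK", "ECDHE_PSK"}
# Unauthenticated (EC)DH; OpenSSL spells these ADH / AECDH.
ANON = {"DH_ANON", "ECDH_ANON", "ADH", "AECDH"}
# Other key exchanges that are not the paper's concern (RSA transport, PSK, SRP).
OTHER = {"RSA", "PSK", "RSA_PSK", "SRP_SHA", "SRP_SHA_RSA", "SRP_SHA_DSS"}

def key_exchange(suite):
    """Return the key-exchange label of an IANA or OpenSSL-style suite name."""
    name = suite.strip().upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    if "_WITH_" in name:                 # IANA form: KX is everything before WITH
        return name.split("_WITH_", 1)[0]
    # OpenSSL form: try the longest known prefix first so ECDHE_RSA beats RSA.
    # OpenSSL's plain-RSA names (e.g. AES128-SHA) carry no prefix at all and
    # TLS 1.3 names (TLS_AES_128_GCM_SHA256) encode no key exchange; both fall
    # through to UNKNOWN and are reported for manual review.
    for kx in sorted(STATIC_DH | EPHEMERAL | ANON | OTHER, key=len, reverse=True):
        if name.startswith(kx + "_"):
            return kx
    return "UNKNOWN"

def classify(suite):
    """Verdict for one suite: kci-prone, unauthenticated, ok or review."""
    kx = key_exchange(suite)
    if kx in STATIC_DH:
        return "kci-prone"
    if kx in ANON:
        return "unauthenticated"
    if kx in EPHEMERAL or kx in OTHER:
        return "ok"
    return "review"

def audit(suites):
    """Group a suite list by verdict; 'kci-prone' is the set to remove."""
    report = {"kci-prone": [], "unauthenticated": [], "ok": [], "review": []}
    for s in suites:
        report[classify(s)].append(s)
    return report

if __name__ == "__main__":
    # Constructed sample list mixing both naming styles.
    sample = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES128-SHA",
              "TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "ADH-AES128-SHA", "TLS_AES_128_GCM_SHA256"]
    for verdict, members in audit(sample).items():
        print(verdict, members)
```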

Published In

WOOT'15: Proceedings of the 9th USENIX Conference on Offensive Technologies
August 2015
18 pages

Publisher

USENIX Association, United States
