SSL/TLS and Their Attacks
Rian Saaty
Senior Cybersecurity Consultant
Who Am I?
• We trust CAs.
• If a CA were compromised, we would STILL trust it until the certificate is revoked!
• We can sign as the CA and users will TRUST us!
• This happened in 2011 with a CA called DigiNotar, which went bankrupt within weeks of the incident.
SSL/TLS Threat Models
Passive Adversary
Active Adversary
In Other Words …
SSL/TLS History
Negotiate Capabilities
• A ciphersuite consists of:
  1. Key Agreement Protocol (e.g. RSA, DH, Elliptic Curve)
  2. Symmetric Encryption Protocol (e.g. AES)
  3. Hash Function
• Named KA_SE_Hash
SSL/TLS: Certificate Exchange
Exchanging Certificate
The server sends a certificate:
{PK, example.com, expiration date, signed by PK}
SSL/TLS: Session Key Establishment
Note: in this step, the client and server use the ciphersuite they chose earlier.
SSL/TLS: Secure Communication
Encrypted Handshake
Attacks on SSLv2
• Many issues …
• Major vulnerabilities:
  • The ciphersuite list sent from the client to the server was NOT authenticated
  • An active attacker could modify the message to specify export-weakened ciphers [discussed on the next slide] or even NULL!
  • RSA_NULL_NULL
Negotiate Capabilities
• 40-bit ciphers
• In 2004, a home computer could break one in under 2 weeks
• With dedicated hardware, it can be broken in seconds!
Deepcrack (1998)
Browsers No Longer Support Export Ciphers
• In 2015, a survey showed that about 30% of servers in the wild still supported export ciphersuites!
• Modern browsers no longer support export ciphers today.
• However, we can still use curl and wget ^_^
SSLv2 Deprecation
• Even without decrypting it, an attacker can see the size of the HTTP request.
• This may allow him to “guess” things such as:
  • The file the user downloaded, from its size
  • The visited URL
• This is even worse in VoIP! Why?
• Silence!
• How is this fixed?
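The size leak above, as an added example that is not part of the slides: a constructed catalogue of downloadable files, a lookup that shows how a single observed ciphertext length narrows the download down to one file, and one mitigation (padding every body up to a fixed bucket size before encryption) that enlarges the set of files an observation could correspond to. The catalogue, the record overhead and the bucket size are this example's own assumptions.

```python
import math

# Constructed catalogue (file name -> size in bytes); the sizes are made up for the demo.
CATALOGUE = {
    "report.pdf": 48_213,
    "invoice.pdf": 48_214,
    "logo.png": 9_902,
    "readme.txt": 1_337,
}
# Assumed fixed per-record overhead (header + MAC) added by the record layer.
OVERHEAD = 21


def candidates_by_length(observed_len, catalogue, overhead=OVERHEAD):
    """Files whose plaintext size + overhead equals the ciphertext length seen on the wire.
    With no length hiding, one observation usually pins the download to one file."""
    return sorted(name for name, size in catalogue.items() if size + overhead == observed_len)


def pad_to_bucket(size, bucket):
    """Round a body up to the next multiple of `bucket` bytes before it is encrypted.
    This is one length-hiding mitigation (TLS 1.3 record padding does the same job)."""
    return bucket * math.ceil(size / bucket)


def candidates_after_padding(observed_len, catalogue, bucket, overhead=OVERHEAD):
    """Same lookup once every body is bucket-padded: several files now share a length,
    so the observer only learns which bucket was sent, not which file."""
    return sorted(name for name, size in catalogue.items()
                  if pad_to_bucket(size, bucket) + overhead == observed_len)


if __name__ == "__main__":
    seen = CATALOGUE["report.pdf"] + OVERHEAD
    print("unpadded, observed", seen, "->", candidates_by_length(seen, CATALOGUE))
    padded = pad_to_bucket(CATALOGUE["report.pdf"], 4096) + OVERHEAD
    print("4 KiB buckets, observed", padded, "->", candidates_after_padding(padded, CATALOGUE, 4096))
```

Bucketing trades bandwidth for a larger anonymity set; the VoIP case on the slide (silence suppression producing smaller or absent frames) is the same leak through frame sizes rather than file sizes, and the usual answer there is constant-size frames.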
SSLv3: Weak Ciphers All the WAY!
• SSLv3 and below only supported cipher suites that were affected by POODLE (a padding oracle attack)
• The only cipher that wasn’t affected was RC4, which leaks information!
• As a result, SSLv3 was deprecated in 2015
HTTP > HTTPS
https://google.com
This will be an HTTPS request on port 443
• IF HSTS is enabled on that server, and your browser has already contacted the server before over a secure connection, it will NEVER send an HTTP request to that server!
• Basically, it PINS this website to ALWAYS use HTTPS
• Downside?
• Trust on first use
Chrome HSTS
Chrome has a list of websites that it will always connect to via HTTPS
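A small model of the HSTS behaviour described on these two slides, added here as an example and not taken from the deck or from Chrome's code: a cache that learns hosts from the Strict-Transport-Security header (trust on first use), upgrades later http:// URLs for those hosts, expires entries after max-age, and treats a preload list as entries that never expire, which is what closes the first-use gap. Host names, the header values and the clock are constructed for the demo.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal HSTS store: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, preload=(), now=time.time):
        self.now = now                      # injectable clock, so expiry can be tested
        self.hosts = {}
        for host in preload:                # preloaded hosts: pinned before first contact
            self.hosts[host] = (float("inf"), True)

    def observe_header(self, host, header):
        """Record a Strict-Transport-Security header. A real browser only honours this
        over HTTPS; until the first such response the host is unprotected (TOFU)."""
        m = re.search(r"max-age\s*=\s*(\d+)", header, re.I)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:                    # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
            return
        include_sub = re.search(r"includeSubDomains", header, re.I) is not None
        self.hosts[host] = (self.now() + max_age, include_sub)

    def is_pinned(self, host):
        """Exact match, or an unexpired parent entry marked includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for pinned hosts; anything else goes out as typed."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_pinned(p.hostname):
            netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache(preload=["google.com"])
    print(cache.rewrite("http://google.com/"))        # upgraded: preloaded
    print(cache.rewrite("http://example.com/"))       # unchanged: never seen yet
    cache.observe_header("example.com", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://www.example.com/"))   # upgraded: learned on first use
```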
Deterministic Encryption
• Enc(plaintext message, key):
  m1 m2 m3 m4 m5 m6
  c1 c2 c3 c4 c5 c6
Issue of Using Deterministic Encryption
• Enc(plaintext message, key):
  ? ? ? ? ? ?
Semantic Security
• Allows an attacker to decrypt the data without knowing the encryption key
• Only works when the application returns different responses when deciphering messages, i.e. valid vs invalid padding/MAC
• Assume that the attacker was able to capture the ciphertext and that the destination returns a meaningful message when the padding is wrong
• A byte has 256 possible values
• Basically, we need to loop from 0-255 over the last byte of the ciphertext until the oracle says the padding is correct. Once it is correct, we move on to the next byte, and so on. Byte by byte, the plaintext is revealed.
• SSLv3 was vulnerable to POODLE
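The precondition on the slide (“only works when the application returns different responses”) made concrete, as an added example that is not from the deck: a strict PKCS#7 check, a MAC-then-pad record layout like the one SSLv3/TLS 1.0 encrypt under CBC, a receiver that names which check failed, and a hardened receiver that gives one answer for every failure. The last function does exactly what the slide's loop does for one position, trying all 256 values of the last byte, but only tallies the receiver's answers so you can see the two error classes the leaky version hands out. Encryption is left out because the oracle lives entirely in the decrypted-side checks; the key and message are constructed for the demo.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16
KEY = b"constructed-demo-key"      # constructed; never reuse demo keys


def pkcs7_pad(data, block=BLOCK):
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data, block=BLOCK):
    """Strict PKCS#7: last byte n must be 1..block and the last n bytes must all equal n."""
    if not data or len(data) % block:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def build_record(key, msg):
    """MAC-then-pad layout: msg || HMAC-SHA256(msg) || padding (what CBC would then encrypt)."""
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return pkcs7_pad(msg + tag)


def receiver_leaky(decrypted, key):
    """Checks padding first and reports which check failed.
    Two distinguishable failures are all a padding oracle needs."""
    try:
        body = pkcs7_unpad(decrypted)
    except ValueError:
        return "BAD_PADDING"
    msg, tag = body[:-32], body[-32:]
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag):
        return "BAD_MAC"
    return "OK"


def receiver_hardened(decrypted, key):
    """Same checks, one externally visible answer. TLS 1.1+ merged the padding and MAC
    failures into a single bad_record_mac alert for this reason; a real implementation
    must also keep the timing of both paths equal, which this demo does not show."""
    return "OK" if receiver_leaky(decrypted, key) == "OK" else "ERROR"


def response_classes(receiver, key, record):
    """Feed the receiver all 256 variants of the record's last byte and count its answers."""
    counts = Counter(receiver(record[:-1] + bytes([v]), key) for v in range(256))
    return dict(counts)


if __name__ == "__main__":
    rec = build_record(KEY, b"hello")
    print("leaky   :", response_classes(receiver_leaky, KEY, rec))
    print("hardened:", response_classes(receiver_hardened, KEY, rec))
```

For the 48-byte record built here the leaky receiver answers OK once (the original byte), BAD_MAC once (last byte 0x01 is always valid one-byte padding) and BAD_PADDING 254 times; the hardened receiver answers OK once and ERROR 255 times, so a guesser learns nothing about padding validity from the reply alone.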
Padding Oracle Attack Testing
• Allows downgrading the connection to SSLv3, which can in turn be downgraded to SSLv2 …
• Vulnerable to the BEAST and DROWN attacks, which will be explained soon
Drown Attack
• An active MITM attacker can predict the IV, which makes the result of the encryption deterministic.
• Technically, the attacker can’t decrypt any data directly; however, he can find out whether a guess is right or wrong.
• With enough guessing, any data can be recovered!
• The only way to prevent the BEAST attack from the server side is to enable RC4.
• However, RC4 is worse!
• This makes enabling TLS 1.0 a bad idea as well
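The two properties behind the deterministic-encryption and BEAST slides, shown together in one added example that is not from the deck: a toy 16-byte Feistel block cipher (HMAC-SHA256 as the round function, standing in for AES and not secure in its own right), CBC mode on top of it, and two checks. The first shows that a deterministic mode (ECB, no IV) maps equal plaintext blocks to equal ciphertext blocks while CBC with a fresh random IV per record does not. The second shows why the TLS 1.0 IV is predictable: when each record's IV is the last ciphertext block of the previous record, anyone who sees only the wire can compute the next IV, whereas a random per-record IV (TLS 1.1+) cannot be predicted. Key and messages are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, rnd):
    """Toy Feistel round function: keyed PRF of an 8-byte half (stand-in for AES rounds)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def cbc_encrypt(key, iv, msg):
    """CBC over block-aligned input: C_i = E(P_i XOR C_{i-1}), C_0 = IV."""
    assert len(msg) % BLOCK == 0, "demo expects block-aligned input"
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, _xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def count_distinct_ciphertexts(key, blocks, mode):
    """How many different ciphertexts a list of single blocks produces.
    'ecb' is deterministic: repeats in the plaintext show up as repeats in the ciphertext.
    'cbc-random' draws a fresh IV per record, so every encryption looks different."""
    if mode == "ecb":
        cts = [block_encrypt(key, b) for b in blocks]
    elif mode == "cbc-random":
        cts = [cbc_encrypt(key, os.urandom(BLOCK), b) for b in blocks]
    else:
        raise ValueError(mode)
    return len(set(cts))


def encrypt_records(key, records, iv_policy):
    """Encrypt a sequence of records. iv_policy 'random' = fresh IV per record
    (TLS 1.1+); 'chained' = IV is the previous record's last ciphertext block (SSLv3/TLS 1.0)."""
    out, prev_ct = [], None
    for rec in records:
        iv = os.urandom(BLOCK) if iv_policy == "random" or prev_ct is None else prev_ct[-BLOCK:]
        ct = cbc_encrypt(key, iv, rec)
        out.append((iv, ct))
        prev_ct = ct
    return out


def iv_predictable_from_wire(key, records, iv_policy):
    """Can an observer who sees only ciphertext name the IV of record i+1 before it is sent?
    Under chaining it is simply the last block of record i; under random IVs it is not."""
    recs = encrypt_records(key, records, iv_policy)
    return all(recs[i + 1][0] == recs[i][1][-BLOCK:] for i in range(len(recs) - 1))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    blocks = [b"A" * 16, b"B" * 16, b"A" * 16]
    print("ECB distinct:", count_distinct_ciphertexts(key, blocks, "ecb"))
    print("CBC/random IV distinct:", count_distinct_ciphertexts(key, blocks, "cbc-random"))
    recs = [b"Cookie: secret00"] * 3
    print("chained IV predictable:", iv_predictable_from_wire(key, recs, "chained"))
    print("random IV predictable:", iv_predictable_from_wire(key, recs, "random"))
```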
Beast Attack Risk
• You can actually get away with TLS 1.1 under certain rules. In fact, Google still uses TLS 1.1!
  1. You MUST disable all the insecure ciphersuites. This may or may not introduce other problems (e.g. legacy systems).
  2. You must NOT have SSLv3.0 or SSLv2.0 enabled on your server.
• The main issue here (including in TLS 1.2) is the ciphersuites selected!
• Consider having a NULL cipher in TLS 1.2: does that make your connection secure?
• Note: I’m NOT suggesting that you keep TLS 1.1; it is old already
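An added example (not from the slides) that ties the KA_SE_Hash naming from the Negotiate Capabilities slide to the two rules above: it splits an IANA-style suite name into its key-agreement, symmetric-encryption and hash parts, flags the weak classes the deck has covered (export-weakened 40/56-bit keys, NULL and anonymous suites, RC4, single DES, MD5), and then applies rule 1 (no insecure suites) and rule 2 (no SSLv2/SSLv3) to a server's protocol and suite lists. The weakness labels and the way they are grouped are this example's own choices; the suite names follow the standard TLS_<KA>_WITH_<SE>_<HASH> form used for TLS 1.2 and earlier.

```python
import re
from collections import namedtuple

Suite = namedtuple("Suite", "ka se hash")
HASHES = {"NULL", "MD5", "SHA", "SHA256", "SHA384"}
DEAD_PROTOCOLS = {"SSLv2", "SSLv3"}          # rule 2 from the slide


def parse_suite(name):
    """TLS_<KA>_WITH_<SE>_<HASH> -> Suite(ka, se, hash), the KA_SE_Hash split."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS_<KA>_WITH_<SE>_<HASH> name: " + name)
    ka, rest = name[4:].split("_WITH_", 1)
    se, _, h = rest.rpartition("_")
    if h not in HASHES:
        raise ValueError("unknown hash in " + name)
    return Suite(ka, se, h)


def weaknesses(name):
    """Reasons a suite should not be offered; an empty list means nothing was flagged."""
    s = parse_suite(name)
    found = []
    if "EXPORT" in s.ka or re.search(r"_(40|56)(_|$)", s.se):
        found.append("export-weakened key (40/56-bit)")
    if s.se == "NULL":
        found.append("NULL cipher (no encryption)")
    if s.ka.startswith("NULL") or "anon" in s.ka:
        found.append("unauthenticated key agreement")
    if s.se.startswith("RC4"):
        found.append("RC4 (biased keystream leaks plaintext)")
    if s.se.startswith("DES_"):
        found.append("single DES (56-bit key)")
    if s.hash == "MD5":
        found.append("MD5 MAC")
    if s.hash == "NULL":
        found.append("NULL MAC (no integrity)")
    return found


def check_server_config(protocols, suites):
    """Apply both rules: no SSLv2/SSLv3 enabled, and no suite with a known weakness."""
    problems = [p + " enabled" for p in protocols if p in DEAD_PROTOCOLS]
    for suite in suites:
        problems += [suite + ": " + w for w in weaknesses(suite)]
    return problems


if __name__ == "__main__":
    for name in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                 "TLS_RSA_WITH_NULL_SHA"):
        print(name, "->", parse_suite(name), weaknesses(name))
    print(check_server_config(["SSLv3", "TLSv1.2"], ["TLS_RSA_WITH_NULL_SHA"]))
```

The last call is the slide's own question in code: TLS 1.2 with a NULL cipher still comes back with a problem, because the protocol version was never the whole story.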
Browsers Ended Support for TLS 1.0 & TLS 1.1 in 2020
Qualys SSL Labs Also Decreased the Grade!
HeartBleed
• Basically, when you use OpenSSL, you are securing a socket between you and the server.
• A server can only accept and keep alive a limited number of sockets at the same time.
• It terminates a socket after a certain idle threshold, and the client then has to renegotiate over and over again.
• Hence, the “Heartbeat Extension” was introduced to avoid the renegotiation and provide keep-alive functionality without continuous data transfer.
• A Heartbeat can carry anything up to 64KB of data.
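An added example, not from the slides or from OpenSSL, of what the heartbeat message looks like and where its length field has to be checked. It builds a HeartbeatMessage (type, 2-byte payload_length, payload, at least 16 bytes of padding), then contrasts a responder that trusts payload_length and copies that many bytes out of a simulated process buffer (so a short record with a large length field returns bytes that follow it in memory) with the checked responder, which rejects any record whose declared payload does not fit inside the bytes actually received. The process buffer and its contents are constructed for the demo.

```python
import struct

HB_REQUEST = 1       # HeartbeatMessageType heartbeat_request
PADDING_MIN = 16     # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """type(1) | payload_length(2) | payload | padding. `claimed_len` lets a test
    construct a record whose length field does not match the payload it carries."""
    claimed = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, claimed) + payload + b"\x00" * PADDING_MIN


def respond_unchecked(record, process_memory):
    """Buggy responder: copies payload_length bytes starting at the payload, wherever the
    record sits in memory, without asking whether those bytes belong to the record.
    Simulated on a bytes buffer standing in for the process heap."""
    _hb_type, claimed = struct.unpack("!BH", record[:3])
    start = process_memory.index(record) + 3
    return process_memory[start:start + claimed]


def respond_checked(record):
    """Fixed responder: the declared payload plus header and minimum padding must fit
    inside the record that was actually received; otherwise the record is dropped."""
    if len(record) < 3:
        return None
    _hb_type, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + PADDING_MIN > len(record):
        return None
    return record[3:3 + claimed]


if __name__ == "__main__":
    honest = build_heartbeat(b"hi")
    print("checked, honest record  :", respond_checked(honest))
    lying = build_heartbeat(b"hi", claimed_len=40)
    memory = b"junk" + lying + b"SECRET SESSION COOKIE"      # constructed heap contents
    print("unchecked, lying record :", respond_unchecked(lying, memory))
    print("checked, lying record   :", respond_checked(lying))
```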
HeartBeat in Action (Normal Usage)
• We will be using 2 NSE scripts because one is simply not enough when it comes to Nmap
• For SSLv2, we will be using the following:
  nmap -p 443 --script sslv2 TARGET
• Sample output: