A cross-protocol attack on the TLS protocol
16 Oct 2012-pp 62-72
TL;DR: The attack enables an adversary to successfully impersonate a server to a random client after obtaining 240 signed elliptic curve keys from the original server and proposes a fix that renders the protocol immune to this family of cross-protocol attacks.
Abstract: This paper describes a cross-protocol attack on all versions of TLS; it can be seen as an extension of the Wagner and Schneier attack on SSL 3.0. The attack presents valid explicit elliptic curve Diffie-Hellman parameters signed by a server to a client that incorrectly interprets these parameters as valid plain Diffie-Hellman parameters. Our attack enables an adversary to successfully impersonate a server to a random client after obtaining 240 signed elliptic curve keys from the original server. While attacking a specific client is improbable due to the high number of signed keys required during the lifetime of one TLS handshake, it is not completely unrealistic for a setting where the server has high computational power and the attacker contents itself with recovering one out of many session keys. We remark that popular open-source server implementations are not susceptible to this attack, since they typically do not support the explicit curve option. Finally we propose a fix that renders the protocol immune to this family of cross-protocol attacks.
Citations
More filters
12 Oct 2015
TL;DR: Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman, is presented and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved a break.
Abstract: We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
409 citations
19 May 2013
TL;DR: This work survey and categorize prominent security issues with HTTPS and provides a systematic treatment of the history and on-going challenges, intending to provide context for future directions.
Abstract: Internet users today depend daily on HTTPS for secure communication with sites they intend to visit. Over the years, many attacks on HTTPS and the certificate trust model it uses have been hypothesized, executed, and/or evolved. Meanwhile the number of browser-trusted (and thus, de facto, user-trusted) certificate authorities has proliferated, while the due diligence in baseline certificate issuance has declined. We survey and categorize prominent security issues with HTTPS and provide a systematic treatment of the history and on-going challenges, intending to provide context for future directions. We also provide a comparative evaluation of current proposals for enhancing the certificate infrastructure used in practice.
262 citations
Cites background from "A cross-protocol attack on the TLS ..."
...4) Cross-Protocol Attacks: An extended version of this paper [32] addresses cross-protocol attacks [105], [74] where parameters intended to be used in one setting (e....
[...]
17 May 2015
TL;DR: This work systematically test popular open-source TLS implementations for state machine bugs and discovers several critical security vulnerabilities that have lain hidden in these libraries for years, and have now finally been patched due to the disclosures.
Abstract: Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes, and key exchange methods. Confusingly, each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that correctly multiplexes between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years, and have now finally been patched due to our disclosures. Several of these vulnerabilities, including the recently publicized FREAK flaw, enable a network attacker to break into TLS connections between authenticated clients and servers. We argue that state machine bugs stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported cipher suites. Our attacks expose the need for the formal verification of core components in cryptographic protocol libraries, our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
202 citations
Cites background from "A cross-protocol attack on the TLS ..."
...For instance, they presented an early variant of a cross-ciphersuite attack (predating [17]) by observing that the ephemeral key exchange parameters signed by TLS servers could be misinterpreted by the client....
[...]
...In current versions of TLS, this is a difficult property to guarantee because of the possibility of cross-protocol attacks [17]....
[...]
...[16] analyzes the multi-ciphersuite security of SSH using a black-box composition technique that falls short of analyzing TLS because it does not account for cross-protocols attacks [17]....
[...]
18 Aug 2013
TL;DR: This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.
Abstract: TLS is the most widely-used cryptographic protocol on the Internet. It comprises the TLS Handshake Protocol, responsible for authentication and key establishment, and the TLS Record Protocol, which takes care of subsequent use of those keys to protect bulk data. In this paper, we present the most complete analysis to date of the TLS Handshake protocol and its application to data encryption (in the Record Protocol). We show how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol. The security notion we achieve is a variant of the ACCE notion recently introduced by Jager et al. (Crypto ’12). Our approach enables us to analyse multiple different key establishment methods in a modular fashion, including the first proof of the most common deployment mode that is based on RSA PKCS #1v1.5 encryption, as well as Diffie-Hellman modes. Our results can be applied to settings where mutual authentication is provided and to the more common situation where only server authentication is applied.
189 citations
Cites background from "A cross-protocol attack on the TLS ..."
...On the other hand, we do not treat ciphersuite (re)negotiation nor the TLS Record Protocol’s compression or fragmentation features, meaning that, for example, none of the attacks from [19, 30, 38] are covered by our analysis....
[...]
...In view of its importance, TLS has long been the subject of intense research analysis, including, in chronological order, [41, 12, 36, 28, 25, 40, 16, 27, 5, 32, 22, 6, 33, 18, 35, 9, 2, 24, 30, 19, 13, 3, 10, 4]....
[...]
References
More filters
Journal Article•
TL;DR: Copyright (©) 1999–2012 R Foundation for Statistical Computing; permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and permission notice are preserved on all copies.
Abstract: Copyright (©) 1999–2012 R Foundation for Statistical Computing. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the R Core Team.
272,030 citations
TL;DR: Several models are formulated in which the security of protocols can be discussed precisely, and algorithms and characterizations that can be used to determine protocol security in these models are given.
Abstract: Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.
5,145 citations
"A cross-protocol attack on the TLS ..." refers background in this paper
...The adversary in both attacks is a Dolev-Yao adversary [12], that has full control over the network communications....
[...]
01 Aug 2008
TL;DR: This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol, which provides communications security over the Internet by allowing client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Abstract: This document specifies Version 1.2 of the Transport Layer Security
(TLS) protocol. The TLS protocol provides communications security over
the Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery. [STANDARDS-TRACK]
2,675 citations
01 Feb 1997
TL;DR: This document describes HMAC, a mechanism for message authentication using cryptographic hash functions that can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key.
Abstract: This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.
2,265 citations
01 Jan 1999
TL;DR: This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol, which provides communications privacy over the Internet by allowing client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Abstract: This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
1,956 citations
"A cross-protocol attack on the TLS ..." refers methods in this paper
...0 [9] the TLS protocol has been augmented with various other key exchange methods such as SRP, PSK or ECDH [3, 13, 25]....
[...]