2016 TLS 1.3 - NDSS SymposiumRSA1 RSA2 Bleichenbacher‘s Agack The difficulty of prevenng such...
25
On the Security of TLS 1.3 (and QUIC) Against Weaknesses in PKCS#1 v1.5 EncrypHon Tibor Jager , Jörg Schwenk, Juraj Somorovsky Horst Görtz InsHtute for IT Security Ruhr-University Bochum TRON 1.0 Workshop 2016 21 February 2016 San Diego, CA, USA
Transcript of 2016 TLS 1.3 - NDSS SymposiumRSA1 RSA2 Bleichenbacher‘s Agack The difficulty of prevenng such...
OntheSecurityofTLS1.3(andQUIC)AgainstWeaknessesinPKCS#1v1.5EncrypHon
TiborJager,JörgSchwenk,JurajSomorovskyHorstGörtzInsHtuteforITSecurity
Ruhr-UniversityBochum
TRON1.0Workshop201621February2016SanDiego,CA,USA
RSA-PKCS#1v1.5EncrypHon
• MostfrequentlyusedkeytransportmechanisminTLSbeforev1.3– “Textbook-RSAencrypHon”withaddiHonalrandomizedpadding
– Aciphertextis“valid”,ifitcontainsacorrectlypaddedmessage
2
RSA-PKCS#1v1.5EncrypHon
• MostfrequentlyusedkeytransportmechanisminTLSbeforev1.3– “Textbook-RSAencrypHon”withaddiHonalrandomizedpadding
– Aciphertextis“valid”,ifitcontainsacorrectlypaddedmessage
• DeprecatedinTLS1.3– Vulnerable:Bleichenbacher’sa?ack(CRYPTO`98)– Sufficienttoprotectagainstitsweaknesses?
3
Bleichenbacher’sAgack(CRYPTO1998)
4
C‘
„valid“/„invalid“C‘‘
„valid“/„invalid“...
PKCS-CiphertextC
PlaintextM
Bleichenbacher’sAgack(CRYPTO1998)
• Oracleusuallyprovidedbyaserver:– Errormessageifciphertextisinvalid– Othersidechannels,likeGming
• AllowstoperformRSAsecretkeyoperaGon– DecryptRSA-PKCS#1v1.5ciphertexts– ComputedigitalRSAsignatures 5
C‘
„valid“/„invalid“C‘‘
„valid“/„invalid“...
PKCS-CiphertextC
PlaintextM
Bleichenbacher’sAgack(CRYPTO1998)
• Oracleusuallyprovidedbyaserver:– Errormessageifciphertextisinvalid– Othersidechannels,likeGming
• AllowstoperformRSAsecretkeyoperaGon– DecryptRSA-PKCS#1v1.5ciphertexts– ComputedigitalRSAsignatures 6
C‘
„valid“/„invalid“C‘‘
„valid“/„invalid“...
PKCS-CiphertextC
PlaintextM
Bleichenbacheragacksoverandover• Bleichenbacher(CRYPTO1998)• Klimaetal.(CHES2003)• Jageretal.(ESORICS2012)• Degabrieleetal.(CT-RSA2012)• Bardouetal.(CRYPTO2012)• Zhangetal.(ACMCCS2014)• Meyeretal.(USENIXSecurity2014)• … AssumpGon:Bleichenbacher-likeagacksremain
arealisHcthreat7
Manydifferenttechniquestoconstructtherequiredoracle
TypicaluseofTLS1.3inpracHce
8
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
TLS1.0
TLS1.3
TypicaluseofTLS1.3inpracHce
9
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
TLS1.0
TLS1.3
AssumpHon
Secure?
High-levelAgackDescripHon
10
TLS1.3
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
High-levelAgackDescripHon
11
TLS1.3
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
SKeyShare
ServerHello
ClientHello
Certificate
ClientKeyShare
High-levelAgackDescripHon
12
TLS1.3
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
CertVerify
SKeyShare
ServerHello
ClientHello
Certificate
ClientKeyShare
High-levelAgackDescripHon
13
TLS1.3
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
Bleichenbacher‘sAgack
CertVerify
SKeyShare
ServerHello
ClientHello
Certificate
ClientKeyShare
High-levelAgackDescripHon
14
TLS1.3
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
Bleichenbacher‘sAgack
CertVerify
SKeyShare
ServerHello
ClientHello
Certificate
ClientKeyShare
S-Finished C-Finished
High-levelAgackDescripHon
15
TLS1.3
ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA
Bleichenbacher‘sAgack
CertVerify
SKeyShare
ServerHello
ClientHello
Certificate
ClientKeyShare
S-Finished C-Finished
TLS1.3maybevulnerabletoBleichenbacher‘sagack,eventhoughPKCS#1v1.5encrypGonisnotused!
PracHcalImpact
16
• PracHcalimpactonTLS1.3isratherlimited– TypicalBleichenbacher-agackstakehoursordays– WouldLisawaitthatlong?– Machine-to-machinecommunicaHon?
PracHcalImpact
17
• PracHcalimpactonTLS1.3isratherlimited– TypicalBleichenbacher-agackstakehoursordays– WouldLisawaitthatlong?– Machine-to-machinecommunicaHon?
• Nevertheless:– BackwardscompaGbilitymustbeconsidered
• Cf.Jager,Paterson,Somorovsky(NDSS2013)
– FutureimprovementsofBleichenbacher’sagack?
AgackontheQUICprotocol
ServerS
QUIC
TLS1.0
RSA
QUICBleichenbacher‘s
Agack
FullQUICprotocol
AgackerA
AgackontheQUICprotocol
ServerS
QUIC
TLS1.0
RSA
QUICBleichenbacher‘s
Agack
FullQUICprotocol
• AcanrunBleichenbacher’sagackbeforeLisaconnectstoS• OnesignatureisequivalenttothesecretkeyofS• PracGcal,evenifagacktakesweeks!
AgackerA
LimitedImpactonTLS1.3
TLS1.3
CertVerify
ServerS
TLS1.3
TLS1.0
RSA
Bleichenbacher‘sAgack
• AcanimpersonateSonlyinasingleTLSsession• OnlypracHcalwithveryfastBleichenbacheragack
“Hello”
“Finished”
AgackerA
ThedifficultyofprevenHngsuchagacks(example)
21
TLS1.3ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA1
RSA2
ThedifficultyofprevenHngsuchagacks(example)
22
TLS1.3 RSA1 ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA1
RSA2
Bleichenbacher‘sAgack
ThedifficultyofprevenHngsuchagacks(example)
23
TLS1.3 RSA2 ServerS
TLS1.3
TLS1.0(BackwardscompaHbility)
RSA1
RSA2• X.509cerHficatesdonotcontainprotocolversion
Bleichenbacher‘sAgack
FurtherdifficulHes
• KeyseparaHonnotsupportedbymajorserverimplementaHons
• CerHficatescostmoney(extendedvalidaHon)• X.509supports“sign/encrypt-only”certs
– “Sign-only”keysforTLS>=1.3– “Encrypt-only”keysforTLS<=1.2
• NoForwardSecrecyforversions<=1.2L
– Dobrowsersreallycheckthis?
SummaryandrecommendaHons
• RemovingRSA-PKCS#1v1.5fromTLSisanexcellentdecision– Notsufficienttoprotectcompletelyagainstweakness
• TLS1.3ismore“robust”thanQUIC– Butnotimmune– Signingephemeralvaluesisagoodidea
• RecommendaHonforfutureTLSversions:promotekeyseparaGon– TalktoX.509andsozwaredevelopers
25
![TLS 1.3: A Collision of Implementation, Standards, and ... · Stebila. A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol, 2016. [JSS15]Tibor](https://static.fdocuments.net/doc/165x107/5f21b93dee70283919239a1c/tls-13-a-collision-of-implementation-standards-and-stebila-a-cryptographic.jpg)
![A Cryptographic Analysis of the TLS 1.3 draft-10 Full and ... · full TLS-DHE (ACCE)[JKSS]2012 verified MITLS impl.[BFK+]2013 TLS-DH, TLS-RSA-CCA[KSS] multiple ciphersuites[KPW]](https://static.fdocuments.net/doc/165x107/5f8bccc223ce105af623c077/a-cryptographic-analysis-of-the-tls-13-draft-10-full-and-full-tls-dhe-accejkss2012.jpg)
![Partially Speci ed Channels: The TLS 1.3 Record Layer ... · The TLS 1.3 standard [30], whose record layer mechanism is the subject of this paper, contains numerous \SHOULDs", \SHOULD](https://static.fdocuments.net/doc/165x107/6052b6e3ec91165d3254ebf7/partially-speci-ed-channels-the-tls-13-record-layer-the-tls-13-standard-30.jpg)
