BULLETPROOF SSL AND TLS · 2020. 11. 2. · Mitigation 217 Protocol Downgrade Attacks 217 Rollback...

BULLETPROOF SSL AND TLSUnderstanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

Ivan Ristic�

Freeedition:GettingStarted

SECOND EDITION

Last update: Sat Oct 31 12:31:42 GMT 2020 (build 922)

BulletproofSSLandTLSSecondEdition

IvanRistić

https://www.feistyduck.com

BulletproofSSLandTLSby Ivan RistićCopyright © 2020 Feisty Duck Limited. All rights reserved.

Second edition draft. Build 922. First published in August 2014.ISBN: 978-1-907117-09-1

Feisty Duck [email protected]

Production editor: Jelena Girić-RistićTechnical reviewer: Matt CaswellCopyeditor: Melinda RankinCover illustration: Michael Lester

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form orby any means, without the prior permission in writing of the publisher.The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kindand assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in con-nection with or arising out of the use of the information or programs contained herein.

Feisty Duck DigitalBook Distributionwww.feistyduck.com

Licensed for the exclusive use of:Ivan Ristić <[email protected]>

Ivan Ristic

TableofContentsPrefacetoSecondEditionPreview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvPreface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

ScopeandAudience xviiiContents xixSSLversusTLS xxiOnlineResources xxiFeedback xxiAbouttheAuthor xxiiAcknowledgments xxii

1.SSL,TLS,andCryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1TransportLayerSecurity 1NetworkingLayers 2ProtocolHistory 3Cryptography 4

BuildingBlocks 5Protocols 14AttackingCryptography 16MeasuringStrength 16Man-in-the-MiddleAttacks 18

2.TLS1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23RecordProtocol 24

RecordStructure 24Encryption 26LengthHiding 27MessageFragmentation 28Subprotocols 28

HandshakeProtocol 29KeyExchange 31

Authentication 37

iii

TheTranscriptHash 37Certi!cate 37Certi!cateVerify 39Certi!cateRequest 39Finished 40Post-HandshakeAuthentication 40AuthenticationUsingPre-SharedKeys 40SessionResumption 42

AlertProtocol 43ConnectionClosure 44

CryptographicComputations 44KeyDerivation 45KeySchedule 46

Extensions 49CipherSuites 500-RTT 51

ImplementationDetails 520-RTTandForwardSecrecy 520-RTTandReplayAttacks 53Is0-RTTSafe? 54

Summary 543.TLS1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

RecordProtocol 58HandshakeProtocol 59

FullHandshake 60ClientAuthentication 66SessionResumption 68

KeyExchange 69RSAKeyExchange 72Dif!e-HellmanKeyExchange 72EllipticCurveDif!e-HellmanKeyExchange 74

Authentication 75Encryption 76

StreamEncryption 76BlockEncryption 77AuthenticatedEncryption 79

Renegotiation 79ApplicationDataProtocol 81AlertProtocol 81

iv

ConnectionClosure 82CryptographicOperations 82

PseudorandomFunction 82MasterSecret 83KeyGeneration 83

CipherSuites 84Extensions 86

ApplicationLayerProtocolNegotiation 87Certi!cateTransparency 88EllipticCurveCapabilities 88Heartbeat 89NextProtocolNegotiation 90SecureRenegotiation 91ServerNameIndication 92SessionTickets 92SignatureAlgorithms 93OCSPStapling 93

ProtocolLimitations 94DifferencesbetweenProtocolVersions 94

SSL3 95TLS1.0 95TLS1.1 95TLS1.2 96

4.PublicKeyInfrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97InternetPKI 97Standards 99Certi!cates 100

Certi!cateFields 101Certi!cateExtensions 102

Certi!cateChains 105RelyingParties 106Certi!cationAuthorities 108Certi!cateLifecycle 108Revocation 110Weaknesses 110RootKeyCompromise 113EcosystemMeasurements 114Improvements 116

5.AttacksagainstPKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

v

VeriSignMicrosoftCode-SigningCerti!cate 121Thawtelogin.live.com 122StartComBreach(2008) 123CertStar(Comodo)MozillaCerti!cate 123RapidSSLRogueCACerti!cate 124

Chosen-Pre!xCollisionAttack 126ConstructionofCollidingCerti!cates 126PredictingthePre!x 128WhatHappenedNext 130

ComodoResellersBreaches 130StartComBreach(2011) 132DigiNotar 133

PublicDiscovery 133FallofaCerti!cationAuthority 133Man-in-the-MiddleAttacks 136ComodoHackerClaimsResponsibility 137

DigiCertSdn.Bhd. 138Flame 139

FlameagainstWindowsUpdate 140FlameagainstWindowsTerminalServices 141FlameagainstMD5 141

TURKTRUST 143ANSSI 144NationalInformaticsCentreofIndia 145WidespreadSSLInterception 145

Gogo 146Super!shandFriends 146

CNNIC 148SymantecTestCerti!cates 148WoSignandStartCom 149VariousValidationIncidents 150SHA1FinallyFalls 152

Identical-Pre!xAttack 1536.HTTPandBrowserIssues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Sidejacking 155CookieStealing 157CookieManipulation 158

UnderstandingHTTPCookies 159CookieManipulationAttacks 160

vi

Impact 163Mitigation 164

SSLStripping 165MITMCerti!cates 167Certi!cateWarnings 168

WhySoManyInvalidCerti!cates? 168EffectivenessofCerti!cateWarnings 170Click-ThroughWarningsversusExceptions 171Mitigation 172

SecurityIndicators 172MixedContent 175

RootCauses 175Impact 177BrowserTreatment 178PrevalenceofMixedContent 179Mitigation 180

TowardaFullyEncryptedWeb 181ExtendedValidationCerti!cates 181Certi!cateRevocation 183

InadequateClient-SideSupport 183KeyIssueswithRevocation-CheckingStandards 184Certi!cateRevocationLists 185OnlineCerti!cateStatusProtocol 186

7.ImplementationIssues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Certi!cateValidationFlaws 194

LibraryandPlatformValidationFailures 194ApplicationValidationFailures 197HostnameValidationIssues 198

RandomNumberGeneration 200NetscapeNavigator(1994) 200Debian(2006) 201Insuf!cientEntropyonEmbeddedDevices 203

Heartbleed 204Impact 205Mitigation 206

FREAK 207ExportCryptography 208Attack 208ImpactandMitigation 211

vii

Logjam 212ActiveAttackagainstInsecureDHEKeyExchange 212PrecomputationAttackagainstInsecureDHEKeyExchange 214State-LevelThreatsagainstWeakDHKeyExchange 215Impact 215Mitigation 217

ProtocolDowngradeAttacks 217RollbackProtectioninSSL3 218InteroperabilityProblems 219VoluntaryProtocolDowngrade 221RollbackProtectioninTLS1.0andBetter 223AttackingVoluntaryProtocolDowngrade 224ModernRollbackDefenses 225GREASE:PreventingFutureInteroperabilityProblemsToday 226

TruncationAttacks 227TruncationAttackHistory 228CookieCutting 228

DeploymentWeaknesses 230VirtualHostConfusion 231TLSSessionCacheSharing 232

8.ProtocolAttacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233InsecureRenegotiation 233

WhyWasRenegotiationInsecure? 234TriggeringtheWeakness 235AttacksagainstHTTP 236AttacksagainstOtherProtocols 239InsecureRenegotiationIssuesIntroducedbyArchitecture 240Impact 240Mitigation 240DiscoveryandRemediationTimeline 241

BEAST 243HowtheAttackWorks 243Client-SideMitigation 247Server-SideMitigation 249History 250Impact 251

CompressionSideChannelAttacks 253HowtheCompressionOracleWorks 253HistoryofAttacks 255

viii

CRIME 256MitigationofAttacksagainstTLSandSPDY 264MitigationofAttacksagainstHTTPCompression 265

Lucky13 267WhatIsaPaddingOracle? 267AttacksagainstTLS 268Impact 269Mitigation 270

RC4Weaknesses 270KeySchedulingWeaknesses 271EarlySingle-ByteBiases 272BiasesacrosstheFirst256Bytes 273Double-ByteBiases 275SubsequentImprovedAttacks 276Mitigation:RC4versusBEAST,Lucky13,andPOODLE 276

TripleHandshakeAttack 278TheAttack 278Impact 283Prerequisites 284Mitigation 285

POODLE 286PracticalAttack 289Impact 290Mitigation 291

SLOTH 292AttacksagainstTLS 293Impact 294

DROWN 295AttacksagainstTLS 295Impact 296Mitigation 297

Sweet32 297Prerequisites 298Impact 300Mitigation 300

Bullrun 300DualEllipticCurveDeterministicRandomBitGenerator 301

9.Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303LatencyandConnectionManagement 304

ix

TCPOptimization 305ConnectionPersistence 306SPDY,HTTP/2,andBeyond 308ContentDeliveryNetworks 308

TLSProtocolOptimization 310KeyExchange 311Certi!cates 315RevocationChecking 316SessionResumption 317TransportOverhead 318SymmetricEncryption 320TLSRecordBufferingLatency 322Interoperability 324HardwareAcceleration 324

DenialofServiceAttacks 325KeyExchangeandEncryptionCPUCosts 326Client-InitiatedRenegotiation 327OptimizedTLSDenialofServiceAttacks 327

10.HSTS,CSP,andPinning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329HTTPStrictTransportSecurity 329

Con!guringHSTS 330EnsuringHostnameCoverage 331CookieSecurity 332AttackingHSTS 333BrowserSupport 335DeploymentChecklist 335PrivacyImplications 337

ContentSecurityPolicy 337PreventingMixedContentIssues 338PolicyTesting 339Reporting 340

Pinning 340WhattoPin? 341WheretoPin? 343ShouldYouUsePinning? 344PinninginNativeApplications 344ChromePublicKeyPinning 345Microsoft’sEnterpriseCerti!catePinning 347PublicKeyPinningExtensionforHTTP 347

x

DANE 349TrustAssertionsforCerti!cateKeys(TACK) 353Certi!cationAuthorityAuthorization 354

11.Con!gurationGuide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357PrivateKeysandCerti!cates 357

UseStrongPrivateKeys 357SecureYourPrivateKeys 358ChoosetheRightCerti!cationAuthority 359PreventCerti!cateWarnings 360ControlKeyandCerti!cateSharing 360ThinkChains,NotCerti!cates 361DeployCerti!cationAuthorityAuthorization 361AutomateCerti!cateRenewal 361UseCerti!cateTransparencyMonitoring 362

Con!guration 362UseSecureProtocols 362UseForwardSecrecy 363UseaStrongKeyExchange 363PrioritizetheBestCipherSuites 364UseSecureCipherSuites 364EnsureTicketKeysAreRotated 366MitigateKnownProblems 366SupportingLegacyPlatforms 367

HTTPandApplicationSecurity 368EncryptEverything 368SecureCookies 369DeployHTTPStrictTransportSecurity 369DeployContentSecurityPolicy 370DisableCaching 371BeAwareofIssueswithHTTPCompression 371UnderstandandAcknowledgeThird-PartyTrust 372

Performance 372Don’tUseTooMuchSecurity 372EnableSessionResumption 373OptimizeConnectionManagement 373EnableCachingofNonsensitiveContent 374UseFastCryptographicPrimitives 374

ValidateandMonitor 375AdvancedTopics 375

xi

12.OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377GettingStarted 377

DetermineOpenSSLVersionandCon!guration 378BuildingOpenSSL 379ExamineAvailableCommands 381BuildingaTrustStore 383

KeyandCerti!cateManagement 384KeyGeneration 385CreatingCerti!cateSigningRequests 388CreatingCSRsfromExistingCerti!cates 390UnattendedCSRGeneration 390SigningYourOwnCerti!cates 391CreatingCerti!catesValidforMultipleHostnames 392ExaminingCerti!cates 393ExaminingPublicCerti!cates 394KeyandCerti!cateConversion 397

Con!guration 400ObtainingSupportedSuites 400UnderstandingSecurityLevels 401Con!guringTLS1.3 403Con!guringOpenSSLDefaults 404RecommendedSuiteCon!guration 405GeneratingDHParameters 407LegacySuiteCon!guration 407

Performance 413CreatingaPrivateCerti!cationAuthority 416

FeaturesandLimitations 416CreatingaRootCA 417CreatingaSubordinateCA 423

13.TestingwithOpenSSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427Custom-CompileOpenSSLforTesting 427ConnectingtoTLSServices 428Certi!cateVeri!cation 432TestingProtocolsthatUpgradetoTLS 433ExtractingRemoteCerti!cates 433TestingProtocolSupport 434TestingCipherSuiteCon!guration 435TestingCipherSuitePreference 437TestingNamedGroups 439

xii

TestingDANE 440TestingSessionResumption 441KeepingSessionStateacrossConnections 443CheckingOCSPRevocation 444TestingOCSPStapling 446CheckingCRLRevocation 447TestingRenegotiation 449TestingforHeartbleed 451DeterminingtheStrengthofDif!e-HellmanParameters 454

14.Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

xiii

PrefacetoSecondEditionPreviewWelcome to the preview of the second edition of Bulletproof SSL and TLS. As I write this, it’sNovember 2020 and roughly seven years since we released the preview of the first edition. Iam happy to say that things have worked out approximately how I thought they would. Thefirst edition came out in 2014, but immediately in 2015 we released another version to keepup with the developments, and then a full revision followed in 2017. In 2018, the long-awaited TLS 1.3 protocol came out, making a big impact on the ecosystem. As a result, Istarted to plan the second edition, which needed to be a major rewrite. The trick was to be-gin writing when the support for this new protocol is stable across a range of technologies,so that the book is not obsolete the moment it comes out. And here we are.At this point, the key parts of the book have been written or rewritten. There is obviouslyone entirely new chapter to cover TLS 1.3. The two OpenSSL chapters have seen so manychanges that little text remains unchanged. (This is largely because Matt Caswell, a memberof the core OpenSSL team, joined me as technical reviewer. His insights have spurned me towrite more than planned.) I have also replaced the deployment chapter from the first edi-tion with a brand new configuration chapter that is better structured and touches on every-thing you need to know to setup everything just right.Some things have been removed. The chapters dealing with the Apache web server, Java,Microsoft technologies, and Nginx are now gone. When I originally started to write thisbook, I thought I would write about 250 pages, but the end result was closer to 600. On theone hand, there are so many details to convey, but, on the other, no one wants to read a bigbook. The new edition had to increase the amount of pages further, but I took a decision toremove some parts that I felt were not fully connected to the main body of content.Although there still remain several chapters to go through, I feel that the remaining changeswill fall in the supporting category. The bulk of the material is already here and ready foryou to enjoy. I continue with the remaining work and will publish the second edition whenit’s ready.

xv

PrefaceYou are about to undertake a journey into the mysterious world of cryptography. If you arelike me, and you find the journey equally challenging and rewarding, you may end up goingfurther and further. I write this in 2020, six years after the publication of the first edition ofBulletproof SSL and TLS, and my journey is still very much ongoing. Although I’d been auser of SSL since its beginnings, I developed a deep interest in it around 2004, when I start-ed to work on my first book, Apache Security. About five years later, in 2009, I was lookingfor something new to do; I decided to spend more time on SSL and TLS, and I’ve been fo-cusing on it ever since. The result is this book.My main reason for going back to SSL was the thought that I could improve things. I saw animportant technology hampered by a lack of tools and documentation. Cryptography is afascinating subject: it’s a field in which when you know more, you actually know less. Or, inother words, the more you know, the more you discover how much you don’t know. I can’tcount how many times I’ve had the experience of reaching a new level of understanding of acomplex topic only to have yet another layer of complexity open up to me; that’s what makesthe subject amazing.I spent about two years writing the first edition of this book. At first, I thought I’d be able tospread the effort so that I wouldn’t have to dedicate my life to it, but that didn’t work. Atsome point, I realized that things are changing so quickly that I constantly need to go backand rewrite the “finished” chapters. Toward the end, I had to spend every spare momentwriting to keep up. I am now working on the second edition, and the situation is very simi-lar. Since the first edition’s publication, TLS 1.3 was released, and that’s a brand-new proto-col that has led to many other changes elsewhere. It’s not surprising that I needed to write anew chapter for TLS 1.3. But in the next three chapters I worked on, I found there were deepchanges and a great deal of new content throughout there as well.I wrote this book to save you time. I spent many years learning everything I could aboutSSL/TLS and PKI, and I continue to keep my knowledge up to date. I know that only a fewcan afford to do the same. I thought that if I put the most important parts of what I know

xvii

into a book others might be able to achieve a similar level of understanding in a fraction ofthe time—and here we are.This book has the word “bulletproof ” in the title, but that doesn’t mean that TLS is unbreak-able. It does mean that if you follow the advice from this book you’ll be able to get the mostout of TLS and deploy it as securely as anyone else in the world. It’s not always going to beeasy—especially with web applications—but if you persist, you’ll have better security than99.99% of servers out there. In fact, even with little effort, you can actually have better secu-rity than 99% of the servers on the Internet.Broadly speaking, there are two paths you can take to read this book. One is to take it easyand start from the beginning. If you have time, this is going to be the more enjoyable ap-proach. I made sure to make the book approachable even if you have little experience withcryptography. You can also read the book from the end, so to speak, by starting with theconfiguration guide, which will give you practical advice you can use immediately. Afterthat, use the rest of the book as a reference guide as needed.

ScopeandAudienceThis book exists to document everything you need to know about SSL/TLS and PKI forpractical, daily work. I aimed for just the right mix of theory, protocol detail, vulnerabilityand weakness information, and deployment advice to help you get your job done.As I was writing the book, I imagined representatives of three diverse groups looking overmy shoulder and asking me questions:

System administratorsAlways pressed for time and forced to deal with an ever-increasing number of securi-ty issues on their systems, system administrators need reliable advice about TLS sothat they can deal with its configuration quickly and efficiently. Turning to the Webfor information on this subject is counterproductive, because there’s so much incor-rect and obsolete documentation out there.

DevelopersAlthough SSL initially promised to provide security transparently for any TCP-basedprotocol, in reality developers play a significant part in ensuring that applications re-main secure. This is particularly true for web applications, which evolved around SSLand TLS and incorporated features that can subvert them. In theory, you “just enableencryption”; in practice, you enable encryption but also pay attention to a dozen or soissues, ranging from small to big, that can break your security. In this book, I made aspecial effort to document every single one of those issues.

ManagersLast but not least, I wrote the book for managers who, even though not necessarilyinvolved with the implementation, still have to understand what’s going on and make

xviii Preface

decisions. The security space is getting increasingly complicated, so understandingthe attacks and threats is often a job in itself. Often, there isn’t any one way to dealwith the situation, and the best way often depends on the context.

Overall, you will find very good coverage of HTTP and web applications here but little to nomention of other protocols. This is largely because HTTP is unique in the way it uses en-cryption, powered by browsers, which have become the most popular application-deliveryplatform we’ve ever had. With that power come many problems, which is why there is somuch space dedicated to HTTP.But don’t let that deceive you; if you take away the HTTP chapters, the remaining content(about two-thirds of the book) provides generic advice that can be applied to any protocolthat uses TLS.

ContentsThis book has 13 chapters, which can be grouped into several parts. The parts build on oneanother to provide a complete picture, starting with theory and ending with practical ad-vice.The first part, chapters 1 through 4, is the foundation of the book and discusses cryptogra-phy, SSL, TLS, and PKI:

• Chapter 1, SSL, TLS, and Cryptography, begins with an introduction to SSL and TLSand discusses where these secure protocols fit in the Internet infrastructure. The re-mainder of the chapter provides an introduction to cryptography and discusses theclassic threat model of the active network attacker.

• Chapter 2, TLS 1.3, discusses TLS 1.3, the most recent protocol revision. At the time ofwriting, TLS 1.3 is well supported by both clients and servers, and widely used. This isthe chapter you should read to understand how things work today.

• Chapter 3, TLS 1.2, discusses TLS 1.2, which is still very much relevant and needed inpractice. Understanding this protocol is also very useful to understand what improve-ments were made in TLS 1.3 and why. Information about earlier protocol revisions isprovided where appropriate. An overview of the protocol evolution from SSL 3 on-wards is included at the end for reference.

• Chapter 4, Public Key Infrastructure, is an introduction to Internet PKI, which is thepredominant trust model used on the Internet today. The focus is on the standards andorganizations as well as governance, ecosystem weaknesses and possible future im-provements.

The second part, chapters 5 through 8, details the various problems with trust infrastruc-ture, our security protocols, and their implementations in libraries and programs:

Contents xix

• Chapter 5, Attacks against PKI, deals with attacks on the trust ecosystem. It covers allthe major CA compromises, detailing the weaknesses, attacks, and consequences. Thischapter gives a thorough historical perspective on the security of the PKI ecosystem,which is important for understanding its evolution.

• Chapter 6, HTTP and Browser Issues, is all about the relationship between HTTP andTLS, the problems arising from the organic growth of the Web, and the messy interac-tions between different pieces of the web ecosystem.

• Chapter 7, Implementation Issues, deals with issues arising from design and program-ming mistakes related to random number generation, certificate validation, and otherkey TLS and PKI functionality. In addition, it discusses voluntary protocol downgradeand truncation attacks, as well as high-profile issues, such as Heartbleed, FREAK, andLogjam.

• Chapter 8, Protocol Attacks, is the longest chapter in the book. It covers all the majorprotocol flaws discovered in recent years: insecure renegotiation, BEAST, CRIME,Lucky 13, POODLE and POODLE TLS, RC4, TIME and BREACH, and Triple Hand-shake Attack. A brief discussion of Bullrun and its impact on the security of TLS is alsoincluded.

The third part, chapters 9 through 11, provides comprehensive advice about deploying TLSin a secure and efficient fashion:

• Chapter 9, Performance, focuses on the speed of TLS, going into great detail about vari-ous performance improvement techniques for those who want to squeeze every bit ofspeed out of their servers.

• Chapter 10, HSTS, CSP, and Pinning, covers some advanced topics that strengthen webapplications, such as HTTP Strict Transport Security and Content Security Policy. Italso covers pinning, which is an effective way of reducing the large attack surface im-posed by our current PKI model.

• Chapter 11, Configuration Guide, is the map for the entire book and provides step-by-step instructions on how to deploy secure and well-performing TLS servers and webapplications.

The fourth and final part consists of chapters 12 and 13, which focus on OpenSSL, the defacto standard for everyday TLS and PKI work on the command line:

• Chapter 12, OpenSSL, describes the most frequently used OpenSSL functionality, witha focus on installation, configuration, and key and certificate management. The lastsection in this chapter provides instructions on how to construct and manage a privatecertification authority.

• Chapter 13, Testing with OpenSSL, continues with OpenSSL and explains how to use itscommand-line tools to test server configuration. Even though it’s often much easier to

xx Preface

use an automated tool for testing, OpenSSL remains the tool you turn to when youwant to be sure about what’s going on.

SSLversusTLSIt is unfortunate that we have two names for essentially the same protocol. In my experi-ence, most people are familiar with the name SSL and use it in the context of transport layerencryption. Some people, usually those who spend more time with the protocols, use or tryto make themselves use the correct name, whichever is right in the given context. It’s proba-bly a lost cause. Despite that, I tried to do the same. It was a bit cumbersome at times, but Ithink I managed to achieve it by (1) avoiding either name where possible, (2) mentioningwhere advice applies to all protocol versions, and (3) using TLS in all other cases. You prob-ably won’t notice, and that’s fine.

OnlineResourcesThis book doesn’t have an online companion, but it does have an online file repository thatcontains the files referenced in the text. The repository is available at github.com/ivanr/bulletproof-tls.To be notified of events and news as they happen, follow @ivanristic on Twitter. TLS is all Ido these days, and I try to highlight everything that’s relevant. There’s hardly any noise. Inaddition, my Twitter account is where I will mention improvements to the book as theyhappen.You may also want to keep an eye on my blog, which is at blog.ivanristic.com. To be honest, Idon’t publish much these days, probably because, if I am not working on this book, I amspending all of my time on my startup called Hardenize, which is all about making the bestof the available security standards. If you like this book, I suspect you will like Hardenize aswell; check it out at www.hardenize.com.If you have access to this book in digital form, you should periodically log into your accounton the Feisty Duck web site to download the most recent version. Your access includes un-limited updates of the same edition. As an option, you may get an occasional email whennew content becomes available or when something very important happens (e.g., a newprotocol flaw is discovered).

FeedbackI am fortunate that I can update this book whenever I want to. It’s not a coincidence; Iworked hard to make it that way. I published my first book with a traditional publisher anddidn’t enjoy the fact that your book is set in stone once it’s out. So, for my other books, I

SSLversusTLS xxi

built a platform for continuous publishing. If I make a change today, it will be available toyou tomorrow, after an automated daily build takes place. It’s a tad more difficult to updatepaper books, but with print on demand we’re able to publish new revisions whenever thereis need.Therefore, unlike with many other books that might never see a new edition, your feedbackmatters. If you find an error, it will be fixed in a few days. The same is true for minor im-provements, such as language changes or clarifications. If one of the platforms changes insome way or there’s a new development, I can cover it. My aim with this book is to keep itup-to-date for as long as there’s interest in it.Please write to me at [email protected].

AbouttheAuthorIn this section, I get to write about myself in third person; this is my “official” biography:

Ivan Ristić is a security researcher, engineer, and author, known for his contri-bution to the web application firewall field and development of ModSecurity,an open source web application firewall, and for his SSL/TLS and PKI re-search, tools, and guides published on the SSL Labs web site.He has written three books—Apache Security, ModSecurity Handbook, andBulletproof SSL and TLS—which he publishes via Feisty Duck, his own plat-form for continuous publishing. Ivan is an active participant in the securitycommunity, and you’ll often find him speaking at security conferences such asBlack Hat, RSA, OWASP AppSec, and others.

AcknowledgmentsAlthough I wrote all of the words in this book, I am not the sole author. My work builds onan incredible wealth of information about cryptography and computer security scatteredamong books, standards documents, research papers, conference talks, and blog posts—andeven tweets. There are hundreds of people whose work made this book what it is.Over the years, I have been fortunate to correspond about computer security with manypeople who have enriched my own knowledge of this subject. Many of them lent me a handby reviewing parts of the manuscript. I am grateful for their help. It’s been particularly com-forting to have the key parts of the book reviewed by those who either designed the stan-dards or broke them and by those who wrote the programs I talk about.Kenny Paterson was tremendously helpful with his thorough review of the protocol attackschapter, which is easily the longest and the most complicated part of the book. I suspect he

xxii Preface

gave me the same treatment his students get, and my writing is much better because of it. Ittook me an entire week to update the chapter in response to Kenny’s comments.It’s been thrilling and comforting to work on the OpenSSL Chapters with Matt Caswell, whois a member of the core OpenSSL development team. Matt provided me with detail and in-sights only someone deeply familiar with the subject matter can give.Benne de Weger reviewed the chapters about cryptography and the PKI attacks. Nasko Os-kov reviewed the key chapters about the protocol and Microsoft’s implementation. Rick An-drews and his colleagues from Symantec helped with the chapters on PKI attacks andbrowser issues, as did Adam Langley. Marc Stevens wrote to me about PKI attacks and espe-cially about chosen-prefix attacks against MD5 and SHA1. Nadhem AlFardan, Thai Duong,and Juliano Rizzo reviewed the protocol attacks chapter and were very helpful answeringmy questions about their work. Ilya Grigorik’s review of the performance chapter was thor-ough and his comments very useful. Jakob Schlyter reviewed the chapter about advancedtopics (HSTS and CSP), with a special focus on DANE.Vincent Bernat’s microbenchmarking tool was very useful to me when I was writing theperformance chapter.Eric Lawrence sent me hundreds of notes and questions. I never thought I would see a re-view that thorough. Eric is every author’s dream reviewer, and I am incredibly grateful forhis attention.Also, a big thanks to my readers who sent me great feedback: Pascal Cuoq, Joost van Dijk,Daniël van Eeden, Dr Stephen N. Henson, Brian Howson, Rainer Jung, SaravananMusuwathi Kesavan, Brian King, Hendrik Klinge, Olivier Levillain, Colm MacCárthaigh,Dave Novick, Pascal Messerli, and Christian Sage.My special thanks goes to my copyeditor, Melinda Rankin, who was always quick to re-spond with her edits and adapted to my DocBook-based workflow.

Acknowledgments xxiii

1SSL,TLS,andCryptographyWe live in an increasingly connected world. During the last decade of the 20th century theInternet rose to popularity and forever changed how we live our lives. Today we rely on ourphones and computers to communicate, buy goods, pay bills, travel, work, and so on. Manyof us, with always-on devices in our pockets, don’t connect to the Internet, we are the Inter-net. There are already more phones than people. The number of smart phones is measuredin billions and increases at a fast pace. In the meantime, plans are under way to connect allsorts of devices to the same network. Clearly, we’re just getting started.All the devices connected to the Internet have one thing in common—they rely on the pro-tocols called SSL (Secure Socket Layer) and TLS (Transport Layer Security) to protect the in-formation in transit.

TransportLayerSecurityWhen the Internet was originally designed, little thought was given to security. As a result,the core communication protocols are inherently insecure and rely on the honest behaviorof all involved parties. That might have worked back in the day, when the Internet consistedof a small number of nodes—mostly at universities—but falls apart completely today wheneveryone is online.SSL and TLS are cryptographic protocols designed to provide secure communication overinsecure infrastructure. What this means is that, if these protocols are properly deployed,you can open a communication channel to an arbitrary service on the Internet, be reason-ably sure that you’re talking to the correct server, and exchange information safe in knowingthat your data won’t fall into someone else’s hands and that it will be received intact. Theseprotocols protect the communication link or transport layer, which is where the name TLScomes from.Security is not the only goal of TLS. It actually has four main goals, listed here in the orderof priority:

1

Cryptographic securityThis is the main issue: enable secure communication between any two parties whowish to exchange information.

InteroperabilityIndependent programmers should be able to develop programs and libraries that areable to communicate with one another using common cryptographic parameters.

ExtensibilityAs you will soon see, TLS is effectively a framework for the development and deploy-ment of cryptographic protocols. Its important goal is to be independent of the actualcryptographic primitives (e.g., ciphers and hashing functions) used, allowing migra-tion from one primitive to another without needing to create new protocols.

EfficiencyThe final goal is to achieve all of the previous goals at an acceptable performance cost,reducing costly cryptographic operations down to the minimum and providing a ses-sion caching scheme to avoid them on subsequent connections.

NetworkingLayersAt its core, the Internet is built on top of protocols called IP (Internet Protocol) and TCP(Transmission Control Protocol), which are used to package data into small packets for trans-port. As these packets travel thousands of miles across the world, they cross many computersystems (called hops) in many countries. Because the core protocols don’t provide any secu-rity by themselves, anyone with access to the communication links can gain full access tothe data as well as change the traffic without detection.IP and TCP aren’t the only vulnerable protocols. There’s a range of other protocols that areused for routing—helping computers find other computers on the network. DNS and BGPare two such protocols. They, too, are insecure and can be hijacked in a variety of ways. Ifthat happens, a connection intended for one computer might be answered by the attackerinstead.When encryption is deployed, the attacker might be able to gain access to the encrypted da-ta, but she wouldn’t be able to decrypt it or modify it. To prevent impersonation attacks, SSLand TLS rely on another important technology called PKI (public key infrastructure), whichensures that the traffic is sent to the correct recipient.To understand where SSL and TLS fit, we’re going to take a look at the Open Systems Inter-connection (OSI) model, which is a conceptional model that can be used to discuss networkcommunication. In short, all functionality is mapped into seven layers. The bottom layer isthe closest to the physical communication link; subsequent layers build on top of one anoth-

2 Chapter1:SSL,TLS,andCryptography

er and provide higher levels of abstraction. At the top is the application layer, which carriesapplication data.

NoteIt’s not always possible to neatly organize real-life protocols into the OSI model. Forexample, SPDY and HTTP/2 could go into the session layer because they deal withconnection management, but they operate after encryption. QUIC and HTTP/3make this even more complicated, because they take control of the transport layer.

Table1.1.OSImodellayers

# OSILayer Description Exampleprotocols

7 Application Applicationdata HTTP,SMTP,IMAP

6 Presentation Datarepresentation,conversion,encryption SSL/TLS

5 Session Managementofmultipleconnections -

4 Transport Reliabledeliveryofpacketsandstreams TCP,UDP

3 Network Routinganddeliveryofdatagramsbetweennetworknodes IP,IPSec

2 Datalink Reliablelocaldataconnection(LAN) Ethernet

1 Physical Directphysicaldataconnection(cables) CAT5

Arranging communication in this way provides clean separation of concerns; protocolsdon’t need to worry about the functionality implemented by lower layers. Further, protocolsat different layers can be added and removed; a protocol at a lower layer can be used formany protocols from higher levels.SSL and TLS are a great example of how this principle works in practice. They sit above TCPbut below higher-level protocols such as HTTP. When encryption is not necessary, we canremove TLS from our model, but that doesn’t affect the higher-level protocols, which con-tinue to work directly with TCP. When you do want encryption, you can use it to encryptHTTP, but also any other TCP protocol, for example SMTP, IMAP and so on.

ProtocolHistorySSL protocol was developed at Netscape, back when Netscape Navigator ruled the Internet.1The first version of the protocol never saw the light of day, but the next—version 2—wasreleased in November 1994. The first deployment was in Netscape Navigator 1.1, which wasreleased in March 1995.

1ForamuchmoredetailedhistoryoftheearlyyearsoftheSSLprotocol,IrecommendEricRescorla’sbookSSLandTLS:DesigningandBuildingSecureSystems(Addison-Wesley,2001),pages47–51.

ProtocolHistory 3

Developed with little to no consultation with security experts outside Netscape, SSL 2 endedup being a poor protocol with serious weaknesses. This forced Netscape to work on SSL 3,which was released in late 1995. Despite sharing the name with earlier protocol versions,SSL 3 was a brand new protocol design that established the design we know today.In May 1996, the TLS working group was formed to migrate SSL from Netscape to IETF.2The process was painfully slow because of the political fights between Microsoft andNetscape, a consequence of the larger fight to dominate the Web. TLS 1.0 was finally re-leased in January 1999, as RFC 2246. Although the differences from SSL 3 were not big, thename was changed to please Microsoft.3

The next version, TLS 1.1, wasn’t released until April 2006 and contained essentially onlysecurity fixes. However, a major change to the protocol was incorporation of TLS extensions,which were released a couple of years earlier, in June 2003.TLS 1.2 was released in August 2008. It added support for authenticated encryption andgenerally removed all hard-coded security primitives from the specification, making theprotocol fully flexible.The next protocol version, TLS 1.3, spent a lot of time in development, with the work start-ing in late 2013 and the final RFC released in August 2018. Although initially it seemed thatthis update would only incorporate small incremental improvements, over time it turned in-to a complete protocol rewrite that kept backward compatibility, simplified the design, im-proved performance, and removed old and weak features. As always, you can follow all dis-cussions related to TLS on the TLS working group mailing list.4

CryptographyCryptography is the science and art of secure communication. Although we associate en-cryption with the modern age, we’ve actually been using cryptography for thousands ofyears. The first mention of a scytale, an encryption tool, dates to the seventh century BC.5Cryptography as we know it today was largely born in the twentieth century and for mili-tary use. Now it’s part of our everyday lives.When cryptography is correctly deployed, it addresses the three core requirements of secu-rity: keeping secrets (confidentiality), verifying identities (authenticity), and ensuring safetransport (integrity).In the rest of this chapter, I will discuss the basic building blocks of cryptography, with thegoal of showing where additional security comes from. I will also discuss how cryptography

2TLSWorkingGroup(IETF,retrieved23June2014)3SecurityStandardsandNameChangesintheBrowserWars(TimDierks,23May2014)4TLSworkinggroupmailinglistarchives(IETF,retrieved13March2017)5Scytale(Wikipedia,retrieved5June2014)


https://datatracker.ietf.org/wg/tls/documents/

http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html

http://www.ietf.org/mail-archive/web/tls/current/

https://en.wikipedia.org/wiki/Scytale

is commonly attacked. Cryptography is a very diverse field and has a strong basis in mathe-matics, but I will keep my overview at a high level, with the aim of giving you a foundationthat will enable you to follow the discussion in the rest of the text. Elsewhere in the book,where the topic demands, I will discuss some parts of cryptography in more detail.

NoteIf you want to spend more time learning about cryptography, there’s plenty of goodliterature available. My favorite book on this topic is Understanding Cryptography,written by Christof Paar and Jan Pelzl and published by Springer in 2010.

BuildingBlocksAt the lowest level, cryptography relies on various cryptographic primitives. Each primitive isdesigned with a particular useful functionality in mind. For example, we might use oneprimitive for encryption and another for integrity checking. The primitives alone are notvery useful, but we can combine them into schemes and protocols to provide robust security.

WhoAreAliceandBob?Alice and Bob are names commonly used for convenience when discussing cryptography.6They make the otherwise often dry subject matter more interesting. Ron Rivest is credited forthe first use of these names in the 1977 paper that introduced the RSA cryptosystem.7 Sincethen, a number of other names have entered cryptographic literature. In this chapter, I use thename Eve for an attacker with an eavesdropping ability and Mallory for an active attacker whocan interfere with network traffic.

SymmetricEncryptionSymmetric encryption (or private-key cryptography) is a method for obfuscation that enablessecure transport of data over insecure communication channels. To communicate securely,Alice and Bob first agree on the encryption algorithm and a secret key. Later on, when Alicewants to send some data to Bob, she uses the secret key to encrypt the data. Bob uses thesame key to decrypt it. Eve, who has access to the communication channel and can see theencrypted data, doesn’t have the key and thus can’t access the original data. Alice and Bobcan continue to communicate securely for as long as they keep the secret key safe. Symmet-ric encryption is illustrated in Figure 1.1, “Symmetric encryption”

6AliceandBob(Wikipedia,retrieved5June2014)7Security’sinseparablecouple(NetworkWorld,2005)

BuildingBlocks 5

https://en.wikipedia.org/wiki/Alice_and_Bob

http://www.networkworld.com/article/2318241/lan-wan/security-s-inseparable-couple.html

NoteThree terms are commonly used when discussing encryption: plaintext is the datain its original form, cipher is the algorithm used for encryption, and ciphertext isthe data after encryption.

Symmetric encryption goes back thousands of years. For example, to encrypt with a substi-tution cipher, you replace each letter in the alphabet with some other letter; to decrypt, youreverse the process. In this case, there is no key; the security depends on keeping themethod itself secret. That was the case with most early ciphers. Over time, we adopted adifferent approach, following the observation of a nineteenth-century cryptographer namedAuguste Kerckhoffs:8

A cryptosystem should be secure even if the attacker knows everything aboutthe system, except the secret key.

Although it might seem strange at first, Kerckhoffs’s principle—as it has come to be known—makes sense if you consider the following:

• For an encryption algorithm to be useful, it must be shared with others. As the numberof people with access to the algorithm increases, the likelihood that the algorithm willfall into the enemy’s hands increases too.

• A single algorithm without a key is very inconvenient to use in large groups; everyonecan decrypt everyone’s communication.

• It’s very difficult to design good encryption algorithms. The more exposure and scruti-ny an algorithm gets, the more secure it can be. Cryptographers recommend a conser-vative approach when adopting new algorithms; it usually takes years of breaking at-tempts until a cipher is considered secure.

8lacryptographiemilitaire(FabienPetitcolas,retrieved1June2014)

Figure1.1.Symmetricencryption

Secretkey Secretkey

BOB ALICE

DecryptEncrypt

Originaldocument

Encrypteddocument

Originaldocument


http://petitcolas.net/kerckhoffs/

A good encryption algorithm is one that produces seemingly random ciphertext, whichcan’t be analyzed by the attacker to reveal any information about plaintext. For example, thesubstitution cipher is not a good algorithm, because the attacker could determine the fre-quency of each letter of ciphertext and compare it with the frequency of the letters in theEnglish language. Because some letters appear more often than others, the attacker coulduse his observations to recover the plaintext. If a cipher is good, the only option for the at-tacker should be to try all possible decryption keys, otherwise known as an exhaustive keysearch.At this point, the security of ciphertext depends entirely on the key. If the key is selectedfrom a large keyspace and breaking the encryption requires iterating through a prohibitivelylarge number of possible keys, then we say that a cipher is computationally secure.

NoteThe common way to measure encryption strength is via key length; the assumptionis that keys are essentially random, which means that the keyspace is defined by thenumber of bits in a key. As an example, a 128-bit key (which is considered very se-cure) is one of 340 billion billion billion billion possible combinations.

Ciphers can be divided into two groups: stream and block ciphers.

StreamCiphersConceptually, stream ciphers operate in a way that matches how we tend to imagine encryp-tion. You feed one byte of plaintext to the encryption algorithm, and out comes one byte ofciphertext. The reverse happens at the other end. The process is repeated for as long as thereis data to process.At its core, a stream cipher produces an infinite stream of seemingly random data called akeystream. To perform encryption, one byte of keystream is combined with one byte ofplaintext using the XOR logical operation. Because XOR is reversible, to decrypt you per-form XOR of ciphertext with the same keystream byte. This process is illustrated in Fig-ure 1.2, “RC4 encryption”.An encryption process is considered secure if the attacker can’t predict which keystreambytes are at which positions. For this reason, it is vital that stream ciphers are never usedwith the same key more than once. This is because, in practice, attackers know or can pre-dict plaintext at certain locations (think of HTTP requests being encrypted; things such asrequest method, protocol version, and header names are the same across many requests).When you know the plaintext and can observe the corresponding ciphertext, you uncoverparts of the keystream. You can use that information to uncover the same parts of futureciphertexts if the same key is used. To work around this problem, stream algorithms areused with one-time keys derived from long-term keys.

BuildingBlocks 7

RC4 is the best-known stream cipher.9 It became popular due to its speed and simplicity, butit’s no longer considered secure. I discuss its weaknesses at some length in the section called“RC4 Weaknesses” in Chapter 8. Other modern and secure stream ciphers are promoted bythe ECRYPT Stream Cipher Project.10

BlockCiphersBlock ciphers encrypt entire blocks of data at a time; modern block ciphers tend to use ablock size of 128 bits (16 bytes). A block cipher is a transformation function: it takes someinput and produces output that appears random. For every possible input combination,there is exactly one output, as long as the key stays the same. A key property of block ci-phers is that a small variation in input (e.g., a change of one bit anywhere) produces a largevariation in output.On their own, block ciphers are not very useful because of several limitations. First, you canonly use them to encrypt data lengths equal to the size of the encryption block. To use ablock cipher in practice, you need a scheme to handle data of arbitrary length. Anotherproblem is that block ciphers are deterministic; they always produce the same output for thesame input. This property opens up a number of attacks and needs to be dealt with.In practice, block ciphers are used via encryption schemes called block cipher modes, whichsmooth over the limitations and sometimes add authentication to the mix. Block cipherscan also be used as the basis for other cryptographic primitives, such as hash functions,message authentication codes, pseudorandom generators, and even stream ciphers.The world’s most popular block cipher is AES (short for Advanced Encryption Standard),which is available in strengths of 128, 192, and 256 bits.11

9RC4(Wikipedia,retrieved1June2014)

Figure1.2.RC4encryption

Ciphertext1 1 0 0

0 1 1 0 Plaintext

Key RC4 Keystream1 0 1 0


https://en.wikipedia.org/wiki/RC4

PaddingOne of the challenges with block ciphers is figuring out how to handle encryption of datalengths smaller than the encryption block size. For example, 128-bit AES requires 16 bytesof input data and produces the same amount as output. This is fine if you have all of yourdata in 16-byte blocks, but what do you do when you have less than that? One approach isto append some extra data to the end of your plaintext. This extra data is known as padding.The padding can’t consist of just any random data. It must follow some format that allowsthe receiver to see the padding for what it is and know exactly how many bytes to discard. InTLS, the last byte of an encryption block contains padding length, which indicates howmany bytes of padding (excluding the padding length byte) there are. All padding bytes areset to the same value as the padding length byte. This approach enables the receiver to checkthat the padding is correct.

Figure1.3.ExampleofTLSpadding

3 3 3348H

65e

6Cl

6Cl

21!

6Fo

6Fo

77w

72r

6Cl

64d

Padding

Paddinglength

To discard the padding after decryption, the receiver examines the last byte in the datablock and removes it. After that, he removes the indicated number of bytes while checkingthat they all have the same value.

HashFunctionsA hash function is an algorithm that converts input of arbitrary length into small, fixed-sizeoutput. The result of a hash function is often called simply a hash. Hash functions are com-monly used in programming, but not all hash functions are suitable for use in cryptography.Cryptographic hash functions are hash functions that have several additional properties:

Preimage resistanceGiven a hash, it’s computationally unfeasible to find or construct a message that pro-duces it.

Second preimage resistanceGiven a message and its hash, it’s computationally unfeasible to find a different mes-sage with the same hash.

10eSTREAM:theECRYPTStreamCipherProject(EuropeanNetworkofExcellenceinCryptologyII,retrieved1June2014)11AdvancedEncryptionStandard(Wikipedia,retrieved1June2014)

BuildingBlocks 9

http://www.ecrypt.eu.org/stream/

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Collision resistanceIt’s computationally unfeasible to find two messages that have the same hash.

Hash functions are most commonly used as a compact way to represent and compare largeamounts of data. For example, rather than compare two files directly (which might be diffi-cult, for example, if they are stored in different parts of the world), you can compare theirhashes. Hash functions are often called fingerprints, message digests, or simply digests.Today, hash functions from the SHA2 and SHA3 families are examples of secure hash func-tions. Others—for example, SHA1 and MD5—are now considered insecure and shouldn’t beused. Unlike with ciphers, the strength of a hash function doesn’t equal the hash length. Be-cause of the birthday paradox (a well-known problem in probability theory),12 the strengthof a hash function is at most one half of the hash length.

MessageAuthenticationCodesA hash function could be used to verify data integrity, but only if the hash of the data istransported separately from the data itself. Otherwise, an attacker could modify both themessage and the hash, easily avoiding detection. A message authentication code (MAC) or akeyed-hash is a cryptographic function that extends hashing with authentication. Only thosein possession of the hashing key can produce a valid MAC.MACs are commonly used in combination with encryption. Even though Mallory can’t de-crypt ciphertext, she can modify it in transit if there is no MAC; encryption provides confi-dentiality but not integrity. If Mallory is smart about how she’s modifying ciphertext, shecould trick Bob into accepting a forged message as authentic. When a MAC is sent alongwith ciphertext, Bob (who shares the hashing key with Alice) can be sure that the messagehas not been tampered with.Any hash function can be used as the basis for a MAC using a construction known asHMAC (short for hash-based message authentication code).13 In essence, HMAC works byinterleaving the hashing key with the message in a secure way.

BlockCipherModesBlock cipher modes are cryptographic schemes designed to extend block ciphers to encryptdata of arbitrary length. All block cipher modes support confidentiality, but some combineit with authentication. Some modes transform block ciphers to produce stream ciphers.There are many output modes, and they are usually referred to by their acronyms: ECB,CBC, CFB, OFB, CTR, GCM, and so forth. (Don’t worry about what the acronyms standfor.) I will discuss only ECB and CBC here: ECB as an example of how not to design a block

12Birthdayproblem(Wikipedia,retrieved6June2014)13RFC2104:HMAC:Keyed-HashingforMessageAuthentication(Krawczyketal.,February1997)


https://en.wikipedia.org/wiki/Birthday_problem

http://tools.ietf.org/html/rfc2104

cipher mode and CBC because it was used heavily in TLS until version 1.3. Authenticatedcipher suites (e.g., GCM) first appeared in TLS 1.2; they provide confidentiality and integri-ty in the same package and avoid the design problem inherent in CBC suites.

ElectronicCodebookModeElectronic Codebook (ECB) mode is the simplest possible block cipher mode. It supports on-ly data lengths that are the exact multiples of the block size; if you have data of differentlength, then you need to apply padding beforehand. To perform encryption, you split thedata into chunks that match the block size and encrypt each block individually.The simplicity of ECB is its downside. Because block ciphers are deterministic (i.e., they al-ways produce the same result when the input is the same), so is ECB. This has serious con-sequences: (1) patterns in ciphertext will appear that match patterns in plaintext; (2) the at-tacker can detect when a message is repeated; and (3) an attacker who can observe cipher-text and submit arbitrary plaintext for encryption (commonly possible with HTTP and inmany other situations) can, given enough attempts, guess the plaintext. This is what theBEAST attack against TLS was about; I discuss it in the section called “BEAST” in Chap-ter 8.

CipherBlockChainingModeCipher Block Chaining (CBC), illustrated in Figure 1.4, “CBC mode encryption”, is the nextstep up from ECB. To address the deterministic nature of ECB, CBC introduces the conceptof the initialization vector (IV), which makes output different every time, even when input isthe same.

Figure1.4.CBCmodeencryption

M2

C2/IV3

M3

C3

Messageblock3

Encrypt

Ciphertextblock3

Messageblock2

Encrypt

Ciphertextblock2

IV1

C1/IV2

Ciphertextblock1

Encrypt

M1

Messageblock1

BuildingBlocks 11

The process starts by generating a random (and thus unpredictable) IV, which is the samelength as the encryption block size. Before encryption, the first block of plaintext is com-bined with the IV using XOR. This masks the plaintext and ensures that the ciphertext isalways different. For the next encryption block, the ciphertext of the previous block is usedas the IV, and so forth. As a result, all of the individual encryption operations are part of thesame chain, which is where the mode name comes from. Crucially, the IV is transmitted onthe wire to the receiving party, who needs it to perform decryption successfully.

AsymmetricEncryptionSymmetric encryption does a great job at handling large amounts of data at great speeds,but it leaves a lot to be desired as soon as the number of parties involved increases:

• Members of the same group must share the same key. The more people join a group,the more exposed the group becomes to the key compromise.

• For better security, you could use a different key for every two people, but this ap-proach doesn’t scale. Although three people need only three keys, ten people wouldneed 45 (9 + 8 + . . . + 1) keys. A thousand people would need 499,500 keys!

• Symmetric encryption can’t be used on unattended systems to secure data. Because theprocess can be reversed by using the same key, a compromise of such a system leads tothe compromise of all data stored in the system.

Asymmetric encryption (also known as public key cryptography) is a different approach toencryption that uses two keys instead of one. One of the keys is private; the other is public.As the names suggest, one of these keys is intended to be private, and the other is intendedto be shared with everyone. There’s a special mathematical relationship between these keysthat enables some useful features. If you encrypt data using someone’s public key, only theircorresponding private key can decrypt it. On the other hand, if data is encrypted with theprivate key anyone can use the public key to unlock the message. The latter operationdoesn’t provide confidentiality, but it does function as a digital signature.

Figure1.5.Asymmetricencryption

Alice’spublickey Alice’sprivatekey

BOB ALICE

DecryptEncrypt

Originaldocument

Encrypteddocument

Originaldocument


Asymmetric encryption makes secure communication in large groups much easier. Assum-ing that you can securely share your public key widely (a job for PKI, which I discuss inChapter 4, Public Key Infrastructure), anyone can send you a message that only you canread. If they also sign that message using their private key, you know exactly whom it isfrom.Despite its interesting properties, public key cryptography is rather slow and unsuitable foruse with large quantities of data. For this reason, it’s usually deployed for authentication andnegotiation of shared secrets, which are then used for fast symmetric encryption.RSA (named from the initials of Ron Rivest, Adi Shamir, and Leonard Adleman) is by farthe most popular asymmetric encryption method deployed today.14 The recommendedstrength for RSA today is 2,048 bits, which is equivalent to about 112 symmetric bits. I’lldiscuss the strength of cryptography in more detail later in this chapter.

DigitalSignaturesA digital signature is a cryptographic scheme that allows us to verify the authenticity of adigital message or document. The MAC, which I described earlier, is a type of digital signa-ture; it can be used to verify authenticity provided that the secret hashing key is securelyexchanged ahead of time. Although this type of verification is very useful in certain situa-tions, it’s inherently limited because it still relies on a shared secret key.Digital signatures similar to the real-life handwritten ones are possible with the help of pub-lic key cryptography; we can exploit its asymmetric nature to devise an algorithm that al-lows a message signed by a private key to be verified with the corresponding public key.The exact approach depends on the selected public key cryptosystem. For example, RSA canbe used for encryption and decryption. If something is encrypted with a private RSA key,only the corresponding public key can decrypt it. We can use this property for digital sign-ing if we combine it with hash functions:

1. Calculate a hash of the document you wish to sign; no matter the size of the input doc-ument, the output will always be fixed, for example, 256 bits for SHA256.

2. Encode the resulting hash and some additional metadata. For example, the receiverwill need to know the hashing algorithm you used before she can process the signa-ture.

3. Encrypt the encoded hash using the private key; the result will be the signature, whichyou can append to the document as proof of authenticity.

To verify the signature, the receiver takes the document and calculates the hash indepen-dently using the same algorithm. Then, she uses your public key to decrypt the message and

14RSA(Wikipedia,retrieved2June2014)

BuildingBlocks 13

https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29

recover the hash, confirm that the correct algorithms were used, and compare the decryptedhash with the one she calculated. The strength of this signature scheme depends on the indi-vidual strengths of the encryption, hashing, and encoding components.

NoteNot all digital signature algorithms function in the same way as RSA. In fact, RSAis an exception, because it can be used for both encryption and digital signing.Other popular public key algorithms, such as DSA and ECDSA, can’t be used forencryption and rely on different approaches for signing.

RandomNumberGenerationIn cryptography, all security depends on the quality of random number generation. You’vealready seen in this chapter that security relies on known encryption algorithms and secretkeys. Those keys are simply very long random numbers.The problem with random numbers is that computers tend to be very predictable. They fol-low instructions to the letter. If you tell them to generate a random number, they probablywon’t do a very good job.15 This is because true random numbers can be obtained only byobserving certain physical processes. In absence of that, computers focus on collecting smallamounts of entropy. This usually means monitoring keystrokes and mouse movements andthe interaction with various peripheral devices, such as hard disks.Entropy collected in this way is a type of true random number generator (TRNG), but theapproach is not reliable enough to use directly. For example, you might need to generate a4,096-bit key, but the system might have only a couple of hundreds of bits of entropy avail-able. If there are no reliable external events to collect enough entropy, the system might stall.For this reason, in practice we rely on pseudorandom number generators (PRNGs), whichuse small amounts of true random data to get them going. This process is known as seeding.From the seed, PRNGs produce unlimited amounts of pseudorandom data on demand.General-purpose PRNGs are often used in programming, but they are not appropriate forcryptography, even if their output is statistically random. Cryptographically secure pseudo-random number generators (CSPRNGs) are PRNGs that are also unpredictable. This at-tribute is crucial for security; an adversary mustn’t be able to reverse-engineer the internalstate of a CSPRNG by observing its output.

ProtocolsCryptographic primitives such as encryption and hashing algorithms are seldom useful bythemselves. We combine them into schemes and protocols so that we can satisfy complex se-

15Somenewerprocessorshavebuilt-inrandomnumbergeneratorsthataresuitableforuseincryptography.Therearealsospecializedexternaldevices(e.g.,intheformofUSBsticks)thatcanbeaddedtofeedadditionalentropytotheoperatingsystem.


curity requirements. To illustrate how we might do that, let’s consider a simplistic crypto-graphic protocol that allows Alice and Bob to communicate securely. We’ll aim for all threemain requirements: confidentiality, integrity, and authentication.Let’s assume that our protocol allows exchange of an arbitrary number of messages. Becausesymmetric encryption is very good at encrypting bulk data, we might select our favorite al-gorithm to use for this purpose, say, AES. With AES, Alice and Bob can exchange securemessages, and Mallory won’t be able to recover the contents. But that’s not quite enough,because Mallory can do other things, for example, modify the messages without being de-tected. To fix this problem, we can calculate a MAC of each message using a hashing keyknown only to Alice and Bob. When we send a message, we send along the MAC as well.Now, Mallory can’t modify the messages any longer. However, she could still drop or replayarbitrary messages. To deal with this, we extend our protocol to assign a sequence numberto each message; crucially, we make the sequences part of the MAC calculation. If we see agap in the sequence numbers, then we know that there’s a message missing. If we see a se-quence number duplicate, we detect a replay attack. For best results, we should also use aspecial message to mark the end of the conversation. Without such a message, Mallorywould be able to end (truncate) the conversation undetected.With all of these measures in place, the best Mallory can do is prevent Alice and Bob fromtalking to one another. There’s nothing we can do about that.So far, so good, but we’re still missing a big piece: how are Alice and Bob going to negotiatethe two needed keys (one for encryption and the other for integrity validation) in the pres-ence of Mallory? We can solve this problem by adding two additional steps to the protocol.First, we use public key cryptography to authenticate each party at the beginning of the con-versation. For example, Alice could generate a random number and ask Bob to sign it toprove that it’s really him. Bob could ask Alice to do the same.With authentication out of the way, we can use a key-exchange scheme to negotiate encryp-tion keys securely. For example, Alice could generate all the keys and send them to Bob byencrypting them with his public key; this is how the RSA key exchange works. Alternatively,we could have also used a protocol known as Diffie-Hellman (DH) key exchange for thispurpose. The latter is slower, but it has better security properties.In the end, we end up with a protocol that (1) starts with a handshake phase that includesauthentication and key exchange, (2) follows with the data exchange phase with confiden-tiality and integrity, and (3) ends with a shutdown sequence. At a high level, our protocol issimilar to the work done by SSL and TLS.

Protocols 15

AttackingCryptographyComplex systems can usually be attacked in a variety of ways, and cryptography is no ex-ception. First, you can attack the cryptographic primitives themselves. If a key is small, theadversary can use brute force to recover it. Such attacks usually require a lot of processingpower as well as time. It’s easier (for the attacker) if the used primitive has known vulnera-bilities, in which case she can use analytic attacks to achieve the goal faster.Cryptographic primitives are generally very well understood, because they are relativelystraightforward and do only one thing. Schemes are often easier to attack because they in-troduce additional complexity. In some cases, even cryptographers argue about the rightway to perform certain operations. But both are relatively safe compared to protocols,which tend to introduce far more complexity and have a much larger attack surface.Then, there are attacks against protocol implementation; in other words, exploitation of soft-ware bugs. For example, most cryptographic libraries are written in low-level languagessuch as C and even assembly, and that makes it very easy to introduce catastrophic pro-gramming errors. Even in the absence of bugs, sometimes great skill is needed to implementthe primitives, schemes, and protocols in such a way that they can’t be abused. For example,naïve implementations of certain algorithms can be exploited in timing attacks, in which theattacker breaks encryption by observing how long certain operations take.It is also common that programmers with little experience in cryptography nevertheless at-tempt to implement—and even design—cryptographic protocols and schemes, with pre-dictably insecure results.For this reason, it is often said that cryptography is bypassed, not attacked. What this meansis that the primitives are solid, but the rest of the software ecosystem isn’t. Further, the keysare an attractive target: why spend months to brute-force a key when it might be much easi-er to break into a server to obtain it? Many cryptographic failures can be prevented by fol-lowing simple rules such as these: (1) use well-established protocols and never design yourown schemes; (2) use high-level libraries and never write code that deals with cryptographydirectly; and (3) use well-established primitives with sufficiently strong key sizes.

MeasuringStrengthWe measure the strength of cryptography using the number of operations that need to beperformed to break a particular primitive, presented as bits of security. Deploying withstrong key sizes is the easiest thing to get right, and the rules are simple: 128 bits of security(2128 operations) is sufficient for most deployments; use 256 bits if you need very long-termsecurity or a big safety margin.


NoteThe strength of symmetric cryptographic operations increases exponentially asmore bits are added. This means that adding just another bit makes a key twice asstrong.

In practice, the situation is somewhat more complicated, because not all operations areequivalent in terms of security. As a result, different bit values are used for symmetric opera-tions, asymmetric operations, elliptic curve cryptography, and so on. You can use the infor-mation in Table 1.2, “Security levels and equivalent strength in bits, adapted from ECRYPT2(2012)” to convert from one size to another.

Table1.2.Securitylevelsandequivalentstrengthinbits,adaptedfromECRYPT2(2012)

# Protection Sym-metric

Asym-metric

DH EllipticCurve

Hash

1 Attacksinrealtimebyindividuals 32 - - - -

2 Veryshort-termprotectionagainstsmallorganizations 64 816 816 128 128

3 Short-termprotectionagainstmediumorganizations 72 1,008 1,008 144 144

4 Veryshort-termprotectionagainstagencies 80 1,248 1,248 160 160

5 Short-termprotection(10years) 96 1,776 1,776 192 192

6 Medium-termprotection(20years) 112 2,432 2,432 224 224

7 Long-termprotection(30years) 128 3,248 3,248 256 256

8 Long-termprotectionandincreaseddefensefromquan-tumcomputers

256 15,424 15,424 512 512

The data, which I adapted from a 2012 report on key and algorithm strength,16 shows roughmappings from bits of one type to bits of another, but it also defines strength in relation toattacker capabilities and time. Although we tend to discuss whether an asset is secure (as-suming now), in reality security is a function of time. The strength of encryption changes,because as time goes by computers get faster and cheaper. Security is also a function of re-sources. A key of a small size might be impossible for an individual to break, but doing socould be within the reach of an agency. For this reason, when discussing security it’s moreuseful to ask questions such as “secure against whom?” and “secure for how long?”

NoteThe strength of cryptography can’t be measured accurately, which is why you willfind many different recommendations. Most of them are very similar, with smalldifferences. In my experience, ENISA (the European Union Agency for Network andInformation Security) provides useful high-level documents that offer clear guid-

16ECRYPT2YearlyReportonAlgorithmsandKeysizes(EuropeanNetworkofExcellenceforCryptologyII,30September2012)

MeasuringStrength 17

http://www.ecrypt.eu.org/

ance17 at various levels.18 To view and compare other recommendations, visitkeylength.com.19

Although the previous table provides a lot of useful information, you might find it difficultto use because the values don’t correspond to commonly used key sizes. In practice, you’llfind the following table more useful to convert from one set of bits to another:20

Table1.3.Encryptionstrengthmappingforcommonlyusedkeysizes

Symmetric RSA/DSA/DH Ellipticcurvecrypto Hashfunctions

80 1,024 160 160

112 2,048 224 224

128 3,072 256 256

256 15,360 512 512

The fact that measuring and comparing different security approaches is difficult hasn’t es-caped cryptographers. In 2013, Lenstra published a paper in which he “proposed” that westop using bits to represent security strength; instead, he offered intuitive security levels,such as how much energy is needed to boil all the water in a swimming pool (“pool securi-ty”), boiling the lake of Geneva (“lake security”), and so on.21

Man-in-the-MiddleAttacksMost attacks against transport-layer security come in the form of a man-in-the-middle(MITM) attack. What this means is that in addition to the two parties involved in a conver-sation there is a malicious party. If the attacker is just listening in on the conversation, we’retalking about a passive network attack. If the attacker is actively modifying the traffic or in-fluencing the conversation in some other way, we’re talking about an active network attack.Both attack types require access to the network, which can be achieved in several ways, asillustrated in Figure 1.6, “Conceptual SSL/TLS threat model”.

GainingAccessIn many cases, attacks require proximity to the victim or the server or access to the commu-nication infrastructure. Whoever has access to the cables and intermediary communicationnodes (e.g., routers) can see the packets as they travel across the wire and interfere with

17Algorithms,KeySizesandParametersReport(ENISA,11November2014)18Recommendedcryptographicmeasures-Securingpersonaldata(ENISA,4November2013)19BlueKrypt:CryptographicKeyLengthRecommendation(BlueKrypt,retrieved13July2015)20NISTSpecialPublication800-57:RecommendationforKeyManagement—Part1:General,Revision3(NIST,July2012)21Universalsecurity;frombitsandmipstopools,lakes—andbeyond(Lenstraetal.,October2013)


https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014

https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/recommended-cryptographic-measures-securing-personal-data

https://www.keylength.com/

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

https://eprint.iacr.org/2013/635

them. Access can be obtained by tapping the cables,22 in collaboration with telecoms,23 orby hacking the equipment.24

Conceptually, the easiest way to execute a MITM attack is by joining a network and rerout-ing the victims’ traffic through a malicious node. Wireless networks without authentication,which so many people use these days, are particularly vulnerable because anyone can accessthem.Other ways to attack include interfering with the routing infrastructure for domain nameresolution, IP address routing, and so on.

ARP spoofingAddress Resolution Protocol (ARP) is used on local networks to associate networkMAC addresses25 with IP addresses. An attacker with access to the network can claimany IP address and effectively reroute traffic.

WPAD hijackingWeb Proxy Auto-Discovery Protocol (WPAD) is used by browsers to automatically re-trieve HTTP proxy configuration. WPAD uses several methods, including DHCP

22TheCreepy,Long-StandingPracticeofUnderseaCableTapping(TheAtlantic,16July2013)

Figure1.6.ConceptualSSL/TLSthreatmodel

Server

User

LocalMITMattacks(e.g.,overWi-Finetwork)

DNSserverhijackingandcachepoisoningattacks

Attacksagainstusers

DNShijackingatregistryandotherroutingattacks

Exposedcommunicationlink:14hops,severalthousandmilesandseveralcountries

Attacksagainstservers

Man-in-the-MiddleAttacks 19

http://www.theatlantic.com/international/archive/2013/07/the-creepy-long-standing-practice-of-undersea-cable-tapping/277855/

and DNS. To attack WPAD, an attacker starts a proxy on the local network and an-nounces it to the local clients who look for it.

DNS hijackingBy hijacking a domain name with the registrar or changing the DNS configuration,an attacker can hijack all traffic intended for that domain name.

DNS cache poisoningDNS cache poisoning is a type of attack that exploits weaknesses in caching DNSservers and enables the attacker to inject invalid domain name information into thecache. After a successful attack, all users of the affected DNS server will be given in-valid information.

BGP route hijackingBorder Gateway Protocol (BGP) is a routing protocol used by the core internet routersto discover where exactly IP address blocks are located. If an invalid route is acceptedby one or more routers, all traffic for a particular IP address block can be redirectedelsewhere, that is, to the attacker.

PassiveAttacksPassive attacks are most useful against unencrypted traffic. During 2013, it became apparentthat government agencies around the world routinely monitor and store large amounts ofinternet traffic. For example, it is alleged that GCHQ, the British spy agency, records all UKinternet traffic and keeps it for three days.26 Your email messages, photos, internet chats,and other data could be sitting in a database somewhere, waiting to be cross-referenced andcorrelated for whatever purpose. If bulk traffic is handled like this, it’s reasonable to expectthat specific traffic is stored for much longer and perhaps indefinitely. In response to thisand similar discoveries, the IETF declared that “pervasive monitoring is an attack” andshould be defended against by using encryption whenever possible.27

Even against encrypted traffic, passive attacks can be useful as an element in the overallstrategy. For example, you could store captured encrypted traffic until such a time when youcan break the encryption. Just because some things are difficult to do today doesn’t meanthat they’ll be difficult ten years from now, as computers get more powerful and cheaper andas weaknesses in cryptographic primitives are discovered.

23NewDetailsAboutNSA’sCollaborativeRelationshipsWithAmerica’sBiggestTelecomCompaniesFromSnowdenDocs(WashingtonPost,30August2013)24PhotosofanNSA“upgrade”factoryshowCiscoroutergettingimplant(ArsTechnica,14May2014)25Inthiscase,MACstandsformediaaccesscontrol.It’sauniqueidenti!erassignedtonetworkingcardsduringmanufacture.26GCHQtaps!bre-opticcablesforsecretaccesstoworld’scommunications(TheGuardian,21June2013)27RFC7258:PervasiveMonitoringIsanAttack(S.FarrellandH.Tschofenig,May2014)


http://www.matthewaid.com/post/59765378513/new-details-about-nsas-collaborative

http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa

http://tools.ietf.org/html/rfc7258

To make things worse, computer systems often contain a critical configuration weaknessthat allows for retroactive decryption of recorded traffic. A very common key-exchangemechanism in TLS is based on the RSA algorithm; on the systems that use this approach,the RSA key used for the key exchange can also be used to decrypt all previous conversa-tions. Other key-exchange mechanisms don’t suffer from this problem and are said to sup-port forward secrecy. Unfortunately, many stay with the RSA key exchange. For example,Lavabit—the encrypted email service famously used by Edward Snowden—didn’t supportforward secrecy on its web servers. Using a court order, the FBI compelled Lavabit to dis-close its encryption key.28 With the key in its possession, the FBI could decrypt any record-ed traffic (if it had any, of course).Passive attacks work very well, because there is still so much unencrypted traffic and be-cause bulk traffic collection can be fully automated. Google’s Transparency Report providesa good way to observe the deployment of encryption over time.29

ActiveAttacksWhen someone talks about MITM attacks, they most commonly refer to active network at-tacks in which Mallory interferes with the traffic in some way. Traditionally, MITM attackstarget authentication to trick Alice into thinking she’s talking to Bob. If the attack is success-ful, Mallory receives messages from Alice and forwards them to Bob. The messages are en-crypted when Alice sends them, but that’s not a problem, because she’s sending them toMallory, who can decrypt them using the keys she negotiated with Alice.When it comes to TLS, the ideal case for Mallory is when she can present a certificate thatAlice will accept as valid. In that case, the attack is seamless and almost impossible to de-tect.30 A valid certificate could be obtained by playing the public key infrastructure ecosys-tem. There have been many such attacks over the years; in Chapter 5, Attacks against PKI, Idocument the ones that are publicly known. A certificate that seems valid could be con-structed if there are bugs in the validation code that could be exploited. Historically, this isan area in which bugs are common. I discuss several examples in Chapter 7, ImplementationIssues. Finally, if everything else fails, Mallory could present an invalid certificate and hopethat Alice overrides the certificate warning. This happened in Syria in 2011.31

The rise of browsers as a powerful application-delivery platform created additional attackvectors that can be exploited in active network attacks. In this case, authentication is notattacked, but the victims’ browsers are instrumented by the attacker to submit speciallycrafted requests that are used to subvert encryption. These attack vectors have been exploit-

28Lavabit(Wikipedia,retrieved4June2014)29TransparencyReport(Google,retrieved13March2017)30Unlessyou’revery,veryparanoid,andkeeptrackofallthecerti!catespreviouslyencountered.Therearesomebrowseradd-onsthatdothis(e.g.,Certi!catePatrolforFirefox).31ASyrianMan-In-The-MiddleAttackagainstFacebook(TheElectronicFrontierFoundation,5May2011)

Man-in-the-MiddleAttacks 21

https://en.wikipedia.org/wiki/Lavabit

https://www.google.com/transparencyreport/

https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook

ed in recent years to attack TLS in novel ways; you can find more information about themin Chapter 8, Protocol Attacks.Active attacks can be very powerful, but they’re difficult to scale. Whereas passive attacksonly need to make copies of observed packets (which is a simple operation), active attacksrequire much more processing and effort to track individual connections. As a result, theyrequire much more software and hardware. Rerouting large amounts of traffic is difficult todo without being noticed. Similarly, fraudulent certificates are difficult to use successfullyfor large-scale attacks because there are so many individuals and organizations who arekeeping track of certificates used by various web sites. The approach with the best chance ofsuccess is exploitation of implementation bugs that can be used to bypass authentication,but such bugs, devastating as they are, are relatively rare.For these reasons, active attacks are most likely to be used against individual, high-value tar-gets. Such attacks can’t be automated, which means that they require extra work, cost a lot,and are thus more difficult to justify. Also, in almost all cases it’s much easier to attack thesoftware itself, usually from a ready-made exploit arsenal.There are some indications that the NSA deployed extensive infrastructure that enablesthem to attack almost arbitrary computers on the Internet, under the program called Quan-tumInsert.32

This program, which is a variation on the MITM theme, doesn’t appear to target encryption;instead, it’s used to deliver browser exploits against selected individuals. By placing specialpacket-injection nodes at important points in the communication infrastructure, the NSA isable to respond to connection requests faster than the real servers and redirect some trafficto the exploitation servers instead.

32AttackingTor:HowtheNSATargetsUsers’OnlineAnonymity(BruceSchneier,4October2013)


https://www.schneier.com/essays/archives/2013/10/attacking_tor_how_th.html

BULLETPROOF SSL AND TLS · 2020. 11. 2. · Mitigation 217 Protocol Downgrade Attacks 217 Rollback...

Documents

Transcript of BULLETPROOF SSL AND TLS · 2020. 11. 2. · Mitigation 217 Protocol Downgrade Attacks 217 Rollback...