CSE 484 / CSE M 584: Computer Security and Privacy SSL/TLS · SSL/TLS • Secure Sockets Layer and...
42
CSE 484 / CSE M 584: Computer Security and Privacy SSL/TLS Fall 2016 Ada (Adam) Lerner [email protected] Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...
Transcript of CSE 484 / CSE M 584: Computer Security and Privacy SSL/TLS · SSL/TLS • Secure Sockets Layer and...
CSE484/CSEM584:ComputerSecurityandPrivacy
SSL/TLS
Fall2016
Ada(Adam)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
Wehaveallthepieces!
• SymmetricEncryption(privacy!)• MACs(integrity!)• AsymmetricCrypto(bootstrapping!)• CertificateAuthorities(authenticity!)
11/4/16 CSE484/CSEM584-Fall2016 2
SSL/TLS
• SecureSocketsLayerandTransportLayerSecurity– Sameprotocol,newversion(TLSiscurrent)
• DefactostandardforInternetsecurity– “TheprimarygoaloftheTLSprotocolistoprovide
privacyanddataintegritybetweentwocommunicatingapplications”
• DeployedineveryWebbrowser;alsoVoIP,paymentsystems,distributedsystems,etc.
11/4/16 CSE484/CSEM584-Fall2016 3
SSL/TLS
• TLSistypicallyusedontopofaTCPconnection
TLS
• Canbeusedoverothertransportprotocols
11/4/16 CSE484/CSEM584-Fall2016 4
TLSBasics
• TLSconsistsoftwoprotocols– Familiarpatternforkeyexchangeprotocols
• Handshakeprotocol– Usepublic-keycryptographytoestablishasharedsecretkeybetweentheclientandtheserver
• Recordprotocol– Usethesecretsymmetrickeyestablishedinthehandshakeprotocoltoprotectcommunicationbetweentheclientandtheserver
11/4/16 CSE484/CSEM584-Fall2016 5
BasicHandshakeProtocol
11/4/16 CSE484/CSEM584-Fall2016 6
C
ClientHello
S
Clientannounces(inplaintext):• Protocolversionitisrunning• Cryptographicalgorithmsitsupports• Fresh,randomnumber
BasicHandshakeProtocol
11/4/16 CSE484/CSEM584-Fall2016 7
C
C,versionc,suitesc,Nc
ServerHello
SServerresponds(inplaintext)with:• Highestprotocolversionsupportedby
boththeclientandtheserver• Strongestcryptographicsuiteselected
fromthoseofferedbytheclient• Fresh,randomnumber
BasicHandshakeProtocol
11/4/16 CSE484/CSEM584-Fall2016 8
C
versions,suites,Ns,ServerKeyExchange
SServersendsitspublic-keycertificatecontainingeitheritsRSA,orhisDiffie-Hellmanpublickey(dependingonchosencryptosuite)
C,versionc,suitesc,Nc
BasicHandshakeProtocol
11/4/16 CSE484/CSEM584-Fall2016 9
C
versions,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc,suitesc,Nc
ClientKeyExchange
Theclientgeneratessecretkeymaterialandsendsittotheserverencryptedwiththeserver’spublickey(ifusingRSA)
BasicHandshakeProtocol
11/4/16 CSE484/CSEM584-Fall2016 10
C
versions,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc,suitesc,Nc
{Secretc}PKsifusingRSA
switchtokeysderivedfromsecretc,Nc,Ns
CandSsharesecretkeymaterial(secretc)atthispoint
switchtokeysderivedfromsecretc,Nc,Ns
FinishedFinished
Recordofallsentandreceivedhandshakemessages
“Core”SSL3.0Handshake(NotTLS)
11/4/16 CSE484/CSEM584-Fall2016 11
C
versions=3.0,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc=3.0,suitesc,Nc
{Secretc}PKsifusingRSA
switchtokeysderivedfromsecretc,Nc,Ns
CandSsharesecretkeymaterial(secretc)atthispoint
switchtokeysderivedfromsecretc,Nc,Ns
FinishedFinished
VersionRollbackAttack
11/4/16 CSE484/CSEM584-Fall2016 12
C
Versions=2.0,suites,Ns,certificate,“ServerHelloDone”
S
C,versionc=2.0,suitesc,Nc
{Secretc}PKsifusingRSA
CandSendupcommunicatingusingSSL2.0(weakerearlierversionoftheprotocolthat
doesnotinclude“Finished”messages)
ServerisfooledintothinkingheiscommunicatingwithaclientwhosupportsonlySSL2.0
“Chosen-Protocol”Attacks
• Whydopeoplereleasenewversionsofsecurityprotocols?Becausetheoldversiongotbroken!
• Newversionmustbebackward-compatible– Noteverybodyupgradesrightaway
• Attackercanfoolsomeoneintousingtheold,brokenversionandexploitknownvulnerability– Similar:foolvictimintousingweakcryptoalgorithms
• Defenseishard:mustauthenticateversioninearlydesigns• Manyprotocolshavehad“versionrollback”attacks
– SSL,SSH,GSM(cellphones)
11/4/16 CSE484/CSEM584-Fall2016 13
VersionCheckinSSL3.0
11/4/16 CSE484/CSEM584-Fall2016 14
C
versions=3.0,suites,Ns,certificateforPKs,“ServerHelloDone”
S
C,versionc=3.0,suitesc,Nc
{versionc,secretc}PKs
CandSsharesecretkeymaterialsecretcatthispoint
“Embed”versionnumberintosecret
CheckthatreceivedversionisequaltotheversioninClientHello
switchtokeyderivedfromsecretc,Nc,Ns
switchtokeyderivedfromsecretc,Nc,Ns
Network
WebSecurity!BigPicture:BrowserandNetwork
11/4/16 CSE484/CSEM584-Fall2016 15
Browser
OS
Hardware
websiterequest
reply
ThebrowserrendersorexecutesarbitraryHTML,CSS,andJavascriptsendbyhostsontheInternet.
WhereDoestheAttackerLive?
11/4/16 CSE484/CSEM584-Fall2016 16
Network
Browser
OS
Hardware
websiterequest
replyWeb
attacker
Networkattacker
Malwareattacker
AllofTheseShouldBeSafe
• Safetovisitanevilwebsite
• Safetovisittwopagesatthesametime
• Safedelegation
11/4/16 CSE484/CSEM584-Fall2016 17
BuildingBlocksoftheWeb(andWebSecurity)
• HTTP(S)• Cookies
11/4/16 CSE484/CSEM584-Fall2016 18
HTTP:HyperTextTransferProtocol
• Applicationlayerprotocolusedbybrowsersandwebservers
• Statelessrequest/responseprotocol– Eachrequestisindependentofpreviousrequests
– Statelessnesshasasignificantimpactondesignandimplementationofapplications
11/4/16 CSE484/CSEM584-Fall2016 19
HTTPRequest
11/4/16 CSE484/CSEM584-Fall2016 20
GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT
Method File HTTP version Headers
Data – none for GET Blank line
HTTPResponse
11/4/16 CSE484/CSEM584-Fall2016 21
HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML>
HTTP version Status code Reason phrase Headers
Data
HTTPVerbs
• HTTPdeclaresanumberof“verbs”thatclientscanusetorequestorprovideinformation– GETasksforaresource– POSTsendsinformation– HEADgetsmetadata(headers)foraresource
– Also:PUT,DELETE,TRACE,OPTIONS,CONNECT,PATCH
11/4/16 CSE484/CSEM584-Fall2016 22
HTTPResources
• URLstandsforUniformResourceLocator• Specifiesthelocationofaresourceonanetwork–whatserverisiton,whereisitonthatserver?
• ResourcescouldincludeHTMLpages,images,data,etc.
11/4/16 CSE484/CSEM584-Fall2016 23
HTTPVerbs
• HTTPdeclaresanumberof“verbs”thatclientscanusetorequestorprovideinformation– GETasksforaresource– POSTsendsinformation– HEADgetsmetadata(headers)foraresource
– Also:PUT,DELETE,TRACE,OPTIONS,CONNECT,PATCH
11/4/16 CSE484/CSEM584-Fall2016 24
HTTPVerbs
• HTTPdeclaresanumberof“verbs”thatclientscanusetorequestorprovideinformation– GETasksforaresource(Givemethisimage)– POSTsendsinformation– HEADgetsmetadata(headers)foraresource
– Also:PUT,DELETE,TRACE,OPTIONS,CONNECT,PATCH
11/4/16 CSE484/CSEM584-Fall2016 25
HTTPVerbs
• HTTPdeclaresanumberof“verbs”thatclientscanusetorequestorprovideinformation– GETasksforaresource(Givemethisimage)– POSTsendsinformation(Iwanttologin)– HEADgetsmetadata(headers)foraresource
– Also:PUT,DELETE,TRACE,OPTIONS,CONNECT,PATCH
11/4/16 CSE484/CSEM584-Fall2016 26
HTTP:HyperTextTransferProtocol
• Applicationlayerprotocolusedbybrowsersandwebservers
• Statelessrequest/responseprotocol– Eachrequestisindependentofpreviousrequests
– Statelessnesshasasignificantimpactondesignandimplementationofapplications
11/4/16 CSE484/CSEM584-Fall2016 27
Cookies–StatefulnessforHTTP
11/4/16 CSE484/CSEM584-Fall2016 28
Acookieisafilecreatedbyawebsitetostoreinformationinthebrowser
BrowserServer
POSTlogin.cgiusernameandpwd
BrowserServer
GETrestricted.html
Cookie:userID=Alice
HTTPisastatelessprotocol;cookiesaddstate
HTTPHeader:Set-cookie: userID=Alice;
CookieFormat
• CookiesarejustKEY=VALUEpairs,e.g.,– language=ENGLISH – userID=Alice – sessionID= 8113d906-62e8-49e1-80e1-65805cb51cab
– adID= 9c740c60-8d88-4da6-bb83-041e95c1efac
11/4/16 CSE484/CSEM584-Fall2016 29
Cookies–StatefulnessforHTTP
11/4/16 CSE484/CSEM584-Fall2016 30
Acookieisafilecreatedbyawebsitetostoreinformationinthebrowser
BrowserServer
POSTlogin.cgiusernameandpwd
BrowserServer
GETrestricted.html
Cookie:NAME=VALUE
HTTPisastatelessprotocol;cookiesaddstate
Ifexpires=NULL,thissessiononly
HTTPHeader:Set-cookie: NAME=VALUE;
domain=(whocanread);expires=(whenexpires);secure=(sendonlyoverHTTPS)
WhatAreCookieUsedFor?
• Personalization– Websiteremembersvisitorpreferences– language=ENGLISH
• Authentication– Thecookie“proves”clientisloggedin– sessionID=8113d906-62e8...
• Tracking– Followtheuserfromsitetosite;– adID=9c740c60-8d88…
11/4/16 CSE484/CSEM584-Fall2016 31
GoalsofWebSecurity
• SafelybrowsetheWeb– Amaliciouswebsitecannotstealinformationfromor
modifylegitimatesitesorotherwiseharmtheuser…– …evenifvisitedconcurrentlywithalegitimatesite--in
aseparatebrowserwindow,tab,oreveniframeonthesamewebpage
• SupportsecureWebapplications– ApplicationsdeliveredovertheWebshouldhavethe
samesecuritypropertieswerequireforstandaloneapplications
11/4/16 CSE484/CSEM584-Fall2016 32
AllofTheseShouldBeSafe
• Safetovisitanevilwebsite
• Safetovisittwopagesatthesametime
• Safedelegation
11/4/16 CSE484/CSEM584-Fall2016 33
TwoSidesofWebSecurity
• Webbrowser– ResponsibleforsecurelyconfiningWebcontentpresentedbyvisitedwebsites
• Webapplications– Onlinemerchants,banks,blogs,GoogleApps…– Mixofserver-sideandclient-sidecode
• Server-sidecodewritteninPHP,Ruby,ASP,JSP…runsontheWebserver
• Client-sidecodewritteninJavaScript…runsintheWebbrowser
– Manypotentialbugs:XSS,XSRF,SQLinjection
11/4/16 CSE484/CSEM584-Fall2016 34
WhereDoestheAttackerLive?
11/4/16 CSE484/CSEM584-Fall2016 35
Network
Browser
OS
Hardware
websiterequest
replyWeb
attacker
Networkattacker
Malwareattacker
Attackermaycontrol1ormoredomainsorwebsites
AttackergetstorunJavascriptandHTMLcodeinthebrowser
Attackercanmakemaliciousrequeststowebservers–canevenuseHTML/JStomakethoserequestsFromusers’browsers!
WebAttacker
• Controlsamaliciouswebsite(attacker.com)– CanobtainanTLScertificateforattacker.com
• Uservisitsattacker.com–why?– Phishingemail,enticingcontent,searchresults,placedbyanadnetwork,blindluck…
– Or,attacker.comisembeddedonanotherpage–loadingthefriendlypageloadscontentfromattacker.com
11/4/16 CSE484/CSEM584-Fall2016 36
WebAttacker
11/4/16 CSE484/CSEM584-Fall2016 37
www.attacker.com
Javascript,or,SoftwareSecurityfortheWeb! <html> … <p> The script on this page is totally trustworthy <script>
doSomethingEvil() </script> … </html>
11/4/16 CSE484/CSEM584-Fall2016 38
Browserreceivescontent,displaysHTMLandexecutesscripts
Apotentiallymaliciouswebpagegetstoexecutesomecodeonuser’smachine!
www.attacker.com
BrowserSandbox
• Goal:safelyexecuteJavaScriptcodeprovidedbyawebsite– No/limitedaccesstoOS/network/filesystem/browserdata.
– Nobufferoverflows,nowaytoexecutearbitrarynativecode,processisolationbetweentabs
– Attackershouldn’tbeabletoaccessdatafromothertabsorbrowserwindows
– attacker.comshouldn’tbeabletoaccessdatafrombank.com,evenifyou’reloggedin
11/4/16 CSE484/CSEM584-Fall2016 39
AStrawpersonAttack
www.attacker.com
www.bank.com(e.g.,
balance:$500)
www.attacker.com(theparent)cannotaccessHTMLelementsin
theiframe(andviceversa).
11/4/16 CSE484/CSEM584-Fall2016 40
Same-OriginPolicy:DOM
OnlycodefromsameorigincanaccessHTMLelementsonanothersite(orinaniframe).
www.example.com
www.example.com/iframe.html
www.evil.com
www.example.com/iframe.html
www.example.com(theparent)canaccessHTMLelementsintheiframe
(andviceversa).
www.evil.com(theparent)cannotaccessHTMLelementsintheiframe
(andviceversa).11/4/16 CSE484/CSEM584-Fall2016 41
Same-OriginPolicy
Websiteorigin=(scheme,domain,port)
[ExamplethankstoWikipedia.]11/4/16 CSE484/CSEM584-Fall2016 42
