Securing Wireless Channels

(Or the Case for Certificateand Public Key Pinning)

What is OWASP?

• The Open Web Application Security Project– Not just web anymore

• Mission Driven– World wide, nonprofit, unbiased organization

• Community Driven– 30,000 Mail List Participants– 200 Active Chapters in 70 countries – 1600+ Members, 56 Corporate Supporters – 69 Academic Supporters

200 Chapters, ~1600 Members, 30000+ Builders, Breakers and Defenders

Around the World

About Me

• Jeffrey Walton–Roles include•Mobile Security Architect• Senior Consultant• Security Engineer

–Secure Coding Evangelist• Live and die by SDLCs

Agenda and Topics

• Background– Architectures– Expectations

• VPN/SSL/TLS Issues– Past Problems– Current Issues

• Shared Secret– PSK– SRP

• Pinning– Certificate– Public Key

• Futures– Pinning (IETF)– Sovereign Keys– Convergence

• Wrap Up– Questions

It’s All About the Data

• Data is the only thing that matters– Who owns it– Who controls it– Who accesses it

• Share data with appropriate parties– Must determine identity of parties

• Can’t determine identity?– Don’t share data

Data Attributes

• Data States– Data at Rest

• Server/Desktop/Device• Remote and Local

– Data on Display• View/Read/Write/Edit• Local

– Data in Transit• Secure Channel• Local ↔ Remote

• Data Sensitivity– Low

• Public Information• Contact Information

– Medium• Social Security Number• Bank Account• Single Sign On?

– High• Pending Litigation, M&A• FERPA, HIPPA, GLBA, etc

Expectations

• User Expectations?– End-to-end security

• Web Applications– Padlocks tell me its secure– Green Bars tell me its secure– Marketing tells me its secure

• How can {VPN|SSL|TLS} not be secure?– When did that happen?

Training (Conditioning?)

• Padlock looks secure• Green bar looks secure• $1,500,000 is a lot of money• It looks secure• It must be secure

Two Architectures

• Two architectures in play– Employee ↔ Organization• VPN

– Individual ↔ Service Provider• SSL/TLS

• Security Boundaries– Sometimes Trust Zones– How many are traversed?

Architecture (Enterprise, VPN)

Architecture (Mobile, SSL/TLS)

Comes down to…

• Infrastructure– Domain Name System (DNS)– Public Key Infrastructure (PKI{X})– Certificate Authorities (CAs)

• Employee ↔ Organization– Organization

• Individual ↔ Service Provider– Individual, Provider

What’s Gone Wrong (1)?

• Governments Want/Require Interception– Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL,

cryptome.org/ssl-mitm.pdf– http://www.dailymail.co.uk/indiahome/indianews/article-2126277/No-secrets-

Blackberry-Security-services-intercept-data-government-gets-way-messenger-service.html

• Governments Engage in Interception– http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernames-

and-passwords/12429/

• Vendors Provide Interception Taps– http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html

• Governments Use Interception Taps– https://www.eff.org/nsa-spying

• Mobile Interception is Patented– Lawful interception for targets in a proxy mobile internet protocol network,

http://www.google.com/patents/EP2332309A1

What’s Gone Wrong (2)?

• Handset manufactures add trusted roots– http://gaurangkp.wordpress.com/tag/nokias-man-in-the-middle-attack/

• Carriers can add trusted roots– No reference yet, but http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/

• CAs can become compromised– http://isc.sans.edu/diary.html?storyid=11500

• Researchers can create Rogue CAs– http://www.win.tue.nl/hashclash/rogue-ca/

• DNS can become compromised– http://forums.theregister.co.uk/forum/2/2011/09/05/dns_hijack_service_updated/

• Physical plant can become compromised– http://www.pcworld.com/article/119851/paris_hilton_victim_of_tmobiles_web_flaws.html

• Its easy to set up an AP or Base Station (Chris Paget's IMSI Catcher)– http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/

What’s Gone Wrong (3)?

• Can't trust some CAs – they will sell you out and issue subordinate CAs for money– http://www.net-security.org/secworld.php?id=12369– http://www.zdnet.com/trustwave-sold-root-certificate-for-surveillance-3040095011/

• Can't trust some browsers – they will sell you out and elide their responsibility– https://bugzilla.mozilla.org/show_bug.cgi?id=724929

• Can't trust some browsers – they include questionable certificates out of the box– https://bugzilla.mozilla.org/show_bug.cgi?id=542689

• Can't override some browser's CA list– http://my.opera.com/community/forums/topic.dml?id=1580452

• Can't override OS's CA list– http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

• CRL/OCSP does not work as expected/intended– http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-

browsers.html– https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-

browser-collusion

What’s Gone Wrong (4)?

• User will break it too (not just bad guys)– http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-app-

purchases.html– http://www.h-online.com/security/news/item/Apps-for-Windows-8-easily-hacked-

1767839.html

• Interception proxies add additional risk– http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-

fail.html

• HTTPS is broken– http://www.thoughtcrime.org/software/sslstrip/

• PKI is broken– www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf

• The Internet is Broken :)– http://blog.cryptographyengineering.com/2012/02/how-to-fix-internet.html

Decisions, Decisions…

Remediation

• Stop Conferring Trust!• Cut-out the middle men

• Harden the Channel!• Leverage the pre-existing relationship• Verify the Host

• Password Authenticated Key Exchange– Shared secret

• Public Key Cryptography– Public/Private key pair

Secure Remote Password (SRP)

• Secure Remote Password (SRP)– Thomas Wu, RFC 5054

• User knows the password– Client hashes before use

• Server knows the verifier– Similar to Unix passwd file

• Diffie-Hellman based– Discrete logs (hard problem)– gab → g{(salt + password)|verifier} + nonces

Pre Shared Key (PSK)

• Pre Shared Key (PSK)– RFC 4279

• Three Flavors– PSK Key Exchange

• Secret used as Premaster Secret, use only symmetric key algorithms

– DHE_PSK Key Exchange• PSK authenticates Diffie-Hellman exchange

– RSA_PSK Key Exchange• combines public-key-based server authentication with mutual

authentication using a PSK

Public Key Cryptography

• All we need is a signing key for identity…– RSA, DSA, ECDSA

• … and an ephemeral exchange– DHE, ECDHE, MQV, HMQV, FHMQV, etc

• SSH got it right– StrictHostKeyChecking option

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the RSA host key has just been changed.

General Idea

• Whitelist expected Certificates or Public keys– There’s a pre-existing relationship–Or, make a note during first connect– Side step the “key distribution” problem

• Certificate or Public Key Pinning– Libraries offer ‘OnConnect’ callback– In the callback, inspect certificate or public key

Bad Cases

• Good case– Server is identified by expected cert or key

• Bad case– Adversary is using a different public key

• Not expected, so fail

– Adversary is advertising expected public key• Can’t decrypt communications

• Really Bad Case– Adversary is using expected public key

• Can decrypt communications – pwn’d

Certificate or Public Key?

• X509 Certificate– Binds public key to entity– Version 3 information– Certificate may be rotated

• Public Key– Must be static, cannot change– May violate some key rotation policies– Does not depend on certificate

Sample Code

• Sample Code–Windows/.Net–Android/Java– iOS/Objective C–OpenSSL/C

Futures

• Public Key Pinning Extension for HTTP– draft-ietf-websec-key-pinning-04– http://www.ietf.org/id/draft-ietf-websec-key-pinning-

04.txt

• Sovereign Keys Project– http://www.eff.org/sovereign-keys– DNSSEC to distribute certificates and keys

• Convergence– http://convergence.io– Redundant view of sites and certificates/keys

Does It Work?

Wrap Up

• Data is all that matters– Identify parties, then share data

• PSK, SRP and Pinning– Does not confer trust– Don’t care about answers from DNS or CAs– Leverages pre-existing relationship

• Sovereign Keys and Convergence– Does confer trust– Still getting answers from others– Useful if no pre-existing relationship

• Questions?–Hopefully useful Answers

• Jeffrey Walton–jeffrey.waltοn@softwareintegrity.cοm

Wrap Up