authenticated encryption and secure channelstce.webee.eedev.technion.ac.il › wp-content ›...

AuthenticatedEncryptionandSecureChannels

KennyPaterson

InformationSecurityGroup

@kennyog;www.isg.rhul.ac.uk/~kp

Overview

Monday:

•  Securechannelsandtheirproperties•  Securityforsymmetricencryption–fromblockcipherstoAEAD

Tuesday:

•  TLS•  SSH2

TLSOverview

IntroducingTLS

SSL=SecureSocketsLayer.DevelopedbyNetscapeinmid1990s.

SSLv2deprecated,SSLv3broken;bothwidelysupportedonservers.

TLS=TransportLayerSecurity.IETF-standardisedversionofSSL.

TLS1.0=SSLv3withminortweaks,RFC2246(1999).

TLS1.1=TLS1.0+tweaks,RFC4346(2006).

TLS1.2=TLS1.1+moretweaks,RFC5246(2008).

TLS1.3=majorredesigncurrentlyunderwayinTLSWGofIETF.

44

IntroducingTLS

Originallyforsecuree-commerce,nowusedmuchmorewidely.Retailcustomeraccesstoonlinebankingfacilities.

Useraccesstogmail,facebook,Yahoo.

Mobileapplications,includingbankingapps.

Paymentinfrastructures.

User-to-cloud.

PostSnowden:back-endoperationsforGoogle,Yahoo,…

TLShasbecomethedefactosecureprotocolofchoice.Usedbyhundredsofmillionsofpeopleanddeviceseveryday.

55

HighlySimplifiedViewofTLS

Client Server HandshakeProtocol

RecordProtocol

Usedbyclientandserverto1. Negotiateciphersuite2. Authenticate3. EstablishkeysusedintheRecordProtocol

ProvidesconfidentialityandauthenticityofapplicationlayerdatausingkeysfromHandshakeProtocol

66

TLSProtocolArchitecture

TCP

Record Protocol

Handshake Protocol

Alert Protocol

HTTP, other apps

Change Cipher Spec

Protocol

7

TheTLSEcosystem(1/3)

•  Servers•  Includingmanagedserviceproviders(CloudFlare,Akamai)

•  Clients•  Ofallshapesandsizes

•  Certificationserviceproviders•  Ofallshapes,sizesandlevelsofsecurity

•  Softwarevendors•  FromGoogledowntoone-manopen-sourceoperations

•  OpenSSLsomewherein-between•  Hardwarevendors

88

TheTLSEcosystem(2/3)

•  TLSversions:•  SSL3.0,TLS1.0,TLS1.1,TLS1.2

•  ManyserversevenstillsupportSSL2.0(-->DROWNattack)

•  200+ciphersuites•  https://www.thesprawl.org/research/tls-and-ssl-cipher-suites

•  Somequitecommon,e.g.TLS_RSA_WITH_AES_128_CBC_SHA256

•  Somemoreesoteric,e.g.TLS_KRB5_WITH_3DES_EDE_CBC_MD5

•  Some offering no security: TLS_NULL_WITH_NULL_NULL!

•  TLSextensions•  Toonumeroustomention.

•  DTLS99

TheTLSEcosystem(3/3)

•  IETFTLSWorkingGroup•  AlsoIETFUTAWorkingGroup(UTA=UsingTLSinApplications)

•  AndCFRG(CryptoForumResearchGroup)

•  Growingcommunityofresearchers

•  TheTLSecosystemhasbecomeverycomplexandvibrant.

1010

TheTLSEcosystem(4/3)(bonusslide)

11

ANewsworthyProtocol

TLShasbeeninthenews…..BEAST(2011),CRIME(2012),Lucky13(2013),RC4attacks(2013),POODLE(2014),RC4(again)(2015),AES-GCMwithbadrandomness(2016),SWEET32(2016),

Renegotiationattack(2009),tripleHandshakeattack(2014),FREAKandLOGJAM(2015),SLOTH(2016),DROWN(2016),…

Poorqualityofimplementations(particularlyincertificatehandling).

“WhyEveandMalloryLoveAndroid”(2012)

“Themostdangerouscodeintheworld”(2012)

Applegotofail(2013)

GnuTLScertificateprocessingbug(2013)

Truncationandcookiecutterattacks(2013,2014)

OpenSSLCCSbug(2014)

Frankencerts(2014)

Mostlytechpress,withlimitedcrossovertomainstreammedia.

1212

ANewsworthyProtocol

TLShasreallybeeninthenews…..

….Heartbleedbug.

•  Pressurebuiltandthedamfinallybroke?

•  Severityofthethreat:leakageofprivateinformation,inc.serverprivatekeys+widespreaduseofOpenSSL.

•  Practicaldemonstrationofthreat.

•  Agoodlogo!

1313

TLSProtocolArchitecture

TCP

Record Protocol

Handshake Protocol

Alert Protocol

HTTP, other apps

Change Cipher Spec

Protocol

14

TLSRecordProtocol

TLSRecordProtocolprovides:-  Dataoriginauthentication,integrityusingaMAC.

-  Confidentialityusingasymmetricencryptionalgorithm.

-  Anti-replayusingsequencenumbersprotectedbytheMAC.

-  Optionalcompression.

-  Fragmentationofapplicationlayermessages(butnotreassembly!).

-  Astreaminginterfacetocallingapplications.

15

TLSRecordProtocol:MAC-Encode-Encrypt

MAC

SQN||HDR Payload

Padding

Encrypt

Ciphertext

MACtagPayload

HDR

MAC HMAC-MD5, HMAC-SHA1, HMAC-SHA256

Encrypt CBC-AES128, CBC-AES256, CBC-3DES, RC4-128

1616Padding “00” or “01 01” or “02 02 02” or …. or “FF FF….FF”

OperationofTLSRecordProtocol

•  Datafromlayeraboveisreceivedandpartitionedintofragments(maxsize214bytes).

•  Optionaldatacompression.

•  Defaultoptionisnocompression.

•  CalculateMAConsequencenumber,headerfields,anddata,andappendMACtodata.

•  Pad(ifneededbyencryptionmode),thenencrypt.

•  Prepend5-byteheader,containing:

•  Contenttype(1byte,indicatingcontentofrecord,e.g.handshakemessage,applicationmessage,etc),

•  SSL/TLSversion(2bytes),

•  Lengthoffragment(2bytes).

•  SubmittoTCP.

17

OperationofTLSRecordProtocol

In-boundprocessingstepsreversesthesesteps:1.Receivemessage,oflengthspecifiedinHDR.2.Decrypt.3.Removepadding.4.CheckMAC.5.(Decompresspayload.)6.Passpayloadtoupperlayer

(note:nodefragmentation;TLSprovidesastreamoffragmentstotheapplication).

Errorscanarisefromanyofdecryption,paddingremovalorMACcheckingsteps.AllofthesearefatalerrorsinTLS.

18

AEADandTLSRecordProtocol

MEEonlyforallversionsofSSLandTLSuptoTLS1.1.

•  Security?

DedicatedAuthenticatedEncryptionwithAssociatedData(AEAD)algorithmswereaddedinTLS1.2.

•  Singlealgorithmprovidingbothconfidentialityandintegrity/dataorigin(authentication)

•  NeednotconformtoMEEtemplate.

•  GeneralAEADinterfacespecifiedinRFC5116.

•  AES-GCMspecifiedinRFC5288.

•  AES-CCMspecifiedinRFC6655.

19

20

AEADandTLSRecordProtocol

TLS1.2supportonmajorwebsites:

9/2012:5%;9/2013:17%;9/2014:43%;9/2015:66%;9/2016:79%

(source:sslpulse)

TLS1.2supportinbrowsers:

Chrome:sincerelease30.

Firefox:sincerelease28.

IE:sinceIE11.

Safari:sinceiOS5andOSX10.9.

(source:wikipedia,Nov.2013)

20

HistoricalAEADUsageinTLS

SnapshotfromICSICertificateNotaryProject(Sept.2014):

21

16.3%

1.6%

CurrentAEADUsageinTLS

SnapshotfromICSICertificateNotaryProject(Aug.2016):

22

>60%

1.2%

BEAST

24

BEAST

•  IVchaining:uselastblockofpreviousciphertextasIV.

•  DefaultinCBCmodeforSSLv3andTLS1.0.

•  Leadstoachosen-plaintextdistinguishingattackagainstTLS.•  FirstobservedforCBCmodeingeneralbyRogawayin1995.

•  ApplicationtoTLSnotedbyDaiandMöllerin2004.

•  ExtendedtotheoreticalplaintextrecoveryattackbyBardin2004/2006.

•  TurnedintoapracticalplaintextrecoveryattackonHTTPcookiesbyDuongandRizzoin2011–theBEAST.•  BEAST=BrowserExploitAgainstSSL/TLS

•  16-yeardemonstrationthatattacksdogetbetterwithtime.

24

25

Ci-1 Ci

Pi-1 Pi

dK dK

Pi-1 Pi

Ci-1 Ci

eK eK

InitialisationVector(IV):•  DefinesC0forprocessingfirst

block.•  ChainedIVsarecommonin

applications,andinSSL3.0andTLS1.oinparticular.

•  TLS1.1and1.2requireIVtoberandom.

CBCmodeneedssomeformofpaddingifplaintextlengthsarenotmultipleofblocklength.•  Moreonpaddinglater.

CBCModeReminder

26

AttackingChainedIVs

26

SupposeattackerwishestodistinguishencryptionsofsingleblocksP0,P1.AttackermakesLoRencryptionqueryformessagepair(P0,P1).

AttackerreceivesciphertextC=C1formessagePbwheresomeknown,previousblockC0wasusedastheIV.

Pb

C0 C1

eK

27

AttackingChainedIVs

27

C1willbeusedastheIVforthenextencryption.AttackernowmakesLoRqueryonmessageP0⊕C0⊕C1.AttackerreceivessingleblockciphertextC2.

Pb

C0 C1

eK

P0⊕C0⊕C1

C2

eK

AttackingChainedIVs

Pb

C0 C1

eK

P0⊕C0⊕C1

C2

eK

•  IfPb=P0,theninputstoblockcipherarethesameinbothencryptions.

•  Hence,ifPb=P0,thenC1=C2.•  Otherwise,ifPb=P1,thenC1≠C2.•  SolookingatC1andC2givesusatesttodistinguish

encryptionsofP0andP1.28

AttackingChainedIVs

Distinguishingattackextendseasilytomulti-blockmessages.

BreaksCBCmodeintheIND-CPAsecuritymodel.

SoIVchainingforCBCmodeisbrokenintheory.

HowcanweturnthisintoapracticalattackonTLS?

•  Wewantplaintextrecoveryratherthanadistinguishingattack.

•  Weneedtofindawaytorealisethechosenplaintextrequirement.

29

TheBEAST–Part1

•  AssumebytesP0,P1,…P14areknown,trytorecoverP15.•  UseP 0 P 1…P14asfirst15bytesofP’.•  Iterateover256possiblevaluesinP’15.•  P’15=P15ifandonlyifC1=C2.•  Soaverageof128trials(eachinvolvingonechosenplaintext)toextractP15

whenremainingbytesinblockareknown.

C0 C1

eK

P’⊕C0⊕C1

C2

eK

P0…P14

P15

30

TheBEAST–Part2

NowassumeattackercancontrolpositionofunknownbytesinstreamwithrespecttoCBCblockboundaries(chosenboundaryprivilege).Repeatprevioussingle-byterecoveryattackwithslidingbytes.

Green:initiallyknownbytes.Red:unknown(target)bytes.Orange:recoveredbytes.

P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 …

P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 …

P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 …

P4 P3 P1 P2 P0

P4 P3 P1 P2 P0

P4 P3 P1 P2 P0

…

…

…

P10 P11 T0 P12 P13 P14 T1 T2 T3 T4 T5 P9 P8 P7 P5 P6 … P4 P3 P1 P2 P0 …

31

TheBEAST–Part3

Browser

TLStunnelCookiefor

remotesite

32

33

BEAST–KeyFeatures

•  BEASTJavaScriptloadedaheadoftimeintoclientbrowserfromcompromisedormaliciouswesbite.

•  Provideschosen-plaintextcapability.•  AttacktargetisHTTPsecurecookie.•  JavaScriptusesHTTPpaddingtocontrolpositionsofunknownbytes

(chosenboundaryprivilege).•  Difficulttogetfinecontroloverbyte/blockpositions.•  Needtobeabletoinjectchosenplaintextblockattheverystartof

RecordProtocolmessages.•  JavaScriptalsoneedstocommunicatewithMITMattacker.

•  Summary:it’scomplicated,butitcanbemadetowork.**Givenazero-dayinthebrowser!

33

34

BEAST–Impact

•  TheBEASTwasamajorheadacheforTLSvendors.•  Perceivedtobearealisticattack.•  Mostclientimplementationswere“stuck”atTLS1.0.

•  Bestsolution:switchtousingTLS1.1or1.2.•  UsesrandomIVs,soattackprevented.•  Buttheseversionwerenotwidelysupportedserver-sideattimeof

attack.

•  ForTLS1.0,varioushacksweredone:•  Use1/n-1recordsplittinginclient.

•  Nowimplementedinmostbrowsers.•  Send0-lengthdummyrecordaheadofeachrealrecord.

•  Breakssomeimplementations.•  OrswitchtousingRC4?

34

35

BEAST–Lessons

•  Atheoreticalvulnerabilitypointedoutin1995becamea“practical”attackin2011.•  Attacksreallydogetbetter(worse!)withtime.•  Practitionersreallyshouldlistento(some)theoreticians.•  And,inthiscase,theydid:TLS1.1and1.2userandomIVs.•  Problemwasthatno-onewasusingtheseversionsin2011.

•  Toolsfromthewidersecurityfieldwereneededtomaketheattacksheadlinenews.•  Man-in-the-browserviaJavascript.•  FairgamegiventhehugerangeofwaysinwhichTLSgetused.•  Maybethosetoolscanbeusedelsewhere?

35

PaddingOracleAttacks

TLSRecordProtocol:MAC-Encode-Encrypt

MAC

SQN||HDR Payload

Padding

Encrypt

Ciphertext

MACtagPayload

HDR

MAC HMAC-MD5, HMAC-SHA1, HMAC-SHA256

Encrypt CBC-AES128, CBC-AES256, CBC-3DES, RC4-128

3737Padding “00” or “01 01” or “02 02 02” or …. or “FF FF….FF”

TLSRecordProtocolPadding

PaddinginTLS1.0anduphasaparticularformat:–  Alwaysaddatleast1byteofpadding.–  Iftbytesareneeded,thenaddtcopiesofthebyterepresentationoft-1.

–  SopossiblepaddingpatternsinTLSare: 00; 0101; 020202;…-  SSLv3hasweakerformatrequirements:

00; ??01; ????02;….38

TLSRecordProtocolPadding

•  VariablelengthpaddingispermittedinallversionsofTLS(butnotinSSL).

•  Upto256bytesofpaddingintotal: FFFF….FF

•  FromTLS1.0:Lengthslongerthannecessarymightbedesirabletofrustrateattacksonaprotocolbasedonanalysisofthelengthsofexchangedmessages.

39

HandlingPaddingDuringDecryption

•  TLS1.0erroralert:decryption_failed:ATLSCiphertextdecryptedinaninvalidway:eitheritwasn`tanevenmultipleoftheblocklengthoritspaddingvalues,whenchecked,weren’tcorrect.Thismessageisalwaysfatal.

•  Suggestspaddingformatshouldbechecked,butwithoutspecifyingexactlywhatchecksshouldbedone.

•  LegacyofSSLv3,wherenocheckingcanbedonebecauseoflooserequirementsonpaddingformat.

40

ExploitingWeakPaddingChecks–MöllerAttack

SSL/TLSdecryptionsequence:CBCmodedecrypt,removepadding,checkMAC.

[M04]:failuretocheckpaddingformatleadstoasimpleattackrecoveringthelastbyteofplaintextfromanyblock.

Assumptionsfortheattack:•  AttackerhasaspecialTLSciphertextcontainingacompleteblockof

padding.

•  SoMACendsonblockboundaryforthisciphertext.

•  Paddingisremovedbyinspectinglastbyteonly(cfSSLv3).

41

MöllerAttack

42

Ct-1 Ct

dK dK

Ct-2

dK

…

…

Blocks from special ciphertext

Byte value is “0F” here

MöllerAttack

43

Ct-1 C*

dK dK

Decryption succeeds if and only if byte value is “0F” here

Target ciphertext block from stream

Ct-2

dK

…

…

Blocks from special ciphertext

Enabling recovery of last byte of dK(C*) here.

MöllerAttack

•  Decryptionsucceedsifandonlyif:

Ct-1⊕dK(C*)=(??,??,....??,0F)

•  Failureofdecryptionresultsinvisibleerrormessage.

•  HenceattackercanrecoverlastbyteofdK(C*)withprobability1/256.

•  SuccessenablesrecoveryoflastbyteoforiginalplaintextP*correspondingtoC*intheCBCstream,bysolvingsystemofeqns:

Ct-1⊕dK(C*)=(??,??,....??,0F)

C*-1⊕dK(C*)=P*

whereC*-1istheblockprecedingC*inthestream.

44

POODLEattack

45

•  InSSLv3,noformatcheckingispossible!•  SoMöller’sattackalreadybreaksCBCmodeinSSLv3.•  CombinewithBEASTideastomovetargetplaintextbytesinto

correctpositionforattackone-by-one.•  ResultingcombinationoftechniquesisknownasthePOODLE

attack(Duongetal.2014).•  POODLE=PaddingOracleonDowngradeLegacyAttack•  https://www.openssl.org/~bodo/ssl-poodle.pdf•  Nozero-dayvulnerabilityisneeded.•  10yearsfromMöller’soriginalobservationtoPOODLE.

POODLEattack

46

•  ThereisnoeffectivecountermeasuretoPOODLEattack.•  Receivercannotdomorerigorouspaddingchecks,becausesendercannot

bereliedupontouseTLSformatinSSL!

•  CannotswitchtoRC4becausethat’salsobroken.•  SothisPOODLEkillsSSLv3.What’stheproblem?NomodernbrowserrequestsSSLv3!•  SSL/TLSversionnegotiationmechanismisnotproperly

implementedbymanyservers.•  AnactiveMITMattackercandowngradeclientandservertoSSLv3

byspoofingserverresponsesinSSL/TLShandshake.•  OnlysolutionistocompletelyremoveSSLv3supportinbrowsers.

FullPaddingCheck

•  InTLS1.1andup:

Eachuint8inthepaddingdatavectorMUSTbefilledwiththepaddinglengthvalue.ThereceiverMUSTcheckthispadding….

•  Sodecryptionchecksthatbytesattheendoftheplaintexthaveoneofthefollowingformats:

00;

01,01;

02,02,02;

….

FF,FF,………..FF;

andoutputsanerrorifnoneoftheseformatsisfound.

•  NBOther“sanity”checksmayalsobeneededduringdecryption.

47

PaddingOracles

48 48

•  Vaudenay[V02]proposedtheconceptofapaddingoracle.

C

Valid/Invalid

•  Vaudenayshowedthat,forCBCmodeandforcertainpaddingschemes,apaddingoraclecanbeusedtobuildadecryptionoracle!

PaddingOracle

P=DecK(C)

CheckpaddingofP

PaddingOracleAttackforTLSPadding

Ct-1 Ct

Pt-1 Pt

dK dK

XOR with various Δ here and submit to padding oracle

Eventually produces valid pad “00” here

Recovering true plaintext byte via Pt ⊕ Δ = (…. 00)

49

PaddingOracleAttackforTLSPadding

Ct-1 Ct

Pt-1 Pt

dK dK

XOR with Δ1Δ0 here and submit to oracle

Eventually produces valid pattern “01 01” here

This byte now set to “01” by setting Δ0:=Δ ⊕ 01

Recovering true plaintext byte via

Pt ⊕ (…..Δ1Δ0) = (….0101)

50

PaddingOracleAttackforTLSPadding

•  Anaverageof128trialsareneededtoextractthelastbyteofeachplaintextblock.

•  Canextendtotheentireblock,withanaverageof128trialsperbyte.

•  Canextendtotheentireciphertext.•  Becauseattackercanplaceanytargetblockaslastblockofciphertext.

51

TLSPaddingOraclesInPractice?

•  InTLS,anerrormessageduringdecryptioncanarisefromeitherafailureofthepaddingcheckoraMACfailure.

•  Vaudenay’spaddingoracleattackwillproduceanerrorofonetypeortheother.

•  Paddingfailureindicatesincorrectpadding.

•  MACfailureindicatescorrectpadding.

•  Iftheseerrorsaredistinguishable,thenapaddingoracleattackshouldbepossible.

52

TLSPaddingOraclesInPractice?

Goodnews(fortheattacker):

•  TheerrormessagesarisinginTLS1.0aredifferent:•  bad_record_mac

•  decryption_failed

Badnews:

•  Buttheerrormessagesareencrypted,socannotbeseenbytheattacker.

•  Andanerrorofeithertypeisfatal,leadingtoimmediateterminationoftheTLSsession.

•  53

TLSPaddingOraclesInPractice?

Canveletal.[CHVV03]:•  Recallthesequence:decrypt,checkpadding,checkMAC.•  AMACfailureerrormessagewillappearonthenetworklaterthan

apaddingfailureerrormessage.•  BecauseanimplementationwouldonlybothertochecktheMACif

thepaddingisgood.

•  Sotimingtheappearanceoferrormessagesmightgiveustherequiredpaddingoracle.

•  Eveniftheerrormessagesareencrypted!

•  Amplifythetimingdifferencebyusinglongmessages.

•  Buttheerrorsarefatal,soitseemstheattackercanstillonlylearn

onebyteofplaintext,andthenwithprobabilityonly1/256.

54

OpenSSLandPaddingOracles

Canveletal.[CHVV03]:

•  TheattackercanstilldecryptreliablyifafixedplaintextisrepeatedinafixedlocationacrossmanyTLSsessions.

•  e.g.passwordinloginprotocoloranHTTPsessioncookie.

•  Amulti-sessionattack.

•  Modernviewpoint:useBEAST-stylemalwaretogeneratetherequiredencryptions.

•  TheOpenSSLimplementationhadadetectabletimingdifference.

•  Roughly2msdifferenceforlongmessages(closeto214bytemaximum).

•  EnablingrecoveryofTLS-protectedOutlookpasswordsinabout3hours.

55

Multi-sessionVersion

Ct-1 Ct

Pt-1 Pt

dK dK

XOR with various Δ here and submit for decryption

Eventually produces valid pad “00” here

Recovering true plaintext byte via Pt ⊕ Δ = (…. 00)

56

Ct-1, Ct vary in each trial, but Pt is fixed

57

PaddingOracleAttackCountermeasures?

•  RedesignTLS:•  Pad-MAC-EncryptorPad-Encrypt-MAC.

•  Tooinvasive,didnothappen.

•  SwitchtoRC4?

•  Oraddafixtoensureuniformerrors:•  CheckaMACanyway,evenifthepaddingisbad.

•  Ifattackercan’ttelldifferencebetweenMACandpaderrors,thenmaybeTLS’sMEEconstructionissecure?

•  FixincludedinTLS1.1and1.2specifications.

57

PaddingOraclesPost[CHVV03]

•  RegardedasasolvedproblemforSSL/TLS.

•  Steadytrickleofotherpapersshowingpaddingoracleattacksinothersystems,e.g.

•  ISOstandardforCBC-modeencryption[PY04,YPM05].

•  TraileroracleattackonIPsec[DP07,DP10]

•  POETattackonASP.NET[DR10].

•  XMLencryption[JS11].

•  OpenSSLimplementationofDTLS[AP12].

58

Lucky13Attack

60

PaddingOracleCountermeasures,Revisited

Responsetotimingattacksin[V02,CHVV03]fromtheTLS1.1and1.2specifications:

…implementationsMUSTensurethatrecordprocessingtimeisessentiallythesamewhetherornotthepaddingiscorrect.Ingeneral,thebestwaytodothisistocomputetheMACevenifthepaddingisincorrect,andonlythenrejectthepacket.ComputetheMAConwhatthough?

60

TLSRecordProtocol:MAC-Encode-Encrypt

MAC

SQN||HDR Payload

Padding

Encrypt

Ciphertext

MACtagPayload

HDR

Problemis:howtoparseplaintextaspayload,paddingandMACfieldswhenthepaddingisnotoneoftheexpectedpatterns00,0101,…?

6161

62

EnsuringUniformErrors

FromtheTLS1.1and1.2specifications:Forinstance,ifthepadappearstobeincorrect,theimplementationmightassumeazero-lengthpadandthencomputetheMAC.•  Thisapproachwasadoptedinmanyimplementations,

includingOpenSSL,NSS(Chrome,Firefox),BouncyCastle,OpenJDK,…

•  Otherapproachespossible(e.g.GnuTLS).

62

63

EnsuringUniformErrors

…Thisleavesasmalltimingchannel,sinceMACperformancedependstosomeextentonthesizeofthedatafragment,butitisnotbelievedtobelargeenoughtobeexploitable,duetothelargeblocksizeofexistingMACsandthesmallsizeofthetimingsignal.

63

64

EnsuringUniformErrors

…Thisleavesasmalltimingchannel,sinceMACperformancedependstosomeextentonthesizeofthedatafragment,butitisnotbelievedtobelargeenoughtobeexploitable,duetothelargeblocksizeofexistingMACsandthesmallsizeofthetimingsignal.

64

65

Lucky13:DistinguishingAttack

65

CK C’

C=EncK(M) MiseitherR287||00orR32||FF256

K

•  AdversaryinterceptsC,mauls,andforwardsontorecipient.•  Timetakentorespondwitherrormessagewillindicate

whetherM=R287||00orM=R32||FF256.•  Ciphertext-onlydistinguishingattack.

Lucky13DistinguishingAttack–Choose

RR…..……….……………R00

FFFF………………………….FF

R

R

C

CIV

IV

66

Lucky13DistinguishingAttack–Maul

RR…..……….……………R00

FFFF………………………….FF

R

R

CIV

CIV

67

Lucky13DistinguishingAttack–Inject

RR…..……….……………R00

FFFF………………………….FF

R

R

C’IV

C’IV

1-bytevalidpadding20-byteMAC267-bytemessage

256-bytevalidpadding20-byteMAC12-bytemessage

68

Lucky13DistinguishingAttack–Decrypt

RR…..……….……..RR

R

CIV

CIV

69

RR…..……….……..RR

R

SlowMACverification

FastMACverification

Timingdifference:4SHA-1compressionfunctionevaluations

SQN||HDR

SQN||HDR

280bytes

25bytes

Lucky13DistinguishingAttack–Decrypt

70

Lucky13–ExperimentalResultsforDistinguishingAttack

71

Prob

abil

ity

1.50�106 1.51�106 1.52�106 1.53�106 1.54�106 1.55�106 1.56�106 1.57�1060

0.00001

0.00002

0.00003

0.00004

0.00005

0.00006

Hardware Cycles �Calculated by Attacker⇥OpenSSLv1.0.1onserverrunningat1.87Ghz.

100MbitLAN.

Differenceinmeansiscirca3.2μs.

Lucky13–SuccessProbabilityforDistinguishingAttack

72

NumberofSessions SuccessProbability

1 0.756

4 0.858

16 0.951

64 0.992

128 1

73

Lucky13–PlaintextRecovery

73

XOR 2-byte Δ here and submit for decryption

Produces valid patterns “01 01”

(or longer valid pad) or “00”,

OR bad pad.

Ct

Pt

dK

Ct-1

dK

R2 R1

dK dK

IV

(HMAC-SHA-1+AES-CBC)

Target ciphertext block from

stream

74

Case1:“0101”(orlongervalidpad)

74

Ct

Pt

dK

Ct-1

dK

R2 R1

dK dK

IV

XOR 2-byte Δ here and submit for decryption

SQN||HDR

13+16+16+10=55bytes 20bytes

4SHA-1compressionfunctionevaluations

“01 01” (or longer valid pad)

75

Case2:“00”

75

Ct

Pt

dK

Ct-1

dK

R2 R1

dK dK

IV

XOR 2-byte Δ here and submit for decryption

SQN||HDR

56bytes 20bytes

5SHA-1compressionfunctionevaluations

“00”

76

Case3:Badpadding

76

Ct

Pt

dK

Ct-1

dK

R2 R1

dK dK

IV

XOR 2-byte Δ here and submit for decryption

SQN||HDR

57bytes 20bytes

5SHA-1compressionfunctionevaluations

zero-length pad

77

Lucky13–PlaintextRecovery

77

Theinjectedciphertextcausesbadpaddingand/orabadMAC.ThisleadstoaTLSerrormessage,whichtheattackertimes.

Thereisatimingdifferencebetween“0101”caseandtheother2cases.AsingleSHA-1compressionfunctionevaluation.

Roughly1000clockcycles,circa1μsontypicalprocessor.

Measurabledifferenceonsamehost,LAN,orafewhopsaway.

(Comparewithoriginalpaddingoracleattack:2ms.)

Detectingthe“0101”caseallowslast2plaintextbytesinthetargetblockCttoberecovered.

UsingthestandardCBCalgebra:Pt ⊕ (…..Δ1Δ0) = (….0101).

Attackthenextendstoallbytesasinastandardpaddingoracleattack.

78

Lucky13–PlaintextRecovery

78

Weneed216attemptstotryall2-byteΔvalues.

Andweneedaround27trialsforeachΔvaluetoreliablydistinguishthedifferentevents.

(Actualnoiseleveldependsonexperimentalset-up.)

EachtrialkillstheTLSsession.

Hencetheheadlineattackcostis223sessions,allencryptingthesameplaintext.

Seemsrathertheoretical?

79

Lucky13–Improvements(AttacksGetBetter!)

79

If1-out-of-2lastplaintextbytesknown,thenweonlyneed28attemptsperbyte.

Iftheplaintextisbase64encoded,thenweonlyneed26attemptsperbyte.

And27trialsperattempttode-noise,foratotalof213.

BEAST-styleattacktargetingHTTPcookies.

Maliciousclient-sideJavascriptmakesHTTPGETrequests.

TLSsessionsareautomaticallygeneratedandHTTPcookiesattached.

GETrequestsare“padded”sothat1-out-of-2conditionalwaysholds.

Costofattackis213GETrequestsperbyteofcookie.

Nowapracticalattack!

80

Lucky13–ExperimentalResults

80

Hard

ware

Cycl

es�Cal

cula

tedby

Adve

rsar

y⇥

⇥15 � 0xFE

0 50 100 150 200 2501.286⇤106

1.287⇤106

1.288⇤106

1.289⇤106

1.290⇤106

1.291⇤106

1.292⇤106

�15Byte14ofplaintextsetto01;byte15settoFF.

ModifyΔinposition15.

OpenSSLv1.0.1onserverrunningat1.87Ghz,100MbitLAN.

Mediantimes(noisenotshown).

81

Lucky13–Countermeasures

81

Wereallyneedconstant-timedecryptionforTLS-CBC.

Adddummyhashcompressionfunctioncomputationswhenpaddingisgoodtoensuretotalisthesameaswhenpaddingisbad.

Adddummypaddingcheckstoensurenumberofiterationsdoneisindependentofpaddinglengthand/orcorrectnessofpadding.

Watchoutforlengthsanitycheckstoo.

Needtoensurethere’senoughspaceforsomeplaintextafterremovingpaddingandMAC,butwithoutleakinganyinformationaboutamountofpaddingremoved.

PerformanceofBasicCountermeasures

82

Prob

abil

ity

1.50�106 1.51�106 1.52�106 1.53�106 1.54�106 1.55�106 1.56�106 1.57�1060

0.00001

0.00002

0.00003

0.00004

0.00005

0.00006

Hardware Cycles �Calculated by Attacker⇥Pr

obab

ilit

y1.54�106 1.55�106 1.56�106 1.57�106 1.58�106 1.59�106 1.60�106 1.61�1060

0.00001

0.00002

0.00003

0.00004

0.00005

0.00006

Hardware Cycles �Calculated by Attacker⇥

Before After

83

ConstantTimeDecryptionforMEE

•  Better,butstillnotperfect.

•  Distinguishingattackstillpossible.

•  Properconstant-time,constant-memoryaccessimplementationisreallyneeded.

•  Challengingtotestpaddingcorrectnessanddosanitycheckingwithoutbranchingonsecretdata.

•  SeeAdamLangley’sblogpostat:

https://www.imperialviolet.org/2013/02/04/luckythirteen.html

forfulldetailsonhowLucky13wasfixedinOpenSSLandNSS.

83

84

Lucky13–Impact

84

OpenSSLpatchedinversions1.0.1d,1.0.0kand0.9.8y,released05/02/2013.

NSS(Firefox,Chrome)patchedinversion3.14.3,released15/02/2013.

Apple:patchedinOSXv10.8.5(iOSversiontbd).

Operapatchedinversion12.13,released30/01/2013

OraclereleasedaspecialcriticalpatchupdateofJavaSE,19/02/2013.

BouncyCastlepatchedinversion1.48,10/02/2013

AlsoGnuTLS,PolarSSL,CyaSSL,MatrixSSL.

Microsoft“determinedthattheissuehadbeenadequatelyaddressedinpreviousmodificationstotheirTLSandDTLSimplementation”.

(Fulldetailsat:www.isg.rhul.ac.uk/tls/lucky13.html)

85

SecurityproofforMEEinTLS

85

Theorem([PRS11],informalstatement)SupposeEisablockcipherwithblocksizenthatisSPRP-secure.SupposeMAChastagsizetandisPRF-secure.SupposethatforallmessagesMqueriedbytheadversary:

|M|+t≥n.

ThenMEEwithCBCmodeencryption,randomIVs,TLSpadding,anduniformerrorsprovidesAEsecurity.

C0 C1

eK

C2

eK

C3

eK

86

Lucky13–Lessons

86

TLS’sMAC-Encode-Encryptconstructionishardtoimplementsecurelyandhardtoprovepositivesecurityresultsabout.

Longhistoryofattacksandfixes.

Eachfixwasthe“easiestoptionatthetime”.

Nowreachedpointwherea500linepatchtoOpenSSLwasneededtofullyeliminatetheLucky13attack.

BettertouseanEtMconstructionfromdayone,oreatthecostofswitchingatthefirstsignoftrouble.

Aconservativeapproachseemsmeritedforsuchanimportantprotocol.

AtthetimeTLSwasfirstdesigned,EtMversusMtEdebatewasnotsoclearcut.

CurrentStatusandFutureDevelopmentsinTLS

CurrentStatus–CBC-mode

MostCBC-modeimplementationshavebeenpatchedagainstBEASTandLucky13,butreputationhasbeendamagedbylongseriesofattacks.

•  Largeecosystemandtrickinessofproperpatchmeansthatnoteveryimplementationispatchedtothesamedegree.

•  Variantattacksarediscoveredfromtime-to-time.

•  Lucky13strikesagain–flushandreloadattacks[IIES15].•  LuckymicrosecondsonAWSs2n[AP16].

•  ErrorinLucky13countermeasureinOpenSSLNIcodepath[S16].

Relativeperformancealsoanissue(HMACquiteslowcomparedtomodernMACalgorithms).

88

CurrentStatus–RC4

RC4isnearlydeadforHTTPoverTLS

•  Usagehasdroppedfrom50%to1-2%since2013.

•  ButstillwidelyusedinotherTLSapplications,e.g.STARTTLSforSMTP.

AES-GCMandAES-CCMareavailableforTLS1.2.

•  TLS1.2isnowsupportedinallmajorbrowsersandinmajorityofhightrafficwebservers(wikipedia,sslpulse).

•  Morethan60%ofTLStrafficisusingTLS1.2(ICSICertificateNotary).

89

CurrentStatus–AES-GCM

AES-GCMistrickytoimplementsecurelypurelyinsoftware.•  Mainissueisavoidingleakageofhashkeyviaside-channelattack.

•  Alsoneedside-channelresistantimplementationofAES.

AES-GCMisrelativelyfast

•  EspeciallywithAES-NIandPCLMULQDQinstructions(IntelandAMD).

•  2.53to1.03cyclesperbyte,dependingonprocessor.

http://2013.diac.cr.yp.to/slides/gueron.pdf

•  RoughlytwiceasfastasAES-CBC+HMAC-SHA-*

•  ButOCBwouldbeevenfaster!

90

Otherdevelopments

ChaCha20-Poly1305definedinIETFRFC7905.•  ImportantforenvironmentswhereAESisnotavailableinhardware.

•  ChaCha20isastreamcipher;Poly1305aMACalgorithmbasedonpolynomialhashing.

•  CombinationisagoodAEADschemeassumingChaCha20isideal[P14].

•  Smallamountofusagecurrently.

ReformofMEEtoEtMtomakeCBC-modeeasiertoimplementsecurely.

•  RFC7366.

•  DeploymentviaTLSextension,unclearhowwidelyadopteditwillbecome.

91

92

TLS1.3

TLS1.3isnownearingcompletioninIETFTLSWG.

•  ReducinglatencyinHandshake.

•  SimplificationofkeyexchangeandauthenticationmethodsinHandshake.

•  Servername/identityhiding/handshakeencryptionforimprovedprivacy(?)

•  Reformofsymmetricalgorithms–AEADonly.

92

SSH

IntroductiontoSSH

94

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for TELNET and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.

– Wikipedia

SSHBinaryPacketProtocol(RFC4253)

•  Encode-then-E&Mconstruction,statefulbecauseofinclusionof4-bytesequencenumber.

•  Packetlengthfieldmeasuresthesizeofthepacket:|PadLen|+|Payload|+|Padding|.•  Encrypted,sosequenceofencryptedpacketslookslikealongstringofrandombytes.

•  EncryptionoptionsinRFC4253:CBCmode;RC4.•  AES-CTRdefinedinRFC4344.95

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

Sequence Number 4

Packet Length 4

Pad Len 1

Padding ≥4

CBCmodeinSSH

96

•  RFC4253mandates3DES-CBCandrecommendsAES-CBC.

•  SSHusesachainedIVinCBCmode:–  IVforcurrentpacketisthelast

ciphertextblockfromthepreviouspacket.

–  EffectivelycreatesasinglestreamofdatafrommultipleSSHpackets.

Ci-1 Ci

Pi-1 Pi

dK dK

Pi-1 Pi

Ci-1 Ci

eK eK

CTRmodeinSSH

97

•  CTRmodeusesblockciphertobuildastreamcipher.

•  CTRmodeforSSHisstandardisedinRFC4344.•  Initialvalueofcounteris

obtainedfromhandshakeprotocol.

•  Counterrunsacrosspackets.•  Packetformatispreservedfrom

CBCcase.•  RFCrecommendsuseofAES-

CTRwith128,192and256-bitkeys,and3DES-CTR.

Ci

eK

Pi

ctr+i

Pi

eK

Ci

ctr+i

SSHBinaryPacketProtocol(RFC4253)

•  IVchainingattack:•  Chosenplaintext,distinguishingattackduetoRogaway,appliedtoSSHin[BKN04].•  NotfullyrealisticforSSHbecauseofformatrequirementsonthefirstblockof

plaintextandbecauseofchosenplaintextrequirement.•  ConstructionwithrandomIVsisIND-sfCCAsecure[BKN04].

98

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

Sequence Number 4

Packet Length 4

Pad Len 1

Padding ≥4

SSHBinaryPacketProtocol(RFC4253)

•  Howdoesdecryptionwork?•  Recall:receivergetsastreamofbytes,andasingleciphertext

canbefragmentedoverseveralTCPmessages.

99

Encrypt

PRF-MAC

Payload

Ciphertext MAC tag

Sequence Number 4

Packet Length 4

Pad Len 1

Padding ≥4

BreakingCBCmodeinSSH[APW09]

100

IV Ci*

P0’

dK

•  Thereceiverwilltreatthefirst32bitsofthecalculatedplaintextblockasthepacketlengthfieldforthenewpacket.

•  Here: P0’=IV⊕dK(Ci*)whereIVisknown.

Targetciphertextblockfromstream

Lengthfield

BreakingCBCmodeinSSH[APW09]

101

IV Ci*

P0’

dK

R R

P2’

dK dK

P1’

Theattackerthenfeedsrandomblockstothereceiver–  Oneblockatatime,waitingtoseewhathappensattheserver

wheneachnewblockisprocessed–  ThisispossiblebecauseSSHrunsoverTCPandtriestodoonline

processingofincomingblocks

BreakingCBCmodeinSSH[APW09]

102

IV Ci*

P0’

dK

•  Onceenoughdatahasarrived,thereceiverwillreceivewhatitthinksistheMACtag–  TheMACcheckwillfailwithoverwhelmingprobability–  Consequentlytheconnectionisterminated(withanerrormessage)

•  Howmuchdatais“enough”sothatthereceiverdecidestochecktheMAC?

•  Answer:whateverisspecifiedinthelengthfield:

R R

P2’

dK dK

P1’

MAC tag

BreakingCBCmodeinSSH[APW09]

103

IV Ci*

P0’

dK

Ci-1* Ci

*

Pi*

dK

•  KnowingIVand32bitsofP0’,theattackercannowrecover

32bitsofthetargetplaintextblockPi*:

Pi*=Ci-1

*⊕dK(Ci*)=Ci-1

*⊕IV⊕P0’

Furtherdetails

•  Theattackasdescribedrequirestheinjectionofcirca231bytesofciphertext(expectedvalueoflengthfield).

•  Itrecovers32bitsofplaintextwithprobability1.

•  AndleadstoanSSHconnectionteardown(onMACfailure).

•  TheattackworkswithrandomIVstoo,breakingtheschemethatwasprovensecurein[BKN04].

•  Somethingwentwrongsomewhere!

104

Furtherdetails–Lengthchecking

•  RFC4253requiresimplementationstocheckthatlengthfieldis“reasonable”.

•  Detailsareimplementation-specific.

•  Backin2009,theleadingimplementationwasOpenSSH,thenatversion5.1.

•  AccordingtoSSHwebpage,80%ofserversontheInternetwereusingOpenSSHaroundthattime.

105

Furtherdetails–LengthcheckinginOpenSSH

•  OpenSSH5.1performstwolengthchecksonthelengthfield(LF)whendecryptingthefirstciphertextblock:

•  Check1:5≤LF≤218.

•  Check2:totallength(4+LF)isamultipleoftheblocksize:

LF+4modBL=0.

•  Eachcheckproducesadifferenterrormessageonthenetwork,distinguishablebyattacker.

•  Ifbothcheckspass,thenOpenSSHwaitsformorebytes,thenperformsMACcheck,resultinginathirdkindoferrormessage.

106

Furtherdetails–LengthcheckinginOpenSSH

•  Check1(5≤LF≤218)passeswithprobabilityapprox.2-14.

•  Ifitpasses,thenwithhighprobability,14MSBsofLFare“0”.•  Pass/faildetectableviaerrormessage.

•  Henceattackwithsuccessprob.2-14recovering14bitsofconfirmedplaintext.

•  Check2(LF+4modBL=0)passeswithprobability1/BL,typically2-3or2-4.•  Ifitpasses,thensome(3or4)LSBsofLFarerevealed.

•  Pass/faildetectableviaerrormessage/connectionenteringwaitstate.

•  Ifwaitstateisentered,thentheattackproceedsasbefore.

•  Overall,theattackonOpenSSH5.1recovers32bitsofplaintextwithprob.2-18(forBL=16)andrequiresinjectionofatmost218bytesofdata.

107

Doestheattackmatter?

•  Ontheonehand,theattackhaslowsuccessrate,onlyrecovers32bitsofplaintext,andcausestheSSHconnectiontoabort.

•  Ontheotherhand,anattackercanapplytheattacktomanyconnections,boostinghisoverallsuccessrate.

•  Canalsoiteratetheattackagainstclientsthatperformauto-reconnects.

•  ThinkaboutwhatkindsofdataSSHmightbeprotecting.•  SSHwasmeanttobebullet-proof;theattackshoweditwasnot.

•  ItlefttheprovablesecurityoftheSSHBPPunresolved.108

Countermeasurestotheattack

•  AbandonCBC-mode?•  Alternativesavailableatthattime:CTR,RC4.

•  DropbearimplementedCTRandrelegatedCBCmodeinversion0.53.

•  Developnewmodes?•  ModesbasedonGenericEtM,AES-GCM,ChaCha20-Poly1305

weresubsequentlyaddedtoOpenSSH.

•  PatchCBC-mode?•  OpenSSH5.2alsointroducedapatchtostopthespecificattack

onCBCmode.

109

TheOpenSSHpatch

•  Basicidea:hidetheerrorsfromtheadversary.•  Ifthelengthchecksfail,donotsendanerrormessage,but

waituntil218byteshavearrived,thenchecktheMAC.

•  Ifthelengthcheckspass,buttheMACcheckeventuallyfails,thenwaituntil218byteshavearrived,thenchecktheMAC.

•  Noerrormessageiseversentuntil218bytesofciphertexthavearrived.

•  CannolongercountbytestoseehowmanyarerequiredtotriggerMACfailure.

110

TheorylessonfromtheSSHattack

•  Modelusedforsecurityproofin[BKN04]wasinadequate.

•  Itassumedlengthwasknownandatomicprocessingofciphertexts.

•  ButfragmentedadversarialdeliveryofciphertextoverTCPispossible.

•  Implementationshavetodecryptfirstblocktofindouthowlongplaintextismeanttobe,andactonitbeforeperforminganyauthentication.

•  That’snotreflectedinanyoftheAE/AEADsecuritymodels!

111

MoreSSHsecurityanalysis

•  [PW10]:bespokesecuritymodelforCTRmodeinSSHandproveditsecure(assumingblockcipherisaPRP).

•  [BDPS12]:generalframeworkforstudying“SymmetricEncryptionschemessupportingfragmenteddecryption”likethoseusedinSSH.•  IND-sfCFAallowstheattackertodeliverciphertexttoa

decryptionoracleinasymbol-by-symbolfashionandobserveanyerrors/messageoutputs.

•  [BDPS12]alsoidentifiedadditionalsecuritypropertiesthatSSHattemptstoprovide:•  BoundaryHiding(BH)andDenial-of-Serviceresistance.

112

TheStateofAEADinSSHToday

ThestateofAEADinSSHtoday

•  In[ADHP16],weperformedameasurementstudyofSSHdeployment.

•  WeconductedtwoIPv4addressspacescansinNov/Dec2015andJan2016usingZGrab/ZMap.

•  GrabbingbannersandSSHservers’preferredciphers.•  ActualcipherusedinagivenSSHconnectiondependsonclient

andserverpreferences.

•  Roughly224serversfoundineachscan.

•  Nmapfingerprintingsuggestsmostlyembeddedrouters,firewalls.

114

ThestateofAEADinSSHtoday:SSHversions

115

MostlyOpenSSHanddropbear;others

lessthan5%.

ThestateofAEADinSSHtoday:SSHversions

116

Dropbearat56-58%.886kolderthanversion0.53,sovulnerabletovariantof2009CBC-

modeattack!

ThestateofAEADinSSHtoday:SSHversions

117

OpenSSHat37-39%.130-166kolderthanversion5.2andprefer

CBCmode,sovulnerableto2009

attack!

ThestateofAEADinSSHtoday:SSHversions

•  DropbearnowdominatesOpenSSH.•  Butmaybeswitchingbackagain:ComcastcableIPaddress

rangedroppedfrom2M+devicesrunningDropbear(Feb2016)to83k(May2016).

•  Longtailofoldsoftwareversions.•  MostpopularversionofOpenSSHisversion5.3,releasedOct

2009(currentversionis7.2).

•  DeterminedbymajorLinuxdistros?

•  SignificantpercentageofDropbearandOpenSSHserversarepotentiallystillvulnerabletothe2009attack.•  8.4%forDropbear.

118

ThestateofAEADinSSHtoday:preferredalgorithms

119

OpenSSH preferred algorithms

•  Lotsofdiversity,surprisingamountof“genericEtM”(gEtM).

•  CTRdominates,followedbyCBC.

•  ChaCha20-Poly1305ontherise?(becamedefaultinOpenSSH6.9).

•  SmallamountofGCM.

ThestateofAEADinSSHtoday:preferredalgorithms

120

Dropbear preferred algorithms

•  LessdiversitythanOpenSSH.

•  CTRdominates,followedatalongdistancebyCBC.

•  No“exotic”options.

ANewAttackonCBCmodeinOpenSSH

TheOpenSSHpatch

•  Version5.2+CBCmodepreferredbyroughly20kOpenSSHservers.

•  RecalltheOpenSSHpatch,inversion5.2andup:•  Ifthelengthchecksfail,donotsendanerrormessage,butwait

until218byteshavearrived,thenchecktheMAC.

•  Ifthelengthcheckspass,buttheMACcheckeventuallyfails,thenwaituntil218byteshavearrived,thenchecktheMAC.

•  OneMACcheckisdoneiflengthchecksfail:on218bytes.

•  TwoMACchecksaredoneiflengthcheckspass:oneonroughlyLFbytes,theotheron218bytes.

122

AttackingtheOpenSSHpatch[ADHP16]

•  ThisleadstoatimingattackonCBCmodeinOpenSSH5.2andup:1. InjecttargetciphertextblockCi

*.2. Thensend218bytesasquicklyaspossibletoserver.

3. TimethearrivaloftheMACfailuremessage.

•  FastarrivalindicatesthatlengthchecksfailedandoneMACcomputation.

•  SlowarrivalindicatesthatthelengthcheckspassedandtwoMACcomputations.

•  Thisleaks18bitsofinformationaboutthelengthfield,andhence18bitsaboutthetargetblock.

123

AttackingtheOpenSSHpatch[ADHP16]

•  Sizeoftimingdifference:•  AMACcomputationonroughly217bytes(theexpectedvalueofLF).

•  ForHMAC-SHA1,thisrequires211hashcompressionfunctionevaluations.

•  cf.Lucky13timingdifference:asinglehashcompressionfunction!

•  Remoteattackercaneasilydetectdifference.

•  Successprobabilityoftheattack:•  Needtopassbothlengthchecks,so2-18.

•  Canincreasesuccessrategivenpartialplaintextknowledgeintargetblock.

•  (Idea:waitfortherightIVbeforemountingtheattack;moresevereattackforrandom,explicitIVversion.)

124

AttackingtheOpenSSHpatch[ADHP16]

•  Increasenumberofplaintextbitsrecoveredbyusingfiner-grainedtiminginformation.•  BecausethetimingdelayisproportionaltothevalueofLF.

•  Iftiminggranularity=1compressionfunctionevaluation,thenwecanrecoverupto30bitsofplaintextfromtargetblock.

•  Challenging,butnotimpossibleinco-residentattackerscenario.

•  Possiblecountermeasuretotheattack:ifMACfails,thencomputesecondMACon218–LFbytesinsteadofonall218bytes.

•  StillleavesresidualtimingdifferencebecauseoffinedetailsofHMAC.

•  Reallyneedconstanttimeimplementationofdecryptionalgorithmtoeliminatethisclassofattack.

125

Disclosureoftheattack

•  WenotifiedtheOpenSSHteamoftheattack(5/5/16).

•  “…wedonotfeelthatanemergencyreleaseisnecessary,northattheattackremainsecretaheadofsucharelease.”

•  TheyaddedcountermeasuresinOpenSSH7.3(1/8/16).

•  OpenSSHhassteadilybeendeprecatingoldalgorithmsandmodes.

•  CBCmodewasalreadydisabledbydefaultinOpenSSH6.7(butcanbere-enabled).

•  ButOpenSSHcannotforcepeopletostopusingoldversionsofthesoftware.

126

SecurityanalysisofotherSSHandOpenSSHmodes–CTR,gEtM,AES-GCM,ChaCha20Poly1305

SecurityanalysisofotherOpenSSHencryptionmodes

•  In[ADHP16],wealsousetheframeworkof[BDPS12]toprovesecuritypropertiesofgEtM,AES-GCM,andChaCha20-Poly1305inOpenSSH.

•  Theframeworkallowsfragmenteddecryptioncapability,multipledecryptionerrors,etc.

• Wefoundasubtleerrorinthesecuritymodelsin[BDPS12].

• Wealsoextendedthemodelstoincludeintegrityaswellasconfidentiality.

128

SecurityanalysisofotherOpenSSHencryptionmodes

gEtMandAES-GCMinOpenSSH:•  DerivedfromAEADschemeswithAD=lengthfield(nowunencrypted).

•  Hencesanitycheckingoflengthfieldcannotrevealanythingusefultoadversary.

•  IssueingEtMcode:

•  MACiscomputedoncetheciphertexthasarrivedbutisnotcomparedtoreceivedMACuntilafterdecryption.

•  Henceanyerrorsarisingduringdecryptionstepwillbesignalledtoattacker.

•  Arisesfromsharedcode-pathandreuseoflegacyE&Mcode.

•  Notasecuritythreatforanycurrentlyspecifiedencryptionschemes.

•  FixedinOpenSSH7.3.

•  Both(fixed)gEtMandAES-GCMareprovablysecure:achievingIND-sfCFA,INT-sfCFAsecurity.

129

ChaCha20-Poly1305inOpenSSH

130

Payload

MAC tag

SQN 4

Packet Length 4

Pad Len 1

Padding ≥4

C1 C2

K1IV = SQN||064 ChaCha20 ChaCha20

K2IV = SQN||0631

ChaCha20 K2

IV = SQN||0630

0256

KpolyPoly1305

SecurityanalysisofChaCha20-Poly1305inOpenSSH

•  ChaCha20-Poly1305inOpenSSH:•  64-bytekeyissplitintotwohalves,K1,K2.

•  K1usedtoencryptSSHlengthfieldusingChaCha20.

•  K2usedtoencrypteverythingelse,alsousingChaCha20.

•  Poly1305MACkeyisobtainedas:

ChaCha20(K2,IV=SQN||0630,M=0256).

•  MACappliedtobothciphertextcomponents.

•  Analysismorecomplexbecauseofencryptedlengthfield.

•  Ideaisthatusingseparatekeysforencryptinglengthfieldandthereststopsattacks.

•  CTRmodeanalysisshowsthistobeunnecessary.

131

Closingremarks

133

Closingremarks

•  Onceabadcryptographicchoiceisoutthereinimplementations,it’sveryhardtoundo.

•  OldversionsofTLShangaroundforalongtime.

•  ThereisnoTLSproductrecallprogramme!

•  SlowuptakeofTLS1.1,1.2.

•  TLShascomeundersustainedpressurefromattacks.

•  BEAST,Lucky13andRC4attackshaveprovidedincentivestomovetoTLS1.2andinfluencedthedesignofTLS1.3.

•  Attacksare“semi-practical”butweignoresuchattacksatourperil.

•  GoodvendorresponsetoLucky13viapatching,slowerresponsetoRC4attacksviaswitchingoffsupport.

133

Closingremarks

•  Goodalgorithmdesignishard.

•  Butsoisgoodprotocoldesign.•  Attacksareusuallyobviousinretrospect,butfinding

themisnotsoeasy.

•  Keepinmindthevalueofattacksonpaperversusattacksinpractice.

•  Implementedattacksareneededtoconvincepractitioners.

•  Butanon-paperattackisoftentheharbingerofapracticalattack.

134

Closingremarks

• We’veseentheevolutionfromsimplesecuritymodelsforsymmetricencryptiontomoresophisticatedsecuritynotionsforsecurechannels.

•  ThecryptographycommunityisfocussedonAEADasanendgoal.

•  AEADisanimportanttoolbutnotthesamethingasasecurechannel.

135