Dr. Omar Al Ibrahim - SSL Talk
TRANSCRIPT
SSL, The Ugly Beast! Dr. Omar Al Ibrahim Security Consultant & Researcher, omProtect. [email protected] Website: www.omprotect.com
Who am I?
• Security Researcher & Consultant, omProtect.
• Assistant Professor at Kuwait University.
• Previous: Virtual Security Research (VSR) LLC., Cigital Inc. (USA)
• Application Security, Penetration Testing and Vulnerability Assessment
• Ph.D. in Computer Science from Southern Methodist University (USA) in 2012, Masters in Computer Science from Rice University (USA) in 2007
• GIAC Reverse Engineering Malware (GREM) certified
• Associate of ISC2 (CISSP)
• OWASP Lifetime Member
Our Services
• Consultancy / Penetration Testing
  – Internal/External Network Penetration Testing
  – Web Application Penetration Testing
  – Enterprise Product Testing
  – Architecture Review, Source Code Review
  – Digital Forensics, Malware Analysis
• Compliance
  – PCI, ISO 27000 series, smart card standards ...
• Training
  – Fundamental Security Concepts
  – Organizational Security Awareness
  – Developer Training
Unencrypted Traffic
• Suppose you login to the unencrypted KU-Wifi hotspot and type in your KU account credentials on the prompted web form.
BY OMAR AL IBRAHIM
Unencrypted Traffic
Wireshark Capture of the Submitted Login Form
Our wifi password in plaintext!
We need encryption!
What is SSL?
• SSL is the protocol used for most secure transactions over the Internet
• For example, if you want to buy a book at amazon.com…
  – You want to be sure you are dealing with Amazon (authentication)
  – Your credit card information must be protected in transit (confidentiality and/or integrity)
  – As long as you have money, Amazon doesn’t care who you are (authentication need not be mutual)
• Defined in RFC2246, http://www.ietf.org/rfc/rfc2246.txt
• Open-source implementation at http://www.openssl.org/
SSL History
• Evolved through
  – Unreleased v1 (Netscape)
  – Flawed-but-useful v2
  – Version 3 from scratch
  – Standard TLS1.0
    • SSL3.0 with minor tweaks, hence the Version field is 3.1
  – Standard TLS1.1
    • Protection against CBC attacks and handling of padding errors
  – Standard TLS1.2
    • Enhancements to cipher suites
Technical Description
(Handshake diagram; source: Thomas, SSL and TLS Essentials)

CLIENT SIDE                                   SERVER SIDE
Offer cipher suite menu to server      ->
                                       <-     Select a cipher suite
                                       <-     Send certificate and chain to CA root
                                       <-     Send public key to encrypt symmetric key
                                       <-     Server negotiation finished
Send encrypted symmetric key           ->
Activate encryption                    ->
Client portion done                    ->     (server checks options)
                                       <-     Activate server encryption
(client checks options)                <-     Server portion done
Now the parties can use symmetric encryption.
Client Hello - Cipher Suites
Cipher suite codes used in SSL messages. Each name spells out the public-key algorithm, the symmetric algorithm and the hash algorithm; { 0, 0 } is the initial (null) cipher suite:
SSL_NULL_WITH_NULL_NULL = { 0, 0 }
SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
SSL_RSA_WITH_NULL_SHA = { 0, 2 }
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }
Server Hello
• Version
• Random Number
  – Protects against handshake replay
• Session ID
  – Provided to the client for later resumption of the session
• Cipher suite
  – Usually picks the client’s best preference
  – No obligation
• Compression method
sslscan
Tool to scan the server-side cipher suites for:
• Weak algorithms
• Short keys
• No encryption
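Added example (not part of the slides): a Python decoder that pulls the cipher suite list out of a ClientHello record and sorts each offered suite into the three findings sslscan reports above (weak algorithms, short keys, no encryption), using the suite codes from the Client Hello table. The ClientHello bytes are constructed inline with a zeroed client random; the classification rules are this example's own reading of the suite names.

```python
import struct

CIPHER_SUITES = {                                   # codes from the Client Hello table
    (0, 0): "SSL_NULL_WITH_NULL_NULL",
    (0, 1): "SSL_RSA_WITH_NULL_MD5",
    (0, 2): "SSL_RSA_WITH_NULL_SHA",
    (0, 3): "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    (0, 4): "SSL_RSA_WITH_RC4_128_MD5",
    (0, 5): "SSL_RSA_WITH_RC4_128_SHA",
    (0, 6): "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    (0, 7): "SSL_RSA_WITH_IDEA_CBC_SHA",
    (0, 8): "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    (0, 9): "SSL_RSA_WITH_DES_CBC_SHA",
    (0, 10): "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

def build_client_hello(version, suites):
    """Constructed ClientHello in a TLS record (client random zeroed, empty session id)."""
    hs = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    hs += struct.pack("!H", 2 * len(suites)) + b"".join(bytes(s) for s in suites)
    hs += b"\x01\x00"                                         # one compression method: null
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs          # handshake type 1 = client_hello
    return struct.pack("!BHH", 22, 0x0301, len(body)) + body  # record type 22 = handshake

def parse_client_hello(record):
    """Return (client_version, [suite codes]) from a TLS record carrying a ClientHello."""
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32 + 1 + hs[34]                                 # skip random and session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    return version, [tuple(hs[i:i + 2]) for i in range(pos + 2, pos + 2 + cs_len, 2)]

def weakness(name):       # sslscan's groups: no encryption / short keys / weak algorithms
    if "_WITH_" not in name:
        return "unknown"
    enc = name.split("_WITH_")[1]                             # e.g. "RC4_40_MD5"
    if enc.startswith("NULL"):
        return "no encryption"
    if "EXPORT" in name or "40" in enc:
        return "short keys"
    if "RC4" in enc or enc.startswith("DES_CBC") or enc.endswith("MD5"):
        return "weak algorithms"
    return "ok"

def audit(record):        # map each suite the client offered to its weakness class
    _, suites = parse_client_hello(record)
    return {CIPHER_SUITES.get(s, str(s)): weakness(CIPHER_SUITES.get(s, "")) for s in suites}
```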
Qualys SSL Scan
• Qualys SSL Server Test https://www.ssllabs.com/ssltest/
• Deep analysis of the configuration of any SSL web server on the public Internet
• Checks for cipher-suite strength, certificate trust and resistance to emerging attacks.
• Gives a letter-grade rating
SSL Certificate
• Subject. Provides the name of the computer, user, network device, or service that the CA issues the certificate to. The subject name is commonly represented by using an X.500 or Lightweight Directory Access Protocol (LDAP) format.
• Serial Number. Provides a unique identifier for each certificate that a CA issues.
• Issuer. Provides a distinguished name for the CA that issued the certificate. The issuer name is commonly represented by using an X.500 or LDAP format.
• Valid From. Provides the date and time when the certificate becomes valid.
• Valid To. Provides the date and time when the certificate is no longer considered valid.
• Public Key. Contains the public key of the key pair that is associated with the certificate.
Generating SSL Certificates
Using the OpenSSL library
• Generate a private key and a certificate signing request (CSR):

  Omars-MacBook-Pro-2:OpensslTutorial omar$ openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
  Generating a 2048 bit RSA private key
  ...............+++
  ..............+++
  writing new private key to 'domain.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  […]
  -----
  Country Name (2 letter code) [AU]:KW
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:Kuwait City
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:omProtect
  Organizational Unit Name (eg, section) []:
  Common Name (e.g. server FQDN or YOUR name) []:omprotect.com
  Email Address []:[email protected]
Certificate Authority (CA)
• Entity that issues digital certificates
• A CA is a trusted third party, i.e. trusted by both the owner of the certificate and the party relying upon it.
• Examples of CAs include Comodo, GlobalSign, VeriSign, and DigiCert.
Root CAs
• CA can issue multiple certificates in the form of a tree.
• Root certificates are the top-most certificates of the tree.
• Web browsers are equipped with root certificates that are self-signed by root CAs.
• Root CAs are considered the trust anchors of the certificate chain.
Digital Signature for Certificate
• A CA uses its private key to digitally sign each certificate it issues.
• To create the digital signature, the CA generates a message digest from the certificate, encrypts it using its private key, and includes the digital signature as part of the certificate.
• Anyone can use the message digest function and the CA’s public key to verify the certificate’s integrity.
• If a certificate becomes corrupted or someone tampers with it, the message digest for the altered certificate does not match the digest in the CA’s digital signature.
Signature = K-(H(Cert)), i.e. the digest H(Cert) encrypted with the CA’s private key K-.
Certificate Chain
A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain.
Validating a Certificate
[Figure: Certificate Chain A-B-C. Each certificate carries the Owner DN, the Owner's public key, the Issuer's DN, the Issuer's signature and certificate extensions. Owner A's certificate is issued by B, Owner B's by C, and Owner C is the self-signed root. For each link, the verifier decrypts the issuer's signature with the issuer's public key, computes the digest of the certificate and compares the two: Equal? N -> Reject; Y -> Continue validation with the next certificate, up to the root.]
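Added example, not from the slides: the digest-compare walk from the figure, A -> B -> C, in Python. The RSA key pairs are a constructed toy (20-bit primes, not secure) standing in for the CA's K- and its public key, the certificate layout is a plain dataclass rather than X.509, and the signature is K-(H(Cert)) as described in the previous slide.

```python
import hashlib, math
from dataclasses import dataclass

def next_prime(x):
    while any(x % k == 0 for k in range(2, int(x ** 0.5) + 1)):
        x += 1
    return x

def toy_keypair(seed):      # constructed textbook RSA with ~20-bit primes: illustration only, NOT secure
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (e, n), (pow(e, -1, phi), n)              # (public key, private key)

def digest_mod_n(data, n):                          # H(Cert), reduced so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    pubkey: tuple                                    # (e, n)
    issuer: str
    signature: int = 0
    def tbs(self):                                   # the to-be-signed bytes that H() covers
        return f"{self.subject}|{self.pubkey}|{self.issuer}".encode()

def issue(subject, pubkey, issuer_name, issuer_priv):
    """K-(H(Cert)): the issuer signs the certificate digest with its private key (d, n)."""
    cert = Cert(subject, pubkey, issuer_name)
    cert.signature = pow(digest_mod_n(cert.tbs(), issuer_priv[1]), *issuer_priv)
    return cert

def validate_chain(chain, trusted_roots):
    """Walk A -> B -> C as in the figure; the last certificate must be a trusted self-signed root."""
    for cert, issuer in zip(chain, chain[1:] + chain[-1:]):
        e, n = issuer.pubkey
        if pow(cert.signature, e, n) != digest_mod_n(cert.tbs(), n):
            return False                             # Equal? N -> Reject
    root = chain[-1]
    return root.issuer == root.subject and root in trusted_roots

def demo():                 # good chain A-B-C, then the same chain with A's public key swapped
    pub_b, priv_b = toy_keypair(800000)
    pub_c, priv_c = toy_keypair(900000)
    root_c = issue("C", pub_c, "C", priv_c)          # self-signed root
    cert_b = issue("B", pub_b, "C", priv_c)
    cert_a = issue("A", toy_keypair(700000)[0], "B", priv_b)
    forged = Cert("A", pub_b, "B", cert_a.signature)
    return validate_chain([cert_a, cert_b, root_c], [root_c]), validate_chain([forged, cert_b, root_c], [root_c])
```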
Certificate Pinning
• Hard-code in the client the certificate known to be used by the server.
  1. Pin the server’s certificate itself
  2. Pin the CA certificate used to sign the server’s certificate
• Advantages: Avoid risks of flaws in certificate validation checks and threats of rogue or compromised CA
• Disadvantages: Unscalable, requires provisioning
SSL Convergence
Problems in the certificate chain:
• Compromised CAs issuing fraudulent certificates
• Uncompromised CAs issuing fraudulent certificates (by mistake or otherwise)
• If a user (or browser vendor) loses trust in a CA, removing the CA from the browser's list of trusted authorities means losing trust in all the sites which used that CA.
[Figure: Certificate Authority Market Share, courtesy of Netcraft, 2013 Survey]
• Convergence provides a level of redundancy by having several authorities (so-called notaries) vouch for a single site.
• A user can choose to trust several notaries and consult them to decide whether a site should be trusted or not (as opposed to trusting a single authority).
POODLE Attack
• Padding Oracle On Downgraded Legacy Encryption (CVE-2014-3566)
• Unlike proper negotiations, many TLS clients implement a protocol downgrade dance to work around server-side interoperability bugs.
• This allows MitM attacks to confine clients to SSLv3, where hackers can exploit CBC encryption.
• After the downgrade, hackers can break the cryptographic security of SSL 3.0 using padding oracle attacks.
• To remediate the vulnerability, SSL 3.0 must be disabled, or at the very least TLS implementations should make use of TLS_FALLBACK_SCSV.
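Added example (not from the slides) modelling the downgrade dance and the TLS_FALLBACK_SCSV remedy in Python: a server that applies the fallback rule, a client that retries at lower versions, and an in-path attacker that drops handshakes above SSL 3.0. The version numbers and the SCSV code value are the protocol's own; the function names and the simplified negotiation are assumptions of this model.

```python
TLS_FALLBACK_SCSV = (0x56, 0x00)       # signalling cipher suite value (RFC 7507)
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
STRONG_SUITE = (0, 10)                 # SSL_RSA_WITH_3DES_EDE_CBC_SHA, stand-in for the real offer

def negotiate(client_version, offered_suites, server_max=TLS12, server_min=TLS10):
    """Server-side version selection. Returns ("version", v) or ("alert", name)."""
    if client_version < server_min:
        return ("alert", "protocol_version")          # e.g. SSL 3.0 disabled outright
    if TLS_FALLBACK_SCSV in offered_suites and client_version < server_max:
        # The client says it is retrying at a lower version, yet we support a higher one:
        # its earlier attempt was blocked by something in the path, so refuse (alert 86).
        return ("alert", "inappropriate_fallback")
    return ("version", min(client_version, server_max))

def make_mitm(server, force=SSL3):
    """Model of the attacker's interference: drop every handshake above the target version."""
    def tampered(client_version, offered_suites):
        if client_version > force:
            raise ConnectionError("handshake dropped")
        return server(client_version, offered_suites)
    return tampered

def client_dance(server, send_scsv):
    """The client's downgrade dance: on a dropped handshake, retry one version lower,
    appending TLS_FALLBACK_SCSV to the offer when send_scsv is set."""
    for version in (TLS12, TLS11, TLS10, SSL3):
        suites = [STRONG_SUITE]
        if send_scsv and version < TLS12:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return server(version, suites)
        except ConnectionError:
            continue
    return ("alert", "handshake_failure")

def legacy_server(version, suites):          # still accepts SSL 3.0
    return negotiate(version, suites, server_min=SSL3)

def hardened_server(version, suites):        # SSL 3.0 disabled, as the slide recommends
    return negotiate(version, suites, server_min=TLS10)
```

With the attacker in the path, the legacy server and a client without the SCSV end up on SSL 3.0; the same client sending the SCSV gets an inappropriate_fallback alert instead, and the hardened server never reaches SSL 3.0 at all.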
Heartbleed Bug
• Security bug disclosed in April 2014 in the OpenSSL cryptography library (CVE-2014-0160).
• Allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
• Compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content.
Heartbleed Example
• Run attack script:

  $ python ssltest.py somewebsite.gov.kw
  Connecting...
  Sending Client Hello...
  Waiting for Server Hello...
  ... received message: type = 22, ver = 0302, length = 58
  ... received message: type = 22, ver = 0302, length = 4256
  ... received message: type = 22, ver = 0302, length = 4
  Sending heartbeat request...
  ... received message: type = 24, ver = 0302, length = 16384
Heartbleed Example
• Received Heartbleed response: (hex dump of the leaked server memory omitted; its ASCII column showed an HTTP Cookie header carrying session identifiers in plaintext)
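Added example (not from the slides, and not OpenSSL's code): the heartbeat length check that the Heartbleed fix introduced, written in Python next to a model of the unpatched behaviour. The heap is modelled as bytes that happen to follow the record, and the cookie in the sample input is a constructed placeholder.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING = 16          # a heartbeat message ends with at least 16 bytes of padding

def heartbeat_patched(record_payload):
    """Post-fix logic: bound the claimed payload length by the record actually received."""
    if len(record_payload) < 1 + 2 + PADDING:
        return None                                   # too short to be a heartbeat at all
    hb_type, payload_len = struct.unpack("!BH", record_payload[:3])
    if 1 + 2 + payload_len + PADDING > len(record_payload):
        return None                                   # claimed length exceeds the record: discard
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = record_payload[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING

def heartbeat_vulnerable(record_payload, adjacent_memory):
    """Pre-fix logic: copies payload_len bytes starting at the payload without checking
    that the record is that long, so the copy runs on into whatever sits next in the heap
    (modelled here by `adjacent_memory`)."""
    hb_type, payload_len = struct.unpack("!BH", record_payload[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    heap = record_payload + adjacent_memory
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + heap[3:3 + payload_len] + b"\x00" * PADDING

def demo():
    """Constructed input: a request claiming 16384 bytes but carrying 5, next to a
    constructed session cookie. Returns (patched reply, whether the old code leaked the cookie)."""
    request = struct.pack("!BH", HEARTBEAT_REQUEST, 16384) + b"hello" + b"\x00" * PADDING
    adjacent = b"Cookie: JServSessionIdroot=CONSTRUCTED_SAMPLE\r\n"   # constructed, not a real value
    leaked = heartbeat_vulnerable(request, adjacent)
    return heartbeat_patched(request), b"JServSessionIdroot" in leaked
```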
sslstrip
• Tool provided by Moxie Marlinspike in 2009
• MITM attack tool that forces a victim's browser into communicating with an adversary in plaintext over HTTP, while the adversary proxies the modified content from an HTTPS server.
• "Strips" https:// URLs and turns them into http:// URLs
• Uses ARP spoofing to redirect the victim host's traffic at the link level.
Superfish Lenovo Incident
• Lenovo sold laptops with Superfish adware pre-installed since Dec 2014.
• The adware delivers its web content through an SSL-encrypted channel using a trusted self-signed certificate.
• The root private key is also included on all affected systems, encrypted with the guessable password “komodia”.
• Allowed for widespread MitM attacks.
Recommendations
• Configure the server to choose strong cipher suites for key exchange, authentication, bulk ciphers, and message authentication.
  – Use sufficiently long key sizes (e.g. 2048 bits asymmetric, 168 bit symmetric)
  – Avoid null ciphers and RC4
  – Give precedence to the most secure ciphers first.
• Disable SSL 2.0 and SSL 3.0 to prevent POODLE and calculation of plaintext by network attackers.
• Disable TLS 1.0 compression to avoid CRIME attacks.
• Utilize TLS_FALLBACK_SCSV, which seeks to prevent forced SSL downgrades.
• If using the OpenSSL library, update to the latest patched version to avoid the Heartbleed bug.
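Added example (not from the slides) that turns the cipher and protocol recommendations above into a Python ssl.SSLContext, with a checker that reports which recommendations a context satisfies. It assumes Python 3.7+ linked against a current OpenSSL and builds a server context without loading a certificate; the weak-name tokens are this example's own list.

```python
import ssl

# Substrings that mark a cipher suite as one the recommendations above reject ("DES" also catches 3DES).
WEAK_TOKENS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "ADH", "AECDH")

def hardened_context():
    """Server-side TLS context following the recommendations above (Python 3.7+ assumed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSL 2.0/3.0 (POODLE), no TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION              # no TLS compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # the server's order, strongest first, wins
    # Forward-secret key exchange with AEAD bulk ciphers; null, RC4, DES/3DES and MD5 excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5")
    return ctx

def audit_context(ctx):
    """Check a context against the recommendations; returns a dict of pass/fail flags."""
    ciphers = ctx.get_ciphers()
    names = [c["name"] for c in ciphers]
    return {
        "tls12_or_better_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "no_weak_ciphers": all(not any(t in n for t in WEAK_TOKENS) for n in names),
        "min_128_bit_keys": all(c["strength_bits"] >= 128 for c in ciphers),
    }
```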
Recommendations
• Consult a reputable CA to sign your root certificates.
• Avoid self-signed and expired certificates.
• Do not keep certificates trusted for overly long periods, and employ key rotation.
• When creating certificates, use a strong password to guard access to the private key, and keep root keys encrypted and offline.
• Make sure your end-user certificates are not signing certificates.
• Make sure your public/private keys are generated with a random seed and proper tools.
• Employ a key-splitting procedure if necessary.
• Require the use of client certificates for highly critical systems.
Questions
Omar Al Ibrahim, Ph.D. , GREM Security Researcher & Consultant, omProtect. [email protected] LinkedIn: http://www.linkedin.com/in/oalibrahim Website: www.omprotect.com