the dangers of key reuse: practical attacks on …...practical attacks on ipsec ike ... vpns...
TRANSCRIPT
![Page 1: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/1.jpg)
Dennis Felsch 1, Martin Grothe 1, Jörg Schwenk 1, Adam Czubak 2, Marcin Szymanek 2
1: Ruhr University Bochum, Germany 2: University of Opole, Poland
THE DANGERS OF KEY REUSE:PRACTICAL ATTACKS ON IPSEC IKE
27TH USENIX SECURITY SYMPOSIUM 08/16/2018
![Page 2: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/2.jpg)
VPNs (Virtual Private Networks)
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
2
4G/LTE
Internet
Icons from KDE Oxygen theme licensed under GNU LGPLv3, http://www.kde.org/
![Page 3: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/3.jpg)
IPsec (Internet Protocol Security)
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
3THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
Internet
Transport
Network
Access
TCP/UDP
IP
TCP/UDP
IP
IPsec IPsec
Application
integrity authenticity confidentitiality
Data Data
![Page 4: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/4.jpg)
IKE (Internet Key Exchange)
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
4
The handshake protocol of IPsec Standardized in two major versions IKEv1: Published in 1998, declared obsolete by the IETF nevertheless included in all implementations
IKEv2: Published in 2005, current version
![Page 5: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/5.jpg)
IKEv1
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
5THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
5
Internet
Transport
Network
Access
UDP
IP
UDP
IP
Application IKEv1 IKEv1Negotiation
AuthenticationKey Agreement
Key Confirmation
2 msg
2 msg
2 msg
![Page 6: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/6.jpg)
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
6
m1
m2
m1= {proposals}
m3= gx, anc. data
m2 = selected proposal
m4= gy , anc. datam3
m4
1. Key derivation2. Compute MACRm6 = Enc(MACR | data)
3. Decrypt m54. Verify MACI
m5
m6
1. Key derivation2. Compute MACI
m5 = Enc(MACI | data)
3. Decrypt m64. Verify MACR
IKEv1 Protocol FlowInitiator Responder
![Page 7: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/7.jpg)
IKEv1 Authentication Methods
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
7
1. PSK (Pre-Shared-Key)2. Digital Signatures3. Public Key Encryption (PKE)4. Revised Public Key Encryption (RPKE)
Negotiation
AuthenticationKey Agreement
Key Confirmation
2 msg
2 msg
2 msg
![Page 8: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/8.jpg)
m1
m2
m3
m4
m5
m6
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
8
m1= {proposals}
m3= gx, anc. data
m2 = selected proposal
m4= gy , anc. data
1. Key derivation2. Compute MACRm6 = Enc(MACR | data)
3. Decrypt m54. Verify MACI
1. Key derivation2. Compute MACI
m5 = Enc(MACI | data)
3. Decrypt m64. Verify MACR
IKEv1 Protocol Flow With PKE Authentication
m3= gx, Encpk(nI)
m4= gy, Encpk(nR)
Initiator Responder
![Page 9: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/9.jpg)
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
9
What if implementations containedBleichenbacher oracles?
![Page 10: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/10.jpg)
Padding oracle attack RSA PKCS#1 v1.5 encryption padding:
Attack requires oracle that tells if padding is valid
Bleichenbacher‘s Attack In Two Slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
10
![Page 11: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/11.jpg)
Bleichenbacher‘s Attack In Two Slides
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
11
mSender Receiver
m'Attacker
valid / invalid
m''
valid / invalid
… Leaks the plaintext of message m to the attacker
![Page 12: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/12.jpg)
m1
m2
m4= EncpkB(nRA), …m3
m6
m5
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
12
Attack Idea On IKEv1 With PKE AuthenticationAttacker Responder BResponder A
Decrypt nRA
Derive Keys
Keep A
waiting
Attacker impersonates Responder B !
![Page 13: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/13.jpg)
Where To Find The PKE And RPKE Modes?
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
13
Cisco includes PKE authentication in IOS Huawei includes RPKE in some security appliances Implementations in Clavister’s cOS and ZyXEL’s
ZyWALL USG devices broken
![Page 14: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/14.jpg)
Where To Find The PKE And RPKE Modes?
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
14
![Page 15: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/15.jpg)
Case Study: Bleichenbacher Oracle In Cisco IOS 1/3
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
15
Test device: Cisco ASR 1001-X router IOS XE 03.16.02.S
![Page 16: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/16.jpg)
Case Study: Bleichenbacher Oracle In Cisco IOS 2/3
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
16
m1
m2
m3
m4
m1= proposal with PKE
m2 = proposal with PKE
Initiator Cisco IOS
m3
m2
m3 with valid padding
wait 1 secondm3 with invalid padding
m2 = proposal with PKE
![Page 17: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/17.jpg)
Case Study: Bleichenbacher Oracle In Cisco IOS 3/3
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
17
IOS cancels IKEv1 handshake after 60 seconds at the latest Public key 1024 bits ⇒ ~850 responses per second 60 ∙ 850 = 51,000 requests per handshake
Empirical study with a simulator:26 % of attacks require less than 51,000 requests
![Page 18: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/18.jpg)
Cisco IOS – Simulator vs. Real Hardware
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
18
Cisco’s IKE handshake implementation is not optimized for throughput
Cryptographic calculations for IKE are done by CPU m1/m2 negotiations take a lot of time
Decryption attack with 19,000 requests took 13 minutes
![Page 19: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/19.jpg)
Cisco IOS – Is An Attack Realistic?
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
19
A too slow attack does not permanently lock out attackers
Still dangerous if the victim has deployed multiple responders sharing one key pair e. g. for load balancing
![Page 20: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/20.jpg)
Bleichenbacher Oracles In (R)PKE Implementations
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
20
Cisco: CVE-2018-0131 Huawei: CVE-2017-17305 Clavister: CVE-2018-8753 ZyXEL: CVE-2018-9129
Patches are available!
![Page 21: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/21.jpg)
Key Reuse
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
21
Maintaining individual key pairs for all variants of IKE? Common practice: A single RSA key pair Actual security depends on cross-ciphersuite, cross-version, and cross-protocol security
![Page 22: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/22.jpg)
Bleichenbacher’s Attack & Signatures
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
22
For RSA: A decryption & creating a signature is the same
operation Bleichenbacher’s attack can forge a signature
![Page 23: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/23.jpg)
Attack Against IKEv2 With Signatures
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
23
Signature Based Authentication Supported by IKEv1 and IKEv2 IKEv2 on Cisco router: 4 minutes time
For Cisco: Simulation succeeds in 22% of attacks Real hardware again lacks performance
![Page 24: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/24.jpg)
Additional Contributions In The Paper
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
24
A dictionary attack against PSK authentication in main mode (CVE-2018-5389)
Message flow diagrams of all IKE variants Description of the oracles in Huawei’s, Clavister’s, and
ZyXEL’s implementations Description of our parallelized Bleichenbacher attacker
![Page 25: THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON …...practical attacks on ipsec ike ... vpns (virtual private networks) the dangers of key reuse: practical attacks on ipsec ike | dennis](https://reader033.vdocument.in/reader033/viewer/2022041803/5e52701bd3580a49da22cf03/html5/thumbnails/25.jpg)
THE DANGERS OF KEY REUSE: PRACTICAL ATTACKS ON IPSEC IKE | DENNIS FELSCH27TH USENIX SECURITY SYMPOSIUM | 08/16/2018
25
Questions?
Dennis Felsch
Ruhr University BochumHorst Görtz Institute for IT-SecurityChair for Network and Data Security
[email protected]@dfelsch
https://web-in-security.blogspot.de