Transcript of 2016 TLS 1.3 - NDSS Symposium
On the Security of TLS 1.3 (and QUIC) Against Weaknesses in PKCS#1 v1.5 Encryption
Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Horst Görtz Institute for IT Security, Ruhr-University Bochum
TRON 1.0 Workshop 2016, 21 February 2016, San Diego, CA, USA
RSA-PKCS#1 v1.5 Encryption
• Most frequently used key transport mechanism in TLS before v1.3
– "Textbook RSA encryption" with additional randomized padding
– A ciphertext is "valid" if it contains a correctly padded message
• Deprecated in TLS 1.3
– Vulnerable: Bleichenbacher's attack (CRYPTO '98)
– Sufficient to protect against its weaknesses?
Bleichenbacher's Attack (CRYPTO 1998)
[Figure: the attacker holds a PKCS ciphertext C and submits derived ciphertexts C', C'', ... to an oracle, which answers "valid"/"invalid" for each; from these answers the plaintext M of C is recovered.]
• Oracle usually provided by a server:
– Error message if ciphertext is invalid
– Other side channels, like timing
• Allows to perform RSA secret key operation
– Decrypt RSA-PKCS#1 v1.5 ciphertexts
– Compute digital RSA signatures
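The oracle on the slide above is simply a server whose response differs for correctly and incorrectly padded ciphertexts. The following is an added example (not code from the talk or its authors) in Python with a constructed toy RSA key: `leaky_decrypt` returns a distinguishable result on bad padding, which is the oracle behaviour, while `hardened_decrypt` applies the countermeasure recommended for TLS 1.2 in RFC 5246 section 7.4.7.1 and always returns a premaster-secret-sized value, substituting fresh random bytes on any padding or length failure. The key size, message length `PMS_LEN` and all inputs are assumptions for illustration; the modulus is far too small for real use.

```python
# Added example, not from the slides: the PKCS#1 v1.5 padding oracle and the
# random-substitution countermeasure, on a constructed (insecure) toy RSA key.
import secrets

# Constructed toy key: two Mersenne primes, giving a 25-byte RSA block.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # RSA block length in bytes

PMS_LEN = 14  # assumed "premaster secret" length that fits the toy modulus


def pkcs1_v15_pad(message: bytes) -> bytes:
    """EME-PKCS1-v1_5 encoding: 00 || 02 || PS (non-zero, >= 8 bytes) || 00 || M."""
    if len(message) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - 3 - len(message)))
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad(block: bytes):
    """Return the message, or None if the block is not a valid PKCS#1 v1.5 encoding."""
    if len(block) != K or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:                        # no separator, or fewer than 8 padding bytes
        return None
    return block[sep + 1:]


def encrypt_block(block: bytes) -> int:
    """Textbook RSA on an already-encoded block (used to build test inputs)."""
    return pow(int.from_bytes(block, "big"), E, N)


def encrypt(message: bytes) -> int:
    return encrypt_block(pkcs1_v15_pad(message))


def leaky_decrypt(ciphertext: int):
    """Server behaviour that creates the oracle: the caller can tell a padding
    failure (None) from success (message), e.g. via a distinct error message."""
    block = pow(ciphertext, D, N).to_bytes(K, "big")
    return pkcs1_v15_unpad(block)


def hardened_decrypt(ciphertext: int) -> bytes:
    """Countermeasure in the style of RFC 5246 section 7.4.7.1: always return a
    PMS_LEN-byte value; on padding or length failure use fresh random bytes, so
    the handshake fails later in the same way for valid and invalid ciphertexts
    (timing side channels must be handled separately)."""
    fallback = secrets.token_bytes(PMS_LEN)   # drawn before the check, not after
    block = pow(ciphertext, D, N).to_bytes(K, "big")
    message = pkcs1_v15_unpad(block)
    if message is None or len(message) != PMS_LEN:
        return fallback
    return message


def oracle_distinguishes(decrypt, good_ct: int, bad_ct: int) -> bool:
    """True if the server's response reveals which ciphertext was malformed."""
    good, bad = decrypt(good_ct), decrypt(bad_ct)
    return (good is None) != (bad is None)


if __name__ == "__main__":
    pms = secrets.token_bytes(PMS_LEN)
    good = encrypt(pms)
    bad = encrypt_block(b"\x00\x03" + pkcs1_v15_pad(pms)[2:])   # wrong block type
    print("leaky server is an oracle:", oracle_distinguishes(leaky_decrypt, good, bad))
    print("hardened server is an oracle:", oracle_distinguishes(hardened_decrypt, good, bad))
```

Note that the hardened variant removes only the explicit error-message oracle; the slide's second bullet (timing and other side channels) is exactly why later papers in the list still found oracles in servers that implemented this substitution.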
Bleichenbacher attacks over and over
• Bleichenbacher (CRYPTO 1998)
• Klima et al. (CHES 2003)
• Jager et al. (ESORICS 2012)
• Degabriele et al. (CT-RSA 2012)
• Bardou et al. (CRYPTO 2012)
• Zhang et al. (ACM CCS 2014)
• Meyer et al. (USENIX Security 2014)
• …
Many different techniques to construct the required oracle
Assumption: Bleichenbacher-like attacks remain a realistic threat
Typical use of TLS 1.3 in practice
[Figure: Server S offers TLS 1.3 and, for backwards compatibility, TLS 1.0, using the same RSA key for both; clients connect with either TLS 1.0 or TLS 1.3.]
Assumption: TLS 1.3 is secure. Is it, in this setting?
High-level Attack Description
[Figure: Server S offers TLS 1.3 and TLS 1.0 (backwards compatibility) with the same RSA key. A TLS 1.3 handshake is shown with the messages ClientHello, ClientKeyShare, ServerHello, SKeyShare, Certificate, CertVerify, S-Finished and C-Finished; Bleichenbacher's attack against the TLS 1.0 endpoint is used to obtain the CertVerify signature.]
TLS 1.3 may be vulnerable to Bleichenbacher's attack, even though PKCS#1 v1.5 encryption is not used!
Practical Impact
• Practical impact on TLS 1.3 is rather limited
– Typical Bleichenbacher attacks take hours or days
– Would Lisa wait that long?
– Machine-to-machine communication?
• Nevertheless:
– Backwards compatibility must be considered
• Cf. Jager, Paterson, Somorovsky (NDSS 2013)
– Future improvements of Bleichenbacher's attack?
Attack on the QUIC protocol
[Figure: Server S offers QUIC and TLS 1.0 with the same RSA key. Attacker A runs Bleichenbacher's attack against the TLS 1.0 endpoint and then runs the full QUIC protocol with the client.]
• A can run Bleichenbacher's attack before Lisa connects to S
• One signature is equivalent to the secret key of S
• Practical, even if attack takes weeks!
Limited Impact on TLS 1.3
[Figure: Server S offers TLS 1.3 and TLS 1.0 with the same RSA key. Attacker A must run Bleichenbacher's attack against the TLS 1.0 endpoint during the TLS 1.3 handshake, between the client's "Hello" and "Finished", to produce the CertVerify signature.]
• A can impersonate S only in a single TLS session
• Only practical with very fast Bleichenbacher attack
The difficulty of preventing such attacks (example)
[Figure: Server S uses key RSA1 for TLS 1.3 and a separate key RSA2 for TLS 1.0 (backwards compatibility). A TLS 1.3 handshake is shown first with RSA1, then with RSA2, the key against which Bleichenbacher's attack on the TLS 1.0 endpoint applies.]
• X.509 certificates do not contain protocol version
Further difficulties
• Key separation not supported by major server implementations
• Certificates cost money (extended validation)
• X.509 supports "sign-only"/"encrypt-only" certs
– "Sign-only" keys for TLS >= 1.3
– "Encrypt-only" keys for TLS <= 1.2
• No forward secrecy for versions <= 1.2
– Do browsers really check this?
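The two slides above describe the mitigation (separate keys per protocol version, with KeyUsage restricting each certificate to signing or key encipherment) and why it is hard to enforce (X.509 carries no protocol version). The following is an added example (not code from the talk or its authors) in Python that decodes the KeyUsage bits from a DER BIT STRING as defined in RFC 5280 section 4.2.1.3 and audits an assumed per-version key table for the sharing the talk warns about. The KeyUsage byte strings, the deployment tables, the finding codes and the assignment of TLS <= 1.2 to RSA key transport and TLS 1.3/QUIC to signing are constructed assumptions following the slides' simplification.

```python
# Added example, not from the slides: KeyUsage decoding plus a key-separation
# audit for a server that serves several protocol versions.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Assumed split, following the slides: versions <= 1.2 use the RSA key for
# PKCS#1 v1.5 key transport, TLS 1.3 and QUIC only ever sign with it.
RSA_KEY_TRANSPORT_VERSIONS = {"TLS1.0", "TLS1.1", "TLS1.2"}
SIGN_ONLY_VERSIONS = {"TLS1.3", "QUIC"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING holding KeyUsage (RFC 5280 4.2.1.3).
    Bit 0 (digitalSignature) is the most significant bit of the first content byte."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or length + 2 != len(der):
        raise ValueError("bad length")          # short-form length only
    unused, body = der[2], der[3:]
    if unused > 7:
        raise ValueError("bad unused-bits count")
    usable = len(body) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < usable and body[i // 8] & (0x80 >> (i % 8))
    }


def check_deployment(keys: dict) -> list:
    """keys maps a key name to {"key_usage": DER bytes, "versions": set}.
    Returns (key name, finding code) pairs; an empty list means key separation
    as described on the slides is in place."""
    findings = []
    for name, info in keys.items():
        usage = decode_key_usage(info["key_usage"])
        versions = set(info["versions"])
        transport = versions & RSA_KEY_TRANSPORT_VERSIONS
        signing = versions & SIGN_ONLY_VERSIONS
        # The attack on the slides: a Bleichenbacher oracle on the legacy
        # endpoint yields signatures under the very key TLS 1.3/QUIC trusts.
        if transport and signing:
            findings.append((name, "SHARED_KEY"))
        # A cert valid for both roles cannot be tied to one version by X.509.
        if {"digitalSignature", "keyEncipherment"} <= usage:
            findings.append((name, "DUAL_USE_CERT"))
        if transport and "keyEncipherment" not in usage:
            findings.append((name, "MISSING_KEY_ENCIPHERMENT"))
        if signing and "digitalSignature" not in usage:
            findings.append((name, "MISSING_DIGITAL_SIGNATURE"))
    return findings


# Constructed KeyUsage extension values (BIT STRING with unused-bit count).
DER_SIGN_AND_ENC = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
DER_SIGN_ONLY = bytes.fromhex("03020780")      # digitalSignature
DER_ENC_ONLY = bytes.fromhex("03020520")       # keyEncipherment

# Constructed deployments: one shared key versus two separated keys.
SHARED_DEPLOYMENT = {
    "rsa-shared": {"key_usage": DER_SIGN_AND_ENC,
                   "versions": {"TLS1.0", "TLS1.2", "TLS1.3"}},
}
SEPARATED_DEPLOYMENT = {
    "rsa-legacy": {"key_usage": DER_ENC_ONLY, "versions": {"TLS1.0", "TLS1.2"}},
    "rsa-modern": {"key_usage": DER_SIGN_ONLY, "versions": {"TLS1.3", "QUIC"}},
}

if __name__ == "__main__":
    for label, dep in (("shared", SHARED_DEPLOYMENT), ("separated", SEPARATED_DEPLOYMENT)):
        print(label, check_deployment(dep) or "OK")
```

The audit only covers the two usage bits the slides mention; a TLS 1.2 endpoint that also offers ECDHE_RSA cipher suites signs with its key as well, so a real deployment would need an additional rule for that case.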
Summary and recommendations
• Removing RSA-PKCS#1 v1.5 from TLS is an excellent decision
– Not sufficient to protect completely against its weakness
• TLS 1.3 is more "robust" than QUIC
– But not immune
– Signing ephemeral values is a good idea
• Recommendation for future TLS versions: promote key separation
– Talk to X.509 and software developers