“Defeating SSL” Impact of Hash collisions on cyber security By vaibhav.
Secure Sockets Layer

Objective
• Background information on SSL, MD5 and the "Certificate" / "Public Key" Infrastructure
• Attack scenario on a core assumption of SSL, i.e. collision resistance of the hash function
• Attack scenarios on the specification / implementation of SSL

When in doubt, ask

Cryptographic Hash
• Serves an essential role within a wide range of security applications, such as:
(a) digital signature generation and verification
(b) session key establishment
(c) management of password schemes
(d) commitment schemes in cryptographic protocols

Hash Functions
• Compress an arbitrary finite-length m-bit input message into a fixed n-bit output value called the hash.
If h = H(m), then:
• h is called the "hash" of m
• m is called a "preimage" of h
[Figure: data, hash, message digest]

Properties of a (good) Hash Function
• (practicality) computation of the hash can be done efficiently
• (preimage resistance) given h, it is hard to compute a preimage of h
• (second preimage resistance) given m, it is hard to compute a second preimage m′ ≠ m with H(m′) = H(m)
• (collision resistance) it is hard to compute a collision for H

Let's talk about SSL first
• Ensures secrecy, authenticity, and integrity.
• Safeguards communication from both passive and active adversaries.
• SSL relies heavily on the X.509* certificate structure.
• For SSL protocols, it is the "common name" field in the subject of an X.509 certificate that is used to identify entities presenting certificates.

X.509? Digital certificates? What?
• ITU-T standard for the public key infrastructure.
• X.509 specifies standard formats for public key certificates.
• Public key certificates are structured according to version 3 of the X.509 specification.
• A public key certificate uses a digital signature to bind a public key with an identity.

Certification Authorities & Hierarchy
• Browsers ship with a list of trusted CA certificates.
  o Firefox 3 includes 135 trusted CA certs.
• CAs' responsibilities:
  o verify the identity of the requestor
  o verify domain ownership for SSL certs
  o revoke bad certificates

[Figure: certificate verification steps]
• Site name / CN
• Check expiry
• Check signature
• Signing CA in trust store

What if …
[Figure: certificate chain: Root CA, Intermediate I CA, Intermediate II CA, Hack.org, Richest-bank.com]
Hack.org is a valid certificate issued by Intermediate II CA.
What if hack.org issues a certificate for richest-bank.com?
The chain verification algorithm as described before would validate this certificate too.

Something must be wrong, but...
• All the signatures are valid.
• Nothing has expired.
• The chain is intact.
• The root CA is embedded in the browser and trusted.
But we just created a valid certificate for Richest-bank, and we're not Richest-bank?

X509v3 provides an extension to tackle this:
Basic Constraints: critical CA:FALSE
But …
• Most CAs didn't explicitly set basicConstraints: CA=False
• Whether the field was there or not, most SSL implementations didn't bother to check it.
Hacker Moxie Marlinspike released a tool, sslsniff, to attack this vulnerability.
Eventually Microsoft released a patch to address this issue.
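
The gap described on the last three slides, as an added example (not code from the presentation or from any SSL implementation): `verify_naive` performs only the signature, expiry and chain checks, while `verify_strict` also enforces the basic constraints CA bit and path length. The `cert_t` model, the function names and the sample chain are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: only the certificate fields the slides discuss. */
typedef struct {
    const char *subject, *issuer;
    bool sig_ok;    /* signature verifies under the issuer's key (assumed) */
    bool expired;
    bool is_ca;     /* basicConstraints present with CA:TRUE */
    int  path_len;  /* path length field, -1 when absent */
} cert_t;

/* The checks from the slides: signature, expiry, chain ends at a trusted root.
   c[0] is the leaf; the last certificate must be issued by `root`. */
bool verify_naive(const cert_t *c, size_t n, const char *root) {
    for (size_t i = 0; i < n; i++) {
        const char *parent = (i + 1 < n) ? c[i + 1].subject : root;
        if (!c[i].sig_ok || c[i].expired) return false;
        if (strcmp(c[i].issuer, parent) != 0) return false;
    }
    return true;
}

/* Same checks, plus: every certificate that signs another must be a CA,
   and its path length must allow the i-1 intermediates found below it. */
bool verify_strict(const cert_t *c, size_t n, const char *root) {
    if (!verify_naive(c, n, root)) return false;
    for (size_t i = 1; i < n; i++) {
        if (!c[i].is_ca) return false;
        if (c[i].path_len >= 0 && (size_t)c[i].path_len < i - 1) return false;
    }
    return true;
}

/* Constructed chain, leaf first. hack.org is an end-entity certificate, so
   forged + 1 (hack.org as the leaf) is the honest chain. */
static const cert_t forged[] = {
    {"richest-bank.com",   "hack.org",           true, false, false, -1},
    {"hack.org",           "Intermediate II CA", true, false, false, -1},
    {"Intermediate II CA", "Intermediate I CA",  true, false, true,   0},
    {"Intermediate I CA",  "Root CA",            true, false, true,   1},
};

int main(void) {
    printf("forged chain: naive=%d strict=%d\n",
           verify_naive(forged, 4, "Root CA"), verify_strict(forged, 4, "Root CA"));
    printf("honest chain: strict=%d\n", verify_strict(forged + 1, 3, "Root CA"));
    return 0;
}
```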

Obtaining certificates
[Figure: request inputs: public key, domain name, user identity]
• User: public/private key pair generation
• CSR generated
• CSR sent to CA
• CA validates user identity and domain ownership
• CA creates and signs certificate
• User installs private key and certificate on a web server
Certificate request format

Certificate structure
• the "to-be-signed" part, consisting of:
  o serial number
  o validity period
  o issuer name
  o subject
  o subject public key
  o "basic constraints" field, containing
    • a bit indicating whether this is a CA certificate or a user certificate
    • a path length field
• the "signature" part, containing a digital signature, produced by the CA's private key, over the "to-be-signed" part
Secure websites and certificates
Attack Scenario using Rogue CA certificate
Revisiting MD5 and MD5 Collision

Overview of MD5
Hash function MD5 designed in 1991
• Iterative design using a compression function.
• Collision: different messages, same hash

MD5 Collisions in 2004
2004: First MD5 collision attack
• The only difference between the messages is in 128 random-looking collision bytes
• Currently < 1 second on commodity PC
MD5( ) = MD5( )

MD5 Collisions in 2007
2007: Stronger collision attack
• Chosen-prefix collisions
• Messages can differ freely up to the 716 random-looking collision bytes
• Currently approx. 1 day on PS3+PC
MD5( ) = MD5( )
Generating Colliding Certificates

History of colliding certificates
Certificates with colliding to-be-signed parts
• generate a pair of certificates
• sign the legitimate certificate
• copy the signature into the rogue cert
Previous work
• Different RSA public keys in 2005
  o using 2004 collision attack
• Different identities in 2006
  o using chosen-prefix collisions
  o the theory is well known since 2007
Colliding certificates in 2006
Rogue CA certificate
CA bit

Action Items for generating hash colliding certificates
• Find a CA which issues MD5-signed certificates
• Predict the validity and serial number
• Construct the structure and content of the rogue certificate such that the real certificate (constructed by the CA) and the rogue CA cert (constructed by hackers) are perfectly aligned.
• Compute the collision blocks
• Create an RSA key pair such that it includes the collision block.
• Construct the CSR and send it to the CA for signing
Detailed view

Why RapidSSL?
• Out of 9000 MD5 certificates collected, 97% were issued by RapidSSL.
• RapidSSL issues exactly 6 seconds after the "accept" button is clicked, and the certificate expires in one year.
• RapidSSL uses sequential serial numbers, and on a weekend approximately 1000 certificates are issued.
Predicting the serial number
• Get the serial number S on Friday
• Predict the value for time T on Sunday to be S+1000
• Generate the collision bits
• Shortly before time T buy enough certs to increment the counter to S+999
• Send colliding request at time T and get serial number S+1000
Collision generation and RSA keys
• Based on the 2007 chosen-prefix collisions paper with new improvements
• 1-2 days on a cluster of 200 PlayStation 3’s
• Equivalent to 8000 desktop CPU cores or $20,000 on Amazon EC2
• Takes a couple of minutes to calculate an RSA key pair such that it contains the collision blocks
Another Attack on SSL

Background
• As mentioned earlier, the SSL handshake uses the "common name" of the certificate and compares it with the site name.
• Before the year 2000, actual people were involved in dealing with certificate requests.
• Entities are validated based on proof of ownership of the domain listed in the "common name" field.
• Nowadays a simple lookup in the WHOIS database for the root domain listed, plus a confirmation mail, completes the verification.

ASN.1 and Certificates
• Certificates are formatted using ASN.1 notation.
• Supports different types of strings, all represented as PASCAL strings.
• Represented in memory by the length of the string followed by the string data.
• The NULL character has no special meaning, unlike in C strings.
Example:
0x05 (length)
0x44 (D)
0x41 (A)
0x00 (NULL)
0x54 (T)
0x41 (A)

Malformed Request
• One can create a certificate request with the common name www.richest-bank.com\0www.hack.com
• For verification, the CA would do a WHOIS lookup
• The CA issues the certificate with the embedded NULL to the owner of hack.com.
• Spoof www.richest-bank.com and use the NULL-embedded certificate

Defeating SSL
• This is how the comparison function would be implemented for CN verification:

```c
char *destination = getDomainWeAreConnectingTo();
char *commonName = getCommonNameFromCertificate();
/* strcmp() stops at the first NUL byte in either string */
bool everythingIsOk = (strcmp(destination, commonName) == 0);
```

[Figure: string match]
char *commonName:  www.bank.com\0www
char *destination: www.bank.com\0
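
The comparison from this slide beside a length-aware version, as an added example (not code from the presentation or from any SSL library). The `asn1_str` type, the function names and the sample values are assumptions constructed from the strings used on the preceding slides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-prefixed string as decoded from a certificate (constructed model).
   Assumption: the buffer also ends in a NUL so strcmp() stays in bounds. */
typedef struct { size_t len; const unsigned char *data; } asn1_str;

/* The comparison from the slide: strcmp() stops at the first NUL byte. */
bool cn_matches_strcmp(const char *host, const asn1_str *cn) {
    return strcmp(host, (const char *)cn->data) == 0;
}

/* Length-aware comparison: reject embedded NULs, then compare all cn->len
   bytes. Exact match only; wildcard and case handling are left out. */
bool cn_matches_strict(const char *host, const asn1_str *cn) {
    if (memchr(cn->data, '\0', cn->len) != NULL) return false;
    return strlen(host) == cn->len && memcmp(host, cn->data, cn->len) == 0;
}

/* How many bytes a C string function sees of a length-prefixed value. */
size_t c_visible_len(const asn1_str *s) {
    return strlen((const char *)s->data);
}

/* Constructed samples: the "DA\0TA" value and the two common names. */
static const unsigned char data_bytes[] = "DA\0TA";
static const unsigned char evil_bytes[] = "www.richest-bank.com\0www.hack.com";
static const unsigned char good_bytes[] = "www.richest-bank.com";
static const asn1_str data_s  = { 5, data_bytes };
static const asn1_str evil_cn = { sizeof evil_bytes - 1, evil_bytes };
static const asn1_str good_cn = { sizeof good_bytes - 1, good_bytes };

int main(void) {
    const char *host = "www.richest-bank.com";
    printf("DATA value: length %zu, C sees %zu\n", data_s.len, c_visible_len(&data_s));
    printf("NUL CN:  strcmp=%d strict=%d\n",
           cn_matches_strcmp(host, &evil_cn), cn_matches_strict(host, &evil_cn));
    printf("real CN: strict=%d\n", cn_matches_strict(host, &good_cn));
    return 0;
}
```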

Questions?

References
• http://www.win.tue.nl/hashclash/rogue-ca/
• http://conf.isi.qut.edu.au/auscert/proceedings/2006/gauravaram06collision.pdf
• https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf