Transcript Collision Attacks - NDSS Symposium · 2017-09-01 · – Even if the client and server...
Transcript of Transcript Collision Attacks - NDSS Symposium · 2017-09-01 · – Even if the client and server...
TranscriptCollisionAttacks:BreakingAuthenticationinTLS,IKEandSSH
or: MD5MUSTDIE
Karthikeyan BhargavanGaëtan Leurent
http://sloth-attack.org
Cryptoprotocolsandapplicationsevolve
Agility:gracefultransitionfromoldtonew
Whatcangowrong?
• Downgradeattacks:POODLE,LOGJAM,SLOTH
AuthenticatedDHwithNegotiation
Version/Group/CipherParameters
SignedTranscript
WhatTranscripttoSign?• Signthefullmessagetrace– sign(skB,hash(m1 |m2))– Example:TLS1.3,SSH-2,TLS1.2clientauth
• Signyourephemerals,MACthetranscript– sign(skB,hash(nonceA |nonceB |g|p|gy))– Example:TLS1.2serverauth
• SignyourownmessagesandMACed identity– sign(skA,hash(m1|mac(k,A)))– sign(skB,hash(m2|mac(k,B)))– Example:IKEv2initiator,responder,EAPauth
UsingWeakHashFunctions
• Signthefulltranscript– sign(skB,hash(m1 |m2))– Example:TLS1.3,SSH-2,TLS1.2clientauth
• Howweakcanthehash functionbe?– doweneedcollisionresistance?– doweonlyneed2nd preimage resistance?– IsitstillsafetouseMD5,SHA-1inTLS,IKE,SSH?– Disagreement:cryptographersvs.practitioners
(seeSchneier vs.Hoffman,RFC4270)
SLOTH:TranscriptCollisionAttacks
ServerImpersonation
ClientImpersonation
ParameterDowngrade
Man-in-the-Middle:networkattacker/maliciousserver
ComputingaTranscriptCollision
hash(m1 |m’2) =hash(m’1 |m2)
• Weneedtocomputeacollision,notapreimage– Attackercontrolspartsofbothtranscripts– Ifweknowtheblackbits, canwecomputethered bits?– Thisisusuallycalledagenericcollision
• Ifwe’relucky,wecansetupashortcut collision– Common-prefix:collisionafterasharedtranscriptprefix– Chosen-prefix:collisionafterattacker-controlledprefixes
PrimeronHashCollisionComplexity
• MD5:knownattackcomplexities– MD5secondpreimage 2128hashes– MD5 genericcollision: 264hashes
(birthday)– MD5chosen-prefixcollision: 239hashes (1hour)– MD5 common-prefixcollision: 216hashes (seconds)
• SHA1:estimatedattackcomplexities– SHA1secondpreimage 2160hashes– SHA1 genericcollision: 280 hashes
(birthday)– SHA1chosen-prefixcollision: 277 hashes (?)
CompositeHashConstructions
• Whenusedastranscripthashfunctionsmanyconstructionsarenotcollisionresistant– MD5(x)|SHA1(x)notmuchbetterthanSHA1
– HMAC-MD5(k,x)notmuchbetterthanMD5
– HMAC-SHA256(k,MD5(x))notmuchbetterthanMD5
– TruncatedHMAC-SHA256(k,x)toNbitsnotmuchbetterthanaNbithashfunction
hashhash
ComputingTranscriptCollisions
len1gx
paramsA
len1’gx’
params’A
len2gy
paramsB
len2’gy’
params’B
A BMitM
m1 m1’
m2m2’
GenericTranscriptCollisions
len1gx
nonceA
len1’gx’
nonce1len2gstatic
nonceA
len2’gy’
nonce1
A BMitMhash hash
len2’gy’
nonce2
len1’gx’
nonce2
len1’gx’
nonceNlen2’gy’
nonceN
Predictable:StaticDHkey,nofreshnonce
Tryrandomnoncesuntilcollision
N=2|hash|/2MD5:264SHA-1:280
HMAC/96:248
Chosen-PrefixTranscriptCollisions
len1gx
blobAlen2gy
blobB
A BMitM
Knownlength,ephemeralDHkey,arbitraryBLOB
m1
m2
len1gx
blobA
len2gy
blobB
len2’gy’
C1
A BMitM
len1’gx’
00000000
0000000000000000
C2len2gy
blobB
hash hash
blobA’
blobB’
FindChosen-PrefixCollisionC1,C2
m1 m1’
m2m2’
Merkle-Damgardhashextension
N=2CPC(hash)MD5:239SHA-1:277
HMAC/96:n/a
SLOTH:AttackingTLS1.2ClientAuth• TLS1.2upgradedhashfunctionsusedinTLS– SHA-256forallhandshakeconstructions– Newsignaturealgorithmsextension:SHA-256/384/512
• TLS1.2addedsupportforMD5-basedsignatures!– EveniftheclientandserverpreferRSA-SHA256,theconnectioncanbedowngradedtoRSA-MD5!
• TranscriptcollisionsbreakTLS1.2clientsignatures– Chosenprefixcollisionattackusingflexibleformats– Demo:Takes1hour/connectionona48-coreworkstation– Notverypractical:connectionmustbeliveduringattack
SLOTH:AttackingTLSServerAuth
• TLS1.2serversignaturesarehardertobreak– Irony:theweaknessthatenablesLogjamblocksSLOTH– Needs2Xpriorconnections+2128-Xhashes/connection– Notpracticalforacademics,asfarasweknow
• TLS1.3serversignaturesispotentiallyvulnerable– New:MD5,SHA-1sigsnowexplicitlyforbiddeninTLS1.3
OtherSLOTHVulnerabilities
• ReducedsecurityforTLS1.*,IKEv1,IKEv2,SSH– ImpersonationattackonTLSchannelbindings– Exploitdowngrades+transcriptcollisions– Theseareprotocolflaws,notimplementationbugs–Mainmitigationistodisableweakhashfunctions
FinalThoughts
• Legacycryptoisstrangelyhardtogetridof,butwehavetokeeptryingtokillbrokenprimitives
(MD5MUSTDIE)• KeyexchangesinInternetprotocolsdo relyoncollisionresistance,questionanyonewhotellsyouotherwise!
• Future:newdowngraderesilientprotocols,collision-resistantauthenticationmechanisms
• Moredetails,papers,demosareat:http://sloth-attack.org