TRANSCRIPT
CSE484/CSEM584: Computer Security and Privacy
Certificate Authorities and SSL/TLS/HTTPS
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
Authenticity of Public Keys
11/2/16 CSE484/CSEM584 - Fall 2016 2
Problem: How does Alice know that the public key she received is really Bob's public key?
[Figure: Alice receives a public key and wonders "?"; Bob holds the corresponding private key]
• Basedonfeedbackandinterest,notinlecture
• I’veaddedaslidetolecture12’sslideswhichexplainsit(it’sslide18)
11/2/16 CSE484/CSEM584-Fall2016 4
RSAdecryption
• Ontheinterestscaleof1-5…– ...someoneanswered0– ...someoneanswered6– …someoneansweredπ– …someoneanswered25
11/2/16 CSE484/CSEM584-Fall2016 5
Security mindset anecdote – Mining Your Ps and Qs
• A 2012 study titled "Mining your Ps and Qs: Detection of Widespread Weak Keys in Network Devices"
– Scanned the entire internet to look for weak public keys
Mining Your Ps and Qs
• They were able to determine the RSA private key for 0.5% of HTTPS servers and 0.03% of SSH servers
• How? Insufficient randomness. 0.5% of keys shared a p or q with at least one other key (but not both).
RSA Cryptosystem [Rivest, Shamir, Adleman 1977]
• Key generation:
– Generate random large primes p, q
• Say, 1024 bits each
– Compute n = pq and ϕ(n) = (p-1)(q-1)
– Choose small e, relatively prime to ϕ(n)
• Typically, e = 2^16 + 1 = 65537
– Compute unique d such that ed = 1 mod ϕ(n)
• Modular inverse: d = e^-1 mod ϕ(n)
– Public key = (e, n); private key = (d, n)
• Encryption of m: c = m^e mod n
• Decryption of c: c^d mod n = (m^e)^d mod n = m
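As an added example (not part of the slides), here is the RSA key generation just described, written in Python with toy-sized primes, together with the pairwise-GCD check behind the Ps-and-Qs finding: two public moduli that share a prime factor are both factored immediately. The two-RNG split and the four-device "fleet" are constructed to reproduce the insufficient-randomness failure, where a device draws p before its entropy pool is seeded and q after; `weak_fleet`, `find_shared_factors` and `recover_private_key` are names chosen here, not from the paper.

```python
import math
import random

def is_prime(n):
    """Trial division; fine for the toy ~21-bit primes used here."""
    return n >= 2 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def rsa_keygen(rng_p, rng_q, e=65537):
    """Textbook RSA key generation as on the slide, with toy-sized primes.
    The two RNGs model a device that draws p before its entropy pool is
    seeded (so p repeats across devices) and q only after it is seeded."""
    p = next_prime(rng_p.randrange(10**6, 2 * 10**6))
    while True:
        q = next_prime(rng_q.randrange(10**6, 2 * 10**6))
        phi = (p - 1) * (q - 1)
        if q != p and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)            # modular inverse: d = e^-1 mod phi(n)
    return (e, p * q), (d, p * q)  # (public key, private key)

def encrypt(m, pub): return pow(m, pub[0], pub[1])    # c = m^e mod n
def decrypt(c, priv): return pow(c, priv[0], priv[1])  # m = c^d mod n

def find_shared_factors(moduli):
    """The Ps-and-Qs check: a gcd > 1 between two distinct public moduli is a
    shared prime, which factors both keys. Returns {modulus: shared_prime}."""
    shared = {}
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            g = math.gcd(n1, n2)
            if 1 < g < n1:          # g == n1 would mean two identical keys
                shared[n1] = shared[n2] = g
    return shared

def recover_private_key(n, p, e=65537):
    """With one prime factor known, d is rebuilt exactly as key generation did."""
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)

def weak_fleet(devices=4, entropy_states=2):
    """Constructed fleet: the boot-time entropy pool has only `entropy_states`
    possible seeds, so p repeats; q comes from a well-seeded generator."""
    return [rsa_keygen(random.Random(i % entropy_states), random.Random(1000 + i))
            for i in range(devices)]
```

Running `find_shared_factors` over the moduli of your own certificate inventory is the cheap defensive version of the study; any hit means that key pair must be replaced, not just the certificate.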
Certificates
• Public-key certificate
– Signed statement specifying the key and identity
• sig_CA("Bob", PK_B)
You encounter this every day...
SSL/TLS: Encryption & authentication for connections (More on this later!)
Certificate Authority
• Trusted organization that verifies who owns what keys out of band and tells everyone else whose keys are whose
Strawman CA design
1. You browse to www.cs.washington.edu
2. www.cs.washington.edu sends its key K
3. Your browser asks a trusted CA: "hey, is key K the right key for UW CSE?"
4. CA replies "yes" or "no"
Why is this a bad idea? (Q1)
Real CA design
• Think of a certificate as a cryptographically hard-to-forge piece of ID
[Figure: www.cs.washington.edu sends <proof that I'm UW CSE and PK_UWCSE is my key> to a certificate authority (e.g., Verisign or Let's Encrypt), which returns sig_CA("UW CSE", PK_UWCSE)]
Hierarchical Approach
• Single CA certifying every public key is impractical
• Instead, one or more trusted root authorities
– Everybody must know the public key for verifying root authority's signatures
• CAs delegate to other authorities
– What happens if root authority is ever compromised?
Hierarchical Approach
• Single CA certifying every public key is impractical
• Instead, use a trusted root authority
– For example, Verisign
– Everybody must know the public key for verifying root authority's signatures
• Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on
– Instead of a single certificate, use a certificate chain
• sig_Verisign("AnotherCA", PK_AnotherCA), sig_AnotherCA("Alice", PK_A)
– What happens if root authority is ever compromised?
Many Challenges...
• CAs make serious mistakes
– Bad security practices, bad operational practices
• Revocation is hard...
• Users don't notice when attacks happen
– We'll talk more about this later
Mining Your Ps and Qs
• Apache ships with a "snake-oil" certificate -- an example certificate for demonstrating how to set up HTTPS
• A study found >85k hosts on the internet (0.66% of all TLS hosts on the internet) actively using these keys!
• 22 hosts had certificates using these keys THAT WERE SIGNED BY A CA!
Attacking CAs
Security of DigiNotar servers:
• All core certificate servers controlled by a single admin password (Pr0d@dm1n)
• Software on public-facing servers out of date, unpatched
• No anti-virus (could have detected attack)
Colliding Certificates
[Figure: a real certificate and a rogue certificate shown field by field: serial number, validity period, domain name, RSA key, X.509 extensions, signature. The serial number and validity period are set by the CA; the domain name and key form the chosen prefix (the difference between the two certificates); the rogue cert's key field ("???") holds the computed collision bits; the X.509 extensions and signature are identical bytes copied from the real cert. Both certificates hash to the same MD5 value, so the CA's signature is valid for both!]
[Sotirov et al. "Rogue Certificates"]
Consequences of Hacking a CA
• Attacker makes themselves a fake certificate for a site (say, mail.yahoo.com): fakeCert = sig_CA("Yahoo", <attacker's key>)
• An attacker can pretend to be any real site
– For example, use DNS to poison the mapping of mail.yahoo.com to an IP address
• ..."authenticate" as the real site
• ...decrypt all data sent by users
– Email, phone conversations, Web browsing
More Rogue Certs
• In Jan 2013, a rogue *.google.com certificate was issued by an intermediate CA that gained its authority from the Turkish root CA TurkTrust
– TurkTrust accidentally issued intermediate CA certs to customers who requested regular certificates
– Ankara transit authority used its certificate to issue a fake *.google.com certificate in order to filter SSL traffic from its network
• This rogue *.google.com certificate was trusted by every browser in the world
Certificate Revocation
• Revocation is very important
• Many valid reasons to revoke a certificate
– Private key corresponding to the certified public key has been compromised
– User stopped paying their certification fee to this CA and CA no longer wishes to certify him
– CA's private key has been compromised!
• Expiration is a form of revocation, too
– Many deployed systems don't bother with revocation
– Re-issuance of certificates is a big revenue source for certificate authorities
Certificate Revocation Mechanisms
• Certificate revocation list (CRL)
– CA periodically issues a signed list of revoked certificates
• Credit card companies used to issue thick books of canceled credit card numbers
– Can issue a "delta CRL" containing only updates
• Online revocation service
– When a certificate is presented, recipient goes to a special online service to verify whether it is still valid
• Like a merchant dialing up the credit card processor
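As an added example (not from the slides), a toy chain verifier in Python that ties together the hierarchical chain sig_Verisign("AnotherCA", PK_AnotherCA), sig_AnotherCA("Alice", PK_A), the TurkTrust-style misuse of an intermediate, and CRL-based revocation and expiry. The names, serials and small fixed primes are constructed, and textbook RSA over a SHA-256 digest stands in for a real signature scheme; a browser does the same walk with real X.509 parsing and name constraints.

```python
import hashlib

E = 65537  # public exponent, as on the RSA slide

def toy_key(p, q):
    """Textbook RSA from two fixed small primes (toy sizes; real CAs use 2048-bit+ keys)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def tbs(cert):
    """The to-be-signed fields: everything in the certificate except its signature."""
    return f"{cert['serial']}|{cert['subject']}|{cert['n']}|{cert['issuer']}|{cert['not_after']}".encode()

def issue(issuer, issuer_key, serial, subject, subject_n, not_after):
    cert = {"serial": serial, "subject": subject, "n": subject_n, "issuer": issuer, "not_after": not_after}
    cert["sig"] = pow(digest(tbs(cert), issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def verify_chain(chain, roots, crl, now):
    """chain = [leaf, intermediate, ...]; roots = {name: n}; crl = {(issuer, serial)}.
    Every link must be unexpired, unrevoked, name-linked to its issuer and correctly signed."""
    for i, cert in enumerate(chain):
        if now > cert["not_after"]:
            return False, f"{cert['subject']}: expired"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']}: revoked by {cert['issuer']}"
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False, f"{cert['subject']}: issuer name mismatch"
            issuer_n = chain[i + 1]["n"]
        elif cert["issuer"] in roots:
            issuer_n = roots[cert["issuer"]]          # the browser's trust store
        else:
            return False, f"{cert['subject']}: issuer {cert['issuer']} is not a trusted root"
        if pow(cert["sig"], E, issuer_n) != digest(tbs(cert), issuer_n):
            return False, f"{cert['subject']}: bad signature"
    return True, "ok"

# Constructed keys/certs mirroring sig_Verisign("AnotherCA", PK_AnotherCA), sig_AnotherCA("Alice", PK_A).
ROOT, ANOTHER_CA = toy_key(1000003, 1000033), toy_key(1000037, 1000039)
ROOTS = {"Verisign": ROOT["n"]}
CA_CERT = issue("Verisign", ROOT, 1, "AnotherCA", ANOTHER_CA["n"], not_after=2000)
ALICE_CERT = issue("AnotherCA", ANOTHER_CA, 7, "Alice", 1000081 * 1000099, not_after=1500)
# A misused intermediate (the TurkTrust case) can mint a cert for any name; only revocation stops it.
ROGUE_CERT = issue("AnotherCA", ANOTHER_CA, 8, "*.google.com", 1000117 * 1000121, not_after=2000)
```

Note that the rogue certificate verifies cleanly until either its own serial or the intermediate's serial lands on the CRL, which is exactly why a client that skips revocation checking stays exposed.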
Keybase
• Basic idea:
– Rely on existing trust of a person's ownership of other accounts (e.g., Twitter, GitHub, website)
– Each user publishes signed proofs to their linked account
https://keybase.io/
SSL/TLS
• Secure Sockets Layer and Transport Layer Security
– Same protocol, new version (TLS is current)
• De facto standard for Internet security
– "The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications"
• Deployed in every Web browser; also VoIP, payment systems, distributed systems, etc.
SSL/TLS
• TLS is typically used on top of a TCP connection
[Figure: TLS layered between the application and TCP]
• Can be used over other transport protocols
TLS Basics
• TLS consists of two protocols
– Familiar pattern for key exchange protocols
• Handshake protocol
– Use public-key cryptography to establish a shared secret key between the client and the server
• Record protocol
– Use the secret symmetric key established in the handshake protocol to protect communication between the client and the server
Basic Handshake Protocol
[Message sequence between client C and server S, built up over five slides]
ClientHello, C → S: C, version_c, suites_c, N_c
– Client announces (in plaintext): the protocol version it is running, the cryptographic algorithms it supports, and a fresh, random number
ServerHello, S → C: version_s, suites_s, N_s, ServerKeyExchange
– Server responds (in plaintext) with: the highest protocol version supported by both the client and the server, the strongest cryptographic suite selected from those offered by the client, and a fresh, random number
ServerKeyExchange, S → C: certificate, "ServerHelloDone"
– Server sends his public-key certificate containing either his RSA or his Diffie-Hellman public key (depending on chosen cryptosuite)
ClientKeyExchange, C → S: {Secret_c}PK_s if using RSA
– The client generates secret key material and sends it to the server encrypted with the server's public key (if using RSA)
– C and S share secret key material (secret_c) at this point
Both sides switch to keys derived from secret_c, N_c, N_s
Finished (C → S), Finished (S → C)
– Record of all sent and received handshake messages
"Core" SSL 3.0 Handshake (Not TLS)
C → S: C, version_c = 3.0, suites_c, N_c
S → C: version_s = 3.0, suites_s, N_s, certificate, "ServerHelloDone"
C → S: {Secret_c}PK_s if using RSA
– C and S share secret key material (secret_c) at this point
Both sides switch to keys derived from secret_c, N_c, N_s
Finished, Finished
Version Rollback Attack
C → S: C, version_c = 2.0, suites_c, N_c
S → C: version_s = 2.0, suites_s, N_s, certificate, "ServerHelloDone"
C → S: {Secret_c}PK_s if using RSA
– C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include "Finished" messages)
– Server is fooled into thinking he is communicating with a client who supports only SSL 2.0
"Chosen-Protocol" Attacks
• Why do people release new versions of security protocols? Because the old version got broken!
• New version must be backward-compatible
– Not everybody upgrades right away
• Attacker can fool someone into using the old, broken version and exploit known vulnerability
– Similar: fool victim into using weak crypto algorithms
• Defense is hard: must authenticate version in early designs
• Many protocols had "version rollback" attacks
– SSL, SSH, GSM (cell phones)
Version Check in SSL 3.0
C → S: C, version_c = 3.0, suites_c, N_c
S → C: version_s = 3.0, suites_s, N_s, certificate for PK_s, "ServerHelloDone"
C → S: {version_c, secret_c}PK_s
– "Embed" version number into secret
– C and S share secret key material secret_c at this point
– Check that received version is equal to the version in ClientHello
Both sides switch to key derived from secret_c, N_c, N_s
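As an added example (not from the slides), a Python simulation of the rollback attack and the SSL 3.0 version check above: the client embeds the version it originally offered inside the public-key-encrypted secret, and the server compares it with the version in the ClientHello it actually received. The `Sealed` class is an assumption standing in for RSA encryption under the server's certified key, the KDF is a toy, and the `mitm_downgrade` flag models the in-transit rewrite of the plaintext ClientHello.

```python
import hashlib
import os

SSL2, SSL3 = "2.0", "3.0"
class Sealed:
    """Assumption: stands in for RSA encryption under the server's certified
    public key. A man-in-the-middle can relay it but not read or alter it."""
    def __init__(self, payload): self._payload = payload
    def open_with_server_key(self): return self._payload

def derive_keys(secret, nc, ns):
    """Toy KDF: record-layer keys derived from secret_c, N_c, N_s."""
    return hashlib.sha256(secret + nc + ns).hexdigest()[:32]

class Client:
    def __init__(self):
        self.version, self.nc = SSL3, os.urandom(16)
    def client_hello(self):
        return {"version": self.version, "nc": self.nc}   # plaintext: modifiable in transit
    def key_exchange(self, server_hello, embed_version):
        # A backward-compatible client accepts whatever version the ServerHello names.
        payload = {"secret": os.urandom(16)}
        if embed_version:   # SSL 3.0 fix: embed the version originally offered, not the negotiated one
            payload["version"] = self.version
        self.keys = derive_keys(payload["secret"], self.nc, server_hello["ns"])
        return Sealed(payload)

class Server:
    def __init__(self, check_version):
        self.check, self.ns = check_version, os.urandom(16)
    def server_hello(self, ch):
        self.seen_version, self.nc = ch["version"], ch["nc"]
        return {"version": min(ch["version"], SSL3), "ns": self.ns}   # highest common version
    def key_exchange(self, sealed):
        payload = sealed.open_with_server_key()
        if self.check and payload.get("version") != self.seen_version:
            raise ValueError(f"rollback: ClientHello said {self.seen_version}, "
                             f"sealed secret says {payload.get('version')}")
        self.keys = derive_keys(payload["secret"], self.nc, self.ns)

def run_handshake(mitm_downgrade, check_version):
    """Returns the negotiated version, or raises ValueError when the server detects rollback."""
    client, server = Client(), Server(check_version)
    ch = client.client_hello()
    if mitm_downgrade:
        ch = dict(ch, version=SSL2)   # attacker rewrites the plaintext ClientHello to SSL 2.0
    sh = server.server_hello(ch)
    server.key_exchange(client.key_exchange(sh, embed_version=check_version))
    assert server.keys == client.keys   # both sides switch to keys derived from secret_c, N_c, N_s
    return sh["version"]
```

Without the check the downgraded handshake completes at 2.0 and neither side notices; with it, the tampered ClientHello version can no longer match the version bound inside the sealed secret, so the server aborts before any record-layer keys are used.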