Download - COMPSCI 726 Lecture 25a Zong Chen
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
1/16
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
2/16
Outline• Background: TLS
• Problem denition: MITM
• An existing solution: TLS Channel ID
• An attack on Channel ID: MITM-SITB
• The proposed solution: SISCA
• Remarks
2
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
3/16
TLS• Transport Layer Security
• X.509 certicates
• Security services:
• Condentiality
• Integrity
• Authentication
3
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
4/16
MITM
4
!"#$
!"#$
%&''($)
%&''($)
*#$+#$
*#$+#$
,-. 0&120+304#
,-. 0&120+304#
566 74#89"(:;
566 74&)&41#$#?89"(:;
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
5/16
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
6/16
6
!"#$
!"#$
%&''($)
%&''($)
*#$+#$
*#$+#$
,-. 0
122 34&5# '(678 4($9:
;(9&78M0
,-. 0
122 3$#&' '(678 4($9:
!"#$" 976B? &""A9#?B#) 97"?)C#> ?B#7$ C&""H($>J
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
7/16
TLS Channel ID
7
BALFANZ, D., AND HAMILTON, R. Transport Layer, “Security (TLS) Channel IDs, v01 (IETF Internet-Draft)”,http://tools.ietf.org/html/draft-balfanz-tlschannelid-01, 2013.
• “Strong Client Authentication” (SCA)
•Server authenticates client
• A “Channel ID” is the public key of a key pair generatedby the browser.
• Each Channel ID identies a TLS connection.
• “Strong” credentials (i.e. not transmitted throughnetwork)
http://tools.ietf.org/html/draft-balfanz-tlschannelid-01
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
8/16
TLS Channel ID
8
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
9/16
Attack: MITM-SITB(“Man-in-the-middle Script-in-the-browser”)
9
• An attacker can communicate to server, on behalfof the user.
• Attacker intercepts user’s request, injects maliciousscript, then allows user through to legitimate server.
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
10/16
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
11/16
Proposed solution: SISCA
• “Server Invariance with Strong Client
Authentication”• Ensure that the user is only communicating with
one server.
• Server establishes information about each client,which other servers won’t know.
11
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
12/16
Proposed solution: SISCA
12
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
13/16
Remarks• Unclear notion of “strong” credentials
• Using a strong second factor authentication device?
• “strong second factor authentication device, as in PhoneAuth[13] and FIDO Universal 2nd Factor (U2F) [22] protocols”
• Credentials that are not sent through network?
• “Such credentials are considered weak ; they are transmittedover the network and are susceptible to theft and abuse,unless protected by TLS.”
13
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
14/16
Remarks• Insufcient description of Channel ID, which this
paper strongly depends on.
14
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
15/16
Remarks
• Doesn’t help prevent server-impersonation
• User may see content from an attacker inresponse to a request made to the server.
15
-
8/17/2019 COMPSCI 726 Lecture 25a Zong Chen
16/16
Remarks
• Requires lots of changes to existing systems
• “the server sends a list of all the involved domains andall their public keys to the browser”
• “For the protocol to be secure, on the client side thisheader is controlled solely by the browser. It cannot becreated or accessed programmatically via scripts”
16