350 rub
Journal Highly available systems №2 for 2012 г.
Article in number:
Countermeasures against attacks on TLS protocol
Authors:
S.E. Leontiev, V.O. Popov, S.V. Smyshlyaev
Abstract:
At Ekoparty conference in Argentina in September of 2011 a new work of Duong and Rizzo [5], dedicated to practical implementation of known theoretical attack on SSL/TLS protocol, was presented. That attack had been proposed by Gregory Bard [1] 7 years before Duong and Rizzo. It was based on certain properties of CBC block cipher operation mode in case of chosen plaintext attack when the following initialization vector is known.
Earlier at Eurocrypt 2002 [3] a work by Serge Vaudenay was presented. It was dedicated to another method of constructing attack on TLS protocol, also using certain properties of CBC mode. The idea of constructing such chosen ciphertext attacks when certain modes of block cipher operation and padding algorithms are used was presented earlier at CRYPTO 1998 [2].
The current work is dedicated to countermeasures against attacks on TLS Record Protocol. All observed attacks are based on ideas of Bard and Vaudenay and are possible in models with chosen plaintext or chosen ciphertext attacks.
A short review of most important attacks on TLS protocol is presented. Applicability of such class of attacks to versions 1.0 and 1.1-1.2 of TLS protocol is considered and a new modification of timing attack, which is applicable to versions 1.1 and 1.2, is proposed.
To counteract against timing attacks similar to Vaudenay attack in 6.2.3.2 of RFC 5246 [6] it was recommended to compute MAC even in the case of incorrect padding. In that case it was proposed to compute MAC for the whole message, considering there is no padding.
There was also noted that proposed measures leave behind a certain side channel caused by difference between times of MAC computation in case of correct and incorrect padding.
Consider the task of decrypting block Ci of transmitted ciphertext . We will consider that block lengths of block cipher and MAC are equal to b, 1≤ b ≤ 128, where 256 is a multiple of b.
It is assumed that it is possible for adversary to encrypt plaintext M, which is modified in right of block Mi using the current key; also it is assumed that adversary is able to make requests to an oracle which evaluate padding correctness in decrypted text.
To construct such an oracle one needs to distinguish the following two events: 1) MAC is computed for a message with length of 2b bytes or less; 2) for a message with length of 255 bytes.
The block Mi is restored byte-by-byte, starting from the last one; an average number of 128 evaluations is needed to restore each byte.
With the exception of using stream cipher algorithms (suites TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5), for usage of algorithms that are not vulnerable to described attacks it is proposed to use encryption-with-authentication suites which use GCM [4]:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
For the purpose of counteraction against described attacks the following measures are proposed.
Nopadding. Usage of CNT mode of operation of GOST 28147-89, which does not require any padding, makes any attacks using additional redundancy impossible.
Authentication of messages together with padding. Authenticity of each received message mustbeverified with GOST 28147-89 MAC. It is important to note that in SSL v2 authentication was always made for messages together with padding. Later it was changed that caused appearance of described attacks.
RandomchoiceofIV. It isproposed that before processing of each packet a new unpredictable IV must be generated.
That is, for elimination of vulnerabilities of all described attacks on TLS protocol usage of the following cipher suites is proposed: TLS_GOSTR341094_WITH_28147_CNT_IMIT and TLS_GOSTR341001_WITH_28147_CNT_IMIT.
Pages: 109-115
References
- Bard Gregory V. Vulnerability of SSL to Chosen-Plaintext Attack URL: http://eprint.iacr.org/2004/111.pdf.
- Black J., Urtubia H. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. URL: http://www.usenix.org/event/sec02/full_papers/black/black.pdf.
- Bleichenbacher D. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1. In Advances in Cryptology CRYPTO-98, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 1462. Springer-Verlag. 1998. Р. 1-12.
- Brumley D. and Boneh D. Remote timing attacks are practical. In Proceedings of the 12th USENIX Security Symposium. 2003.
- Brumley D. and Boneh D. Remote timing attacks are practical. Computer Networks. 2005. V. 48. № 5. Р. 701-716.
- Brumley B.B. and Tuveri N. Remote Timing Attacks are Still Practical. URL: http://eprint.iacr.org/2011/232.pdf.
- Canvel B., Hiltgen A., Vaudenay S. and Vuagnoux M. Password Interception in a SSL/TLS Channel. Advances in Cryptology - CRYPTO 2003. LNCS. V. 2729. 2003.
- Canvel B. Password Interception in a SSL/TLS Channel. URL: http://lasecwww.epfl.ch/memo/memo_ssl.shtml.
- Dai W. An Attack Against SSH2 Protocol, Feb. 2002. Email to the ietf-ssh@netbsd.org email list, 2002.
- Duong T., Rizzo J. Here-Come-the-XOR-Ninjas. URL: http://blog.cfrtechnologies.biz/wp-content/uploads/2011/09/Here-Come-the-XOR-Ninjas.pdf.
- Klima Vlastimil and Rosa Tomas. Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format. URL: http://eprint.iacr.org/2003/098.pdf.
- Krawczyk H. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In Advances in Cryptology CRYPTO 2001. Lecture Notes in Computer Science 1462. 2001 - Springer. P. 310-331.
- Vaudenay S. Security Flaws induced by CBC padding - Applications toSSL, IPSEC, WTLS. In Advances in Cryptology - EUROCRYPT - 02, V. 2332 of Lecture Notes in Computer Science. Р. 534-545. Springer-Verlag, 2002.
- NIST Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication, SP 800-38D, November 2007.
- Hackers break SSL encryption used by millions of sites // The Register. URL: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
- BEAST: Surprising crypto attack against HTTPS // ekoparty Security Conference 7. URL: http://ekoparty.org/2011/thai-duong.php
- State of SSL //InfoSec World 2011. URL: http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_InfoSec_World_April_2011.pdf
- Отчет о степени поддержки в браузерах и http-серверах версий SSL/TLS и шифров // OpenNET. URL: http://www.opennet.ru/opennews/art.shtml-num=31839
- RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2 // URL: http://tools.ietf.org/html/rfc5246
- Cipher Suite Mitigation For Beast // PhoneFactor. URL: http://www.phonefactor.com/resources/CipherSuiteMitigationForBeast.pdf