Defeating SSL and

Download Report

Transcript Defeating SSL and 

“Defeating SSL”
Impact of Hash
collisions on cyber
security
By vaibhav
Secure Sockets Layer
2
Objective
• Background Information of SSL , MD5 &
“Certificate”\”Public Key” Infrastructure
• Attack scenario on core assumption of SSL i.e.
collision resistance of hash function
• Attack scenarios on the specification\
implementation of SSL
3
when in doubt , ask
4
5
Cryptographic Hash
• Serves an essential role within a wide range of
security applications.
• Like
(a) digital signature generation and verification
(b) session key establishment
(c) management of password schemes
(d) commitment schemes in cryptographic
protocols
6
Hash Functions
• Compress an arbitrary finite length m-bit input
message into a fixed n-bit output value called hash.
hash
Data
Message
Digest
if h = H(m) then,
• h is called the "hash" of m,
• m is called a "preimage" of h
7
Properties of (good)Hash
Function
• (practicality) computation of hash can be done
efficiently
• (preimage resistance) given h, it is hard to compute
a preimage of h
• (second preimage resistance) given m, it is hard to
compute a second preimage of m
• (collision resistance) it is hard to compute a collision
for H
8
Lets talk about SSL first
• Ensures secrecy ,authenticity, and integrity.
• Safeguarding communication from both the
passive and active adversaries.
• SSL rely heavily on the x509* certificate structure.
• For SSL protocols , it is the “common name” field in
the subject of an x509 certificate that is used to
identify entities presenting certificates.
9
X509 ? Digital certificates ?
What ?
• ITU-T standard for the public key infrastructure.
• X.509 specifies standard formats for public key
certificates
• Public key certificates are structured according to
version3 of X.509 specification.
• A public key certificate uses a digital signature to
bind a public key with an identity.
10
11
Certification Authorities & Hierarchy
• Browsers ship with a list of trusted CA certificate.
o Firefox 3 includes 135 trusted CA certs.
• CAs’ responsibilities:
o verify the identity of the requestor
o verify domain ownership for SSL certs
o revoke bad certificates
12
Check
Signature
Signin CA in
trust store
Check
Expiry
CN
Site Name
13
What if …
Hack.org is a valid
certificate issued by
intermediate II CA
Root CA
What if hack.org
issues a certificate for
richest-bank.com ?
Intermediate I
CA
Chain verification
algorithm as
described before
would validate this
certificate too.
Intermediate
II CA
Hack.org
Richest-bank.com
14
Something must be wrong, but...
•
•
•
•
All the signatures are valid.
Nothing has expired.
The chain is intact.
The root CA is embedded in the browser and
trusted.
But we just created a valid certificate for Richestbank, and we're not Richest-bank?
15
X509v3 extensions provide a extension to tackle with this.
Basic Constraints: critical CA:FALSE
But …
• Most CAs didn't explicitly set basicConstraints: CA=False
• Whether the field was there or not, most SSL
implementations didn't bother to check it.
Hacker moxie marlinspike a tool, sslsniff, to attack this
vulnerability.
Eventually Microsoft released a patch to address this issue.
16
Obtaining certificates
User
User installs private key and
certificate on a web server
Public Private
Key pair
generation
User Identity
Domain
name
Public Key
CSR
generated
Create and signs
certificate
Validates user
identity and
domain
ownership
CSR sent to CA
17
Certificate request format
18
Certificate structure
• the "to-be-signed" part, consisting of:
o
o
o
o
o
o
serial number
validity period
issuer name
subject
subject public key
"basic constraints" field, containing
• a bit indicating whether this is a CA certificate or a user
certificate
• a path length field
• the "signature" part, containing a digital signature,
produced by CA`s private key, over the "to-besigned“ part
19
20
Secure websites and
certificates
21
Attack Scenario using Rogue
CA certificate
22
23
Revisiting MD5 and MD5
Collision
24
Overview of MD5
Hash function MD5 designed in 1991
• Iterative design using compression function.
• Collision  different messages , same hash
25
MD5 Collisions in 2004
2004: First MD5 collision attack
• Only difference between messages in random
looking 128 collision bytes
• Currently < 1 second on commodity PC
MD5(
) = MD5(
)
26
27
MD5 Collisions in 2007
2007: Stronger collision attack
• Chosen-Prefix Collisions
• Messages can differ freely up to the random
looking 716 collision bytes
• Currently approx. 1 day on PS3+PC
MD5(
) = MD5(
)
28
29
Generating Colliding
Certificates
30
History of colliding
certificates
Certificates with colliding to-be-signed parts
• generate a pair of certificates
• sign the legitimate certificate
• copy the signature into the rogue cert
Previous work
• Different RSA public keys in 2005
o using 2004 collision attack
• Different identities in 2006
o using chosen-prefix collisions
o the theory is well known since 2007
31
Colliding certificates in 2006
32
Rogue CA certificate
CA bit
33
Action Items for generating
hash colliding certificates
• Find CA which issues MD5 signed certificate
• Predict the Validity and Serial Number
• Construct structure and content rogue Certificate such that
real certificate( constructed by CA) and rouge CA
cert(Constructed by Hackers) are perfectly aligned.
• Compute the collision blocks
• Create RSA key pair such that it includes collision block in it.
• Construct CSR and send it to CA for signing
Detailed view
34
Why RapidSSL?
• Out of 9000 MD5 certificates collected 97% of those
were issued by RapidSSL.
• RapidSSL issues exactly 6 seconds after “accept”
button is clicked and expires in one year.
• RapidSSL uses sequential serial numbers and on
weekend approximately 1000 certificates are
issued.
35
Predicting the serial number
• Get the serial number S on Friday
• Predict the value for time T on Sunday to be S+1000
• Generate the collision bits
• Shortly before time T buy enough certs to increment
the counter to S+999
• Send colliding request at time T and get serial
number S+1000
36
Collision generation and
RSA keys
• Based on the 2007 chosenprefix collisions paper with new
improvements
• 1-2 days on a cluster of 200
PlayStation 3’s
• Equivalent to 8000 desktop CPU
cores or $20,000 on Amazon
EC2
• takes couple of minutes to
calculate RSA key pair such as
it contains collision blocks
37
Another Attack on SSL
38
Background
• As mentioned earlier SSL handshake uses “common
name” of certificate and compares with site name.
• Before year 2000 actual people were involved while
dealing with certificate request.
• Entities are validated based on proof of ownership
of the domain listed in the “common name” field.
• Now a days a simple lookup in WHOIS database for
the root domain listed and sending a confirmation
mail would complete the verification part.
39
ASN1.0 and Certificates
• Certificates are formatted using ASN1.0 notation.
• Supports different type of strings, all represented as
PASCAL strings.
• Represented in memory by the length of the string
followed by the string data.
• NULL character has no special meaning, like C
strings
Example :
0x05
(length)
0x44 ( D )
0x41 (A )
0x00
(NULL)
0x54 ( T )
0x41 ( A )
40
Malformed Request
• One can create a certificate request with common
name as www.richest-bank.com\0www.hack.com
• CA for verification would do WHOIS
• issues the certificate with embedded NULL to the
owner of hack.com.
• Spoof www.richest-bank.com and use NULL
embedded certificate
41
Defeating SSL
• This is how comparison function would be
implemented for CN verification.
char *destination = getDomainWeAreConnectingTo();
char *commonName = getCommonNameFromCertificate();
Bool everythingIsOk = (strcmp(destination, commonName) == 0);
char *commonName
w
w
w
.
b
a
n
k
.
c
char *destination
w
w
w
.
b
o
m
/0
w
w
w
string match
a
n
k
.
c
o
m
/0
42
Question ?
43
References
• http://www.win.tue.nl/hashclash/rogue-ca/
• http://conf.isi.qut.edu.au/auscert/proceedings/200
6/gauravaram06collision.pdf
• https://www.blackhat.com/presentations/bh-dc09/Marlinspike/BlackHat-DC-09-MarlinspikeDefeating-SSL.pdf
44