Crypto 9
SIMPLIFIED VIEW OF TLS
[Figure: the TLS (<= 1.2) protocol stack. Above the Record Protocol sit the Handshake Protocol, the Change Cipher Spec Protocol, the Alert Protocol and application data (HTTP, other apps); the Record Protocol runs over TCP. A second panel shows Client and Server first running the Handshake Protocol and then exchanging data over the Record Protocol.]
[Figure: the TLS landscape, with the attacks named next to the part of the ecosystem they hit]
• Crypto: RSA, DSA, ECDSA; Diffie–Hellman, ...; DES, 3DES, RC4, AES; SHA-2; Export grade
• Protocol: data structures; key derivation; encryption; negotiation; resumption; key reuse; compression; state machine
• Alerts & errors; certification / revocation
• Implementations: OpenSSL; LibreSSL, BoringSSL; NSS; Java JSSE; Everest / miTLS; s2n
• Deployment: web browsers (Chrome, Firefox, IE/Edge, Safari); web servers; SDKs; certificates; protocols; applications (HTTP, IMAP, ...)
• Attacks called out: goto fail; BERserk; Lucky13; Frankencert; Triple handshake attack; CA breaches; Sweet32
BEAST ATTACK
BEAST targets SSL 3.0 / TLS 1.0 records protected by a block cipher in CBC mode. In those versions the IV of each record is the last ciphertext block of the previous record, so an attacker who can inject chosen plaintext into the connection knows the IV before the next record is encrypted and can test a guess for one unknown plaintext byte at a time: the guessed block is XORed with the predictable IV so that, if the guess is right, it encrypts to the same ciphertext block as the victim's record. Repeating this byte by byte lets the attacker decrypt secrets carried in the connection, such as session cookies or credit card details.
BEAST – LESSONS LEARNED
Result: TLS 1.1 and 1.2 use an explicit, random IV (initialization vector) for every record instead of chaining the previous ciphertext block
CRIME ATTACK
CRIME exploits TLS-level compression: when a request is compressed before it is encrypted, its compressed length depends on how much the attacker-controlled part of the request repeats the secret part (such as a session cookie), and that length is visible on the wire. Rizzo and Duong used this to recover the victim's session cookie byte by byte. HTTPS should prevent this type of session hijacking because it encrypts session cookies in transit, but the attack, devised by security researchers Juliano Rizzo and Thai Duong, recovers them anyway. Once they had the cookie, they could return to whatever site the victim was visiting and log in with the victim's credentials.
The CRIME attack code, known as an agent, needs to be loaded inside the victim's browser. This can be done either by tricking the victim into visiting a rogue website or, if the attacker has control over the victim's network, by injecting the attack code into an existing HTTP connection. The attacker also has to observe the encrypted traffic to measure the record sizes.
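The length leak described above, as an added simulation that is not part of the original slides: the victim's browser compresses each request (with the cookie attached) before encryption, the attacker controls only the URL path and observes only the compressed size, and the cookie is recovered one byte at a time by keeping the guess whose request compresses best. The cookie value, cookie name, hostname, request layout and the eight-offset scoring trick are constructed for this example.

```python
import zlib

# Constructed example data: the secret the attacker wants, and the charset it is drawn from.
SECRET_COOKIE = b"Q7kF2mZx9Lp4"
ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Distinct bytes that occur nowhere else in the request and get 9-bit codes in DEFLATE's fixed
# Huffman table (values >= 144). Appending 0..7 of them shifts the bit alignment of the block, so
# summing the sizes over all eight offsets turns a one-bit difference into a one-byte difference
# and avoids the ties that a single measurement produces.
FILLER = bytes(range(0x90, 0x98))


def build_request(path: bytes) -> bytes:
    """What the victim's browser sends: the attacker chooses the path, the browser adds the cookie."""
    return (b"GET /" + path + b" HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Cookie: sessid=" + SECRET_COOKIE + b"\r\n\r\n")


def observed_length(path: bytes) -> int:
    """The attacker's only view: the size of the compressed (then encrypted) record on the wire."""
    return len(zlib.compress(build_request(path), 6))


def score(guess: bytes) -> int:
    """Total compressed size over eight alignments; smaller means the guess matched more of the cookie."""
    return sum(observed_length(guess + FILLER[:k]) for k in range(len(FILLER)))


def recover_cookie(max_len: int = 64) -> bytes:
    """Extend the guess one byte at a time, keeping the byte whose request compressed best."""
    known = b""
    for _ in range(max_len):
        scores = {c: score(b"sessid=" + known + bytes([c])) for c in ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            break  # no single byte compresses better than the rest: the cookie has ended
        known += bytes([winners[0]])
    return known


if __name__ == "__main__":
    print(recover_cookie())
```

Each recovered byte costs 62 guesses times 8 measurements, a few hundred requests, which is why the agent has to run in the browser and fire requests automatically; disabling TLS compression removes the signal entirely.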
CRIME – LESSONS LEARNED
[Figure: TLS record with MAC-then-encrypt (HDR | Ciphertext). CBC decryption of the blocks R1, R2, ..., C(t-1), Ct under dK, chained from the IV, yields Pt; the attacker's trial either produces a valid padding pattern ("00") or a bad pad.]
TLS AND PADDING ORACLES
Problem: each bad trial causes an error (a fatal alert) and terminates the TLS session, so the attacker gets one padding query per session and needs the same secret to be re-sent in many sessions
MAC-then-pad-then-encrypt (as TLS does) or encrypt-then-MAC?
• Switch to TLS 1.2+
  • Support for AES-GCM and AES-CCM
  • Was not widely supported by browsers or servers at that time
• Switch to RC4
  • Recommended by many people (again)
  • Is it a good idea?
  • Attacks on RC4
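An added simulation, not from the slides, of the two CBC attacks discussed above: the BEAST chosen-boundary guess against TLS 1.0's chained IVs, and a padding-oracle trial in which every wrong guess terminates the session, so the next trial needs a fresh session that re-encrypts the same cookie under a new key. The block cipher is a toy Feistel construction standing in for AES so the example runs with the standard library only; the session model, secrets and helper names are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Toy 16-byte block cipher (8-round Feistel on HMAC-SHA256); decrypt by reversing the rounds.
    A stand-in for AES so the example runs with the standard library only; not a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in rounds:
        left, right = right, xor(left, hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8])
    return right + left

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> list:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = feistel(key, xor(data[i:i + BLOCK], prev), range(8))
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> bytes:
    out, prev = b"", iv
    for c in blocks:
        out, prev = out + xor(feistel(key, c, range(7, -1, -1)), prev), c
    return out

def tls_pad(data: bytes) -> bytes:
    n = BLOCK - 1 - len(data) % BLOCK  # TLS: n+1 padding bytes, each equal to n
    return data + bytes([n]) * (n + 1)

def tls_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n + 1 > len(data) or any(b != n for b in data[-(n + 1):]):
        raise ValueError("bad padding")  # fatal alert in TLS: the session is over
    return data[:-(n + 1)]

class Tls10Session:
    """TLS 1.0 CBC: the IV of each record is the last ciphertext block of the previous one."""

    def __init__(self, secret: bytes):
        self.key, self.secret, self.next_iv = os.urandom(16), secret, os.urandom(BLOCK)

    def send(self, plaintext: bytes) -> list:  # attacker-chosen data (the injected BEAST agent)
        blocks = cbc_encrypt(self.key, self.next_iv, tls_pad(plaintext))
        self.next_iv = blocks[-1]
        return blocks

    def request(self, prefix: bytes) -> list:  # the browser appends the secret cookie
        return self.send(prefix + self.secret)

def beast_recover(session: Tls10Session, secret_len: int) -> bytes:
    prev, known = session.send(b"")[-1], b""  # last block on the wire = IV of the next record
    for i in range(secret_len):
        prefix = b"A" * ((BLOCK - 1 - i) % BLOCK)  # aligns secret[i] to the end of a block
        blocks = session.request(prefix)
        idx = (len(prefix) + i) // BLOCK
        chain = prev if idx == 0 else blocks[idx - 1]  # block XORed into the target plaintext
        target, prev = blocks[idx], blocks[-1]
        head = (prefix + known)[-(BLOCK - 1):]  # the 15 bytes before secret[i] are known
        for g in range(256):
            # E(probe XOR prev) == E(chain XOR head||g), which equals target iff g == secret[i]
            out = session.send(xor(xor(prev, chain), head + bytes([g])))
            prev = out[-1]
            if out[0] == target:
                known += bytes([g])
                break
    return known

class CbcSession:
    """A fresh TLS session: new key and IV, the same secret record, dead after one bad pad."""

    def __init__(self, secret: bytes):
        self.key, self.iv, self.alive = os.urandom(16), os.urandom(BLOCK), True
        self.record = cbc_encrypt(self.key, self.iv, tls_pad(secret))

    def deliver(self, blocks: list) -> bool:
        assert self.alive, "session already terminated"
        try:
            tls_unpad(cbc_decrypt(self.key, self.iv, blocks))
            return True  # padding accepted (the MAC check would come next)
        except ValueError:
            self.alive = False
            return False

def padding_oracle_last_byte(secret: bytes, t: int = 1) -> tuple:
    """Recover the last plaintext byte of block t (t >= 1), opening a new session per trial."""
    for g in range(256):
        s = CbcSession(secret)
        r = xor(s.record[t - 1], bytes(BLOCK - 1) + bytes([g]))  # flips only the last byte of P_t
        if s.deliver([r, s.record[t]]):  # the "00" pattern: valid iff P_t[-1] XOR g == 0
            return g, g + 1  # (plaintext byte, sessions consumed)
    raise RuntimeError("no valid padding found")
```

The padding-oracle half costs about 128 sessions per byte on average and is ambiguous when the byte before the target happens to be 0x01 (the "01 01" pattern also passes); a full-block decryption repeats the trial for the 0x01, 0x02, ... patterns and needs thousands of sessions carrying the same cookie. That one-trial-per-session cost is the "problem" the slide refers to, and it is why the switch to AEAD modes or to RC4 was the debate at the time.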
TLS RECORD PROTOCOL: RC4-128 (STREAM CIPHER)
[Figure: TLS record with MAC-then-encrypt (HDR | Ciphertext), the encryption now being XOR with the RC4 keystream]
• Use of RC4 in the wild: ≈ 50% of TLS connections protected by RC4 (2013)
Problem: RC4 is known to have statistical weaknesses (biases in its keystream)
WAIT, WHAT’S GOING ON HERE?
Why were people still using RC4 in half of all TLS connections when we already
knew it was a weak stream cipher?
“The biases are only in the first bytes and they don’t encrypt anything interesting in TLS.”
“RC4 is fast.”
“I’m worried about BEAST on CBC mode. Experts say ’use RC4’.”
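The first of those arguments can be checked directly. The following is an added experiment, not part of the slides: a textbook RC4 and a measurement of the Mantin–Shamir bias, the second keystream byte being zero with probability about 2/256 instead of 1/256. When the same plaintext byte sits at that position in many fresh sessions (a cookie re-sent by a browser, which is the setting of the 2013 TLS attacks on RC4), the most frequent ciphertext value at that position is simply the plaintext byte. The key length, trial count and plaintext byte are chosen for the example.

```python
from os import urandom


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by `length` output bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_experiment(plain_byte: int = 0x41, trials: int = 20000) -> dict:
    """Encrypt the same byte at keystream position 2 under `trials` random 128-bit keys, as happens
    when a fixed plaintext is sent at a fixed position over many fresh RC4 sessions, and histogram
    the ciphertext byte seen at that position."""
    hist = [0] * 256
    for _ in range(trials):
        hist[rc4_keystream(urandom(16), 2)[1] ^ plain_byte] += 1
    return {
        # Mantin-Shamir bias: Z2 == 0 with probability about 2/256, twice the uniform 1/256 ...
        "zero_keystream_rate": hist[plain_byte] / trials,
        # ... so the most frequent ciphertext byte is the plaintext byte itself
        "recovered_byte": max(range(256), key=hist.__getitem__),
    }
```

Position 2 is the strongest single-byte bias, but the first 256 keystream bytes all carry measurable biases, and in TLS those positions hold whatever the application puts first in the record, which is the part of the "nothing interesting" argument that did not survive.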
The new 2010 Intel® Core processor family (code name Westmere) includes a set of new instructions, Intel® Advanced
Encryption Standard (AES) New Instructions (AES-NI). The instructions were designed to implement some of the complex and
performance intensive steps of the AES algorithm using hardware and thus accelerating the execution of the AES algorithms.
AES-NI can be used to accelerate the performance of an implementation of AES by 3 to 10x over a completely software
implementation.
CURRENT STATUS CONT.
New AE algorithms
Important for environments where AES is not available in hardware
www.cryptopp.com/wiki/Salsa20
www.poly1305.com
CURRENT DEVELOPMENTS
TLS 1.3 was released in August 2018
SHA-1, MD5
DES, 3DES, RC4, AES-CBC
Compression (CRIME)
Handshake improvements
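What the slides' recommendations look like in a deployment, as an added example that is not part of the original: a Python `ssl` context configured the way a 2012-era server accepted connections, next to one that applies the advice above (TLS 1.2 or later, AEAD cipher suites only, no TLS compression), plus a small audit that lists any enabled suite whose bulk cipher is still CBC, RC4 or 3DES. The cipher string and the marker words are assumptions about OpenSSL's suite descriptions; TLS 1.3 suites are all AEAD and are reported by `get_ciphers()` alongside the TLS 1.2 ones.

```python
import ssl

# Substrings OpenSSL uses in a suite's "Enc=" description for its AEAD modes (assumed here).
AEAD_MARKERS = ("AESGCM", "CHACHA20", "AESCCM")


def non_aead_ciphers(ctx: ssl.SSLContext) -> list:
    """Enabled suites whose bulk cipher is not an AEAD: CBC (BEAST, Lucky13), RC4, 3DES (Sweet32)."""
    return [c["name"] for c in ctx.get_ciphers()
            if not any(m in c["description"] for m in AEAD_MARKERS)]


def legacy_context() -> ssl.SSLContext:
    """Roughly what a 2012 deployment accepted: every suite the library still has, compression on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    ctx.options &= ~ssl.OP_NO_COMPRESSION  # TLS compression back on: the CRIME setting
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The slides' advice applied: TLS 1.2+, AEAD suites only, no TLS compression."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL 3.0 / TLS 1.0 / TLS 1.1 CBC records
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")  # TLS 1.2 suites; 1.3 ones are AEAD already
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise a context against the three lessons: version floor, compression, AEAD-only suites."""
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_off": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "non_aead": non_aead_ciphers(ctx),
    }


if __name__ == "__main__":
    print("legacy:  ", audit(legacy_context()))
    print("hardened:", audit(hardened_context()))
```

The same three checks map directly onto a server configuration (protocol floor, cipher list, compression off) and onto what a scanner reports; the audit function is the part worth keeping in a test suite so the settings cannot silently regress.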