SSL principles (ssl原理)
Posted: 2021-04-03
Tel +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch
Compass Security Schweiz AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona

SSL/TLS jungle: bringing light into the cipher forest
For OWASP.ch

Dobin Rutishauser, dobin.rutishauser@csnc.ch
Compass Security Schweiz AG – www.csnc.ch
10.04.2014, v1.1

Slide 2
Alternative title: My Heart Is Bleeding…

Slide 3
Content
SSL/TLS Introduction
SSL/TLS Attacks (BEAST, CRIME, ...)
Perfect Forward Secrecy (PFS)
PRISM
Heartbleed
The CA Problem
Conclusion

Slide 4
About me
Development of a distributed stealth portscanner for IRC friends in 2001 (dscan) – nuff said
> 3 years at Compass Security Schweiz AG. Web App Hacking, Penetration Testing, Exploit Writing, Linux User
Somehow acquired knowledge about SSL during Compass audits
Current project: BurpSentinel, plugin for Burp, soon ZAP too. Helps finding vulnerabilities. https://github.com/dobin/BurpSentinel

Slide 5
What's SSL/TLS

Slide 6
https://ebanking-ch1.ubs.com:443/

Slide 7
What does SSL/TLS do
Provides secure tunnel for insecure protocols: Confidentiality, Integrity, Authenticity
Often used with: HTTP, SMTP/IMAP/POP3, VPN, SIP

Slide 8
Where is TLS used
Public Websites: Online Shopping, E-Banking. Often provided by an entry server / WAF (Airlock, SES, F5, ...)
Administration Interfaces: WAF, vSphere, HP Management Service
Technical Communication: Web Frontend -> Backend (SOAP, REST, …), WLAN PEAP-TLS, VPN

Slide 9
SSL Handshake
Client -> Server: Client Hello, Available Cipher List
Server -> Client: Server Hello, Selected Cipher, Server Certificate
Client -> Server: Client Key Exchange, Encrypt_pubkey(session key)
Alrighty…

Slide 10
OpenSSL Cipher Suites Example

Slide 11
SSL/TLS Details

Slide 12
OpenSSL Ciphers – Structure
$ openssl ciphers -v
SSL/TLS Version: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2
Key Exchange Mechanism: RSA, DH, DHE/EDH, ECDHE, …
Authentication Mechanism: RSA, …
Encryption Algorithm: RC4, DES, AES, IDEA, SEED, …

Slide 13
OpenSSL Ciphers – Encryption Strength
Really Bad: NULL, EXP (EXPORT), ADH
LOW: DES-CBC
MEDIUM: SEED, IDEA, RC2, RC4-MD5
HIGH: AES, AES-GCM, DES3, CAMELLIA

Slide 14
OpenSSL Ciphers – Key Exchange
RSA: Client encrypts session key with public key of server certificate
DH: Diffie-Hellman key exchange. NO REAL DH KEY EXCHANGE! Uses static data from certificate for key exchange. No perfect forward secrecy (PFS)!
DHE/EDH/ECDHE: Ephemeral Diffie-Hellman. Provides PFS
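The three slides above describe the fields of an `openssl ciphers -v` line and how to judge them. As an added example (it is not from the slides or from Compass Security), this Python script parses such lines and assigns each suite the strength bucket of slide 13 and the PFS verdict of slide 14. The sample lines are constructed in the OpenSSL 1.0.x layout, and the script assumes the OpenSSL convention that ephemeral key exchange prints as `Kx=DH` or `Kx=ECDH` while static DH shows the certificate key type after a slash.

```python
import re

# Constructed lines in the layout printed by `openssl ciphers -v` (OpenSSL 1.0.x):
# name, protocol, Kx=, Au=, Enc=, Mac=, and "export" on export-grade suites.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

ENC_RE = re.compile(r"^(?P<alg>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?$")
MEDIUM = {"SEED", "IDEA", "RC2", "RC4"}          # slide 13: MEDIUM
HIGH = {"AES", "AESGCM", "3DES", "CAMELLIA"}     # slide 13: HIGH


def parse_cipher_line(line):
    """One `openssl ciphers -v` line -> dict with name, proto, kx, au, enc, mac, export."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError("not an `openssl ciphers -v` line: %r" % line)
    suite = {"name": fields[0], "proto": fields[1], "export": fields[-1] == "export"}
    for token in fields[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            suite[key.lower()] = value
    m = ENC_RE.match(suite["enc"])
    if m is None:
        raise ValueError("unexpected Enc field: %r" % suite["enc"])
    suite["enc_alg"] = m.group("alg")
    suite["enc_bits"] = int(m.group("bits") or 0)
    return suite


def strength(suite):
    """Bucket of slide 13; anonymous DH (Au=None), NULL and EXPORT are 'really bad'."""
    if suite["enc_alg"] == "None" or suite["export"] or suite["au"] == "None":
        return "REALLY_BAD"
    if suite["enc_alg"] == "DES":
        return "LOW"
    if suite["enc_alg"] in MEDIUM:
        return "MEDIUM"
    if suite["enc_alg"] in HIGH:
        return "HIGH"
    return "UNKNOWN"


def has_pfs(suite):
    """Slide 14: only ephemeral (EC)DH gives PFS.

    Assumed OpenSSL convention: ephemeral DH prints as Kx=DH / Kx=ECDH, static DH
    carries the certificate key type after a slash (Kx=DH/RSA), RSA key transport
    prints Kx=RSA (export grade: Kx=RSA(512)).
    """
    return suite["kx"] in ("DH", "ECDH")


def audit(text):
    """[(name, strength bucket, pfs)] for every non-empty line of the input."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            s = parse_cipher_line(line)
            rows.append((s["name"], strength(s), has_pfs(s)))
    return rows


def acceptable(text):
    """Suites that clear the deck's bar: HIGH strength and PFS."""
    return [name for name, bucket, pfs in audit(text) if bucket == "HIGH" and pfs]


if __name__ == "__main__":
    import sys
    # Pipe real output in: openssl ciphers -v 'ALL:COMPLEMENTOFALL' | python3 audit.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, bucket, pfs in audit(text):
        print("%-28s %-10s %s" % (name, bucket, "PFS" if pfs else "no PFS"))
```

Run without input it classifies the constructed sample; pipe the real `openssl ciphers -v` output into it to see which suites a given OpenSSL build offers that are both HIGH and ephemeral. ADH suites show as REALLY_BAD even though they are ephemeral, because an unauthenticated exchange has no one to be forward-secret against.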

Slide 15
$ sslyze --regular ebanking-ch1.ubs.com:443
* TLSV1 Cipher Suites:
      Preferred Cipher Suite:   DHE-RSA-AES256-SHA      256 bits
      Accepted Cipher Suite(s): DHE-RSA-AES256-SHA      256 bits
                                AES256-SHA              256 bits
                                EDH-RSA-DES-CBC3-SHA    168 bits
                                DES-CBC3-SHA            168 bits
                                DHE-RSA-AES128-SHA      128 bits
                                AES128-SHA              128 bits
* SSLV3 Cipher Suites:
      Preferred Cipher Suite:   DHE-RSA-AES256-SHA      256 bits
      Accepted Cipher Suite(s): DHE-RSA-AES256-SHA      256 bits
                                AES256-SHA              256 bits
                                EDH-RSA-DES-CBC3-SHA    168 bits
                                …
https://ebanking-ch1.ubs.com:443/

Slide 16
SSL Versions - Weaknesses
SSLv2: No No No! Length extension attacks, truncation attacks, downgrade attacks, vulnerable to Man-in-the-Middle attacks, … Patched out in Ubuntu (without updating the man page)
SSLv3: Released in 1996… Weaker key derivation than TLS 1.0. Cannot be validated under FIPS 140-2. There have been various attacks on SSLv3 implementations. Vulnerable to certain protocol downgrade attacks

Slide 17
TLS Versions - Advantages
TLS 1.0: Released in 1999 (!!). Cannot downgrade to SSL 3.0. Uses MD5 AND SHA1 at the same time
TLS 1.1: Added protection against CBC attacks
TLS 1.2: Enhancement of client-side preferred hash/sign algorithms. Supports GCM and CCM ciphers. Supported by all modern browsers!

Slide 18
https://ebanking-ch1.ubs.com:443/
* SSLV3 Cipher Suites:
      Preferred Cipher Suite:   DHE-RSA-AES256-SHA      256 bits
      […]
* TLSV1 Cipher Suites:
      Preferred Cipher Suite:   DHE-RSA-AES256-SHA      256 bits
      […]
* TLSV1_1 Cipher Suites:
      Preferred Cipher Suite:   None
      Accepted Cipher Suite(s): None
* TLSV1_2 Cipher Suites:
      Preferred Cipher Suite:   None
      Accepted Cipher Suite(s): None

Slide 19
https://ebanking-ch1.ubs.com:443/

Slide 20
TLS Support in Browsers

Slide 21
SSL/TLS Browser Support 1/2
http://en.wikipedia.org/wiki/Transport_Layer_Security

Slide 22
SSL/TLS Browser Support 2/2
http://en.wikipedia.org/wiki/Transport_Layer_Security

Slide 23
Comparison between RC4 and 3DES
Browsers without AES: Old browsers may not support AES, like IE6 on XP. RC4 or 3DES should always be offered by the server
RC4
+ Not vulnerable to BEAST
- Some say, can be broken in real time by NSA
- Microsoft recommends developers to not use it anymore
- Several vulnerabilities… (broken in 2^24 connections)
3DES
+ Old (1977) – but still strong
- But only 112 bits. No! Only 108 bits…
- CBC, so possibly vulnerable against Lucky 13 attacks

Slide 24
Cipher Security
http://en.wikipedia.org/wiki/Transport_Layer_Security

Slide 25
Attacks on TLS/SSL

Slide 26
SSL Attacks
BEAST (2011)
In TLS
DoS
Independent of each other!

Slide 33
https://ebanking-ch1.ubs.com:443/
$ sslyze --regular ebanking-ch1.ubs.com:443
* Session Renegotiation:
      Client-initiated Renegotiations: Rejected
      Secure Renegotiation:            Supported
* Compression:
      Compression Support:             Disabled

Slide 34
Other SSL Vulnerabilities…
Browser TLS -> SSL downgrade fallbacks: TLS 1.2 -> TLS 1.1 -> TLS 1.0 -> SSLv3! Just needs man in the middle
Fix: Fake Ciphers. Not really implemented right now

Slide 35
PRISM

Slide 36
How to thwart the NSA
They may be able to break: Export, NULL, Low Ciphers; Medium Ciphers (RC2, RC4, IDEA, ...) and CAMELLIA (HIGH, but who knows…)
But not: Ciphers they use themselves, up to and with TOP SECRET: AES. Or secured a long time ago, and used by banks: DES

Slide 37
How to thwart the NSA
What if they steal your private keys: Use PFS. Secure your keys! (chmod o-r *.key)
What if they downgrade you to SSLv3: Disable it
What if they downgrade you to HTTP: Use HSTS header. Tell browser to only use HTTPS for this site! Insert your site into browser HSTS list!
What if they issue a fake certificate: Use certificate pinning

Slide 38
How to thwart the NSA
Best Attack Vector: Implementation errors
Past implementation errors: Apple's Goto Fail, Triple Handshake, GnuTLS Certificate Chain Validation Error, Heartbleed
That's just from 2014… This will not stop

Slide 39
Heartbleed
OpenSSL 1.0.1*
Remotely exploitable
64kb (!) Information Disclosure
Can be repeated indefinitely
Discloses: Sensitive User Data, Cookies, Private Keys, PFS Session Keys, …
Exploit is public
Heap Feng Shui (diagram: Code, Data/Heap, Apache + OpenSSL Process)

Slide 40
Heartbleed

Slide 41
Heartbleed

Slide 42
Heartbleed
Popular sites which exhibit support for the TLS heartbeat extension include Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo.

Slide 43
Heartbleed

Slide 44
Heartbleed

Slide 45
Heartbleed

Slide 46
Heartbleed Fix
Apache no-threads, fork for every connection: No more data of other users
Downgrade to OpenSSL 1.0.0, 0.9.8
Upgrade to OpenSSL 1.0.1g
Update all your keys
PFS helps a bit
Compile OpenSSL with -DOPENSSL_NO_HEARTBEATS
HSM (Hardware Security Module – does not leak private key)
There are X bad SSL libraries. Let's write A GOOD SSL library. Now, there are X+1 bad SSL libraries
Source: OpenSSL is Open Source. Pull Request for Heartbeat Support. No consequent peer review

Slide 47
The CA Problem

Slide 48
The CA Problem

Slide 49
The CA Problem
Source: SSL in der Praxis, sicher (Achim Hoffmann)

Slide 50
The CA Problem
How to check for revoked certificates
CRL: Offline List. Replay Attacks. DNS Spoofing…
OCSP: Live check. What if server is not reachable? DNS Spoofing…

Slide 51
The CA Problem
Use certificate pinning! Ignore the signature hierarchy!
Check hash of public-key information of the certificate (SubjectPublicKeyInfo)
Or, check the issuer CA (always should be issued by Verisign, for example)
In Browser: Chrome, IE, FF. Send them an email to include your site in pinning mechanism. No official process
In Windows: EMET
In Apps: Do it yourself! Very easy! Don't forget to push new version before renewal of certificate
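Added example, not part of the deck: the SPKI pin computation and check an app would do for the "do it yourself" pinning on this slide, in Python. The SPKI byte strings are constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs; the pin format (base64 of SHA-256 over the SPKI) is the one Chrome's built-in pins and HPKP use, and the backup-key arrangement is this example's way of surviving the renewal problem the slide warns about.

```python
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 as used by Chrome's built-in pins and HPKP: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins):
    """True when any key in the presented chain (leaf first, then issuers) is pinned.

    Pinning the leaf key is the slide's 'check hash of the SubjectPublicKeyInfo';
    pinning an intermediate's key is its 'check the issuer CA'. The CA hierarchy
    is deliberately not consulted here ('ignore the signature hierarchy'); the
    normal chain validation still runs separately, before this check.
    """
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def connect_with_pinning(chain_spkis, pins):
    """Gate a connection on the pin check; the pin set travels with the app binary."""
    if not chain_matches_pins(chain_spkis, pins):
        raise ConnectionError("server key not in pin set; refusing to connect")
    return True


# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo
# blobs; a real app takes them from the parsed X.509 certificates.
CURRENT_LEAF_KEY = b"constructed-spki:leaf-key-2014"
BACKUP_LEAF_KEY = b"constructed-spki:backup-key-kept-offline"
ISSUER_KEY = b"constructed-spki:our-issuing-ca"
FRESH_LEAF_KEY = b"constructed-spki:new-key-generated-at-renewal"
ROGUE_LEAF_KEY = b"constructed-spki:cert-from-some-other-trusted-ca"
OTHER_CA_KEY = b"constructed-spki:other-ca"

# Shipped pin set: current key plus a backup key, so that a renewal with the
# backup key works without pushing a new app version first.
APP_PINS = {spki_pin(CURRENT_LEAF_KEY), spki_pin(BACKUP_LEAF_KEY)}


def renewal_outcomes():
    """Which certificate rollovers the shipped pin set survives."""
    return {
        "current cert": chain_matches_pins([CURRENT_LEAF_KEY, ISSUER_KEY], APP_PINS),
        "renewed with backup key": chain_matches_pins([BACKUP_LEAF_KEY, ISSUER_KEY], APP_PINS),
        "renewed with fresh key": chain_matches_pins([FRESH_LEAF_KEY, ISSUER_KEY], APP_PINS),
        "rogue cert, other CA": chain_matches_pins([ROGUE_LEAF_KEY, OTHER_CA_KEY], APP_PINS),
    }
```

The "renewed with fresh key" row is the failure the slide means by "push new version before renewal": a renewal that generates a new key the shipped app does not know locks every installed client out, exactly as a rogue certificate would. Keeping a pinned backup key offline, or pinning the issuing CA's key instead of the leaf, avoids that without weakening the check.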

Slide 52
Conclusion

Slide 53
Conclusion
Disable SSLv3 (TLS only)
Use Ephemeral Ciphers (for PFS)
Use AES Ciphers
Do not use RC4
Disable SSL and HTTP Compression
Disable Client and insecure Renegotiation
Update update update!
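The sslyze excerpts on slides 15, 18 and 33 and the checklist above can be tied together mechanically. As an added example, not code from the deck or from sslyze, the Python below parses a report in the layout of those excerpts and lists every point on which a server deviates from the slide 53 checklist. Both reports are constructed; the section headings and the wording of the renegotiation and compression lines are assumed to match the excerpts shown.

```python
import re

# Constructed report in the layout of the `sslyze --regular` excerpts on
# slides 15, 18 and 33 (sslyze 0.x era); not the deck's real scan output.
SAMPLE_SCAN = """\
* SSLV3 Cipher Suites:
      Preferred Cipher Suite:   DHE-RSA-AES256-SHA      256 bits
      Accepted Cipher Suite(s): DHE-RSA-AES256-SHA      256 bits
                                AES256-SHA              256 bits
                                EDH-RSA-DES-CBC3-SHA    168 bits
                                RC4-SHA                 128 bits
* TLSV1 Cipher Suites:
      Preferred Cipher Suite:   DHE-RSA-AES256-SHA      256 bits
      Accepted Cipher Suite(s): DHE-RSA-AES256-SHA      256 bits
                                AES128-SHA              128 bits
* TLSV1_1 Cipher Suites:
      Preferred Cipher Suite:   None
      Accepted Cipher Suite(s): None
* TLSV1_2 Cipher Suites:
      Preferred Cipher Suite:   None
      Accepted Cipher Suite(s): None
* Session Renegotiation:
      Client-initiated Renegotiations: Accepted
      Secure Renegotiation:            Supported
* Compression:
      Compression Support:             Disabled
"""

# Same layout for a server configured along the lines of slide 53 (constructed).
GOOD_SCAN = """\
* SSLV3 Cipher Suites:
      Preferred Cipher Suite:   None
      Accepted Cipher Suite(s): None
* TLSV1_2 Cipher Suites:
      Preferred Cipher Suite:   ECDHE-RSA-AES128-GCM-SHA256 128 bits
      Accepted Cipher Suite(s): ECDHE-RSA-AES128-GCM-SHA256 128 bits
                                DHE-RSA-AES256-SHA      256 bits
* Session Renegotiation:
      Client-initiated Renegotiations: Rejected
      Secure Renegotiation:            Supported
* Compression:
      Compression Support:             Disabled
"""

SUITE_RE = re.compile(r"([A-Z0-9][A-Z0-9-]*)\s+(\d+) bits")
EPHEMERAL_PREFIXES = ("DHE-", "EDH-", "ECDHE-")   # slide 14's PFS suites


def parse_scan(text):
    """Split the report into accepted suites per protocol and the flat settings."""
    suites, settings, section = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("*"):
            section = stripped.strip("* :")
            if section.endswith(" Cipher Suites"):
                section = section[: -len(" Cipher Suites")]
                suites.setdefault(section, [])
            continue
        if section in suites:
            for name, _bits in SUITE_RE.findall(stripped):
                if name not in suites[section]:
                    suites[section].append(name)
        elif ":" in stripped:
            key, value = stripped.split(":", 1)
            settings[key.strip()] = value.strip()
    return {"suites": suites, "settings": settings}


def findings(text):
    """Deviations from the slide 53 checklist, one string per finding."""
    scan = parse_scan(text)
    suites, settings = scan["suites"], scan["settings"]
    accepted = sorted({s for names in suites.values() for s in names})
    out = []
    for legacy in ("SSLV2", "SSLV3"):
        if suites.get(legacy):
            out.append("%s enabled: disable it, TLS only" % legacy)
    if not suites.get("TLSV1_2"):
        out.append("TLS 1.2 not offered")
    non_pfs = [s for s in accepted if not s.startswith(EPHEMERAL_PREFIXES)]
    if non_pfs:
        out.append("non-ephemeral suites accepted (no PFS): " + ", ".join(non_pfs))
    rc4 = [s for s in accepted if "RC4" in s]
    if rc4:
        out.append("RC4 suites accepted: " + ", ".join(rc4))
    if settings.get("Compression Support") != "Disabled":
        out.append("TLS compression enabled (CRIME)")
    if settings.get("Client-initiated Renegotiations") != "Rejected":
        out.append("client-initiated renegotiation accepted (DoS)")
    if settings.get("Secure Renegotiation") != "Supported":
        out.append("secure renegotiation not supported")
    return out
```

The absence of a TLSV1_2 section counts the same as an empty one, which matches the UBS excerpt on slide 18 where TLS 1.1 and 1.2 are listed with "None"; an empty findings list is the target state.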

Slide 54
Conclusion – Web Pages
Use trustworthy CA
No wildcard certificates
EV certificate: Why not…
Forward :80 -> :443
Deliver EVERYTHING with HTTPS
Use secure flag on cookies
Use HSTS header
Use Certificate Pinning
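For the web-page items that can be verified from an HTTP response (HSTS header, Secure flag on cookies, port 80 answering only with a redirect to 443), here is an added Python checker; it is not from the slides, and it also covers the HSTS advice of slide 37. The responses are constructed, and the 180-day minimum for the HSTS max-age is a policy choice of this example, not a value from the deck.

```python
# Constructed HTTP responses (no real site was contacted).
PLAIN_HTTP_REDIRECT = """\
HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0
"""

HTTPS_WEAK = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: lang=de; Path=/; Secure
"""

HTTPS_HARDENED = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

# Policy assumption of this example, not a number from the slides: an HSTS
# max-age shorter than 180 days lets browsers forget the site too soon.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response(raw):
    """Return (status code, list of (lower-cased header name, value))."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': 31536000, 'includesubdomains': True}"""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"])
    return directives


def check_https_response(raw):
    """Findings against slide 54: HSTS present and long enough, Secure on every cookie."""
    _status, headers = parse_response(raw)
    out = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        out.append("no Strict-Transport-Security header")
    elif parse_hsts(hsts[0]).get("max-age", 0) < MIN_HSTS_MAX_AGE:
        out.append("HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE)
    for n, v in headers:
        if n == "set-cookie":
            cookie = v.split(";")[0].split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                out.append("cookie %r lacks the Secure flag" % cookie)
    return out


def check_plain_http_response(raw):
    """Slide 54's 'Forward :80 -> :443': port 80 must only answer with a redirect to https."""
    status, headers = parse_response(raw)
    location = dict(headers).get("location", "")
    return status in (301, 302, 307, 308) and location.startswith("https://")
```

A cookie without the Secure flag is sent on any plain-HTTP request the browser makes to the host, so the redirect on port 80 alone does not protect it; the HSTS header closes the window in which that first request happens, and the cookie flag covers the case where HSTS is not yet known to the browser.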

Slide 55
References
SSL in der Praxis, sicher, achim@owasp.org, https://www.owasp.org/images/5/55/SSL-in-der-Praxis_OWASP-Stammtisch-Muenchen.pdf
SSL CERTIFICATE GOOD PRACTICE GUIDE, Portcullis, https://labs.portcullis.co.uk/whitepapers/ssl-certificate-good-practice-guide/
SSL/TLS Deployment Best Practices, Qualys SSL LABS, https://www.ssllabs.com/projects/best-practices/
ImperialViolet (Google Chrome Developer Blog), https://www.imperialviolet.org/
This presentation is based on the following blog entry: http://blog.csnc.ch/2013/11/compass-ssltls-recommendations/

Slide 56
Rant: Browser Indicators

Slide 57
Rant: Browser Indicators

Slide 58
Rant: Browser Indicators

Slide 59
Rant: Browser Indicators