Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian.

Published byRudolf Roberts Modified over 8 years ago

Similar presentations

Presentation on theme: "A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian."— Presentation transcript:

1 A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian (Slides Courtesy: Lin WangUSF lwang20@usfca.edulwang20@usfca.edu)

2 TLS p rotocol SAFE or Not??

3 Overview TLS protocol The Wagner and Schneier Attack. A New Cross-Protocol Attack Attack Assumptions Feasibility of the Attack Possible Fix

4 TLSprotocol Transport Layer Security protocol TLS is one of the major secure communications protocols on the Internet, used by a variety of applications such as web browsers, electronic mail, voice over-IP and more. Ciphersuite: determines the symmetric encryption cipher with its operational mode, the key exchange method and the message authentication algorithm.

5 The Wagner and Schneier Attack Wagner and Schneier attack is a cross-protocol attack based on the observation that the digital signature in a DH key exchange does not cover any identifier of the negotiated ciphersuite. The attack deceives a client who advertises a ‘TLS - RSA EXPORT’ ciphersuite and expects temporary RSA parameters in the ‘ServerKeyExchange’ message, into receiving DH parameters from a ‘TLS DHE RSA’ ciphersuite.

6 Contents of the ServerKeyExchange m essage

7 Process of Wagner and Schneier attack Attack 1.Client verifies the signature, reads the RSA modulus m, which corresponds to the prime of the DH group p, and then reads the RSA exponent e field which corresponds to the group generator g. 2.Client encrypts the pre- master secret k as k^g mod p and includes it in its ‘ClientKeyExchange’ message. Since p is a prime number and g is known, it is very easy to compute the gth root of kg to recover k.

8 MeaningofThe Wagner and Schneier Attack Careful examination of the TLS packet parsing reveals that the failure of the attack is due to the serialized way TLS packets need to be parsed. Even though the Wagner and Schneier attack fails, it demonstrates the idea of a cross-protocol attack utilizing two of the SSL 3.0 key exchange methods, the DH key exchange and the RSA-EXPORT key exchange.

9 A NewCross-Protocol Attack A server impersonation attack on clients that support the DH key exchange and wish to connect to a server that supports, among others, the ECDH method. The attack requires the server to support the explicit prime curve option, and the client to support the plain DH method. Because the only common signature algorithm in the ECDH and DH key exchanges is RSA, the server is also required to possess an RSA signing key.

10 Contrast ServerKey Exchange message In the explicit prime curve option, the server includes in its signed ‘ServerKeyExchange’ message the parameters of its elliptic curve and an ephemeral public key to be used for this session.

11 Process of A New Cross- Protocol Attack ECDH ‘ServerKeyExchange’ need satisfies two properties. 1.The message can be interpreted as a valid DH ‘Server Key Exchange’ message. 2.The adversary can recover the exchanged DH key.

12 A NewCross-Protocol Attack Probability of valid key exchange message Length requirements on key exchange parameters. Probability estimate. Recovering the session key Computing x. Computing pre-master secret. Attack success probability 2^40

13 Attack Assumptions The client software supports one of the ‘TLS DHE - RSA’ ciphersuites and a DH public key (Ys) with value 1 is accepted. The server software supports one of the ‘TLS ECDHE - RSA’ ciphersuites, with the ‘arbitrary explicit prime curve’ option, has selected a curve of size between 300 and 400 bits and uses RSA as the signing algorithm.

14 Feasibility ofthe Attack Attacking a specific client Attacking a random client

15 PossibleFix The authors propose to modify the signature of the ‘ServerKeyExchange’ to include, in addition to explicit identifiers of the algorithms, all the previously exchanged messages. Our proposed signature for a ‘ServerKeyExchange’ messageis shown in Fig.6.

16 Q&A Any questions?

Download ppt "A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Web security: SSL and TLS

Web security: SSL and TLS
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Similar presentations

Ads by Google