Bamboozling Certificate Authorities with BGP

Presentation on theme: "Bamboozling Certificate Authorities with BGP"— Presentation transcript:

1 Bamboozling Certificate Authorities with BGP
Hello. My name is Seunghan Hong, and I am going to present the paper "Bamboozling Certificate Authorities with BGP".

2 Introduction: USENIX Security 18
Authors: Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, Prateek Mittal. This paper was presented at USENIX Security 2018. There are five authors, listed here.

3 Introduction This paper deals with certificate forgery.
Certificate forgery is a big problem because two entities can communicate confidentially and secretly only through certificates, so if a certificate can be forged, we cannot communicate securely online. In other words, a man-in-the-middle attack becomes possible. In this presentation we first talk about how web sites obtain digital certificates, and then about attacks that forge them.

4 Overview: Domain Control Verification, BGP Attacks, Quantifying Vulnerability, Countermeasures, Conclusion
Here is the outline of my presentation. The first topic is domain control verification, the procedure by which a certificate authority signs a certificate for a web server owner; this is the target system we consider. The next topic is BGP attacks, the attack used to forge certificates. Then we quantify the vulnerability and look at countermeasures against the attack. Finally I finish my presentation with the conclusion.

5 Digital Certificate: How can we be sure that the domain is KAIST?
Before explaining domain control verification, we first talk about digital certificates. Assume that we go to the KAIST website. How can we make sure that this website is KAIST?

6 Digital Certificate: How can we be sure that the domain is KAIST?
This is the mark showing that the domain has a digital certificate. You can see this mark if you use Google Chrome. If you click the mark, you can see the details of the certificate.

7 Digital Certificate: How can we be sure that the domain is KAIST?
This is the mark showing that the domain has a digital certificate. If you use Internet Explorer, you see the one below instead. Then, how can the owner of a domain obtain a certificate?

8 Domain Control Verification
Domain Control Verification (also called Domain Control Validation) is the process of verifying the domain owner before signing a certificate. A Certificate Authority (CA) is an organization that signs certificates; CAs help us create secure connections to servers using Public Key Infrastructure (PKI). I will explain the algorithm used to verify the domain.

9 Domain Control Verification
First, the owner of the domain (here, the owner of example.com) requests a certificate from the Certificate Authority.

10 Domain Control Verification
Then the CA gives the owner a Domain Control Verification challenge: the owner should upload <content> to example.com/verify.html.

11 Domain Control Verification
So the owner modifies the server by uploading <content> to example.com/verify.html.

12 Domain Control Verification
Next, the owner tells the CA that the challenge has been completed. The CA then checks the server with an HTTP GET request to see whether the domain holds the correct answer.

13 Domain Control Verification
If verify.html holds the <content>, the CA signs a certificate for the owner.

14 Domain Control Verification
Then we can inspect the certificate to check whether the domain is safe.

15 Overview: Domain Control Verification, BGP Attacks, Quantifying Vulnerability, Countermeasures, Conclusion
Next, I will present BGP attacks, the attacks used to forge certificates.

16 Border Gateway Protocol (BGP)
Border Gateway Protocol is a standardized exterior gateway protocol designed to exchange routing and reachability information among Autonomous Systems (ASes) on the Internet. Each Autonomous System exchanges reachability information whenever the hosts it can reach change.

17 Border Gateway Protocol (BGP)
For example, the AS containing /23 announces that it owns /23. Then AS1 announces that it can reach /23 within 1 hop (AS /23). Then AS3 announces that it can reach /23 within 2 hops (AS3 AS /23), and so on. If the connection between AS1 and /23 is broken, AS1 announces that it can reach /23 in 3 hops (AS1 to AS3 to AS4 to example.com).

18 High Level Idea: BGP Attack
A BGP attack is a kind of man-in-the-middle attack: it hijacks the HTTP GET request that the CA sends to example.com/verify.html in order to forge the certificate. Here the adversary lies to the Certificate Authority, claiming to be the owner of example.com. When the CA makes the HTTP request to check verify.html, the request is hijacked to a server owned by the adversary. If this is possible, the attacker obtains a certificate for example.com; in other words, the attacker can forge a certificate for example.com.

19 BGP Attack: Normal procedure, the CA reaches the correct server
I will explain the specific algorithm. When there is no attack, the CA's request reaches the correct server.

20 BGP Attack: Simplest attack (sub-prefix attack)
The adversary uses the same IP address to capture the victim's traffic. This is the simplest attack: the adversary announces the same IP address space. Here we need to know about longest prefix matching: each autonomous system forwards a request to the autonomous system that has the most fine-grained information. Here /24 is longer than /23, so /24 carries more specific information than /23, and the adversary gets the request.

21 BGP Attack: Routers prefer the more specific announcement
Broken connectivity, highly viable, not stealthy: the HTTP GET request goes to the adversary. Viability is a binary indication of whether the adversary is capable of launching the attack. Stealthiness is measured through the number of ASes whose connectivity to the victim's domain is disrupted during an attack. This attack breaks connectivity and is highly viable but not stealthy, because all traffic from every AS on the Internet is routed to the adversary.

22 BGP Attack: A local (equally-specific prefix) attack
This is another attack, which aims to increase stealthiness. It uses the same prefix, /23, instead of the /24.

23 BGP Attack: Equally-specific announcements compete for traffic
The announcement is localized, connectivity is locally broken, and the attack is potentially stealthy. Because the two announcements have the same prefix, each autonomous system chooses on its own. In this case the lower portion of the Internet is hijacked and the upper portion is not affected. Because the Certificate Authority is in the hijacked portion, the adversary can hijack the request. So connectivity is locally broken, and the attack is potentially stealthy because parts of the Internet never hear the adversary's announcement.

24 BGP Attack: Cannot hijack in this case (unaffected portion)
But in this case the Certificate Authority is in the unaffected portion, so the adversary cannot hijack the request.
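The route selection behind slides 20 to 24, as an added example (not code from the presentation or the paper): a BGP-style lookup that prefers the longest matching prefix and then the shortest AS path, run over a constructed five-AS topology. Prefixes, AS names and paths are illustrative assumptions; the sub-prefix /24 diverts every AS, while the equally-specific /23 only diverts the ASes closer to the adversary, which is exactly what decides whether a CA sits in the hijacked or the unaffected portion.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str       # announced prefix, e.g. "10.0.0.0/23"
    origin: str       # where traffic ends up: "victim" or "adversary"
    as_path: tuple    # AS path as seen from the AS that holds this table

def best_route(table, dst_ip):
    """BGP-style selection: the longest matching prefix wins, ties go to the shortest AS path."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -len(r.as_path)))

def receiver(table, dst_ip):
    """Which server an HTTP GET from this AS actually reaches."""
    r = best_route(table, dst_ip)
    return r.origin if r else None

def hijacked_ases(views, dst_ip):
    """Stealthiness metric from the slides: the ASes whose traffic to the victim is diverted."""
    return {name for name, table in views.items() if receiver(table, dst_ip) == "adversary"}

# Constructed topology (addresses are illustrative): VICTIM - AS2 - AS1 - AS3 - AS4 - ADV.
# example.com sits in 10.0.0.0/23; we look at the routing tables of AS2, AS1 and AS4.
VICTIM_IP = "10.0.0.10"
legit = {
    "AS2": Route("10.0.0.0/23", "victim", ("VICTIM",)),
    "AS1": Route("10.0.0.0/23", "victim", ("AS2", "VICTIM")),
    "AS4": Route("10.0.0.0/23", "victim", ("AS3", "AS1", "AS2", "VICTIM")),
}
# Sub-prefix attack: a /24 inside the victim's /23, arriving over a longer path.
sub_prefix = {
    "AS2": Route("10.0.0.0/24", "adversary", ("AS1", "AS3", "AS4", "ADV")),
    "AS1": Route("10.0.0.0/24", "adversary", ("AS3", "AS4", "ADV")),
    "AS4": Route("10.0.0.0/24", "adversary", ("ADV",)),
}
# Equally-specific attack: the same /23, so only the AS path length decides.
equally_specific = {name: Route("10.0.0.0/23", "adversary", r.as_path) for name, r in sub_prefix.items()}

def views_under(attack):
    """Each AS's table holds the legitimate route plus the adversary's announcement."""
    return {name: [legit[name], attack[name]] for name in legit}

SUB_PREFIX_HIJACKED = hijacked_ases(views_under(sub_prefix), VICTIM_IP)             # {"AS1", "AS2", "AS4"}
EQUALLY_SPECIFIC_HIJACKED = hijacked_ases(views_under(equally_specific), VICTIM_IP)  # {"AS4"}
```

A CA located in AS1 or AS2 is in the unaffected portion for the equally-specific attack and in the hijacked portion for the sub-prefix attack.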

25 BGP Attack: AS path poisoning
The aim is to maintain a valid route to the victim's domain. This attack is called AS path poisoning; path poisoning is a method of preventing a router from sending packets through a route that has become invalid.

26 BGP Attack: Almost any AS can perform it, connectivity preserved
Very stealthy: almost any autonomous system can perform this attack. Connectivity is preserved, and the attack is very stealthy because there is no connectivity issue.

27 The stealthiness and viability of BGP attacks
Attack                         | Effective against /24 prefixes | Evades origin change detection | Internet topology location required
Sub-prefix hijack              | No                             |                                | Any location
Equally-specific prefix hijack | Yes                            |                                | Many locations
AS-path poisoning attack       |                                |                                |
The point of BGP attacks is stealthiness and viability, and the authors summarize the characteristics of each attack in a table. "Effective against /24 prefixes" and "Internet topology location required" are part of viability, and "Evades origin change detection" is part of stealthiness.

28 BGP Attack in the real world
The authors needed an ethical framework for launching real-world attacks: hijack only their own prefixes, run the domains on their own prefixes, attack no real users, and approach trusted CAs for certificates. When a BGP attack is applied in the real world it can harm real web sites, so the authors needed such a framework. They attacked only their own prefixes, so no real users were attacked, and they approached trusted CAs for certificates.

29 BGP Attack in the real world: Summary
                            Let's Encrypt   GoDaddy   Comodo   Symantec   GlobalSign
Time to issue certificate   35s             <10min    51s      6min       4min
Human interaction           No              No        No       No         No
Multiple vantage points     No              No        No       No         No
Validation method attacked  HTTP            HTTP      HTTP     HTTP       HTTP
This is the table summarizing the BGP attacks the authors carried out. It shows that all studied CAs were vulnerable: an adversary can forge a certificate within 10 minutes without any human interaction. Multiple vantage points is a countermeasure against BGP attacks, and the table shows that none of the CAs had the countermeasure implemented.

30 Additional Attacks: More targets
Authoritative DNS servers and mail servers can also be targeted, and the reverse (victim domain -> CA) traffic is also vulnerable. There are more attacks using BGP hijacking, which can target authoritative DNS servers and mail servers. The reverse traffic, sent from the victim domain to the certificate authority, is also vulnerable.

31 Overview: Domain Control Verification, BGP Attacks, Quantifying Vulnerability, Countermeasures, Conclusion
This is the end of BGP attacks, and I am going to present Quantifying Vulnerability, in other words the detailed evaluation of the attack.

32 Quantifying Vulnerability
There are two criteria that quantify vulnerability: first, how many domains are vulnerable, and second, how many adversaries can launch attacks.

33 Vulnerability of domains: sub-prefix attacks
The authors first look at the vulnerability of domains to sub-prefix attacks.

34 Vulnerability of domains: sub-prefix attacks
Any AS can launch the attack, and only prefix lengths less than /24 are vulnerable. As explained previously, any autonomous system can launch the sub-prefix attack, and only prefix lengths less than /24 are vulnerable, since /24 is the longest prefix length.

35 Vulnerability of domains: sub-prefix attacks
So 28% of domains are unaffected and 72% of domains are vulnerable.

36 Resilience to equally-specific prefix attacks
Next we look at the vulnerability of domains to equally-specific prefix attacks. When the Certificate Authority is in the unaffected portion, the domain is resilient to the attack.

37 Resilience to equally-specific prefix attacks
However, if the Certificate Authority is in the hijacked portion, the adversary can forge the certificate.

38 Resilience of domains assuming random CA
This graph shows the average resilience of domains over the top ten Certificate Authorities. The median resilience is 57%, which means a 43% chance of attack viability.

39 Choosing an affected CA
However, this is complicated by the fact that there are actually about 100 Certificate Authorities, and any of them can sign a certificate for any domain. So given that an adversary can choose a CA in the affected portion of the Internet, the attack viability will be much larger.

40 Vulnerability of Domains: Equally-specific attacks
The yellow line is the original one, and the blue line is the graph where the adversary selects the Certificate Authority.

41 Vulnerability of Domains: Equally-specific attacks
This causes the median resilience to drop from 57% to 25%, so the adversary has a 75% chance of attack viability.

42 Overview: Domain Control Verification, BGP Attacks, Quantifying Vulnerability, Countermeasures, Conclusion
Next I am going to present countermeasures against BGP attacks.

43 Countermeasures: CA: Vantage Points, BGP Monitoring, CA prefix length. Domains: CAA DNS Records, DNSSEC
There are many countermeasures against BGP attacks. We look at the first two, which can be performed by Certificate Authorities. A prefix length of /24 is secure against sub-prefix attacks, and the countermeasures for domains belong to related work on BGP attacks; they are not covered in this paper.

44 Multiple Vantage Points
The first one is called multiple vantage points.

45 Multiple Vantage Points
The Certificate Authority sets up remote vantage points located apart from itself.

46 Multiple Vantage Points
The CA signs a certificate only if all vantage points and the CA agree.
Vantage points         Average resilience of domains   Attack chance of success
One vantage point      61%                             39%
Two vantage points     85%                             15%
Three vantage points   >90%                            <10%
Then the CA signs a certificate only if all vantage points and the CA agree, so all of those points must be in the hijacked portion for the attack to succeed. When there were no vantage points, the average resilience of domains was 53%. The table shows that one vantage point raises the average resilience of domains to 61% (39% chance of attack success), two vantage points raise it to 85% (15% chance of attack success), and three vantage points raise it to at least 90% (less than 10% chance of attack success).

47 BGP Monitoring: Monitoring suspicious routes
The CA computes each route's age and signs a certificate only for routes that have sufficient age, so that network operators have time to react (tradeoff: false positives <-> minimum time). The next countermeasure is BGP monitoring. The CA continuously computes each route's age, and if a route is too new, the CA does not sign a certificate until the route has sufficient age. Then network operators have time to react. So there is a tradeoff between legitimate users who are unnecessarily delayed and this minimum time threshold.
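The HTTP-based domain control verification from slides 9 to 14 combined with the two CA-side countermeasures (multiple vantage points, slide 46, and the route-age check of BGP monitoring, slide 47), as an added example that is not code from the presentation or the paper. The server map, vantage point names, route ages and the 3600-second threshold are constructed assumptions; a single-vantage CA whose own AS is hijacked is fooled, a second vantage point in the unaffected portion catches the disagreement, and a legitimate but freshly announced route is delayed rather than denied.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Vantage:
    name: str         # "CA" for the CA's own network, or a remote vantage point
    reaches: str      # which server this vantage point's BGP route leads to
    route_age_s: int  # how long the CA's BGP monitor has seen the route as stable

def issue_challenge():
    """CA side: a random token the requester must publish at example.com/verify.html."""
    return secrets.token_urlsafe(32)

def http_get(servers, vantage, path="/verify.html"):
    """Model the CA's HTTP GET: the vantage point's route decides which server answers."""
    return servers[vantage.reaches].get(path, "")

def validate(token, vantages, servers, min_route_age_s):
    """Sign only if every vantage point sees an old enough route and fetches the exact token."""
    for v in vantages:
        if v.route_age_s < min_route_age_s:
            return False, f"{v.name}: route only {v.route_age_s}s old, give operators time to react"
        body = http_get(servers, v)
        if not hmac.compare_digest(body.encode(), token.encode()):
            return False, f"{v.name}: verify.html does not hold the challenge"
    return True, "all vantage points agree"

MIN_AGE = 3600            # hypothetical threshold; the paper leaves this tradeoff to the CA
OLD, NEW = 7 * 86400, 60  # constructed route ages in seconds

def honest_owner():
    token = issue_challenge()
    servers = {"victim": {"/verify.html": token}, "adversary": {}}
    views = [Vantage("CA", "victim", OLD), Vantage("remote-1", "victim", OLD)]
    return validate(token, views, servers, MIN_AGE)

def local_hijack(extra_vantage):
    """Adversary requested the cert (so it holds the token) and hijacked the CA's own AS."""
    token = issue_challenge()
    servers = {"victim": {"/verify.html": "hello from example.com"},
               "adversary": {"/verify.html": token}}
    views = [Vantage("CA", "adversary", OLD)]
    if extra_vantage:  # a vantage point in the unaffected portion of the Internet
        views.append(Vantage("remote-1", "victim", OLD))
    return validate(token, views, servers, MIN_AGE)

def freshly_moved_domain():
    """Legitimate owner whose prefix was just re-announced: delayed, not denied."""
    token = issue_challenge()
    servers = {"victim": {"/verify.html": token}, "adversary": {}}
    views = [Vantage("CA", "victim", NEW), Vantage("remote-1", "victim", NEW)]
    return validate(token, views, servers, MIN_AGE)
```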

48 Related Work: Using BGP attacks is effective at deanonymizing Tor users
Sun et al., Raptor: Routing attacks on privacy in Tor, USENIX Security Symposium (2015).
Using BGP attacks to hijack Bitcoin: Apostolaki et al., Hijacking Bitcoin: Routing attacks on cryptocurrencies, IEEE Symposium on Security and Privacy (SP) (May 2017).
Using BGP attacks to bypass US surveillance laws: Arnbak et al., Loopholes for circumventing the constitution: Unrestricted bulk surveillance on Americans by collecting network traffic abroad, Mich. Telecomm. & Tech. L. Rev. 21 (2014).
There are many related works using BGP attacks; here are examples of how BGP attacks are used in the real world. By using BGP attacks, an adversary can deanonymize Tor users, hijack Bitcoin, and bypass US surveillance laws.

49 Related Work: Using BGP attacks with strategically poisoned AS paths
Pilosov and Kapela, Stealing the Internet: An Internet-scale man in the middle attack, NANOG-44, Los Angeles, October (2008).
Using BGP attacks on peering links: Madory, Use protection if peering promiscuously, peering-promiscuously/, Nov 2014.
There are also many papers on BGP attacks and defenses. Here are two BGP attack papers: the first uses poisoned AS paths for the BGP attack, which is not included in this paper, and the other applies BGP attacks to peering links.

50 Related Work
Lad et al., PHAS: A prefix hijack alert system, USENIX Security Symposium (2006) outlines a well-known system to detect traditional BGP attacks.
Bush et al., The resource public key infrastructure (RPKI) to router protocol, RFC 6810, RFC Editor, January 2013 generates route filters to prevent BGP attacks.
Lepinski et al., BGPsec protocol specification, RFC 8205, RFC Editor, September 2017: BGPsec cryptographically assures the validity of BGP paths.
SCION presents a clean-slate architecture that would prevent BGP hijacks: Zhang et al., An analysis of BGP multiple origin AS (MOAS) conflicts, ACM SIGCOMM Workshop on Internet Measurement (New York, NY, USA, 2001).
There are also many defense papers on preventing BGP attacks, and here are four of them. BGPsec and SCION are the representative countermeasures against BGP attacks.

51 Future Work
Arnold et al., Controlling Real Cloud Experiments from BGP to the Server, Proceedings of the ACM SIGCOMM 2018 Conference. This is the follow-up paper. It implements an experimental environment that supports both control and realism. Since the authors needed an ethical framework for launching real-world attacks, they attacked only their own prefixes, so the results may differ from the real world. Re-running the experiments in this environment is therefore necessary.

52 Conclusion
CAs assure trust on the Internet through digital certificates. The majority of domains and CAs are vulnerable, so CAs must implement countermeasures soon. Secure routing (BGPsec, RPKI, SCION) is still important even with end-to-end encryption. In conclusion, CAs assure trust on the Internet through digital certificates. Since domains and CAs are vulnerable, CAs must implement countermeasures as soon as possible, and secure routing (BGPsec, RPKI, SCION), which prevents BGP attacks, is also important.

53 Any Questions? Thank you for listening. Any questions?

