Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Defeating SSL” Impact of Hash collisions on cyber security By vaibhav.

Published byMax Alliston Modified over 9 years ago

Similar presentations

Presentation on theme: "“Defeating SSL” Impact of Hash collisions on cyber security By vaibhav."— Presentation transcript:

1 “Defeating SSL” Impact of Hash collisions on cyber security By vaibhav

2 Secure Sockets Layer 2

3 Objective Background Information of SSL, MD5 & “Certificate”\”Public Key” Infrastructure Attack scenario on core assumption of SSL i.e. collision resistance of hash function Attack scenarios on the specification\ implementation of SSL 3

4 when in doubt, ask 4

5 5

6 Cryptographic Hash Serves an essential role within a wide range of security applications. Like (a) digital signature generation and verification (b) session key establishment (c) management of password schemes (d) commitment schemes in cryptographic protocols 6

7 Hash Functions Compress an arbitrary finite length m-bit input message into a fixed n-bit output value called hash. hash if h = H(m) then, h is called the "hash" of m, m is called a "preimage" of h Data Message Digest 7

8 Properties of (good)Hash Function ( practicality ) computation of hash can be done efficiently ( preimage resistance ) given h, it is hard to compute a preimage of h ( second preimage resistance ) given m, it is hard to compute a second preimage of m ( collision resistance ) it is hard to compute a collision for H 8

9 Lets talk about SSL first Ensures secrecy,authenticity, and integrity. Safeguarding communication from both the passive and active adversaries. SSL rely heavily on the x509* certificate structure. For SSL protocols, it is the “common name” field in the subject of an x509 certificate that is used to identify entities presenting certificates. 9

10 X509 ? Digital certificates ? What ? ITU-T standard for the public key infrastructure. X.509 specifies standard formats for public key certificates Public key certificates are structured according to version3 of X.509 specification. A public key certificate uses a digital signature to bind a public key with an identity. 10

11 11

12 Certification Authorities & Hierarchy Browsers ship with a list of trusted CA certificate. o Firefox 3 includes 135 trusted CA certs. CAs’ responsibilities: o verify the identity of the requestor o verify domain ownership for SSL certs o revoke bad certificates 12

13 Site NameCN Check Expiry Check Signature Signin CA in trust store 13

14 What if … Root CA Intermediate I CA Intermediate II CA Hack.org Hack.org is a valid certificate issued by intermediate II CA What if hack.org issues a certificate for richest-bank.com ? Richest-bank.com Chain verification algorithm as described before would validate this certificate too. 14

15 Something must be wrong, but... All the signatures are valid. Nothing has expired. The chain is intact. The root CA is embedded in the browser and trusted. But we just created a valid certificate for Richest- bank, and we're not Richest-bank? 15

16 X509v3 extensions provide a extension to tackle with this. Basic Constraints: critical CA:FALSE But … Most CAs didn't explicitly set basicConstraints: CA=False Whether the field was there or not, most SSL implementations didn't bother to check it. Hacker moxie marlinspike a tool, sslsniff, to attack this vulnerability. Eventually Microsoft released a patch to address this issue. 16

17 Obtaining certificates Public Key Domain name User Identity User Public Private Key pair generation CSR generated CSR sent to CA Validates user identity and domain ownership Create and signs certificate User installs private key and certificate on a web server 17

18 Certificate request format 18

19 Certificate structure the "to-be-signed" part, consisting of: o serial number o validity period o issuer name o subject o subject public key o "basic constraints" field, containing a bit indicating whether this is a CA certificate or a user certificate a path length field the "signature" part, containing a digital signature, produced by CA`s private key, over the "to-be- signed“ part 19

20 20

21 Secure websites and certificates 21

22 Attack Scenario using Rogue CA certificate 22

23 23

24 Revisiting MD5 and MD5 Collision 24

25 Overview of MD5 Hash function MD5 designed in 1991 Iterative design using compression function. Collision  different messages, same hash 25

26 MD5 Collisions in 2004 2004: First MD5 collision attack Only difference between messages in random looking 128 collision bytes Currently < 1 second on commodity PC MD5( ) = MD5( ) 26

27 27

28 MD5 Collisions in 2007 2007: Stronger collision attack Chosen-Prefix Collisions Messages can differ freely up to the random looking 716 collision bytes Currently approx. 1 day on PS3+PC MD5( ) = MD5( ) 28

29 29

30 Generating Colliding Certificates 30

31 History of colliding certificates Certificates with colliding to-be-signed parts generate a pair of certificates sign the legitimate certificate copy the signature into the rogue cert Previous work Different RSA public keys in 2005 o using 2004 collision attack Different identities in 2006 o using chosen-prefix collisions o the theory is well known since 2007 31

32 Colliding certificates in 2006 32

33 Rogue CA certificate CA bit 33

34 Action Items for generating hash colliding certificates Find CA which issues MD5 signed certificate Predict the Validity and Serial Number Construct structure and content rogue Certificate such that real certificate( constructed by CA) and rouge CA cert(Constructed by Hackers) are perfectly aligned. Compute the collision blocks Create RSA key pair such that it includes collision block in it. Construct CSR and send it to CA for signing Detailed view 34

35 Why RapidSSL? Out of 9000 MD5 certificates collected 97% of those were issued by RapidSSL. RapidSSL issues exactly 6 seconds after “accept” button is clicked and expires in one year. RapidSSL uses sequential serial numbers and on weekend approximately 1000 certificates are issued. 35

36 Predicting the serial number Get the serial number S on Friday Predict the value for time T on Sunday to be S+1000 Generate the collision bits Shortly before time T buy enough certs to increment the counter to S+999 Send colliding request at time T and get serial number S+1000 36

37 Collision generation and RSA keys Based on the 2007 chosen- prefix collisions paper with new improvements 1-2 days on a cluster of 200 PlayStation 3’s Equivalent to 8000 desktop CPU cores or $20,000 on Amazon EC2 takes couple of minutes to calculate RSA key pair such as it contains collision blocks 37

38 Another Attack on SSL 38

39 Background As mentioned earlier SSL handshake uses “common name” of certificate and compares with site name. Before year 2000 actual people were involved while dealing with certificate request. Entities are validated based on proof of ownership of the domain listed in the “common name” field. Now a days a simple lookup in WHOIS database for the root domain listed and sending a confirmation mail would complete the verification part. 39

40 ASN1.0 and Certificates Certificates are formatted using ASN1.0 notation. Supports different type of strings, all represented as PASCAL strings. Represented in memory by the length of the string followed by the string data. NULL character has no special meaning, like C strings Example : 0x05 (length) 0x44 ( D )0x41 (A )0x00 (NULL) 0x54 ( T )0x41 ( A ) 40

41 Malformed Request One can create a certificate request with common name as www.richest-bank.com\0www.hack.comwww.richest-bank.com\0www.hack.com CA for verification would do WHOIS issues the certificate with embedded NULL to the owner of hack.com. Spoof www.richest-bank.com and use NULL embedded certificatewww.richest-bank.com 41

42 Defeating SSL This is how comparison function would be implemented for CN verification. char *destination = getDomainWeAreConnectingTo(); char *commonName = getCommonNameFromCertificate(); Bool everythingIsOk = (strcmp(destination, commonName) == 0); char *commonName char *destination string match www.bank.com/0www www.bank.com 42

43 Question ? 43

44 References http://www.win.tue.nl/hashclash/rogue-ca/ http://conf.isi.qut.edu.au/auscert/proceedings/200 6/gauravaram06collision.pdf http://conf.isi.qut.edu.au/auscert/proceedings/200 6/gauravaram06collision.pdf https://www.blackhat.com/presentations/bh-dc- 09/Marlinspike/BlackHat-DC-09-Marlinspike- Defeating-SSL.pdf https://www.blackhat.com/presentations/bh-dc- 09/Marlinspike/BlackHat-DC-09-Marlinspike- Defeating-SSL.pdf 44

Download ppt "“Defeating SSL” Impact of Hash collisions on cyber security By vaibhav."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSLstrip Stepan Shykerynets 23.03.2013.

SSLstrip Stepan Shykerynets
Cryptography and Network Security

Cryptography and Network Security
More Trick For Defeating SSL

More Trick For Defeating SSL
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google