Return Of Bleichenbacher’s Oracle Threat (ROBOT)
Hanno Böck
Juraj Somorovsky (Ruhr University Bochum / Hackmanit)
Craig Young (Tripwire VERT)
Recent Attacks on TLS
• CRIME, BEAST, Lucky 13, Heartbleed, Early CCS
• 20 years ago: Bleichenbacher’s attack
• Applied to RSA PKCS#1 v1.5 in SSL/TLS
• Decrypt SSL/TLS traffic
• Implementations applied ad-hoc fixes
• Everything is secure, right?
• Return of Bleichenbacher’s Oracle Threat – ROBOT*
* Name idea shamelessly stolen from ROCA
Return Of Bleichenbacher’s Oracle Threat (ROBOT). USENIX Security 2018 2
Overview
1. Bleichenbacher’s attack
2. How we started – Attack on Facebook
3. Performing the scans
4. Responsible disclosure
5. Conclusions
Designed by Ange Albertini
TLS Protocol (High Level Overview)
1. TLS Handshake
  • Selection of algorithm, version, extensions
  • Key exchange: RSA, (EC)DH, (EC)DHE
2. Encrypted and authenticated data transport
TLS RSA Handshake
[Diagram: handshake message flow. Client: ClientHello. Server: ServerHello, Certificate, ServerHelloDone. Client: ClientKeyExchange (RSA encrypted premaster secret), ChangeCipherSpec, (Client-) Finished. Server: ChangeCipherSpec, (Server-) Finished.]
RSA PKCS#1 v1.5
• Used to pad and encrypt the premaster secret:
  • To pad it to the RSA key length
  • To add randomization
• Example for TLS 1.2:
00 02 [non-zero padding] 00 03 03 [secret]
  • 00 02: Encryption block type
  • 00: 0x00 Delimiter
  • 03 03: TLS 1.2 version (Don’t ask why, a different story)
Bleichenbacher’s Attack
• 1998: Adaptive chosen-ciphertext attack
• Exploits strict RSA PKCS#1 v1.5 padding validation
[Diagram: the attacker holds a ciphertext C and sends ciphertexts C1, C2, … to the server. For each one the server answers valid/invalid, depending on whether the decrypted message starts with 00 02. The attacker ends up with M = Dec(C).]
Bleichenbacher’s Attack
• The attack needs some math (Not going into details here)
• “Million message attack”
(In general performance depends on the oracle properties)
Creating Bleichenbacher’s Oracle
[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’ (modified ciphertext), ChangeCipherSpec, (Client-) Finished. Server responses shown: Decrypt Error; Bad Record MAC Alert.]
TLS Countermeasure
[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished. Server response shown: Alert.]
If the attacker can distinguish valid/invalid PKCS#1 messages, he wins
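The countermeasure on this slide amounts to handling a badly padded ClientKeyExchange exactly like a well-formed one that carries a wrong secret, so the only failure the client sees is the one at Finished. The following is an added example of that logic for the 00 02 [non-zero padding] 00 03 03 [secret] block, following the approach in RFC 5246 section 7.4.7.1; it is not code from the talk or from any TLS library, and `well_formed`, `select_premaster` and `sample_block` are hypothetical names.

```python
import hmac
import os

PMS_LEN = 48  # premaster secret: 2 version bytes + 46 random bytes


def well_formed(em: bytes, k: int, version: bytes) -> bool:
    """True only for 00 02 [non-zero padding] 00 [version] [46 bytes], k bytes long."""
    if len(em) != k or k < PMS_LEN + 11:   # 11 = 00 02, at least 8 padding bytes, 00
        return False
    sep = k - PMS_LEN - 1                  # the one index where the 0x00 delimiter may sit
    ok = em[0] == 0x00 and em[1] == 0x02
    ok &= 0 not in em[2:sep]               # padding must not contain 0x00
    ok &= em[sep] == 0x00
    ok &= hmac.compare_digest(em[sep + 1:sep + 3], version)
    return ok


def select_premaster(em: bytes, k: int, version: bytes) -> bytes:
    """Return the premaster secret to continue the handshake with; never an error."""
    # Python gives no constant-time guarantee; TLS libraries do this selection
    # with branch-free code so that timing does not become the oracle instead.
    fallback = os.urandom(PMS_LEN)         # drawn for every handshake, before em is inspected
    good = well_formed(em, k, version)
    # With the random value the handshake fails later at Finished, the same way
    # it does for a well-formed block that carries the wrong secret.
    return em[-PMS_LEN:] if good else fallback


def sample_block(k: int = 256, version: bytes = b"\x03\x03") -> bytes:
    """Constructed sample: a correctly padded TLS 1.2 block for a 2048-bit key."""
    padding = b"\xaa" * (k - 3 - PMS_LEN)
    return b"\x00\x02" + padding + b"\x00" + version + b"\x11" * (PMS_LEN - 2)


if __name__ == "__main__":
    good = sample_block()
    blocks = {
        "valid": good,
        "not starting with 00 02": b"\x00\x01" + good[2:],
        "wrong TLS version": sample_block(version=b"\x03\x01"),
        "0x00 inside padding": good[:100] + b"\x00" + good[101:],
    }
    for name, em in blocks.items():
        pms = select_premaster(em, 256, b"\x03\x03")
        print(f"{name}: {len(pms)} bytes, decrypted secret used: {pms == em[-PMS_LEN:]}")
```

Every input yields a 48-byte value and no exception, so the caller has nothing to turn into a padding-specific alert.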
Hanno Found a Weird Behavior of Facebook
[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished. Server responses shown: Illegal Parameter; Bad Record MAC Alert.]
Can We Exploit It?
• Idea: It would be funny to sign a message with Facebook’s private key
  • Yes, signing is possible as well
• Millions of queries needed…would Facebook block us?
• Successful after several tries:
“We hacked Facebook with a Bleichenbacher Oracle (JS/HB).”
• Facebook fixed
Facebook: New Attempt
[Diagram: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished. The server responses shown on the slide are not recoverable from the transcript.]
Facebook Fixed Again
• This is interesting. So how about other servers?
Let’s Start Scanning
• Careful selection of ClientKeyExchange messages:
  • Wrong TLS version
  • Wrong padding length
  • Not starting with 0x00 02
00 02 [non-zero padding] 00 03 03 [secret]
• Full / Shortened TLS handshakes:
[Diagram: two handshake flows (full and shortened), both drawn with the messages ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange’, ChangeCipherSpec, (Client-) Finished.]
Alexa Top 1 Million Scan
• 2,8 % vulnerable
• PayPal, Apple, eBay, Cisco, …
• Different behaviors…different combinations:
[Diagram: observed differences in server behavior: different alerts (Illegal Parameter, Bad Record MAC, Handshake Failure, Internal Error), duplicate alerts (Alert/Alert versus a single Alert), TCP connection resets, timeouts.]
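The scan result for one server comes down to whether its answers depend on the padding of the ClientKeyExchange it was sent. The following added example (not the authors' scanner) applies that decision to recorded observations, using the signals listed on this slide; the probe names, the field names and the `valid` baseline probe are assumptions of the example.

```python
# Probe names mirror the message variants on the scanning slide; "valid" (a correctly
# padded baseline) and all field names below are assumptions of this example.
PROBES = ("valid", "wrong_version", "wrong_padding_length", "no_0002_prefix")


def fingerprint(resp: dict) -> tuple:
    """Reduce one observation to the signals the slides list: how the connection
    ended (alert, tcp_reset, timeout) and the exact sequence of alerts received."""
    return (resp["event"], tuple(resp.get("alerts", ())))


def classify(runs: list) -> tuple:
    """runs holds one {probe: observation} dict per repetition of the probe set.
    Returns (verdict, groups); groups maps each distinct fingerprint to its probes."""
    per_run = [tuple(fingerprint(run[p]) for p in PROBES) for run in runs]
    if len(set(per_run)) > 1:
        return "inconsistent", {}          # answers changed between repetitions: re-test
    groups = {}
    for probe, fp in zip(PROBES, per_run[0]):
        groups.setdefault(fp, []).append(probe)
    verdict = "oracle" if len(groups) > 1 else "no oracle observed"
    return verdict, groups


def obs(event, *alerts):
    """Build one observation record."""
    return {"event": event, "alerts": list(alerts)}


# Constructed observations, not scan data.
UNIFORM = {p: obs("alert", "bad_record_mac") for p in PROBES}
DIFFERENT_ALERTS = dict(UNIFORM, no_0002_prefix=obs("alert", "illegal_parameter"))
DUPLICATE_ALERTS = dict(UNIFORM, valid=obs("alert", "bad_record_mac", "bad_record_mac"))
RESET_VS_TIMEOUT = {p: obs("tcp_reset") for p in PROBES}
RESET_VS_TIMEOUT["valid"] = obs("timeout")

if __name__ == "__main__":
    cases = {
        "uniform": [UNIFORM] * 2,
        "different alerts": [DIFFERENT_ALERTS] * 2,
        "duplicate alerts": [DUPLICATE_ALERTS] * 2,
        "reset vs timeout": [RESET_VS_TIMEOUT] * 2,
        "flaky network": [UNIFORM, RESET_VS_TIMEOUT],
    }
    for name, runs in cases.items():
        print(name, "->", classify(runs)[0])
```

Identical answers across all probes only rule out the response-level signals compared here; timing differences, which the talk lists under future work, need separate measurement.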
Who Is Responsible for These Mistakes?
• Reporting is not always that easy …
“Your server is vulnerable to Bleichenbacher’s attack.”
“No worries, we use military grade encryption.”
Don’t Fix for Some Vendors … Cisco ACE
• Supports only TLS RSA
• Cisco: We won't fix it, it's out of support for several years
• But there were plenty of webpages still running with these devices
Like cisco.com
Identified (Most of) Them
Test Tools
• No easily usable test tool for Bleichenbacher attacks available
• Currently implemented in SSL Labs, testssl.sh, TLS-Attacker, tlsfuzzer
Future Work
• Timing attacks
• Fingerprinting
• Some servers send certificates or "garbage bytes"
  • Bleedinbacher? There could be a Heartbleed-style memory disclosure waiting to be found
[Diagram: server responses Illegal Parameter and Bad Record MAC Alert.]
Conclusions
• 20-year-old attacks still work
• New side-channels (timeouts, TCP resets, …)
• Crypto attack countermeasures are hard to apply
• Disable TLS_RSA cipher suites (not used in TLS 1.3)
• Stop using RSA PKCS#1 v1.5, use elliptic curves (or RSA-OAEP if RSA needed)
https://robotattack.org/