SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most...
Transcript of SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most...
![Page 1: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/1.jpg)
SSL implementieren –aber sicher!Karlsruher Entwicklertag 201421.05.2014
Dr. Yun Ding
![Page 2: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/2.jpg)
SSL in the news
20142011 2012
BEAST
Compromised CAs
CRIME Lucky 13
RC4 biases
BREACH
DRBG Backdoor
2013
Apple goto fail
GnuTLS goto
OpenSSL HeartBleed
![Page 3: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/3.jpg)
SSL in scientific publications
20132012
“The Most Dangerous Code inthe World: Validating SSLCertificates …”
“Why Eve and Mallory LoveAndroid: An Analysis ofAndroid SSL (In)Security”
“Rethinking SSLDevelopmentin an AppliedWorld”
![Page 4: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/4.jpg)
Apps vulnerable to MITM
14%
iOS Apps
98 out of 697 Apps
8%
Android Apps
1,074 out of 13,500 Apps
![Page 5: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/5.jpg)
Layers of SSL-based applications
Hash Encryption Authentication
CipherSuites
SecureProtocols
Renegotiation Compression
OpenSSLGnuTLS JSSEApple SecureTransport
ApacheHttpClient
cURL PhoneGap MKNetworkKit
RandomNumberGenerators
Banking Shopping Messaging BrowserApplication
Middleware/Wrappers
SSL Libraries
SSL Protocols
CryptographicPrimitives
Human
![Page 6: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/6.jpg)
How does SSL work?
Client Server
Encrypted Data Communication
Handshake: Key Exchange
Copyright: http://openclipart.org/image/800px/svg_to_png/33457/Padlock-gold.pnggvictoria, bigstock.com, [2009] Joerg Habermeier, bigstock.com, Scanrail, bigstock.com
![Page 7: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/7.jpg)
Trick user not to encrypt SSL strippingPredict the key DRBG backdoorTrick user to use attacker’s key Apple goto fail, GnuTLS goto,MITMTrick server to expose keys OpenSSL HeartbleedPerform cryptographic analysis todecrypt
RC4 biases, Lucky13, CRIME,BEAST, Breach
How does SSL break?
Copyright: © 2012 dny3d, bigstock.com, Scanrail, bigstock.com
![Page 8: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/8.jpg)
SSL relies on Trust in Certificates …
Trusted Root CA Cert
Subject: RootCAPublic KeyRootCA
Sub CA Cert
Subject: SubCAPublic KeySubCA
Server Cert
Subject: ServerPublic KeyServer
sign sign
sign
![Page 9: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/9.jpg)
SSL relies on Valid Certificates
1. Make sure certificate validation is not turned off!2. Verify the certificate is valid: not expired, not revoked3. Validate “Chain of Trust”4. Don’t accept self-signed certificates5. Make sure hostname validation is set
![Page 10: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/10.jpg)
What went wrong
w Insecure coding● Skipped or broken certificate validation
w Badly designed APIs● Expose low-level SSL protocol details, complex options● Complex relationship between return values and error
status● Unsafe defaults (+missing warning in API Doc)
w Delegate responsibility to application developers
Human
Application
Middleware/Wrappers
SSL Libraries
SSL Protocols
CryptographicPrimitives
![Page 11: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/11.jpg)
Default behavior in SSL lib. & wrappers
Libraries/Wrappers Chain of Trust Hostname Verification
OpenSSL ✔ ✗
GnuTLS ✔ ✔
CyaSSL ✔ ✗
JSSESSLSocketFactoryHttpsURLConnection
✔✔
✗✔
ApacheHttpClient 3.*HttpClient 4.*
✔✔
✗✔
Pythonssl module ✔ ✗
![Page 12: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/12.jpg)
What went wrong
w Lack of understanding of how SSL works andbreaks
w Misinterpretation of manifold SSL parameters &options
w Delegate responsibility to end users with warningsw “Security gets in the way”
Human
Application
Middleware/Wrappers
SSL Libraries
SSL Protocols
CryptographicPrimitives
![Page 13: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/13.jpg)
When Security gets in the way ...Override (secure) standard certificate validationw disable or break certificate validationw disabled in development & forget to remove in production
![Page 14: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/14.jpg)
Customized Trust Manager in Java
![Page 15: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/15.jpg)
Hostname Verification in HttpClient (4.3)
w Skip hostname verification: communicate with another hostw Customization to skip hostname verification
new SSLConnectionSocketFactory(sslContext, new AllowAllHostnameVerifier())
X509HostnameVerifier
AbstractVerifier
AllowAllHostnameVerifier BrowserCompatHostnameVerifier
org.apache.http.conn.ssl.SSLConnectionSocketFactory
uses
implements
![Page 16: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/16.jpg)
Decouple test and production code
w Don’t hardcode insecure certificate validation (and forget)w Use best practices in software architecture for decoupling
● Abstract Factory Design Pattern● Dependency Injection, configuration instead of programming
![Page 17: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/17.jpg)
Customization for more Security!
w SSL Certificate or Public Key Pinning● Whitelist expected Certificates or Public Keys● Pre-existing binding between the server and its certificate/public key
Sample code available on OWASPhttps://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#Examples_of_Pinning
![Page 18: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/18.jpg)
Secure SSL configuration
w Use secure protocols: TLS v1.2, TLS v1.1, TLS v1.0w Use secure cipher suites
● Support authentication & encryption ≥ 128 bit Avoid● Use ECDHE for forward secrecy● Avoid anonymous DH, null cipher, RC4, 3DES
w RSA and DSA key must be ≥ 2048 bitsw Disable client-initiated Renegotiationw Disable TLS compression
![Page 19: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/19.jpg)
Secure SSL configuration
w Avoid mixed TLS and non-TLS contentw Secure cookiesw Deploy HTTP Strict Transport Security (HSTS)w Prevent caching of sensitive content
“SSL/TLS Deployment Best Practices” of Qualys SSL Labshttps://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
OWASP “Transport Layer Protection Cheat Sheet”https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
Human
Application
Middleware/Wrappers
SSL Libraries
SSL Protocols
CryptographicPrimitives
![Page 20: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/20.jpg)
Test SSL
w Perform adversarial testing: abnormal certificates, MITMattacking tools (sslsniff, mitmproxy)
w Testing for SSL/TLS ciphers, protocols, keys and knowvulnerabilities (e.g., BEAST, CRIME, Heartbleed)
• https://www.owasp.org/index.php/Testing_for_Weak_SSL/TSL_Ciphers,_Insufficient_Transport_Layer_Protection_%28OWASP-EN-002%29
• http://thoughtcrime.org/software/sslsniff/• http://mitmproxy.org/
![Page 21: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/21.jpg)
Tools: Creating Keys and Certs
w Java Keytoolw OpenSSL: powerful, but complexw Xca: http://sourceforge.net/projects/xca/
● Based on OpenSSL● Provides a Graphical User Interface (GUI)
w gnoMint: http://gnomint.sourceforge.net● Based on GnuTLS● Provides GUI and command line support
![Page 22: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/22.jpg)
Tools: Creating Keys and Certs with xca
![Page 23: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/23.jpg)
Securely implement SSL!
w Understand how SSL works and breaksw Use SSL libraries and middleware securely
● Don’t rely on default settings of SSL libraries and middleware/wrappers● Look out for badly designed SSL API (return value, error status)
w Perform certificate validation properly● Verify the certificate is valid: not expired, not revoked● Validate “Chain of Trust”● Don’t accept self-signed certificates● Make sure hostname validation is set
w Decouple insecure customized certificate handling fromproduction code
w Test for insecure SSL configurations
![Page 24: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/24.jpg)
Engineering SSL isSystem Security Engineering
usability
psychology
secure coding
open sourcepolicies
![Page 25: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/25.jpg)
References
w M. Georgiev, S. Iyengar, S. Jana et al., “The Most Dangerous Code in the World:Validating SSL Certificates in Non-Browser Software”, 2012,http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
w S. Fahl, M. Harbach, L. Baumgaertner and B. Freisleben, “Why Eve and Mallory LoveAndroid: An Analysis of Android SSL (In)Security”, 2012, http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
w S. Fahl, M. Harbach, H. Perl et al., “Rethinking SSL Development in an Applied World”,2013, http://android-ssl.org/files/p49.pdf
w Comparison of TLS implementationshttp://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
![Page 26: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/26.jpg)
Copyright: © Kotist, bigstock.com
![Page 27: SSL implementieren – aber sicher! › karlsruhe › 2014 › sites › ... · “The Most Dangerous Code in the World: Validating SSL Certificates …” “Why Eve and Mallory](https://reader034.fdocuments.in/reader034/viewer/2022042403/5f17c79d7e458a57131f2945/html5/thumbnails/27.jpg)
Secorvo Security Consulting GmbHEttlinger Straße 12-1476137 Karlsruhe
Tel. +49 721 255171-0Fax +49 721 [email protected]