SSL overview
SSL Cipher Suites
Challenges on Remediation Recommendations (or Help! It's ALL broken)
Anthony Lee, Todd Benson
Introduction
• SSL communication review
• Common SSL vulnerabilities
• Remediation recommendations
• Testing
• Demo
Part 1
SSL Review
Secure Communications
• Using SSL (SC-8, SC-9)
• Proper SSL Certificates (SC-17)
• Strong SSL Ciphers (SC-13)
• Secure implementation of SSL (SC-13)
• Forcing SSL for sensitive data and forms (SC-8, SC-9)
• Disallowing mixed mode HTTP and HTTPS
SSL Cipher Suites
• SSL configuration issues appear in Host Assessments, Application Assessments and Validation Reports
• Usually a systems administrator's issue, not a developer's
• Lately there is no clear solution
• Pick your poison
SSL Versions
• SSL V1
  – Never publicly released
• SSL V2
  – Released 1995
  – Not secure
• SSL V3
  – Released 1996
  – Can almost be made secure
  – Is not FIPS compliant (FIPS 140-2)
• TLS 1.0
  – Released 1999
  – Can almost be made secure
  – Better than SSL V3
• TLS 1.1
  – Released 2006
  – Still thought to be secure
• TLS 1.2
  – Released in 2008
  – Still thought to be secure
Handshake
Handshake Details
1. ClientHello
   • TLS Protocol Version, Random Number, List of CipherSuites, Suggested Compression Method, sessionID
2. ServerHello
   • TLS Protocol Version, Random Number, CipherSuite, Compression method, sessionID
3. Certificate
4. ServerHelloDone
5. ClientKeyExchange
   • PreMasterSecret, public key or nothing
6. ChangeCipherSpec
7. ChangeCipherSpec
8. Application Data
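As an added example (not from the deck), the parser below pulls the step 1 fields out of a ClientHello record and then reviews what the client offered against the points the later vulnerability slides raise: a highest version of TLS 1.0 or older, an offered compression method, and RC4, EXPORT, anonymous or NULL suites. The record bytes are constructed here, not captured; the suite values are the IANA ones.

```python
import struct

# IANA cipher suite values; the names are the ones the slides call weak plus one AES suite.
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def parse_client_hello(record: bytes) -> dict:
    """Return the ClientHello fields (handshake step 1) from one TLS record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or len(hs) != rec_len or not hs or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]   # 3-byte handshake length
    version, rnd, pos = struct.unpack("!H", body[:2])[0], body[2:34], 34
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    cm_len = body[pos]; pos += 1
    compression = list(body[pos:pos + cm_len])        # 0 = null, 1 = DEFLATE
    return {"version": version, "random": rnd, "session_id": session_id,
            "suites": suites, "compression": compression}

def review_client_hello(fields: dict) -> list:
    """Flag offers that the deck's vulnerability slides warn about."""
    findings = []
    if fields["version"] <= 0x0301:                   # SSLv3 / TLS 1.0 (BEAST)
        findings.append("offers protocol <= TLS 1.0")
    if 1 in fields["compression"]:                    # DEFLATE offered (CRIME)
        findings.append("offers TLS compression")
    for suite in fields["suites"]:
        name = SUITE_NAMES.get(suite, "unknown_%04x" % suite)
        if any(w in name for w in ("RC4", "EXPORT", "anon", "NULL")):
            findings.append("weak suite " + name)
    return findings

# Constructed sample (not a capture): TLS 1.0 ClientHello with an empty
# session id, four suites and compression methods DEFLATE then null.
_suites = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0005, 0x0003, 0x0018))
_body = (b"\x03\x01" + bytes(range(32)) + b"\x00" + struct.pack("!H", len(_suites))
         + _suites + b"\x02\x01\x00")
_hs = b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_hs)) + _hs
```

Running `review_client_hello(parse_client_hello(SAMPLE_CLIENT_HELLO))` on the sample yields five findings: the old protocol, the compression offer and the three weak suites.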
Cipher Suites
• Key exchange/agreement
  – RSA, Diffie-Hellman, ECDH, SRP, PSK
• Authentication
  – RSA, DSA, ECDSA
• Bulk Ciphers
  – RC4, Triple DES, AES, IDEA
• Message Authentication
  – MD5, SHA, MD4
Part 2
Common SSL Vulnerabilities
ATTACK!
Common vulnerabilities
• Weak Ciphers Suites Supported
– Key length < 128 bits
• TLS Compression
– CRIME
• SSL v3 and TLS v1.0
– BEAST
• RC4 Cipher Suite Supported
– Theoretically broken
• Padding Attacks
– Lucky Thirteen
Cipher Suites Supported with key lengths less than 128 bits
• Description: SSL ciphers with key lengths of less than 128 bits are considered to be easier to exploit than ciphers with key lengths of 128 bits or more.
• Impact: A successful exploit could compromise the confidentiality of user credentials and allow an attacker to gain unauthorized access to the web application.
TLS CRIME Vulnerability
• Description: Compression Ratio Info-leak Made Easy (CRIME) is an attack on SSL/TLS. CRIME is a side-channel attack that can be used to discover session tokens or other secret information based on the compressed size of HTTP requests.
• Impact: An attacker can make the client generate compressed requests that contain attacker-controlled data in the same stream with secret data.
Browser Exploit Against SSL/TLS (aka BEAST)
• Description: BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of an HTTPS connection. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. The initialization vector includes a random string that is XORed with a plaintext message prior to encryption.
• Impact: BEAST provides an attack vector for stealing user session cookies.
SSL RC4 Cipher Suites Supported
• Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. hundreds of millions) ciphertexts, the attacker may be able to derive the plaintext. The average running time for this attack is on the order of 2000 hours.
• Impact: For an authenticated HTTP session, the unknown value which the attacker is trying to get is the session ID or cookie. This value is preceded by standard HTTP header information. If the cookie value is in the first 256 bytes of plaintext it will be exposed during the attack.
Padding Attacks: Lucky Thirteen
• Description: A cryptographic timing attack against the MAC to break the CBC algorithm. Affects all versions of TLS at the time of its release (February 2013).
• Impact: This is a highly complex attack that does not require authentication. It would allow for unauthorized disclosure of information.
Part 3
Remediation Recommendations
Remediation: Weak Cipher Suites
• Weak Cipher Suites Supported
  – Disable cipher suites with keys < 128 bits, NULL, Export keys and Anonymous Diffie-Hellman
    • Set Apache directive SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW
Remediation: CRIME
• TLS Compression (CRIME)
  – Disable Compression
    • Set Apache (2.2.4) directive SSLCompression off
Remediation: BEAST
• SSL v3 and TLS v1.0 (BEAST)
  – Enable Cipher Suite Ordering
    • Add Apache directive SSLHonorCipherOrder On
  – Negotiate RC4 Cipher Suite first
    • Set Apache directive SSLCipherSuite RC4-SHA:ALL:!ADH:!EXPORT:!SSLv2:!LOW
Remediation: RC4
• Weak RC4 Cipher Suite Supported
  – Disable RC4 Cipher Suites
    • Set Apache directive SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:-RC4-SHA:-RC4-MD5
Remediation: Lucky Thirteen
• Padding Oracle Attacks
  – Switch to using RC4 CipherSuites
    • Set Apache directive SSLCipherSuite RC4-SHA:ALL:!ADH:!EXPORT:!SSLv2:!LOW
  – Dude, seriously, WTF???
TLS Browser Support

| Browser | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|
| Chrome 0–21 | Yes | No | No |
| Chrome 22–current | Yes | Yes | No |
| Chrome 29 (dev) | Yes | Yes | Yes |
| Firefox 2–current | Yes | Disabled | No |
| IE 6 | Disabled | No | No |
| IE 7–8 | Yes | No | No |
| IE 8–9 | Yes | Disabled | Disabled |
| IE 9 | Yes | No | No |
| IE 10 | Yes | Disabled | Disabled |
| Opera 5–7 | Yes | No | No |
| Opera 8–9 | Yes | Disabled | No |
| Opera 10–current | Yes | Disabled | Disabled |
| Safari 4 | Yes | No | No |
| Safari 5 | Yes | No | No |
| Safari 5–current | Yes | Yes | Yes |
Part 4
Testing
Testing
NMAP!!!!
And Nessus too, of course
nmap -sV <IPADDRESS>
nmap --script ssl-enum-ciphers -p <PORT> <IPADDRESS>
Test Cases for developers
• How developers can test for it
  – Ciphers on the client:
    openssl ciphers | sed 's/:/\n/g' | sort
  – CipherSuites:
    ./cipher.sh | grep YES
  – Compression:
    openssl s_client -connect 156.132.142.11:12321 -tls1
  – Protocol: use a browser and enable TLS 1.1 and TLS 1.2
Part 5: And now…
Demo Time!!!!!!!
Overview
When testing SSL-TLS:
• Test that SSLv2 is disabled
• Test that SSLv3 is disabled (and possibly TLS 1.0)
• Test that compression is disabled
• Test that cipher suites with key lengths of less than 128 bits, ADH, NULL or EXP are disabled
• Test that MD5 hash is disabled
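An added example (not the deck's own code) that applies this checklist, plus the RC4 test from the remediation slides, to the per-protocol cipher and compressor lists that the nmap ssl-enum-ciphers script from the Testing section reports, transcribed into a dict. The scan data is constructed, the key length is read from the IANA suite name, and 3DES is counted at its 112-bit effective strength, which is an assumption made here.

```python
import re

# Constructed sample (not a real scan): the per-protocol cipher suites and compressors
# that `nmap --script ssl-enum-ciphers` reports, transcribed into a dict.
SAMPLE_SCAN = {
    "SSLv3": {
        "ciphers": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"],
        "compressors": ["NULL"],
    },
    "TLSv1.0": {
        "ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
                    "TLS_RSA_WITH_NULL_SHA"],
        "compressors": ["DEFLATE", "NULL"],
    },
}

# Bulk ciphers whose key length is not spelled out in the suite name; 3DES is
# counted at its 112-bit effective strength (an assumption of this example).
FIXED_BITS = {"NULL": 0, "DES40": 40, "DES_CBC": 56, "3DES_EDE": 112, "IDEA": 128, "SEED": 128}

def key_bits(suite: str) -> int:
    """Symmetric key length implied by an IANA suite name, or -1 if it cannot be read."""
    cipher = suite.partition("_WITH_")[2]                # e.g. "AES_128_CBC_SHA"
    fixed = [b for tok, b in FIXED_BITS.items() if cipher.startswith(tok)]
    m = re.search(r"_(\d+)_", cipher)                    # AES_128_, RC4_40_, CAMELLIA_256_
    return fixed[0] if fixed else int(m.group(1)) if m else -1

def audit(scan: dict) -> list:
    """Apply the deck's closing checklist (plus its RC4 test) and list each failure."""
    findings = []
    for proto, data in sorted(scan.items()):
        if proto in ("SSLv2", "SSLv3"):
            findings.append(f"{proto} is enabled")
        elif proto == "TLSv1.0":
            findings.append("TLSv1.0 is enabled (consider disabling)")
        if any(c != "NULL" for c in data["compressors"]):
            findings.append(f"{proto}: compression is enabled")
        for suite in data["ciphers"]:
            bad = [t for t in ("EXPORT", "anon", "NULL", "RC4") if t in suite]
            if suite.endswith("_MD5"):
                bad.append("MD5 MAC")
            bits = key_bits(suite)
            if 0 < bits < 128:
                bad.append(f"{bits}-bit key")
            if bad:
                findings.append(f"{proto}: {suite} ({', '.join(bad)})")
    return findings
```

`audit(SAMPLE_SCAN)` returns seven findings for the sample; a server offering only TLS 1.2 with AES suites and no compression returns none.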
Questions?
What's coming up?
• Sept 24: SAR writing examples - Ryan
• Oct 8: Benchmark Wizardry - Eric
• Oct 22: Python for pentesting - Philip
• Nov 5: All your ssh are belong to us, pwning with proxychains - Anthony & Frank
• Nov 19: Application context & discovering XSS without <script> - Todd
• Dec 3: Vulnerability database solutions - Derek
• Dec 17: Clickjacking