Problems in Cryptographic Standards and Implementations

[email protected]

1

Overview   Perspective on theory and practice   Vulnerability statistics   Proposal: new security metrics   Case study: Authenticated Encryption   Ideas

2

Ecosystem

Theory

1+ Year

Standards

1+ Year

Implementations

1+ Year

Deployment

3

Number of Units

Technology Adoption

Time

Moore, Crossing the Chasm; Bohlen, Beal and Rogers 4

Number of Units

Technology Adoption

Patents

Time

Moore, Crossing the Chasm; Bohlen, Beal and Rogers 5

Theory Perspective 1995 2000 2005 2010 -

SSL2.0

Wagner, Schneier

SSL3.0

Paulson

TLS1.0 3DES_EDE_CBC_SHA

Krawczyk

Vaudenay

Canetti TLS1.1 3DES_EDE_CBC_SHA TLS1.2

Rizzo,Duong Rizzo,Thai

AES_128_CBC_SHA

Ray, Dispensa

Gajek et al

Paterson, AlFarden 6

Practice Perspective

Cryptography is a well-designed lock 7

Practice Perspective

Cryptography is a well-designed lock, too often installed on a weak system 8

Practice Perspective

Can we improve system security through cryptography? 9

Product Vulnerabilities Methodology Crypto

Non-Crypto

All data taken from Cisco SIO Security Advisories and Responses web pages Some Advisories and Responses contain multiple vulnerabilities, which are counted fractionally

Note: “Vulnerabilities that would be avoided if cryptography was used” might be even larger than the “Crypto” category

Crypto Vulnerabilities: Categories   Parse Flaw Incorrect parsing of message ; in many cases, it is a potential DoS attack.

  Design Flaw Implementation was correct, but design was insufficient to provide security.

  Access Control Flaw Absence of appropriate access control check on certificate, address, username, …

Crypto Vulnerabilities 100% 90%

Design Flaws

80% 70%

Other

60%

Access Control Design Flaws Other

50% 40% 30% 20%

Parse Flaws

Parse Flaws

OpenSSL

Products

10% 0%

Analysis   Many theoretical attacks did not meet the severity threshold to be described as vulnerabilities   Access Control checking is important Could be tested/validated

  Parsing is of prime importance Parsing should be made easy Defense: verify before parsing Parsers should be tested/validated

  If we exclude availability (DoS), then parsing attacks would diminish in importance

What else should we be measuring? Not everything that can be counted counts, and not everything that counts can be counted. – Albert Einstein

What else should we be measuring? Not everything that can be counted counts, and not everything that counts can be counted. – Albert Einstein

  Number of block cipher invocations   Latency   Places where crypto should be used   Implementation Complexity

Complexity Measures

Computational Complexity

Communication Complexity

Protocol A

1

2

Protocol B

2

3

Implementation Complexity An intrinsic property of a protocol or algorithm that measures the likelihood that an implementation of the protocol will be flawed Computational Complexity

Communication Complexity

Implementation Complexity

Protocol A

1

2

5

Protocol B

2

3

1

Implementation Complexity 6 5 4 Computation Communication Implementation

3 2 1 0 Protocol A

Protocol B

Desirable Security Properties   Confidentiality   Mutual Authentication   Forward Security   Identity Protection   Threshold Compromise Resilience   Independence from computational assumption C   …

  C is event that computational assumption is wrong   Protocol A is secure whether or not C occurs   Protocol B is not secure if C occurs   IA is event that an implementation of A is insecure   IB is event that an implementation of B is insecure   P[ A secure] = P[ IAc]   P[ B secure ] = P[ Cc ∧ IBc] = P[ Cc ] P[ IBc]

  Protocol B more secure than Protocol A when P[ Cc ] > P[ IAc ] / P[ IBc ]   Can we find a way to estimate implementation complexity ~ probability implementation failure?   Lines in description   Number of states in state machine   Function point counting   Parsing difficulty   Other?

Authenticated Encryption 1995 2000 2005 2010 -

XCBC AE AEAD, OCB CCM, 802.11i GCM 802.3, IPsec 1619, FC, LTO RFC 5116 An Interface and Algorithms for Authenticated Encryption SIV, TLSv1.2, IKE, XMLsec OCBv3, SSH, SRTP 23

Vulnerabilities Prevented by AEAD   Bellovin, “Problem Areas for the IP Security Protocols”, Usenix Unix Security Symposium, 1996.   Vaudenay, "Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002.   Bellare, Kohno, Namprempre, "Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then- Encrypt-and-MAC paradigm", ACM Transactions on Information and System Security, May 2004.   Paterson, Yau, “Cryptography in theory and practice: The case of encryption in IPsec”, EUROCRYPT 2006,   Degabriele, Paterson, "Attacking the IPsec Standards in Encryption-only Configurations", IEEE Symposium on Security and Privacy, 2007.   Rizzo, Duong, "Practical Padding Oracle Attacks", Black Hat Europe, 2010.   Jager, Somorovsky, "How To Break XML Encryption", 18th ACM Conference on Computer and Communications Security (CCS), 2011.   Rizzo, Thai, "BEAST: Surprising crypto attack against HTTPS", Ekoparty, 2011.   Paterson, Alfardan, "Plaintext-Recovery Attacks Against Datagram TLS", NDSS 2012.

24

Header

Header

Data

Ciphertext

Tag Pad

Header

Header

Data

Ciphertext

Nonce Generator

Header

Nonce

Data

Header

Nonce

Ciphertext

Nonce Generator

Header

Nonce

Data

Header

Nonce

Ciphertext

Nonce Generator

Header

Nonce

Data

Header

Nonce

Ciphertext

Nonce Generator

Header

Nonce

Ciphertext

Data Chunk 1

Nonce Generator

Header

Nonce

Ciphertext

Data Chunk 1

Data Chunk 2

Nonce Generator

Header

Nonce

Ciphertext

Data Block 1

FAIL

Object Size (Bytes) 802.15 Frame (max)

133

802.3 Frame (max)

1500

Ethernet Jumbo Frame

9000

Disk Block

512

File

1M

Disk

1T

AEAD should only be applied to objects that fit into data buffers

Data

Header Nonce Generator

Header

Nonce

Ciphertext

Recommended IV/Nonce format +-------------------------------+------------------------+! | Fixed | Counter |! +-------------------------------+------------------------+!

1st 2nd 3rd 4th 5th

Fixed Counter! ! 5DAD87F80000000000000001! 5DAD87F80000000000000002! 5DAD87F80000000000000003! 5DAD87F80000000000000004! 5DAD87F80000000000000005!

RFC 5116, draft-mcgrew-iv-gen-01!

Partially implicit IV/Nonce format +--------------+----------------+------------------------+! | Fixed-Common | Fixed-Distinct | Counter |! +--------------+----------------+------------------------+! ! Figure 3:!

1st 2nd 3rd 4th 5th

Fixed Fixed! Common Distinct Counter! ! 5DAD87F81E0E000000000001! 5DAD87F81E0E000000000002! 5DAD87F81E0E000000000003! 5DAD87F81E0E000000000004! 5DAD87F81E0E000000000005!

Unpredictable IV/Nonce format +-----------------+-----------------+! | Fixed | Counter |---+! +-----------------+-----------------+ |! |! +-----------------------------------+ v! | Randomizer |->(+)! +-----------------------------------+ |! |! +-----------------------------------+ |! | Initialization Vector |