COMPSCI 726 Lecture 25a Zong Chen

  • 8/17/2019 COMPSCI 726 Lecture 25a Zong Chen

    Outline

    • Background: TLS

    • Problem definition: MITM

    • An existing solution: TLS Channel ID

    • An attack on Channel ID: MITM-SITB

    • The proposed solution: SISCA

    • Remarks

    TLS

    • Transport Layer Security

    • X.509 certificates

    • Security services:

    • Confidentiality

    • Integrity

    • Authentication

    MITM

    [Figure: diagram with User, Mallory and Server.]

    [Figure: diagram with User, Mallory and Server; legible labels include “fake login form” and “real login form”.]

    Users might assume they mistyped their password.

    TLS Channel ID

    BALFANZ, D., AND HAMILTON, R. “Transport Layer Security (TLS) Channel IDs, v01 (IETF Internet-Draft)”, http://tools.ietf.org/html/draft-balfanz-tlschannelid-01, 2013.

    • “Strong Client Authentication” (SCA)

    • Server authenticates client

    • A “Channel ID” is the public key of a key pair generated by the browser.

    • Each Channel ID identifies a TLS connection.

    • “Strong” credentials (i.e. not transmitted through the network)

    Attack: MITM-SITB (“Man-in-the-middle Script-in-the-browser”)

    • An attacker can communicate with the server on behalf of the user.

    • Attacker intercepts user’s request, injects malicious script, then allows user through to legitimate server.

    Proposed solution: SISCA

    • “Server Invariance with Strong Client Authentication”

    • Ensure that the user is only communicating with one server.

    • Server establishes information about each client, which other servers won’t know.

    Remarks

    • Unclear notion of “strong” credentials

    • Using a strong second factor authentication device?

    • “strong second factor authentication device, as in PhoneAuth [13] and FIDO Universal 2nd Factor (U2F) [22] protocols”

    • Credentials that are not sent through network?

    • “Such credentials are considered weak; they are transmitted over the network and are susceptible to theft and abuse, unless protected by TLS.”

    Remarks

    • Insufficient description of Channel ID, which this paper strongly depends on.

    Remarks

    • Doesn’t help prevent server-impersonation

    • User may see content from an attacker in response to a request made to the server.

    Remarks

    • Requires lots of changes to existing systems

    • “the server sends a list of all the involved domains and all their public keys to the browser”

    • “For the protocol to be secure, on the client side this header is controlled solely by the browser. It cannot be created or accessed programmatically via scripts”
