Embed Size (px)
Citation preview
![Page 2: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/2.jpg)
SMACK 作者提供的資訊• Slides from IEEE S&P 2015• Preprint of the paper• OpenSSL state monitor code verified with Frama-C• Proof of transcript injectivity verified in F*• Source code for the flexTLS tool
https://www.smacktls.com/
請自備 8G 記憶體以上的電腦 GG
![Page 3: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/3.jpg)
Outline
• Public key system• Certificate authority (CA)• Diffie–Hellman key exchange• RSA key exchange• Transport Layer Security (TLS)• SMACK: State Machine AttaCKs
![Page 4: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/4.jpg)
Public Key System
• P+ : public key, P- : private key
Sender• P+• P-
Receiver• P+ ( 經 Sender 傳輸 )
P+(P-(Sender’s message) ) = Sender’s message
P+(Receiver’s message)
P-(P+(Receiver’s message) ) = Receiver's message
P+, P-(Sender’s message)
![Page 5: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/5.jpg)
Certificate Authority (CA)
Dick 以為中間人的 Public key 為Tom 的 public key ,所以有 CA是提供一個機制來驗證是不是Tom 的 public key 。
CA certificate public key( 提早就拿好的 )
signature
sign Tom’s public key certificate(CA’s private key)
+
Net 2.0 – cryptographic - functionality is now complete , http://www.nxtgenug.net/Article.aspx?ArticleID=42
![Page 6: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/6.jpg)
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Diffie–Hellman Key Exchange
可當作為要交換的key ,例如 : public key system 中, sender 把public key 傳給 receiver 就可以用這個方法傳遞。
![Page 7: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/7.jpg)
RSA Key Exchange
https://technet.microsoft.com/en-us/library/cc962035.aspx
可來自CA
![Page 8: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/8.jpg)
TLS(Transport Layer Security) 使用以上技巧,在閱讀TLS 時,太多 key 一時搞不清楚這些 key 是有哪些不同,拿來幹麻的 ! 有些文件沒提,必須自己想像,好痛苦阿
RSA Key Exchange
Diffie–Hellman Key Exchange
Certificate Authority (CA)
Public Key System
![Page 9: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/9.jpg)
The TLS State Machine
Client/Server 雙方 say hello• 同步他們的狀態• 同意的 session ID• 同意的 ciphersuite• 各自交換的Random numbers(nonces)
![Page 10: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/10.jpg)
The TLS State MachineServerCertificate• CA 概念,所以 client會有個 signature ,server 必須傳 publickey 來給 client 進行server 的認證。
用哪種 key exchange?ciphersuite 決定Server 可當 CA?可
![Page 11: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/11.jpg)
The TLS State Machine
ServerKeyExchange為什麼使用 DH 會比RSA 多ServerKeyExchange?
你還記得它嗎 ?
那使用 RSA , server所用的 public key 不用交換嗎 ?client 可透過 CA 知道。
![Page 12: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/12.jpg)
The TLS State MachineServerHelloDone• 經過 key exchangeclient 會有一把 key 來解signature 。解完signature , client 會有一把 public key ,之後用此 key 傳訊息給server 。之後其實沒有多久,就會在換一把 key 了。
• 當然此時,也會依據Negotiation Parameters ,是否要不要 clinet 認證。
![Page 13: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/13.jpg)
ClientKeyExchange• 剛所提的之後來了,client 會依據 nonces來產生 clien/server之間傳遞訊息的 secreteKey 。
![Page 14: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/14.jpg)
ClientCCS/ServerCCS• Change Cipher Spec(CCS).
靠通訊間所使用的 key又可以改,到底是要改幾次阿 ~“~ 。
![Page 15: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/15.jpg)
上述的 TLS 是基本形式,根據 ciphersuite/ Negotiation Parameters ,你會沒有看過的加密使用方法,超複雜的 ! 而且 key 改那麼多次,到底是怎攻擊的阿 @@?
SMACK: State Machine AttaCKs
![Page 16: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/16.jpg)
Threat ModelKey idea: 中間人想要竊取資訊,有沒有找到一個未預期 TLS state machine ,假裝 client/server ,並可以正常運作。
![Page 17: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/17.jpg)
如何找出 TLS State Machine 未預期的行為• 在 TLS 每階段結束時, client/server 各自送出 illegal message ,並各自等待回• 回傳的訊息會有三種 : correct/ unsupported/ buggy• 在” Protocol state fuzzing of TLS implementations” ,他送的不只 illegal
message ,來找 TLS state machine 的非預期行為。
為了 automated testing發展了 FLEXTLS script (compiler) ~”~
![Page 18: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/18.jpg)
驚人的事發生了
OpenSSL Client and Server State machine for HTTPS configurations. Unexpected transitions: client in red on the right, server in green on the left
你要知道,紅色綠色是 OpenSSL可能會執行的行為
![Page 19: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/19.jpg)
Revealing Unexpected State Machine
• Server-Gated Crypto(SGC)• client 在 ServerHello 階段, 可以重新 handshake
• Early CCS• OpenSSL 允許未初始的 session key 做 session key 的計算• CVE-2014-0224
• DH Certificate (Client impersonation)• OpenSSL 允許 DH 的 public key 來計算 session 的 pre-master secrete ,所以可 skip ClientCertificateVerify• 此流程可以新增假 client 來攻擊, 因為你沒做 client 驗證。
![Page 20: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/20.jpg)
Revealing Unexpected State Machine• Export RSA (skip ServerKeyExchange)
• RSA exchange 是 weak 的• 在 server 送簽證時,要交換 key , 硬是只能用 RSA (downgrade attack)
• Static DH • 假設使用 DH 且要執行 ServerKeyExchnage ,
但是 client 沒有接收到 ServerKeyExchnage ,驗證所需 public key 將會rollback 到 public key of server’s certificate 。 rollback 涵義是 DH 交換的public key 機制比較強。
• RSA 也會有這狀況,從 RSA->RSA_EXPORT ,只是 RSA_EXPORT 的 public key 需要 ServerKeyExchange 來交換,原本的 RSA public key 是 client 事先拿好的。 (FREAK: Downgrade to RSA_EXPORT/ Inject ServerkeyExchange)
Export RSAStatic DH
![Page 21: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/21.jpg)
有了這些 Unexpected 的狀況 ( 其實還不只 ) ,如何來攻擊 ?例子 : FREAK ,其實還很多可參考 ” A Messy State of the Union: Taming the Composite State Machines of TSL“
![Page 22: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/22.jpg)
FREAK: Downgrade to RSA_EXPORT
![Page 23: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/23.jpg)
心得• TLS 他運作超複雜感覺非常強,為什麼可以找出非預期狀況執行,
因為本身考慮到”方便性”,因為有了”方便”,就會是漏洞的開始。
![Page 1: [若渴計畫2015.7.25] SMACK](https://reader036.pdfslide.tips/reader036/viewer/2022081422/55cc59fabb61eb01498b45b4/html5/thumbnails/1.jpg)
![[若渴計畫]64-bit Linux Return-Oriented Programming](https://img.pdfslide.tips/doc/110x75/555c42d2d8b42a0b038b4f68/64-bit-linux-return-oriented-programming.jpg)
![[若渴計畫]CVE 2014-9322, CVE-2015-0235, CVE-2009-3547](https://img.pdfslide.tips/doc/110x75/55ab61d71a28ab5b2f8b479b/cve-2014-9322-cve-2015-0235-cve-2009-3547.jpg)
![[若渴計畫] Studying Concurrency](https://img.pdfslide.tips/doc/110x75/588795b61a28ab5b1a8b5ce1/-studying-concurrency.jpg)
