draft-ietf-uta-tls-attacks-00.txt (old) | draft-ietf-uta-tls-attacks-01.txt (new) | |||
---|---|---|---|---|
uta Y. Sheffer | uta Y. Sheffer | |||
Internet-Draft Porticor | Internet-Draft Porticor | |||
Intended status: Informational R. Holz | Intended status: Informational R. Holz | |||
Expires: September 28, 2014 TUM | Expires: December 26, 2014 TUM | |||
P. Saint-Andre | P. Saint-Andre | |||
&yet | &yet | |||
March 27, 2014 | June 24, 2014 | |||
Summarizing Current Attacks on TLS and DTLS | Summarizing Current Attacks on TLS and DTLS | |||
draft-ietf-uta-tls-attacks-00 | draft-ietf-uta-tls-attacks-01 | |||
Abstract | Abstract | |||
Over the last few years there have been several serious attacks on | Over the last few years there have been several serious attacks on | |||
TLS, including attacks on its most commonly used ciphers and modes of | TLS, including attacks on its most commonly used ciphers and modes of | |||
operation. This document summarizes these attacks, with the goal of | operation. This document summarizes these attacks, with the goal of | |||
motivating generic and protocol-specific recommendations on the usage | motivating generic and protocol-specific recommendations on the usage | |||
of TLS and DTLS. | of TLS and DTLS. | |||
Status of This Memo | Status of This Memo | |||
[unchanged text omitted by rfcdiff; next change at page 1, line 37] | [unchanged text omitted by rfcdiff; next change at page 1, line 37] | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on September 28, 2014. | This Internet-Draft will expire on December 26, 2014. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Attacks on TLS . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Attacks on TLS . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. BEAST . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. SSL Stripping . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.2. Lucky Thirteen . . . . . . . . . . . . . . . . . . . . . . 3 | 2.2. BEAST . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.3. Attacks on RC4 . . . . . . . . . . . . . . . . . . . . . . 3 | 2.3. Lucky Thirteen . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.4. Compression Attacks: CRIME and BREACH . . . . . . . . . . . 3 | 2.4. Attacks on RC4 . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 2.5. Compression Attacks: CRIME and BREACH . . . . . . . . . . . 4 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 2.6. Certificate Attacks . . . . . . . . . . . . . . . . . . . . 4 | |||
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | 2.7. Diffe-Hellman Parameters . . . . . . . . . . . . . . . . . 4 | |||
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.8. Denial of Service . . . . . . . . . . . . . . . . . . . . . 4 | |||
6.1. Normative References . . . . . . . . . . . . . . . . . . . 4 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
6.2. Informative References . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . 5 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | |||
A.1. draft-ietf-uta-tls-bcp-00 . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
A.2. draft-sheffer-uta-tls-bcp-00 . . . . . . . . . . . . . . . 6 | 6.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . . 5 | |||
Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . 7 | ||||
A.1. draft-ietf-uta-tls-bcp-01 . . . . . . . . . . . . . . . . . 7 | ||||
A.2. draft-ietf-uta-tls-bcp-00 . . . . . . . . . . . . . . . . . 7 | ||||
A.3. draft-sheffer-uta-tls-bcp-00 . . . . . . . . . . . . . . . 7 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||
1. Introduction | 1. Introduction | |||
Over the last few years there have been several major attacks on TLS | Over the last few years there have been several major attacks on TLS | |||
[RFC5246], including attacks on its most commonly used ciphers and | [RFC5246], including attacks on its most commonly used ciphers and | |||
modes of operation. Details are given in Section 2, but suffice it | modes of operation. Details are given in Section 2, but suffice it | |||
to say that both AES-CBC and RC4, which together make up for most | to say that both AES-CBC and RC4, which together make up for most | |||
current usage, have been seriously attacked in the context of TLS. | current usage, have been seriously attacked in the context of TLS. | |||
This situation motivated the creation of the UTA working group, which | This situation motivated the creation of the UTA working group, which | |||
[unchanged text omitted by rfcdiff; next change at page 3, line 9] | [unchanged text omitted by rfcdiff; next change at page 3, line 15] | |||
2. Attacks on TLS | 2. Attacks on TLS | |||
This section lists the attacks that motivated the current | This section lists the attacks that motivated the current | |||
recommendations. This is not intended to be an extensive survey of | recommendations. This is not intended to be an extensive survey of | |||
TLS's security. | TLS's security. | |||
While there are widely deployed mitigations for some of the attacks | While there are widely deployed mitigations for some of the attacks | |||
listed below, we believe that their root causes necessitate a more | listed below, we believe that their root causes necessitate a more | |||
systemic solution. | systemic solution. | |||
2.1. BEAST | 2.1. SSL Stripping | |||
Various attacks attempt to remove the use of SSL/TLS altogether, by | ||||
modifying HTTP traffic and HTML pages as they pass on the wire. | ||||
These attacks are known collectively as SSL Stripping, and were first | ||||
introduced by Moxie Marlinspike [SSL-Stripping]. In the context of | ||||
Web traffic, these attacks are only effective if the client accesses | ||||
a Web server using a mixture of HTTP and HTTPS. | ||||
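Review bot: the new Section 2.1 is the only attack section that names no mitigation; since its last sentence makes the attack depend on a mix of HTTP and HTTPS, a pointer to the companion BCP or to HTTP Strict Transport Security (RFC 6797), which removes that mix for returning clients, would parallel the mitigation text in Section 2.5. A short statement of the threat model (an active attacker on the path who rewrites https links to http) would also make "modifying HTTP traffic and HTML pages" concrete. | | |||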
2.2. BEAST | ||||
The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation | The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation | |||
of CBC (that is, the predictable initialization vector) to decrypt | of CBC (that is, the predictable initialization vector) to decrypt | |||
parts of a packet, and specifically shows how this can be used to | parts of a packet, and specifically to decrypt HTTP cookies when HTTP | |||
decrypt HTTP cookies when run over TLS. | is run over TLS. | |||
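Review bot: "TLS 1.0 implementation of CBC" reads as if BEAST were a library bug; the predictable IV is a property of the protocol itself (TLS 1.0 uses the last ciphertext block of the previous record as the next record's IV), which is why TLS 1.1 introduced explicit per-record IVs. Suggest "the TLS 1.0 definition of CBC mode" and, since the other sections name a mitigation, a clause noting that TLS 1.1 and later are not affected. | | |||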
2.2. Lucky Thirteen | 2.3. Lucky Thirteen | |||
A consequence of the MAC-then-encrypt design in all current versions | A consequence of the MAC-then-encrypt design in all current versions | |||
of TLS is the existence of padding oracle attacks [Padding-Oracle]. | of TLS is the existence of padding oracle attacks [Padding-Oracle]. | |||
A recent incarnation of these attacks is the Lucky Thirteen attack | A recent incarnation of these attacks is the Lucky Thirteen attack | |||
[CBC-Attack], a timing side-channel attack that allows the attacker | [CBC-Attack], a timing side-channel attack that allows the attacker | |||
to decrypt arbitrary ciphertext. | to decrypt arbitrary ciphertext. | |||
2.3. Attacks on RC4 | 2.4. Attacks on RC4 | |||
The RC4 algorithm [RC4] has been used with TLS (and previously, SSL) | The RC4 algorithm [RC4] has been used with TLS (and previously, SSL) | |||
for many years. Attacks have also been known for a long time, e.g. | for many years. RC4 has long been known to have a variety of | |||
[RC4-Attack-FMS]. But recent attacks ([RC4-Attack], | cryptographic weaknesses, e.g. [RC4-Attack-Pau], [RC4-Attack-Man], | |||
[RC4-Attack-AlF]) have weakened this algorithm even more. See | [RC4-Attack-FMS]. Recent cryptanalysis results [RC4-Attack-AlF] | |||
[I-D.popov-tls-prohibiting-rc4] for more details. | exploit biases in the RC4 keystream to recover repeatedly encrypted | |||
plaintexts. | ||||
2.4. Compression Attacks: CRIME and BREACH | These recent results are on the verge of becoming practically | |||
exploitable; currently they require 2^26 sessions or 13x2^30 | ||||
encryptions. As a result, RC4 can no longer be seen as providing a | ||||
sufficient level of security for TLS sessions. | ||||
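Review bot: the cost figures in the second paragraph, "2^26 sessions or 13x2^30 encryptions", belong to two different attacks in [RC4-Attack-AlF] (single-byte keystream biases measured across many sessions, versus double-byte biases measured over repeated encryptions within a session), and "or" makes them read as interchangeable; name the attack each figure belongs to. Separately, [RC4-Attack] (Isobe et al., full plaintext recovery on broadcast RC4) is dropped from both the text and the reference list in this revision, although it is a broadcast-setting result of exactly the kind "repeatedly encrypted plaintexts" describes; consider keeping it next to [RC4-Attack-Man]. | | |||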
2.5. Compression Attacks: CRIME and BREACH | ||||
The CRIME attack [CRIME] allows an active attacker to decrypt | The CRIME attack [CRIME] allows an active attacker to decrypt | |||
cyphertext (specifically, cookies) when TLS is used with protocol- | ciphertext (specifically, cookies) when TLS is used with protocol- | |||
level compression. | level compression. | |||
The TIME attack [TIME] and the later BREACH attack [BREACH] both make | The TIME attack [TIME] and the later BREACH attack [BREACH] both make | |||
similar use of HTTP-level compression to decrypt secret data passed | similar use of HTTP-level compression to decrypt secret data passed | |||
in the HTTP response. We note that compression of the HTTP message | in the HTTP response. We note that compression of the HTTP message | |||
body is much more prevalent than compression at the TLS level. | body is much more prevalent than compression at the TLS level. | |||
The former attack can be mitigated by disabling TLS compression, as | The former attack can be mitigated by disabling TLS compression, as | |||
recommended below. We are not aware of mitigations at the protocol | recommended below. We are not aware of mitigations at the protocol | |||
level to the latter attack, and so application-level mitigations are | level to the latter attack, and so application-level mitigations are | |||
needed (see [BREACH]). For example, implementations of HTTP that use | needed (see [BREACH]). For example, implementations of HTTP that use | |||
CSRF tokens will need to randomize them even when the recommendations | CSRF tokens will need to randomize them even when the recommendations | |||
of [I-D.ietf-uta-tls-bcp] are adopted. | of [I-D.ietf-uta-tls-bcp] are adopted. | |||
2.6. Certificate Attacks | ||||
There have been several practical attacks on TLS when used with RSA | ||||
certificates (the most common use case). These include | ||||
[Bleichenbacher98] and [Klima03]. While the Bleichenbacher attack | ||||
has been mitigated in TLS 1.0, the Klima attack that relies on a | ||||
version-check oracle is only mitigated by TLS 1.1. | ||||
The use of RSA certificates often involves exploitable timing issues | ||||
[Brumley03], unless the implementation takes care to explicitly | ||||
eliminate them. | ||||
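Review bot: the heading "Certificate Attacks" does not match the content: [Bleichenbacher98], [Klima03] and [Brumley03] attack the RSA key exchange (PKCS#1 v1.5 decryption of the premaster secret and the timing of the server's private-key operation), not certificates, so "Attacks on RSA Key Exchange" would be accurate. The second paragraph should also name the countermeasure it alludes to, since [Brumley03] itself recommends RSA blinding, and the first paragraph could point to the Bleichenbacher countermeasure in RFC 5246 Section 7.4.7.1 (continue the handshake with a random premaster secret on decryption failure) rather than saying only that it "has been mitigated". The three new references give no venue, see the note in Section 6.2. | | |||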
2.7. Diffe-Hellman Parameters | ||||
TLS allows to define ephemeral Diffie-Hellman and Elliptic Curve | ||||
Diffie-Hellman parameters in its respective key exchange modes. This | ||||
results in an outstanding attack, detailed in [Cross-Protocol]. In | ||||
addition, clients that do not properly verify the received parameters | ||||
are exposed to MITM attacks. Unfortunately the TLS protocol does not | ||||
require this verification, see [RFC6989] for the IPsec analogy. | ||||
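Review bot: the heading misspells "Diffie-Hellman" (here and in the table of contents entry for 2.7), "TLS allows to define" should read "TLS allows servers to specify", and "an outstanding attack" is ambiguous (unresolved, or remarkable?). The paragraph also runs two distinct issues together: [Cross-Protocol] exploits the fact that the server's signature over ServerKeyExchange parameters is not bound to the key exchange type, so ECDH parameters can be misread as DH parameters, whereas the MITM exposure concerns clients that skip the checks on the received group and public value that [RFC6989] lists for IKEv2. Two sentences, each saying what "properly verify" means for its case, would make the section actionable. | | |||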
2.8. Denial of Service | ||||
Server CPU power has progressed over the years so that TLS can now be | ||||
turned on by default. However the risk of malicious clients and | ||||
coordinated groups of clients ("botnets") mounting denial of service | ||||
attacks is still very real. TLS adds another vector for | ||||
computational attacks, since a client can easily (with little | ||||
computational effort) force the server to expend relatively large | ||||
computational work. It is known that such attacks have in fact been | ||||
mounted. | ||||
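Review bot: "It is known that such attacks have in fact been mounted" carries no citation, unlike every other attack in Section 2; add a reference or drop the sentence. The paragraph would also serve operators better if it said where the asymmetry lies (the server's private-key operation during the handshake, and client-initiated renegotiation that repeats it), since that is what handshake rate limits and renegotiation controls are meant to bound. | | |||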
3. Security Considerations | 3. Security Considerations | |||
This document describes protocol attacks in an informational manner, | This document describes protocol attacks in an informational manner, | |||
and in itself does not have any security implications. Its companion | and in itself does not have any security implications. Its companion | |||
documents certainly do. | documents certainly do. | |||
4. IANA Considerations | 4. IANA Considerations | |||
This document requires no IANA actions. | This document requires no IANA actions. | |||
5. Acknowledgements | 5. Acknowledgements | |||
We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir, | We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir, | |||
Kenny Paterson, Patrick Pelletier, and Rich Salz for their review of | Kenny Paterson, Patrick Pelletier, Tom Ritter and Rich Salz for their | |||
a previous version of this document. | review of this document. We thank Andrei Popov for contributing text | |||
on RC4. | ||||
The document was prepared using the lyx2rfc tool, created by Nico | The document was prepared using the lyx2rfc tool, created by Nico | |||
Williams. | Williams. | |||
6. References | 6. References | |||
6.1. Normative References | 6.1. Normative References | |||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
(TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
6.2. Informative References | 6.2. Informative References | |||
[I-D.ietf-uta-tls-bcp] | [I-D.ietf-uta-tls-bcp] | |||
Sheffer, Y., Holz, R., and P. Saint-Andre, | Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
"Recommendations for Secure Use of TLS and DTLS", draft- | "Recommendations for Secure Use of TLS and DTLS", draft- | |||
ietf-uta-tls-bcp-00 (work in progress), March 2014. | ietf-uta-tls-bcp-00 (work in progress), March 2014. | |||
[I-D.popov-tls-prohibiting-rc4] | [RFC6989] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman | |||
Popov, A., "Prohibiting RC4 Cipher Suites", draft-popov- | Tests for the Internet Key Exchange Protocol Version 2 | |||
tls-prohibiting-rc4-01 (work in progress), October 2013. | (IKEv2)", RFC 6989, July 2013. | |||
[CBC-Attack] | [CBC-Attack] | |||
AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | |||
the TLS and DTLS Record Protocols", IEEE Symposium on | the TLS and DTLS Record Protocols", IEEE Symposium on | |||
Security and Privacy , 2013. | Security and Privacy , 2013. | |||
[BEAST] Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS", | [BEAST] Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS", | |||
2011, <http://packetstormsecurity.com/files/105499/ | 2011, <http://packetstormsecurity.com/files/105499/ | |||
Browser-Exploit-Against-SSL-TLS.html>. | Browser-Exploit-Against-SSL-TLS.html>. | |||
[CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty | [CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty | |||
Security Conference 2012, 2012. | Security Conference 2012, 2012. | |||
[BREACH] Prado, A., Harris, N., and Y. Gluck, "The BREACH Attack", | [BREACH] Prado, A., Harris, N., and Y. Gluck, "The BREACH Attack", | |||
2013, <http://breachattack.com/>. | 2013, <http://breachattack.com/>. | |||
[TIME] Be'ery, T. and A. Shulman, "A Perfect CRIME? Only TIME | [TIME] Be'ery, T. and A. Shulman, "A Perfect CRIME? Only TIME | |||
Will Tell", Black Hat Europe 2013, 2013, <https:// | Will Tell", Black Hat Europe 2013, 2013, | |||
media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a | <https://media.blackhat.com/eu-13/briefings/Beery/bh- | |||
-perfect-crime-beery-wp.pdf>. | eu-13-a-perfect-crime-beery-wp.pdf>. | |||
[RC4] Schneier, B., "Applied Cryptography: Protocols, | [RC4] Schneier, B., "Applied Cryptography: Protocols, | |||
Algorithms, and Source Code in C, 2nd Ed.", 1996. | Algorithms, and Source Code in C, 2nd Ed.", 1996. | |||
[RC4-Attack-FMS] | [RC4-Attack-FMS] | |||
Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the | Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the | |||
Key Scheduling Algorithm of RC4", Selected Areas in | Key Scheduling Algorithm of RC4", Selected Areas in | |||
Cryptography , 2001. | Cryptography , 2001. | |||
[RC4-Attack] | ||||
ISOBE, T., OHIGASHI, T., WATANABE, Y., and M. MORII, "Full | ||||
Plaintext Recovery Attack on Broadcast RC4", International | ||||
Workshop on Fast Software Encryption , 2013. | ||||
[RC4-Attack-AlF] | [RC4-Attack-AlF] | |||
AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., | AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., | |||
and J. Schuldt, "On the Security of RC4 in TLS", Usenix | and J. Schuldt, "On the Security of RC4 in TLS", Usenix | |||
Security Symposium 2013, 2013, <https://www.usenix.org/ | Security Symposium 2013, 2013, <https://www.usenix.org/ | |||
conference/usenixsecurity13/security-rc4-tls>. | conference/usenixsecurity13/security-rc4-tls>. | |||
[Attacks-iSec] | [Attacks-iSec] | |||
Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a | Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a | |||
comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13 | comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13 | |||
and RC4 biases", 8 2013, <https://www.isecpartners.com/ | and RC4 biases", 8 2013, <https://www.isecpartners.com/ | |||
media/106031/ssl_attacks_survey.pdf>. | media/106031/ssl_attacks_survey.pdf>. | |||
[Padding-Oracle] | [Padding-Oracle] | |||
Vaudenay, S., "Security Flaws Induced by CBC Padding | Vaudenay, S., "Security Flaws Induced by CBC Padding | |||
Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002, | Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002, | |||
2002, <http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT | 2002, <http://www.iacr.org/cryptodb/archive/2002/ | |||
/2850/2850.pdf>. | EUROCRYPT/2850/2850.pdf>. | |||
[Cross-Protocol] | ||||
Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., and | ||||
B. Preneel, "A cross-protocol attack on the TLS protocol", | ||||
2012, <http://doi.acm.org/10.1145/2382196.2382206>. | ||||
[RC4-Attack-Pau] | ||||
Paul, G. and S. Maitra, "Permutation after RC4 key | ||||
scheduling reveals the secret key.", 2007, | ||||
<http://dblp.uni-trier.de/db/conf/sacrypt/ | ||||
sacrypt2007.html#PaulM07>. | ||||
[RC4-Attack-Man] | ||||
Mantin, I. and A. Shamir, "A practical attack on broadcast | ||||
RC4", 2001. | ||||
[SSL-Stripping] | ||||
Marlinspike, M., "SSL Stripping", February 2009, | ||||
<http://www.thoughtcrime.org/software/sslstrip/>. | ||||
[Bleichenbacher98] | ||||
Bleichenbacher, D., "Chosen ciphertext attacks against | ||||
protocols based on the RSA encryption standard pkcs1", | ||||
1998. | ||||
[Klima03] Klima, V., Pokorny, O., and T. Rosa, "Attacking RSA-based | ||||
sessions in SSL/TLS", 2003. | ||||
[Brumley03] | ||||
Brumley, D. and D. Boneh, "Remote timing attacks are | ||||
practical", 2003. | ||||
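Review bot: the references added in this revision are thinner than the existing ones: [Bleichenbacher98], [Klima03], [Brumley03] and [RC4-Attack-Man] give only authors, title and year, with no venue or URL, and [RC4-Attack-Pau] points at a DBLP index entry rather than the paper; bring them to the style of [CBC-Attack] and [RC4-Attack-AlF]. [Attacks-iSec] does not appear to be cited anywhere in the visible text of either version, so either cite it in Section 2 or remove it. | | |||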
Appendix A. Appendix: Change Log | Appendix A. Appendix: Change Log | |||
Note to RFC Editor: please remove this section before publication. | Note to RFC Editor: please remove this section before publication. | |||
A.1. draft-ietf-uta-tls-bcp-00 | A.1. draft-ietf-uta-tls-bcp-01 | |||
o Added SSL Stripping, attacks related to certificates, Diffie | ||||
Hellman parameters and denial of service. | ||||
o Expanded on RC4 attacks, thanks to Andrei Popov. | ||||
A.2. draft-ietf-uta-tls-bcp-00 | ||||
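Review bot: the change-log headings appear to name the wrong draft: the title block says this is draft-ietf-uta-tls-attacks-01, yet A.1, A.2 and A.3 are labelled draft-ietf-uta-tls-bcp-01, draft-ietf-uta-tls-bcp-00 and draft-sheffer-uta-tls-bcp-00, which look like the names of the companion BCP document carried over unchanged; the same labels are repeated in the table of contents. Also, the A.1 bullet writes "Diffie Hellman" while the Section 2.7 heading it refers to writes "Diffe-Hellman", so the two should be reconciled. | | |||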
o Initial WG version, with only updated references. | o Initial WG version, with only updated references. | |||
A.2. draft-sheffer-uta-tls-bcp-00 | A.3. draft-sheffer-uta-tls-bcp-00 | |||
o Initial version, extracted from draft-sheffer-tls-bcp-01. | o Initial version, extracted from draft-sheffer-tls-bcp-01. | |||
Authors' Addresses | Authors' Addresses | |||
Yaron Sheffer | Yaron Sheffer | |||
Porticor | Porticor | |||
29 HaHarash St. | 29 HaHarash St. | |||
Hod HaSharon 4501303 | Hod HaSharon 4501303 | |||
Israel | Israel | |||
End of changes. 20 change blocks. | ||||
47 lines changed or deleted | 133 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |