draft-ietf-uta-tls-attacks-03.txt | draft-ietf-uta-tls-attacks-04.txt | |||
---|---|---|---|---|
uta Y. Sheffer | uta Y. Sheffer | |||
Internet-Draft Porticor | Internet-Draft Porticor | |||
Intended status: Informational R. Holz | Intended status: Informational R. Holz | |||
Expires: March 13, 2015 TUM | Expires: April 1, 2015 TUM | |||
P. Saint-Andre | P. Saint-Andre | |||
&yet | &yet | |||
September 9, 2014 | September 28, 2014 | |||
Summarizing Current Attacks on TLS and DTLS | Summarizing Current Attacks on TLS and DTLS | |||
draft-ietf-uta-tls-attacks-03 | draft-ietf-uta-tls-attacks-04 | |||
Abstract | Abstract | |||
Over the last few years there have been several serious attacks on | Over the last few years there have been several serious attacks on | |||
TLS, including attacks on its most commonly used ciphers and modes of | TLS, including attacks on its most commonly used ciphers and modes of | |||
operation. This document summarizes these attacks, with the goal of | operation. This document summarizes these attacks, with the goal of | |||
motivating generic and protocol-specific recommendations on the usage | motivating generic and protocol-specific recommendations on the usage | |||
of TLS and DTLS. | of TLS and DTLS. | |||
Status of This Memo | Status of This Memo | |||
skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 13, 2015. | This Internet-Draft will expire on April 1, 2015. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 14 | skipping to change at page 2, line 14 | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Attacks on TLS . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Attacks on TLS . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. SSL Stripping . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. SSL Stripping . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.2. STARTTLS Command Injection Attack (CVE-2011-0411) . . . . . 3 | 2.2. STARTTLS Command Injection Attack (CVE-2011-0411) . . . . . 3 | |||
2.3. BEAST (CVE-2011-3389) . . . . . . . . . . . . . . . . . . . 3 | 2.3. BEAST (CVE-2011-3389) . . . . . . . . . . . . . . . . . . . 4 | |||
2.4. Lucky Thirteen (CVE-2013-0169) . . . . . . . . . . . . . . 4 | 2.4. Lucky Thirteen (CVE-2013-0169) . . . . . . . . . . . . . . 4 | |||
2.5. Attacks on RC4 . . . . . . . . . . . . . . . . . . . . . . 4 | 2.5. Attacks on RC4 . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2.6. Compression Attacks: CRIME, TIME and BREACH . . . . . . . . 4 | 2.6. Compression Attacks: CRIME, TIME and BREACH . . . . . . . . 4 | |||
2.7. Certificate Attacks . . . . . . . . . . . . . . . . . . . . 5 | 2.7. Certificate Attacks . . . . . . . . . . . . . . . . . . . . 5 | |||
2.8. Diffie-Hellman Parameters . . . . . . . . . . . . . . . . . 5 | 2.8. Diffie-Hellman Parameters . . . . . . . . . . . . . . . . . 5 | |||
2.9. Renegotiation (CVE-2009-3555) . . . . . . . . . . . . . . . 5 | 2.9. Renegotiation (CVE-2009-3555) . . . . . . . . . . . . . . . 5 | |||
2.10. Triple Handshake (CVE-2014-1295) . . . . . . . . . . . . . 5 | 2.10. Triple Handshake (CVE-2014-1295) . . . . . . . . . . . . . 5 | |||
2.11. Virtual Host Confusion . . . . . . . . . . . . . . . . . . 5 | 2.11. Virtual Host Confusion . . . . . . . . . . . . . . . . . . 6 | |||
2.12. Denial of Service . . . . . . . . . . . . . . . . . . . . . 6 | 2.12. Denial of Service . . . . . . . . . . . . . . . . . . . . . 6 | |||
2.13. Implementation Issues . . . . . . . . . . . . . . . . . . . 6 | 2.13. Implementation Issues . . . . . . . . . . . . . . . . . . . 6 | |||
3. Applicability to DTLS . . . . . . . . . . . . . . . . . . . . 6 | 3. Applicability to DTLS . . . . . . . . . . . . . . . . . . . . 7 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
7. Informative References . . . . . . . . . . . . . . . . . . . 7 | 7. Informative References . . . . . . . . . . . . . . . . . . . 7 | |||
Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . 10 | Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . 10 | |||
A.1. draft-ietf-uta-tls-attacks-03 . . . . . . . . . . . . . . . 10 | A.1. draft-ietf-uta-tls-attacks-04 . . . . . . . . . . . . . . . 10 | |||
A.2. draft-ietf-uta-tls-attacks-02 . . . . . . . . . . . . . . . 10 | A.2. draft-ietf-uta-tls-attacks-03 . . . . . . . . . . . . . . . 10 | |||
A.3. draft-ietf-uta-tls-attacks-01 . . . . . . . . . . . . . . . 10 | A.3. draft-ietf-uta-tls-attacks-02 . . . . . . . . . . . . . . . 11 | |||
A.4. draft-ietf-uta-tls-attacks-00 . . . . . . . . . . . . . . . 11 | A.4. draft-ietf-uta-tls-attacks-01 . . . . . . . . . . . . . . . 11 | |||
| A.5. draft-ietf-uta-tls-attacks-00 . . . . . . . . . . . . . . . 11 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
1. Introduction | 1. Introduction | |||
Over the last few years there have been several major attacks on TLS | Over the last few years there have been several major attacks on TLS | |||
[RFC5246], including attacks on its most commonly used ciphers and | [RFC5246], including attacks on its most commonly used ciphers and | |||
modes of operation. Details are given in Section 2, but suffice it | modes of operation. Details are given in Section 2, but suffice it | |||
to say that both AES-CBC and RC4, which together make up for most | to say that both AES-CBC and RC4, which together make up for most | |||
current usage, have been seriously attacked in the context of TLS. | current usage, have been seriously attacked in the context of TLS. | |||
This situation motivated the creation of the UTA working group, which | This situation was one of the motivations for the creation of the UTA | |||
is tasked with the creation of generic and protocol-specific | working group, which is tasked with the creation of generic and | |||
recommendations for the use of TLS and DTLS. | protocol-specific recommendations for the use of TLS and DTLS. | |||
"Attacks always get better; they never get worse" (ironically, this | "Attacks always get better; they never get worse" (ironically, this | |||
saying is attributed to the NSA). This list of attacks describes our | saying is attributed to the NSA). This list of attacks describes our | |||
knowledge as of this writing. It seems likely that new attacks will | knowledge as of this writing. It seems likely that new attacks will | |||
be invented in the future. | be invented in the future. | |||
For a more detailed discussion of the attacks listed here, the | For a more detailed discussion of the attacks listed here, the | |||
interested reader is referred to [Attacks-iSec]. | interested reader is referred to [Attacks-iSec]. | |||
2. Attacks on TLS | 2. Attacks on TLS | |||
This section lists the attacks that motivated the current | This section lists the attacks that motivated the current | |||
recommendations. This is not intended to be an extensive survey of | recommendations. This is not intended to be an extensive survey of | |||
TLS's security. | TLS's security. | |||
While there are widely deployed mitigations for some of the attacks | While there are widely deployed mitigations for some of the attacks | |||
listed below, we believe that their root causes necessitate a more | listed below, we believe that their root causes necessitate a more | |||
systemic solution. | systemic solution. | |||
| When such an identifier exists for an attack, we have included its | |||
| CVE (Common Vulnerabilities and Exposures) ID. CVE [CVE] is an | |||
| extensive, industry-wide database of software vulnerabilities. | |||
2.1. SSL Stripping | 2.1. SSL Stripping | |||
Various attacks attempt to remove the use of SSL/TLS altogether, by | Various attacks attempt to remove the use of SSL/TLS altogether, by | |||
modifying unencrypted protocols that request the use of TLS, | modifying unencrypted protocols that request the use of TLS, | |||
specifically modifying HTTP traffic and HTML pages as they pass on | specifically modifying HTTP traffic and HTML pages as they pass on | |||
the wire. These attacks are known collectively as SSL Stripping and | the wire. These attacks are known collectively as SSL Stripping and | |||
were first introduced by Moxie Marlinspike [SSL-Stripping]. In the | were first introduced by Moxie Marlinspike [SSL-Stripping]. In the | |||
context of Web traffic, these attacks are only effective if the | context of Web traffic, these attacks are only effective if the | |||
client initially accesses a Web server using HTTP. A commonly used | client initially accesses a Web server using HTTP. A commonly used | |||
mitigation is HTTP Strict Transport Security (HSTS) [RFC6797]. | mitigation is HTTP Strict Transport Security (HSTS) [RFC6797]. | |||
skipping to change at page 5, line 23 | skipping to change at page 5, line 30 | |||
The use of RSA certificates often involves exploitable timing issues | The use of RSA certificates often involves exploitable timing issues | |||
[Brumley03] (CVE-2003-0147), unless the implementation takes care to | [Brumley03] (CVE-2003-0147), unless the implementation takes care to | |||
explicitly eliminate them. | explicitly eliminate them. | |||
A recent certificate fuzzing tool [Brubaker2014using] uncovered | A recent certificate fuzzing tool [Brubaker2014using] uncovered | |||
numerous vulnerabilities in different TLS libraries, related to | numerous vulnerabilities in different TLS libraries, related to | |||
certificate validation. | certificate validation. | |||
2.8. Diffie-Hellman Parameters | 2.8. Diffie-Hellman Parameters | |||
TLS allows to define ephemeral Diffie-Hellman and Elliptic Curve | TLS allows the definition of ephemeral Diffie-Hellman and Elliptic | |||
Diffie-Hellman parameters in its respective key exchange modes. This | Curve Diffie-Hellman parameters in its respective key exchange modes. | |||
results in an attack detailed in [Cross-Protocol]. In addition, | This results in an attack detailed in [Cross-Protocol]. In addition, | |||
clients that do not properly verify the received parameters are | clients that do not properly verify the received parameters are | |||
exposed to man in the middle (MITM) attacks. Unfortunately the TLS | exposed to man in the middle (MITM) attacks. Unfortunately the TLS | |||
protocol does not require this verification, see [RFC6989] for the | protocol does not require this verification, see [RFC6989] for the | |||
IPsec analogy. | IPsec analogy. | |||
2.9. Renegotiation (CVE-2009-3555) | 2.9. Renegotiation (CVE-2009-3555) | |||
A major attack on the TLS renegotiation mechanism applies to all | A major attack on the TLS renegotiation mechanism applies to all | |||
current versions of the protocol. The attack and the TLS extension | current versions of the protocol. The attack and the TLS extension | |||
that resolves it are described in [RFC5746]. | that resolves it are described in [RFC5746]. | |||
skipping to change at page 6, line 18 | skipping to change at page 6, line 27 | |||
turned on by default. However the risk of malicious clients and | turned on by default. However the risk of malicious clients and | |||
coordinated groups of clients ("botnets") mounting denial of service | coordinated groups of clients ("botnets") mounting denial of service | |||
attacks is still very real. TLS adds another vector for | attacks is still very real. TLS adds another vector for | |||
computational attacks, since a client can easily (with little | computational attacks, since a client can easily (with little | |||
computational effort) force the server to expend relatively large | computational effort) force the server to expend relatively large | |||
computational work. It is known that such attacks have in fact been | computational work. It is known that such attacks have in fact been | |||
mounted. | mounted. | |||
2.13. Implementation Issues | 2.13. Implementation Issues | |||
Even when the protocol is fully specified, the are very common issues | Even when the protocol is fully specified, there are very common | |||
that often plague implementations. In particular, the integration of | issues that often plague implementations. In particular, when | |||
higher-level protocols, TLS and its PKI-based authentication is the | integrating into higher-level protocols, TLS and its PKI-based | |||
source of misunderstandings and implementation "shortcuts". An | authentication are sometimes the source of misunderstandings and | |||
extensive survey of these issues can be found in [Georgiev2012]. | implementation "shortcuts". An extensive survey of these issues can | |||
be found in [Georgiev2012]. | ||||
o Implementations may omit validation of the server certificate | o Implementations may omit validation of the server certificate | |||
altogether. For example, this is true of the default | altogether. For example, this is true of the default | |||
implementation of HTTP client libraries in Python 2 (see e.g. | implementation of HTTP client libraries in Python 2 (see e.g. | |||
CVE-2013-2191). | CVE-2013-2191). | |||
o Implementations may not validate the server identity. This | o Implementations may not validate the server identity. This | |||
validation typically amounts to matching the protocol-level server | validation typically amounts to matching the protocol-level server | |||
name with the certificate's Subject Alternative Name field. Note: | name with the certificate's Subject Alternative Name field. Note: | |||
historically, although incorrect, this information is also often | historically, although incorrect, this information is also often | |||
skipping to change at page 8, line 23 | skipping to change at page 8, line 36 | |||
[I-D.ietf-tls-prohibiting-rc4] | [I-D.ietf-tls-prohibiting-rc4] | |||
Popov, A., "Prohibiting RC4 Cipher Suites", draft-ietf- | Popov, A., "Prohibiting RC4 Cipher Suites", draft-ietf- | |||
tls-prohibiting-rc4-00 (work in progress), July 2014. | tls-prohibiting-rc4-00 (work in progress), July 2014. | |||
[I-D.ietf-tls-encrypt-then-mac] | [I-D.ietf-tls-encrypt-then-mac] | |||
Gutmann, P., "Encrypt-then-MAC for TLS and DTLS", draft- | Gutmann, P., "Encrypt-then-MAC for TLS and DTLS", draft- | |||
ietf-tls-encrypt-then-mac-03 (work in progress), July | ietf-tls-encrypt-then-mac-03 (work in progress), July | |||
2014. | 2014. | |||
| [CVE] MITRE, , "Common Vulnerabilities and Exposures", | |||
| <https://cve.mitre.org/>. | |||
[CBC-Attack] | [CBC-Attack] | |||
AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | |||
the TLS and DTLS Record Protocols", IEEE Symposium on | the TLS and DTLS Record Protocols", IEEE Symposium on | |||
Security and Privacy , 2013. | Security and Privacy , 2013. | |||
[BEAST] Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS", | [BEAST] Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS", | |||
2011, <http://packetstormsecurity.com/files/105499/ | 2011, <http://packetstormsecurity.com/files/105499/ | |||
Browser-Exploit-Against-SSL-TLS.html>. | Browser-Exploit-Against-SSL-TLS.html>. | |||
[CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty | [CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty | |||
skipping to change at page 10, line 26 | skipping to change at page 10, line 39 | |||
implementations", 2014. | implementations", 2014. | |||
[Delignat14] | [Delignat14] | |||
Delignat-Lavaud, A. and K. Bhargavan, "Virtual Host | Delignat-Lavaud, A. and K. Bhargavan, "Virtual Host | |||
Confusion: Weaknesses and Exploits", Black Hat 2014, 2014. | Confusion: Weaknesses and Exploits", Black Hat 2014, 2014. | |||
Appendix A. Appendix: Change Log | Appendix A. Appendix: Change Log | |||
Note to RFC Editor: please remove this section before publication. | Note to RFC Editor: please remove this section before publication. | |||
A.1. draft-ietf-uta-tls-attacks-03 | A.1. draft-ietf-uta-tls-attacks-04 | |||
| o Implemented AD review comments. | |||
| A.2. draft-ietf-uta-tls-attacks-03 | |||
o Implemented WG Last Call comments. | o Implemented WG Last Call comments. | |||
o Virtual host confusion. | o Virtual host confusion. | |||
o STARTTLS command injection. | o STARTTLS command injection. | |||
o Added CVE numbers. | o Added CVE numbers. | |||
A.2. draft-ietf-uta-tls-attacks-02 | A.3. draft-ietf-uta-tls-attacks-02 | |||
o Added implementation issues ("most dangerous code"), | o Added implementation issues ("most dangerous code"), | |||
renegotiation, triple handshake. | renegotiation, triple handshake. | |||
o Added text re: mitigation of Lucky13. | o Added text re: mitigation of Lucky13. | |||
o Added applicability to DTLS. | o Added applicability to DTLS. | |||
A.3. draft-ietf-uta-tls-attacks-01 | A.4. draft-ietf-uta-tls-attacks-01 | |||
o Added SSL Stripping, attacks related to certificates, Diffie | o Added SSL Stripping, attacks related to certificates, Diffie | |||
Hellman parameters and denial of service. | Hellman parameters and denial of service. | |||
o Expanded on RC4 attacks, thanks to Andrei Popov. | o Expanded on RC4 attacks, thanks to Andrei Popov. | |||
A.4. draft-ietf-uta-tls-attacks-00 | A.5. draft-ietf-uta-tls-attacks-00 | |||
o Initial version, extracted from draft-sheffer-tls-bcp-01. | o Initial version, extracted from draft-sheffer-tls-bcp-01. | |||
Authors' Addresses | Authors' Addresses | |||
Yaron Sheffer | Yaron Sheffer | |||
Porticor | Porticor | |||
29 HaHarash St. | 29 HaHarash St. | |||
Hod HaSharon 4501303 | Hod HaSharon 4501303 | |||
Israel | Israel | |||
skipping to change at page 11, line 29 | skipping to change at page 11, line 45 | |||
Ralph Holz | Ralph Holz | |||
Technische Universitaet Muenchen | Technische Universitaet Muenchen | |||
Boltzmannstr. 3 | Boltzmannstr. 3 | |||
Garching 85748 | Garching 85748 | |||
Germany | Germany | |||
Email: holz@net.in.tum.de | Email: holz@net.in.tum.de | |||
Peter Saint-Andre | Peter Saint-Andre | |||
&yet | &yet | |||
P.O. Box 787 | ||||
Parker, CO 80134 | ||||
USA | ||||
Email: ietf@stpeter.im | Email: peter@andyet.com | |||
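Section 2.13 of the draft names two checks that implementations skip: validating the server certificate at all (the Python 2 HTTP client default, CVE-2013-2191) and matching the protocol-level server name against the certificate's Subject Alternative Name. The Python 3 code below is an added illustration, not text or code from the draft: it builds a client context with both checks enforced and implements the SAN dNSName comparison with the usual single-leftmost-label wildcard rule; the certificate dict and host names are constructed samples.

```python
"""Added example: the two checks from Section 2.13 (chain validation
and server-identity matching) done correctly in Python 3's ssl module."""
import socket
import ssl


def verified_context():
    # Python 3's default context performs both checks; the Python 2 HTTP
    # client libraries cited on the page (CVE-2013-2191) performed neither.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # identity check against the SAN field
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to a trusted root
    return ctx


def san_dns_names(cert):
    """dNSName entries from a dict in the shape ssl.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """Case-insensitive comparison; '*' is allowed only as the entire
    leftmost label, must leave at least two labels after it, and never
    matches more than one label of the presented name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial-label or top-level wildcards are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(cert, hostname):
    """True iff some SAN dNSName matches; only the SAN field is consulted,
    which is the field the draft says the server name must be matched to."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


# Constructed sample in ssl.getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}


def connect_verified(host, port=443):
    """Open a TLS connection with both checks enforced (requires network);
    a chain or hostname failure raises ssl.SSLCertVerificationError."""
    with socket.create_connection((host, port)) as sock:
        with verified_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("example.test", "www.example.test", "a.b.example.test", "evil.test"):
        print(name, identity_matches(SAMPLE_CERT, name))
```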