Who’s Talking to Your Browser?

David Evans
December 07, 2016

Cybersecurity Awareness at UVA
Commonwealth Room
Charlottesville, VA
7 December 2016


Transcript

  1. Who’s talking to your browser? David Evans, Professor of Computer Science, University of Virginia. evans@virginia.edu https://www.cs.virginia.edu/evans Cybersecurity Awareness, 7 December 2016
  2. 1

  3. 2

  4. 3

  5. Secure Web Connections 4 Client (Browser) MightBeEvil.org Server

  6. Secure Web Connections 5 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado

  7. Secure Web Connections 6 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado

    How can we know: (1) We are talking to the intended server (2) No one in the middle can observe or alter the content
  8. Encryption 7 Encrypt Decrypt Plaintext Ciphertext Plaintext Insecure Channel Key

    Key Symmetric Crypto: channel encrypted with shared secret key. Bob MightBeEvil.org Alice Client (Browser) Server
  9. Symmetric Encryption 8 Jefferson’s Cipher Wheel (1802)

    “on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike.”
  10. Modern Symmetric Encryption 9 AES Round

    128 or more key bits. ~10^17 J needed for most efficient possible brute force attack. Very inexpensive: instructions built in to most processors
  11. Modern Symmetric Encryption 10 AES Round

    128 or more key bits. ~10^17 J needed for most efficient possible brute force attack. Very inexpensive: instructions built in to most processors
  12. Secure Web Connections 11 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado

    How can we know: (1) We are talking to the intended server ✓ No one in the middle can observe or alter the content
  13. Asymmetric (Public Key) Encryption: Confidentiality 12 Encrypt Decrypt Plaintext Ciphertext

    Plaintext Bob’s Public Key Bob’s Private Key Alice Bob Insecure Channel Asymmetric Crypto: Alice obtains Bob’s Public Key, and can send private messages to Bob.
  14. 13 Client Server Hello I’m “mightbeevil.org” and my public key

    is Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: ,
  15. 14 Encrypt Decrypt Plaintext Ciphertext Plaintext Bob’s Public Key Bob’s Private Key Alice Bob Insecure Channel

    Signatures: Bob signs a message with his Private Key; Alice verifies the signature with Bob’s Public Key. Asymmetric (Public Key) Encryption: Confidentiality Signatures
  16. 15 Client Server Hello Sign (“mightbeevil.org” has public key )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using
  17. goto fail; 16

  18. 17 Apple’s Implementation (cleaned up and excerpted)

        static OSStatus
        SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                         uint8_t *signature, UInt16 signatureLen)
        {
            …
            if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
                goto fail;
            if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
                goto fail;
            if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
                goto fail;
                goto fail;  /* duplicated line: always taken, so everything below is skipped with err == 0 */
            if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
                goto fail;

            err = sslRawVerify(ctx, ctx->peerPubKey, dataToSign, dataToSignLen,
                               signature, signatureLen);
            if (err) {
                sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify returned %d\n", (int)err);
                goto fail;
            }

        fail:
            SSLFreeBuffer(&signedHashes);
            SSLFreeBuffer(&hashCtx);
            return err;
        }
  19. 18 Client Server Hello Sign (“mightbeevil.org” has public key )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using How does the server get its certificate?
  20. Certificates 19 VarySign.com virginia.edu virginia.edu, Generates key pair: , Sign

    (“virginia.edu” has public key ) $$$
  21. 20

  22. 21

  23. 22

  24. 23

  25. 24

  26. 25 Client Server Hello Sign (“mightbeevil.org” has public key is )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using How does the client (browser) get ?
  27. 26

  28. 27 Client Server Hello Sign (“mightbeevil.org” has public key is )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using
  29. 28 Client Server Hello, Ciphers: [..., RSA-1024, DHE, …] Sign (“mightbeevil.org” has public key is ), Cipher: RSA-1024

    Generate random () Decrypt using Secure channel using Slightly Less-Simplified TLS Protocol Generates key pair: , Verify Certificate using Picks ciphers to use
  30. 29 Client Server Hello, Ciphers: [..., RSA-1024, …] Sign (“mightbeevil.org” has public key is ), Cipher: DH-E

    Generate random () Decrypt using Secure channel using Slightly Less-Simplified TLS Protocol Generates key pair: , Verify Certificate using Picks ciphers to use
  31. Why Are Weak Ciphers Supported? 30 Client Hello, Ciphers: [..., RSA-1024, …] Sign (“mightbeevil.org” has public key is ), Cipher: DHE-E Hello, Ciphers: [DHE-E, …]
  32. 31

  33. 32

  34. Logjam Attack 33

  35. Cause for Hope? 34

  36. 35

  37. 36 Coming in January!

  38. 37 Coming in January!

  39. 38 Coming in January!

  40. Becoming More Paranoid

    Image from http://www.theregister.co.uk/2015/02/22/lenovo_superfish_removal_tool/ (but I think they stole it from Monsters and Aliens)
  41. 40

  42. 41 https://www.google.com/#q=chair

  43. 42 From http://www.komodia.com/products/komodias-ssl-decoderdigestor (in archive.org):

    • Internet explorer connects to a web server on port 443 using SSL. The data is encrypted.
    • Komodia’s SSL hijacker intercepts the communication and redirects it to Komodia’s Redirector. The channel between the SSL hijacker and the Redirector is encrypted.
    • At this stage, Komodia’s Redirector can shape the traffic, block it, or redirect it to another website.
    • Communication between the Redirector and the website is encrypted using SSL.
    • All data received from the website can be again modified and/or blocked. When data manipulation is done, it is forwarded again to Internet explorer.
    • The browser displays the SSL lock, and the session will not display any “Certificate warnings”.
  44. David Evans evans@virginia.edu www.cs.virginia.edu/evans
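
The control-flow bug in the SSLVerifySignedServerKeyExchange excerpt on the "goto fail" slides, reduced to a self-contained program with a hardened variant beside it. This is an added example, not code from the talk or from Apple; `hash_update`, `raw_verify`, `toy_sign` and the toy hash are constructed stand-ins for the real primitives.

```c
#include <stdio.h>
enum { OK = 0, ERR_BAD_SIG = -1 };

/* Constructed stand-in for SSLHashSHA1.update: folds data into a toy hash. */
static int hash_update(unsigned *h, const char *data) {
    for (; *data; data++) *h = *h * 31u + (unsigned char)*data;
    return OK;
}
/* Toy signature scheme (assumption): a signature is valid iff it equals the hash. */
unsigned toy_sign(const char *cr, const char *sr, const char *params) {
    unsigned h = 0;
    hash_update(&h, cr); hash_update(&h, sr); hash_update(&h, params);
    return h;
}
static int raw_verify(unsigned h, unsigned sig) { return h == sig ? OK : ERR_BAD_SIG; }

/* Same control flow as the excerpt: the second goto is unconditional, so
   raw_verify() is never reached and err still holds OK from the last update. */
int verify_buggy(const char *cr, const char *sr, const char *params, unsigned sig) {
    int err; unsigned h = 0;
    if ((err = hash_update(&h, cr)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr)) != 0)
        goto fail;
    if ((err = hash_update(&h, params)) != 0)
        goto fail;
        goto fail;
    err = raw_verify(h, sig);
fail:
    return err;
}

/* Hardened form: braces on every branch, and err starts as failure so that
   only a completed raw_verify() can report success. */
int verify_fixed(const char *cr, const char *sr, const char *params, unsigned sig) {
    int err = ERR_BAD_SIG; unsigned h = 0;
    if (hash_update(&h, cr) != OK) { goto done; }
    if (hash_update(&h, sr) != OK) { goto done; }
    if (hash_update(&h, params) != OK) { goto done; }
    err = raw_verify(h, sig);
done:
    return err;
}

int main(void) {
    unsigned forged = toy_sign("client", "server", "params") + 1; /* wrong on purpose */
    printf("buggy: %d, fixed: %d (0 means accepted)\n",
           verify_buggy("client", "server", "params", forged),
           verify_fixed("client", "server", "params", forged));
    return 0;
}
```

Compiling with `-Wall` on a recent GCC flags the stray line through `-Wmisleading-indentation`, which is one inexpensive check that catches this pattern before review.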