Who’s Talking to Your Browser?

Transcript

1. Who’s talking to your browser? David Evans Professor of Computer

   Science University of Virginia [email protected] https://www.cs.virginia.edu/evans Cybersecurity Awareness 7 December 2016

2. 1

3. 2

4. 3

5. Secure Web Connections 4 Client (Browser) MightBeEvil.org Server

6. Secure Web Connections 5 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado

7. Secure Web Connections 6 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado

   How can we know: (1)We are talking to the intended server (2)No one in the middle can observe or alter the content

8. Encryption 7 Encrypt Decrypt Plaintext Ciphertext Plaintext Insecure Channel Key

   Key Symmetric Crypto: channel encrypted with shared secret key. Bob MightBeEvil.org Alice Client (Browser) Server

9. Symmetric Encryption 8 Jefferson’s Cipher Wheel (1802) “on the periphery

   of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike.”

10. Modern Symmetric Encryption 9 AES Round 128 or more key

    bits ~1017 J needed for most efficient possible brute force attack Very inexpensive: instructions built in to most processors

11. Modern Symmetric Encryption 10 AES Round 128 or more key

    bits ~1017 J needed for most efficient possible brute force attack Very inexpensive: instructions built in to most processors

12. Secure Web Connections 11 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado

    How can we know: (1)We are talking to the intended server ü No one in the middle can observe or alter the content

13. Asymmetric (Public Key) Encryption: Confidentiality 12 Encrypt Decrypt Plaintext Ciphertext

    Plaintext Bob’s Public Key Bob’s Private Key Alice Bob Insecure Channel Asymmetric Crypto: Alice obtains Bob’s Public Key, and can send private messages to Bob.

14. 13 Client Server Hello I’m “mightbeevil.org” and my public key

    is Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: ,

15. 14 Encrypt Decrypt Plaintext Ciphertext Plaintext Bob’s Public Key Bob’s

    Private Key Alice Bob Insecure Channel Signatures: Bob’s signs a message with his Private Key; Alice verifies signature with Bob’s Public Key. Asymmetric (Public Key) Encryption: Confidentiality Signatures

16. 15 Client Server Hello Sign (“mightbeevil.org” has public key )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using

17. goto fail; 16

18. 17 static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t

    *signature, UInt16 signatureLen) { … if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; err = sslRawVerify(ctx, ctx->peerPubKey, dataToSign, dataToSignLen, signature, signatureLen); if(err) { sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify returned %d\n", (int)err); goto fail; } fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; } Apple’s Implementation (cleaned up and excerpted)

19. 18 Client Server Hello Sign (“mightbeevil.org” has public key )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using How does the server get its certificate?

20. Certificates 19 VarySign.com virginia.edu virginia.edu, Generates key pair: , Sign

    (“virginia.edu” has public key ) $$$

21. 20

22. 21

23. 22

24. 23

25. 24

26. 25 Client Server Hello Sign (“mightbeevil.org”has public key is )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using How does the client (browser) get ?

27. 26

28. 27 Client Server Hello Sign (“mightbeevil.org”has public key is )

    Generate random () Decrypt using Secure channel using Super-Simplified TLS Protocol Generates key pair: , Verify Certificate using

29. 28 Client Server Hello, Ciphers: [..., RSA-1024, DHE, …] Sign

    (“mightbeevil.org”has public key is ), Cipher: RSA-1024 Generate random () Decrypt using Secure channel using Slightly Less-Simplified TLS Protocol Generates key pair: , Verify Certificate using Picks ciphers to use

30. 29 Client Server Hello, Ciphers: [..., RSA-1024, …] Sign (“mightbeevil.org”has

    public key is ), Cipher: DH-E Generate random () Decrypt using Secure channel using Slightly Less-Simplified TLS Protocol Generates key pair: , Verify Certificate using Picks ciphers to use

31. Why Weak Ciphers are Supported? 30 Client Hello, Ciphers: [...,

    RSA-1024, …] Sign (“mightbeevil.org”has public key is ), Cipher: DHE-E Hello, Ciphers: [DHE-E, …]

32. 31

33. 32

34. Logjam Attack 33

35. Cause for Hope? 34

36. 35

37. 36 Coming in January!

38. 37 Coming in January!

39. 38 Coming in January!

40. Image from http://www.theregister.co.uk/2015/02/22/lenovo_superfish_removal_tool/ (but I think they stole it from

    Monsters and Aliens) Becoming More Paranoid

41. 40

42. 41 https://www.google.com/#q=chair

43. 42 • Internet explorer connects to a web server on

    port 443 using SSL. The data is encrypted. • Komodia’s SSL hijacker intercepts the communication and redirects it to Komodia’s Redirector. The channel between the SSL hijacker and the Redirector is encrypted. • At this stage, Komodia’s Redirector can shape the traffic, block it, or redirect it to another website. • Communication between the Redirector and the website is encrypted using SSL. • All data received from the website can be again modified and/or blocked. When data manipulation is done, it is forwarded again to Internet explorer. • The browser displays the SSL lock, and the session will not display any “Certificate warnings”. http://www.komodia.com/products/komodias-ssl-decoderdigestor (in archive.org)

44. David Evans [email protected] www.cs.virginia.edu/evans