7th Kuwait Info Security Forum 2015

1. SSL, The Ugly Beast!
Dr. Omar Al Ibrahim
Security Consultant & Researcher, omProtect.
oalibrahim@omprotect.com
Website: www.omprotect.com

2. Who am I ?
• Security Researcher & Consultant, omProtect.
• Assistant Professor at Kuwait University.
• Previous: Virtual Security Research (VSR) LLC. , Cigital
Inc. (USA)
• Application Security, Penetration Testing and Vulnerability
Assessment
• Ph.D. in Computer Science from Southern Methodist
University (USA) in 2012, Masters in Computer Science
from Rice University (USA) in 2007
• GIAC Reverse Engineering Malware (GREM) certified
• Associate of ISC2 (CISSP)
• OWASP Lifetime Member

3. Our Services
• Consultancy / Penetration Testing
– Internal/External Network Penetration Testing
– Web Application Penetration Testing
– Enterprise Product Testing
– Architecture Review, Source Code Review
– Digital Forensics, Malware Analysis
• Compliance
– PCI, ISO 27000 series, smart card standards ...
• Training
– Fundamental Security Concepts
– Organizational Security Awareness
– Developer Training

4. WHAT IS SSL?
Part 1: Introduction

5. Unencrypted Traffic
• Suppose you login to the unencrypted KU-Wifi
hotspot and type in your KU account credentials on
the prompted web form.
BY OMAR AL IBRAHIM

6. Unencrypted Traffic
BY OMAR AL IBRAHIM
Wireshark Capture of the Submitted Login Form
Our wifi password in
plaintext!
We need encryption!

7. What is SSL?
• SSL is the protocol used for most secure
transactions over the Internet
• For example, if you want to buy a book at
amazon.com…
– You want to be sure you are dealing with Amazon (authentication)
– Your credit card information must be protected in transit
(confidentiality and/or integrity)
– As long as you have money, Amazon doesn’t care who you are
(authentication need not be mutual)
• Defined in RFC2246, http://www.ietf.org/rfc/
rfc2246.txt
• Open-source implementation at http://
www.openssl.org/

8. SSL / TLS in the Real World

9. SSL History
• Evolved through
– Unreleased v1 (Netscape)
– Flawed-but-useful v2
– Version 3 from scratch
– Standard TLS1.0
• SSL3.0 with minor tweaks, hence Version field is 3.1
– Standard TLS1.1
• Protection against CBC attacks and handling of
padding errors
– Standard TLS1.2
• Enhancements to ciphersuite
BY OMAR AL IBRAHIM

10. SSL HANDSHAKE PROTOCOL
Part 2

11. Technical Description
OFFER CIPHER SUITE
MENU TO SERVER
SELECT A CIPHER SUITE
SEND CERTIFICATE AND
CHAIN TO CA ROOT
CLIENT SIDE SERVER SIDE
SEND PUBLIC KEY TO
ENCRYPT SYMM KEY
SERVER NEGOTIATION
FINISHED
SEND ENCRYPTED
SYMMETRIC KEY
SOURCE: THOMAS, SSL AND TLS ESSENTIALS
ACTIVATE
ENCRYPTION
CLIENT PORTION
DONE
( SERVER CHECKS OPTIONS )
ACTIVATESERVER
ENCRYPTION
SERVER PORTION
DONE
( CLIENT CHECKS OPTIONS )
NOW THE PARTIES CAN USE SYMMETRIC ENCRYPTION
BY OMAR AL IBRAHIM

12. Client Hello - Cipher Suites
INITIAL (NULL) CIPHER SUITE
PUBLIC-KEY
ALGORITHM
SYMMETRIC
ALGORITHM
HASH
ALGORITHM
CIPHER SUITE CODES USED
IN SSL MESSAGES
SSL_NULL_WITH_NULL_NULL = { 0, 0 }
SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
SSL_RSA_WITH_NULL_SHA = { 0, 2 }
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }
BY OMAR AL IBRAHIM

13. Server Hello
• Version
• Random Number
– Protects against handshake replay
• Session ID
– Provided to the client for later resumption of the session
• Cipher suite
– Usually picks client’s best preference – No obligation
• Compression method
BY OMAR AL IBRAHIM

14. SSL Handshake Capture
Client: 192.168.8.100, Server: 2.19.28.244

15. sslscan
BY OMAR AL IBRAHIM
Tool to scan server-side cipher-suite:
Weak algorithms
Short keys
No encryption

16. Qualys SSL Scan
• Qualys SSL Server Test
https://www.ssllabs.com/ssltest/
• Deep analysis of the
configuration of any
SSL web server on the
public Internet
• Checks for cipher-suite
strength, certificate trust
and resistance to
emerging attacks.
Gives letter
grade rating

17. SSL CERTIFICATES
Part 3

18. SSL Certificate
• Subject. Provides the name of the computer,
user, network device, or service that the CA
issues the certificate to. The subject name is
commonly represented by using an X.500 or
Lightweight Directory Access Protocol
(LDAP) format.
• Serial Number. Provides a unique identifier
for each certificate that a CA issues.
• Issuer. Provides a distinguished name for the
CA that issued the certificate. The issuer
name is commonly represented by using an
X.500 or LDAP format.
• Valid From. Provides the date and time when
the certificate becomes valid.
• Valid To. Provides the date and time when
the certificate is no longer considered valid.
• Public Key. Contains the public key of the
key pair that is associated with the certificate.
BY OMAR AL IBRAHIM

19. Generating SSL Certificates
Using Openssl library
• Generate a private key and a certificate signing request
(CSR):
Omars-MacBook-Pro-2:OpensslTutorial omar$ openssl req -newkey rsa:2048 -nodes -keyout
domain.key -out domain.csr
Generating a 2048 bit RSA private key
...............+++
..............+++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
[…]
-----
Country Name (2 letter code) [AU]:KW
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Kuwait City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:omProtect
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:omprotect.com
Email Address []:oalibrahim@omprotect.com

20. Certificate Authority (CA)
• Entity that issues digital certificates
• CA is a trusted third party – i.e. trusted by both the
owner of the certificate and the party relaying upon it.
• Examples of CAs include Comodo, GlobalSign,
VeriSign, and DigiCert.
BY OMAR AL IBRAHIM

21. Root CAs
• CA can issue multiple
certificates in the form of a
tree.
• Root certificates are the top-
most certificates of the tree.
• Web browsers are equipped
with root certificates that are
self-signed by root CAs.
• Root CAs are considered the
trust anchors of the
certificate chain.
BY OMAR AL IBRAHIM

22. Digital Signature for Certificate
BY OMAR AL IBRAHIM
• A CA uses its private key to digitally
sign each certificate it issues.
• To create the digital signature, the
CA generates a message digest from
the certificate, encrypts using its
private key, and includes the digital
signature as part of the certificate.
• Anyone can use the message digest
function and the CA’s public key to
verify the certificate’s integrity.
• If a certificate becomes corrupted or
someone tampers with it, the message
digest for the altered certificate does
not match the digest in the CA’s
digital signature.
K-(H(Cert))

23. Certificate Chain
BY OMAR AL IBRAHIM
A certificate chain consists of all the certificates needed to certify the subject
identified by the end certificate. In practice this includes the end certificate, the
certificates of intermediate CAs, and the certificate of a root CA trusted by all
parties in the chain.

24. Trusted Certificate

25. Untrusted Certificate!
BY OMAR AL IBRAHIM

26. Validating a Certificate
OwnerA DN
Owner A public
key
Issuer B’s DN
Issuer B’s
Signature
Cert Ext.
Owner B DN
Owner B public
key
Issuer C’s DN
Issuer C’s
Signature
Cert Ext.
Owner A
Owner B
Decrypt
Digest
Equal?
N
Reject
Y
Continue
Validation
Owner C DN
Owner C public
key
Owner C
Signature
Cert Ext.
Owner C (Root)
…..
Certificate Chain A-B-C

27. • Hard-code in the client the certificate known to be
used by the server.
1. Pin the server’s certificate itself
2. Pin the CA certificate used to sign the server’s
certificate
• Advantages: Avoid risks of flaws in certificate
validation checks and threats of rogue or
compromised CA
• Disadvantages: Unscalable, requires provisioning
Certificate Pinning

28. Problems in the certificate chain:
• Compromised CAs issuing fraudulent certificates
• Uncompromised CAs issuing fraudulent certificates (by mistake or
otherwise)
• If a user (or browser vendor) loses trust in a CA, removing the CA from the
browser's list of trusted authorities means losing trust in all the sites which
used that CA.
SSL Convergence
Certificate Authority Market Share
Courtesy of Netcraft, 2013 Survey

29. • Convergence provides a level of redundancy
by having several authorities (so called
notaries) to vouch for a single site.
• A user can choose to trust several notaries and
consults them to decide whether a site should
be trusted or not (as opposed to trusting a
single authority).
SSL Convergence

30. SSL ATTACKS
Part 4

31. • Padding Oracle On Downgraded Legacy
Encryption (CVE-2014-3566)
• Unlike proper negotiations, many TLS clients
implement a protocol downgrade dance to
work around server-side interoperability bugs.
• This allows MitM attacks to confine clients
with SSLv3, from which hackers can exploit
CBC encryption.
POODLE Attack

32. Downgrade Dance

33. • After downgrade, hackers can break the
cryptographic security of SSL 3.0 using
padding oracle attacks.
• To remediate against vulnerability, SSL 3.0
must be disabled or at the very least TLS
implementations should make use of
TLS_FALLBACK_SCSV.
POODLE Attack

34. Heartbleed Bug
• Security bug disclosed in April
2014 in the OpenSSL
cryptography library
(CVE-2014-0160).
• Allows anyone on the Internet to
read the memory of the systems
protected by the vulnerable
versions of the OpenSSL
software.
• Compromises the secret keys used
to identify the service providers
and to encrypt the traffic, the
names and passwords of the users
and the actual content.

35. Heartbleed Example
• Run attack script:
$ python ssltest.py somewebsite.gov.kw
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 4256
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384

36. Heartbleed Example
• Received Heartbleed response:
0170: 2C 2A 3B 71 3D 30 2E 33 0D 0A 43 6F 6F 6B 69 65 ,*;q=0.3..Cookie
0180: 3A 20 4A 53 65 72 76 53 65 73 73 69 6F 6E 49 64 : JServSessionId
0190: 72 6F 6F 74 3D 78 6D 75 66 67 66 62 6D 6A 67 2E root=xmufgfbmjg.
01a0: 6F 52 6A 52 6D 6B 7A 4F 6D 51 58 50 71 42 66 4E oRjRmkzOmQXPqBfN
01b0: 63 41 4C 4A 6D 51 35 47 6F 36 58 4E 72 33 43 4D cALJmQ5Go6XNr3CM
01c0: 62 33 79 4F 3B 20 42 4E 45 53 5F 4A 53 65 72 76 b3yO; BNES_JServ
01d0: 53 65 73 73 69 6F 6E 49 64 72 6F 6F 74 3D 49 4F SessionIdroot=IO
01e0: 76 6A 66 6B 2F 42 2B 6B 58 78 4B 35 32 38 4C 31 vjfk/B+kXxK528L1
01f0: 67 70 47 45 6F 36 31 33 71 38 43 70 43 4C 2B 79 gpGEo613q8CpCL+y
0200: 49 42 71 2F 70 76 47 79 77 4C 34 61 62 59 59 65 IBq/pvGywL4abYYe
0210: 58 76 4C 62 64 30 68 76 5A 64 55 4E 49 54 4E 56 XvLbd0hvZdUNITNV
0220: 41 46 37 57 6E 69 6B 62 6A 71 50 5A 71 4F 35 55 AF7WnikbjqPZqO5U
0230: 33 65 36 65 52 75 73 43 6B 56 39 44 53 50 37 69 3e6eRusCkV9DSP7i
0240: 6F 70 35 57 7A 52 51 51 73 48 46 34 79 46 79 37 op5WzRQQsHF4yFy7
0250: 73 33 63 35 6F 2F 73 4D 47 6C 5A 77 78 59 65 74 s3c5o/sMGlZwxYet
0260: 68 69 61 48 76 69 43 68 5A 42 64 50 69 32 42 36 hiaHviChZBdPi2B6
0270: 72 46 75 41 3D 3D 0D 0A 0D 0A E6 C0 41 C7 A5 32 rFuA==…

37. MAN-IN-THE-MIDDLE
ATTACKS
Part 5

38. • Tool provided by Moxie Marlinspike in 2009
• MITM attack tool that forces a victim's browser
into communicating with an adversary in plaintext
over HTTP, and the adversary proxies the
modified content from an HTTPS server.
• "stripping" https:// URLs and turning them into
http:// URLs
• Uses ARP spoofing to redirect traffic of victim
host at the link-level.
sslstrip

39. Superfish Lenovo Incident
• Lenovo sold laptops that
contained Superfish adware pre-
installed since Dec 2014.
• The adware delivers its web
content through SSL-encrypted
channel using trusted self-signed
certificate.
• The root private key is also
included on all affected systems
which are encrypted with a
guessable password “komodia”
• Allowed for widespread MitM
attacks.

40. • Configure server to choose strong cipher-suite for key exchange,
authentication, bulk ciphers, and message authentication.
– Use sufficiently long key size (e.g. 2048 bits asymmetric, 168 bit
symmetric)
– Avoid null ciphers and RC4
– Give precedence to most secure ciphers first.
• Disable SSL 2.0 and SSL 3.0 to prevent POODLE and calculation of
plaintext by network attackers.
• Disable TLS 1.0 Compression to avoid CRIME attacks.
• Utilize TLSFALLBACKSCSV that seeks to prevent forced SSL
downgrades
• If using openssl library, update to the latest patched version to avoid
heartbleed bug.
Recommendations

41. • Consult a reputable CA to sign your root certificates.
• Avoid self-signed and expired certificates.
• Do not keep certificates trusted for overly-long periods and employ
key rotation.
• When creating certificates use a strong password to guard access to
private key, and keep root keys encrypted and offline.
• Make sure your end user certificates are not signing certificates.
• Make sure your public-private keys are generated with random seed
and proper tools.
• Employ key splitting procedure if necessary.
• Require use of client-certificates for highly-critical systems.
Recommendations

42. Questions
Omar Al Ibrahim, Ph.D. , GREM
Security Researcher & Consultant, omProtect.
oalibrahim@omprotect.com
LinkedIn: http://www.linkedin.com/in/oalibrahim
Website: www.omprotect.com

43. Anything Wrong?