1. SSL, The Ugly Beast!
Dr. Omar Al Ibrahim
Security Consultant & Researcher, omProtect.
oalibrahim@omprotect.com
Website: www.omprotect.com
2. Who am I ?
• Security Researcher & Consultant, omProtect.
• Assistant Professor at Kuwait University.
• Previous: Virtual Security Research (VSR) LLC, Cigital Inc. (USA)
• Application Security, Penetration Testing and Vulnerability
Assessment
• Ph.D. in Computer Science from Southern Methodist
University (USA) in 2012, Masters in Computer Science
from Rice University (USA) in 2007
• GIAC Reverse Engineering Malware (GREM) certified
• Associate of ISC2 (CISSP)
• OWASP Lifetime Member
3. Our Services
• Consultancy / Penetration Testing
– Internal/External Network Penetration Testing
– Web Application Penetration Testing
– Enterprise Product Testing
– Architecture Review, Source Code Review
– Digital Forensics, Malware Analysis
• Compliance
– PCI, ISO 27000 series, smart card standards ...
• Training
– Fundamental Security Concepts
– Organizational Security Awareness
– Developer Training
5. Unencrypted Traffic
• Suppose you log in to the unencrypted KU-Wifi hotspot and type your KU
account credentials into the web form it prompts you with.
BY OMAR AL IBRAHIM
6. Unencrypted Traffic
[Figure: Wireshark capture of the submitted login form. The submitted password is visible in plaintext.]
We need encryption!
7. What is SSL?
• SSL (and its successor TLS) is the protocol behind most secure
transactions over the Internet, including HTTPS
• For example, if you want to buy a book at amazon.com…
– You want to be sure you are dealing with Amazon (authentication)
– Your credit card information must be protected in transit
(confidentiality and integrity)
– As long as you have money, Amazon doesn't care who you are
(authentication need not be mutual: the server is authenticated, the client usually is not)
• SSL 3.0 is documented in RFC 6101; TLS 1.0, its standardized successor, is defined in RFC 2246,
http://www.ietf.org/rfc/rfc2246.txt
• Open-source implementation at http://www.openssl.org/
9. SSL History
• Evolved through
– Unreleased v1 (Netscape)
– Flawed-but-useful v2 (Netscape, 1995)
– Version 3, redesigned from scratch (1996)
– Standard TLS 1.0 (RFC 2246, 1999)
• SSL 3.0 with minor tweaks, hence the version field on the wire is 3.1
– Standard TLS 1.1 (RFC 4346, 2006)
• Explicit per-record IVs as protection against CBC attacks, and safer handling of
padding errors
– Standard TLS 1.2 (RFC 5246, 2008)
• Cipher-suite enhancements: SHA-256 based PRF and AEAD suites such as AES-GCM
11. Technical Description
Handshake overview (source: Thomas, SSL and TLS Essentials):
Client -> Server: offer cipher suite menu to server (Client Hello)
Server -> Client: select a cipher suite; send certificate and chain to CA root; send public key to encrypt symmetric key; server negotiation finished
Client -> Server: send encrypted symmetric key; activate encryption; client portion done
(server checks options)
Server -> Client: activate encryption; server portion done
(client checks options)
Now the parties can use symmetric encryption.
13. Server Hello
• Version
• Random Number
– Protects against handshake replay
• Session ID
– Provided to the client for later resumption of the session
• Cipher suite
– One suite chosen from the client's list; usually the client's best preference, but the
server is under no obligation and a hardened server enforces its own preference order
• Compression method
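The Server Hello fields listed above, as an added example (not from the original slides): a small Go parser that reads one TLS record carrying a ServerHello and flags the choices a scanner such as sslscan would report as weak. The record bytes are constructed inline for the demonstration, not captured from a real server, and the function names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ServerHello carries the fields listed on the slide.
type ServerHello struct {
	Version     uint16
	Random      [32]byte
	SessionID   []byte
	CipherSuite uint16
	Compression byte
}

const (
	recordTypeHandshake  = 0x16
	handshakeServerHello = 0x02
)

// ParseServerHello parses one TLS record that carries a ServerHello handshake message:
// record header (type, version, length) -> handshake header (type, 3-byte length) -> body.
func ParseServerHello(rec []byte) (*ServerHello, error) {
	if len(rec) < 5 {
		return nil, errors.New("record too short")
	}
	if rec[0] != recordTypeHandshake {
		return nil, fmt.Errorf("not a handshake record (content type %#x)", rec[0])
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen {
		return nil, errors.New("truncated record")
	}
	hs := rec[5 : 5+recLen]
	if len(hs) < 4 || hs[0] != handshakeServerHello {
		return nil, errors.New("not a ServerHello message")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return nil, errors.New("truncated handshake message")
	}
	body := hs[4 : 4+hsLen]
	if len(body) < 2+32+1 {
		return nil, errors.New("ServerHello body too short")
	}
	sh := &ServerHello{Version: binary.BigEndian.Uint16(body[0:2])}
	copy(sh.Random[:], body[2:34])
	sidLen := int(body[34]) // session ID: 0..32 bytes, offered for later resumption
	p := 35
	if sidLen > 32 || len(body) < p+sidLen+3 {
		return nil, errors.New("bad session ID length or truncated body")
	}
	sh.SessionID = append([]byte(nil), body[p:p+sidLen]...)
	p += sidLen
	sh.CipherSuite = binary.BigEndian.Uint16(body[p : p+2])
	sh.Compression = body[p+2]
	return sh, nil // extensions, if present, follow and are ignored here
}

// Assess flags choices a scanner such as sslscan would report as weak.
func Assess(sh *ServerHello) []string {
	var w []string
	switch sh.CipherSuite {
	case 0x0000, 0x0001, 0x0002, 0x003B: // TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_NULL_{MD5,SHA,SHA256}
		w = append(w, "NULL cipher suite: no encryption")
	case 0x0004, 0x0005: // TLS_RSA_WITH_RC4_128_{MD5,SHA}
		w = append(w, "RC4 stream cipher")
	case 0x000A: // TLS_RSA_WITH_3DES_EDE_CBC_SHA
		w = append(w, "3DES: 112-bit effective key")
	}
	if sh.Compression != 0 {
		w = append(w, "TLS compression enabled (CRIME)")
	}
	if sh.Version < 0x0301 {
		w = append(w, "SSL 3.0 or older negotiated (POODLE)")
	}
	return w
}

// BuildServerHello constructs a sample record (test data, not a real capture): TLS 1.2,
// a 32-byte session ID, the given cipher suite and compression method.
func BuildServerHello(suite uint16, compression byte) []byte {
	body := []byte{0x03, 0x03}
	for i := 0; i < 32; i++ {
		body = append(body, byte(i)) // stand-in for the 32-byte server random
	}
	body = append(body, 32)
	for i := 0; i < 32; i++ {
		body = append(body, byte(0xA0+i)) // stand-in session ID
	}
	body = append(body, byte(suite>>8), byte(suite), compression)
	hs := append([]byte{handshakeServerHello, 0, 0, byte(len(body))}, body...)
	rec := []byte{recordTypeHandshake, 0x03, 0x03, 0, 0}
	binary.BigEndian.PutUint16(rec[3:5], uint16(len(hs)))
	return append(rec, hs...)
}

func main() {
	for _, rec := range [][]byte{BuildServerHello(0xC02F, 0), BuildServerHello(0x0005, 1)} {
		sh, err := ParseServerHello(rec)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("version %#04x suite %#04x session-id %d bytes compression %d warnings %v\n",
			sh.Version, sh.CipherSuite, len(sh.SessionID), sh.Compression, Assess(sh))
	}
}
```

The first sample negotiates TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) without compression and gets no warnings; the second picks RC4 with compression enabled and is flagged twice, which is exactly the kind of finding sslscan or the Qualys test would report on the next slides.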
15. sslscan
Tool to scan the server-side cipher suites for:
• Weak algorithms
• Short keys
• No encryption
16. Qualys SSL Scan
• Qualys SSL Server Test: https://www.ssllabs.com/ssltest/
• Deep analysis of the configuration of any SSL web server on the public Internet
• Checks for cipher-suite strength, certificate trust and resistance to emerging attacks
• Gives a letter-grade rating
18. SSL Certificate
• Subject. Provides the name of the computer,
user, network device, or service that the CA
issues the certificate to. The subject name is
commonly represented by using an X.500 or
Lightweight Directory Access Protocol
(LDAP) format.
• Serial Number. Provides a unique identifier
for each certificate that a CA issues.
• Issuer. Provides a distinguished name for the
CA that issued the certificate. The issuer
name is commonly represented by using an
X.500 or LDAP format.
• Valid From. Provides the date and time when
the certificate becomes valid.
• Valid To. Provides the date and time when
the certificate is no longer considered valid.
• Public Key. Contains the public key of the
key pair that is associated with the certificate.
19. Generating SSL Certificates
Using the OpenSSL command-line tool
• Generate a private key and a certificate signing request (CSR). Note that browsers
match the hostname against the Subject Alternative Name extension rather than the
Common Name, so with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:omprotect.com"
to the command; -nodes leaves the private key unencrypted on disk, so protect the file accordingly:
Omars-MacBook-Pro-2:OpensslTutorial omar$ openssl req -newkey rsa:2048 -nodes -keyout
domain.key -out domain.csr
Generating a 2048 bit RSA private key
...............+++
..............+++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
[…]
-----
Country Name (2 letter code) [AU]:KW
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Kuwait City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:omProtect
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:omprotect.com
Email Address []:oalibrahim@omprotect.com
20. Certificate Authority (CA)
• Entity that issues digital certificates
• A CA is a trusted third party, i.e. trusted by both the owner of the
certificate and the party relying upon it.
• Examples of CAs include Comodo, GlobalSign, VeriSign, and DigiCert.
21. Root CAs
• A CA can issue certificates to subordinate CAs, which issue further
certificates, so the issued certificates form a tree.
• Root certificates are the top-most certificates of the tree.
• Web browsers and operating systems ship with a store of root
certificates, which are self-signed by the root CAs.
• Root CAs are therefore the trust anchors of the certificate chain.
22. Digital Signature for Certificate
• A CA uses its private key to digitally sign each certificate it issues.
• To create the digital signature, the CA computes a message digest of the
certificate's signed portion, transforms the digest with its private key
(for RSA this is often described as "encrypting" the digest), and includes
the result as the certificate's signature field.
• Anyone can recompute the digest and use the CA's public key to verify
the signature, and hence the certificate's integrity.
• If a certificate becomes corrupted or someone tampers with it, the
recomputed digest does not match the digest recovered from the CA's
digital signature.
Signature = K⁻(H(Cert)), the digest H(Cert) transformed with the CA's private key K⁻
23. Certificate Chain
A certificate chain consists of all the certificates needed to certify the subject
identified by the end certificate. In practice this includes the end certificate, the
certificates of intermediate CAs, and the certificate of a root CA trusted by all
parties in the chain.
26. Validating a Certificate
[Figure: certificate chain A-B-C. Each certificate carries the owner's DN, the owner's public key, the issuer's DN, the issuer's signature and certificate extensions. Owner A's certificate is signed by issuer B, owner B's by issuer C, and owner C (the root) signs its own certificate. For each link the verifier recovers the digest from the issuer's signature with the issuer's public key and compares it with the digest it computes over the certificate: if they are not equal the certificate is rejected, otherwise validation continues with the next certificate up the chain until the trusted root.]
27. Certificate Pinning
• Hard-code in the client the certificate (or, more commonly, the public
key) known to be used by the server:
1. Pin the server's certificate itself
2. Pin the CA certificate used to sign the server's certificate
• Advantages: avoids the risk of flaws in certificate validation checks
and the threat of a rogue or compromised CA
• Disadvantages: does not scale, requires provisioning, and a pin that
is not updated before the pinned key or certificate is rotated locks
clients out
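Slides 19, 22, 23, 26 and 27 together describe issuing a certificate, signing it with the CA's private key, chaining leaf -> intermediate -> root, validating each link and pinning. As an added example, not code from the original slides, the Go program below builds such an A-B-C chain with the standard crypto/x509 package, verifies it the way a browser does (the programmatic equivalent of openssl verify -CAfile), shows a tampered certificate failing its signature check, and compares an SPKI pin. The CA names, the host www.example.com and the function names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

var serial int64 = 1000 // constructed serial counter; a real CA uses unique random serials

// issue creates a certificate for cn. parent == nil yields a self-signed root; otherwise the
// certificate is signed with parentKey, as the CA does with its private key on slide 22.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always state whether this certificate may sign others
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // end-entity: hostname in the SAN extension, usage limited to server authentication
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoChain returns the A-B-C chain of slide 26: leaf A <- intermediate B <- root C.
func BuildDemoChain() (leaf, inter, root *x509.Certificate, err error) {
	root, rootKey, err := issue("Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue("Demo Issuing CA", true, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issue("www.example.com", false, inter, interKey)
	return leaf, inter, root, err
}

// VerifyChain checks every link as a browser does: each signature with the issuer's public key,
// validity period, hostname, and a trusted root at the top. Returns the length of the chain found.
func VerifyChain(leaf *x509.Certificate, inters []*x509.Certificate, root *x509.Certificate, host string) (int, error) {
	roots, ip := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		ip.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ip, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// SPKIPin is SHA-256 over the SubjectPublicKeyInfo: pinning the key instead of the whole
// certificate survives re-issuance with the same key (slide 27).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckPin accepts a presented chain if any certificate in it matches the pinned SPKI hash.
func CheckPin(presented []*x509.Certificate, pin string) bool {
	for _, c := range presented {
		if SPKIPin(c) == pin {
			return true
		}
	}
	return false
}

// TamperedCopy flips one byte of the subject CN inside the signed portion and re-parses, so the
// recomputed digest no longer matches the CA's signature (slide 22).
func TamperedCopy(c *x509.Certificate) (*x509.Certificate, error) {
	raw := append([]byte(nil), c.Raw...)
	i := bytes.Index(raw, []byte(c.Subject.CommonName))
	if i < 0 {
		return nil, errors.New("CN not found in DER")
	}
	raw[i] ^= 0x01
	return x509.ParseCertificate(raw)
}
```

VerifyChain fails when the intermediate is missing (the leaf then chains to no trust anchor) and when the hostname does not match the SAN, the two most common deployment mistakes; CheckSignatureFrom on the tampered copy fails because the ECDSA signature covers the whole TBS structure, including the changed name.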
28. SSL Convergence
Problems in the certificate chain:
• Compromised CAs issuing fraudulent certificates
• Uncompromised CAs issuing fraudulent certificates (by mistake or
otherwise)
• If a user (or browser vendor) loses trust in a CA, removing the CA from the
browser's list of trusted authorities means losing trust in all the sites which
used that CA.
[Chart: Certificate Authority market share, courtesy of Netcraft, 2013 survey]
29. SSL Convergence
• Convergence provides a level of redundancy by having several
authorities (so-called notaries) vouch for a single site.
• A user can choose to trust several notaries and consults them to decide
whether a site should be trusted or not (as opposed to trusting a
single authority).
31. POODLE Attack
• Padding Oracle On Downgraded Legacy Encryption (CVE-2014-3566).
• Unlike a proper version negotiation, many TLS clients implement a
protocol downgrade dance to work around server-side interoperability
bugs: if the TLS handshake fails, the client retries with a lower version.
• A man-in-the-middle can break the higher-version handshakes on purpose
and so confine the client to SSL 3.0, whose CBC cipher suites are
exploitable through a padding oracle.
33. POODLE Attack
• After the downgrade, an attacker can break the cryptographic protection
of SSL 3.0 with a padding oracle attack: SSL 3.0 checks only the last
byte of the CBC padding, so an attacker who can position a secret such
as a session cookie in the plaintext recovers it one byte at a time
(about 256 requests per byte).
• To remediate the vulnerability, SSL 3.0 must be disabled; at the very
least, clients and servers should implement TLS_FALLBACK_SCSV (RFC 7507)
so that a server can detect and refuse a downgraded handshake.
34. Heartbleed Bug
• Security bug disclosed in April 2014 in the OpenSSL cryptography
library (CVE-2014-0160); affects OpenSSL 1.0.1 through 1.0.1f,
fixed in 1.0.1g.
• Allows anyone on the Internet to read up to 64 KB of process memory
per request from systems protected by the vulnerable versions of
OpenSSL, without authentication and without leaving a trace in the logs.
• Compromises the secret keys used to identify the service providers
and to encrypt the traffic, the names and passwords of the users,
and the actual content.
35. Heartbleed Example
• Run the proof-of-concept script (the final record, content type 24 =
heartbeat, carries 16384 bytes of server memory the server should never
have sent):
$ python ssltest.py somewebsite.gov.kw
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 4256
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
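What the script above triggers, as an added example that is not the page's ssltest.py and not OpenSSL's code: a heartbeat handler written in Go, first with the bug (the handler trusts the peer's payload_length and copies that many bytes) and then with the bounds check that the OpenSSL 1.0.1g fix introduced. The simulated memory buffer, the "leftover" string placed after the record and the function names are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Leftover is constructed "neighbouring heap" content placed right after the heartbeat
// record in the simulated buffer; a correct implementation must never return it.
const Leftover = "session cookie=abc123; user=omar; password=hunter2; card=4111-1111-1111-1111"

// BuildMemory lays out a heartbeat request (RFC 6520: type, 2-byte payload_length,
// payload, >= 16 bytes padding) that claims claimedLen payload bytes while carrying only
// len(payload), then appends the leftover memory. recLen is the true record length.
func BuildMemory(payload []byte, claimedLen uint16, leftover []byte) (mem []byte, recLen int) {
	rec := []byte{1, 0, 0} // 1 = heartbeat_request
	binary.BigEndian.PutUint16(rec[1:3], claimedLen)
	rec = append(rec, payload...)
	rec = append(rec, make([]byte, 16)...) // minimum padding
	return append(rec, leftover...), len(rec)
}

// HeartbeatResponseVulnerable mirrors the OpenSSL 1.0.1 bug: it trusts payload_length
// from the peer and copies that many bytes, reading past the end of the record.
func HeartbeatResponseVulnerable(mem []byte, recLen int) ([]byte, error) {
	if recLen < 3 {
		return nil, errors.New("short record")
	}
	plen := int(binary.BigEndian.Uint16(mem[1:3]))
	end := 3 + plen
	if end > len(mem) {
		end = len(mem) // a real process would keep reading whatever heap lies beyond
	}
	resp := make([]byte, 3, end)
	resp[0] = 2 // heartbeat_response
	binary.BigEndian.PutUint16(resp[1:3], uint16(end-3))
	return append(resp, mem[3:end]...), nil
}

// HeartbeatResponseFixed adds the check from the 1.0.1g patch: the claimed payload plus
// the 3-byte header and 16 bytes of padding must fit inside the received record, otherwise
// the message is silently discarded.
func HeartbeatResponseFixed(mem []byte, recLen int) ([]byte, error) {
	if recLen < 1+2+16 {
		return nil, errors.New("discard: record shorter than header plus padding")
	}
	plen := int(binary.BigEndian.Uint16(mem[1:3]))
	if 1+2+plen+16 > recLen {
		return nil, errors.New("discard: payload_length exceeds record length")
	}
	resp := make([]byte, 3, 3+plen)
	resp[0] = 2
	binary.BigEndian.PutUint16(resp[1:3], uint16(plen))
	return append(resp, mem[3:3+plen]...), nil
}

func main() {
	mem, recLen := BuildMemory([]byte("ping"), 16384, []byte(Leftover))
	leak, _ := HeartbeatResponseVulnerable(mem, recLen)
	fmt.Printf("vulnerable handler returned %d bytes: %q\n", len(leak), leak[3:])
	_, err := HeartbeatResponseFixed(mem, recLen)
	fmt.Println("fixed handler:", err)
}
```

The vulnerable handler answers the malformed request with everything that follows the 4-byte payload, including the constructed password and card number; the fixed handler discards it, and still answers an honest heartbeat whose payload_length matches the record.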
38. sslstrip
• Tool released by Moxie Marlinspike in 2009
• MITM attack tool that forces a victim's browser into communicating
with the adversary in plaintext over HTTP, while the adversary proxies
the (modified) content from the real HTTPS server.
• "Strips" https:// URLs from the pages and redirects it relays, turning
them into http:// URLs.
• The tool only rewrites traffic it can see; in practice it is paired
with ARP spoofing (e.g. arpspoof) to redirect the victim host's traffic
at the link layer.
• Mitigation: HTTP Strict Transport Security (HSTS) instructs the browser
never to use plain HTTP for the site.
39. Superfish Lenovo Incident
• Lenovo sold consumer laptops with the Superfish adware pre-installed
in late 2014.
• The adware injects its content into web pages, including HTTPS pages,
by installing its own self-signed root certificate in the Windows trust
store and re-signing every site's certificate with it (a Komodia SSL
interception proxy).
• The root private key was included on every affected system, encrypted
only with the guessable password "komodia".
• Anyone who extracted the key could sign a certificate for any site that
affected laptops would trust, allowing widespread MitM attacks.
40. Recommendations
• Configure the server to choose strong cipher suites for key exchange,
authentication, bulk encryption, and message authentication.
– Use sufficiently long keys (e.g. 2048-bit RSA or larger; 128-bit AES or
stronger for the symmetric cipher. Triple DES is nominally 168 bits but
gives only 112 bits of security and is best retired).
– Avoid NULL ciphers, export suites and RC4; prefer AEAD suites (AES-GCM)
with ephemeral (ECDHE) key exchange for forward secrecy.
– Order the cipher suites with the most secure first and have the server
enforce its own preference.
• Disable SSL 2.0 and SSL 3.0 to prevent POODLE and recovery of
plaintext by network attackers.
• Disable TLS compression to avoid CRIME attacks.
• Use TLS_FALLBACK_SCSV to prevent forced protocol downgrades.
• If using the OpenSSL library, update to the latest patched version
(1.0.1g or later) to avoid the Heartbleed bug.
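The server-side recommendations above, applied in Go's standard crypto/tls as an added example (not from the original slides): a hardened server configuration and an in-process handshake showing a TLS 1.0-only client being refused while a TLS 1.2 client negotiates one of the allowed ECDHE AEAD suites. The throwaway certificate, the server name "tls-demo" and the function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hardenedSuites: AEAD (GCM / ChaCha20) suites with ephemeral ECDHE key exchange only.
var hardenedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// IsHardenedSuite reports whether a negotiated suite is on the allowed list.
func IsHardenedSuite(id uint16) bool {
	for _, s := range hardenedSuites {
		if s == id {
			return true
		}
	}
	return false
}

// HardenedServerConfig applies the slide's recommendations. Go's crypto/tls never implements
// SSL 2.0/3.0 or TLS compression, so POODLE and CRIME are excluded by construction.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // refuses TLS 1.0 and 1.1
		CipherSuites:           hardenedSuites,   // applies to TLS 1.2; TLS 1.3 suites are fixed
		SessionTicketsDisabled: true,             // keeps this in-memory demo free of post-handshake writes
	}
}

// SelfSignedCert makes a throwaway certificate for the demo server (example only).
func SelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-demo"},
		DNSNames:     []string{"tls-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// ClientConfig trusts only the demo certificate and speaks the given protocol version range.
func ClientConfig(root *x509.Certificate, min, max uint16) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, ServerName: "tls-demo", MinVersion: min, MaxVersion: max}
}

// Handshake runs both ends over an in-memory pipe and returns what was negotiated.
func Handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(c1, server).Handshake() }()
	cl := tls.Client(c2, client)
	clientErr := cl.Handshake()
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	if clientErr != nil {
		return tls.ConnectionState{}, clientErr
	}
	return cl.ConnectionState(), nil
}

func main() {
	cert, root, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := HardenedServerConfig(cert)
	_, err = Handshake(srv, ClientConfig(root, tls.VersionTLS10, tls.VersionTLS10))
	fmt.Println("TLS 1.0 client:", err)
	st, err := Handshake(srv, ClientConfig(root, tls.VersionTLS12, tls.VersionTLS12))
	fmt.Printf("TLS 1.2 client: version %#x suite %#x err %v\n", st.Version, st.CipherSuite, err)
}
```

SessionTicketsDisabled is set only so that the server writes nothing after the handshake on the synchronous net.Pipe; a production server normally keeps tickets on with key rotation. Since Go 1.17 the server orders TLS 1.2 suites itself, so the list acts as an allow-list and the "strongest first" preference is enforced by the library.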
41. Recommendations
• Have your server certificates signed by a reputable CA (a public CA signs
your end-entity certificates, not your root).
• Avoid self-signed and expired certificates on public-facing services.
• Do not keep certificates valid for overly long periods, and rotate keys.
• Protect private keys: use a strong passphrase when creating them, and
keep root CA keys encrypted and offline.
• Make sure end-entity certificates are not signing certificates (Basic
Constraints CA:FALSE, no keyCertSign key usage).
• Generate key pairs with proper tools and a properly seeded random number
generator.
• Employ a key splitting procedure (secret sharing among several custodians)
for root keys if necessary.
• Require client certificates for highly critical systems.