Click here to load reader

SSL overview

  • View

  • Download

Embed Size (px)


A quick overview of SSL cipher suites, common vulnerabilities associated with them and how to remediate.

Text of SSL overview

  • 1. SSL Cipher Suites

2. Introduction SSL communication review Common SSL vulnerabilities Remediation recommendations Testing Demo 3. Part 1SSL Review 4. Secure Communications Using SSL (SC-8, SC-9) Proper SSL Certificates (SC-17) Strong SSL Ciphers (SC-13) Secure implementation of SSL (SC-13) Forcing SSL for sensitive data and forms (SC-8, SC-9) Disallowing mixed mode HTTP and HTTPS 5. SSL Cipher Suites SSL configuration issues appear in Host Assessments, Application Assessments and Validation Reports Usually a systems administrators issues, not a developer Lately there is no clear solution Pick your poison 6. SSL Versions SSL V1 Never publicly releasedSSL V2 Released 1995 Not secureSSL V3 Released 1996 Can almost be made secure Is not FIPS compliant (FIPS 140-2)TLS 1.0 Released 1999 Can almost be made secure Better than SSL V3TLS 1.1 Released 2006 Still thought to be secureTLS 1.2 Released in 2008 Still thought to be secure 7. Handshake 8. Handshake Details 1. ClientHello TLS Protocol Version, Random Number, List of CipherSuites, Suggested Compression Method, sessionID 2. ServerHello TLS Protocol Version, Random Number, CipherSuite, Compression method, sessionID 3. Certificate 4. ServerHelloDone 5. ClientKeyExchange PreMasterSecret, public key or nothing 6. ChangeCipherSpec 7. ChangeCipherSpec 8. Application Data 9. Cipher Suites 10. Cipher Suites Key exchange/agreement RSA, Diffie-Hellman, ECDH, SRP, PSK Authentication RSA, DSA, ECDSA Bulk Ciphers RC4, Triple DES, AES, IDEA Message Authentication MD5, SHA, MD4 11. Part 2Common SSL Vulnerabilities 12. ATTACK! Common vulnerabilities Weak Ciphers Suites Supported Key length > 128 bitsTLS Compression CRIMESSL v3 and TLS v1.0 BEASTRC4 Cipher Suite Supported Theoretically brokenPadding Attacks Lucky Thirteen 13. Ciphers Suites Supported with key lengths less than 128 bits Description: SSL ciphers with key lengths of less than less than 128 bits are considered to be easier to exploit than ciphers with key lengths greater than 128 bits. Impact: A successful exploit could compromise the confidentiality of user credentials and allow an attacker to gain unauthorized access to the web application. 14. TLS CRIME Vulnerability Description: Compression Ratio Info-leak Made Easy (CRIME) is an attack on SSL/TLS. CRIME is a side-channel attack that can be used to discover session tokens or other secret information based on the compressed size of HTTP requests. Impact: An attacker can make the client generate compressedrequests that contain attacker-controlled data in the same stream with secret data. 15. Browser Exploit Against SSL/TLS (aka BEAST) Description: BEAST is short for Browser Exploit Against SSL/TLS.This vulnerability is an attack against the confidentiality of a HTTPS connection. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. The initialization vector includes a random string that is XORed with a plaintext message prior to encryption. Impact: The BEAST provides an attack vector for stealing usersession cookies. 16. SSL RC4 Cipher Suites Supported Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. hundreds of millions) ciphertexts, the attacker may be able to derive the plaintext. The average running time for thisattack is on the order of 2000 hours. Impact: For an authenticated HTTP session, the unknown value which the attacker is trying to get is the session ID or cookie. This value is preceded by standard HTTP header information. If the cookie value is in the first 256 bytes of plaintext it will be exposed during the attack. 17. Padding Attacks: Lucky Thirteen Description: A cryptographic timing attack against MAC to break the CBC algorithm. Affects all versions of TLS at the time of its release (February 2013). Impact: This is a highly complex attack that does not require authentication. It would allow for unauthorized disclosure of information. 18. Part 3Remediation Recommendations 19. Remediation: Weak Cipher Suites Weak Ciphers Suites Supported Disable Cipher Suites with keys < 128 bits, NULL, Export keys and Anonymous Diffie-Hellman Set Apache directive SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW 20. Remediation: CRIME TLS Compression (CRIME) Disable Compression Set Apache (2.2.4) directive SSLCompression off 21. Remediation: BEAST SSL v3 and TLS v1.0 (BEAST) Enable Cipher Suite Ordering Add Apache directive SSLHonorCipherOrder On Negotiate RC4 Cipher Suite first Set Apache directive SSLCipherSuite RC4SHA:ALL:!ADH:!EXPORT:!SSLv2:!LOW 22. Remediation: RC4 Weak RC4 Cipher Suite Supported Disable RC4 Cipher Suites Set Apache directive SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:-RC4-SHA:-RC4-MD5 23. Remediation: Lucky Thirteen Padding Oracle Attacks Switch to using RC4 CipherSuites Set Apache directive SSLCipherSuite RC4SHA:ALL:!ADH:!EXPORT:!SSLv2:!LOW Dude, seriously, WTF??? 24. TLS Browser Support BrowserTLS 1.0TLS 1.1TLS 1.2Chrome 021YesNoNoChrome 22currentYesYesNoChrome 29 (dev)YesYesYesFirefox 2current IE 6 IE 78 IE 89 IE 9 IE 10Yes Disabled Yes Yes Yes YesDisabled No No Disabled No DisabledNo No No Disabled No DisabledOpera 57YesNoNoOpera 89YesDisabledNoOpera 10currentYesDisabledDisabledSafari 4YesNoNoSafari 5YesNoNoSafari 5currentYesYesYes 25. Part 4Testing 26. TestingNMAP!!!!nmap sV nmap --script ssl-enum-ciphers -p And Nessus too, of course 27. Test Cases for developers How developers can test for it Ciphers on the client openssl ciphers|sed s/:/nr/g|sort CipherSuites ./ | grep YES Compression openssl s_client -connect -tls1 Protocol use browser and enable TLS 1.1 and TLS 1.2 28. Part 5: And nowDemo Time!!!!!!! 29. OverviewWhen testing SSL-TLS Test that SSLv2 is disabled Test that SSLv3 is disabled (And Possibly TLS 1.0) Test that compression is disabled Test that cipher suites with key lengths of less that 128 bytes, ADH, NULL or EXP are disabled Test that MD5 hash is disabled 30. Questions? 31. Whats coming up? Sept 24: SAR writing examples - Ryan Oct 8: Benchmark Wizardry - Eric Oct 22: Python for pentesting- Philip Nov 5: All your ssh are belong to us, pwning with proxychains - Anthony & Frank Nov 19: Application context & discovering XSS without

Search related