Since the beginning of the publications by Edward Snowden last year many of the presumably exaggerated threat models in cryptography have become reality. When operating sensitive services it's more likely than not that communication data will be tapped at large carriers as well as internet exchanges and stored indefinitely - this calls for strong and forward-secure encryption.
On the other hand we're faced with the problem that much of the software we're using in the datacenter today is not very secure when it comes to default encryption settings. On top of that, most developers and system administrators are not very fluent in the basic workings of encryption systems.
The talk will give an introduction to SSL/TLS and explain how to check for weaknesses in existing services with tools like nmap, sslscan and sslyze. For common daemons like apache, nginx, exim, postfix and dovecot best practice on improving cryptographic strength will be discussed.
2. Michael Renner
@terrorobe
My name is...
Worked in IT for the last 15 years
Strong focus on operations
Always interested in security, never took it up professionally
Please take the details with a grain of salt
Tight program, note questions down for the end of the talk
3. Quick poll
Who has Forward Secrecy enabled on their servers?
Who was affected by the heartbleed bug and has already patched it?
Probably can skip the talk, for the rest - let's get started!
4. I. The internet is a scary place
I expect most people want to communicate in private, be sure that only they and the
intended recipient can read the content.
Be safe from manipulation, trickery, imposters. Since the internet is the culmination of
human society, it didn't take long to have people with malicious intent join the online
communities.
5. They invented SSL
Things were good.
So in 1994...
and everybody rejoiced.
"Safe online shopping"
"Safe online banking"
"Safe exchange of naughty pictures with your significant other"
Things were good for some time
7. •SSL 2.0: Broken
•MD5: Broken
•RC4: Broken
•SSL 3.0: Unfixable flaws
Over the last 20 years quite a few implementations were broken beyond repair and
eventually phased out
8. Along comes TLS
So in 1999
TLS 1.0 standardized as successor to SSL 3.0
Took 5 years of experience in hostile internet environments to fix most glaring issues
And we thought we nailed it
10. So we update openssl
and hope for the best
And all these attacks mean "wait for vendor update, install updated library, _maybe_
restart daemons using those libraries, hope for the best"
11. And then the damn IPv4 space runs out
we're done installing the updates, and the damn IPv4 space runs out
and people go like "I WOULD REALLY LIKE MY SSL CERTIFICATE ON THIS WEBHOST!1"
12. ...so we get Server Name Indication
Server Name Indication sends the hostname the client is interested in to the server, so
it can offer the right certificate to the client even when using name-based
virtual hosting
Sounds like a good idea, supported for almost 5 years (so even RHEL6 has it)
...and we ask the customer if he has customers using Windows XP
13. ...and we hope that the browser bar shows a cute little lock symbol
but in the end we're just interested in the lock symbol in the browser bar
...because that's all that counts.
To hold all those Eastern European mobsters and Nigerian scammers away.
And we hope that the little lock symbol will hold them at bay
14. Until we read about APT
and I don't mean the Debian Package Manager there...
15. Advanced Persistent Threat (APT) is a set of
stealthy and continuous hacking processes
often orchestrated by human targeting a specific
entity. APT usually targets organizations and or
nations for business or political motives.
See http://en.wikipedia.org/wiki/Advanced_persistent_threat
Suddenly our little lock symbol doesn't look so mighty anymore.
16. Baddies, right?
And when reading this we think - that must be real bad people.
We think: "It has to be the Chinese! Or maybe the Russians" - and certainly our network is
most likely not too interesting for the Chinese, amirite?
17. But then this guy comes along
...and tells us that it's probably not the Chinese and Russians we should be worried
about the most when it comes to Advanced Persistent Threats...
18. FVEY: Eavesdropping World Champions
See: http://en.wikipedia.org/wiki/Five_Eyes
...but the people on our side of the former Iron Curtain!
He worked for a subcontractor of the NSA and took a few documents with him, giving
us a few years old progress report.
Turns out the former crown colonies of Great Britain formed an eavesdropping group
called FVEY, consisting of the USA, Canada, Great Britain, Australia and New Zealand
This caused a huge ruckus, lots of finger-pointing, the US telling the rest of the world that
they shouldn't get too excited, since the rest of the governments are doing it too!
20. ...and since this Monday
See: http://www.format.at/articles/1414/524/374054/nsa-oesterreich
...and you know, the Austrian cybercrime doctrine ("There is no cybercrime") didn't
work for us either. This Monday documents were leaked from our Ministry of the Interior
outlining cooperation agreements between the NSA and Austria
And we should've known better, with all the CEE headquarters and the United Nations
office.
21. So what did we learn?
If you send data over links that carry a lot of data or carry "interesting data",
your communication will be compromised.
22. Program Name Jeopardy
To give this abstract threat a bit more substance - let's do a quick round of
Intelligence Community eavesdropping program name jeopardy
23. Tempora
Let's start out with tempora
Wiretapping by GCHQ - cooperation with
British Telecom, Interoute, Level 3, Verizon, Global Crossing, Viatel and Vodafone
25. QUANTUM Suite
The QUANTUM suite is a series of tools used to exploit internet users by doing MAN
ON THE SIDE attacks on their computers
26. See: https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/
Let's assume this guy over here has a browser window to facebook.com open. Most
modern web applications use long-polling techniques to be able to send status
updates to their users.
Since the intelligence community has access to THE INTERNET thanks to Tempora,
they know this.
So what happens is that they're using a program called TRAFFICTHIEF to select
"interesting" users and then send back an answer that looks like it's coming from
facebook, correct source/destination IPs, correct TCP sequence numbers
And put malicious payload in there. Suddenly the user is yours.
27. DISCOROUTE
Who of you knows rancid? Router & switch config backup utility.
Turns out if you do a "show running-config" over a cleartext connection on a
Tempora-monitored link, the NSA is keeping a backup of your config as well!
Part of the "I hunt sysadmins" blog post series
28. BULLRUN & TURMOIL
Bullrun is a program to:
* Break weak encryption
* Introduce Weak encryption in software and products (Routers, Mobile Devices etc.)
Turmoil:
* Steal private keys
* Use these keys to decrypt internet communication
29. See: https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/
Part of their IPsec busting program
HAMMERSTEIN are router implants to sniff out traffic
Hands traffic off to TURMOIL
TURMOIL, given that the key has already been stolen or is weak enough, can decrypt
the data and save it away
Or if the agents want to be frisky they can even launch their own MITM attacks from
there, impersonating servers in the VPN
30. Are they allowed to do that?
What we know so far is that intelligence agencies operate within legal frameworks to
do their work. And that they don't give a single fuck about the spirit of the law,
constitution, Grundgesetz, Verfassung, etc.
If they've got access to data via an "official" interface which isn't monitored for usage
& proportionality - consider your data compromised.
31. And we're even paying them for it!
Since it's all tax payer money and they're on a mission to hunt terrorists, communists,
or whatever the scapegoat du jour is, they're not being stopped any time soon.
They've got lots of time, money and a cozy government job to do all these things
which make our privacy and lives worse.
32. This is bad.
This is bad...
but the situation is not entirely hopeless. A repeated occurrence in all the revelations was
that proper crypto is still hard/impossible to break in a feasible manner. So our task
at hand is to improve our cryptographic stance. But for that we need to know...
33. II. Crypto in a Nutshell
...to know how cryptography works in the first place.
34. What should cryptography do for me?
•privacy
•integrity
•identification
•non-repudiation
If we're taking a high-level look at cryptography we want it to fulfill four main tasks
Privacy: Nobody else is listening in
Integrity: Nobody can modify our communication without us knowing
Identification: I know who I am communicating with
Non-repudiation: Neither side can deny that communication has taken place
35. Building Blocks
•Ciphers (e.g. AES)
•Private/Session keys
•Key Exchange (e.g. DH)
•Identification (e.g. DNS & X.509)
•Signatures (e.g. RSA)
•Hash functions (e.g. SHA1 as HMAC)
...but since we can't just wave a magic wand and hope that the right thing happens we
need to build such systems.
For this reason there are quite a few building blocks you'll find in any cryptographic
system, be it Kerberos, IPsec or SSH
36. ...in the real world?
SSL = TLS
...so much for theory, what do things look like in the real world?
TLS is the prevalent secure socket communication layer.
Developed as SSL back in 1994 by Netscape, continuously improved over the last
twenty years
Used for most TCP-based applications, e.g. HTTP, SMTP, IMAP, etc. pp.
TLS Handshake is done before application data can be transmitted, almost completely
invisible to underlying application
37. On Cipher suites
•DHE-RSA-AES256-SHA256
•Key exchange protocol: DHE
•Authentication: RSA
•Cipher: AES256
•MAC: SHA256
When dealing with crypto most people have seen a cipher suite at least once. It
defines which building blocks are going to be used for the specific communication.
When we look at this we notice four components
Key Exchange: Used to establish a session key
Authentication: Used to authenticate the remote server
Cipher: What's actually used to encrypt the data on the wire
MAC: Message authentication - ensures that the data hasn't been modified
Both server and client need to agree on a cipher suite to be able to communicate
38. And to do that there's a TLS handshake
ClientHello: Sends wanted TLS version and suggested cipher suites
ServerHello: Sends selected TLS version & cipher suite. Sends back certificate. Cert
contains public key of server
ClientKeyExchange: Client sends required key material to server
ChangeCipherSpec: Everything beyond this message is authenticated & encrypted by
chosen cipher suite
Finished: Is authenticated & encrypted, finalizes TLS handshake
39. On X.509 certificates
X.509 certificates are issued & signed by a certificate authority.
They bind a public key to a "Common Name" & other attributes
CAs can be nested, but the TLS client has to trust the respective root CA, otherwise it raises
a TLS alert
Usually managed by your browser and OS vendor
40. Typical example of a certificate
Has one intermediate CA which is signed by StartCom - operator of startssl.com
Public key of this server valid for CN www.bettercrypto.org and aaron@lo-res.org
Those are mostly legacy
Additional DNS alternative names further down in the certificate, e.g. bettercrypto.org
41. Extensions Galore
•Server Name Indication
  •To offer proper TLS virtual hosting
•Secure Renegotiation
  •Mitigates implementation flaws
•New cipher suites
  •AES-GCM, Camellia, etc.
TLS also offers lots of extensions, here's a list of a few notable ones
42. Resumed TLS Handshakes
•Session IDs
  •TLS state saved on server
•Session Tickets
  •TLS state on client, encrypted by server key
Allow for faster TLS connection establishment
HTTP examples
Comparison:
Unencrypted: One roundtrip to send HTTP request
W/ resuming: Two roundtrips to send HTTP request
W/o resuming: Three roundtrips to send HTTP request
...and that's it for the details
...and that's it for the details
44. So the situation is not only horrible...
...but also horribly complex
45. Fortunately we are not alone
But luckily we aren't alone in this, around the globe there've been many people who
were as outraged as we were when they learnt about this new situation
46. High level papers
•Hallam-Baker: PRISM-Proof Security Considerations
•Farrell, Tschofenig: Pervasive Monitoring is an Attack
Drafts by IETF and others, stating that constant monitoring of traffic is an attack on
the internet, which needs to be addressed in protocol design
47. Lots of work on protocols
•TLS 1.3
  •Gets rid of all insecure ciphers
•XMPP
  •Mandatory encryption of all data
•STARTTLS vulnerabilities
  •IMAP, XMPP, etc.
Tightening up of protocols
48. Lots of research & audits
•projectbullrun.org
•Government-independent crypto competitions
  •e.g. http://competitions.cr.yp.to/
•Critical errors fixed in 2014:
  •gnutls, Apple OS X & iOS, curl...
  •heartbleed anyone?
And the science community was also active.
We've got Project Bullrun which documents the attempts of the NSA to subvert random
number generators
Dan Bernstein is doing lots of work organizing state-sponsor-free crypto contests
And there's lots of focus on implementations, in the last 6 months we had major flaws
fixed in gnutls, OS X, curl etc.
49. The X.509 PKI model is doomed
On a side note:
I'd like to mention that the X.509 PKI model is not secure against government actors
and will need to be augmented or replaced.
50. From: "You Won't Be Needing These Any More: On Removing Unused Certificates From Trust Stores"
Analyzed which certificates were in the trust stores of OSes and browsers
Looked at how many of those were unused
Analyzed two months of campus TLS traffic as well as a ZMap scan of the Internet
to see which CAs were in use
Of the 431 unique CAs present in all systems 148 were completely unused. Of those
148, 140 were not present in _ALL_ trust stores. The remaining 8 were installed in all
systems but no certificate was ever seen.
51. X.509 Alternatives & Supplements
•DANE: DNS distributed & DNSSEC authenticated certificates
•TACK(.io): Key pinning extension for TLS
•Certificate Transparency projects
Luckily there are a few alternatives or extensions of the current PKI model
DANE uses DNS data to basically say "these certificate fingerprints are fine for this
domain" or "this CA is fine for this domain", DNSSEC authenticates this information.
Still a government-operated PKI
TACK wants to get rid of PKI eventually, allowing authenticated TLS servers to hand
out TACKs authoritatively stating which private keys are valid for this specific
hostname.
And then there are the Certificate Transparency projects which try to address "rogue"
certificates. For example - Google collects a list of "valid" public certificates in a long
list, website operators can then send out pointers to that list for browsers to verify
52. IV. Doing your part
So these are the things other people are doing for you
but you also need to get moving to make sure that you provide a safe communication
environment
53. 1. Use TLS in the first place
We've learned that it's not only reckless but dangerous to use plaintext
communication
Programs like the QUANTUM attack suite as well as DISCOROUTE show that DPI is part
of the adversary's toolbelt
If you use secure encryption you make their lives much much harder
54. 2. Use not only maintained but recent software
To be able to use the strongest available ciphers you need to have fresh software.
Just because your RHEL4 system is still maintained doesn't mean that it's actually a
secure platform.
55. 3. Use sufficiently sized keys and hashes
Thirdly - use sufficiently large key and hash sizes
The best cipher is pointless when the key used is far too small - which was the basis
of the US crypto export embargo 15 years ago
56. Source: http://keylength.com
Unfortunately "right size" is a hot topic when it comes to cryptography
Many people setting different standards, keylength.com aggregates all of these in a
nice table.
This list was created with "safe by 2020" in mind
In a nutshell:
Symmetric Ciphers: 128 bit
Asymmetric Ciphers (SSL Certs et al): 2048 bit
Hashes: 256 bit
57. 4. Use clients that only accept strong cipher suites
Recent browsers are mostly fine, lots of focus on them.
Mail clients, CLI tools like wget get much less attention.
Custom applications and URL libraries? All bets are off.
urllib2 for Python for example does no validation at all
Ruby SSL allowed cipher suites that were unauthenticated -> MITM
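To make the two client-side failures on this slide concrete (no certificate validation, and cipher suites that are unauthenticated or not forward secret), here is an added example, not from the talk, that builds a hardened Python client context and audits any `ssl.SSLContext` for those properties. The cipher string and the audit rules are my assumptions, not bettercrypto.org's "Cipher String B".

```python
"""Build a hardened TLS client context and audit contexts for the weaknesses
named on the slide. Added example; CLIENT_CIPHERS and the audit rules are
assumptions, not a published recommendation."""
import ssl

# Assumed cipher string: forward-secret AEAD suites only, weak families banned.
CLIENT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"
# Substrings that mark a suite as broken or unauthenticated in OpenSSL naming.
WEAK_MARKERS = ("RC4", "MD5", "3DES", "DES-CBC3", "NULL", "EXP", "ADH", "AECDH")


def forward_secret(suite):
    """TLS 1.3 suites are always ephemeral; in TLS 1.2 the name prefix says so."""
    if suite["protocol"] == "TLSv1.3":
        return True
    return suite["name"].startswith(("ECDHE-", "DHE-", "EDH-"))


def hardened_client_context():
    """Client context that validates the peer certificate and hostname, refuses
    anything below TLS 1.2, disables TLS compression and offers only
    forward-secret cipher suites."""
    ctx = ssl.create_default_context()        # loads the OS trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION       # CRIME needs TLS-level compression
    ctx.set_ciphers(CLIENT_CIPHERS)
    return ctx


def permissive_client_context():
    """Reproduces the 'no validation at all' behaviour the slide attributes to
    urllib2; built here only as input for audit_client_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return a list of findings for a client context; empty means it passes."""
    findings = []
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not matched to the hostname")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: SSLv3/TLS 1.0 still negotiable")
    for suite in ctx.get_ciphers():            # what this context would offer in ClientHello
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append("weak cipher suite offered: " + name)
        elif not forward_secret(suite):
            findings.append("no forward secrecy: " + name)
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()) or "ok")
    print("permissive:", audit_client_context(permissive_client_context()))
```

The audit only inspects the context; it never opens a connection, so it can run in CI against whatever context a custom application builds before that application is allowed to talk to anything.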
58. 5. Configure servers so that they only offer strong cipher suites
Because if you only offer strong crypto, older/broken clients can't talk to you,
preventing information leaks
Best orient yourself on the guidelines on bettercrypto.org - I've got a few examples later on
59. 6. Use forward secure cipher suites where possible
And last but not least - use forward secure cipher suites
60. •EDH/DHE or ECDHE Key Exchange
•Implies "Ephemeral" session key
•Forward Secrecy
Source: http://www.wired.com/2013/10/lavabit_unsealed/
These are cipher suites where the actual cipher doesn't use a key derived from the
private key of the server but a completely ephemeral one, created individually for each
TLS session.
With non-forward secure cipher suites you can decrypt all recorded traffic if you get
hold of the private key of the server. Forward secure ciphers prevent that.
A notable example was Lavabit, mail provider of Edward Snowden.
61. Considerations for daemons
And if you adhere to these six rules, you shouldn't have to worry too much about
anybody intercepting your communication.
I've prepared a few examples based around real world daemons, all based off bettercrypto.org.
62. bettercrypto.org
• Gathers best practices
• Peer reviewed by cryptographers, sysadmins and software maintainers
• Defined "Cipher String B"
• Focuses on strongest available ciphers on common set of platforms
• Does not support Windows XP and Java6 clients
63. apache
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header add Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
Honor cipher order: without it (SSLv3 and TLSv1) the client chooses the cipher
Compression: disabling it prevents CRIME and BREACH attacks
HSTS: Instructs browsers to _ALWAYS_ use HTTPS for specific domains. Prevents
HTTPS stripping attacks where a MITM offers the HTTPS site over HTTP
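The four notes under the Apache snippet (protocol versions, cipher order, compression, HSTS) are exactly the things that silently regress when someone copies a vhost. The following added example, which is not from the talk or from bettercrypto.org, is a small linter that reads mod_ssl directives and reports those regressions; the thresholds and cipher-family rules are my assumptions, derived from the configuration above.

```python
"""Audit Apache mod_ssl directives for the settings the slide calls out.
Added example; checks and thresholds are assumptions taken from the config above."""
import re
import shlex

HSTS_MIN_AGE = 15768000                               # six months, as in the Header line
MUST_BAN = ("aNULL", "eNULL", "RC4", "MD5", "3DES")   # families a cipher string must exclude

# The configuration from the slide, as one string (the SSLCipherSuite line unwrapped).
SLIDE_CONFIG = """
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
Header add Strict-Transport-Security "max-age=15768000"
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
"""

# Constructed counter-example: the kind of vhost the checks are meant to catch.
WEAK_CONFIG = """
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLProtocol All
SSLCompression on
Header add Strict-Transport-Security "max-age=300"
SSLCipherSuite 'HIGH:MEDIUM:RC4-SHA'
"""


def parse_directives(text):
    """Yield (directive, args) for every non-comment line. Names are lower-cased
    because Apache matches them case-insensitively; shlex keeps the quoted
    cipher string and HSTS value as single arguments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def audit_ssl_config(text):
    """Return a list of findings; an empty list means every check passed."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
    findings = []

    # SSLProtocol: 'All' is Apache's default, so a missing directive enables SSLv2/SSLv3 too.
    protos = [a.lower() for args in seen.get("sslprotocol", [["all"]]) for a in args]
    for legacy in ("SSLv2", "SSLv3"):
        key = legacy.lower()
        if ("all" in protos or key in protos) and "-" + key not in protos:
            findings.append("SSLProtocol leaves %s enabled" % legacy)

    if "on" not in [a.lower() for args in seen.get("sslhonorcipherorder", []) for a in args]:
        findings.append("SSLHonorCipherOrder is not On: the client picks the cipher")

    if "off" not in [a.lower() for args in seen.get("sslcompression", []) for a in args]:
        findings.append("SSLCompression is not explicitly off (CRIME)")

    # HSTS: Header [always] add|set Strict-Transport-Security "max-age=N[; includeSubDomains]"
    ages = []
    for args in seen.get("header", []):
        if len(args) >= 2 and args[-2].lower() == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", args[-1])
            if match:
                ages.append(int(match.group(1)))
    if not ages:
        findings.append("no Strict-Transport-Security header: HTTPS stripping possible")
    elif max(ages) < HSTS_MIN_AGE:
        findings.append("HSTS max-age %d is below %d" % (max(ages), HSTS_MIN_AGE))

    # Cipher string: weak families must neither be selected nor left unbanned.
    if "sslciphersuite" not in seen:
        findings.append("no SSLCipherSuite: the OpenSSL default list decides")
    for args in seen.get("sslciphersuite", []):
        tokens = args[-1].split(":")
        positive = [t.upper() for t in tokens if not t.startswith(("!", "-"))]
        banned = {t[1:].upper() for t in tokens if t.startswith("!")}
        for family in MUST_BAN:
            if any(family.upper() in t for t in positive):
                findings.append("SSLCipherSuite offers %s" % family)
            elif family.upper() not in banned:
                findings.append("SSLCipherSuite does not ban %s with !%s" % (family, family))
    return findings


if __name__ == "__main__":
    print("slide config:", audit_ssl_config(SLIDE_CONFIG) or "ok")
    for finding in audit_ssl_config(WEAK_CONFIG):
        print("weak config:", finding)
```

The linter deliberately reads the raw directive text rather than asking the running server, so it can be run on a config review before deployment; the cipher-string check is a substring test on OpenSSL selector tokens, which is enough to catch the families named on the slide but is no substitute for scanning the live daemon with sslyze.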
64. Postfix main.cf:
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = /etc/postfix/server.key
# review smtp(d)_tls_loglevel settings
# enable opportunistic TLS support in the SMTP server and client
smtpd_tls_security_level = may
smtp_tls_security_level = may
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
# if supported by all clients
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:[..]
master.cf:
587 inet n - - - - smtpd -o smtpd_tls_security_level=encrypt
    -o tls_preempt_cipherlist=yes
MSA (Mail Submission Agent): your mailserver receives mail from your clients' MUAs
MTA (Mail Transmission Agent, MX)
sending MTA (SMTP client)
MSA:
• listen on submission port 587 w/ mandatory TLS
• enforce SMTP AUTH even for local networks
• do not allow SMTP AUTH on unencrypted connections
• optionally use the recommended cipher suites if supported by all clients
MTA:
• use opportunistic encryption (if available - use it)
• do not use self-signed certificates
65. dovecot
# dovecot defaults already require TLS and prohibit plaintext authentication over insecure links
ssl_cipher_list = 'EDH+CAMELLIA:EDH+aRSA:[..]'
...another important part when validating security of your network is to see if you've
missed any services
66. Scanning for services
$ nmap -sV example.org
[..]
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.4a
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd
143/tcp open imap Dovecot imapd
443/tcp open ssl/http Apache httpd
587/tcp open smtp Postfix smtpd
993/tcp open ssl/imap Dovecot imapd
Unfortunately there's no comprehensive scanner suite
nmap is a good start - it comes with scripting support, and somebody already
implemented protocol scanning
Lists SSL for implicit TLS only, no STARTTLS support yet
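Because nmap only marks implicit TLS with the "ssl/" prefix, the scan above still leaves the question of which listeners upgrade via STARTTLS and which are plain. The following added example (not from the talk or from nmap) turns that output into a follow-up list; the sample input is the scan from the slide, and the service classification tables are my assumptions.

```python
"""Triage nmap -sV output: which open ports are implicitly TLS, which rely on
STARTTLS (invisible to -sV) and which are plaintext. Added example; the
classification tables are assumptions."""
import re

# Protocols that normally upgrade with STARTTLS; nmap -sV does not report that.
STARTTLS_SERVICES = {"smtp", "submission", "imap", "pop3", "ftp", "ldap",
                     "xmpp-client", "xmpp-server"}
NATIVE_CRYPTO = {"ssh"}   # own transport security, outside the TLS discussion

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")

# Scan output from the slide, embedded as sample input.
SAMPLE_SCAN = """\
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.4a
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd
143/tcp open imap Dovecot imapd
443/tcp open ssl/http Apache httpd
587/tcp open smtp Postfix smtpd
993/tcp open ssl/imap Dovecot imapd
"""


def parse_nmap(text):
    """Return one dict per open port line; header and summary lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            ports.append({"port": int(m.group("port")), "proto": m.group("proto"),
                          "service": m.group("service"), "version": m.group("version")})
    return ports


def classify(entry):
    """implicit-tls: nmap saw TLS on connect. starttls?: the protocol may upgrade
    but nmap can't tell, so probe it separately. encrypted: non-TLS crypto.
    plaintext: nothing protects it."""
    service = entry["service"]
    if service.startswith("ssl/"):
        return "implicit-tls"
    if service in STARTTLS_SERVICES:
        return "starttls?"
    if service in NATIVE_CRYPTO:
        return "encrypted"
    return "plaintext"


def triage(text):
    """Map port number -> class for every open port in the scan."""
    return {e["port"]: classify(e) for e in parse_nmap(text)}


def needs_follow_up(text):
    """Ports a TLS audit still has to check by hand: STARTTLS candidates and plaintext."""
    return sorted(p for p, c in triage(text).items() if c in ("starttls?", "plaintext"))


if __name__ == "__main__":
    for port, cls in sorted(triage(SAMPLE_SCAN).items()):
        print("%5d  %s" % (port, cls))
    print("follow up:", needs_follow_up(SAMPLE_SCAN))
```

For the slide's scan this yields ports 21, 25, 80, 143 and 587 as the ones nmap cannot vouch for: the mail and FTP ports need a STARTTLS-aware check (sslyze or the daemon's own logs), and port 80 should only redirect to 443.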
67. SSLyze
•Python based SSL scanner
•Project from iSEC Partners
•Supports XML output for automation
•GPLv2
sslyze is a great Python based SSL scanner
comes with bundled OpenSSL
68. $ ./sslyze.py --regular example.org:443
SCAN RESULTS FOR EXAMPLE.ORG:443
---------------------------------------------------------------------
* Compression :
DEFLATE Compression: Disabled
* Session Renegotiation :
Client-initiated Renegotiations: Rejected
Secure Renegotiation: Supported
* TLSV1_2 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
DHE-RSA-AES256-GCM-SHA384 256 bits HTTP 200 OK
Accepted Cipher Suite(s):
DHE-RSA-CAMELLIA256-SHA 256 bits HTTP 200 OK
DHE-RSA-AES256-SHA256 256 bits HTTP 200 OK
DHE-RSA-AES256-SHA 256 bits HTTP 200 OK
DHE-RSA-AES256-GCM-SHA384 256 bits HTTP 200 OK
CAMELLIA256-SHA 256 bits HTTP 200 OK
AES256-SHA 256 bits HTTP 200 OK
DHE-RSA-CAMELLIA128-SHA 128 bits HTTP 200 OK
DHE-RSA-AES128-SHA256 128 bits HTTP 200 OK
DHE-RSA-AES128-SHA 128 bits HTTP 200 OK
DHE-RSA-AES128-GCM-SHA256 128 bits HTTP 200 OK
CAMELLIA128-SHA 128 bits HTTP 200 OK
AES128-SHA 128 bits HTTP 200 OK
[..]
Typical output for an sslyze run...
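The sslyze output lists every accepted suite, but reading it against the four components from the "On Cipher suites" slide and the forward-secrecy rule from slide 60 is manual work. The following added example, which is neither the talk's nor sslyze's code, parses OpenSSL-style suite names into key exchange, authentication, cipher and MAC and flags the accepted suites above that lack forward secrecy; the name grammar and the problem rules are my assumptions covering the common OpenSSL names.

```python
"""Parse OpenSSL-style cipher suite names into their four components and audit
the 'Accepted Cipher Suite(s)' section of an sslyze run. Added example; the
name grammar below is an assumption covering the common OpenSSL names."""
import re

# Key-exchange prefixes: (canonical name, provides forward secrecy)
KX = {"ECDHE": ("ECDHE", True), "DHE": ("DHE", True), "EDH": ("DHE", True),
      "ECDH": ("ECDH", False), "DH": ("DH", False)}
AUTH = {"RSA", "ECDSA", "DSS"}
KEY_BITS = {"AES128": 128, "AES256": 256, "CAMELLIA128": 128, "CAMELLIA256": 256,
            "CHACHA20": 256, "RC4": 128, "DES-CBC3": 112, "SEED": 128}
SUITE_LINE = re.compile(r"^\s*(?P<name>[A-Z0-9-]+)\s+(?P<bits>\d+) bits")

# The sslyze output from the slide, embedded as sample input.
SAMPLE_SSLYZE = """\
* TLSV1_2 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
DHE-RSA-AES256-GCM-SHA384 256 bits HTTP 200 OK
Accepted Cipher Suite(s):
DHE-RSA-CAMELLIA256-SHA 256 bits HTTP 200 OK
DHE-RSA-AES256-SHA256 256 bits HTTP 200 OK
DHE-RSA-AES256-SHA 256 bits HTTP 200 OK
DHE-RSA-AES256-GCM-SHA384 256 bits HTTP 200 OK
CAMELLIA256-SHA 256 bits HTTP 200 OK
AES256-SHA 256 bits HTTP 200 OK
DHE-RSA-CAMELLIA128-SHA 128 bits HTTP 200 OK
DHE-RSA-AES128-SHA256 128 bits HTTP 200 OK
DHE-RSA-AES128-SHA 128 bits HTTP 200 OK
DHE-RSA-AES128-GCM-SHA256 128 bits HTTP 200 OK
CAMELLIA128-SHA 128 bits HTTP 200 OK
AES128-SHA 128 bits HTTP 200 OK
[..]
"""


def parse_cipher_suite(name):
    """Split e.g. DHE-RSA-AES256-SHA256 into kx/auth/cipher/mac as on the slide."""
    parts = name.split("-")
    kx, auth, fs = "RSA", "RSA", False           # bare 'AES256-SHA' = RSA key transport
    if parts[0] in ("AECDH", "ADH"):              # anonymous: no server authentication
        kx, auth, fs = parts[0][1:], "anon", False
        parts = parts[1:]
    elif parts[0] in KX and len(parts) > 2 and parts[1] in AUTH:
        kx, fs = KX[parts[0]]
        auth = parts[1]
        parts = parts[2:]
    mac = parts[-1]                               # SHA/SHA256/SHA384/MD5, or the PRF for AEAD
    cipher = "-".join(p for p in parts[:-1] if p != "GCM")
    return {"kx": kx, "auth": auth, "cipher": cipher, "bits": KEY_BITS.get(cipher),
            "mac": mac, "aead": "GCM" in parts or mac == "POLY1305", "forward_secret": fs}


def accepted_suites(sslyze_output):
    """Suite names from the 'Accepted Cipher Suite(s)' section, in listed order."""
    names, in_section = [], False
    for line in sslyze_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Accepted Cipher Suite"):
            in_section = True
            continue
        if stripped.startswith(("Preferred", "Rejected", "*", "[")):
            in_section = False
        m = SUITE_LINE.match(line)
        if in_section and m:
            names.append(m.group("name"))
    return names


def audit_suites(sslyze_output):
    """Return {suite: [problems]} for every accepted suite that violates the slide's rules."""
    report = {}
    for name in accepted_suites(sslyze_output):
        info = parse_cipher_suite(name)
        problems = []
        if info["auth"] == "anon":
            problems.append("unauthenticated key exchange (MITM)")
        if not info["forward_secret"]:
            problems.append("no forward secrecy")
        if info["cipher"] in ("RC4", "DES-CBC3") or info["mac"] == "MD5":
            problems.append("broken cipher or MAC")
        if info["bits"] is not None and info["bits"] < 128:
            problems.append("key below 128 bit")
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for suite, problems in audit_suites(SAMPLE_SSLYZE).items():
        print(suite, "->", ", ".join(problems))
```

On the slide's output the four suites without a DHE prefix (CAMELLIA256-SHA, AES256-SHA, CAMELLIA128-SHA, AES128-SHA) are the ones a stolen server key would retroactively decrypt; they are the tail of the bettercrypto cipher string kept for old clients, and the server's preference for DHE-RSA-AES256-GCM-SHA384 is what keeps them from being negotiated by anything modern.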
69. Web Services Galore
•HTTP: https://www.ssllabs.com/ssltest
•XMPP: https://xmpp.net/
•SMTP: https://checktls.com/
•Browser: https://www.howsmyssl.com/
There are also various web services which help with auditing
70. Unfortunately there's no modern ssldump
Would be nice to have a tool to run at network edges that
sniffs out all TLS handshakes and
complains when weak cipher suites are offered or chosen.
71. Thanks to
•The bettercrypto.org team
•Aaron Zauner - @a_z_e_t
•All the people devoting their time to security research
•You, for listening
And that's it for the material I prepared...
I'd like to say thanks to...