Attacks against SSL/TLS – BEAST/CRIME/BREACH

 (a) BEAST (Browser Exploit Against SSL/TLS)

  •  By Juliano Rizzo and Thai Duong, 2011 @ ekoparty Security Conference in Buenos Aires, Argentina
  •  Decrypts secure cookies against CBC mode (i.e AES or 3DES) in TLSv1

<References>
Demo and description: http://vnhacker.blogspot.com/2011/09/beast.html
Paper: http://packetstormsecurity.com/files/download/105499/Beast-SSL.rar/
Proof of Concept with javascript: http://erlend.oftedal.no/blog/beast/

(b) CRIME (Compression Ratio Info-leak Made Easy)

  • By Juliano Rizzo and Thai Duong, 2012 @ ekoparty Security Conference in Buenos Aires, Argentina
  • leverages compression side-channel, recovers the HTTP request headers
  • Injects partial chosen plaintext (CPA) into a victim’s requests + measures the size of encrypted traffic
  • HTTP-level compression: gzip (RFC 1952), defalte (RFC 1951)
  • Mitigated by disabling TLS/SPDY compression

<References>
1. Wiki: http://en.wikipedia.org/wiki/CRIME_(security_exploit)
2. Tor and BEAST: https://blog.torproject.org/blog/tor-and-beast-ssl-attack
3. Schneier’s Article: https://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html
4. Generic attacks with compression: http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf

(c) BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)

  • By Angelo Prado, Neal Harris, and Yoel Gluck, 2013 @ Blackhat 2013
  • CVE-2013-3587
  • leverages compression, takes advantage of HTTP responses
  • Mitigated by:Disabling HTTP compression
    – Separating secrets from user input
    – Randomizing secrets per request
    – Masking secrets (effectively randomizing by XORing with a random secret per request)
    – Protecting vulnerable pages with CSRF
    – Length hiding (by adding random number of bytes to the responses)
    – Rate-limiting the requests

<References>

1. Wiki: http://en.wikipedia.org/wiki/BREACH_(security_exploit)
2. Paper: http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
3. PPT: http://breachattack.com/resources/BREACH%20-%20BH%202013%20-%20PRESENTATION.pdf
4. Source Code: https://github.com/nealharris/BREACH

BGP Security

You can download the slide: BGP Security
(This has been done as a part of homework in CSE508 in SBU CS.)

There are two different kinds of routing protocols: one is for interior purpose – IGP (Interior Gateway Protocol) and the other is for exterior purpose – EGP (Exterior Gateway Protocol). A good example of IGP would be RIP(Routing Information Protocol), OSPF (Open Shortest Path First) which is the most widely used, and EIGRP (Enhanced Interior Gateway Routing Protocol) which is proprietary by Cisco. In EGP, BGP (Border Gateway Protocol) is now de facto standard adapted by the Internet.

First we need to define a couple of terminologies.

1. AS (Autonomous System): A set of computers and routers under a single administration
2. RIB (Routing Information Base): BGP routing entries (Adj-RIB-In, Loc-RIB, and Adj-RIB-Out)
3. BGP Attribute: Types to decide path vector algorithm
(Origin=1, AS_Path=2, Next_Hop=3, MED=4, Local_Pref=5, Atomic_Aggregate=6, Aggregator=7)

As of Feb. 2014, there are more than 500,000 BGP routing tables available. (Check http://bgp.potaroo.net/bgprpts/rva-index.html) You may also want to know current AS summary. (Check http://cidr-report.org/as2.0/) Each BGP speaker uses RIBs and BGP attributes and installs NLRI (or best path) according to the following mechanism. (If the preference ties, then it considers next attribute in order.)

Highest weight →Highest LOCAL-PREF → Originated Source → Shortest AS-PATH → Lowest Origin (IBGP < EBGP < incomplete) → Lowest MED → EBGP over IBGP → Lowest IGP Metric → Lowest Route ID → Lowest Originator ID

The following figure illustrates 4 main BGP messages: OPEN, KEEP-ALIVE, UPDATE, and NOTIFICATION. The communication among BGP speakers maintains unicast over 179/tcp.

bgp1

Now, let’s briefly take a look at BGP vulnerabilities from two perspectives. By running over TCP, listening on port 179, BGP is subject to be vulnerable through all kinds of TCP attacks: IP Spoofing, TCP RST,  TCP RST using ICMP, Session Hijacking, and various denial of service attacks including SYN flooding and so forth. These lead target router to drop the BGP session and both peers withdraw routes, causing disruption of network connection. An attacker takes advantage of eavesdropping, blackholing, and/or traffic analysis by changing routes as well.

bgp2

On top of that, with respect to BGP attacks, fundamental vulnerabilities arise from no mechanism which has specified within BGP in order to (a) validate the authority of an AS and (b) to ensure the authenticity of the path attribute by an AS. This allows an adversary to route manipulation such as message relaying, insertion, deletion, and modification as well as route hijacking. BGP-oriented attacks include:

(1) Route Flapping: repetitive changes rapidly cause the BGP routing table to be withdrawn and then re-advertised
(2) Route Deaggregation: announcing more specific route UPDATE causes a huge number of updates, which makes router crash and shut down
(3) (Unallocated) Route Injection: sending out incorrect routing information or transmitting routes to “bogon” prefixes

bgp3

Lastly, here are BGP attack countermeasures to mitigate corresponding threats above.

1. Use authentication mechanism

  • Use access control list.
  • Use BGP peer authentication: MD5(Routing Advertisement + Shared Key), IPSecif available
  • Configure BGP to allow announcing only designated netblocks
  • Disable BGP version negotiation to provide faster startup
  • Announce only preconfigured list of networks

2. Configure route manipulation protection

  • Use BGP graceful restart
  • Use max prefix limits to avoid filling router tables
  • Filter all bogonprefixes with ingress/egress filtering
  • Do not allow over-specific prefixes
  • Turn off fast external failover, called route flap damping
  • Record peer changes

3. Use secure protocol

  • Only allow peers to connect to port 179 in TCP
  • Randomize sequence number (against spoofing and session hijacking)
  • Consider deploying S-BGP or BGPSec

[References]

RFC 4271 -A Border Gateway Protocol 4 (BGP-4), which obsoletes RFC 1771, 1772
RFC 4272 -BGP Security Vulnerabilities Analysis
RFC 2439 –BGP Route Flap Damping
http://moo.cmcl.cs.cmu.edu/~dwendlan/routing/
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html

PGP (Pretty Good Privacy)

PGP is a software package that performs cryptographic tasks related with email systems, which stands for Pretty Good Privacy. It is created by Phil Zimmermann in 1991, and now regarded as de facto standard email security. PGP is currently acquired by Symantec Group since 2010, but still the source code is available for peer review. There are many PGP variants available such as OpenPGP, GPG, iPGMail, APG, and so forth.

PGP provides security services and privacy using a series of security techniques including:
(1) Hashing for integrity
(2) Data compression
(3) Symmetric cryptography for confidentiality
(4) Asymmetric cryptography for both authentication and non-repudiation

The following describes the sending/receiving process between Alice and Bob.

a. Sending Process (Sender = Alice)

pgp1

b. Receiving Process (Receiver = Bob)

pgp2

Click here to download the material.
(This has been done as a part of homework in CSE508 in SBU CS.)