15 research outputs found

    A Surfeit of SSH Cipher Suites

    Vulnerability-Tolerant Transport Layer Security

    SSL/TLS communication channels play a very important role in Internet security, including cloud computing and server infrastructures. There are often concerns about the strength of the encryption mechanisms used in TLS channels. Vulnerabilities can cause some of the cipher suites once thought to be secure to become insecure and no longer recommended for use, or in urgent need of a software update. However, the deprecation/update process is very slow, and weeks or months can go by before most web servers and clients are protected, and some servers and clients may never be updated. In the meantime, the communications are at risk of being intercepted and tampered with by attackers. In this paper we propose an alternative to TLS to mitigate the problem of secure communication channels being susceptible to attacks due to unexpected vulnerabilities in their mechanisms. Our solution, called Vulnerability-Tolerant Transport Layer Security (vtTLS), is based on diversity and redundancy of cryptographic mechanisms and certificates to ensure secure communication even when one or more mechanisms are vulnerable. Our solution relies on a combination of k cipher suites, which ensures that even if k − 1 cipher suites are insecure or vulnerable, the remaining cipher suite keeps the communication channel secure. The performance and cost of vtTLS were evaluated and compared with OpenSSL, one of the most widely used implementations of TLS.

    Cryptanalysis of the Counter mode of operation

    The counter mode of operation (CTR mode) is nowadays one of the most widely deployed modes of operation due to its simplicity, elegant design and performance. Therefore, understanding more about the security of the CTR mode helps us understand the security of many applications used over the modern Internet. On the security of the CTR mode, there is a well-known proof of indistinguishability from random outputs up to the birthday bound, that is O(2^{n/2}) encrypted n-bit blocks. This acts as a proof that no attack that can retrieve useful information about the plaintext exists with a lower complexity. In other words, any attack that breaks the confidentiality of the plaintext will require Ω(2^{n/2}) blocks of ciphertext.
    Research problem While we have a lower bound on the complexity of a potential attack, it is not well understood how such an attack would work and what its complexity would be, not only in terms of data but also computationally (time and memory complexities). Most often the CTR mode is combined with the AES block cipher, which acts on 128-bit blocks. In that setting, the birthday bound may appear sufficient to guarantee security in most if not all of today's Internet applications, as 2^{128/2} × 128 bits = 256 exbibytes, a comfortable margin. However, if used alongside a 64-bit block cipher like 3DES, the birthday bound stands at 2^{64/2} × 64 bits = 32 gibibytes, an amount of data quickly exchanged on today's Internet. Moreover, the proof of indistinguishability says nothing about how quickly information on the plaintext is leaked when nearing the birthday bound. The goal of this internship is to devise efficient message recovery attacks under realistic assumptions and study their complexity to gain a better understanding of the security of the CTR mode.
    Contribution We give a concrete definition of the algorithmic problem naturally posed by the counter mode of operation, the missing difference problem, upon the resolution of which we can recover part of the unknown plaintext. Then we propose two algorithms to recover a block or more of secret plaintext in different settings motivated by real-life attacker models and compare the results with the work done by McGrew [McG12] on that same topic. We improve McGrew's results in two cases: the case where we know half of the secret plaintext, where we achieve time complexity Õ(2^{n/2}) compared to Õ(2^{3n/4}) for McGrew's searching algorithm, and the case where we have no prior information on the secret, where we achieve Õ(2^{2n/3}) in time and queries compared to the previous Õ(2^{n/2}) queries and Õ(2^n) time. This improvement allows better attacks on the mode for a realistic attacker model than what had been described so far in the literature. In fact, we found out that the CTR mode does not offer much more security guarantees than the CBC mode, as real attacks are of similar complexities. We described these attacks on the CTR mode and could even extend those to some message authentication code (MAC) schemes, GMAC and Poly1305, based on the Wegman-Carter style construction.
    Arguments supporting its validity Not only do we provide some proofs for the asymptotic complexity, but implementations of these algorithms also show that they are practical for block sizes n 64 bits, and so are the associated attacks. These attacks rely on the repeated encryption of a secret under the same key, so frequent rekeying will prevent those attacks from happening, and thus we encourage any implementation of the CTR mode to force rekeying well before the birthday bound.
    Summary and future work We formalized an algorithmic problem that is naturally encountered in some cryptographic schemes, which we called the missing difference problem, and developed tools to solve it efficiently. These tools then help the cryptanalysis of different modes of operation and thus help in understanding the security of popular real-world protocols. Now we hope to publish these results and make users aware that using CTR is not much more secure than CBC (though CTR still offers other advantages). Especially when coupled with 64-bit block ciphers, it may not offer enough guarantees for most modern uses, as 64-bit CBC mode was shown to be insecure in a recent work by Bhargavan and Leurent [BL16].

    ELCA: Introducing Enterprise-level Cryptographic Agility for a Post-Quantum Era

    Given the importance of cryptography to modern security and privacy solutions, it is surprising how little attention has been given to the problem of cryptographic agility, or frameworks enabling the transition from one cryptographic algorithm or implementation to another. In this paper, we argue that traditional notions of cryptographic agility fail to capture the challenges facing modern enterprises that will soon be forced to implement a disruptive migration from today’s public key algorithms (e.g., RSA, ECDH) to quantum-safe alternatives (e.g., CRYSTALS-KYBER). After discussing the challenge of real-world cryptographic transition at scale, we describe our work on enterprise-level cryptographic agility for secure communications based on orchestrated cryptographic providers. Our policy-driven approach, prototyped in service mesh, provides a much-needed re-envisioning for cryptographic agility and highlights what’s missing today to enable disruptive cryptographic change at scale.

    libInterMAC: Beyond Confidentiality and Integrity in Practice

    Boldyreva et al. (Eurocrypt 2012) defined a fine-grained security model capturing ciphertext fragmentation attacks against symmetric encryption schemes. The model was extended by Albrecht et al. (CCS 2016) to include an integrity notion. The extended security model encompasses important security goals of SSH that go beyond confidentiality and integrity to include length hiding and denial-of-service resistance properties. Boldyreva et al. also defined and analysed the InterMAC scheme, while Albrecht et al. showed that InterMAC satisfies stronger security notions than all currently available SSH encryption schemes. In this work, we take the InterMAC scheme and make it fully ready for use in practice. This involves several steps. First, we modify the InterMAC scheme to support encryption of arbitrary length plaintexts and we replace the use of Encrypt-then-MAC in InterMAC with modern nonce-based authenticated encryption. Second, we describe a reference implementation of the modified InterMAC scheme in the form of the library libInterMAC. We give a performance analysis of libInterMAC. Third, to test the practical performance of libInterMAC, we implement several InterMAC-based encryption schemes in OpenSSH and carry out a performance analysis for the use-case of file transfer using SCP. We measure the data throughput and the data overhead of using InterMAC-based schemes compared to existing schemes in OpenSSH. Our analysis shows that, for some network set-ups, using InterMAC-based schemes in OpenSSH only moderately affects performance whilst providing stronger security guarantees compared to existing schemes.

    Cryptographic Security of SSH Encryption Schemes

    Automated Analysis of Protocols that use Authenticated Encryption: How Subtle AEAD Differences can impact Protocol Security

    Many modern security protocols such as TLS, WPA2, WireGuard, and Signal use a cryptographic primitive called Authenticated Encryption (optionally with Authenticated Data), also known as an AEAD scheme. AEAD is a variant of symmetric encryption that additionally provides authentication. While authentication may seem to be a straightforward additional requirement, it has in fact turned out to be complex: many different security notions for AEADs are still being proposed, and several recent protocol-level attacks exploit subtle behaviors that differ among real-world AEAD schemes. We provide the first automated analysis method for protocols that use AEADs that can systematically find attacks that exploit the subtleties of the specific type of AEAD used. This can then be used to analyze specific protocols with a fixed AEAD choice, or to provide guidance on which AEADs might be (in)sufficient to make a protocol design secure. We develop generic symbolic AEAD models, which we instantiate for the Tamarin prover. Our approach can automatically and efficiently discover protocol attacks that could previously only be found using manual inspection, such as the Salamander attack on Facebook’s message franking, and attacks on SFrame and YubiHSM. Furthermore, our analysis reveals undesirable behaviors of several other protocols.

    Data Is a Stream: Security of Stream-Based Channels

    The common approach to defining secure channels in the literature is to consider transportation of discrete messages provided via atomic encryption and decryption interfaces. This, however, ignores that many practical protocols (including TLS, SSH, and QUIC) offer streaming interfaces instead, moreover with the complexity that the network (possibly under adversarial control) may deliver arbitrary fragments of ciphertexts to the receiver. To address this deficiency, we initiate the study of stream-based channels and their security. We present notions of confidentiality and integrity for such channels, akin to the notions for atomic channels, but taking the peculiarities of streams into account. We provide a composition result for our setting, saying that combining chosen-plaintext confidentiality with integrity of the transmitted ciphertext stream lifts confidentiality of the channel to chosen-ciphertext security. Notably, for our proof of this theorem in the streaming setting we need an additional property, called error predictability. We give an AEAD-based construction that achieves our notion of a secure stream-based channel. The construction matches rather well the one used in TLS, providing validation of that protocol's design. Finally, we study how applications that actually aim at transporting atomic messages can do so safely over a stream-based channel. We provide corresponding security notions and a generic and secure 'encode-then-stream' paradigm.