
    An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

    Transport Layer Security (TLS) is a mature cryptographic protocol, but has flexibility during implementation which can introduce exploitable flaws. New vulnerabilities are routinely discovered that affect the security of TLS implementations. We discovered that discrete logarithm implementations have poor parameter validation, and we mathematically constructed a deniable backdoor to exploit this flaw in the finite field Diffie-Hellman key exchange. We described attack vectors an attacker could use to position this backdoor, and outlined a man-in-the-middle attack that exploits the backdoor to force Diffie-Hellman use during the TLS connection. We conducted an Internet-wide survey of ephemeral finite field Diffie-Hellman (DHE) across TLS and STARTTLS, finding hundreds of potentially backdoored DHE parameters and partially recovering the private DHE key in some cases. Disclosures were made to companies using these parameters, resulting in a public security advisory and discussions with the CTO of a billion-dollar company. We conducted a second Internet-wide survey investigating X.509 certificate name mismatch errors, finding approximately 70 million websites invalidated by these errors and additionally discovering over 1000 websites made inaccessible due to a combination of forced HTTPS and mismatch errors. We determined that name mismatch errors occur largely due to certificate mismanagement by web hosting and content delivery network companies. Further research into TLS implementations is necessary to encourage the use of more secure parameters.

    Multi-ciphersuite security of the Secure Shell (SSH) protocol

    The Secure Shell (SSH) protocol is widely used to provide secure remote access to servers, making it among the most important security protocols on the Internet. We show that the signed-Diffie--Hellman SSH ciphersuites of the SSH protocol are secure: each is a secure authenticated and confidential channel establishment (ACCE) protocol, the same security definition now used to describe the security of Transport Layer Security (TLS) ciphersuites. While the ACCE definition suffices to describe the security of individual ciphersuites, it does not cover the case where parties use the same long-term key with many different ciphersuites: it is common in practice for the server to use the same signing key with both finite field and elliptic curve Diffie--Hellman, for example. While TLS is vulnerable to attack in this case, we show that SSH is secure even when the same signing key is used across multiple ciphersuites. We introduce a new generic multi-ciphersuite composition framework to achieve this result in a black-box way.

    RSA, DH, and DSA in the Wild

    This book chapter outlines techniques for breaking cryptography by taking advantage of implementation mistakes made in practice, with a focus on those that exploit the mathematical structure of the most widely used public-key primitives.

    Measuring small subgroup attacks against Diffie-Hellman

    Several recent standards, including NIST SP 800-56A and RFC 5114, advocate the use of "DSA" parameters for Diffie-Hellman key exchange. While it is possible to use such parameters securely, additional validation checks are necessary to prevent well-known and potentially devastating attacks. In this paper, we observe that many Diffie-Hellman implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation choices, this can radically decrease security. We measure the prevalence of these parameter choices in the wild for HTTPS, POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using DSA and other non-"safe" primes for Diffie-Hellman key exchange, many of them in combination with potentially vulnerable behaviors. We examine over 20 open-source cryptographic libraries and applications and observe that until January 2016, not a single one validated subgroup orders by default. We found feasible full or partial key recovery vulnerabilities in OpenSSL, the Exim mail server, the Unbound DNS client, and Amazon's load balancer, as well as susceptibility to weaker attacks in many other applications.

    Elliptic Curve Cryptography in Practice

    In this paper, we perform a review of elliptic curve cryptography (ECC), as it is used in practice today, in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.

    Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer


    Security protocols for networks and Internet: a global vision

    This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You), by the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks), which is co-funded by European Funds (FEDER), and by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV—Security mechanisms for fog computing: advanced security for devices).

    Flexible and Scalable Public Key Security for SSH

    A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected channel with a remote server. However, widely-deployed implementations of the protocol are vulnerable to man-in-the-middle attacks, where an adversary substitutes her public key for the server's. This danger particularly threatens a traveling user Bob borrowing a client machine. Imposing a traditional X.509 PKI on all SSH servers and clients is neither flexible nor scalable nor (in the foreseeable future) practical. Requiring extensive work or an SSL server at Bob's site is also not practical for many users. This paper presents our experiences designing and implementing an alternative scheme that solves the public-key security problem in SSH without requiring such an a priori universal trust structure or extensive sysadmin work--although it does require a modified SSH client. (The code is available for public download.)

    HYBRID CRYPTOSYSTEMS IN CLIENT-SERVER ARCHITECTURE ON THE APPLICATION LAYER OF THE INTERNET

    Due to the increasing use of cryptography in various domains of computing, more and more advanced cryptographic algorithms, protocols, and systems are being developed, the correctness of which largely determines the confidentiality of private and business communication of an increasing number of people. In addition to the complexity of each of the cryptographic components, modern client-server architectures require their precisely executed combinations with other elements of the system that also apply cryptography for various purposes. In order to better understand the role of cryptographic primitives in modern distributed systems, this paper combines the features of basic cryptographic methods together with their applications on the application layer of the Internet. Examples of popular hybrid cryptosystems (Transport Layer Security, Secure Shell, End-to-end Encryption) present the purposes of cryptography in distributed network applications with a brief description of the main ideas used in designing such systems. The paper does not go into technical details and implementations of algorithms but contributes a concise overview of these principles and ideas with practical examples relevant to young software engineers.