ProtoMon: Embedded Monitors for Cryptographic Protocol Intrusion Detection and Prevention

Intrusion Detection Systems (IDS) are responsible for monitoring and analyzing host or network activity to detect intrusions in order to protect information from unauthorized access or manipulation. There are two main approaches for intrusion detection: signature-based and anomaly-based. Signature-based detection employs pattern matching to match attack signatures with observed data making it ideal for detecting known attacks. However, it cannot detect unknown attacks for which there is no signature available. Anomaly-based detection uses machine-learning techniques to create a profile of normal system behavior and uses this profile to detect deviations from the normal behavior. Although this technique is effective in detecting unknown attacks, it has a drawback of a high false alarm rate. In this paper, we describe our anomaly-based IDS designed for detecting malicious use of cryptographic and application-level protocols. Our system has several unique characteristics and benefits, such as the ability to monitor cryptographic protocols and application-level protocols embedded in encrypted sessions, a very lightweight monitoring process, and the ability to react to protocol misuse by modifying protocol response directly

Postcards from the post-HTTP world: Amplification of HTTPS vulnerabilities in the web ecosystem

HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem

Misuse-Resistant Variants of the OMD Authenticated Encryption Mode

We present two variants of OMD which are robust against nonce misuse. Security of OMD---a CAESAR candidate---relies on the assumption that implementations always ensure correct use of nonce (a.k.a. message number); namely that, the nonce never gets repeated. However, in some application environments, this non-repetitiveness requirement on nonce might be compromised or ignored, yielding to full collapse of the security guaranty. We aim to reach maximal possible level of robustness against repeated nonces, as defined by Rogaway and Shrimpton (FSE 2006) under the name misuse-resistant AE (MRAE). Our first scheme, called misuse-resistant OMD (MR-OMD), is designed to be substantially similar to OMD while achieving stronger security goals; hence, being able to reuse any existing common code/hardware. Our second scheme, called parallelizable misuse-resistant OMD (PMR-OMD), further deviates from the original OMD design in its encryption process, providing a parallelizable algorithm, in contrast with OMD and MR-OMD which have serial encryption/decryption processes. Both MR-OMD and PMR-OMD are single-key mode of operation. It is known that maximally robust MRAE schemes are necessarily two-pass, a price paid compared to a one-pass scheme such as OMD. Nevertheless, in MR-OMD and PMR-OMD, we combine the two passes in a way that minimizes the incurred additional cost: the overhead incurred by the second pass in our two-pass variants is about 50 % of the encryption time for OMD

Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures

Websites commonly use HTTPS to protect their users' private data from network-based attackers. By combining public social network profiles with TLS traffic analysis, we present a new attack that reveals the precise identities of users accessing major websites. As a countermeasure, we propose a novel length-hiding scheme that leverages standard TLS padding to enforce website-specific privacy policies. We present several implementations of this scheme, notably a patch for GnuTLS that offers a rich length-hiding API and an Apache module that uses this API to enforce an anonymity policy for sensitive user files. Our implementations are the first to fully exercise the length-hiding features of TLS and our work uncovers hidden timing assumptions in recent formal proofs of these features. Compared to previous work, we offer the first countermeasure that is standards-based, provably secure, and experimentally effective, yet pragmatic, offering websites a precise trade-off between user privacy and bandwidth efficiency.La vaste majorité des applications web repose sur HTTPS pour protéger, sur le réseau, les données privées de leurs utilisateurs. Nous présentons une nouvelle attaque qui, en combinant les données publiques des réseaux sociaux à une analyse de trafic TLS, permet de révéler l'identité des utilisateurs accédant aux sites web les plus populaires. En réponse à cette attaque, nous proposons un nouveau schéma, qui bien que n'utilisant que des fonctionnalités standards de TLS, permet de dissimuler la taille des données transitant et donc d'aiser l'application des politiques de sécurité. Nous avons intégré notre nouveau schéma de dissimulation de taille à GnuTLS via une API de haut niveau. Nous avons fait usage de cette dernière pour le développement d'un module Apache appliquant notre nouveau schéma à un ensemble de fichiers utilisateurs. Ainsi, nous offrons la première contre-mesure ne reposant que sur des fonctionnalités standards, possédant une preuve de sécurité formelle et efficace en pratique, et qui propose donc un bon compromis entre sécurité des utilisateurs et efficacité en terme de taille des données transitant sur le réseau

How to Securely Release Unverified Plaintext in Authenticated Encryption

Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle without the secret key. Releasing unverified plaintext then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity of ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes

Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure

Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon\u27s s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use ``pseudo constant time\u27\u27 countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode