40 research outputs found
An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS
Transport Layer Security (TLS) is a mature cryptographic protocol, but has flexibility during implementation which can introduce exploitable flaws. New vulnerabilities are routinely discovered that affect the security of TLS implementations.
We discovered that discrete logarithm implementations have poor parameter validation, and we mathematically constructed a deniable backdoor to exploit this flaw in the finite field Diffie-Hellman key exchange. We described attack vectors an attacker could use to position this backdoor, and outlined a man-in-the-middle attack that exploits the backdoor to force Diffie-Hellman use during the TLS connection.
We conducted an Internet-wide survey of ephemeral finite field Diffie-Hellman (DHE) across TLS and STARTTLS, finding hundreds of potentially backdoored DHE parameters and partially recovering the private DHE key in some cases. Disclosures were made to companies using these parameters, resulting in a public security advisory and discussions with the CTO of a billion-dollar company.
We conducted a second Internet-wide survey investigating X.509 certificate name mismatch errors, finding approximately 70 million websites invalidated by these errors and additionally discovering over 1000 websites made inaccessible due to a combination of forced HTTPS and mismatch errors. We determined that name mismatch errors occur largely due to certificate mismanagement by web hosting and content delivery network companies. Further research into TLS implementations is necessary to encourage the use of more secure parameters
Implementation of an identity based encryption sub-system for secure e-mail and other applications
This thesis describes the requirements for, and design of, a suite of a sub-systems which support the introduction of Identity Based Encryption (IBE) to Intrenet communications.
Current methods for securing Internet transmission are overly complex to users and require expensive and complex supporting infrastructure for distributing credentials such
as certificates or public keys. Identity Based Encryption holds a promise of simplifying the process without compromising the security. In this thesis I will outline the theory behind the cryptography required , give a background to e-M ail and messaging protocols,the current security methods, the infrastructure used, the issues with these methods, and the break through that recent innovations in Identity Based Encryption hopes to deliver.I will describe an implementation of a sub-system that secures e-Mail and other protocolsin desktop platforms with as little impact on the end user as possible
Measuring And Securing Cryptographic Deployments
This dissertation examines security vulnerabilities that arise due to communication failures and incentive mismatches along the path from cryptographic algorithm design to eventual deployment. I present six case studies demonstrating vulnerabilities in real-world cryptographic deployments. I also provide a framework with which to analyze the root cause of cryptographic vulnerabilities by characterizing them as failures in four key stages of the deployment process: algorithm design and cryptanalysis, standardization, implementation, and endpoint deployment. Each stage of this process is error-prone and influenced by various external factors, the incentives of which are not always aligned with security. I validate the framework by applying it to the six presented case studies, tracing each vulnerability back to communication failures or incentive mismatches in the deployment process.
To curate these case studies, I develop novel techniques to measure both existing and new cryptographic attacks, and demonstrate the widespread impact of these attacks on real-world systems through measurement and cryptanalysis. While I do not claim that all cryptographic vulnerabilities can be described with this framework, I present a non-trivial (in fact substantial) number of case studies demonstrating that this framework characterizes the root cause of failures in a diverse set of cryptographic deployments
Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS
Software implementations of discrete logarithm based cryptosystems over finite fields typically make the assumption that any domain parameters they are presented with are trustworthy, i.e., the parameters implement cyclic groups where the discrete logarithm problem is assumed to be hard. An informal and widespread justification for this seemingly exists that says validating parameters at run time is too computationally expensive relative to the perceived risk of a server sabotaging the privacy of its own connection. In this paper we explore this trust assumption and examine situations where it may not always be justified.
We conducted an investigation of discrete logarithm domain parameters in use across the Internet and discovered evidence of a multitude of potentially backdoored moduli of unknown order in TLS and STARTTLS spanning numerous countries, organizations, and protocols. Although our disclosures resulted in a number of organizations taking down suspicious parameters, we argue the potential for TLS backdoors is systematic and will persist until either until better parameter hygiene is taken up by the community, or finite field based cryptography is eliminated altogether
Using Large-Scale Empirical Methods to Understand Fragile Cryptographic Ecosystems
Cryptography is a key component of the security of the Internet.
Unfortunately, the process of using cryptography to secure the Internet is
fraught with failure. Cryptography is often fragile, as a single mistake can
have devastating consequences on security, and this fragility is further
complicated by the diverse and distributed nature of the Internet. This
dissertation shows how to use empirical methods in the form of Internet-wide
scanning to study how cryptography is deployed on the Internet, and shows
this methodology can discover vulnerabilities and gain insights into fragile
cryptographic ecosystems that are not possible without an empirical approach.
I introduce improvements to ZMap, the fast Internet-wide scanner, that allow
it to fully utilize a 10 GigE connection, and then use Internet-wide
scanning to measure cryptography on the Internet.
First, I study how Diffie-Hellman is deployed, and show that implementations
are fragile and not resilient to small subgroup attacks. Next, I measure the
prevalence of ``export-grade'' cryptography. Although regulations limiting
the strength of cryptography that could be exported from the United States
were lifted in 1999, Internet-wide scanning shows that support for various
forms of export cryptography remains widespread. I show how purposefully
weakening TLS to comply with these export regulations led to the FREAK,
Logjam, and DROWN vulnerabilities, each of which exploits obsolete
export-grade cryptography to attack modern clients. I conclude by discussing
how empirical cryptography improved protocol design, and I present further
opportunities for empirical research in cryptography.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/149809/1/davadria_1.pd
Recommended from our members
Scaling up VoIP: Transport Protocols and Controlling Unwanted Communication Requests
Millions of people worldwide use voice over IP (VoIP) services not only as cost-effective alternatives to long distance and international calls but also as unified communication tools, such as video conferencing. Owing to the low cost of new user accounts, each person can easily obtain multiple accounts for various purposes. Rich VoIP functions combined with the low cost of new accounts and connections attract many people, resulting in a dramatic increase in the number of active user accounts. Internet telephony service providers (ITSPs), therefore, need to deploy VoIP systems to accommodate this growing demand for VoIP user accounts. Attracted people also include bad actors who make calls that are unwanted to callees. Once ITSPs openly connect with each other, unwanted bulk calls will be at least as serious a problem as email spam. This dissertation studies how we can reduce load both on ITSPs and end users to ensure continuing the success of VoIP services. From ITSPs' perspective, the scalability of VoIP servers is of importance and concern. Scalability depends on server implementation and the transport protocol for SIP, VoIP signaling. We conduct experiments to understand the impact of connection-oriented transport protocols, namely, TCP and SCTP, because of the additional costs of handling connections. Contradicting the negative perception of connection-oriented transport protocols, our experimental results demonstrate that the TCP implementation in Linux can maintain comparable capacity to UDP, which is a lightweight connection-less transport protocol. The use of SCTP, on the other hand, requires improving the Linux implementation since the not-well-tested implementation makes a server less scalable. We establish the maximum number of concurrent TCP or SCTP connections as baseline data and suggest better server configurations to minimize the negative impact of handling a large number of connections. Thus, our experimental analysis will also contribute to the design of other servers with a very large number of TCP or SCTP connections. From the perspective of end users, controlling unwanted calls is vital to preserving the VoIP service utility and value. Prior work on preventing unwanted email or calls has mainly focused on detecting unwanted communication requests, leaving many messages or calls unlabeled since false positives during filtering are unacceptable. Unlike prior work, we explore approaches to identifying a "good" call based on signaling messages rather than content. This is because content-based filtering cannot prevent call spam from disturbing callees since a ringing tone interrupts them before content is sent. Our first approach uses "cross-media relations.'' Calls are unlikely to be unwanted if two parties have been previously communicated with each other through other communication means. Specifically, we propose two mechanisms using cross-media relations. For the first mechanism, a potential caller offers her contact addresses which might be used in future calls to the callee. For the second mechanism, a callee provides a potential caller with weak secret for future use. When the caller makes a call, she conveys the information to be identified as someone the callee contacted before through other means. Our prototype illustrates how these mechanisms work in web-then-call and email-then-call scenarios. In addition, our user study of received email messages, calls, SMS messages demonstrates the potential effectiveness of this idea. Another approach uses caller's attributes, such as organizational affiliation, in the case where two parties have had no prior contact. We introduce a lightweight mechanism for validating user attributes with privacy-awareness and moderate security. Unlike existing mechanisms of asserting user attributes, we design to allow the caller to claim her attributes to callees without needing to prove her identity or her public key. To strike the proper balance between the ease of service deployment and security, our proposed mechanism relies on transitive trust, through an attribute validation server, established over transport layer security. This mechanism uses an attribute reference ID, which limits the lifetime and restricts relying parties. Our prototype demonstrates the simplicity of our concept and the possibility of practical use
Recommended from our members
Scaling up VoIP: Transport Protocols and Controlling Unwanted Communication Requests
Millions of people worldwide use voice over IP (VoIP) services not only as cost-effective alternatives to long distance and international calls but also as unified communication tools, such as video conferencing. Owing to the low cost of new user accounts, each person can easily obtain multiple accounts for various purposes. Rich VoIP functions combined with the low cost of new accounts and connections attract many people, resulting in a dramatic increase in the number of active user accounts. Internet telephony service providers (ITSPs), therefore, need to deploy VoIP systems to accommodate this growing demand for VoIP user accounts. Attracted people also include bad actors who make calls that are unwanted to callees. Once ITSPs openly connect with each other, unwanted bulk calls will be at least as serious a problem as email spam. This dissertation studies how we can reduce load both on ITSPs and end users to ensure continuing the success of VoIP services. From ITSPs' perspective, the scalability of VoIP servers is of importance and concern. Scalability depends on server implementation and the transport protocol for SIP, VoIP signaling. We conduct experiments to understand the impact of connection-oriented transport protocols, namely, TCP and SCTP, because of the additional costs of handling connections. Contradicting the negative perception of connection-oriented transport protocols, our experimental results demonstrate that the TCP implementation in Linux can maintain comparable capacity to UDP, which is a lightweight connection-less transport protocol. The use of SCTP, on the other hand, requires improving the Linux implementation since the not-well-tested implementation makes a server less scalable. We establish the maximum number of concurrent TCP or SCTP connections as baseline data and suggest better server configurations to minimize the negative impact of handling a large number of connections. Thus, our experimental analysis will also contribute to the design of other servers with a very large number of TCP or SCTP connections. From the perspective of end users, controlling unwanted calls is vital to preserving the VoIP service utility and value. Prior work on preventing unwanted email or calls has mainly focused on detecting unwanted communication requests, leaving many messages or calls unlabeled since false positives during filtering are unacceptable. Unlike prior work, we explore approaches to identifying a "good" call based on signaling messages rather than content. This is because content-based filtering cannot prevent call spam from disturbing callees since a ringing tone interrupts them before content is sent. Our first approach uses "cross-media relations.'' Calls are unlikely to be unwanted if two parties have been previously communicated with each other through other communication means. Specifically, we propose two mechanisms using cross-media relations. For the first mechanism, a potential caller offers her contact addresses which might be used in future calls to the callee. For the second mechanism, a callee provides a potential caller with weak secret for future use. When the caller makes a call, she conveys the information to be identified as someone the callee contacted before through other means. Our prototype illustrates how these mechanisms work in web-then-call and email-then-call scenarios. In addition, our user study of received email messages, calls, SMS messages demonstrates the potential effectiveness of this idea. Another approach uses caller's attributes, such as organizational affiliation, in the case where two parties have had no prior contact. We introduce a lightweight mechanism for validating user attributes with privacy-awareness and moderate security. Unlike existing mechanisms of asserting user attributes, we design to allow the caller to claim her attributes to callees without needing to prove her identity or her public key. To strike the proper balance between the ease of service deployment and security, our proposed mechanism relies on transitive trust, through an attribute validation server, established over transport layer security. This mechanism uses an attribute reference ID, which limits the lifetime and restricts relying parties. Our prototype demonstrates the simplicity of our concept and the possibility of practical use
Scaling Up Delay Tolerant Networking
Delay Tolerant Networks (DTN) introduce a networking paradigm based on store, carry and forward. This makes DTN ideal for situations where nodes experience intermittent connectivity due to movement, less than ideal infrastructure, sparse networks or other challenging environmental conditions. Standardization efforts focused around the Bundle Protoocol (BP) (RFC 5050) aim to provide a generic set of protocols and technologies to build DTNs.
However, there are several challenges when trying to apply the BP to the Internet as a whole that are tackled in this thesis: There is no DTN routing mechanism that can work in Internet-scale networks. Similarly, available discovery mechanisms for opportunistic contacts do not scale to the Internet. This work presents a solution offering pull-based name resolution that is able to represent the flat unstructured BP namespace in a distributed data structure and leaves routing through the Internet to the underlying IP layer. A second challenge is the large amount of data stored by DTN nodes in large-scale applications. Reconciling two large sets of data during an opportunistic contact without any previous state in a space efficient manner is a non-trivial problem. This thesis will present a very robust solution that is almost as efficient as Bloom filters while being able to avoid false positives that would prevent full reconciliation of the sets. Lastly, when designing networks that are based on agents willing to carry information, incentives are an important factor.
This thesis proposes a financially sustainable system to incentive users to participate in a DTN with their private smartphones. A user study is conducted to get a lead on the main motivational factors that let people participate in a DTN. The study gives some insight under what conditions relying on continuous motivation and cooperation from private users is a reasonable assumption when designing a DTN.Delay Tolerant Networks (DTN) sind ein Konzept für Netzwerke, das auf der Idee beruht, Datenpakete bei Bedarf längere Zeit zu speichern und vor der Weiterleitung an einen anderen Knoten physikalisch zu transportieren. Diese Vorgehensweise erlaubt den Einsatz von DTN in Netzen, die häufige Unterbrechungen aufweisen. Mit dem Bundle Protocol (BP) (RFC 5050) wird ein Satz von Standardprotokollen für DTNs entwickelt.
Wenn man das BP im Internet einsetzen möchte ergeben sich einige Herausforderungen: Es existiert kein DTN Routingverfahren, das skalierbar genug ist um im Internet eingesetzt zu werden. Das Gleiche trifft auf verfügbare Discovery Mechanismen für opportunistische Netze zu. In dieser Arbeit wird ein verteilter, reaktiver Mechanismus zur Namensauflösung im DTN vorgestellt, der den flachen, unstrukturierten Namensraum des BP abbilden kann und es ermöglicht das Routing komplett der IP Schicht zu überlassen. Eine weitere Herausforderung ist die große Menge an Nachrichten, die Knoten puffern müssen. Die effiziente Synchronisierung von zwei Datensets während eines opportunistischen Kontaktes, ohne Zustandsinformationen, ist ein komplexes Problem. Diese Arbeit schlägt einen robusten Algorithmus vor, der die Effizienz eines Bloom Filters hat, dabei jedoch die False Positives vermeidet, die normalerweise eine komplette Synchronisation verhindern würden.
Ein DTN basiert darauf, dass Teilnehmer Daten puffern und transportieren. Wenn diese Teilnehmer z.B. private User mit Smarpthones sind, ist es essentiell diese Benutzer zu einer dauerhaften Teilnahme am Netzwerk zu motivieren. In dieser Arbeit wird ein finanziell tragfähiges System entwickelt, welches Benutzer für eine Teilnahme am DTN belohnt. Eine Benutzerstudie wurde durchgeführt, um herauszufinden, welche Faktoren Benutzer motivieren und unter welchen Umständen davon auszugehen ist, dass Benutzer wenn man das BP im Internet einsetzen möchte dauerhaft in einem DTN kooperieren und Resourcen zur Verfügung stellen
Un nouveau modèle de correspondance pour un service de messagerie électronique avancée
The ease of use and efficiency of the email service contributed to its widespread adoption. It became an essential service and authorizing multiples and various uses (private, professional, administrative, governmental, military ...). However, all existing systems are technically reduced to the implementation of global policies, compiling in a static way a limited set of features. These approaches prevent differentiated adaptations of the system to the uses. The rigid and monolithic nature of these policies can moreover lead to unnecessary execution of expensive treatments or to the inability to simultaneously satisfy conflicting requirements. We address this problem of the evolution of e-mail in the general context of interpersonal communication of a sender to a receiver. We identify the sender's intention of communication, as a key parameter of any interpersonal communication, insofar as it allows to finely discriminate the successful communications, between all the ones that are understood. A second parameter which is orthogonal to the first, defined as the context of the sender, is important because it allows to determine the successful aspect of an interpersonal communication. The declination of these two parameters in the electronic mail led us to define the concept of electronic correspondence. This one is a generalization of the email the implementation of which provides a sufficient condition of qualification successful exchanges via this medium. A correspondence allows taking into account for each message, the intention of communication and context of its sender. Its implementation requires in certain points of the network, the enforcement of specific policies depending of an administrative domain and which take as argument the intention of communication and the current context of the sender. A second benefit provided by this concept concerns the level of customization of messaging reaching a maximum granularity, because it can be applied in a differentiated way, to each message instance. These works led to the description of a representative architecture and the definition of three extensions to existing standards (SUBMISSION, IMF and S/MIME). Our approach has been illustrated through two main use cases, compliant with recommended specifications for administration (RGS - Référentiel Général de Sécurité) and military (MMHS - Military Message Handling System) domains.Le service de courrier électronique en raison de sa simplicité d'utilisation combinée à son efficacité, a constitué l'un des principaux vecteurs de popularisation d'Internet. Il est devenu un service incontournable dont la richesse s'exprime au travers des usages variés et multiples qu'il autorise (privé, professionnel, administratif, officiel, militaire...). Cependant, toutes les réalisations existantes se réduisent techniquement à la mise en oeuvre de politiques globales, compilant de façon statique un ensemble limité de fonctionnalités. Ces approches ne permettent pas au système de s'adapter de façon différenciée aux usages. De plus, le caractère rigide et monolithique de ces politiques peut parfois conduire à l'exécution inutile de traitements coûteux ou à l'impossibilité de satisfaire simultanément des exigences contradictoires. Nous abordons cette problématique de l'évolution de la messagerie électronique dans le cadre général de la communication interpersonnelle d'un locuteur vers un interlocuteur. Nous identifions l'intention de communication du locuteur, comme un paramètre clé de toute communication interpersonnelle, dans la mesure où il permet de discriminer finement les communications réussies, parmi toutes celles qui sont comprises. Un second paramètre orthogonal au premier, défini comme le contexte du locuteur, s'avère déterminant lorsqu'il s'agit d'aborder la réalisation concrète des communications interpersonnelles réussies. La déclinaison de ces deux paramètres dans le cadre de la messagerie électronique nous conduit à concevoir la notion de correspondance. Cette dernière constitue une généralisation du courrier électronique dont la mise en oeuvre offre une condition suffisante de qualification des échanges réussis, via ce média. Une correspondance permet de prendre en compte pour chaque message, l'intention de communication et le contexte de son émetteur. Sa mise en oeuvre impose l'application en certains points du réseau, de politiques spécifiques au domaine administratif de référence, qui prennent en argument l'intention de communication et le contexte courant de l'émetteur. Un second bénéfice apporté par ce concept concerne le niveau de personnalisation du service de messagerie qui atteint une granularité de finesse maximale, du fait qu'il peut s'appliquer de façon différenciée, à chaque occurrence de message. Ces travaux ont abouti à la description d'une architecture représentative accompagnée de la définition de trois extensions de standards existants (SUBMISSION, IMF et S/MIME). Notre approche a été illustrée à travers deux cas d'usages importants, conformes à des spécifications recommandées pour les domaines administratif (RGS- référentiel général de sécurité) et militaire (MMHS - Military Message Handling System)