40 research outputs found

    An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

    Get PDF
    Transport Layer Security (TLS) is a mature cryptographic protocol, but has flexibility during implementation which can introduce exploitable flaws. New vulnerabilities are routinely discovered that affect the security of TLS implementations. We discovered that discrete logarithm implementations have poor parameter validation, and we mathematically constructed a deniable backdoor to exploit this flaw in the finite field Diffie-Hellman key exchange. We described attack vectors an attacker could use to position this backdoor, and outlined a man-in-the-middle attack that exploits the backdoor to force Diffie-Hellman use during the TLS connection. We conducted an Internet-wide survey of ephemeral finite field Diffie-Hellman (DHE) across TLS and STARTTLS, finding hundreds of potentially backdoored DHE parameters and partially recovering the private DHE key in some cases. Disclosures were made to companies using these parameters, resulting in a public security advisory and discussions with the CTO of a billion-dollar company. We conducted a second Internet-wide survey investigating X.509 certificate name mismatch errors, finding approximately 70 million websites invalidated by these errors and additionally discovering over 1000 websites made inaccessible due to a combination of forced HTTPS and mismatch errors. We determined that name mismatch errors occur largely due to certificate mismanagement by web hosting and content delivery network companies. Further research into TLS implementations is necessary to encourage the use of more secure parameters

    Implementation of an identity based encryption sub-system for secure e-mail and other applications

    Get PDF
    This thesis describes the requirements for, and design of, a suite of a sub-systems which support the introduction of Identity Based Encryption (IBE) to Intrenet communications. Current methods for securing Internet transmission are overly complex to users and require expensive and complex supporting infrastructure for distributing credentials such as certificates or public keys. Identity Based Encryption holds a promise of simplifying the process without compromising the security. In this thesis I will outline the theory behind the cryptography required , give a background to e-M ail and messaging protocols,the current security methods, the infrastructure used, the issues with these methods, and the break through that recent innovations in Identity Based Encryption hopes to deliver.I will describe an implementation of a sub-system that secures e-Mail and other protocolsin desktop platforms with as little impact on the end user as possible

    Measuring And Securing Cryptographic Deployments

    Get PDF
    This dissertation examines security vulnerabilities that arise due to communication failures and incentive mismatches along the path from cryptographic algorithm design to eventual deployment. I present six case studies demonstrating vulnerabilities in real-world cryptographic deployments. I also provide a framework with which to analyze the root cause of cryptographic vulnerabilities by characterizing them as failures in four key stages of the deployment process: algorithm design and cryptanalysis, standardization, implementation, and endpoint deployment. Each stage of this process is error-prone and influenced by various external factors, the incentives of which are not always aligned with security. I validate the framework by applying it to the six presented case studies, tracing each vulnerability back to communication failures or incentive mismatches in the deployment process. To curate these case studies, I develop novel techniques to measure both existing and new cryptographic attacks, and demonstrate the widespread impact of these attacks on real-world systems through measurement and cryptanalysis. While I do not claim that all cryptographic vulnerabilities can be described with this framework, I present a non-trivial (in fact substantial) number of case studies demonstrating that this framework characterizes the root cause of failures in a diverse set of cryptographic deployments

    Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

    Get PDF
    Software implementations of discrete logarithm based cryptosystems over finite fields typically make the assumption that any domain parameters they are presented with are trustworthy, i.e., the parameters implement cyclic groups where the discrete logarithm problem is assumed to be hard. An informal and widespread justification for this seemingly exists that says validating parameters at run time is too computationally expensive relative to the perceived risk of a server sabotaging the privacy of its own connection. In this paper we explore this trust assumption and examine situations where it may not always be justified. We conducted an investigation of discrete logarithm domain parameters in use across the Internet and discovered evidence of a multitude of potentially backdoored moduli of unknown order in TLS and STARTTLS spanning numerous countries, organizations, and protocols. Although our disclosures resulted in a number of organizations taking down suspicious parameters, we argue the potential for TLS backdoors is systematic and will persist until either until better parameter hygiene is taken up by the community, or finite field based cryptography is eliminated altogether

    Using Large-Scale Empirical Methods to Understand Fragile Cryptographic Ecosystems

    Full text link
    Cryptography is a key component of the security of the Internet. Unfortunately, the process of using cryptography to secure the Internet is fraught with failure. Cryptography is often fragile, as a single mistake can have devastating consequences on security, and this fragility is further complicated by the diverse and distributed nature of the Internet. This dissertation shows how to use empirical methods in the form of Internet-wide scanning to study how cryptography is deployed on the Internet, and shows this methodology can discover vulnerabilities and gain insights into fragile cryptographic ecosystems that are not possible without an empirical approach. I introduce improvements to ZMap, the fast Internet-wide scanner, that allow it to fully utilize a 10 GigE connection, and then use Internet-wide scanning to measure cryptography on the Internet. First, I study how Diffie-Hellman is deployed, and show that implementations are fragile and not resilient to small subgroup attacks. Next, I measure the prevalence of ``export-grade'' cryptography. Although regulations limiting the strength of cryptography that could be exported from the United States were lifted in 1999, Internet-wide scanning shows that support for various forms of export cryptography remains widespread. I show how purposefully weakening TLS to comply with these export regulations led to the FREAK, Logjam, and DROWN vulnerabilities, each of which exploits obsolete export-grade cryptography to attack modern clients. I conclude by discussing how empirical cryptography improved protocol design, and I present further opportunities for empirical research in cryptography.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/149809/1/davadria_1.pd

    Scaling Up Delay Tolerant Networking

    Get PDF
    Delay Tolerant Networks (DTN) introduce a networking paradigm based on store, carry and forward. This makes DTN ideal for situations where nodes experience intermittent connectivity due to movement, less than ideal infrastructure, sparse networks or other challenging environmental conditions. Standardization efforts focused around the Bundle Protoocol (BP) (RFC 5050) aim to provide a generic set of protocols and technologies to build DTNs. However, there are several challenges when trying to apply the BP to the Internet as a whole that are tackled in this thesis: There is no DTN routing mechanism that can work in Internet-scale networks. Similarly, available discovery mechanisms for opportunistic contacts do not scale to the Internet. This work presents a solution offering pull-based name resolution that is able to represent the flat unstructured BP namespace in a distributed data structure and leaves routing through the Internet to the underlying IP layer. A second challenge is the large amount of data stored by DTN nodes in large-scale applications. Reconciling two large sets of data during an opportunistic contact without any previous state in a space efficient manner is a non-trivial problem. This thesis will present a very robust solution that is almost as efficient as Bloom filters while being able to avoid false positives that would prevent full reconciliation of the sets. Lastly, when designing networks that are based on agents willing to carry information, incentives are an important factor. This thesis proposes a financially sustainable system to incentive users to participate in a DTN with their private smartphones. A user study is conducted to get a lead on the main motivational factors that let people participate in a DTN. The study gives some insight under what conditions relying on continuous motivation and cooperation from private users is a reasonable assumption when designing a DTN.Delay Tolerant Networks (DTN) sind ein Konzept für Netzwerke, das auf der Idee beruht, Datenpakete bei Bedarf längere Zeit zu speichern und vor der Weiterleitung an einen anderen Knoten physikalisch zu transportieren. Diese Vorgehensweise erlaubt den Einsatz von DTN in Netzen, die häufige Unterbrechungen aufweisen. Mit dem Bundle Protocol (BP) (RFC 5050) wird ein Satz von Standardprotokollen für DTNs entwickelt. Wenn man das BP im Internet einsetzen möchte ergeben sich einige Herausforderungen: Es existiert kein DTN Routingverfahren, das skalierbar genug ist um im Internet eingesetzt zu werden. Das Gleiche trifft auf verfügbare Discovery Mechanismen für opportunistische Netze zu. In dieser Arbeit wird ein verteilter, reaktiver Mechanismus zur Namensauflösung im DTN vorgestellt, der den flachen, unstrukturierten Namensraum des BP abbilden kann und es ermöglicht das Routing komplett der IP Schicht zu überlassen. Eine weitere Herausforderung ist die große Menge an Nachrichten, die Knoten puffern müssen. Die effiziente Synchronisierung von zwei Datensets während eines opportunistischen Kontaktes, ohne Zustandsinformationen, ist ein komplexes Problem. Diese Arbeit schlägt einen robusten Algorithmus vor, der die Effizienz eines Bloom Filters hat, dabei jedoch die False Positives vermeidet, die normalerweise eine komplette Synchronisation verhindern würden. Ein DTN basiert darauf, dass Teilnehmer Daten puffern und transportieren. Wenn diese Teilnehmer z.B. private User mit Smarpthones sind, ist es essentiell diese Benutzer zu einer dauerhaften Teilnahme am Netzwerk zu motivieren. In dieser Arbeit wird ein finanziell tragfähiges System entwickelt, welches Benutzer für eine Teilnahme am DTN belohnt. Eine Benutzerstudie wurde durchgeführt, um herauszufinden, welche Faktoren Benutzer motivieren und unter welchen Umständen davon auszugehen ist, dass Benutzer wenn man das BP im Internet einsetzen möchte dauerhaft in einem DTN kooperieren und Resourcen zur Verfügung stellen

    Un nouveau modèle de correspondance pour un service de messagerie électronique avancée

    Get PDF
    The ease of use and efficiency of the email service contributed to its widespread adoption. It became an essential service and authorizing multiples and various uses (private, professional, administrative, governmental, military ...). However, all existing systems are technically reduced to the implementation of global policies, compiling in a static way a limited set of features. These approaches prevent differentiated adaptations of the system to the uses. The rigid and monolithic nature of these policies can moreover lead to unnecessary execution of expensive treatments or to the inability to simultaneously satisfy conflicting requirements. We address this problem of the evolution of e-mail in the general context of interpersonal communication of a sender to a receiver. We identify the sender's intention of communication, as a key parameter of any interpersonal communication, insofar as it allows to finely discriminate the successful communications, between all the ones that are understood. A second parameter which is orthogonal to the first, defined as the context of the sender, is important because it allows to determine the successful aspect of an interpersonal communication. The declination of these two parameters in the electronic mail led us to define the concept of electronic correspondence. This one is a generalization of the email the implementation of which provides a sufficient condition of qualification successful exchanges via this medium. A correspondence allows taking into account for each message, the intention of communication and context of its sender. Its implementation requires in certain points of the network, the enforcement of specific policies depending of an administrative domain and which take as argument the intention of communication and the current context of the sender. A second benefit provided by this concept concerns the level of customization of messaging reaching a maximum granularity, because it can be applied in a differentiated way, to each message instance. These works led to the description of a representative architecture and the definition of three extensions to existing standards (SUBMISSION, IMF and S/MIME). Our approach has been illustrated through two main use cases, compliant with recommended specifications for administration (RGS - Référentiel Général de Sécurité) and military (MMHS - Military Message Handling System) domains.Le service de courrier électronique en raison de sa simplicité d'utilisation combinée à son efficacité, a constitué l'un des principaux vecteurs de popularisation d'Internet. Il est devenu un service incontournable dont la richesse s'exprime au travers des usages variés et multiples qu'il autorise (privé, professionnel, administratif, officiel, militaire...). Cependant, toutes les réalisations existantes se réduisent techniquement à la mise en oeuvre de politiques globales, compilant de façon statique un ensemble limité de fonctionnalités. Ces approches ne permettent pas au système de s'adapter de façon différenciée aux usages. De plus, le caractère rigide et monolithique de ces politiques peut parfois conduire à l'exécution inutile de traitements coûteux ou à l'impossibilité de satisfaire simultanément des exigences contradictoires. Nous abordons cette problématique de l'évolution de la messagerie électronique dans le cadre général de la communication interpersonnelle d'un locuteur vers un interlocuteur. Nous identifions l'intention de communication du locuteur, comme un paramètre clé de toute communication interpersonnelle, dans la mesure où il permet de discriminer finement les communications réussies, parmi toutes celles qui sont comprises. Un second paramètre orthogonal au premier, défini comme le contexte du locuteur, s'avère déterminant lorsqu'il s'agit d'aborder la réalisation concrète des communications interpersonnelles réussies. La déclinaison de ces deux paramètres dans le cadre de la messagerie électronique nous conduit à concevoir la notion de correspondance. Cette dernière constitue une généralisation du courrier électronique dont la mise en oeuvre offre une condition suffisante de qualification des échanges réussis, via ce média. Une correspondance permet de prendre en compte pour chaque message, l'intention de communication et le contexte de son émetteur. Sa mise en oeuvre impose l'application en certains points du réseau, de politiques spécifiques au domaine administratif de référence, qui prennent en argument l'intention de communication et le contexte courant de l'émetteur. Un second bénéfice apporté par ce concept concerne le niveau de personnalisation du service de messagerie qui atteint une granularité de finesse maximale, du fait qu'il peut s'appliquer de façon différenciée, à chaque occurrence de message. Ces travaux ont abouti à la description d'une architecture représentative accompagnée de la définition de trois extensions de standards existants (SUBMISSION, IMF et S/MIME). Notre approche a été illustrée à travers deux cas d'usages importants, conformes à des spécifications recommandées pour les domaines administratif (RGS- référentiel général de sécurité) et militaire (MMHS - Military Message Handling System)
    corecore