Drown: Breaking TLS using SSLv2

Proceedings of the 25th USENIX Security Symposium

Volumn , Issue , 2016, Pages 689-706

  Aviram, Nimrod ^a   Schinzel, Sebastian ^b   Somorovsky, Juraj ^c   Heninger, Nadia ^d   Dankel, Maik ^b   Steube, Jens ^e   Valenta, Luke ^d   Adrian, David ^f   Halderman, J Alex ^f   Dukhovni, Viktor ^g   Käsper, Emilia ^h   Cohney, Shaanan ^d   Engels, Susanne ^c   Paar, Christof ^c   Shavitt, Yuval ^a  

^a TEL AVIV UNIVERSITY   (Israel)

^b MÜNSTER UNIVERSITY OF APPLIED SCIENCES   (Germany)

^c RUHR UNIVERSITY BOCHUM   (Germany)

^d UNIVERSITY OF PENNSYLVANIA   (United States)

^e Hashcat Project

^f UNIVERSITY OF MICHIGAN   (United States)

^g OpenSSL ^*

^h GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCIDENTS; CRYPTOGRAPHY; HTTP; NETWORK SECURITY;

AMAZON EC2; CIPHERTEXTS; MAN IN THE MIDDLE ATTACKS; OPEN SSL; PADDING ORACLE ATTACKS; PROTOCOL ATTACKS; PROTOCOL LEVEL; SINGLE CPU;

SEEBECK EFFECT;

EID: 85076479391     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (42)

1. ADRIAN, D., BHARGAVAN, K., DURUMERIC, Z., GAUDRY, P., GREEN, M., HALDERMAN, J. A., HENINGER, N., SPRINGALL, D., THOMÉ, E., VALENTA, L., VANDERSLOOT, B., WUSTROW, E., ZANELLA-BÉGUELIN, S., AND ZIMMERMANN, P. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In 22nd ACM Conference on Computer and Communications Security (Oct. 2015).
2. AL FARDAN, N. J., AND PATERSON, K. G. Lucky Thirteen: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy (2013), IEEE, pp. 526–540.
3. ALFARDAN, N. J., BERNSTEIN, D. J., PATERSON, K. G., POETTERING, B., AND SCHULDT, J. C. On the security of RC4 in TLS. In 22nd USENIX Security Symposium (2013), pp. 305–320.
4. BARDOU, R., FOCARDI, R., KAWAMOTO, Y., SIMIONATO, L., STEEL, G., AND TSAY, J.-K. Efficient padding oracle attacks on cryptographic hardware. In Advances in Cryptology–CRYPTO 2012. Springer, 2012, pp. 608–625.
5. BEURDOUCHE, B., BHARGAVAN, K., DELIGNAT-LAVAUD, A., FOURNET, C., KOHLWEISS, M., PIRONTI, A., STRUB, P.-Y., AND ZINZINDOHOUE, J. K. A messy state of the union: Taming the composite state machines of TLS. In IEEE Symposium on Security and Privacy (2015).
6. BHARGAVAN, K., LAVAUD, A. D., FOURNET, C., PIRONTI, A., AND STRUB, P. Y. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In IEEE Symposium on Security and Privacy (2014), IEEE, pp. 98–113.
7. BHARGAVAN, K., AND LEURENT, G. Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH. In Network and Distributed System Security Symposium (Feb. 2016).
8. BLEICHENBACHER, D. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Advances in Cryptology — CRYPTO’98, vol. 1462 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 1998.
9. BREYHA, W., DURVAUX, D., DUSSA, T., KAPLAN, L. A., MENDEL, F., MOCK, C., KOSCHUCH, M., KRIEGISCH, A., PÖSCHL, U., SABET, R., SAN, B., SCHLATTERBECK, R., SCHRECK, T., WÜRSTLEIN, A., ZAUNER, A., AND ZAWODSKY, P. Better crypto – applied crypto hardening, 2016. Available at https://bettercrypto.org/static/applied-crypto-hardening.pdf.
10. CHANG, W.-T., AND LANGLEY, A. QUIC crypto, 2014. https://docs.google.com/document/d/1g5nIXAIkN_Y7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit?pli=1.
11. CVE-2015-0293. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293.
12. DE RUITER, J., AND POLL, E. Protocol state fuzzing of TLS implementations. In 24th USENIX Security Symposium (Washington, D.C., Aug. 2015), USENIX Association.
13. DIERKS, T., AND RESCORLA, E. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), Aug. 2008. Updated by RFCs 5746, 5878.
14. DUONG, T., AND RIZZO, J. Here come the xor ninjas, 2011. http://netifera.com/research/beast/beast_DRAFT_0621.pdf.
15. DURUMERIC, Z., KASTEN, J., ADRIAN, D., HALDERMAN, J. A., BAILEY, M., LI, F., WEAVER, N., AMANN, J., BEEKMAN, J., PAYER, M., AND PAXSON, V. The matter of Heartbleed. In 14th Internet Measurement Conference (New York, NY, USA, 2014), IMC’14, ACM, pp. 475–488.
16. DURUMERIC, Z., WUSTROW, E., AND HALDERMAN, J. A. ZMap: Fast Internet-wide scanning and its security applications. In 22nd USENIX Security Symposium (Aug. 2013).
17. FREIER, A., KARLTON, P., AND KOCHER, P. The secure sockets layer (SSL) protocol version 3.0. RFC 6101, 2011.
18. GREEN, M. Secure protocols in a hostile world. In CHES 2015 (Aug. 2015). https://isi.jhu.edu/~mgreen/CHESPDF.pdf.
19. HAMILTON, R. QUIC discovery. https://docs.google.com/document/d/1i4m7DbrWGgXafHxwl8SwIusY2ELUe8WX258xt2LFxPM/ edit#.
20. Hashcat. http://hashcat.net.
21. HENINGER, N., DURUMERIC, Z., WUSTROW, E., AND HALDERMAN, J. A. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In 21st USENIX Security Symposium (Aug. 2012).
22. HICKMAN, K., AND ELGAMAL, T. The SSL protocol, 1995. https://tools.ietf.org/html/draft-hickman-netscape-ssl-00.
23. HOLZ, R., AMANN, J., MEHANI, O., WACHS, M., AND KAAFAR, M. A. TLS in the wild: An Internet-wide analysis of TLS-based protocols for electronic communication. In Network and Distributed System Security Symposium (Geneva, Switzerland, Feb. 2016), S. Capkun, Ed., Internet Society.
24. JAGER, T., PATERSON, K. G., AND SOMOROVSKY, J. One bad apple: Backwards compatibility attacks on state-of-the-art cryptography. In Network and Distributed System Security Symposium (2013).
25. JAGER, T., SCHINZEL, S., AND SOMOROVSKY, J. Bleichenbacher’s attack strikes again: Breaking PKCS#1 v1.5 in XML encryption. In 17th European Symposium on Research in Computer Security (Berlin, Heidelberg, 2012), Springer Berlin Heidelberg, pp. 752–769.
26. JAGER, T., SCHWENK, J., AND SOMOROVSKY, J. On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. In 22nd ACM Conference on Computer and Communications Security (New York, NY, USA, 2015), CCS’15, ACM, pp. 1185–1196.
27. KALISKI, B. PKCS #1: RSA Encryption Version 1.5. RFC 2313 (Informational), Mar. 1998. Obsoleted by RFC 2437.
28. KÄSPER, E. Fix reachable assert in SSLv2 servers. OpenSSL patch, Mar. 2015. https://github.com/openssl/openssl/commit/ 86f8fb0e344d62454f8daf3e15236b2b59210756.
29. KLIMA, V., POKORNY , O., AND ROSA, T. Attacking RSA-based sessions in SSL/TLS. In Cryptographic Hardware and Embedded Systems-CHES 2003. Springer, 2003, pp. 426–440.
30. LANGLEY, A., MODADUGU, N., AND MOELLER, B. Transport layer security (TLS) false start. draft-bmoeller-tls-falsestart-00, June 2 (2010).
31. LENSTRA, A. K., LENSTRA, H. W., AND LOVÁSZ, L. Factoring polynomials with rational coefficients. Mathematische Annalen 261 (1982), 515–534. 10.1007/BF01457454.
32. MAVROGIANNOPOULOS, N., VERCAUTEREN, F., VELICHKOV, V., AND PRENEEL, B. A cross-protocol attack on the TLS protocol. In 19th ACM Conference on Computer and Communications Security (New York, NY, USA, 2012), CCS’12, ACM, pp. 62–72.
33. MEYER, C., AND SCHWENK, J. SoK: Lessons learned from SSL/TLS attacks. In 14th International Workshop on Information Security Applications (Berlin, Heidelberg, Aug. 2013), WISA 2013, Springer-Verlag.
34. MEYER, C., SOMOROVSKY, J., WEISS, E., SCHWENK, J., SCHINZEL, S., AND TEWS, E. Revisiting SSL/TLS implementations: New Bleichenbacher side channels and attacks. In 23rd USENIX Security Symposium. USENIX Association, San Diego, CA, Aug. 2014, pp. 733–748.
35. MÖLLER, B., DUONG, T., AND KOTOWICZ, K. This POODLE bites: exploiting the SSL 3.0 fallback, 2014.
36. OPENSSL. Change log. https://www.openssl.org/news/changelog.html#x0.
37. RESCORLA, E., ET AL. The transport layer security (TLS) protocol version 1.3, draft.
38. RIZZO, J., AND DUONG, T. The CRIME attack. EKOparty Security Conference, 2012.
39. ROSKIND, J. QUIC design document, 2013. https://docs.google.com/a/chromium.org/document/d/ 1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34.
40. TURNER, S., AND POLK, T. Prohibiting secure sockets layer (SSL) version 2.0. RFC 6176 (Informational), Apr. 2011.
41. WAGNER, D., AND SCHNEIER, B. Analysis of the SSL 3.0 protocol. In 2nd USENIX Workshop on Electronic Commerce (1996).
42. ZHANG, Y., JUELS, A., REITER, M. K., AND RISTENPART, T. Cross-tenant side-channel attacks in PaaS clouds. In 21st ACM Conference on Computer and Communications Security (New York, NY, USA, 2014), CCS’14, ACM, pp. 990–1003.