SSL Cipher Suites: Challenges on Remediation Recommendations (or Help! It’s ALL broken)
Anthony Lee, Todd Benson

SSL overview

Dec 06, 2014

Todd Benson

A quick overview of SSL cipher suites, common vulnerabilities associated with them and how to remediate.
Transcript
Page 1: SSL overview

SSL Cipher Suites

SSL Cipher Suites: Challenges on Remediation Recommendations (or Help! It’s ALL broken)

Anthony Lee, Todd Benson

Page 2: SSL overview

Introduction

• SSL communication review
• Common SSL vulnerabilities
• Remediation recommendations
• Testing
• Demo

Page 3: SSL overview

Part 1

SSL Review

Page 4: SSL overview

Secure Communications

• Using SSL (SC-8, SC-9)
• Proper SSL Certificates (SC-17)
• Strong SSL Ciphers (SC-13)
• Secure implementation of SSL (SC-13)
• Forcing SSL for sensitive data and forms (SC-8, SC-9)
• Disallowing mixed-mode HTTP and HTTPS

Page 5: SSL overview

SSL Cipher Suites

• SSL configuration issues appear in Host Assessments, Application Assessments and Validation Reports

• Usually a systems administrator’s issue, not a developer’s

• Lately there is no clear solution
• Pick your poison

Page 6: SSL overview

SSL Versions

• SSL V1
– Never publicly released

• SSL V2
– Released 1995
– Not secure

• SSL V3
– Released 1996
– Can almost be made secure
– Is not FIPS compliant (FIPS 140-2)

• TLS 1.0
– Released 1999
– Can almost be made secure
– Better than SSL V3

• TLS 1.1
– Released 2006
– Still thought to be secure

• TLS 1.2
– Released in 2008
– Still thought to be secure

Page 7: SSL overview

Handshake

Page 8: SSL overview

Handshake Details

1. ClientHello
• TLS protocol version, random number, list of cipher suites, suggested compression method, session ID

2. ServerHello
• TLS protocol version, random number, cipher suite, compression method, session ID

3. Certificate

4. ServerHelloDone

5. ClientKeyExchange
• PreMasterSecret, public key or nothing

6. ChangeCipherSpec

7. ChangeCipherSpec

8. Application Data
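As an added example (not part of the slides), the Python below builds a constructed ClientHello record with exactly the fields listed in step 1 (no extensions), parses them back out of the raw bytes, and relates what the client offered to the findings covered in Part 2: a highest version of TLS 1.0 or lower, DEFLATE compression, and RC4 suites. The suite IDs and the DEFLATE value are the TLS registry values; the fixed Random bytes are a stand-in for the real 32-byte random.

```python
import struct

# Cipher suite IDs (TLS registry) for the RC4 suites the deck's findings are about.
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
DEFLATE = 1  # compression_method value for DEFLATE (RFC 3749); 0 is null/none

def build_client_hello(version, suites, compression, session_id=b""):
    """Constructed ClientHello record (no extensions); fixed bytes stand in for Random."""
    client_random = bytes(range(32))
    body = struct.pack("!H", version) + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # 0x16 = handshake

def parse_client_hello(record):
    """Extract the ClientHello fields listed on the slide from a raw TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]        # highest version the client supports
    sid_len = body[34]                                 # Random occupies body[2:34]
    pos = 35 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {"version": version, "random": body[2:34], "session_id": body[35:35 + sid_len],
            "cipher_suites": suites, "compression": compression}

def hello_findings(hello):
    """Relate what the client offered to the findings discussed in Part 2."""
    findings = []
    if hello["version"] <= 0x0301:        # 0x0300 = SSLv3, 0x0301 = TLS 1.0
        findings.append("client tops out at TLS 1.0 or SSLv3 (BEAST-era CBC)")
    if DEFLATE in hello["compression"]:
        findings.append("TLS compression offered (CRIME)")
    for suite in hello["cipher_suites"]:
        if suite in RC4_SUITES:
            findings.append("RC4 suite offered: " + RC4_SUITES[suite])
    return findings
```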

Page 9: SSL overview

Cipher Suites

Page 10: SSL overview

Cipher Suites

• Key exchange/agreement
– RSA, Diffie-Hellman, ECDH, SRP, PSK

• Authentication
– RSA, DSA, ECDSA

• Bulk ciphers
– RC4, Triple DES, AES, IDEA

• Message authentication
– MD5, SHA, MD4

Page 11: SSL overview

Part 2

Common SSL Vulnerabilities

Page 12: SSL overview

ATTACK!

Common vulnerabilities

• Weak Cipher Suites Supported

– Key length < 128 bits

• TLS Compression

– CRIME

• SSL v3 and TLS v1.0

– BEAST

• RC4 Cipher Suite Supported

– Theoretically broken

• Padding Attacks

– Lucky Thirteen

Page 13: SSL overview

Cipher Suites Supported with key lengths less than 128 bits

• Description: SSL ciphers with key lengths of less than 128 bits are considered easier to exploit than ciphers with key lengths greater than 128 bits.

• Impact: A successful exploit could compromise the confidentiality of user credentials and allow an attacker to gain unauthorized access to the web application.

Page 14: SSL overview

TLS CRIME Vulnerability

• Description: Compression Ratio Info-leak Made Easy (CRIME) is an attack on SSL/TLS. CRIME is a side-channel attack that can be used to discover session tokens or other secret information based on the compressed size of HTTP requests.

• Impact: An attacker can make the client generate compressed requests that contain attacker-controlled data in the same stream with secret data.

Page 15: SSL overview

Browser Exploit Against SSL/TLS (aka BEAST)

• Description: BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of an HTTPS connection. That is, it provides a way to extract the unencrypted plaintext from an encrypted session. The initialization vector includes a random string that is XORed with a plaintext message prior to encryption.

• Impact: The BEAST provides an attack vector for stealing user session cookies.

Page 16: SSL overview

SSL RC4 Cipher Suites Supported

• Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. hundreds of millions) ciphertexts, the attacker may be able to derive the plaintext. The average running time for this attack is on the order of 2000 hours.

• Impact: For an authenticated HTTP session, the unknown value which the attacker is trying to get is the session ID or cookie. This value is preceded by standard HTTP header information. If the cookie value is in the first 256 bytes of plaintext it will be exposed during the attack.

Page 17: SSL overview

Padding Attacks: Lucky Thirteen

• Description: A cryptographic timing attack on the MAC check that breaks CBC-mode cipher suites. Affects all versions of TLS at the time of its release (February 2013).

• Impact: This is a highly complex attack that does not require authentication. It would allow unauthorized disclosure of information.

Page 18: SSL overview

Part 3

Remediation Recommendations

Page 19: SSL overview

Remediation: Weak Cipher Suites

• Weak Cipher Suites Supported
– Disable cipher suites with keys < 128 bits, NULL, Export keys and Anonymous Diffie-Hellman
• Set Apache directive SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW

Page 20: SSL overview

Remediation: CRIME

• TLS Compression (CRIME)
– Disable compression
• Set Apache (2.2.4) directive SSLCompression off

Page 21: SSL overview

Remediation: BEAST

• SSL v3 and TLS v1.0 (BEAST)
– Enable cipher suite ordering
• Add Apache directive SSLHonorCipherOrder On
– Negotiate RC4 cipher suite first
• Set Apache directive SSLCipherSuite RC4-SHA:ALL:!ADH:!EXPORT:!SSLv2:!LOW

Page 22: SSL overview

Remediation: RC4

• Weak RC4 Cipher Suite Supported
– Disable RC4 cipher suites
• Set Apache directive SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:-RC4-SHA:-RC4-MD5

Page 23: SSL overview

Remediation: Lucky Thirteen

• Padding Oracle Attacks
– Switch to using RC4 cipher suites
• Set Apache directive SSLCipherSuite RC4-SHA:ALL:!ADH:!EXPORT:!SSLv2:!LOW

– Dude, seriously, WTF???

Page 25: SSL overview

Part 4

Testing

Page 26: SSL overview

Testing

NMAP!!!!

And Nessus too, of course

nmap -sV <IPADDRESS>
nmap --script ssl-enum-ciphers -p <PORT> <IPADDRESS>

Page 27: SSL overview

Test Cases for developers

• How developers can test for it
– Ciphers on the client:
openssl ciphers | sed 's/:/\n/g' | sort

– Cipher suites:
./cipher.sh | grep YES

– Compression:
openssl s_client -connect 156.132.142.11:12321 -tls1

– Protocol: use a browser and enable TLS 1.1 and TLS 1.2

Page 28: SSL overview

Part 5: And now…

Demo Time!!!!!!!

Page 29: SSL overview

Overview

When testing SSL-TLS
• Test that SSLv2 is disabled
• Test that SSLv3 is disabled (and possibly TLS 1.0)
• Test that compression is disabled
• Test that cipher suites with key lengths of less than 128 bits, ADH, NULL or EXP are disabled
• Test that MD5 hash is disabled
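The Apache SSLCipherSuite strings in Part 3 and the checklist above can be tried together. The following is an added example, not the deck's own material: a simplified evaluator for OpenSSL-style cipher strings (only ':'-separated terms, ALL, plain keywords and the '!' and '-' prefixes are modelled, over a small constructed cipher table; real OpenSSL has far more ciphers and keywords), plus the checklist run over whatever a string selects. It also shows why '-RC4-SHA' and '!RC4-SHA' differ: a '-' removal can be undone by a later term, a '!' cannot.

```python
# Constructed table: OpenSSL cipher name -> (keywords the name matches, symmetric key bits).
CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256": ({"HIGH", "aRSA", "kEECDH", "AES128"}, 128),
    "AES256-SHA": ({"HIGH", "aRSA", "kRSA", "AES256", "SHA1"}, 256),
    "DES-CBC3-SHA": ({"HIGH", "aRSA", "kRSA", "3DES", "SHA1"}, 168),
    "RC4-SHA": ({"MEDIUM", "aRSA", "kRSA", "RC4", "SHA1"}, 128),
    "RC4-MD5": ({"MEDIUM", "aRSA", "kRSA", "RC4", "MD5"}, 128),
    "DES-CBC-SHA": ({"LOW", "aRSA", "kRSA", "DES", "SHA1"}, 56),
    "EXP-RC4-MD5": ({"EXPORT", "aRSA", "kRSA", "RC4", "MD5"}, 40),
    "ADH-AES128-SHA": ({"HIGH", "aNULL", "ADH", "kEDH", "AES128", "SHA1"}, 128),
    "NULL-SHA": ({"eNULL", "aRSA", "kRSA", "SHA1"}, 0),
}

def matches(name, keyword):
    tags, _ = CIPHERS[name]
    if keyword == "ALL":          # ALL = everything except ciphers with no encryption
        return "eNULL" not in tags
    return keyword == name or keyword in tags

def expand(cipher_string):
    """Ordered cipher list an SSLCipherSuite string selects (first = preferred)."""
    selected, banned = [], set()
    for term in cipher_string.split(":"):
        if term.startswith("!"):   # '!' deletes and blocks re-adding by a later term
            hits = {c for c in CIPHERS if matches(c, term[1:])}
            banned |= hits
            selected = [c for c in selected if c not in hits]
        elif term.startswith("-"): # '-' deletes, but a later term may add it back
            selected = [c for c in selected if not matches(c, term[1:])]
        else:                      # bare term appends new matches in table order
            selected += [c for c in CIPHERS
                         if matches(c, term) and c not in banned and c not in selected]
    return selected

# Checks from the "When testing SSL-TLS" slide, plus RC4 from the Part 2 finding.
RULES = [("key < 128 bits", lambda tags, bits: bits < 128),
         ("anonymous DH", lambda tags, bits: "ADH" in tags),
         ("NULL cipher", lambda tags, bits: "eNULL" in tags),
         ("export grade", lambda tags, bits: "EXPORT" in tags),
         ("MD5 MAC", lambda tags, bits: "MD5" in tags),
         ("RC4", lambda tags, bits: "RC4" in tags)]

def checklist_findings(selected):
    """(cipher, problem) pairs for every selected cipher that fails a checklist rule."""
    return [(c, label) for c in selected for label, bad in RULES if bad(*CIPHERS[c])]
```

Running the three Part 3 strings through expand() makes the conflict on the slides concrete: the BEAST string puts RC4-SHA first, the RC4 string removes it, and only the RC4 string comes back clean from checklist_findings().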

Page 30: SSL overview

Questions?

Page 31: SSL overview

What’s coming up?

• Sept 24: SAR writing examples - Ryan
• Oct 8: Benchmark Wizardry - Eric
• Oct 22: Python for pentesting - Philip
• Nov 5: All your ssh are belong to us, pwning with proxychains - Anthony & Frank
• Nov 19: Application context & discovering XSS without <script> - Todd
• Dec 3: Vulnerability database solutions - Derek
• Dec 17: Clickjacking
