uta                                                           Y. Sheffer
Internet-Draft                                                  Porticor
Intended status: Informational                                   R. Holz
Expires: December 26, 2014                                           TUM
                                                          P. Saint-Andre
                                                                    &yet
                                                           June 24, 2014

              Summarizing Current Attacks on TLS and DTLS
                      draft-ietf-uta-tls-attacks-01

Abstract

   Over the last few years there have been several serious attacks on
   TLS, including attacks on its most commonly used ciphers and modes of
   operation.  This document summarizes these attacks, with the goal of
   motivating generic and protocol-specific recommendations on the usage
   of TLS and DTLS.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 26, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Attacks on TLS
     2.1.  SSL Stripping
     2.2.  BEAST
     2.3.  Lucky Thirteen
     2.4.  Attacks on RC4
     2.5.  Compression Attacks: CRIME and BREACH
     2.6.  Certificate Attacks
     2.7.  Diffie-Hellman Parameters
     2.8.  Denial of Service
   3.  Security Considerations
   4.  IANA Considerations
   5.  Acknowledgements
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Appendix: Change Log
     A.1.  draft-ietf-uta-tls-bcp-01
     A.2.  draft-ietf-uta-tls-bcp-00
     A.3.  draft-sheffer-uta-tls-bcp-00
   Authors' Addresses

1.  Introduction

   Over the last few years there have been several major attacks on TLS
   [RFC5246], including attacks on its most commonly used ciphers and
   modes of operation.  Details are given in Section 2, but suffice it
   to say that both AES-CBC and RC4, which together account for most
   current usage, have been seriously attacked in the context of TLS.

   This situation motivated the creation of the UTA working group, which
   is tasked with the creation of generic and protocol-specific
   recommendations for the use of TLS and DTLS.

   "Attacks always get better; they never get worse" (ironically, this
   saying is attributed to the NSA).  This list of attacks describes our
   knowledge as of this writing.  It seems likely that new attacks will
   be invented in the future.

   For a more detailed discussion of the attacks listed here, the
   interested reader is referred to [Attacks-iSec].

2.  Attacks on TLS

   This section lists the attacks that motivated the current
   recommendations.  This is not intended to be an extensive survey of
   TLS's security.

   While there are widely deployed mitigations for some of the attacks
   listed below, we believe that their root causes necessitate a more
   systemic solution.

2.1.  SSL Stripping

   Various attacks attempt to remove the use of SSL/TLS altogether, by
   modifying HTTP traffic and HTML pages as they pass on the wire.
   These attacks are known collectively as SSL Stripping, and were first
   introduced by Moxie Marlinspike [SSL-Stripping].  In the context of
   Web traffic, these attacks are only effective if the client accesses
   a Web server using a mixture of HTTP and HTTPS.

2.2.  BEAST

   The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation
   of CBC (that is, the predictable initialization vector) to decrypt
   parts of a packet, and specifically to decrypt HTTP cookies when HTTP
   is run over TLS.

2.3.  Lucky Thirteen

   A consequence of the MAC-then-encrypt design in all current versions
   of TLS is the existence of padding oracle attacks [Padding-Oracle].
   A recent incarnation of these attacks is the Lucky Thirteen attack
   [CBC-Attack], a timing side-channel attack that allows the attacker
   to decrypt arbitrary ciphertext.

2.4.  Attacks on RC4

   The RC4 algorithm [RC4] has been used with TLS (and previously, SSL)
   for many years.  RC4 has long been known to have a variety of
   cryptographic weaknesses, e.g. [RC4-Attack-Pau], [RC4-Attack-Man],
   [RC4-Attack-FMS].  Recent cryptanalysis results [RC4-Attack-AlF]
   exploit biases in the RC4 keystream to recover repeatedly encrypted
   plaintexts.

   These recent results are on the verge of becoming practically
   exploitable; currently they require 2^26 sessions or 13x2^30
   encryptions.  As a result, RC4 can no longer be seen as providing a
   sufficient level of security for TLS sessions.

2.5.  Compression Attacks: CRIME and BREACH

   The CRIME attack [CRIME] allows an active attacker to decrypt
   ciphertext (specifically, cookies) when TLS is used with protocol-
   level compression.

   The TIME attack [TIME] and the later BREACH attack [BREACH] both make
   similar use of HTTP-level compression to decrypt secret data passed
   in the HTTP response.  We note that compression of the HTTP message
   body is much more prevalent than compression at the TLS level.

   The former attack can be mitigated by disabling TLS compression, as
   recommended below.  We are not aware of mitigations at the protocol
   level to the latter attack, and so application-level mitigations are
   needed (see [BREACH]).  For example, implementations of HTTP that use
   CSRF tokens will need to randomize them even when the recommendations
   of [I-D.ietf-uta-tls-bcp] are adopted.

2.6.  Certificate Attacks

   There have been several practical attacks on TLS when used with RSA
   certificates (the most common use case).  These include
   [Bleichenbacher98] and [Klima03].  While the Bleichenbacher attack
   has been mitigated in TLS 1.0, the Klima attack, which relies on a
   version-check oracle, is only mitigated by TLS 1.1.

   The use of RSA certificates often involves exploitable timing issues
   [Brumley03], unless the implementation takes care to explicitly
   eliminate them.

2.7.  Diffie-Hellman Parameters

   TLS allows ephemeral Diffie-Hellman and Elliptic Curve Diffie-Hellman
   parameters to be defined in its respective key exchange modes.  This
   results in an outstanding attack, detailed in [Cross-Protocol].  In
   addition, clients that do not properly verify the received parameters
   are exposed to MITM attacks.  Unfortunately the TLS protocol does not
   require this verification; see [RFC6989] for the IPsec analogy.

2.8.  Denial of Service

   Server CPU power has progressed over the years so that TLS can now be
   turned on by default.  However, the risk of malicious clients and
   coordinated groups of clients ("botnets") mounting denial of service
   attacks is still very real.  TLS adds another vector for
   computational attacks, since a client can easily (with little
   computational effort) force the server to expend relatively large
   computational work.  It is known that such attacks have in fact been
   mounted.

3.  Security Considerations

   This document describes protocol attacks in an informational manner,
   and in itself does not have any security implications.  Its companion
   documents certainly do.

4.  IANA Considerations

   This document requires no IANA actions.

5.  Acknowledgements

   We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir,
   Kenny Paterson, Patrick Pelletier, Tom Ritter and Rich Salz for their
   review of this document.  We thank Andrei Popov for contributing text
   on RC4.

   The document was prepared using the lyx2rfc tool, created by Nico
   Williams.

6.  References

6.1.  Normative References

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

6.2.  Informative References

   [I-D.ietf-uta-tls-bcp]
              Sheffer, Y., Holz, R., and P. Saint-Andre,
              "Recommendations for Secure Use of TLS and DTLS", draft-
              ietf-uta-tls-bcp-00 (work in progress), March 2014.

   [RFC6989]  Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman
              Tests for the Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 6989, July 2013.

   [CBC-Attack]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [BEAST]    Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS",
              2011.

   [CRIME]    Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty
              Security Conference 2012, 2012.

   [BREACH]   Prado, A., Harris, N., and Y. Gluck, "The BREACH Attack",
              2013.

   [TIME]     Be'ery, T. and A. Shulman, "A Perfect CRIME? Only TIME
              Will Tell", Black Hat Europe 2013, 2013.

   [RC4]      Schneier, B., "Applied Cryptography: Protocols,
              Algorithms, and Source Code in C, 2nd Ed.", 1996.

   [RC4-Attack-FMS]
              Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the
              Key Scheduling Algorithm of RC4", Selected Areas in
              Cryptography, 2001.

   [RC4-Attack-AlF]
              AlFardan, N., Bernstein, D., Paterson, K., Poettering, B.,
              and J. Schuldt, "On the Security of RC4 in TLS", Usenix
              Security Symposium 2013, 2013.

   [Attacks-iSec]
              Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a
              comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13
              and RC4 biases", August 2013.

   [Padding-Oracle]
              Vaudenay, S., "Security Flaws Induced by CBC Padding
              Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002,
              2002.

   [Cross-Protocol]
              Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., and
              B. Preneel, "A cross-protocol attack on the TLS protocol",
              2012.

   [RC4-Attack-Pau]
              Paul, G. and S. Maitra, "Permutation after RC4 key
              scheduling reveals the secret key.", 2007.

   [RC4-Attack-Man]
              Mantin, I. and A. Shamir, "A practical attack on broadcast
              RC4", 2001.

   [SSL-Stripping]
              Marlinspike, M., "SSL Stripping", February 2009.

   [Bleichenbacher98]
              Bleichenbacher, D., "Chosen ciphertext attacks against
              protocols based on the RSA encryption standard pkcs1",
              1998.

   [Klima03]  Klima, V., Pokorny, O., and T. Rosa, "Attacking RSA-based
              sessions in SSL/TLS", 2003.

   [Brumley03]
              Brumley, D. and D. Boneh, "Remote timing attacks are
              practical", 2003.

Appendix A.  Appendix: Change Log

   Note to RFC Editor: please remove this section before publication.

A.1.  draft-ietf-uta-tls-bcp-01

   o  Added SSL Stripping, attacks related to certificates, Diffie-
      Hellman parameters and denial of service.

   o  Expanded on RC4 attacks, thanks to Andrei Popov.

A.2.  draft-ietf-uta-tls-bcp-00

   o  Initial WG version, with only updated references.

A.3.  draft-sheffer-uta-tls-bcp-00

   o  Initial version, extracted from draft-sheffer-tls-bcp-01.

Authors' Addresses

   Yaron Sheffer
   Porticor
   29 HaHarash St.
   Hod HaSharon  4501303
   Israel

   Email: yaronf.ietf@gmail.com

   Ralph Holz
   Technische Universitaet Muenchen
   Boltzmannstr. 3
   Garching  85748
   Germany

   Email: holz@net.in.tum.de

   Peter Saint-Andre
   &yet

   Email: ietf@stpeter.im
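Section 2.5 notes that BREACH has no protocol-level mitigation and that applications using CSRF tokens must randomize them. The added example below, written for this summary rather than taken from the draft or from [BREACH], shows one way to do that: each response carries a fresh random mask together with the token XORed with that mask, so the bytes embedded in the compressed body differ on every response while the server can still recover and check the session token. The wire layout (mask || token XOR mask, base64url-encoded) and the token length are this example's own assumptions.

```python
"""Per-response masking of a CSRF token so that the token bytes placed in
a compressed HTTP body change on every response.  Added example; the
mask||masked layout and TOKEN_LEN are assumptions of this example, not
the draft's or any framework's format."""
import base64
import hmac
import secrets

TOKEN_LEN = 32  # assumed length of the per-session secret, in bytes


def mask_token(token: bytes) -> str:
    """Return a one-time representation of the session token for embedding
    in a form or header.  A new random mask is drawn on every call."""
    if len(token) != TOKEN_LEN:
        raise ValueError("unexpected token length")
    mask = secrets.token_bytes(TOKEN_LEN)
    masked = bytes(a ^ b for a, b in zip(token, mask))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(field: str) -> bytes:
    """Recover the session token from a submitted masked field."""
    raw = base64.urlsafe_b64decode(field.encode("ascii"))
    if len(raw) != 2 * TOKEN_LEN:
        raise ValueError("malformed masked token")
    mask, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(a ^ b for a, b in zip(masked, mask))


def verify_submission(session_token: bytes, submitted_field: str) -> bool:
    """Server-side check of a submitted field against the session token.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    try:
        candidate = unmask_token(submitted_field)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(candidate, session_token)


if __name__ == "__main__":
    session_token = secrets.token_bytes(TOKEN_LEN)   # constructed
    first, second = mask_token(session_token), mask_token(session_token)
    print("same token, different bytes on the wire:", first != second)
    print("server accepts either:",
          verify_submission(session_token, first),
          verify_submission(session_token, second))
```

Masking does not hide the token from a party that can read the page; it only removes the stable secret that a compression-length oracle needs, which is exactly the gap Section 2.5 describes. Disabling HTTP compression on responses that reflect attacker-controlled input is the other application-level option mentioned in [BREACH], and the two can be combined.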
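Section 2.7 observes that TLS does not require a client to verify the ephemeral Diffie-Hellman parameters it receives, and points to [RFC6989] for the checks IKEv2 applies. The following added example, written for this summary and not taken from the draft or from [RFC6989], shows the finite-field checks a client can apply to a received (p, g, Ys) before computing a shared secret: modulus size, primality of p and of q = (p-1)/2, generator and public-value ranges, and membership of Ys in the order-q subgroup. The minimum modulus size and the policy of accepting only safe-prime groups are this example's own assumptions.

```python
"""Client-side validation of ephemeral finite-field Diffie-Hellman
parameters (p, g) and a peer public value Ys, in the spirit of the
checks RFC 6989 describes for IKEv2.  Added example, not the draft's
code; the 2048-bit minimum and the 'safe prime only' policy are this
example's assumptions."""
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; adequate for screening received
    parameters (a wrong answer needs roughly 4^-rounds luck)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dh_params(p: int, g: int, ys: int, min_bits: int = 2048):
    """Return (ok, reason).  Accepts only a safe prime p, a generator of
    the order-q subgroup, and a public value inside that subgroup, so a
    peer cannot force the shared secret into a tiny subgroup."""
    if p.bit_length() < min_bits:
        return False, "modulus too small"
    if p % 2 == 0 or not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "p is not a safe prime (q not prime)"
    if not 2 <= g <= p - 2:
        return False, "generator out of range"
    if pow(g, q, p) != 1:
        return False, "generator does not have order q"
    if not 2 <= ys <= p - 2:          # rejects 0, 1 and p-1 outright
        return False, "public value out of range"
    if pow(ys, q, p) != 1:
        return False, "public value not in the order-q subgroup"
    return True, "ok"


if __name__ == "__main__":
    # Constructed toy group: p = 23 is a safe prime (q = 11) and g = 2 has
    # order 11; min_bits is lowered only so the toy values are accepted.
    print(validate_dh_params(23, 2, 9, min_bits=5))     # (True, 'ok')
    print(validate_dh_params(23, 2, 5, min_bits=5))     # 5 has order 22
    print(validate_dh_params(23, 2, 22, min_bits=5))    # p-1 rejected
```

These checks are stricter than what TLS mandates, which is the point of Section 2.7: a client that skips them has no assurance that the server's public value lies in a large subgroup. The subgroup test costs one extra modular exponentiation per handshake; the primality tests are the expensive part and can be cached per (p, g) pair, since servers reuse their group parameters.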