Anda di halaman 1dari 38

Securing Wireless Channels

(Or the Case for Certificate


and Public Key Pinning)

What is OWASP?
The Open Web Application Security
Project
Not just web anymore

Mission Driven
World wide, nonprofit, unbiased organization

Community Driven

30,000 Mail List Participants


200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
69 Academic Supporters

Around the World

200 Chapters, ~1600 Members, 30000+ Builders, Breakers and Defenders

About Me

Jeffrey Walton
Roles include
Mobile Security Architect
Senior Consultant
Security Engineer

Secure Coding Evangelist


Live and die by SDLCs

Agenda and Topics

Background
Architectures
Expectations

VPN/SSL/TLS Issues
Past Problems
Current Issues

Shared Secret
PSK
SRP

Pinning
Certificate
Public Key

Futures
Pinning (IETF)
Sovereign Keys
Convergence
Wrap Up
Questions

Its All About the Data

Data is the only thing that matters


Who owns it
Who controls it
Who accesses it

Share data with appropriate parties


Must determine identity of parties

Cant determine identity?


Dont share data

Data Attributes

Data Sensitivity
Low
Public Information
Contact Information

Medium
Social Security
Number
Bank Account
Single Sign On?

High
Pending Litigation,
M&A
FERPA, HIPPA, GLBA,

Data States
Data at Rest
Server/Desktop/Devi
ce
Remote and Local

Data on Display
View/Read/Write/Edit
Local

Data in Transit
Secure Channel
Local Remote

Expectations

User Expectations?
End-to-end security

Web Applications
Padlocks tell me its secure
Green Bars tell me its secure
Marketing tells me its secure

How can {VPN|SSL|TLS} not be secure?


When did that happen?

Training (Conditioning?)

Padlock looks secure


Green bar looks secure
$1,500,000 is a lot of money
It looks secure
It must be secure

Two Architectures

Two architectures in play


Employee Organization
VPN

Individual Service Provider


SSL/TLS

Security Boundaries
Sometimes Trust Zones
How many are traversed?

Architecture (Enterprise,
VPN)

Architecture (Mobile,
SSL/TLS)

Comes down to

Infrastructure
Domain Name System (DNS)
Public Key Infrastructure (PKI{X})
Certificate Authorities (CAs)

Employee Organization
Organization

Individual Service Provider


Individual, Provider

Whats Gone Wrong (1)?

Governments Want/Require Interception


Certified Lies: Detecting and Defeating Government Interception Attacks
Against SSL, cryptome.org/ssl-mitm.pdf
http://www.dailymail.co.uk/indiahome/indianews/article-2126277/Nosecrets-Blackberry-Security-services-intercept-data-government-getsway-messenger-service.html

Governments Engage in Interception


http://www.thetechherald.com/articles/Tunisian-government-harvestingusernames-and-passwords/12429/

Vendors Provide Interception Taps


http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html

Governments Use Interception Taps


https://www.eff.org/nsa-spying

Mobile Interception is Patented


Lawful interception for targets in a proxy mobile internet protocol
network, http://www.google.com/patents/EP2332309A1

Whats Gone Wrong (2)?

Handset manufactures add trusted roots


http://gaurangkp.wordpress.com/tag/nokias-man-in-the-middle-attack/

Carriers can add trusted roots


No reference yet, but
http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/

CAs can become compromised


http://isc.sans.edu/diary.html?storyid=11500

Researchers can create Rogue CAs


http://www.win.tue.nl/hashclash/rogue-ca/

DNS can become compromised


http://forums.theregister.co.uk/forum/2/2011/09/05/dns_hijack_service_updated/

Physical plant can become compromised


http://www.pcworld.com/article/119851/paris_hilton_victim_of_tmobiles_web_fla
ws.html

Its easy to set up an AP or Base Station (Chris Paget's IMSI Catcher)

http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/

Whats Gone Wrong (3)?

Can't trust some CAs they will sell you out and issue subordinate CAs for
money
http://www.net-security.org/secworld.php?id=12369
http://www.zdnet.com/trustwave-sold-root-certificate-for-surveillance-3040095011/

Can't trust some browsers they will sell you out and elide their responsibility
https://bugzilla.mozilla.org/show_bug.cgi?id=724929

Can't trust some browsers they include questionable certificates out of the box
https://bugzilla.mozilla.org/show_bug.cgi?id=542689

Can't override some browser's CA list


http://my.opera.com/community/forums/topic.dml?id=1580452

Can't override OS's CA list


http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

CRL/OCSP does not work as expected/intended


http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modernbrowsers.html
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-webbrowser-collusion

Whats Gone Wrong (4)?

User will break it too (not just bad guys)


http://www.esecurityplanet.com/mobile-security/hacker-bypasses-applesios-in-app-purchases.html
http://www.h-online.com/security/news/item/Apps-for-Windows-8-easilyhacked-1767839.html

Interception proxies add additional risk


http://blog.cryptographyengineering.com/2012/03/how-do-interceptionproxies-fail.html

HTTPS is broken
http://www.thoughtcrime.org/software/sslstrip/

PKI is broken
www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf

The Internet is Broken :)


http://blog.cryptographyengineering.com/2012/02/how-to-fixinternet.html

Decisions, Decisions

Remediation

Stop Conferring Trust!


Cut-out the middle men
Harden the Channel!
Leverage the pre-existing relationship
Verify the Host
Password Authenticated Key Exchange
Shared secret

Public Key Cryptography


Public/Private key pair

Secure Remote Password


(SRP)

Secure Remote Password (SRP)


Thomas Wu, RFC 5054

User knows the password


Client hashes before use

Server knows the verifier


Similar to Unix passwd file

Diffie-Hellman based
Discrete logs (hard problem)
gab g{(salt + password)|verifier} + nonces

Pre Shared Key (PSK)

Pre Shared Key (PSK)


RFC 4279

Three Flavors
PSK Key Exchange
Secret used as Premaster Secret, use only symmetric
key algorithms

DHE_PSK Key Exchange


PSK authenticates Diffie-Hellman exchange

RSA_PSK Key Exchange


combines public-key-based server authentication with
mutual authentication using a PSK

Public Key Cryptography

All we need is a signing key for identity


RSA, DSA, ECDSA

and an ephemeral exchange


DHE, ECDHE, MQV, HMQV, FHMQV, etc

SSH got it right


StrictHostKeyChecking option
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

General Idea

Whitelist expected Certificates or Public


keys
Theres a pre-existing relationship
Or, make a note during first connect
Side step the key distribution problem

Certificate or Public Key Pinning


Libraries offer OnConnect callback
In the callback, inspect certificate or
public key

Bad Cases

Good case
Server is identified by expected cert or key

Bad case
Adversary is using a different public key
Not expected, so fail

Adversary is advertising expected public key


Cant decrypt communications

Really Bad Case


Adversary is using expected public key
Can decrypt communications pwnd

Certificate or Public Key?

X509 Certificate
Binds public key to entity
Version 3 information
Certificate may be rotated

Public Key
Must be static, cannot change
May violate some key rotation policies
Does not depend on certificate

Sample Code

Sample Code
Windows/.Net
Android/Java
iOS/Objective C
OpenSSL/C

Futures

Public Key Pinning Extension for HTTP


draft-ietf-websec-key-pinning-04
http://www.ietf.org/id/draft-ietf-websec-keypinning-04.txt

Sovereign Keys Project


http://www.eff.org/sovereign-keys
DNSSEC to distribute certificates and keys

Convergence
http://convergence.io
Redundant view of sites and certificates/keys

Does It Work?

Wrap Up

Data is all that matters


Identify parties, then share data

PSK, SRP and Pinning


Does not confer trust
Dont care about answers from DNS or CAs
Leverages pre-existing relationship

Sovereign Keys and Convergence


Does confer trust
Still getting answers from others
Useful if no pre-existing relationship

Wrap Up

Questions?
Hopefully useful Answers

Jeffrey Walton
jeffrey.waltn@softwareintegrit
y.cm