# Bibliography on TLS
###### tags: `bibliography`
[toc]
# GCM IV reuse attack
## Bitstream Protection in Dynamic Partial Reconfiguration Systems Using Authenticated Encryption (IEICE Trans on Info and Sys. 2013)
* [paper](https://www.researchgate.net/publication/258839486_Bitstream_Protection_in_Dynamic_Partial_Reconfiguration_Systems_Using_Authenticated_Encryption)
* Sec 4.2: good diagram to describe GCM.
## Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (WOOT 2016)
* [Paper and slides](https://www.usenix.org/conference/woot16/workshop-program/presentation/bock)
## (Github) Attack demo code for WOOT 16
* https://github.com/nonce-disrespect/nonce-disrespect/
* Slides from https://github.com/nonce-disrespect/nonce-disrespect/blob/master/slides/woot/2016-08-Nonce-Disrespect-WOOT.pptx (the slide on TLS attack illustration is good)
## (Github) Forbidden Attack on AES-GCM
* https://github.com/ashutosh1206/Crypton/blob/master/Authenticated-Encryption/AES-GCM/Attack-Forbidden/README.md
* Hosts runnable attack code.
* A clear description of three scenarios: encrypting one block of plaintext, two blocks, and multiple blocks.
* Illustrates the attack with the one-block case for simplicity: for two messages under the same nonce the constant E_K(J0) cancels in T1 XOR T2, and recovering the authentication key H reduces to finding the root of a quadratic polynomial over GF(2^128). With more blocks the polynomial has higher degree and can have several roots, which then have to be tested.
## Authentication weaknesses in GCM (2005, Ferguson)
* https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf
## Authentication Failures in NIST version of GCM (2006, Joux)
* [Comment to NIST](https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf)
# Invalid curve attack
## Practical Invalid Curve Attacks on TLS-ECDH (ESORICS 2015)
* Applies to TLS-ECDH with a static server key (the same private key is used in every handshake); ECDHE is only affected if the server reuses its supposedly ephemeral key.
* Good basics of EC: the affine addition and doubling formulas never use the curve parameter b, and addition does not use a either. That is why a point on a different curve y^2 = x^3 + ax + b' is processed without complaint unless the implementation explicitly validates it.
* Two phases: an offline phase that finds invalid curves (same a, different b') with points of small order, and an online phase that sends those points, learns the server's secret modulo each small order from the resulting premaster secret, and combines the residues with the CRT.
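The two phases above on a toy curve, as an added example (my code, not the paper's). Everything is constructed: the prime field, the curve, the server secret 613, and the "server" itself, which reuses one private key and returns the x-coordinate of the shared point without checking that the peer's point lies on the curve. The field is tiny so the small-order points can be found by counting points, and each residue of d by brute force; the x-only secret is handled as in the paper, by keeping both signs of each residue and settling them against the server's public key.

```python
"""Toy invalid-curve attack on static ECDH (added example, not the paper's code).

Constructed parameters: a tiny prime field, so every step can be brute-forced and checked
by hand.  The two facts the attack needs are visible in ec_add(): point addition uses
neither a nor b, and doubling uses a but not b.  A server that multiplies an unvalidated
peer point by its long-lived private key d is therefore doing the arithmetic on whatever
curve y^2 = x^3 + a x + b' the point happens to lie on.
"""
from itertools import product

P, A, B = 1009, 3, 7      # the "real" curve y^2 = x^3 + A x + B over GF(P) (constructed)
INF = None                # point at infinity
MAX_ORDER = 60            # only subgroups this small are used (brute force per query)


def ec_add(p1, p2, a, p):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p      # doubling: uses a, not b
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p             # addition: uses neither
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt, a, p):
    r, q = INF, pt
    while k:
        if k & 1:
            r = ec_add(r, q, a, p)
        q = ec_add(q, q, a, p)
        k >>= 1
    return r


def curve_points(a, b, p):
    """Every affine point of y^2 = x^3 + a x + b; the group order is len(points) + 1."""
    sqrt = {}
    for y in range(p):
        sqrt.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in sqrt.get((x ** 3 + a * x + b) % p, [])]


def prime_factors(n):
    fs, q = [], 2
    while q * q <= n:
        if n % q == 0:
            fs.append(q)
            while n % q == 0:
                n //= q
        q += 1
    return fs + ([n] if n > 1 else [])


def crt(residues, moduli):
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, q) % q)
        m *= q
    return x % m


class StaticEcdhServer:
    """Static ECDH: one private key for every handshake, no point validation (the bug)."""
    def __init__(self, d):
        self.d = d
        self.G = curve_points(A, B, P)[0]
        self.pub = ec_mul(d, self.G, A, P)

    def premaster(self, peer_point):
        s = ec_mul(self.d, peer_point, A, P)      # never checks peer_point is on (A, B)
        return None if s is INF else s[0]         # TLS-ECDH uses only the x-coordinate


def invalid_curve_attack(server):
    """Returns every d' < n_real consistent with the collected residues and with the
    server's public key; the real d is always among them."""
    n_real = len(curve_points(A, B, P)) + 1
    options, moduli, prod, b_bad = [], [], 1, 0
    while prod <= n_real:                         # offline phase: points of small order
        b_bad += 1
        if b_bad == B or (4 * A ** 3 + 27 * b_bad ** 2) % P == 0:
            continue                              # skip the real curve and singular ones
        pts = curve_points(A, b_bad, P)
        n_bad = len(pts) + 1
        for q in prime_factors(n_bad):
            if q > MAX_ORDER or q in moduli:
                continue
            Q = next(r for r in (ec_mul(n_bad // q, pt, A, P) for pt in pts) if r is not INF)
            got = server.premaster(Q)             # online phase: one handshake per subgroup
            for k in range(q):                    # x-only secret: k and q-k look the same
                s = ec_mul(k, Q, A, P)
                if (None if s is INF else s[0]) == got:
                    options.append({k, (q - k) % q})
                    moduli.append(q)
                    prod *= q
                    break
    found = set()
    for signs in product(*options):               # settle the +/- choices with the public key
        d = crt(signs, moduli)
        if d < n_real and ec_mul(d, server.G, A, P) == server.pub:
            found.add(d)
    return sorted(found)


if __name__ == "__main__":
    print(invalid_curve_attack(StaticEcdhServer(613)))   # 613 is the constructed secret
```

The fix is the one the paper and the Antipa et al. reference below prescribe: check that the received point satisfies the curve equation (and, for curves with a cofactor, that it has the right order) before multiplying by the private key.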
## Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems (CRYPTO 2000)
* https://www.iacr.org/archive/crypto2000/18800131/18800131.pdf
* Covers good basics of EC in Sec 2.
## Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. PKC 2003, LNCS vol. 2567, pp. 211–223. Springer, Heidelberg (2002)
# FREAK
## A Messy State of the Union: Taming the Composite State Machines of TLS (IEEE S&P, 2015)
* https://www.ieee-security.org/TC/SP2015/papers-archived/6949a535.pdf
* Export-grade cipher suites already existed in SSL 3.0 and TLS 1.0; they were deprecated in TLS 1.1 (RFC 4346) but stayed implemented. FREAK exploits client state machines that accept an RSA_EXPORT ServerKeyExchange (a 512-bit RSA key) in a handshake that negotiated a non-export RSA suite.
# CRIME
* https://threatpost.com/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512/76973/
* Affects every SSL/TLS version, since the leak comes from TLS-level (DEFLATE) compression rather than from a particular protocol version; the fix is to disable TLS compression.
* Background: [Compression and Information Leakage of Plaintext](https://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf) (Kelsey, FSE 2002) already described the principle.
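The leak described above, as an added example (my code, not from either article). The scenario is constructed: the attacker controls the request path, the browser appends the secret cookie, the request is DEFLATE-compressed as TLS compression did, and the attacker sees only the compressed length, here read from zlib instead of the wire. The cookie value, header layout and alphabet are assumptions; the attacker is assumed to know the cookie's length, and stops when no byte wins outright.

```python
"""CRIME-style compression side channel (added example; not code from the linked articles).

Constructed scenario: the attacker chooses the request path, the browser appends the secret
cookie, and the request is DEFLATE-compressed before transmission, as TLS compression did.  The
only observable is the compressed length, here taken straight from zlib instead of a network.
"""
import zlib

SECRET = "7f3a9c2d1b04e5f6"                 # constructed session cookie value
ALPHABET = "0123456789abcdef"


def compressed_request_len(path, secret=SECRET):
    """Length of the compressed request the browser would send for an attacker-chosen path."""
    req = (f"GET /search?q={path} HTTP/1.1\r\n"
           f"Host: example.com\r\n"
           f"Cookie: session={secret}\r\n\r\n")
    return len(zlib.compress(req.encode()))


def score(known, guess, secret=SECRET):
    """Lower is better.  A correct guess extends the LZ77 match between the URL and the
    cookie by one byte, saving a literal (7 or 8 bits).  The stream is byte-aligned, so a
    7-bit saving can vanish when the stream happens to end on a byte boundary; the second
    trial appends "ZZZZZZ", which costs a literal plus a short match (not a multiple of 8
    bits), so the two trials end on different alignments and at least one shows the saving."""
    return sum(compressed_request_len(f"session={known}{guess}&z={filler}", secret)
               for filler in ("", "ZZZZZZ"))


def recover_secret(secret=SECRET):
    known = ""
    while len(known) < len(secret):
        scores = {c: score(known, c, secret) for c in ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:                 # no unique winner: stop rather than guess
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print(recover_secret())
```

Each recovered byte costs 2 × 16 requests here; against a real browser the same loop is driven by injected JavaScript and the lengths are read off the TLS records, which is why the only reliable mitigation is to not compress secrets together with attacker-controlled data.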
# RSA signature forgery attack
* https://www.reddit.com/r/netsec/comments/2hd1m8/comment/cksnr02/
* PKCS#1 v1.5 signature encoding of a message M: 0x00 || 0x01 || PS || 0x00 || T, where PS is at least eight 0xFF bytes filling the block and T is the DER DigestInfo (hash algorithm identifier plus the hash of M).
* https://www.imperialviolet.org/2014/09/26/pkcs1.html (Sep 2014)
* Implementation errors in NSS (BERserk): 1) the DigestInfo ASN.1 structure includes an optional parameters field, so arbitrary bytes could be inserted as that parameter; 2) an integer overflow in the ASN.1 parser.
* Bleichenbacher's original 2006 attack instead uses the bytes after the hash, trailing data a lenient verifier never looks at.
* Best practice: build the expected encoding and compare the whole decrypted block against it, instead of parsing the decrypted block.
# Papers
## Extending Bleichenbacher's forgery attack (Information and Media Technologies, 2008)
* https://www.jstage.jst.go.jp/article/imt/3/4/3_4_780/_pdf/-char/ja
* A good illustration of Bleichenbacher's 2006 attack. Table 5 is very good.
## Variants of Bleichenbacher’s Low-Exponent Attack on PKCS#1 RSA Signatures
* By Ulrich Kühn, Andrei Pyshkin, Erik Tews, Ralf-Philipp Weinmann
* https://download.hrz.tu-darmstadt.de/pub/FB20/Dekanat/Publikationen/CDC/sigflaw.pdf
* e is usually chosen with low Hamming weight; common public exponents are 3, 17 and 65537.
* The original Bleichenbacher forgery needs a large modulus (more than 3000 bits) so that the cube root lands inside the ignored region; the variants in this paper relax that requirement.
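The e = 3 forgery behind both the "RSA signature forgery attack" notes above and this paper, as an added worked example (my code, not from the linked posts or papers). The modulus is a constructed stand-in: a random odd 2048-bit number, which is enough because the attacker never needs the private key and the forged cube is never reduced. The vulnerable verifier is the one the notes describe, parsing the block and ignoring what follows the hash; the fixed one compares the whole block.

```python
"""Bleichenbacher-style PKCS#1 v1.5 forgery with e = 3 (added example, not code from the
linked posts or papers).  A stand-in modulus is constructed below; the attacker never needs
the private key, and the verifier's bug is the one the notes describe: it parses the decrypted
block and ignores what follows the hash instead of comparing the whole block.
"""
import hashlib
import hmac
import secrets

E = 3
K = 256                                      # modulus length in bytes (2048-bit)
# Constructed: any odd 2048-bit number serves as a stand-in public modulus here, because the
# forged cube s^3 stays below 2^2047 and is never reduced modulo N.
N = secrets.randbits(2048) | (1 << 2047) | 1
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def emsa_pkcs1_v15(msg):
    """0x00 || 0x01 || PS (0xFF bytes) || 0x00 || T, filling exactly K bytes."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t


def verify_parsing(msg, sig):
    """Vulnerable: walks the padding, then checks DigestInfo and hash where it finds them.
    It never checks that the hash is the last thing in the block."""
    m = pow(sig, E, N).to_bytes(K, "big")
    if m[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and m[i] == 0xFF:
        i += 1
    if i >= K or m[i] != 0x00:
        return False
    i += 1
    t = digest_info(msg)
    return m[i:i + len(t)] == t                    # trailing bytes m[i+len(t):] ignored


def verify_comparing(msg, sig):
    """Fixed: build the one valid encoding and compare all K bytes."""
    m = pow(sig, E, N).to_bytes(K, "big")
    return hmac.compare_digest(m, emsa_pkcs1_v15(msg))


def icbrt(n):
    """floor(cube root of n) by integer Newton iteration from an upper bound."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge(msg):
    """Put the shortest valid-looking prefix at the top of the block, zeros below, and take
    the cube root.  Rounding the root up changes only the low ~1360 bits of the cube, which
    all lie in the region the parser ignores, so the prefix survives."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1
    assert (s ** 3).to_bytes(K, "big").startswith(prefix)
    return s


if __name__ == "__main__":
    msg = b"pay 1000000 EUR to mallory"               # constructed message
    s = forge(msg)
    print(verify_parsing(msg, s), verify_comparing(msg, s))
```

With e = 65537 the same construction fails because the 65537th root of the target is far too small to survive rounding, which is the reason low exponents are singled out; the comparison-based verifier rejects the forgery for any exponent.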
## ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication (USENIX Security, 2021)
* Paper: https://www.usenix.org/system/files/sec21-brinkmann.pdf
* https://alpaca-attack.com/
## Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E) (USENIX Security, 2021)
* Paper: https://raccoon-attack.com/RacoonAttack.pdf
* Slides: https://iacr.org/submit/files/slides/2021/rwc/rwc2021/11/slides.pdf
* Attack code https://github.com/tls-attacker/raccoon-code.
* Based on the hidden number problem (HNP). An improved solution is given in the CRYPTO'09 paper https://www.iacr.org/archive/crypto2009/56770333/56770333.pdf
* TLS 1.2 (and earlier) strips leading zero bytes from the DH shared secret before feeding it to the key derivation function; TLS 1.3 keeps a fixed-length encoding.
* In static-DH cipher suites, the certificate contains a long-lived Diffie-Hellman public key (g, p, g^b mod p).
* SHA-256: block size 64 bytes. Padding adds 8 bytes of length plus at least 1 byte (0x80) = 9 bytes, so a message of 55 bytes fits exactly in one block, 64 + 55 = 119 bytes in two blocks, and 128 + 55 = 183 bytes in three.
* The key derivation function is based on HMAC. HMAC's key K is brought to the hash block size B: padded if shorter than B, hashed first if longer than B. The hashing case costs extra compression calls, and because of the zero stripping the secret's length decides which case applies (and how many blocks the hash takes), which is the timing oracle.
* Hidden number problem: a mod p is the hidden number. Knowing the k most significant bits of a · t_i mod p for a number of known t_i values, one recovers a by solving an instance of the Closest Vector Problem (CVP) in a lattice.
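The hidden number problem from the last bullet, solved end to end as an added example (my code, not the paper's or the raccoon-code repository's). The oracle is modelled exactly as stated: the attacker picks t_i and learns the top k bits of a · t_i mod p. The lattice is the Boneh-Venkatesan one, with the CVP turned into a shortest-vector search by embedding, and it is reduced with a textbook LLL over exact rationals. Sizes are constructed and toy: p = 2^31 − 1 and 14 leaked bits per sample, so it runs in well under a second; the real attack leaks one byte per accepted query from a 1024-bit group and needs more samples and stronger reduction.

```python
"""Hidden number problem solver for a Raccoon-style MSB oracle (added example, not the
paper's or the raccoon-code repository's code).

Setting, as in the note above: a is hidden, the attacker chooses t_i and learns the k most
significant bits of a*t_i mod p.  The lattice is the Boneh-Venkatesan one (CVP solved by
embedding), reduced here with a textbook LLL over exact rationals, which is fine for a
dozen dimensions.  Constructed toy size: p = 2^31 - 1 so it runs in well under a second.
"""
from fractions import Fraction
import random

P = (1 << 31) - 1             # toy prime (constructed); plays the role of the DH modulus
BITS = P.bit_length()


def msb_oracle(a, t, k):
    """What the side channel hands the attacker: the top k bits of a*t mod p."""
    return (a * t % P) >> (BITS - k) << (BITS - k)


def lll(basis, delta=Fraction(99, 100)):
    n = len(basis)
    b = [[Fraction(x) for x in row] for row in basis]
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu

    bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                  # size reduction; bs stays valid
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                mu[k][j] -= q
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                      # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def solve_hnp(samples, k):
    """samples = [(t_i, u_i)] with u_i = MSB_k(a*t_i mod p).  Returns a, or None."""
    m = len(samples)
    B = 1 << (BITS - k)           # a*t_i mod p = u_i + e_i with 0 <= e_i < B
    # Rows are scaled by P so the lattice stays integral.  The combination
    #   a*row_t - sum_i c_i*row_i - row_u = (P*(e_i - B/2), a*B, -P*B)
    # is short, so LLL should surface it; its last coordinate identifies it.
    rows = [[P * P if i == j else 0 for j in range(m)] + [0, 0] for i in range(m)]
    rows.append([P * t for t, _ in samples] + [B, 0])
    rows.append([P * (u + B // 2) for _, u in samples] + [0, P * B])
    for row in lll(rows):
        if abs(row[-1]) != P * B:
            continue
        c = (abs(row[m]) // B) % P      # the vector may carry a or a - p, with either sign
        for cand in (c, P - c):
            if all(msb_oracle(cand, t, k) == u for t, u in samples):
                return cand
    return None


def demo(seed=1, k=14, m=6):
    rng = random.Random(seed)
    a = rng.randrange(1, P)                               # hidden value (g^ab in Raccoon)
    samples = [(t, msb_oracle(a, t, k)) for t in (rng.randrange(1, P) for _ in range(m))]
    return a, solve_hnp(samples, k)


if __name__ == "__main__":
    print(demo())
```

The candidate check at the end matters: the lattice contains the vector for a − p as well as for a, and either sign of both, so the row LLL returns is only known up to that ambiguity until it is tested against the oracle outputs.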
## Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (CCS 2015)
* https://weakdh.org/imperfect-forward-secrecy.pdf
* The paper presents the Logjam attack against "export-grade" Diffie-Hellman. For a 512-bit modulus, after about a week of precomputation with the number field sieve, individual discrete logarithms in that group take about a minute.
* The number field sieve (NFS) is the most efficient known method for discrete logarithms in prime fields; it is an index-calculus algorithm. Four stages: polynomial selection, sieving, linear algebra and descent. Only the descent depends on the target element, so the first three stages can be precomputed once per group.
* In ephemeral Diffie-Hellman (DHE) the server chooses the group parameters (p, g) and sends its public value g^x mod p in ServerKeyExchange.
* DHE_EXPORT cipher suites restrict the group to at most 512 bits. This was not considered a problem because modern browsers neither offer nor accept DHE_EXPORT; Logjam is a man-in-the-middle downgrade that exploits the fact that the server's signature covers the group parameters but not the negotiated cipher suite, so the client cannot tell a 512-bit export group from a normal DHE one.
* Implementation: a modified CADO-NFS.
* A good demonstration of the attack (including the diagrams): https://www.mitls.org/pages/attacks/Logjam
## Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (IEEE S&P, 2013)
* https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf
* Slides: https://www.cl.cam.ac.uk/research/security/seminars/archive/slides/2013-10-15.pdf (good illustration of the attack)
* Called "Lucky 13" because exactly 13 bytes of header data (the 8-byte sequence number plus the 5-byte record header) are incorporated into the MAC calculation, which is what makes the hash block-boundary arithmetic work out.
* If badly formatted padding is encountered during decryption, a MAC check should still be performed to avoid the classic padding-oracle timing difference. But over what data? TLS 1.2 (RFC 5246 §6.2.3.2) says to compute the MAC as if the record had zero-length padding. Lucky 13 shows this is not enough: the number of bytes being MACed, and therefore the number of hash compression calls, still depends on whether the padding was accepted.
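The record processing from the two bullets above, modelled as an added example (my code, not the paper's nor any TLS stack's). It builds MAC-then-pad-then-encrypt records, opens them the way RFC 5246 prescribes, and reports the number of SHA-1 compression calls the HMAC needed, which is the quantity the real attack measures as time. The block cipher is a constructed invertible stand-in rather than AES, since the attack needs only CBC's malleability; the record header, keys and victim plaintext are constructed too, and the length field in the header is held fixed for simplicity.

```python
"""Lucky Thirteen, modelled (added example; not the paper's code nor any TLS stack's).

A TLS 1.2 CBC record is MAC-then-pad-then-encrypt: data || MAC || padding.  The receiver below
follows RFC 5246 (bad padding: MAC as if the padding had zero length) and reports how many
SHA-1 compression-function calls its HMAC needed, the quantity the real attack measures as
time.  The 16-byte block cipher is a constructed invertible stand-in, not AES: the attack only
needs CBC's malleability.  Record header and key material are constructed too.
"""
import hashlib
import hmac
import os

MAC_LEN = 20                                           # HMAC-SHA1
HEADER = bytes(8) + b"\x17\x03\x03\x00\x40"            # 8-byte seq. no. + 5-byte header = 13 bytes
MULT = 0x2545F4914F6CDD1D                              # constructed odd multiplier
MULT_INV = pow(MULT, -1, 1 << 128)
XOR_KEY = 0x0123456789ABCDEF0123456789ABCDEF


def block_encrypt(x):
    return ((int.from_bytes(x, "big") ^ XOR_KEY) * MULT % (1 << 128)).to_bytes(16, "big")


def block_decrypt(y):
    return ((int.from_bytes(y, "big") * MULT_INV % (1 << 128)) ^ XOR_KEY).to_bytes(16, "big")


def cbc_encrypt(iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), 16):
        prev = block_encrypt(bytes(a ^ b for a, b in zip(pt[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(iv, ct):
    blocks = [iv] + [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return b"".join(bytes(a ^ b for a, b in zip(block_decrypt(c), p))
                    for p, c in zip(blocks, blocks[1:]))


def hmac_compressions(msg_len):
    """SHA-1 compressions for HMAC over msg_len bytes: inner hash of ipad block + message
    (+9 bytes of padding, rounded up to 64-byte blocks) plus two for the outer hash."""
    return (64 + msg_len + 9 + 63) // 64 + 2


def make_record(mac_key, iv, data):
    tag = hmac.new(mac_key, HEADER + data, hashlib.sha1).digest()
    pad = 15 - (len(data) + MAC_LEN) % 16              # pad byte value; pad+1 bytes appended
    return cbc_encrypt(iv, data + tag + bytes([pad]) * (pad + 1))


def open_record_leaky(mac_key, iv, ct):
    """(accepted, compressions).  The MAC work depends on the padding check's outcome."""
    pt = cbc_decrypt(iv, ct)
    pad = pt[-1]
    if pad + 1 + MAC_LEN <= len(pt) and pt[-(pad + 1):] == bytes([pad]) * (pad + 1):
        body = pt[:-(pad + 1)]
    else:
        body = pt                                       # RFC 5246: as if zero-length padding
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    ok = hmac.compare_digest(hmac.new(mac_key, HEADER + data, hashlib.sha1).digest(), tag)
    return ok, hmac_compressions(len(HEADER) + len(data))


def open_record_constant(mac_key, iv, ct):
    """Same decision, but the MAC work is always that of the zero-padding case: a fixed
    implementation runs dummy compressions to make up the difference, so the count no
    longer depends on the padding."""
    ok, _ = open_record_leaky(mac_key, iv, ct)
    return ok, hmac_compressions(len(HEADER) + len(ct) - MAC_LEN)


def forge_probe(target_prev, target_block, guess):
    """Attacker's 4-block record: 2 random blocks, then target_prev ^ mask, then the target
    block, so the last plaintext block is P* ^ mask.  If guess equals the last two bytes of
    P*, the block ends in 0x01 0x01: valid 2-byte padding, MAC over 13 + 42 = 55 bytes,
    4 compressions; any other outcome for this 64-byte record costs 5."""
    mask = bytes(14) + bytes([guess[0] ^ 0x01, guess[1] ^ 0x01])
    prev = bytes(a ^ b for a, b in zip(target_prev, mask))
    return os.urandom(16), os.urandom(32) + prev + target_block


def recover_last_two_bytes(oracle, target_prev, target_block):
    """2^16 queries without prior knowledge; one known byte brings it down to 2^8.  If the
    third-last byte of P* happens to be 0x02, a 0x02 0x02 0x02 padding also costs 4 and
    would need a second query to rule out."""
    for g in range(1 << 16):
        guess = g.to_bytes(2, "big")
        if oracle(*forge_probe(target_prev, target_block, guess))[1] == 4:
            return guess
    return None


def demo():
    mac_key, iv = os.urandom(20), os.urandom(16)
    data = b"Cookie: session=verysecretvalue"              # constructed victim plaintext
    ct = make_record(mac_key, iv, data)
    leaky = lambda i, c: open_record_leaky(mac_key, i, c)
    return recover_last_two_bytes(leaky, iv, ct[:16]), data[14:16]  # first block, prev = IV
```

The MAC failure is the same in every probe; only the amount of work before the failure differs, and the record (header included) is sized so that the valid-padding case lands exactly on the 55-byte boundary from the previous section's SHA arithmetic.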
## On the security of TLS 1.2 and TLS 1.3: a comparison (GRIN Verlag, 2021)
* By Sarah Syed-Winkler
* Explains BEAST and Lucky Thirteen attack
* "As of November 2020, Let's Encrypt Inc. served 232 million websites with 144 million active certificates."
* Layers, Fig 5: application layer (HTTP, FTP, Telnet, SMTP, DNS), presentation layer (SSL/TLS, DTLS), transport layer (TCP, UDP), network layer (IP). The figure's placement is the usual OSI-style one: TLS runs above TCP/UDP and below the application protocol, so it is not part of the transport layer despite its name.
* History: SSL 2.0 (1995), SSL 3.0 (1996). Wire version numbers: 3.1 = TLS 1.0 (1999), 3.2 = TLS 1.1 (2006), 3.3 = TLS 1.2 (2008). DTLS 1.0 (2006), DTLS 1.2 (2012). TLS 1.3 (2018).
* TLS record layer: 1) fragment data; 2) compress; 3) compute MAC; 4) add padding; 5) encrypt the record. The last three steps are the MAC-then-pad-then-encrypt construction.
* Stream ciphers keep state across records, which does not survive UDP loss and reordering, so DTLS does not allow them.
* DTLS 1.2: the server answers the first ClientHello with HelloVerifyRequest(cookie) and the client repeats the ClientHello including the cookie, so that the server commits no state and does no expensive work until the client has shown it can receive at its claimed address (DoS and amplification protection).
* RFC 7457 (2015) summarizes known attacks on TLS and DTLS.
* Table 2: classification of SSL/TLS attacks with CVEs looks informative.
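The HelloVerifyRequest cookie exchange from the DTLS bullet above, as an added example (my code, not from the book or any DTLS implementation). The cookie is an HMAC, under a server-side secret, over the client's address and the ClientHello fields the client must repeat verbatim, so the server holds no per-client state between the two ClientHellos. Secret rotation keeps the previous key valid so a rotation does not strand a client mid-exchange. Addresses, hello contents and the key rotation policy are assumptions.

```python
"""Stateless HelloVerifyRequest cookie in the shape RFC 6347 describes (added example; not
code from any DTLS implementation).  The cookie is an HMAC under a server-side secret over
the client's address and the ClientHello fields the client must repeat; the server keeps no
per-client state until a ClientHello comes back carrying a cookie that verifies.  Secrets are
rotated and the previous one stays valid, so a rotation does not strand a client between its
two ClientHellos.  Addresses and hello contents below are constructed.
"""
import hashlib
import hmac
import os


class CookieExchange:
    def __init__(self):
        self.keys = [os.urandom(32), os.urandom(32)]        # [current, previous]

    def rotate(self):
        """Call periodically; cookies issued under the previous key still verify."""
        self.keys = [os.urandom(32), self.keys[0]]

    def _cookie(self, key, addr, hello_fields):
        return hmac.new(key, addr.encode() + b"\x00" + hello_fields, hashlib.sha256).digest()

    def on_client_hello(self, addr, hello_fields, cookie=b""):
        """Returns ("HelloVerifyRequest", cookie) or ("ServerHello", None).
        addr: the UDP source address:port; hello_fields: the ClientHello fields that must be
        identical in the retransmission (version, random, session id, cipher suites, ...)."""
        if cookie and any(hmac.compare_digest(self._cookie(k, addr, hello_fields), cookie)
                          for k in self.keys):
            return "ServerHello", None
        return "HelloVerifyRequest", self._cookie(self.keys[0], addr, hello_fields)


def demo():
    srv = CookieExchange()
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2b\xc0\x2f"   # constructed fields
    step1 = srv.on_client_hello("198.51.100.7:4433", hello)             # no cookie yet
    step2 = srv.on_client_hello("198.51.100.7:4433", hello, step1[1])   # echoes it back
    spoof = srv.on_client_hello("203.0.113.9:4433", hello, step1[1])    # other source address
    return step1[0], step2[0], spoof[0]
```

The address binding is what defeats reflection: a spoofed ClientHello only ever earns a small HelloVerifyRequest, never the larger ServerHello flight, and never costs the server a key exchange.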
# Informal references
## Dancing protocols, POODLEs and other tales from TLS
* https://blog.hboeck.de/archives/858-Dancing-protocols,-POODLEs-and-other-tales-from-TLS.html
* Protocol dance: the browser retries the handshake with successively older protocol versions until one connects, which lets an active attacker force a downgrade (the dance POODLE relies on).
* Two different Bleichenbacher attacks: 1) the padding-oracle attack on PKCS#1 v1.5 RSA encryption (1998); 2) the low-exponent signature forgery against PKCS#1 v1.5 (2006, BB06).
* BERserk is a variant of 2), BB06.
* Alongside BB06 the advice was not to use RSA keys with very small public exponents such as 3; today almost everyone uses 65537. (Strict comparison of the encoding, as noted above, is the actual fix.)
* PKCS#1 v1.5 is the old standard for RSA encryption and signatures.
* PKCS#1 v2.1 adds RSAES-OAEP for encryption and RSASSA-PSS for signatures.