不能相信的相信我之術: 網路連線雙方驗證時,那些意想不到的坑
Don't bieleve "Believe me"
the pitfalls of authentication
郭學聰 Hsueh-Tsung Kuo
Sat, 15 Oct 2022
CC BY-SA 4.0
Who am I?
Someone (who?) said:
a game programmer should be able to draw cute anime character(?)
- A programmer from game company in Taiwan.
- Backend (and temporary frontend) engineer.
- Usually develop something related to my work in Python, Ruby, ECMAScript, Golang, C#.
- ECMAScript hater since Netscape is dead.
- Built CDN-aware game asset update system.
- Business large passenger vehicle driver.
- Draw cute anime character in spare time.
Outline
- Introduction
- Encrypted data exchanging
- Trusted data exchanging
- Trusted data exchanging
- User
- Password
- One-time password
- MFA
- OAuth 1/2
- Signature
- HMAC
- RSA
- User
- Trusted data exchanging
- Service
- SSL
- TLS
- Public key certificate
- RSA
- ECC: ECDSA/EdDSA/Ed25519
- CA
- Chain of trust
- Peer to peer
- Centralized
- Distributed
- Service
- When trust is broken…
- User
- Online account recovering
- Offline
- Server
- Cert revoke
- CRL
- OCSP & OCSP Stapling
- The real world - revoking might not work
- DV/OV/EV
- Client: Chrome/Edge,Firefox,Safari,IE,Android
- Cert revoke
- User
- Conclusion
- Resource
- Q&A
Introduction
Encrypted data exchanging
- To ensure that only connection peer can understand the content.
- Man in the middle could knows they exchange something.
- Contents might be guessed.
Trusted data exchanging
- To ensure that the connection target is really the target.
Trusted data exchanging
"How to know that connection target is really the target?"
Trusted data exchanging
- User
- Service
- Peer to peer
User
- Password
- One-time password
- MFA
- OAuth 1/2
- Signature
Password
- A secret data used to confirm a user's identity.
- Typically a string of characters.
- Example:
- "qawsedrftgyhujikolp"
- "qawsedrftgyhujikolp"
One-time password
- A password that is valid for only one login session or transaction.
- Example:
- SMS OTP
- e-mail OTP
- Security token for online game
Security token
MFA
- Multi-factor authentication
- Subset: Two-factor authentication.
- Successfully presenting two or more pieces of evidence.
- Ex: password + one-time code
OAuth 1/2
- "Open Authorization"
- Grant websites or apps access to personal information on other websites without giving private evidence.
Signature
- Verify the authenticity of digital data by asymmetric cryptography.
- Signer
- Calculate hash of digital data.
- Encrypt hash using private key.
- Verifier
- Calculate hash of digital data.
- Verify hash using public key.
- Signer
Signature
- Only specific key owner can produce the content.
- Own the specific key indicates who it is.
- Suitable for bot
service. - Example:
- HMAC
- Amazon S3
- RSA
- Google Cloud Storage
- HMAC
Signature
- HMAC
- Peers share the same key.
- RSA
- Service provider owns public key.
- Service user owns private key.
Service
- SSL/TLS
- Handshake by asymmetric cryptography.
- Tell client it is genuine and integrity.
- By public key certificate.
- Exchange symmetric key.
- Tell client it is genuine and integrity.
- Transfer data by symmetric cryptography.
- Handshake by asymmetric cryptography.
SSL
- Secure Sockets Layer
- Introduced by Netscape.
- SSL 1.0 2.0 3.0
TLS
- Transport Layer Security
- IETF refines from SSL 3.0 and standardizes it.
- TLS 1.0 1.1 1.2 1.3
Public key certificate
- Identity document with signature.
- To prove it and its key are genuine.
- Issue
- Self-signed
- Sign by CA
Public key certificate
- Format
- X.509
- ITU standard
- The format of public key certificates.
- X.509
- Signature Algorithm
DSA(too weak)- RSA
- ECDSA/EdDSA/Ed25519
RSA
- Based on modulus & factorization.
- Encryption
- Encrypt using public key.
- Decrypt using private key.
- Signature
- Sign using private key.
- Verify using public key.
ECC (Elliptic Curve Cryptography)
- Based on modulus & elliptic curve.
- Less calculation & memory cost.
- Harder to guess.
- Implementation: ECDSA/EdDSA/Ed25519
CA
- Certificate Authority
- Sign certificate for websites.
- The certificate which represents CA is self-signed.
- Distribute certificates with browsers.
- Browser should be downloaded from trusted origins.
- Distribute certificates with browsers.
Chain of trust
- The root certificate tell that ends are genuine.
- Clients validate public key from the end entity up to the root certificate.
Peer to peer
- Centralized
- Distributed
Centralized
- Certificate signed by CA
- Example:
- VPN using certificates signed by CA
Distributed
- Pre-shared key or certificate
- Offline acquired
- Online acquired
- Based on trusted and secured connections.
- Example:
- Various types of VPN protocols
- Blockchain (cryptocurrencies, NFT)
- BitTorrent(!?)
When trust is broken…
Case study:
https://techcrunch.com/2021/11/15/hpe-aruba-data-breach/
User
- Online account recovering
- Offline
Online account recovering
- Detected
- Temporarily deactivate account.
- Then wait for account restoring.
- Temporarily deactivate account.
- Stolen
- Call customer service.
- The account might be stolen forever.
- Call customer service.
Offline
- Go to the counter and show your ID card.
Server
- Cert expired
- Cert revoke
Cert revoke
- CRL
- OCSP
- OCSP Stapling
CRL
- Certificate Revocation List
- A black list of certificates published from CA.
OCSP
- Online Certificate Status Protocol
- Send request to obtain the revocation status of an X.509 certificate.
- Impact connection performance.
- Leak privacy (others know who accessed something).
OCSP Stapling
- Cache OCSP result and integrate it in TLS handshake.
client->server: client hello
note right of server: valid OCSP response?
note right of server: Y -> use cached OCSP response
server->CA: N -> OCSP request
CA->server: OCSP response
server->client: server hello
note left of server: certificate/certificate status
note left of client: valid certificate?
client->server: Y -> complete handshake
client->server: N -> abort handshake
The real world - revoking might not work
- Browsers might not ask revocation status from CRL/OCSP.
- Browsers maintain their own certificate revoke list or behavior.
- To initialize connection faster.
- Browsers maintain their own certificate revoke list or behavior.
DV/OV/EV
- Domain Validation
- Control the domain
- Organization Validation
- Registered organization
- Extended Validation
- Business detail (accountant, etc)
VIP
Client
| Browser | Cert DV | Cert EV | Comment |
|---|---|---|---|
| Chrome/Edge (Windows) |  |
(?) |
always ignored(?) |
| Firefox (OCSP on (default)) |  |
|
OneCRL |
| Firefox (OCSP off) | |
|
OneCRL |
| Safari | |
|
 |
| Chrome/Edge (MacOS) | |
|
based on MacOS |
| IE | |
|
very strict |
| Android | |
|
always ignored |
Conclusion
Experience
- Authentication is not as strict as you think.
- When handling authentication, doubt it first.
Slogan
質疑是資安的根本
郭學聰 Hsueh-Tsung Kuo2022_10_15
Resource
Reference
- How Do Browsers Handle Revoked SSL/TLS Certificates?
- No, don't enable revocation checking (19 Apr 2014)
- OCSP & CRL 介紹
Q&A
不能相信的相信我之術: 網路連線雙方驗證時,那些意想不到的坑 Don't bieleve "Believe me" the pitfalls of authentication 郭學聰 Hsueh-Tsung Kuo Sat, 15 Oct 2022 CC BY-SA 4.0
{"metaMigratedAt":"2023-06-17T05:31:30.890Z","metaMigratedFrom":"YAML","breaks":true,"description":"View the slide with \"Slide Mode\".","slideOptions":"{\"spotlight\":{\"enabled\":false},\"allottedMinutes\":40}","title":"Don't bieleve \"Believe me\" - the pitfalls of authentication","contributors":"[{\"id\":\"ea27dcd7-a3f2-47c2-b25e-6760e7936c38\",\"add\":35692,\"del\":15273}]"}