illusoryTLS: Nobody But Us. Impersonate, Tamper and Exploit

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 20, 2015, 9 a.m. (50 minutes)

Cryptographic backdoors are a timely topic, often debated as a government matter to legislate on. At the same time, they define a space that some entities might have practically explored for intelligence purposes, regardless of the policy framework. The Web Public Key Infrastructure (PKI) we rely on daily provides an appealing target for attack. The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of trusting parties. Do we have sufficient assurance that this has not happened already?

We researched this scenario from both an experimental and a speculative point of view. From the experimental standpoint, we submitted an entry to the first Underhanded Crypto Contest, aimed at making a technical point. Aptly named illusoryTLS, the entry is an instance of the Young and Yung elliptic-curve asymmetric backdoor in RSA key generation. The backdoor targets a Certification Authority public-key certificate, imported into the certificate store of a fairly standard HTTPS client and TLS server. The security outcome is the worst possible one, because the backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to impersonate the endpoints (i.e., authentication failure), tamper with their messages (i.e., integrity erosion), and actively eavesdrop on their communications (i.e., confidentiality loss).

The illusoryTLS backdoor has some noteworthy properties:

1. NOBUS (Nobody But Us): Exploitation requires access to resources not embedded in the backdoor itself. In this case the secret resource is an elliptic-curve private key.
2. Indistinguishability: As long as a computational hardness assumption called Elliptic-Curve Decisional Diffie-Hellman (ECDDH) holds, the illusoryTLS backdoored key pairs appear to all probabilistic polynomial-time algorithms like genuine RSA key pairs. Therefore black-box access to the key generator does not allow detection.
3. Forward Secrecy: If a reverse-engineer breaches the key generator, the previously stolen information remains confidential (secure against reverse-engineering).
4. Reusability: The backdoor can be used multiple times and against multiple targets.

In the Internet X.509 PKI the security impact of such a backdoor would extend further: the presence of a single CA certificate with a secretly embedded backdoor in the certificate store renders the entire TLS security illusory. In fact, the current practice of universal implicit cross-certification makes the whole X.509 PKI as weak as its weakest link. Therefore, when dealing with this class of attacks in the context of X.509 PKIs, it may not be sufficient to avoid outsourcing key generation; one also needs assurance about the security of each implementation of vulnerable key-generation algorithms employed by trusted credential issuers.

At this time, Mac OS X Yosemite has 211 CA certificates installed. A similar number of certificates is present in the Firefox, Google Chrome, and Microsoft Windows certificate stores. Do we have sufficient assurance about the tens or hundreds of CA certificates we entrust our business to every day? We reviewed the key-generation security requirements set forth in the most relevant protection profiles of the Common Criteria certification processes and demanded by industry organizations and associations (e.g., the CA/Browser Forum), and answered in the negative. The conclusion is that, as long as the implementations of algorithms vulnerable to this class of backdoors that are adopted by trusted entities (e.g., CAs) cannot be audited by relying parties, the assurance provided by illusoryTLS (i.e., none whatsoever) is not any different from the assurance provided by systems relying upon TLS and the Web PKI for origin authentication, confidentiality, and message integrity guarantees.

Presenters:

  • Alfonso De Gregorio - secYOUre
    Alfonso De Gregorio is a security technologist, founder of BeeWise, the first cyber security prediction market, and Principal Consultant at secYOUre. He started his career in information security in the late 1990s. Since then he never stopped contributing his little share to the discussion and practice of security engineering. Among the positions held, he served as Chief Security Architect at an HSM vendor, Expert for the European Commission and Visiting Scholar at the Computer Security and Industrial Cryptography (COSIC) research group, K.U. Leuven. In his career as a public speaker, Alfonso addressed a wide range of audiences across the globe, including industry executives, academics, security practitioners, and hackers, speaking about security economics, software security, intelligence support systems, cryptography engineering and cryptographic backdooring. Alfonso researches solutions for building cybersecurity incentives, tweets @secYOUre, and generally does not speak of himself in the third person.
