
On the Effective Prevention of TLS Man-in-the-Middle Attacks in Web Applications

Nikolaos Karapanos and Srdjan Capkun, ETH Zürich

Presented by: Xuzong Chen

Outline

Background: TLS

Problem definition: MITM

An existing solution: TLS Channel ID

An attack on Channel ID: MITM-SITB

The proposed solution: SISCA

Remarks

TLS

Transport Layer Security

X.509 certificates

Security services:

Confidentiality

Integrity

Authentication

MITM
User, Mallory, Server

User to Mallory: GET /api/v1/me
Mallory to Server: GET /api/v1/me
Server to Mallory: 200 {me.json}
Mallory to User: 200 {maybe_tampered.json}

MITM

Impersonating the server to the user

(Assumed to be already achieved by the attacker.)

Impersonating the user to the server

(Considered to be attempted by the attacker.)

User, Mallory, Server

User to Mallory: GET /
Mallory to User: 200 {fake login form}
User to Mallory: POST /login {credentials}
Mallory to Server: POST /login {credentials}
Server to Mallory: 200 (user home page; session cookie)
Notice that by now, the attacker has gained all privileges.
Mallory to Server: POST /transfer/ {target account, amount}
Server to Mallory: 200
Mallory to User: 302 <server domain>/
User to Server: GET /
Server to User: 200 {real login form}
Users might assume they mistyped their password.

TLS Channel ID
BALFANZ, D., AND HAMILTON, R. Transport Layer Security (TLS) Channel IDs, v01 (IETF Internet-Draft), http://tools.ietf.org/html/draft-balfanz-tlschannelid-01, 2013.

Strong Client Authentication (SCA)

Server authenticates client

A Channel ID is the public key of a key pair generated by the browser.

Each Channel ID identifies a TLS connection.

Strong credentials (i.e. not transmitted through the network)

TLS Channel ID
[Figure 1: PhoneAuth and FIDO U2F; leveraging Channel IDs. Diagram labels: Auth. Protocol, TLS, Channel ID of the browser, Channel ID witnessed by the server.]

Attack: MITM-SITB
(Man-in-the-middle Script-in-the-browser)

An attacker can communicate with the server on behalf of the user.

Attacker intercepts the user's request, injects a malicious script, then allows the user through to the legitimate server.

Attack: MITM-SITB
(Man-in-the-middle Script-in-the-browser)
1. Intercept connection
2. Push malicious script
3. Close connection
4. Gain control

[Diagram with steps 1 to 3 marked. Labels: HTTP, TLS, Auth. Protocol, Channel ID of the browser, Channel ID witnessed by the server.]

Proposed solution: SISCA

Server Invariance with Strong Client Authentication

Ensure that the user is only communicating with one server.

Server establishes information about each client, which other servers won't know.

Proposed solution: SISCA


1. Initialization
2. Verification

1a, 2a: First HTTP request
1b, 2b: First HTTP response

Browser: rb, rs; TLS connection with Channel ID cidb
Server: keys ks1, ks2

1a: Init, rb
1b: rs, t1, t2
t1 = MAC(ks1,1|rb|rs|cidb)
t2 = MAC(ks2,2|rb|rs|cidb)

2a: Verify, rb, rs, t1
t1 MAC(ks1,1|rb|rs|cidb) (comparison symbol not recoverable)
2b: t2
t2 = MAC(ks2,2|rb|rs|cidb)

Diagram annotations: store: [rb, cidb, rs]; lookup: rs from [rb, cidb]; (forget t1, t2, rb, rs, cidb)
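
The Init/Verify exchange on this slide as a runnable sketch (an added example, not code from the slides or the paper). Assumptions: HMAC-SHA256 as the MAC, length-prefixed fields, 16-byte nonces, byte strings standing in for Channel IDs, and the browser keeping rs, t1 and t2 from initialization and comparing the t2 returned in 2b; the slide's store/lookup annotations are not modelled, and the `Server`, `Browser` and `demo` names are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key, label, rb, rs, cid):
    # MAC(k, label|rb|rs|cid). Length-prefixing each field is an assumption
    # added here so that the concatenation is unambiguous.
    fields = b"".join(len(f).to_bytes(2, "big") + f for f in (rb, rs, cid))
    return hmac.new(key, label + fields, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.ks1, self.ks2 = secrets.token_bytes(32), secrets.token_bytes(32)

    def init(self, rb, cid):
        # 1a -> 1b: answer "Init, rb" with rs, t1, t2, then keep nothing.
        rs = secrets.token_bytes(16)
        return rs, mac(self.ks1, b"1", rb, rs, cid), mac(self.ks2, b"2", rb, rs, cid)

    def verify(self, rb, rs, t1, cid):
        # 2a -> 2b: cid is the Channel ID witnessed on *this* TLS connection.
        if not hmac.compare_digest(t1, mac(self.ks1, b"1", rb, rs, cid)):
            return None
        return mac(self.ks2, b"2", rb, rs, cid)

class Browser:
    def __init__(self, cid):
        self.cid, self.rb, self.state = cid, secrets.token_bytes(16), None

    def initialize(self, server):
        self.state = server.init(self.rb, self.cid)  # assumed: keep rs, t1, t2

    def server_invariant(self, respond):
        # Send "Verify, rb, rs, t1" and compare the answer with the stored t2.
        rs, t1, t2 = self.state
        answer = respond(self.rb, rs, t1)
        return answer is not None and hmac.compare_digest(answer, t2)

def demo():
    server = Server()
    browser = Browser(b"constructed-browser-cid")  # stand-in for the public key
    browser.initialize(server)
    # Direct connection: the server witnesses the browser's own Channel ID.
    direct = browser.server_invariant(lambda rb, rs, t1: server.verify(rb, rs, t1, browser.cid))
    # Relayed over another party's TLS connection: a different Channel ID is witnessed.
    relayed = browser.server_invariant(lambda rb, rs, t1: server.verify(rb, rs, t1, b"constructed-other-cid"))
    # A party without ks2 answering on its own cannot produce the stored t2.
    guessed = browser.server_invariant(lambda rb, rs, t1: secrets.token_bytes(32))
    return direct, relayed, guessed
```

`demo()` returns one boolean per scenario; only the direct connection passes the check, because t1 and t2 are bound to the Channel ID the server witnesses.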

Remarks

Unclear notion of strong credentials

Using a strong second factor authentication device?

strong second factor authentication device, as in PhoneAuth [13] and FIDO Universal 2nd Factor (U2F) [22] protocols

Credentials that are not sent through network?

Such credentials are considered weak; they are transmitted over the network and are susceptible to theft and abuse, unless protected by TLS.

Remarks

Insufficient description of Channel ID, which this paper strongly depends on.

[Figure 1: PhoneAuth and FIDO U2F; leveraging Channel IDs. Diagram labels: Auth. Protocol, TLS, Channel ID of the browser, Channel ID witnessed by the server.]

Remarks

Doesn't help prevent server-impersonation

User may see content from an attacker in response to a request made to the server.

Remarks

Requires lots of changes to existing systems

the server sends a list of all the involved domains and all their public keys to the browser

For the protocol to be secure, on the client side this header is controlled solely by the browser. It cannot be created or accessed programmatically via scripts
