Beruflich Dokumente
Kultur Dokumente
of TLS Man-in-the-Middle
Attacks in Web Applications
Nikolaos Karapanos and Srdjan Capkun, ETH Zrich
Outline
Background: TLS
Remarks
2
TLS
X.509 certificates
Security services:
Confidentiality
Integrity
Authentication
3
MITM
User
Mallory
Server
GET /api/v1/me
GET /api/v1/me
200 {me.json}
200 {maybe_tampered.json}
User
Mallory
Server
MITM
User
Mallory
Server
GET /
200 {fake login form}
POST /login {credentials}
POST /login {credentials}
200 (user home page;
session cookie)
Notice that by now, the attacker
has gained all privileges.
POST /transfer/
{target account, amount}
200
302 <server domain>/
GET /
200 {real login form}
Users might assume
they mistyped their password.
User
Mallory
Server
TLS Channel ID
BALFANZ, D., AND HAMILTON, R. Transport Layer, Security (TLS) Channel IDs, v01 (IETF Internet-Draft),
http://tools.ietf.org/html/draft-balfanz-tlschannelid-01, 2013.
TLS Channel ID
Auth.)Protocol
Auth.)Protocol
TLS
TLS
Channel)ID)of)the)
browser:
Channel)ID)witnessed)
by)the)server:
,
Attack: MITM-SITB
(Man-in-the-middle Script-in-the-browser)
Attack: MITM-SITB
(Man-in-the-middle Script-in-the-browser)
1. Intercept connection!
2. Push malicious script!
3. Close connection!
4. Gain control
1
HTTP
TLS
2
3
Auth.)Protocol
TLS
Channel)ID)of)the)
browser:
10
Channel)ID)witnessed)
by)the)server:
11
rb
rs
1a
TLS
cidb
rb
1a
2
2a
t1, t2
rs,Verify,
rb
TLS
rs cidb
rs rs
TLS
cidb
2a
rs
t1 = MAC(ks1,1|rb|rs|cidb)
1b
rs, t1, t2
t2 = MAC(ks2,2|rb|rs|cidb)
lookup: rs from [rb, cidb]
2b
(forget t1, t2, rb, rs, cidb)
Init, rb
t1 MAC(ks1,1|rb|rs|cidb)
t2 t2
TLS
cidb
12
2b
t2 = MAC(ks2,2|rb|rs|cidb)
Remarks
Remarks
Auth.)Protocol
TLS
Auth.)Protocol
TLS
Channel)ID)of)the)
browser:
Channel)ID)witnessed)
by)the)server:
,
Remarks
15
Remarks
16