Friday, September 28, 2012

On the (provable) security of TLS: Part 2

This is the second post in a series on the provable security of TLS. If you haven't read the first part, you really should!

The goal of this series is to try to answer an age-old question that is often asked and rarely answered. Namely: is the TLS protocol provably secure?

While I find the question interesting in its own right, I hope to convince you that it's of more than academic interest. TLS is one of the fundamental security protocols on the Internet, and if it breaks lots of other things will too. Worse, it has broken -- repeatedly. Rather than simply patch and hope for the best, it would be fantastic if we could actually prove that the current specification is the right one.

Unfortunately this is easier said than done. In the first part of this series I gave an overview of the issues that crop up when you try to prove TLS secure. They come at you from all different directions, but most stem from TLS's use of ancient, archaic cryptography; gems like, for example, the ongoing use of RSA-PKCS#1v1.5 encryption fourteen years after it was shown to be insecure.

Despite these challenges, cryptographers have managed to come up with a handful of nice security results on portions of the protocol. In the previous post I discussed Jonnson and Kaliski's proof of security for the RSA-based TLS handshake. This is an important and confidence-inspiring result, given that the RSA handshake is used in almost all TLS connections.

In this post we're going to focus on a similarly reassuring finding related to the the TLS record encryption protocol -- and the 'mandatory' ciphersuites used by the record protocol in TLS 1.1 and 1.2 (nb: TLS 1.0 is broken beyond redemption). What this proof tells us is that TLS's CBC mode ciphersuites are secure, assuming... well, a whole bunch of things, really.

The bad news is that the result is extremely fragile, and owes its existence more to a series of happy accidents than from any careful security design. In other words, it's just like TLS itself.

Records and handshakes 

Let's warm up with a quick refresher.

TLS is a layered protocol, with different components that each do a different job. In the previous post I mostly focused on the handshake, which is a beefed-up authenticated key agreement protocol. Although the handshake does several things, its main purpose is to negotiate a shared encryption key between a client and a server -- parties who up until this point may be complete strangers.

The handshake gets lots of attention from cryptographers because it's exciting. Public key crypto! Certificates! But really, this portion of the protocol only lasts for a moment. Once it's done, control heads over to the unglamorous record encryption layer which handles the real business of the protocol: securing application data.

Most kids don't grow up dreaming about a chance to work on the TLS record encryption layer, and that's fine -- they shouldn't have to. All the record encryption layer does is, well, encrypt stuff. In 2012 that should be about as exciting as mailing a package.

And yet TLS record encryption still manages to be a source of endless excitement! In the past year alone we've seen three critical (and exploitable!) vulnerabilities in this part of TLS. Clearly, before we can even talk about the security of record encryption, we have to figure out what's wrong with it.

Welcome to 1995
Development of the SSLv1
record encryption layer

The problem (again) is TLS's penchant for using prehistoric cryptography, usually justified on some pretty shaky 'backwards compatibility' grounds. This excuse is somewhat bogus, since the designers have actually changed the algorithms in ways that break compatibility with previous versions -- and yet retained many of the worst features of the originals.

The most widely-used ciphersuites employ a block cipher configured in CBC mode, along with a MAC to ensure record authenticity. This mode can be used with various ciphers/MAC algorithms, but encryption always involves the following steps:
  1. If both sides support TLS compression, first compress the plaintext.
  2. Next compute a MAC over the plaintext, record type, sequence number and record length. Tack the MAC onto the end of the plaintext.
  3. Pad the result with up to 256 bytes of padding, such that the padded length is a multiple of the cipher's block size. The last byte of the padding should contain the padding length (excluding this byte), and all padding bytes must also contain the same value. A padded example (with AES) might look like:

                0x MM MM MM MM MM MM MM MM MM 06 06 06 06 06 06 06
     
  4. Encrypt the padded message using CBC mode. In TLS 1.0 the last block of the previous ciphertext (called the 'residue') is used as the Initialization Vector. Both TLS 1.1 and 1.2 generate a fresh random IV for each record.
Upon decryption the attacker verifies that the padding is correctly structured, checks the MAC, and outputs an error if either condition fails. 

To get an idea of what's wrong with the CBC ciphersuite, you can start by looking at the appropriate section of the TLS 1.2 spec -- which reads more like the warning label on a bottle of nitroglycerin than a cryptographic spec. Allow me sum up the problems.

First, there's the compression. It's long been known that compression can leak information about the contents of a plaintext, simply by allowing the adversary to see how well it compresses. The CRIME attack recently showed how nasty this can get, but the problem is not really news. Any analysis of TLS encryption begins with the assumption that compression is turned off.

Next there's the issue of the Initialization Vectors. TLS 1.0 uses the last block of the previous ciphertext, which is absurd, insecure and -- worse -- actively exploitable by the BEAST attack. Once again, the issue has been known for years yet was mostly ignored until it was exploited.

So ok: no TLS 1.0, no compression. Is that all?

Well, we still haven't discussed the TLS MAC, which turns out to be in the wrong place -- it's applied before the message is padded and encrypted. This placement can make the protocol vulnerable to padding oracle attacks, which (amazingly) will even work across handshakes. This last fact is significant, since TLS will abort the connection (and initiate a new handshake) whenever a decryption error occurs in the record layer. It turns out that this countermeasure is not sufficient.

To deal with this, recent versions of TLS have added the following patch: they require implementers to hide the cause of each decryption failure -- i.e., make MAC errors indistinguishable from padding failures. And this isn't just a question of changing your error codes, since clever attackers can learn this information by measuring the time it takes to receive an error. From the TLS 1.2 spec:
In general, the best way to do this is to compute the MAC even if the padding is incorrect, and only then reject the packet. For instance, if the pad appears to be incorrect, the implementation might assume a zero-length pad and then compute the MAC. This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable.
To sum up: TLS is insecure if your implementation leaks the cause of a decryption error, but careful implementations can avoid leaking much, although admittedly they probably will leak some -- but hopefully not enough to be exploited. Gagh!

At this point, just take a deep breath and say 'all horses are spherical' three times fast, cause that's the only way we're going to get through this.

Accentuating the positive

Having been through the negatives, we're almost ready to say nice things about TLS. Before we do, let's just take a second to catch our breath and restate some of our basic assumptions:
  1. We're not using TLS 1.0 because it's broken.
  2. We're not using compression because it's broken.
  3. Our TLS implementation is perfect -- i.e., doesn't leak any information about why a decryption failed. This is probably bogus, yet we've decided to look the other way.
  4. Oh yeah: we're using a secure block cipher and MAC (in the PRP and PRF sense respectively).**
And now we can say nice things. In fact, thanks to a recent paper by Kenny Paterson, Thomas Ristenpart and Thomas Shrimpton, we can say a few surprisingly positive things about TLS record encryption.

What Paterson/Ristenpart/Shrimpton show is that TLS record encryption satisfies a notion they call 'length-hiding authenticated encryption', or LHAE. This new (and admittedly made up) notion not only guarantees the confidentiality and authenticity of records, but ensures that the attacker can't tell how long they are. The last point seems a bit extraneous, but it's important in the case of certain TLS libraries like GnuTLS, which actually add random amounts of padding to messages in order to disguise their length.

There's one caveat to this proof: it only works in cases where the MAC has an output size that's greater or equal to the cipher's block size. This is, needless to say, a totally bizarre and fragile condition for the security of a major protocol to hang on. And while the condition does hold for all of the real TLS ciphersuites we use -- yay! -- this is more a happy accident than the result of careful design on anyone's part. It could easily have gone the other way.

So how does the proof work?

Good question. Obviously the best way to understand the proof is to read the paper itself. But I'd like to try to give an intuition.

First of all, we can save a lot of time by starting with the fact that CBC-mode encryption is already known to be IND-CPA secure if implemented with a secure block cipher (PRP). This result tells us only that CBC is secure against passive attackers who can request the encryption of chosen messages. (In fact, a properly-formed CBC mode ciphertext should be indistinguishable from a string of random bits.)

The problem with plain CBC-mode is that these security results don't hold in cases where the attacker can ask for the decryption of chosen ciphertexts.

This limitation is due to CBC's malleability -- specifically, the fact that an attacker can tamper with a ciphertext, then gain useful information by sending the result to be decrypted. To show that TLS record encryption is secure, what we really want to prove is that tampering gives no useful results. More concretely, we want to show that asking for the decryption of a tampered ciphertext will always produce an error.

We have a few things working in our favor. First, remember that the underlying TLS record has a MAC on it. If the MAC is (PRF) secure, then any ciphertext tampering that results in a change to this record data or its MAC will be immediately detected (and rejected) by the decryptor. This is good.

Unfortunately the TLS MAC doesn't cover the padding. To continue our argument, we need to show that no attacker can produce a legitimate ciphertext, and that includes tampering that messes with the padding section of the message. Here again things look intuitively good for TLS. During decryption, the decryptor checks the last byte of the padded message to see how much padding there is, then verifies that all padding bytes contain the same numeric value. Any tampering that affects this section of the plaintext should either:
  1. Produce inconsistencies in some padding bytes, resulting in a padding error, or
  2. Cause the wrong amount of padding to be stripped off, resulting in a MAC error.
Both of these error conditions will appear the same to the attacker, thanks to the requirement that TLS implementations hide the reason for a decryption failure. Once again, the attacker should learn nothing useful.

This all seems perfectly intuitive, and you can imagine the TLS developers making exactly this argument as they wrote up the spec. However there's one small exception to the rule above, which can turn TLS implementations that add an unnecessarily large amount of padding to the plaintext. (For example, GnuTLS.)

To give an example, let's say the unpadded record + MAC is 15 bytes. If we're using AES, then this plaintext can be padded with a single byte. Of course, if we're inclined to add extra padding, it could also be padded with seventeen bytes -- both are valid padding strings. The two possible paddings are presented below:

If the extra-long padding is used, the attacker could maul the longer ciphertext by truncating it -- throwing away the last 16-byte ciphertext block. Truncation is a viable way to maul CBC ciphertexts, since it has the same effect on the underlying plaintext. The CBC decryption of the truncated ciphertext would yield:


Which not very useful, since the invalid padding would lead to a decryption error. However, the attacker could fix this -- this time, using the fact that TLS can be mauled by flipping bits in the last byte of the Initialization Vector. Such an attack would allow the attacker to convert that trailing 0x10 into an 0x00. This result is now valid ciphertext that will not produce an error on decryption.


So what has the attacker learned by this attack? In practice, not very much. Mostly what they know is the length of the original ciphertext -- so much for GnuTLS's attempt to disguise the length. But more fundamentally: this attacker of 'mauling' the ciphertext totally screws up the nice idea we were going for in our proof.

So the question is: can this attack be used against real TLS? And this is where the funny restriction about MAC size comes into play.

You see, if TLS MACs are always bigger than a ciphertext block, then all messages will obey a strict rule: no padding will ever appear in the first block of the CBC ciphertext.

Since the padding is now guaranteed to start in the second (or later) block of the CBC ciphertext, the attacker cannot 'tweak' it by modifying the IV (this attack only works against the first block of the plaintext). Instead, they would have to tamper with a ciphertext block. And in CBC mode, tampering with ciphertext blocks has consequences! Such a tweak will allow the attacker to change padding bytes, but as a side effect it will cause one entire block of the record or MAC to be randomized when decrypted. And what Paterson/Ristenpart/Shrimpton prove is that this 'damage' will inevitably lead to a MAC error.

This 'lucky break' means that an attacker can't successfully tamper with a CBC-mode TLS ciphertext. And that allows us to push our way to a true proof of the CBC-mode TLS ciphersuites. By contrast, if the MAC was only 80 bits (as it is in some IPSEC configurations), the proof would not be possible. So it goes.

Now I realize this has all been pretty wonky, and that's kind of the point! The moral to the story is that we shouldn't need this proof in the first place! What it illustrates is how fragile and messy the TLS design really is, and how (once again) it achieves security by luck and the skin of its teeth, rather than secure design.

What about stream ciphers?

The good news -- to some extent -- is that none of the above problems apply to stream ciphers, which don't attempt to hide the record length, and don't use padding in the first place. So the security of these modes is much 'easier' to argue.

Of course, this is only 'good news' if you believe that the stream ciphers included with TLS are good in the first place. The problem, of course, is that the major supported stream cipher is RC4. I will leave it to the reader to decide if that's a worthwhile tradeoff.

In conclusion

There's probably a lot more that can be said about TLS record encryption, but really... I think this post is probably more than anyone (outside of the academic community and a few TLS obsessives) has ever wanted to read on the subject. 

In the next posts I'm going to come back to the much more exciting Diffie-Hellman handshake and then try to address the $1 million and $10 million questions respectively. First: does anyone really implement TLS securely? And second: when can we replace this thing?

Notes:

* One thing I don't mention in this post is the TLS 1.0 'empty fragment' defense, which actually works against BEAST and has been deployed in OpenSSL for several years. The basic idea is to encrypt an empty record of length 0 before each record goes over the wire. In practice, this results in a full record structure with a MAC, and prevents attackers from exploiting the residue bug. Although nobody I know of has ever proven it secure, the proof is relatively simple and can be arrived at using standard techniques.

** The typical security definition for a MACs is SUF-CMA (strongly unforgeable under chosen message attack). This result uses the stronger -- but also reasonable -- assumption that the MAC is actually a PRF.  

8 comments:

  1. Thank you for this TLS-series, it's really entertaining (and enlightening). I've also read the Paterson et al. paper, which is really nice, however, you write:

    "So how does the proof work?

    Good question. Obviously the best way to understand it is to read the paper itself."

    The problem is: the paper you linked to does not contain any proof! In particular, their main result is Theorem 2, for which the authors provide any proof, only a reference to it in the full paper. So where is this full paper? I've tried searching for it, but to no avail :( Do you know where I could find it? I've love to get it, since I'm a sucker for the gory details of these kinds of proofs :-D

    ReplyDelete
    Replies
    1. The paper has a critical portion of the proof, the part that says it's hard to find a 'collision' in the ciphertext -- but it's not complete. I haven't found a full version, and this is definitely a problem.

      Delete
  2. There is no such thing as SSLv1. You mean SSLv3?

    ReplyDelete
    Replies
    1. It was a proprietary protocol used only in Netscape products.

      Delete
  3. TLS/SSL seems quite messy and fragile, and gnutls & openssl most likely still contain some hidden bugs. Inventing your own cryptographic protocols is almost certain to go wrong also.

    Is there any "sure bet" if you want a "TLS done right" style of protocol?

    ReplyDelete
    Replies
    1. There are a few academically vetted key establishment protocols, but I'm not aware of a formally verified protocol that does all the things TLS does.

      Delete
  4. "the attacker can't tell how long they are. The last point seems a bit extraneous, but it's important in the case of certain TLS libraries like GnuTLS, which actually add random amounts of padding to messages in order to disguise their length."

    It is worth noting that transferring formal results to running implementations can be quite tricky. For example, the length-hiding result of Paterson/Ristenpart/Shrimpton length-hiding does *not* in fact apply to the GnuTLS API, even if GnuTLS was one of their motivations.

    Informally, if the same plaintext fragment is sent multiple times using GnuTLS, the random padding added to each fragment amounts to noise that can be effectively removed (see http://web.cecs.pdx.edu/~teshrim/tmAnotherLook.pdf). Just take the smallest fragment and you get a pretty good estimate of the plaintext length.

    More formally, the LHAE game of Paterson/Ristenpart/Shrimptononly guarantees length-indistinguishability for two plaintexts and for a given target ciphertext length, it says nothing about plaintexts with different (random) target ciphertext lengths, so the result does not really apply to GnuTLS (for details, see Section 5.2 of http://hal.inria.fr/hal-00732449).

    ReplyDelete
  5. excellent article. I waiting for another another one.
    Feel curisity to visit Business security systems


    ReplyDelete