Extended Subset

Caught the last few minutes of this talk at Black Hat DC yesterday.

Computerworld has a nice summary article with some quotes and an explanation of the scope of the break.

But really, this once sentence captures it:

“Tarnovsky’s examination process involved subtle use of hardware-based liquid chemical and gas technologies in a lab setting to probe with specialized needles to build tungsten bridges.”

The reverse engineer always wins.

I also spoke with someone who knows about the technology in the new DVDs. It seems the rippers usually crack the decryption within a few weeks of each major release. At best, the encryption buys some time for disc sales to make their initial profit. This industry has learned by now not to attempt the impossible (selling millions of discs of data for special-purpose computers without it also ending up on general-purpose computers). Instead, their strategy seems to be to structure the pace of their defeat well enough for it to be economically discounted. I think this is very wise.

Consider this the next time someone proposes a DRM solution to restore the economics of scarcity to a blob of computer data!

Impervia has released an interesting study of 32M user passwords obtained incidental to a data breach. We’re used to this kind of thing by now, I suppose. But in any case it appears that only 0.2% of user accounts had passwords meeting their minimum criteria for a “strong” password:

• Eight or more characters
• Some mixture of the basic character classes: upper- and lower-case, digits, and symbols.

We’ve been hearing this advice for years. In fact, it’s now recommended practice for new password entry text fields to enforce some minimal complexity requirements. Looking at the “top 20″ list of common passwords, anything would be an improvement.

But are mechanical complexity requirements always enhance security? More importantly, is it possible that they could actually decrease security for careful and conscientious users who choose reasonable passwords in the first place?

Consider Schneier’s example password from the report. Distilled from a pass phrase, it comes out as “tlpWENT2m”. For most systems, I like to use the pwgen utility to generate reasonably good passwords. For example, it just suggested the password “Aisah4ahw7″ (I agree they should be written down and managed with careful physical security).

These example passwords have 9 or 10 characters with apparently good probabilities of encountering capital letters and digits. The upper- and lower-case letters and digits amount to 62 possibilities for each character, putting a hard upper limit on the entropy of about 6 bits per character. At 10 characters in length, we could theoretically approach 60 bits of total entropy in our password! “Good enough for government work” as they say. Or at least it used to be.

So what happens when a well-intentioned user interface rejects our thoughtfully-chosen password on the basis that “it must contain a symbol”? Assume that the user has already chosen the password they want to use and has written it down, and it’s otherwise a good one. Perhaps also the UI enforces the recommendation (the report attributes this to NASA) that “if there is only one letter or special character, it should not be either the first or last character in the password.” My guess is that most users at this point get out the eraser and replace one of the characters with a symbol in order to satisfy the rule.

But herein lies a problem: On my (typical US) keyboard there are only 32 choices for symbol characters. In addition, UI text fields have a reputation for rejecting (or silently munging) quote-like or escape-like characters which probably rules out some of the more interesting choices. We have just reduced the maximum entropy contributed by that character from 6 to 5 bits!

But you forgot to consider … Yes, there are a number of holes with this theory.  Lacking any more interesting rhetorical device at the moment, I’ll pretend to discuss them with myself. Here are a few I can think of:

• Those example passwords were derived from rules for English text in one way or another. They won’t be anywhere close to theoretical maximum entropy. - True, but neither will the replacement symbol. More than likely the user will simply replace an ‘a’ with an ‘@’ or some such change. Note the sample characters in the recommendation: !@#$%^&*,;” Even those authors seem to like to type “123456″!
• The user has some freedom to choose which of the characters he will replace with the symbol. - Applying all the “best practices” to the ten character password leaves eight options. Potentially, this could represent three bits of added entropy and in fact push the symbol requirement into a net gain.
• The user could add or change more than one symbol. - Sure, the user has just been required to type one digit, one uppercase letter, one lowercase letter, and five other chars. How much more tricky typing are they likely to be in the mood to add? Oh, and they have to type it perfectly twice in a row right now, and an indefinite number of times in the future.

So this analysis is largely inconclusive. Adding a new password complexity requirement may increase the effective entropy somewhat, but there may even be cases where it decreases it. What is clear though is that there is no set of practical, enforceable requirements that can magically take the users from dictionary words to that perfect, even distribution over the 94^10 = 5e19 possible passwords.

But above all, look out for the law of unintended consequences. Especially when feeling the urge to subject us humans to new sets of rigid mechanical rules, however great they might seem on paper.

DReaM-Cache: Distributed Real-Time Transaction Memory Cache to Support Two-Factor Authentication Services and its Reliability

Here’s a paper we (PhoneFactor and UMKC) will be presenting at IEEE NOMS 2010 in April.

It gives an overview and an in-depth reliability analysis of a distributed real-time transactional data store we developed in support of the PhoneFactor back-end systems. It’s superficially similar to memcached, except that it’s highly available rather than scalable.

We originally called the system “cloud” internally, and still do. Unfortunately though that term has been so hyped-up in the last few years (for something else entirely) that we had to come up with another name for the paper.

• SteveD has posted an experimental patch for GNUTLS
• Unfortunately, it appears that D-Link routers implement a protocol which allows router reconfiguration via SOAP and don’t authenticate it properly. Mix in a little DNS rebinding and this likely results in a remote-MitM vulnerability.

The IESG has approved a fix for TLS! The accepted proposal is substantially the same as that proposed by the Sept. 29 meeting of the Project Mogul activity.

Over the coming weeks, the document itself navigates the RFC Editor publication process picking up an RFC number, normative references, and review along the way. But no further technical changes are expected at this point.

Vendors may now deliver to their customers patches which implement the fix blessed by the IETF.

Most vendors have had the details of the fix (with only minor differences) for over three months now. Some are known to have working (and interoperable) implementations internally, so I expect we will see some patches shipping shortly. Since vendors are no longer “blocking on the IETF”, now is when we get to find out which of them are the most responsive when it comes to keeping their customers secure. In all fairness, this has been a rather difficult security problem to address and larger vendors with many products to support have disproportionately more work to do, particularly in the testing process.

One aspect of this fix is that both the client and the server must be patched in order to restore the full security guarantees advertised by TLS. This obviously will not happen tomorrow, but eventually clients and servers will have to start refusing connections with unpatched endpoints (just like they do with ancient versions of SSL today). I.e., their configuration needs to go from “insecure/compatible mode” to “secure/strict mode”. Unfortunately, as long as there is a single unpatched client and a single compatible-mode server in the world (or a compatible-mode client and an unpatched server) there exists a potential vulnerability. Note that some attacks do not require the victim client and server to be expecting to talk the same protocol on the same port!

To this end, in the coming months we will need client applications to begin warning users if they are connecting to an unpatched server. After all, wouldn’t you expect your browser to warn you if your connection could be hijacked because the (supposedly) secure site to which you were connecting was not maintained well enough to apply critical security patches on a regular basis?

In related news:

• IEEE Internet Computing has a nice article on the bug.
• Steve and I will be speaking at Shmoocon 2010 and TROOPERS10 about both the technical aspects of the bug and the some of the meta-disclosure issues we’ve encountered along the way.

Ben Laurie enlightens us about the nature of Extended Subsets.
Turns out my blog’s name is…well, read the paper.

• Alun Jones has some nice posts on the SSL/TLS issue in general and how it relates to FTPS in particular.
• Would you rather your country fare poorly in a “cyber war“, or a conventional one?
• One of my favorite descriptions of C++ language elements is Scott McPeak’s C++ Entities and Relationships. Those two diagrams are some of my favorite technical diagrams, at least in part because they provide a view into the language that I have not seen anywhere else. I made an implementation of most of that model in Ruby, not for parsing C++, but for generating it. Had I to do it over, I would do it in a language that fully supports multiple inheritance.
• Those who do not understand C++ runtime exceptions are doomed to unhandle them.
• Schneier has written about the SSL/TLS bug, or at least the meta-issues it raises. While uncovering the bug, I found Wagner’s and Schneier’s analysis of SSL very informative. I’m not so sure about his recommendations though, his number one being “Install an antivirus program”. That won’t help you at all with this one. A far more useful recommendation is “don’t access anything important (e.g. online banking) over free wifi”.

November turned out to be quite a month! A few updates to catch us up:

• Several people have done good write-ups on the SSL/TLS bug.
  • Eric Rescorla
  • Thierry Zoller
  • Frank Breedijk
  • Anil Kurmus
• I’ve started with Twitter. https://twitter.com/marshray
• Nasko has set up a nice test for client-initiated renegotiation on his blog. This is probably the most pervasive, and simplest to exploit, form of the SSL/TLS vulnerability for web sites. Two teeny tiny little limitations with it:
  • When it can’t connect to the site it says “Failed to connect/renegotiate, site doesn’t seem vulnerable.” Seems to me like these two conditions are important to distinguish
  • When it correctly determines that the site does not support client-initiated renegotiation it also says “site doesn’t seem vulnerable”. This is a pretty common oversimplification, the site can still be vulnerable to server-initiated renegotiation. Proving that negative (the server will never request renegotiation) can be quite difficult and often requires inspection of the actual server code and/or detailed configuration.
• The SSL/TLS attack has nothing to do with EV “Extended Validation” certificates. Lack of EV is not the cause of this problem, nor does EV offer any solution to it. In my opinion, some articles in the supposedly “mainstream” industry press read as if someone’s getting paid to promote EV as the solution to everything.
• The IETF has put the proposed TLS protocol fix to “In Last Call” state. My understanding is that this will allow the IANA to set aside the numbers for the two protocol elements needed for the proposal. However, the true picture may be significantly more complicated.
• Leviathan Security came up with a way to use an HTTP redirect to turn the limited plaintext injection capability into an sslstrip scenario (or to drive the user to a phishing site with a valid cert).
• At PhoneFactor we’re trying to keep the Status of Patches page up-to-date. Drop me an email if you have any info to add, it can be as general as “we’re working on some code”.
• I really hope the fix for renegotiation is available soon enough that people don’t end up patching everything to disable it (and inspecting firewalls to shoot it down on sight). It is extremely useful for HTTPS client certificates, it would be a shame if it ended up on the Island of Lost Toys along with IP source routing and half of ICMP.
• My prediction is that the HTTP TRACE verb can be used to take the limited blind plaintext prefix injection of the SSL/TLS attack and leverage it to full arbitrary script execution with the origin of the secure site. If so, it’s game over for that user. The good news is that IIS disables TRACE by default. The bad news is that Apache enables it by default (apparently they like it that way). Stay tuned, probably more will be written about this.

More to come as I get a chance.

OK, so the blog is back. Just for reference, here’s the content from the temporary static page:

Renegotiating TLS

Marsh Ray

Steve Dispensa

PhoneFactor, Inc.

v1.1 November 4, 2009

Summary

Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.

There are three general attacks against HTTPS discussed here, each with slightly different characteristics, all of which yield the same result: the attacker is able to execute an HTTP transaction of his choice, authenticated by a legitimate user (the victim of the MITM attack). Some attacks result in the attacker-supplied request generating a response document which is then presented to the client without any certificate warning or other indication to the user. Other techniques allow the attacker to forward or re-purpose client certificate authentication credentials.

Notes

2009-11-06 15:25 -600 Michael D’Errico has an implementation of draft-rescorla-tls-renegotiate at https://www.mikestoolbox.net . Interop test!

2009-11-06 12:08 -600 I’ve finally gotten around to registering on Twitter. Status updates are happening faster, will be putting them there (and possibly here, too).

2009-11-05 18:24 -600 Eric Rescorla has posted the text for an Internet Draft that we are proposing as a fix: msg03963.html

2009-11-05 17:56 -600 Client certificate authentication is not required for vulnerabilities to be present.

The full document in pdf format: Renegotiating_TLS.pdf

Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf

Packet captures: renegotiating_tls_20091104_pub.zip

The SSL 3.0+ and TLS 1.0+ protocols are vulnerable to a set of related attacks which allow a man-in-the-middle (MITM) operating at or below the TCP layer to inject a chosen plaintext prefix into the encrypted data stream, often without detection by either end of the connection. This is possible because an “authentication gap” exists during the renegotiation process at which the MitM may splice together disparate TLS connections in a completely standards-compliant way. This represents a serious security defect for many or all protocols which run on top of TLS, including HTTPS.

I first began to suspect the existence of this category of bug in related software while doing code review on some third-party software in support of the solution we provide at my work, PhoneFactor. That was early August. Many late nights and weekends later, I had enough evidence to talk about, and at the beginning of September, I had a working exploit and demoed it to Steve Dispensa (PhoneFactor CTO).

We realized this situation needed to be handled with a good measure of care. Over the first part of September, 2009, we began disclosing the initial group of independent security consultants for independent verification and advice on how to proceed. An initial group of vendors, which included members of ICASI, the IETF, and multiple open-source SSL implementations were disclosed with technical details over the week of September 21 - 25. A meeting was held at a helpful company’s headquarters in Mountain View, CA on September 29, where tentative agreement was reached on a preliminary solution in the form of a protocol extension. The remediation efforts for this bug have been conducted under the code name “Project Mogul”.

At that meeting, it was pointed out that the proposed solution had many similarities with work being done in the IETF TLS Channel Bindings working group. Indeed, over the coming weeks while vendors made their preparations, we followed the discussions on the IETF mailing list to see how close they might come to uncovering the problem there.

Today, an MitM attack on TLS was proposed by Martin Rex in the public forum. Martin’s early proposal may differ in a few details and lack the research time and working exploit that Steve and I had developed, but it clearly identifies the core problem and effectively represents public knowledge of the bug.  Noted security researcher HD Moore tweeted about the possible attack, and it was quickly re-tweeted by 10 others. Vendors (e.g. PhoneFactor) and security researchers began to get independent requests for more information.

For these reasons, Steve and I feel that public disclosure has now occurred, and the results of our research should be available to all interested parties. I expect some other announcements shortly, including an Internet Draft proposal for the fix.

Technical details are in the attached .zip archive.

renegotiating_tls_20091104_pub.zip

More posts to come on this topic, and I’ll try to be available for whatever questions arise.

I’ll be posting contact info for the multi-vendor coordination efforts as well.