Securing Wireless Channels in the Mobile Space

Securing Wireless Channels
(Or the Case for Certificate
and Public Key Pinning)
What is OWASP?
• The Open Web Application Security Project
– Not just web anymore
• Mission Driven
– World wide, nonprofit, unbiased organization
• Community Driven
– 30,000 Mail List Participants
– 200 Active Chapters in 70 countries
– 1600+ Members, 56 Corporate Supporters
– 69 Academic Supporters
Around the World
200 Chapters, ~1600 Members, 30000+ Builders, Breakers and Defenders
About Me
• Jeffrey Walton
–Roles include
• Mobile Security Architect
• Senior Consultant
• Security Engineer
–Secure Coding Evangelist
• Live and die by SDLCs
Agenda and Topics
• Background
– Architectures
– Expectations
• VPN/SSL/TLS Issues
– Past Problems
– Current Issues
• Shared Secret
– PSK
– SRP
• Pinning
– Certificate
– Public Key
• Futures
– Pinning (IETF)
– Sovereign Keys
– Convergence
• Wrap Up
– Questions
It’s All About the Data
• Data is the only thing that matters
– Who owns it
– Who controls it
– Who accesses it
• Share data with appropriate parties
– Must determine identity of parties
• Can’t determine identity?
– Don’t share data
Data Attributes
• Data Sensitivity
– Low
• Public Information
• Contact Information
– Medium
• Social Security Number
• Bank Account
• Single Sign On?
– High
• Pending Litigation, M&A
• FERPA, HIPAA, GLBA, etc.
• Data States
– Data at Rest
• Server/Desktop/Device
• Remote and Local
– Data on Display
• View/Read/Write/Edit
• Local
– Data in Transit
• Secure Channel
• Local ↔ Remote
Expectations
• User Expectations?
– End-to-end security
• Web Applications
– Padlocks tell me it's secure
– Green Bars tell me it's secure
– Marketing tells me it's secure
• How can {VPN|SSL|TLS} not be secure?
– When did that happen?
Training (Conditioning?)
• Padlock looks secure
• Green bar looks secure
• $1,500,000 is a lot of money
• It looks secure
• It must be secure
Two Architectures
• Two architectures in play
– Employee ↔ Organization
• VPN
– Individual ↔ Service Provider
• SSL/TLS
• Security Boundaries
– Sometimes Trust Zones
– How many are traversed?
Architecture (Enterprise, VPN)
Architecture (Mobile, SSL/TLS)
Comes down to…
• Infrastructure
– Domain Name System (DNS)
– Public Key Infrastructure (PKI{X})
– Certificate Authorities (CAs)
• Employee ↔ Organization
– Organization 
• Individual ↔ Service Provider
– Individual, Provider 
What’s Gone Wrong (1)?
• Governments Want/Require Interception
– Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL, cryptome.org/ssl-mitm.pdf
– http://www.dailymail.co.uk/indiahome/indianews/article-2126277/No-secretsBlackberry-Security-services-intercept-data-government-gets-way-messengerservice.html
• Governments Engage in Interception
– http://www.thetechherald.com/articles/Tunisian-government-harvesting-usernamesand-passwords/12429/
• Vendors Provide Interception Taps
– http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html
• Governments Use Interception Taps
– https://www.eff.org/nsa-spying
• Mobile Interception is Patented
– Lawful interception for targets in a proxy mobile internet protocol network, http://www.google.com/patents/EP2332309A1
What’s Gone Wrong (2)?
• Handset manufacturers add trusted roots
– http://gaurangkp.wordpress.com/tag/nokias-man-in-the-middle-attack/
• Carriers can add trusted roots
– No reference yet, but http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/
• CAs can become compromised
– http://isc.sans.edu/diary.html?storyid=11500
• Researchers can create Rogue CAs
– http://www.win.tue.nl/hashclash/rogue-ca/
• DNS can become compromised
– http://forums.theregister.co.uk/forum/2/2011/09/05/dns_hijack_service_updated/
• Physical plant can become compromised
– http://www.pcworld.com/article/119851/paris_hilton_victim_of_tmobiles_web_flaws.html
• It's easy to set up an AP or Base Station (Chris Paget's IMSI Catcher)
– http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/
What’s Gone Wrong (3)?
• Can't trust some CAs – they will sell you out and issue subordinate CAs for money
– http://www.net-security.org/secworld.php?id=12369
– http://www.zdnet.com/trustwave-sold-root-certificate-for-surveillance-3040095011/
• Can't trust some browsers – they will sell you out and elide their responsibility
– https://bugzilla.mozilla.org/show_bug.cgi?id=724929
• Can't trust some browsers – they include questionable certificates out of the box
– https://bugzilla.mozilla.org/show_bug.cgi?id=542689
• Can't override some browser's CA list
– http://my.opera.com/community/forums/topic.dml?id=1580452
• Can't override OS's CA list
– http://support.google.com/android/bin/answer.py?hl=en&answer=1649774
• CRL/OCSP does not work as expected/intended
– http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modernbrowsers.html
– https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-webbrowser-collusion
What’s Gone Wrong (4)?
• Users will break it too (not just bad guys)
– http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-apppurchases.html
– http://www.h-online.com/security/news/item/Apps-for-Windows-8-easily-hacked1767839.html
• Interception proxies add additional risk
– http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxiesfail.html
• HTTPS is broken
– http://www.thoughtcrime.org/software/sslstrip/
• PKI is broken
– www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
• The Internet is Broken :)
– http://blog.cryptographyengineering.com/2012/02/how-to-fix-internet.html
Decisions, Decisions…
Remediation
• Stop Conferring Trust!
• Cut out the middlemen
• Harden the Channel!
• Leverage the pre-existing relationship
• Verify the Host
• Password Authenticated Key Exchange
– Shared secret
• Public Key Cryptography
– Public/Private key pair
Secure Remote Password (SRP)
• Secure Remote Password (SRP)
– Thomas Wu, RFC 5054
• User knows the password
– Client hashes before use
• Server knows the verifier
– Similar to Unix passwd file
• Diffie-Hellman based
– Discrete logs (hard problem)
– g^(ab) → g^{(salt + password)|verifier} + nonces
Pre Shared Key (PSK)
• Pre Shared Key (PSK)
– RFC 4279
• Three Flavors
– PSK Key Exchange
• Secret used as Premaster Secret, use only symmetric key algorithms
– DHE_PSK Key Exchange
• PSK authenticates Diffie-Hellman exchange
– RSA_PSK Key Exchange
• Combines public-key-based server authentication with mutual authentication using a PSK
Public Key Cryptography
• All we need is a signing key for identity…
– RSA, DSA, ECDSA
• … and an ephemeral exchange
– DHE, ECDHE, MQV, HMQV, FHMQV, etc
• SSH got it right
– StrictHostKeyChecking option
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
General Idea
• Whitelist expected Certificates or Public keys
– There’s a pre-existing relationship
– Or, make a note during first connect
– Side step the “key distribution” problem
• Certificate or Public Key Pinning
– Libraries offer ‘OnConnect’ callback
– In the callback, inspect certificate or public key
Bad Cases
• Good case
– Server is identified by expected cert or key
• Bad case
– Adversary is using a different public key
• Not expected, so fail
– Adversary is advertising expected public key
• Can’t decrypt communications
• Really Bad Case
– Adversary is using expected public key
• Can decrypt communications – pwn’d
Certificate or Public Key?
• X509 Certificate
– Binds public key to entity
– Version 3 information
– Certificate may be rotated
• Public Key
– Must be static, cannot change
– May violate some key rotation policies
– Does not depend on certificate
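Added example (not from the original slides or the speaker's sample code): the check a connect callback would run, showing why a certificate pin breaks when the certificate is rotated while a public key pin survives. The toy certificates are constructed DER skeletons, and all function names are assumptions of this sketch.

```python
import hashlib
import hmac

def read_tlv(buf, off):
    """Parse one DER element at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_of(cert_der):
    """Return the SubjectPublicKeyInfo TLV bytes from an X.509 certificate."""
    _, start, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, off, _ = read_tlv(cert_der, start)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                          # optional [0] version
        off = end
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    tag, _, end = read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[off:end]

def pin(data):
    return hashlib.sha256(data).hexdigest()

def is_pinned(cert_der, pins, by_key=True):
    """Fail closed: a parse error or an unknown pin rejects the connection."""
    try:
        got = pin(spki_of(cert_der)) if by_key else pin(cert_der)
    except (ValueError, IndexError):
        return False
    return any(hmac.compare_digest(got, p) for p in pins)

# Constructed sample data: DER layout only, not real signed certificates.
def tlv(tag, body=b""):                      # minimal encoder, bodies < 128 bytes
    return bytes([tag, len(body)]) + body

def toy_cert(serial, spki):                  # sigAlg, issuer, validity, subject left empty
    tbs = tlv(0xA0, tlv(2, b"\x02")) + tlv(2, bytes([serial])) + tlv(0x30) * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(3, b"\x00"))

KEY_A, KEY_B = (tlv(0x30, tlv(0x30) + tlv(3, b"\x00" + k)) for k in (b"server-key", b"rogue-key"))
OLD, RENEWED, ROGUE = toy_cert(1, KEY_A), toy_cert(2, KEY_A), toy_cert(3, KEY_B)
```

In a real Python client the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the handshake, and the check would run before any application data is sent.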
Sample Code
• Sample Code
–Windows/.Net
–Android/Java
–iOS/Objective C
–OpenSSL/C
Futures
• Public Key Pinning Extension for HTTP
– draft-ietf-websec-key-pinning-04
– http://www.ietf.org/id/draft-ietf-websec-key-pinning04.txt
• Sovereign Keys Project
– http://www.eff.org/sovereign-keys
– DNSSEC to distribute certificates and keys
• Convergence
– http://convergence.io
– Redundant view of sites and certificates/keys
Does It Work?
Wrap Up
• Data is all that matters
– Identify parties, then share data
• PSK, SRP and Pinning
– Does not confer trust
– Don’t care about answers from DNS or CAs
– Leverages pre-existing relationship
• Sovereign Keys and Convergence
– Does confer trust
– Still getting answers from others
– Useful if no pre-existing relationship
Wrap Up
• Questions?
–Hopefully useful Answers
• Jeffrey Walton
–jeffrey.waltοn@softwareintegrity.cοm