IBM Research

Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices
Homin K. Lee, Tal Malkin, Erich Nahum
Columbia University and IBM Research
© 2007 IBM Corporation

Motivation

Many Web services (e.g. e-commerce, online banking) require secure servers
Web security is handled by the Secure Socket Layer (SSL) protocol
SSL relies on cryptographic algorithms
A Web service is only truly secure if it uses current best practices in cryptography
A weak SSL configuration may indicate a poorly maintained site
What crypto is actually used by SSL servers?

Talk Outline

Motivation
Brief review of SSL
Methodology
Results
Summary and Conclusions
Future Work

What is SSL/TLS?

SSL/TLS is a network protocol
  – SSL: Secure Socket Layer
  – TLS: Transport Layer Security
Provides end-to-end security:
  – Authentication of server & client
  – Encryption/integrity of data
History:
  – Netscape developed versions 1, 2
  – SSL v3 → TLS 1.0 (IETF RFC 2246)
  – TLS 1.1 RFC out; 1.2 in draft

[Figure: protocol stack: https, ssl/tls, tcp, ip, ethernet]

What Security Does SSL Provide?

Secrecy/Privacy/Confidentiality:
  – Only 2 relevant parties understand messages, prevent eavesdropping
  – Encrypt using symmetric key ciphers
  – E.g., RC2, RC4, DES, 3-DES, AES, NULL(!)
Integrity:
  – Message you get/send is the same one they/you sent, detect tampering
  – Use one-way hash functions: MD5, SHA-1
Authentication:
  – Person you’re speaking with is who they say they are, prevent masquerading
  – RSA, Digital Signature Standard (DSS)
Key Exchange:
  – Two parties who have never met mutually agree on a shared secret
  – RSA, Diffie-Hellman

SSL Option Negotiation

Key Part of the SSL/TLS Handshake
Client HELLO message:
  – Nonce (random + time)
  – Cipher suites
Server HELLO response:
  – Nonce
  – Chosen cipher suite
Server Certificate
Client verifies certificate

[Figure: client/server timeline. The client generates a nonce and its cipher list and sends TLS1-RSA-EDH-AES256-SHA1; TLS1-DSS-EDH-3DES-MD5; SSL3-RSA-RSA-RC4128-MD5; SSL2-RSA-RSA-DES56-MD5; etc. The server generates a nonce, chooses options and replies with TLS1-RSA-EDH-AES256-SHA1. The client verifies the certificate.]

How to Discover Support

For each cipher suite j
  – Make connection to server
  – Advertise only one cipher suite j
  – Log success of first part of handshake
  – Terminate connection

[Figure: client/server timeline. The client generates a nonce and advertises only SSL2-RSA-RSA-DES56-MD5. The server generates a nonce, chooses options and replies with SSL2-RSA-RSA-DES56-MD5. The client verifies the certificate.]

What is PSST?

PSST: The Probing SSL Scanning Tool
  – Leverages code from openssl & httperf
  – Modifications to use algorithm
Uses a list of over 19,000 SSL servers
  – Culled from TBIT site, Web100, NLANR, etc.
Run algorithm over each server
  – Takes roughly 3 days
  – Runs in 11/2006, 6/2006, 08/2005, 02/2005
Wait for angry phone calls/email
But none come!

Questions We’re Asking

What versions of SSL/TLS are out there?
What kinds of key exchange and site authentication?
How strong are the public keys?
What types of bulk transfer authentication?
What kinds of symmetric key encryption?
How strong are the symmetric keys?
Do sites choose the best crypto possible?
How has behavior changed over time?

SSL/TLS Protocol Version

SSL 2.0 has many flaws:
  – Vulnerable to man-in-the-middle attacks
  – Uses MD5 exclusively
  – Uses a weak MAC
  – Uses same key for authentication and encryption

| SSL Type | Number | Percent |
|----------|--------|---------|
| SSL 2.0  | 16,587 | 85.37 % |
| SSL 3.0  | 19,025 | 97.92 % |
| TLS1     | 19,111 | 98.36 % |

SSL/TLS Protocol Breakdown

| SSL 2.0 | SSL 3.0 | TLS | Number | Percent |
|---------|---------|-----|--------|---------|
| x       |         |     | 24     | 0.12 %  |
|         | x       |     | 146    | 0.75 %  |
| x       | x       |     | 148    | 0.76 %  |
|         |         | x   | 211    | 1.09 %  |
| x       |         | x   | 169    | 0.87 %  |
|         | x       | x   | 2,485  | 12.79 % |
| x       | x       | x   | 16,246 | 83.62 % |

Key Exchange & Authentication

| KeyEx + Auth | Number | Percentage |
|--------------|--------|------------|
| EDH + DSS    | 4      | 0.02 %     |
| EDH + RSA    | 11,185 | 57.57 %    |
| RSA + RSA    | 19,401 | 99.86 %    |

EDH, DSS, and RSA give comparable levels of security for equal key sizes.

Public Key Sizes

512 bits factored in 1999
NIST, RSA, NESSIE: Public key sizes should be at least 1024 bits for the recommended 80-bit level of security.

| Key Size | Number | Percent |
|----------|--------|---------|
| 512      | 765    | 3.94 %  |
| 768      | 275    | 1.42 %  |
| 1024     | 17,166 | 88.35 % |
| 1280     | 1      | 0.01 %  |
| 2048     | 1,192  | 6.14 %  |
| 4096     | 36     | 0.19 %  |

Old export laws used to forbid sizes greater than 512 bits.

Hash Functions

| MAC   | Number | Percentage |
|-------|--------|------------|
| MD5   | 19,201 | 98.83 %    |
| SHA-1 | 19,326 | 99.47 %    |

MD5 has a family of collisions
  – Only option for SSL 2.0, but 79 servers use SSL 3.0 or TLS and only support MD5
SHA-1 is also recently in trouble
SHA-256, SHA-512 are also available

Symmetric Key Encryption

| Cipher | Number | Percent |
|--------|--------|---------|
| AES    | 11,107 | 57.17 % |
| DES    | 19,168 | 98.66 % |
| RC2    | 17,931 | 92.29 % |
| RC4    | 19,241 | 99.03 % |

Nearly all servers support DES, RC2, and RC4
Over 50% of the servers support the new AES standard

DES

DES support

| Cipher | Number | Percent |
|--------|--------|---------|
| DES-40 | 12,930 | 66.55 % |
| DES-56 | 12,102 | 62.29 % |
| DES-64 | 18,162 | 93.48 % |
| 3-DES  | 18,943 | 97.50 % |

Maximum DES strength

| Cipher | Number | Percent |
|--------|--------|---------|
| DES-40 | 25     | 0.13 %  |
| DES-56 | 35     | 0.18 %  |
| DES-64 | 165    | 0.85 %  |
| 3-DES  | 18,943 | 97.50 % |

RC2

RC2 Support

| Cipher  | Number | Percent |
|---------|--------|---------|
| RC2-40  | 17,546 | 90.31 % |
| RC2-56  | 7,360  | 37.88 % |
| RC2-128 | 16,278 | 83.78 % |

Maximum RC2 Strength

| Cipher  | Number | Percent |
|---------|--------|---------|
| RC2-40  | 790    | 4.07 %  |
| RC2-56  | 863    | 4.44 %  |
| RC2-128 | 16,278 | 83.78 % |

RC4

RC4 Support

| Cipher  | Number | Percent |
|---------|--------|---------|
| RC4-40  | 17,827 | 91.75 % |
| RC4-56  | 12,173 | 62.65 % |
| RC4-64  | 11,030 | 56.77 % |
| RC4-128 | 19,154 | 98.58 % |

Maximum RC4 strength

| Cipher  | Number | Percent |
|---------|--------|---------|
| RC4-40  | 48     | 0.25 %  |
| RC4-56  | 38     | 0.20 %  |
| RC4-64  | 1      | 0.01 %  |
| RC4-128 | 19,154 | 98.58 % |

AES

AES support

| AES-128 | AES-256 | Number | Percentage |
|---------|---------|--------|------------|
|         |         | 154    | 0.79 %     |
|         |         | 10,709 | 55.12 %    |
|         |         | 244    | 1.26 %     |

Default Choice of Full Cipher Suite

| Cipher Suite  | Number | Percent |
|---------------|--------|---------|
| AES-256 SHA-1 | 10,135 | 53.69 % |
| RC4-128 MD5   | 5,611  | 29.72 % |
| 3-DES SHA-1   | 2,837  | 15.02 % |
| RC4-128 SHA-1 | 259    | 1.37 %  |
| 3-DES MD5     | 12     | 0.06 %  |
| RC4-40 MD5    | 9      | 0.05 %  |
| AES-128 SHA-1 | 6      | 0.03 %  |
| RC4-56 MD5    | 3      | 0.02 %  |
| DES-64 SHA-1  | 3      | 0.02 %  |
| DES-56 SHA-1  | 2      | 0.01 %  |

Really Bad Choices

| Bad Decision                            | Num | Percent |
|-----------------------------------------|-----|---------|
| Support AES, choose something weaker    | 657 | 6.00 %  |
| Support SSL3, choose SSL2               | 3   | 0.01 %  |
| Choose weaker public key than available | 4   | 0.01 %  |

Changes in SSL Version Support over Time

SSL Version Support (Percentage)

| SSL Type | 02/2005 | 08/2005 | 06/2006 | 11/2006 |
|----------|---------|---------|---------|---------|
| SSL 2.0  | 94.49   | 93.23   | 87.95   | 85.37   |
| SSL 3.0  | 97.96   | 98.30   | 98.16   | 97.92   |
| TLS 1.0  | 97.51   | 98.32   | 98.28   | 98.36   |

Situation is improving, but not quickly enough

Changes in Cipher Support over Time

Cipher Support (Percentage)

| Cipher   | 02/2005 | 08/2005 | 06/2006 | 11/2006 |
|----------|---------|---------|---------|---------|
| AES      | 41.26   | 48.29   | 55.18   | 57.17   |
| DES      | 99.13   | 99.28   | 98.81   | 98.66   |
| Weak DES | 97.32   | 97.00   | 94.63   | 93.48   |
| RC2      | 96.52   | 96.20   | 93.63   | 92.29   |
| RC4      | 99.50   | 99.57   | 99.18   | 99.03   |

Changes in Public Key Size over Time

Key Size Support (Percentage)

| Key Size | 02/2005 | 08/2005 | 06/2006 | 11/2006 |
|----------|---------|---------|---------|---------|
| 512      | 5.01    | 5.32    | 4.17    | 3.94    |
| 768      | 1.93    | 1.84    | 1.54    | 1.42    |
| 1024     | 88.46   | 87.80   | 88.33   | 88.35   |
| 1048     | 0.01    | 0.01    | 0.00    | 0.00    |
| 1280     | 0.00    | 0.00    | 0.01    | 0.01    |
| 1536     | 0.01    | 0.00    | 0.00    | 0.00    |
| 1568     | 0.01    | 0.01    | 0.01    | 0.00    |
| 2048     | 4.51    | 4.96    | 5.91    | 6.14    |
| 4096     | 0.12    | 0.15    | 0.17    | 0.19    |

Summary and Conclusions

Most servers support reasonable cryptography
  – 57% support the new AES standard
  – 95% have strong public keys
Most servers also support weak cryptography
  – E.g., SSL2, 40-bit & 64 bit RC2/RC4/DES
  – Clients should not be allowed to use them
      • e.g., Firefox changing to disable SSL2
Some servers have serious weaknesses
  – 5% of servers support breakable public keys
  – 24 servers only support SSL2
  – 8% support only weak RC2
  – 87 support only weak RC4
  – 225 support only weak DES

Summary and Conclusions (cont)

We see some sites that make bad choices
  – Choose RC4 or DES over AES
  – Choose weaker symmetric keys than are supported
  – Choose SSL2 over SSL3
We also see some strange birds
  – A few that do not support RSA
  – Some bizarre public key sizes (1048, 1568, 2560)
  – A few sites that support AES-128 or 256 but not both
  – Sites with inconsistent choices (behind a L4/L7 switch)

Future Work

Shorter term:
  – Categorize servers by industry
  – Categorize server strengths
  – Check certificates (expired, self-signed, revoked)
Longer Term:
  – Scan random (or routable) IPs rather than list
  – Measure SSH server crypto strength
  – Measure crypto used by clients

Security Is Limited By The Weakest Link

Q&A

Thank you!

Backup

Related Work

Murray 2001 Study (USENIX Security 2001)
  – Tested 8081 servers
  – Found many more weak SSL sites (using 2001 defs)
  – Didn’t study choice of cipher, AES, etc.
NetCraft, SecuritySpace
  – Both sell subscription service testing SSL sites
  – Look at coarser-grain information (“strong”, “weak”)
  – SecuritySpace checks self-signed certificates (~9%)
Other Scanning Tools
  – E.g., IBM’s NSA, NMAP, ssh-scan (Michigan)
  – Look at different class of vulnerabilities (open ports, SSH version, etc.)

Default Choice of Symmetric Encryption

| Cipher | Number | Percent |
|--------|--------|---------|
| AES    | 10,141 | 53.72 % |
| DES    | 2,845  | 15.12 % |
| RC2    | 0      | 0.00 %  |
| RC4    | 5,882  | 31.16 % |

Most sites choose wisely

Key Strengths

| Bits of security | Private Key   | Public Key Length (bits) |
|------------------|---------------|--------------------------|
| 40               | RC2, RC4, DES |                          |
| 56               | RC2, RC4, DES |                          |
| 64               | RC4, DES      |                          |
| 80               |               | 1024                     |
| 112              | 3DES          | 2048                     |
| 128              | RC2, RC4, AES | 3072                     |
| 256              | AES           | 15360                    |

NIST suggests that the 80-bit level will be appropriate until 2015, and the 112-bit level until 2035.
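
The per-suite probing in "How to Discover Support" yields, for each server, a list of suites that handshake successfully plus the suite the server picks by default; the sketch below is an added example (not PSST code and not from the slides) that turns one such result into the findings tallied under "Really Bad Choices" and the summary slides. The function names are hypothetical, the label layout is assumed to follow the slides' `VERSION-AUTH-KEYEX-CIPHER-MAC` examples, and the sample input is constructed.

```python
import re

WEAK_MAX_BITS = 64  # the deck counts 40-, 56- and 64-bit symmetric keys as weak
CIPHER_RE = re.compile(r"^(AES|DES|RC2|RC4)(\d+)$")

def parse_suite(label):
    """Split a deck-style label such as 'SSL3-RSA-RSA-RC4128-MD5'."""
    version, auth, keyex, cipher, mac = label.split("-")
    if cipher == "3DES":
        family, bits = "DES", 112  # 3DES sits at the 112-bit level (Key Strengths slide)
    else:
        family, bits = CIPHER_RE.match(cipher).groups()
    return {"version": version, "auth": auth, "keyex": keyex,
            "family": family, "bits": int(bits), "mac": mac}

def audit(supported, chosen):
    """supported: suites whose single-suite probe succeeded.
    chosen: suite the server picked when offered the full list."""
    suites = [parse_suite(s) for s in supported]
    pick = parse_suite(chosen)
    versions = {s["version"] for s in suites}
    findings = []
    if versions == {"SSL2"}:
        findings.append("only supports SSL2")
    elif "SSL2" in versions:
        findings.append("supports SSL2")
        if pick["version"] == "SSL2":
            findings.append("supports SSL3/TLS, chooses SSL2")
    # Strongest key per cipher family, as in the deck's "maximum strength" tables.
    max_bits = {}
    for s in suites:
        max_bits[s["family"]] = max(max_bits.get(s["family"], 0), s["bits"])
    for family, bits in sorted(max_bits.items()):
        if bits <= WEAK_MAX_BITS:
            findings.append(f"only weak {family} ({bits}-bit max)")
    if "AES" in max_bits and pick["family"] != "AES":
        findings.append("supports AES, chooses something weaker")
    if pick["bits"] < max(max_bits.values()):
        findings.append("chooses weaker symmetric key than supported")
    if versions != {"SSL2"} and all(s["mac"] == "MD5" for s in suites):
        findings.append("supports SSL3/TLS but only MD5")
    return findings

# Constructed sample: not measurements from the talk.
SAMPLE_SUPPORTED = ["TLS1-RSA-EDH-AES256-SHA1", "SSL3-RSA-RSA-RC4128-MD5",
                    "SSL2-RSA-RSA-DES56-MD5"]
SAMPLE_CHOSEN = "SSL3-RSA-RSA-RC4128-MD5"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUPPORTED, SAMPLE_CHOSEN):
        print(finding)
```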