[es] - Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

bachi
Vladimir Vučićević
System administrator
Beograd, Srbija

Član broj: 17912
Poruke: 5360

Sajt: www.bachi.in.rs

+2836 Profil

Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

^{03.09.2016. u 10:48 - pre 105 meseci}

EliteSecurity forum, a od ove vesti ni traga ni glasa.

Citat:

Cryptographic protocols like TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES, and Blowfish, to encrypt data between clients and servers. To use such algorithms, the data is broken into fixed-length chunks, called blocks, and each block is encrypted separately according to a mode of operation. Older block ciphers, such as Triple-DES and Blowfish use a block size of 64 bits, whereas AES uses a block size of 128 bits.

It is well-known in the cryptographic community that a short block size makes a block cipher vulnerable to birthday attacks, even if there are no cryptographic attacks against the block cipher itself. We observe that such attacks have now become practical for the common usage of 64-bit block ciphers in popular protocols like TLS and OpenVPN. Still, such ciphers are widely enabled on the Internet. Blowfish is currently the default cipher in OpenVPN, and Triple-DES is supported by nearly all HTTPS web servers, and currently used for roughly 1-2% of HTTPS connections between mainstream browsers and web servers.

We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic. In our proof-of-concept demo, this attack currently takes less than two days, using malicious Javascript to generate traffic. Keeping a web connection alive for two days may not seem very practical, but it worked easily in the lab. In terms of computational complexity, this attack is comparable to the recent attacks on RC4. We also demonstrate a similar attack on VPNs that use 64-bit ciphers, such as OpenVPN, where long-lived Blowfish connections are the norm.

Countermeasures are currently being implemented by browser vendors, OpenSSL, and the OpenVPN team, and we advise users to update to the latest available versions.

Our results will appear in the following technical paper at ACM CCS 2016:

https://sweet32.info/

E sad konkretno pitanje u vezi VPNa... Na par lokacija koristim Blowfish-CBC i ako sam dobro razumeo, a nadam se da jesam, " In our demo, it took 18.6 hours and 705 GB, and we successfully recovered the 16-byte authentication token".

Ovo znači da je potrebno oko 705GB podataka da bi se provalio OpenVPN tunel? Kako je upload 6 - 10Mb u sekundi na pojedinim lokacijama i sa tim se može ostvariti 2 - 4GB protoka tokom sat vremena, a kako se u OpenVPNu novi ključ menja po defaultu na svakih sat vremena, samim tim bi trebalo za sada da takve tunele čini imunim na ovaj napad?

... Vladimir Vučićević aka. Bachi
~~~ www.bachi.in.rs <<<<>>>> vladimir@vucicevic.in.rs
>>> It's nice to be important, but it's more important to be nice...

Odgovor na temu

mmix
Miljan Mitrović
Chief Software Architect
Financial Intelligence Software Ltd.
Passau, Deutschland

SuperModerator
Član broj: 17944
Poruke: 6050

+4631 Profil

Re: Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

^{03.09.2016. u 12:32 - pre 105 meseci}

Ovaj napad je i dalje u domenu matematike, u zivotu nije jos uvek primenljiv.

Sta vise, bar po onome koliko ja razumem pricu, ovaj "napad" nije ni primenljiv osim ako ne koristis ECB. CBC propagira ciphertext kao deo kljuca za sledecu iteraciju tako da ne vidim kako bi Birthday attack bio primenljiv ako nemas pristup plaintextu

Sloba je za 12 godina promenio antropološki kod srpskog naroda. On je od jednog
naroda koji je bio veseo, pomalo površan, od jednog naroda koji je bio znatiželjan, koji
je voleo da vidi, da putuje, da upozna,
od naroda koji je bio kosmopolitski napravio narod koji je namršten, mrzovoljan,
sumnjicav, zaplašen, narod koji se stalno nešto žali, kome je stalno neko kriv - Z.Đinđić

Odgovor na temu

bachi
Vladimir Vučićević
System administrator
Beograd, Srbija

Član broj: 17912
Poruke: 5360

Sajt: www.bachi.in.rs

+2836 Profil

Re: Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

^{03.09.2016. u 12:37 - pre 105 meseci}

Buni me što sam OpenVPN preporučuje sledeće stvari:

https://community.openvpn.net/openvpn/wiki/SWEET32

Citat:

1. Change to a larger block cipher

The best mitigation is to transition away from small-block ciphers. This requires editting the cipher setting in all server and client configs (or upgrading to our experimental branch, see below).

Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.

2. Renegotiate more often

If changing the cipher is not possible, for example because you don't control the server, or can not update all client configs on a short notice, you can renegotiate new keys more often. For example, add --reneg-bytes 64000 to your config to renegatiate after every 64 megabytes.

Note that if you're using two-factor authentication, or username-password authentication, this might require users to re-enter their 2FA token or usernamne and password. To avoid this, do not use --auth-nocache, and use the auth-token option (see below) in the client-connect and auth-user-pass-verify scripts on the server side to ask for 2FA once per session only.

The (undocumented) auth-token option can be pushed by a client-connect script (running on the server) to instruct the connecting client to return this token as the password during the next authentication. The auth-user-pass-verify script (running on the server) should accept this token during the next authentication sessions, until the token expires.

The following client-connect and auth-user-pass-verify scripts illustrate how these options can be used. Note that these scripts are examples for auth-token usage only, and should be adapted to your own needs before using them. These scripts should not be used as-is'''

3. Enable cipher negotiation (experimental!)

OpenVPN 2.4 and newer will support cipher negotiation. If both peers (client and server) support cipher negotiation, OpenVPN will default to using AES-GCM. The bad news is that OpenVPN 2.4 is not available yet, we're still fixing bugs and working our way to the first alpha release. Nevertheless, the code is pretty stable. Most bugs are hiding in seldomly-used corner cases. If you're brave enough, check out the master branch of our git repo [2], and build your own OpenVPN-with-cipher-negotiation support.

E stavka 2 je ono što me buni. Dakle, sada se promena ključa vrši na svakih sat vremena (to je podrazumevana opcija), a oni preporučuju da ako se zadržava Blowfish, da se promena ključa menja posle svaka 64MB protoka u tunelu.

Mislim, zašto tako mala vrednost, ako je potrebno 705GB podataka bez promene ključa?

Ok, AES je lepa stvar, super ovo ono, ali je dosta sporiji i više opterećuje mašine (koje nemaju AES-NI instrukcije) od Blowfisha, a kako tamo gde radi postoje i računari od 600MHz na kojima je pfsense i VPN su ruteri, hteo bih da izbegnem promenu na AES u nekom narednom periodu. Takođe, Asus je izbacio fenomenalnu seriju home/soho rutera koji podržavaju OpenVPN, a tu su naravno i *wrt custom ruteri.

Dakle, moj zaključak je ispravan, da za sad ovaj napad na OpenVPN nije izvodljiv u praksi.

_{[Ovu poruku je menjao bachi dana 03.09.2016. u 13:52 GMT+1]}

... Vladimir Vučićević aka. Bachi
~~~ www.bachi.in.rs <<<<>>>> vladimir@vucicevic.in.rs
>>> It's nice to be important, but it's more important to be nice...

Odgovor na temu

mmix
Miljan Mitrović
Chief Software Architect
Financial Intelligence Software Ltd.
Passau, Deutschland

SuperModerator
Član broj: 17944
Poruke: 6050

+4631 Profil

Re: Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

^{03.09.2016. u 14:00 - pre 105 meseci}

Moras da razumes da je sve to pranje ruku

Oni su naboli posle 705Gb, jer je tada verovatnoca pronalazenja dosla u domen realnog. Sa astronomski malom verovatnocom ti mzoes da nabodes i u dva uzastopna paketa. Cela igra oko kriptografije se vrti oko guranja verovatnoca u domen astronomski mallih velicina.

Za sat vremena ti preko 2Gbps linka preteras 900Gb, dakle u riziku si, zato preporucuju da prebacis sa time-based na quantity-based. I to je to. Ako ti imas spor link koji za cuku ne prebaci ni Gb, ovo te se ne dotice mnogo.

Odgovor na temu