Crypto-researchers have reported bad smells from TLS, the protocol used to provided encrypted HTTPS connections and such like. In particular, there's a strong pong coming from older cipher suites that put netizens at risk of full-blown interception.
Researchers Clemens Hlauschek, Markus Gruber, Florian Fankhauser, and Christian Schanes of Austria's Research Industrial Systems Engineering, say the aging suites have little reason for existing, and are vulnerable to attack through Key Compromise Impersonation (KCI).
"Parts of TLS are so old that their foul smell of rot cannot be easily distinguished from the flowery smell of ‘strong’ cryptography and water-tight security mechanisms," the team noted in their paper Prying open Pandora’s box: KCI attacks against TLS [PDF].
"With an arcane tool (KCI), we put new cracks into Pandora’s box, achieving a full break of TLS security."
The TLS protocol includes a class of key agreement and authentication methods that are vulnerable to KCI attacks: non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication, both on elliptic curve groups, as well as on classical integer groups modulo a prime.
The team will demonstrate to a USENIX conference in Washington DC this week how TLS clients that support those weak handshakes open "supposedly secure" channels to "full-blown man-in-the-middle attacks."
And they will showcase such an attack against the Safari web browser on OS X:
What lacks widespread insight is the fact that some cipher suites are vulnerable to KCI attacks and that the failure to secure against KCI attacks opens a dangerous security hole, especially when considering the way client certificates are handled in actual systems. Cipher suites that are not resistant to KCI are routinely advertised by most TLS clients such as web browsers. This unnecessarily exposes the communication to an avoidable risk.
Apart from BouncyCastle, the Mac OS X Secure Transport TLS library, and the newest branch of the OpenSSL library, we could not confirm that any other client TLS library that we looked at implements the necessary fixed (Elliptic Curve) Diffie-Hellman handshake. However, since TLS use is widespread, and since TLS is not only used to secure web traffic, but all kinds of client-server communications, we estimate that many more systems might in fact be affected.
The crypto-gang said ignorant software vendors are making the installation of malicious client certificates too easy; these certificates are the "essential ingredients" in exploiting KCI vulnerabilities.
Once a malicious client certificate is installed on a system by an app, for example, it can be exploited by a man-in-the-middle attacker to snoop on a connection and decrypt its contents. That will reveal things like passwords, login cookies, and so on.
The connection has to be established using an old cipher suite that is not resistant to KCI attacks, hence why the researchers want developers to stop using the aging algorithms.
The security quartet also called for the end of insecure client certificate handling, noting that client private keys should not leave machines. "System administrators at universities and industries should update their procedure to distribute client certificates accordingly," the researchers said.
"We conclude that the insecure TLS options that enable KCI attacks should be immediately disabled in TLS clients and removed from future versions and implementations of the protocol: their utility is extremely limited, their raison d'être is practically nil, and the existence of these insecure key agreement options only adds to the arsenal of attack vectors against cryptographically secured communication on the internet."
They offer this advice for affected sysadmins and developers. Server admins should:
- Disable non-ephemeral (EC)DH handshakes,
- Set appropriate X509 Key Usage extension for ECDSA and DSS certificates,
- Disable specifically the KeyAgreement flag.
Software programmers using TLS for secure communications:
- TLS client implementors should:
- Disable non-ephemeral (EC)DH handshake options, or
- At least disable support for fixed (EC)DH authentication.
TLS library developers should:
- Check whether they fully consider X509 Key Usage extensions,
- Mark and properly document non-ephemeral (EC)DH handshakes as deprecated and dangerous.
To demonstrate weaknesses in older cipher suites, the researchers were able to eavesdrop on and decrypt encrypted web connections made by Apple's Safari web browser running on OS X. (OS X versions earlier than 10.5.3 allow man-in-the-middle attacks to work silently against Safari; on later versions, the browser prompts the user to accept a client certificate. OS X 10.8 and higher are immune.) The OpenSSL library's version 1.0.2 branch, and some programs running BouncyCastle and RSA Bsafe, were also found to be vulnerable. ®