(Khan Lin Shenoy) Presentation

8/17/2019 (Khan Lin Shenoy) Presentation

1/16

Preventing DROWN Attack In E-

mailing

Ajay Shenoy

George LinShearyar Khan


2/16

What i a DROWN Attack!• DROWN tan" #or D ecry$ting R SA %ith O & olete

an" W eakene" e N cry$tion '()• A team o# international re earcher anno*nce" on

+arch ( t, .(/ that more than (( million %e& itean" e-mail ervice are v*lnera&le to thi ne%ly"i covere" lo%-co t attack0 ' )

• Even tho*gh the e %e& ite $rotecte" &y the 1LS$rotocol they are 2*ite v*lnera&le to thi attack0

• We& ite *ch a 3ahoo, Ali&a&a, Wei&o, 4*556ee",7Share", an" Sam *ng are v*lnera&le to the eattack '8) 0

https://drownattack.com/top-sites.htmlhttps://drownattack.com/top-sites.html


3/16

' )


4/16

9o% Doe a DROWN AttackWork!

• A DROWN attack i e entially a man in the mi""le

attack &et%een a victim client an" a victim erver0• It i a &a ically a t%i t on the 4leichen&acher: attack• 1he &a ic i"ea i that the attacker treat the erver a

an oracle an" en" it cho en ci$herte;t me age 0•

+o t o# the time the erver re $on" %ith an error &*tometime the "ecry$tion %ork an" erver goe toanother te$0

• 1h* the attacker gain in#ormation a&o*t the $rivatekey0

• A#ter many connection


5/16

• So the DROWN attack act*ally %orklike o?

• 6ir t the attacker o& erve anencry$te" SSL@1LS e ion &et%eena client an" erver that * e RSA keye;change an" it trie to "ecry$t it0

• 1he chance o# thi attack %orking ia&o*t ( in a (... o that attacker

o& erve a tho* an" RSA encry$te"key e;change 0

• ing the (... RSA key e;change

the attacker la*nche tho* an" o#


6/16

• Each o# the e attem$t %ill have anin tr*ction #or the erver to * e the 7.-

&it ci$her0• +o t DROWN attack e;$loit thi really

%eak 7.-&it ymmetric encry$tion #romthe (BB.

• Once the attacker receive the 7.-&itci$herte;t that attacker trie all C7.$o i&ilitie to "ecry$t the ci$herte;t0

• ing the "ecry$te" ci$herte;t to recoverthe encry$te" $re-ma ter ecret #rom thetarget e ion *ch a an email or ame age e;change ' ) 0


7/16

'8)


8/16

on"ition #or DROWNAttack

• 1he 1LS connection m* t * e RSAencry$tion in or"er #or the DROWNattack to %ork0 1h* a DROWN attackon a D9E encry$tion %ill not %ork0

• 1he attacker ho*l" &e a&le to la*nchtho* an" o# connection to a erverr*nning SSLv

• 1hi attack can only &e "one a erverr*nning SSLv ' ) 0


9/16

Analy i o# DROWN Attack• Since the attack re2*ire tho* an" o# SSlv

connection an" in the one connection thatret*rn the 7.-&it ci$herte;t it %ill take at %or t

C7. $o i&ilitie to "ecry$t the ci$herte;t0• 1h* in total there are (... C7. or

a$$ro;imately C>. $o i&ilitie to &reak theencry$tion0

•

Re earcher ay that it %o*l" take an attackera&o*t eight ho*r in the %or t ca e cenario to&reak the encry$tion0


10/16

on e2*ence o# DROWN Attack on 3ahoo Email

• A o# A$ril (.th yahoo email erver arev*lnera&le to the DROWN attack0

• ing a DROWN attack an a"ver ary can ea ilyeave "ro$ an" rea" email me age &et%eent%o in"ivi"*al 0

• An attacker can al o teal the $a %or" to ayahoo email acco*nt an" then mo"i#y a me ageor en" a ne% me age to the reci$ient '/) 0

• 6inally a "ata re$lay attack i not really eFective%hen * ing email &eca* e re$eate" email "onot nece arily $o e a threat an" can &e veri e"0

https://test.drownattack.com/?site=yahoo.comhttps://test.drownattack.com/?site=yahoo.com


11/16

Encry$tion Scheme to PreventDROWN Attack on Email

• We have t%o acco*nt ?• Email? Alice ry$to(Hyahoo0com• Pa %or"? alicealice•

Email? 4o& ry$togra$herHyahoo0com• Pa %or"? &o&&o&&o&• We %ill a *me that the a"ver ary, Eve, kno%

the $a %or" to their acco*nt an" o can rea"

an" mo"i#y email 0• We %ill al o a *me that 4o&: an" Alice: $*&lic

key are certi e" &y a erti cation A*thority

mailto:[email protected]:[email protected]:[email protected]:[email protected]


12/16


13/16

• 1hi %ill en *re "ata con "entiality &eca* e only4o& can "ecry$t the AES ecret key ince he ha

the RSA ecret key0 ing that "ecry$te" AES keyhe can then "ecry$t the AES encry$te" me age0• 1hi %ill al o en *re e ciency &eca* e it %o*l"

take too long to encry$t a %hole me age thro*ghRSA an" o %e only encry$t the key thro*gh RSA0

• 1h* Alice %ill en" an email containing? a RSAencry$te" "igital ignat*re that %a create" * ingthe ha h o# the e ion token an" the me age, aRSA encry$te" AES e ion key, an" an AESencry$te" ci$herte;t that contain the me age0


14/16

• 4o& *$on receiving Alice: email %ill "ecry$t the"igital ignat*re * ing Alice: $*&lic key0

•

1hen he %ill "ecry$t the AES e ion key * ing hiecret key0• ing the AES e ion key he %ill "ecry$t the AES

me age0• 9e %ill veri#y the e ion token at the en" o# the

me age to "etect "ata re$lay attack 0• 6inally he %ill com$*te the S9A-( ha h o# the

me age an" com$are it %ith the "igital ignat*reo# Alice in or"er to en *re that it %a Alice %ho

igne" the me age0• 1h* %e have en *re" "ata con "entiality an"

"etection again t "ata re$lay an" "ata integrityattack 0


15/16

• 1h* o*r encry$tion y tem $revent Eve #rommo"i#ying email %itho*t "etection0

• Al o con "entiality i en *re" ince only Alicean" 4o& can rea" the content o# the email 0

• 6inally Eve can "elete email &e#ore Alice an"4o& can rea" them &*t i# it goe on #or a longeno*gh time Alice an" 4o& %ill kno% omethingi ami i# they comm*nicate thro*gh othermean 0

• 1here#ore o*r encry$tion cheme: only%eakne i that Eve ha the $o%er to "eleteemail %itho*t Alice or 4o& kno%ing imme"iately0


16/16

(Khan Lin Shenoy) Presentation

Documents

Transcript of (Khan Lin Shenoy) Presentation