Securing Wireless Channels

(Or the Case for Certificate

and Public Key Pinning)

What is OWASP?
The Open Web Application Security
Project
Not just web anymore

Mission Driven
World wide, nonprofit, unbiased organization

Community Driven

30,000 Mail List Participants

200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters
69 Academic Supporters

Around the World

200 Chapters, ~1600 Members, 30000+ Builders, Breakers and Defenders

About Me

Jeffrey Walton
Roles include
Mobile Security Architect
Senior Consultant
Security Engineer

Secure Coding Evangelist

Live and die by SDLCs

Agenda and Topics

Background
Architectures
Expectations

VPN/SSL/TLS Issues
Past Problems
Current Issues

Shared Secret
PSK
SRP

Pinning
Certificate
Public Key

Futures
Pinning (IETF)
Sovereign Keys
Convergence
Wrap Up
Questions

Its All About the Data

Data is the only thing that matters

Who owns it
Who controls it
Who accesses it

Share data with appropriate parties

Must determine identity of parties

Cant determine identity?

Dont share data

Data Attributes

Data Sensitivity
Low
Public Information
Contact Information

Medium
Social Security
Number
Bank Account
Single Sign On?

High
Pending Litigation,
M&A
FERPA, HIPPA, GLBA,

Data States
Data at Rest
Server/Desktop/Devi
ce
Remote and Local

Data on Display
View/Read/Write/Edit
Local

Data in Transit
Secure Channel
Local Remote

Expectations

User Expectations?
End-to-end security

Web Applications
Padlocks tell me its secure
Green Bars tell me its secure
Marketing tells me its secure

How can {VPN|SSL|TLS} not be secure?

When did that happen?

Training (Conditioning?)

Padlock looks secure

Green bar looks secure
$1,500,000 is a lot of money
It looks secure
It must be secure

Two Architectures

Two architectures in play

Employee Organization
VPN

Individual Service Provider

SSL/TLS

Security Boundaries
Sometimes Trust Zones
How many are traversed?

Architecture (Enterprise,
VPN)

Architecture (Mobile,
SSL/TLS)

Comes down to

Infrastructure
Domain Name System (DNS)
Public Key Infrastructure (PKI{X})
Certificate Authorities (CAs)

Employee Organization
Organization

Individual Service Provider

Individual, Provider

Whats Gone Wrong (1)?

Governments Want/Require Interception

Certified Lies: Detecting and Defeating Government Interception Attacks
Against SSL, cryptome.org/ssl-mitm.pdf
http://www.dailymail.co.uk/indiahome/indianews/article-2126277/Nosecrets-Blackberry-Security-services-intercept-data-government-getsway-messenger-service.html

Governments Engage in Interception

http://www.thetechherald.com/articles/Tunisian-government-harvestingusernames-and-passwords/12429/

Vendors Provide Interception Taps

http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html

Governments Use Interception Taps

https://www.eff.org/nsa-spying

Mobile Interception is Patented

Lawful interception for targets in a proxy mobile internet protocol
network, http://www.google.com/patents/EP2332309A1

Whats Gone Wrong (2)?

Handset manufactures add trusted roots

http://gaurangkp.wordpress.com/tag/nokias-man-in-the-middle-attack/

Carriers can add trusted roots

No reference yet, but
http://www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/

CAs can become compromised

http://isc.sans.edu/diary.html?storyid=11500

Researchers can create Rogue CAs

http://www.win.tue.nl/hashclash/rogue-ca/

DNS can become compromised

http://forums.theregister.co.uk/forum/2/2011/09/05/dns_hijack_service_updated/

Physical plant can become compromised

http://www.pcworld.com/article/119851/paris_hilton_victim_of_tmobiles_web_fla
ws.html

Its easy to set up an AP or Base Station (Chris Paget's IMSI Catcher)

http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/

Whats Gone Wrong (3)?

Can't trust some CAs they will sell you out and issue subordinate CAs for
money
http://www.net-security.org/secworld.php?id=12369
http://www.zdnet.com/trustwave-sold-root-certificate-for-surveillance-3040095011/

Can't trust some browsers they will sell you out and elide their responsibility
https://bugzilla.mozilla.org/show_bug.cgi?id=724929

Can't trust some browsers they include questionable certificates out of the box
https://bugzilla.mozilla.org/show_bug.cgi?id=542689

Can't override some browser's CA list

http://my.opera.com/community/forums/topic.dml?id=1580452

Can't override OS's CA list

http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

CRL/OCSP does not work as expected/intended

http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modernbrowsers.html
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-webbrowser-collusion

Whats Gone Wrong (4)?

User will break it too (not just bad guys)

http://www.esecurityplanet.com/mobile-security/hacker-bypasses-applesios-in-app-purchases.html
http://www.h-online.com/security/news/item/Apps-for-Windows-8-easilyhacked-1767839.html

Interception proxies add additional risk

http://blog.cryptographyengineering.com/2012/03/how-do-interceptionproxies-fail.html

HTTPS is broken
http://www.thoughtcrime.org/software/sslstrip/

PKI is broken
www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf

The Internet is Broken :)

http://blog.cryptographyengineering.com/2012/02/how-to-fixinternet.html

Decisions, Decisions

Remediation

Stop Conferring Trust!

Cut-out the middle men
Harden the Channel!
Leverage the pre-existing relationship
Verify the Host
Password Authenticated Key Exchange
Shared secret

Public Key Cryptography

Public/Private key pair

Secure Remote Password

(SRP)

Secure Remote Password (SRP)

Thomas Wu, RFC 5054

User knows the password

Client hashes before use

Server knows the verifier

Similar to Unix passwd file

Diffie-Hellman based
Discrete logs (hard problem)
gab g{(salt + password)|verifier} + nonces

Pre Shared Key (PSK)

Pre Shared Key (PSK)

RFC 4279

Three Flavors
PSK Key Exchange
Secret used as Premaster Secret, use only symmetric
key algorithms

DHE_PSK Key Exchange

PSK authenticates Diffie-Hellman exchange

RSA_PSK Key Exchange

combines public-key-based server authentication with
mutual authentication using a PSK

Public Key Cryptography

All we need is a signing key for identity

RSA, DSA, ECDSA

and an ephemeral exchange

DHE, ECDHE, MQV, HMQV, FHMQV, etc

SSH got it right

StrictHostKeyChecking option
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

General Idea

Whitelist expected Certificates or Public

keys
Theres a pre-existing relationship
Or, make a note during first connect
Side step the key distribution problem

Certificate or Public Key Pinning

Libraries offer OnConnect callback
In the callback, inspect certificate or
public key

Bad Cases

Good case
Server is identified by expected cert or key

Bad case
Adversary is using a different public key
Not expected, so fail

Adversary is advertising expected public key

Cant decrypt communications

Really Bad Case

Adversary is using expected public key
Can decrypt communications pwnd

Certificate or Public Key?

X509 Certificate
Binds public key to entity
Version 3 information
Certificate may be rotated

Public Key
Must be static, cannot change
May violate some key rotation policies
Does not depend on certificate

Sample Code

Sample Code
Windows/.Net
Android/Java
iOS/Objective C
OpenSSL/C

Futures

Public Key Pinning Extension for HTTP

draft-ietf-websec-key-pinning-04
http://www.ietf.org/id/draft-ietf-websec-keypinning-04.txt

Sovereign Keys Project

http://www.eff.org/sovereign-keys
DNSSEC to distribute certificates and keys

Convergence
http://convergence.io
Redundant view of sites and certificates/keys

Does It Work?

Wrap Up

Data is all that matters

Identify parties, then share data

PSK, SRP and Pinning

Does not confer trust
Dont care about answers from DNS or CAs
Leverages pre-existing relationship

Sovereign Keys and Convergence

Does confer trust
Still getting answers from others
Useful if no pre-existing relationship

Wrap Up

Questions?
Hopefully useful Answers

Jeffrey Walton
jeffrey.waltn@softwareintegrit
y.cm