
MITM Attacks on SSL/TLS: Types, Defenses, and Detection Techniques
"Explore the vulnerabilities in SSL/TLS protocols and the prevalence of Man In The Middle (MITM) attacks. Learn about different types of attacks, defense mechanisms, and promising detection techniques to safeguard online communication and data transmissions."
Presentation Transcript
The Man In The Middle: MITM attacks on SSL/TLS and Promising Detection Techniques
By: John Nuccio
IASP 470 Capstone, Dr. Yoon
Objectives
Overview; SSL; PKI; MITM; Types of Attacks; Defenses; Conclusion
Overview
In today's world, we are more connected than ever before; communication now happens through social media, emails, and text messages. The modern world is moved by online shopping, banking, and business deals; everything we do is, in some way, connected. Through these connections, sensitive information is passed daily and on a massive scale.
Netscape came up with the Secure Sockets Layer, or SSL, in 1994. SSL is meant to provide users with information security and privacy, but it has its downfalls. SSL follows the PKI model, which has known exploitations when it comes to validating certificates, causing the PKI to have trust issues.
Overview Pt. 2
One of the most successfully used attacks to steal one's information is the Man In The Middle attack. We will go into detail on what exactly MITM attacks are, how they are carried out, and new promising ways of detecting and preventing these attacks on SSL.
Secure Sockets Layer (SSL)
SSL and its successor TLS, names which are often used interchangeably now, are encryption protocols designed to provide secure communication and data transfers over the Internet. Both protocols were set up to provide a secure communication channel between two parties: a client and a server, or a client and a client.
The main services of SSL/TLS are to authenticate users and servers, to ensure that data is sent to the correct destination; to encrypt data, to prevent data theft during transmission; and to maintain data integrity during transmission, to ensure data is not changed.
SSL sessions are established using a combination of asymmetric and symmetric key cryptographic protocols.
PKI: Public Key Infrastructure
The X.509 certificate, first issued in 1988 and built up to version 3 in 1996, is a digital certificate that uses a widely accepted international PKI to verify that a public key belongs to the user or computer named in it.
When you receive a public key from the Internet, it is sent in an X.509 PKI certificate. In that certificate, along with the key, is a digital signature from a certificate authority (CA). This signature shows that the CA has endorsed the owner of the certificate you received.
Web browsers today trust many CAs from all over the world. Since browsers trust all CAs equally, the PKI is only as trustworthy as the least trustworthy CA in the browser's root certificate store. This means that even if just one CA is compromised, it could render the whole PKI untrustworthy.
Lin-Shung Huang presented the first analysis of forged certificates in the wild. It was found that 0.2% of real-world connections were being established with forged certificates.
MITM: Man in the Middle
A MITM attack most commonly involves two endpoints, the victims, and a third user in the middle, the attacker. The attacker has the ability to view the entire conversation between the other two parties as well as modify the messages being sent through.
Man in the Middle attacks have to go through 2 phases for them to work. From the figure on the next slide you see the attack happen between M1 and M2.
The intercept phase can be accomplished in a number of different ways. The most common method is spoofing; IP, ARP and DNS spoofing in particular are what most attackers use to intercept the traffic and grab the key.
The next phase in the attack is the decryption phase, which the attacker needs to achieve so that the users are unable to detect the attack. This can be achieved by HTTPS spoofing, SSL hijacking, BEAST and stripping.
A MITM attack attempts to compromise parts of, if not all of, the CIA Triad:
Confidentiality: by eavesdropping on the communication.
Integrity: by intercepting the communication and modifying the messages being sent.
Availability: by intercepting and destroying messages, or modifying messages to cause one of the communicating parties to end the session.
Types of MITM Attacks on SSL
Fake Certificate Attacks; ARP Cache Poisoning; SSL Renegotiation Attack
Fake Certificate Attack
The attacker establishes two separate SSL connections, one with each victim, and relays messages between them; both victims are completely unaware of the attacker. This setup enables the attacker to record all messages passing through the communication channel and, if desired, modify the transmitted data.
Scenarios of forged certificate MITM attacks:
The attacker holds a valid certificate for the target web server. This case is possible if the attacker compromises a CA or is able to force it to issue them a certificate.
The attacker holds an invalid certificate. In this scenario the attacker may succeed if the victim ignores the security warnings, which is a common phenomenon.
MITM+key: the attacker has a private key of the legitimate server.
ARP Cache Poisoning
The purpose of ARP poisoning is to associate the attacker's host MAC address with the IP address of a target host. This allows the attacker to read any packets passing through the communication line.
When the attacker finds the victim's and the gateway's IP addresses, they send an ARP reply to the victim which states that the gateway's MAC address is now the MAC address of the attacker. Another reply is sent to the gateway stating that the victim's MAC address has changed to the attacker's MAC address.
With this attack, the attacker can hijack the session even if it is secured by SSL/TLS.
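The two forged replies described above leave a recognisable trace on the defender's side: an IP address whose MAC binding changes, and one MAC address answering for several IPs. The following detection sketch is an added example, not part of the original presentation; the ARP observations are constructed sample data and the function name is hypothetical.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "aa:aa:aa:aa:aa:01"),   # gateway
    (1.0, "192.0.2.10", "aa:aa:aa:aa:aa:10"),  # workstation
    (5.0, "192.0.2.66", "aa:aa:aa:aa:aa:66"),  # third host on the segment
    (9.0, "192.0.2.1", "AA:AA:AA:AA:AA:66"),   # gateway IP now claimed by the third host's MAC
    (9.1, "192.0.2.10", "aa:aa:aa:aa:aa:66"),  # workstation IP claimed by the same MAC
]

def detect_arp_anomalies(replies):
    """Return alerts for the two symptoms of ARP cache poisoning:
    an IP whose MAC differs from its first-seen binding, and one MAC
    that answers for more than one IP address."""
    baseline = {}                  # ip -> first MAC seen for it
    mac_to_ips = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = baseline.setdefault(ip, mac)  # first binding stays the baseline
        if known != mac:
            alerts.append(("ip-rebound", ts, ip, known, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac-multi-ip", ts, mac, sorted(mac_to_ips[mac])))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

Legitimate events such as DHCP reassignment or a replaced network card also change bindings, so these alerts are leads to correlate with other evidence rather than verdicts.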
SSL Renegotiation Attack
SSL renegotiation is used when an SSL session has become routine and has already been established by the user. This is common on sites where a payment is needed at checkout. In this process you browse the site anonymously, and when you are ready to check out you are asked to log in, either as a guest or with an account. When you log in, the SSL connection has to be adjusted so that you are authenticated for the site.
This adjustment gives attackers an opening to inject code into the HTTPS connection and downgrade it to an HTTP connection, which is how the attack happens.
Promising Solutions to MITM Attacks
Detection of Forged Certificates; Certificate Pinning/SSL Pinning; Multi-Path Probing; Forced SSL/TLS Connection; TLS Extensions
Forged Certificate Detection
Certificate Transparency (CT): CT is an experimental Internet standard and open source framework for monitoring and auditing digital certificates. CT aims to create a central audit log of all HTTPS certificates, which will allow efficient identification of certificates that are legitimate, mistakenly issued or maliciously issued. Google Chrome began requiring CT for newly issued certificates in 2015.
The ICSI Certificate Notary service is another option for mitigating MITM SSL attacks. ICSI helps clients identify malicious certificates by providing a third-party perspective on what they should expect to receive from a server. ICSI does this by passively collecting certificates at multiple independent Internet sites and then aggregating them into a central database almost in real time.
Certificate Pinning/SSL Pinning
Certificate pinning mitigates MITM attacks by associating hosts with their expected X.509 certificates or public keys. In this scenario, servers publish certificates and public keys (which will be used in future handshakes), and users can then detect whether there were any changes to them.
SSL pinning is a mechanism that limits the number of CAs (Certificate Authorities) for a website. The main idea is for a client to save a list of trusted server certificates so that the client does not have to find trusted CAs. The list is created when the browser or applications release from the server.
SSL pinning was introduced by C. Evans and C. Palmer from Google in 2011 and has been implemented in mobile apps and browsers. This method of defense works well when MITM attacks try to spoof a server's SSL certificates on the back end.
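A client-side pin check as described above, written as an added example that is not part of the original presentation. It pins the SHA-256 fingerprint of the whole leaf certificate and keeps a backup pin for rotation; the host name, the byte strings standing in for DER certificates, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate. Normal CA and hostname
    validation stay enabled: pinning is an extra check, not a substitute."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class PinStore:
    """Saved list of expected certificate fingerprints per host."""

    def __init__(self, pins_by_host):
        self.pins = {h.lower(): {p.lower() for p in pins}
                     for h, pins in pins_by_host.items()}

    def check(self, host: str, der_cert: bytes) -> str:
        pins = self.pins.get(host.lower())
        if pins is None:
            return "unpinned"      # no expectation saved: CA validation only
        seen = fingerprint(der_cert)
        if any(hmac.compare_digest(seen, pin) for pin in pins):
            return "ok"
        return "pin-mismatch"      # CA-valid or not, this is not the expected cert

# Constructed stand-ins for DER bytes (not real certificates).
CURRENT_CERT = b"constructed-der-current"
BACKUP_CERT = b"constructed-der-backup"
FORGED_CERT = b"constructed-der-issued-by-other-ca"

STORE = PinStore({"shop.example": [fingerprint(CURRENT_CERT),
                                   fingerprint(BACKUP_CERT)]})

if __name__ == "__main__":
    for cert in (CURRENT_CERT, BACKUP_CERT, FORGED_CERT):
        print(STORE.check("shop.example", cert))
```

Pinning the whole certificate means the pin list must be updated on every renewal, which is why a backup pin is carried; against a live server the input to `check` would come from `fetch_leaf_der`.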
Multi-Path Probing
During a MITM attack on SSL/TLS, the attack is almost always directed at a specific target. As a result, a distributed voting approach is effective against SSL MITM attacks.
Dan Wendlandt proposed an idea to combat this with his system, Perspectives. The system mitigates many MITM attacks by using a collection of notary hosts that observe a server's public key from multiple network vantage points and keep a record of the server's key over time. Each notary maintains a local database of known certificates. Depending on the notaries' voting mechanics, certificates are rejected or accepted. This solution was presented as a Firefox plugin.
Another solution is DoubleCheck, which works together with the Tor anonymity network. DoubleCheck works by retrieving the certificate from a remote host using multiple alternate paths. It uses the Tor network to check the authenticity of a server's certificate because Tor makes it possible to connect over multiple independent paths. This solution allows defense against MITM attacks without requiring new infrastructure and keeps overhead low.
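The notary voting described above can be modelled as a quorum over each notary's recorded key history. This is an added example, not Perspectives' or DoubleCheck's own code: the record layout, the thresholds, the notary names and the fingerprints are all constructed assumptions.

```python
DAY = 86400  # seconds

# Constructed notary records: each notary keeps (fingerprint, first_seen, last_seen).
STABLE_VIEW = {
    "notary-a": [("fp-legit", 0, 100 * DAY)],
    "notary-b": [("fp-legit", 10 * DAY, 100 * DAY)],
    "notary-c": [("fp-legit", 0, 99 * DAY)],
    "notary-d": [],  # this vantage point never reached the server
}
# Constructed case: every vantage point began seeing a different key one day ago.
RECENT_SWITCH = {
    name: [("fp-legit", 0, 99 * DAY), ("fp-new", 99 * DAY, 100 * DAY)]
    for name in ("notary-a", "notary-b", "notary-c")
}

def notary_vouches(spans, offered_fp, now, min_duration, max_staleness=2 * DAY):
    """A notary vouches only if the key it saw most recently is the offered
    one, the sighting is fresh, and the key has been stable long enough."""
    if not spans:
        return False
    fp, first_seen, last_seen = max(spans, key=lambda span: span[2])
    return (fp == offered_fp
            and now - last_seen <= max_staleness
            and last_seen - first_seen >= min_duration)

def quorum_decision(offered_fp, views, now, quorum, min_duration):
    """Accept the key the client was offered only if at least `quorum`
    notaries vouch for it; also return the individual votes."""
    votes = {name: notary_vouches(spans, offered_fp, now, min_duration)
             for name, spans in views.items()}
    verdict = "accept" if sum(votes.values()) >= quorum else "reject"
    return verdict, votes

if __name__ == "__main__":
    now = 100 * DAY
    for fp, views in (("fp-legit", STABLE_VIEW), ("fp-forged", STABLE_VIEW),
                      ("fp-new", RECENT_SWITCH)):
        print(fp, quorum_decision(fp, views, now, quorum=3, min_duration=7 * DAY))
```

A key offered only on the client's own path gets no votes, and a key that every vantage point started seeing yesterday fails the stability requirement, so both are rejected.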
Forced SSL/TLS Connection
This solution forces communicating parties to use the SSL/TLS connection. When a web server responds to a request from a user's browser, it also responds with messages and scripts that indicate redirection to HTTPS.
The limitation of this method is that the first connection from the user to the server is made over an insecure HTTP connection. An attacker could strip the call to the JavaScript API in the response packet, turning the HTTPS connection into an insecure HTTP connection and leaving an avenue open for a MITM attack.
To solve this, a solution called HTTP Strict Transport Security (HSTS) was introduced. HSTS instructs browsers to make SSL/TLS connections mandatory on their sites. The web server attaches a special header to the response packet. This header gives the list of subdomains and forces the user's browser to connect to them over HTTPS. This makes the connection from the user to the server relatively secure right from the start.
TLS Extensions
Channel ID is a TLS extension which strengthens client authentication and provides traceability. A browser stores public/private key pairs which were created during the TLS handshake with a TLS-enabled web server. Channel IDs are used to identify a browser across multiple TLS connections. This approach blocks most of the existing MITM attacks, since an attacker is unable to impersonate the client without stealing the self-signed private key from the legitimate browser. However, it does not prevent an impersonated server from supplying a cacheable malicious JavaScript file to the client.
Karapanos came up with a solution for this with his proposal of Server Invariance with Strong Client Authentication (SISCA). The main idea behind SISCA is to ensure that the browser communicates with only one entity: either the legitimate server or the attacker, but not both simultaneously. For a MITM attack to work, the user's browser needs to communicate with the web server and the client at the same time. Allowing only a single communication to happen at a time prevents this.
Conclusion
The team found from our research that the PKI has flawed trustworthiness. Companies and individuals should look into employing the countermeasures we discussed until the PKI issues can be solved properly.
References
Conti, M. (n.d.). A Survey of Man In The Middle Attacks. Retrieved December 5, 2018, from https://ieeexplore.ieee.org/document/7442758
Benton, K. (n.d.). A Protocol To Detect Man In The Middle Attack on SSL. Retrieved December 5, 2018, from https://www.researchgate.net/publication/254005299_SignatureCheck_a_protocol_to_detect_man-in-the-middle_attack_in_SSL
Kumar, S. S. (n.d.). Analysis of Man in the middle attack on SSL. Retrieved December 6, 2018, from https://www.researchgate.net/publication/228333979_Analysis_on_Man_in_the_Middle_Attack_on_SSL
Karapanos, N., & Capkun, S. (2014). On the effective prevention of TLS man-in-the-middle attacks in web applications. IACR Cryptology ePrint Archive, vol. 2014, p. 150.
Known Logs - Certificate Transparency (http://www.certificate-transparency.org/known-logs). Retrieved December 7, 2018, from www.certificate-transparency.org
Wendlandt, D., Andersen, D. G., & Perrig, A. (n.d.). Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. Retrieved December 8, 2018, from https://www.usenix.org/legacy/event/usenix08/tech/full_paper/wendlant/wendlant_html/
Alicherry, M., & Keromytis, A. D. (n.d.). DoubleCheck: Multi-path Verification Against Man-In-The-Middle Attacks. Retrieved December 6, 2018, from https://www1.cs.columbia.edu/~angelos/Papers/2009/doublecheck.pdf
The ICSI Certificate Notary. (n.d.). Retrieved December 8, 2018, from https://notary.icsi.berkeley.edu/
Dierks, T., & Allen, C. (n.d.). The TLS Protocol Version 1.0. Retrieved December 9, 2018, from https://tools.ietf.org/html/rfc2246
Soghoian, C., & Stamm, S. (n.d.). Certified lies: Detecting and defeating government interception attacks against SSL. Retrieved December 6, 2018, from https://link.springer.com/chapter/10.1007/978-3-642-27576-0_20
Holz, R. G. (n.d.). Empirical Analysis of Public Key Infrastructures and Investigation of Improvements. Retrieved December 7, 2018, from https://mediatum.ub.tum.de/doc/1182735/1182735.pdf
Huang, L., Ellingsen, E., & Jackson, C. (n.d.). Analyzing Forged SSL Certificates in the Wild. Retrieved December 5, 2018, from https://ieeexplore.ieee.org/abstract/document/6956558
Dietz, M., Czeskis, A., Balfanz, D., & Wallach, D. S. (n.d.). Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web. Retrieved December 9, 2018, from https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final162.pdf
Balfanz, D., & Hamilton, R. (2013). Transport Layer Security (TLS) Channel IDs. IETF Internet Draft v01.