8/17/2019 (Khan Lin Shenoy) Presentation
Preventing DROWN Attack In E-mailing
Ajay Shenoy
George Lin
Shearyar Khan
What is a DROWN Attack?
• DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption [1]
• A team of international researchers announced on March 1st, 2016 that more than 11 million websites and e-mail services are vulnerable to this newly discovered low-cost attack. [2]
• Even though these websites are protected by the TLS protocol, they are quite vulnerable to this attack.
• Websites such as Yahoo, Alibaba, Weibo, BuzzFeed, 4Shared, and Samsung are vulnerable to these attacks [3].
https://drownattack.com/top-sites.html
How Does a DROWN Attack Work?
• A DROWN attack is essentially a man in the middle attack between a victim client and a victim server.
• It is basically a twist on Bleichenbacher's attack.
• The basic idea is that the attacker treats the server as an oracle and sends it chosen ciphertext messages.
• Most of the time the server responds with an error, but sometimes the decryption works and the server goes to another step.
• Thus the attacker gains information about the private key.
• After many connections
• So the DROWN attack actually works like so:
• First the attacker observes an encrypted SSL/TLS session between a client and server that uses RSA key exchange and it tries to decrypt it.
• The chance of this attack working is about 1 in a 1000 so that attacker observes a thousand RSA encrypted key exchanges.
• Using the 1000 RSA key exchanges the attacker launches thousands of
• Each of these attempts will have an instruction for the server to use the 40-bit cipher.
• Most DROWN attacks exploit this really weak 40-bit symmetric encryption from the 1990s.
• Once the attacker receives the 40-bit ciphertext, the attacker tries all 2^40 possibilities to decrypt the ciphertext.
• The attacker uses the decrypted ciphertext to recover the encrypted pre-master secret from the target session, such as an email or a message exchange [2].
Conditions for DROWN Attack
• The TLS connection must use RSA encryption in order for the DROWN attack to work. Thus a DROWN attack on a DHE encryption will not work.
• The attacker should be able to launch thousands of connections to a server running SSLv2.
• This attack can only be done on a server running SSLv2 [2].
Analysis of DROWN Attack
• The attack requires thousands of SSLv2 connections, and in the one connection that returns the 40-bit ciphertext it will take at worst 2^40 possibilities to decrypt the ciphertext.
• Thus in total there are 1000 × 2^40 or approximately 2^50 possibilities to break the encryption.
• Researchers say that it would take an attacker about eight hours in the worst case scenario to break the encryption.
Consequences of DROWN Attack on Yahoo Email
• As of April 10th Yahoo email servers are vulnerable to the DROWN attack.
• Using a DROWN attack an adversary can easily eavesdrop and read email messages between two individuals.
• An attacker can also steal the password to a Yahoo email account and then modify a message or send a new message to the recipient [6].
• Finally a data replay attack is not really effective when using email because repeated emails do not necessarily pose a threat and can be verified.
https://test.drownattack.com/?site=yahoo.com
Encryption Scheme to Prevent DROWN Attack on Email
• We have two accounts:
• Email: AliceCrypto1@yahoo.com
• Password: alicealice
• Email: BobCryptographer@yahoo.com
• Password: bobbobbob
• We will assume that the adversary, Eve, knows the passwords to their accounts and so can read and modify emails.
• We will also assume that Bob's and Alice's public keys are certified by a Certification Authority
• This will ensure data confidentiality because only Bob can decrypt the AES secret key since he has the RSA secret key. Using that decrypted AES key he can then decrypt the AES encrypted message.
• This will also ensure efficiency because it would take too long to encrypt a whole message through RSA and so we only encrypt the key through RSA.
• Thus Alice will send an email containing: a RSA encrypted digital signature that was created using the hash of the session token and the message, a RSA encrypted AES session key, and an AES encrypted ciphertext that contains the message.
• Bob upon receiving Alice's email will decrypt the digital signature using Alice's public key.
• Then he will decrypt the AES session key using his secret key.
• Using the AES session key he will decrypt the AES message.
• He will verify the session token at the end of the message to detect data replay attacks.
• Finally he will compute the SHA-1 hash of the message and compare it with the digital signature of Alice in order to ensure that it was Alice who signed the message.
• Thus we have ensured data confidentiality and detection against data replay and data integrity attacks.
• Thus our encryption system prevents Eve from modifying emails without detection.
• Also confidentiality is ensured since only Alice and Bob can read the contents of the emails.
• Finally Eve can delete emails before Alice and Bob can read them but if it goes on for a long enough time Alice and Bob will know something is amiss if they communicate through other means.
• Therefore our encryption scheme's only weakness is that Eve has the power to delete emails without Alice or Bob knowing immediately.
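The Alice-to-Bob scheme from the slides above, as an added example that is not code from the presentation. It uses Node.js built-in crypto with RSA-OAEP for the key wrap, AES-256-GCM for the message and SHA-256 in place of the slides' SHA-1; the function names and the 16-byte token length are assumptions.

```javascript
// Added example (not from the slides): Alice -> Bob envelope with Node's built-in crypto.
const crypto = require('crypto');

const TOKEN_LEN = 16; // assumed session-token length in bytes
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Alice: append a fresh token, sign message||token, AES-encrypt it, RSA-wrap the AES key.
function sealEmail(message, alicePrivateKey, bobPublicKey) {
  const token = crypto.randomBytes(TOKEN_LEN);
  const body = Buffer.concat([Buffer.from(message, 'utf8'), token]);
  const signature = crypto.sign('sha256', body, alicePrivateKey);
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: bobPublicKey, ...OAEP }, aesKey);
  return { signature, wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Bob: unwrap the AES key, decrypt, check Alice's signature, then reject reused tokens.
function openEmail(email, bobPrivateKey, alicePublicKey, seenTokens) {
  const aesKey = crypto.privateDecrypt({ key: bobPrivateKey, ...OAEP }, email.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, email.iv);
  decipher.setAuthTag(email.tag);
  // final() throws if Eve changed the ciphertext, IV or tag
  const body = Buffer.concat([decipher.update(email.ciphertext), decipher.final()]);
  if (!crypto.verify('sha256', body, alicePublicKey, email.signature)) {
    throw new Error('signature check failed: not signed by Alice');
  }
  const token = body.subarray(body.length - TOKEN_LEN).toString('hex');
  if (seenTokens.has(token)) throw new Error('replayed email: token already seen');
  seenTokens.add(token);
  return body.subarray(0, body.length - TOKEN_LEN).toString('utf8');
}

// Constructed demo: one genuine delivery, then Eve re-sends the same email.
function demo() {
  const alice = newKeyPair(), bob = newKeyPair(), seen = new Set();
  const email = sealEmail('Lunch at noon?', alice.privateKey, bob.publicKey);
  const first = openEmail(email, bob.privateKey, alice.publicKey, seen);
  let second;
  try { second = openEmail(email, bob.privateKey, alice.publicKey, seen); }
  catch (err) { second = err.message; }
  return [first, second];
}
console.log(demo());
```

Replay detection only holds while Bob keeps the set of seen tokens across sessions, and deletion of an email by Eve remains undetected, as the slides note.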