Saturday, January 20, 2024

Practical Bleichenbacher Attacks On IPsec IKE

We found out that reusing a key pair across different versions and modes of IPsec IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. These vulnerabilities existed in implementations by Cisco, Huawei, and others.

This week at the USENIX Security conference, I will present our research paper on IPsec attacks: The Dangers of Key Reuse: Practical Attacks on IPsec IKE written by Martin Grothe, Jörg Schwenk, and me from Ruhr University Bochum as well as Adam Czubak and Marcin Szymanek from the University of Opole [alternative link to the paper]. This blog post is intended for people who like to get a comprehensive summary of our findings rather than to read a long research paper.

IPsec and Internet Key Exchange (IKE)

IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and configuration options. Therefore, IKE is one of the most complex cryptographic protocols in use.

In version 1 of IKE (IKEv1), four authentication methods are available for Phase 1, in which initial authenticated keying material is established: Two public key encryption based methods, one signature based method, and a PSK (Pre-Shared Key) based method.

Attacks on IKE implementations

With our attacks we can impersonate an IKE device: If the attack is successful, we share a set of (falsely) authenticated symmetric keys with the victim device, and can successfully complete the handshake – this holds for both IKEv1 and IKEv2. The attacks are based on Bleichenbacher oracles in the IKEv1 implementations of four large network equipment manufacturers: Cisco, Huawei, Clavister, and ZyXEL. These Bleichenbacher oracles can also be used to forge digital signatures, which breaks the signature based IKEv1 and IKEv2 variants. Those who are unfamiliar with Bleichenbacher attacks may read this post by our colleague Juraj Somorovsky for an explanation.

The affected hardware test devices by Huawei, Cisco, and ZyXEL in our network lab.

We show that the strength of these oracles is sufficient to break all handshake variants in IKEv1 and IKEv2 (except those based on PSKs) when given access to powerful network equipment. We furthermore demonstrate that key reuse across protocols as implemented in certain network equipment carries high security risks.

We additionally show that both PSK based modes can be broken with an offline dictionary attack if the PSK has low entropy. Such an attack was previously only documented for one of those modes (edit: see this comment). We thus show attacks against all authentication modes in both IKEv1 and IKEv2 under reasonable assumptions.

The relationship between IKEv1 Phase 1, Phase 2, and IPsec ESP. Multiple simultaneous Phase 2 connections can be established from a single Phase 1 connection. Grey parts are encrypted, either with IKE derived keys (light grey) or with IPsec keys (dark grey). The numbers at the curly brackets denote the number of messages to be exchanged in the protocol.

Where's the bug?

The public key encryption (PKE) based authentication mode of IKE requires that both parties have exchanged their public keys securely beforehand (e. g. with certificates during an earlier handshake with signature based authentication). RFC 2409 advertises this mode of authentication with a plausibly deniable exchange to raise the privacy level. In this mode, messages three and four of the handshake exchange encrypted nonces and identities. They are encrypted using the public key of the respective other party. The encoding format for the ciphertexts is PKCS #1 v1.5.

Bleichenbacher attacks are adaptive chosen ciphertext attacks against RSA-PKCS #1 v1.5. Though the attack has been known for two decades, it is a common pitfall for developers. The mandatory use of PKCS #1 v1.5 in the PKE authentication methods raised suspicion of whether implementations resist Bleichenbacher attacks.

PKE authentication is available and fully functional in Cisco's IOS operating system. In Clavister's cOS and ZyXEL's ZyWALL USG devices, PKE is not officially available. There is no documentation and no configuration option for it and it is therefore not fully functional. Nevertheless, these implementations processed messages using PKE authentication in our tests.

Huawei implements a revised mode of the PKE mode mentioned in the RFC that saves one private key operation per peer (we call it RPKE mode). It is available in certain Huawei devices including the Secospace USG2000 series.

We were able to confirm the existence of Bleichenbacher oracles in all these implementations. Here are the CVE entries and security advisories by the vendors (I will add links once they are available):

On an abstract level, these oracles work as follows: If we replace the ciphertext of the nonce in the third handshake message with a modified RSA ciphertext, the responder either indicates an error (Cisco, Clavister, and ZyXEL) or silently aborts (Huawei) if the ciphertext is not PKCS #1 v1.5 compliant. If the ciphertext is in fact PKCS #1 v1.5 compliant, the responder continues with the fourth message (Cisco and Huawei) or returns an error notification with a different message (Clavister and ZyXEL). Each time we learn that the ciphertext was valid, we can advance the Bleichenbacher attack one more step.
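To make the oracle described above concrete from the responder's side, here is an added Python example written for this post; it is not code from the paper and not any vendor's implementation. It builds a toy RSA key from two Mersenne primes, implements the PKCS #1 v1.5 type 2 padding check a responder performs on the decrypted nonce, and contrasts a leaky handler, whose visible reaction depends on the padding check, with a hardened handler that substitutes a random nonce on failure and proceeds uniformly (the countermeasure TLS adopted). The handler names, the response labels, and the 12-byte key are assumptions for illustration only.

```python
import os
from typing import Optional, Tuple

# Toy RSA key built from two Mersenne primes. Constructed for this demo only:
# a 92-bit modulus is utterly insecure, but it fits a 12-byte PKCS #1 v1.5 block.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8               # modulus length in bytes: 12
NONCE_LEN = K - 11                          # 1 byte here; real IKE nonces are 8 to 256 bytes


def rsa_raw(block: bytes, exponent: int) -> bytes:
    """Textbook RSA on a K-byte block, used for both encryption (E) and decryption (D)."""
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(K, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 00 || 02 || PS || 00 || M with PS at least 8 random non-zero bytes (type 2 block)."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes) -> Optional[bytes]:
    """Return M if em is a conformant type 2 block, else None. This decision is what an oracle leaks."""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                            # not found (-1) or PS shorter than 8 bytes
        return None
    return em[sep + 1:]


def responder_leaky(nonce_ct: bytes) -> Tuple[str, Optional[bytes]]:
    """Hypothetical responder mirroring the observed behaviour: a padding failure changes the answer."""
    nonce = pkcs1_v15_unpad(rsa_raw(nonce_ct, D))
    if nonce is None:
        return ("NOTIFY_ERROR", None)       # a silent abort is just as distinguishable
    return ("MSG4", nonce)


def responder_hardened(nonce_ct: bytes) -> Tuple[str, Optional[bytes]]:
    """Hypothetical hardened responder: on padding failure substitute a random nonce and carry on.
    The handshake then fails later at the authentication hash, exactly as it would for any peer
    that does not know the real nonce, so both paths look the same on the wire."""
    nonce = pkcs1_v15_unpad(rsa_raw(nonce_ct, D))
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    return ("MSG4", nonce)


# Constructed test vectors: a properly encrypted nonce, and the encryption of a block whose
# first byte is 0x01 instead of 0x00, so it is guaranteed non-conformant after decryption.
VALID_CT = rsa_raw(pkcs1_v15_pad(b"\x2a"), E)
BAD_CT = rsa_raw(b"\x01\x02" + b"\xff" * 8 + b"\x00\x2a", E)


def distinguishable(handler) -> bool:
    """True if the handler's visible reaction differs between conformant and non-conformant input."""
    return handler(VALID_CT)[0] != handler(BAD_CT)[0]


if __name__ == "__main__":
    print("leaky responder distinguishable:   ", distinguishable(responder_leaky))
    print("hardened responder distinguishable:", distinguishable(responder_hardened))
```

The `distinguishable` check captures the property that matters for defenders: whether a peer can tell a conformant decryption from a non-conformant one by observing the response. With the hardened handler both inputs produce a fourth message, and the handshake fails later at the authentication hash in the same way regardless of which path was taken, so the padding check no longer acts as an oracle.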

A Bleichenbacher Attack Against PKE

If a Bleichenbacher oracle is discovered in a TLS implementation, then TLS-RSA is broken since one can compute the Premaster Secret and the TLS session keys without any time limit on the usage of the oracle. For IKEv1, the situation is more difficult: Even if there is a strong Bleichenbacher oracle in PKE and RPKE mode, our attack must succeed within the lifetime of the IKEv1 Phase 1 session, since a Diffie-Hellman key exchange during the handshake provides an additional layer of security that is not present in TLS-RSA. For example, for Cisco this time limit is currently fixed to 60 seconds for IKEv1 and 240 seconds for IKEv2.

To phrase it differently: In TLS-RSA, a Bleichenbacher oracle allows an ex post attack that breaks the confidentiality of the TLS session later on, whereas in IKEv1 a Bleichenbacher oracle can only be used for an online attack to impersonate one of the two parties in real time.

Bleichenbacher attack against IKEv1 PKE based authentication.

The figure above depicts a direct attack on IKEv1 PKE:
  1. The attackers initiate an IKEv1 PKE based key exchange with Responder A and adhere to the protocol until receiving the fourth message. They extract the encrypted nonce from this message, and record the other public values of the handshake.
  2. The attackers keep the IKE handshake with Responder A alive as long as the responder allows. For Cisco and ZyXEL we know that handshakes are cancelled after 60 seconds, Clavister and Huawei do so after 30 seconds.
  3. The attackers initiate several parallel PKE based key exchanges to Responder B.
    • In each of these exchanges, they send and receive the first two messages according to the protocol specifications.
    • In the third message, they include a modified version of the encrypted nonce according to the Bleichenbacher attack methodology.
    • They wait until they receive an answer or they can reliably determine that this message will not be sent (timeout or reception of a repeated second handshake message).
  4. After receiving enough answers from Responder B, the attackers can compute the plaintext of the nonce.
  5. The attackers now have all the information to complete the key derivation and the handshake. They thus can impersonate Responder B to Responder A.

Key Reuse

Maintaining individual keys and key pairs for each protocol version, mode, and authentication method of IKE is difficult to achieve in practice. It is oftentimes simply not supported by implementations. This is the case with the implementations by Clavister and ZyXEL, for example. Thus, it is common practice to have only one RSA key pair for the whole IKE protocol family. The actual security of the protocol family in this case crucially depends on its cross-ciphersuite and cross-version security. In fact, our Huawei test device reuses its RSA key pair even for SSH host identification, which further exposes this key pair.

A Cross-Protocol Version Attack with Digital Signature Based Authentication

Signature Forgery Using Bleichenbacher's Attack

It is well known that in the case of RSA, performing a decryption and creating a signature is mathematically the same operation. Bleichenbacher's original paper already mentioned that the attack could also be used to forge signatures over attacker-chosen data. In two papers that my colleagues at our chair have published, this has been exploited for attacks on XML-based Web Services, TLS 1.3, and Google's QUIC protocol. The ROBOT paper used this attack to forge a signature from Facebook's web servers as proof of exploitability.

IKEv2 With Digital Signatures

Digital signature based authentication is supported by both IKEv1 and IKEv2. We focus here on IKEv2 because on Cisco routers, an IKEv2 handshake may take up to four minutes. This more relaxed timer compared to IKEv1 makes it an interesting attack target.

I promised that this blogpost will only give a comprehensive summary, therefore I am skipping all the details about IKEv2 here. It is enough to know that the structure of IKEv2 is fundamentally different from IKEv1.

If you're familiar with IT security, then you will believe me that if digital signatures are used for authentication, it is not particularly good if an attacker can get a signature over attacker-chosen data. We managed to develop an attack that exploits an IKEv1 Bleichenbacher oracle at some peer A to get a signature that can be used to break the IKEv2 authentication at another peer B. This requires that peer A reuses its key pair for IKEv2 also for IKEv1. For the details, please read our paper [alternative link to the paper].

Evaluation and Results

For testing the attack, we used a Cisco ASR 1001-X router running IOS XE in version 03.16.02.S with IOS version 15.5(3)S2. Unfortunately, Cisco's implementation is not optimized for throughput. From our observations we assume that all cryptographic calculations for IKE are done by the device's CPU despite it having a hardware accelerator for cryptography. One can easily overload the device's CPU for several seconds with a standard PC bursting handshake messages, even with the default limit for concurrent handshakes. And even if the CPU load is kept below 100 %, we nevertheless observed packet loss.

For the decryption attack on Cisco's IKEv1 responder, we need to finish the Bleichenbacher attack in 60 seconds. With a 1024-bit public key on our ASR 1001-X router, we measured an average of 850 responses to Bleichenbacher requests per second. Therefore, an attack must succeed with at most 51,000 Bleichenbacher requests.

But another limit is the management of Security Associations (SAs). There is a global limit of 900 Phase 1 SAs under negotiation per Cisco device in the default configuration. If this number is exceeded, one is blocked. Thus, one cannot start individual handshakes for each Bleichenbacher request to issue. Instead, SAs have to be reused as long as their error counter allows. Furthermore, establishing SAs with Cisco IOS is really slow. During the attack, the negotiations in the first two messages of IKEv1 require more time than the actual Bleichenbacher attack.

We managed to perform a successful decryption attack against our ASR 1001-X router with approximately 19,000 Bleichenbacher requests. However, due to the necessary SA negotiations, the attack took 13 minutes.

For the statistics and for the attack evaluation of digital signature forgery, we used a simulator with an oracle that behaves exactly as the ones by Cisco, Clavister, and ZyXEL. We found that about 26% of attacks against IKEv1 could be successful based on the cryptographic performance of our Cisco device. For digital signature forgery, about 22% of attacks could be successful under the same assumptions.

Note that (without a patched IOS), only non-cryptographic performance issues prevented a successful attack on our Cisco device. There might be faster devices that do not suffer from this. Also note that a Bleichenbacher attack that is too slow does not permanently lock out attackers. If a timeout occurs, they can just start over with a new attack using fresh values, hoping to require fewer requests. If the victim has deployed multiple responders sharing one key pair (e. g. for load balancing), this could also be leveraged to speed up an attack.

Responsible Disclosure

We reported our findings to Cisco, Huawei, Clavister, and ZyXEL. Cisco published fixes with IOS XE versions 16.3.6, 16.6.3, and 16.7.1. They further informed us that the PKE mode will be removed with the next major release.

Huawei published firmware version V300R001C10SPH702 for the Secospace USG2000 series that removes the Bleichenbacher oracle and the crash bugs we identified. Customers who use other affected Huawei devices will be contacted directly by their support team as part of a need-to-know strategy.

Clavister removed the vulnerable authentication method with cOS version 12.00.09. ZyXEL responded that our ZyWALL USG 100 test device is from a legacy model series that is end-of-support. Therefore, these devices will not receive a fix. For the successor models, the patched firmware version ZLD 4.32 (Release Notes) is available.

FAQs

  • Why don't you have a cool name for this attack?
    The attack itself already has a name, it's Bleichenbacher's attack. We just show how Bleichenbacher attacks can be applied to IKE and how they can break the protocol's security. So, if you like, call it IPsec-Bleichenbacher or IKE-Bleichenbacher.
  • Do you have a logo for the attack?
    No.
  • My machine was running a vulnerable firmware. Have I been attacked?
    We have no indication that the attack was ever used in the wild. However, if you are still concerned, check your logs. The attack is not silent. If your machine was used for a Bleichenbacher attack, there should be many log entries about decryption errors. If your machine was the one that got tricked (Responder A in our figures), then you could probably find log entries about unfinished handshake attempts.
  • Where can I learn more?
    First of all, you can read the paper [alternative link to the paper]. Second, you can watch the presentation, either live at the conference or later on this page.
  • What else does the paper contain?
    The paper contains a lot more details than this blogpost. It explains all authentication methods including IKEv2 and it gives message flow diagrams of the protocols. There, we describe a variant of the attack that uses the Bleichenbacher oracles to forge signatures to target IKEv2. Furthermore, we describe the quirks of Huawei's implementation including crash bugs that could allow for Denial-of-Service attacks. Last but not least, it describes a dictionary attack against the PSK mode of authentication that is covered in a separate blogpost.
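The log check suggested in the FAQ above, as an added Python example written for this post; it is not the paper's code and is not tied to any vendor's log syntax. The sample lines and their format are constructed for the demo, and the field names, the 60-second window (taken from the Cisco handshake timeout mentioned above) and the threshold are assumptions. It counts RSA decryption failures per peer in a sliding window, which is where a probing run against a responder would show up, and separately tallies handshakes that timed out before completion, the trace a tricked Responder A would leave.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Hypothetical line format: "<ISO timestamp> ike: peer <address> <message>"
LINE_RE = re.compile(r"^(\S+) ike: peer (\S+) (.+)$")


def build_sample_log() -> str:
    """Constructed sample log (documentation addresses, invented message texts)."""
    t0 = datetime(2018, 8, 10, 10, 0, 0)

    def stamp(delta: timedelta) -> str:
        return (t0 + delta).isoformat(timespec="milliseconds")

    lines = []
    # 30 padding failures from one peer within about 23 seconds: the noise a probing run leaves
    for i in range(30):
        lines.append(f"{stamp(timedelta(milliseconds=800 * i))} ike: peer 203.0.113.7 "
                     "ISAKMP msg3 RSA decryption failed: bad PKCS#1 padding")
    # two isolated failures from an ordinary peer 45 minutes apart: misconfiguration, not probing
    for minutes in (5, 50):
        lines.append(f"{stamp(timedelta(minutes=minutes))} ike: peer 198.51.100.5 "
                     "ISAKMP msg3 RSA decryption failed: bad PKCS#1 padding")
    # Responder A side: a handshake kept open until the timer expired, never completed
    lines.append(f"{stamp(timedelta(seconds=60))} ike: peer 192.0.2.9 "
                 "phase 1 negotiation timed out, SA deleted")
    return "\n".join(lines)


def analyze(log_text: str, window: int = 60, threshold: int = 20) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (bursts, unfinished).

    bursts:     peer -> peak number of decryption failures inside any `window`-second span,
                for peers whose peak reached `threshold`.
    unfinished: peer -> number of Phase 1 handshakes that timed out before completion.
    """
    failures = defaultdict(list)
    unfinished: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, peer, msg = m.groups()
        t = datetime.fromisoformat(ts)
        if "decryption failed" in msg:
            failures[peer].append(t)
        elif "negotiation timed out" in msg:
            unfinished[peer] += 1

    bursts: Dict[str, int] = {}
    for peer, times in failures.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:                      # sliding window over the sorted timestamps
            recent.append(t)
            while t - recent[0] > timedelta(seconds=window):
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            bursts[peer] = peak
    return bursts, dict(unfinished)


if __name__ == "__main__":
    bursts, unfinished = analyze(build_sample_log())
    for peer, count in bursts.items():
        print(f"probing suspected from {peer}: {count} decryption failures within 60 s")
    for peer, count in unfinished.items():
        print(f"{count} unfinished Phase 1 handshake(s) with {peer}")
```

The threshold separates an occasional mismatched key or stale configuration, which produces a handful of failures spread over a long time, from the dense stream of failures a Bleichenbacher-style probing run produces within one handshake lifetime; tune the window to the responder's actual Phase 1 timeout.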
