Examining DES-based Cipher Suite Support within the TLS Ecosystem

welcome good afternoon welcome to besides Las Vegas this talk is good Oh video recording live streaming yes that's good got the thumbs up thank you guys we'd like to think our thought our sponsors especially the inner circle critical stack and Bali mail also our stellar sponsors who are silenced Microsoft and Robin Hood cellphones please be courteous premier plane mode for a few minutes okay feedbacks are available on the website with further I'd like to introduce our speaker Vanessa frost is currently a cyber security graduate student working with dr. Kevin Butler at the fic research lab at the University of Florida her research interests include protecting consumer data privacy from third parties eliminating the effectiveness of mass surveillance

techniques let's give a hand [Applause] thank you for the introduction and big thank you to B sides for this opportunity one small correction not the MIT lab I wish I'm from the fix lab the Florida Institute of cybersecurity at the University of Florida in Gainesville so a little bit more about me I'm a third year PhD student again interested in protecting consumers mostly I got into the PhD gig because I was super concerned about data mining mass surveillance of populations that whole thing and this research is part of what came out of questions that I had so today we're going to be talking a little bit about does that might surprise some of you because it's 2019 why the hell

are we still talking about does let's get into it so a little bit of background before we had the Advanced Encryption standard AES we had the data encryption standard so the data encryption standard is the evolution of an algorithm developed by IBM in the early 70s just as a note there are three flavors of des there's the og des 56 that has a 56 bit key there's Triple DES which is des three times with 168 bit key and then there's des 40 now the u.s. treats encryption algorithms as a munitions so in order to export des to other countries we had to make a weaker version and does 40 was our solution fat so does 40 as des with

a 40 bit key now des 56 was publicly brute forced in 1997 by participants of the DES challenge shortly after that NIST suggested using Triple DES as a temporary replacement with the longer key length it was more resilient to brute force attacks shortly after that does 56 was deprecated and Triple DES followed just last year all right who cares some standards committee deprecated does why should we care hopefully because their security enthusiastic air encryption using des 56 can be broken in just seconds does 40 with a much smaller key length can be broken less than half a second and Triple DES has suite 32 attacks so suite 32 is an attack that utilizes what's called the birthday

bound of block ciphers so say that you have a cipher with a block length of and it's the birthday bound of that cipher would be 2 to the N over 2 basically what that means that if you have in cypher blocks you would need about 2 to the N over 2 blocks to find a collision between 2 of them so using these attacks researchers were able to find a collision between blocks in less than 25 minutes now aside from that are also downgrade attacks which will roll back the version of TLS you have to probably an earlier version that may only support des ciphers and there are also middlemen servers that exclusively advertised that servers for

handshake negotiations so you're locked into using DES encryption alright it's been 22 years now where is des 22 years since it was cracked is it still out there we weren't the only ones curious about this there are some prior research that looked at recorded connections from 2012 this first paper finds that 1.4 percent of connections are using Triple DES and it went down last year and only 0.3 percent of connections which is great we're going down that's the direction we need to head second paper takes a look at does 56 there were des 56 accepted handshakes in point nine percent of connections in just last year and now according to their website that's less than 0.01 five percent today

so looks like we did it defecation it does works we don't have to worry about it anymore right that's a fast so these period prior papers looked at a passive analysis of existing connections that they observed over time that means they're looking at what servers did in the past not necessarily what servers are capable of doing we wanted to know if servers were still supporting does not necessarily using them so in order to do that we first have to understand how a TLS connection works in a TLS connection when a client wants to connect to a server it'll send a server a client hello as well as a list of cipher suites that client will support their server

will receive this send a server hello and choose the strongest cipher suite to encrypt with that they have in common with the client for purposes of our research we don't care about what happens after this this is important because there are 36 different des ciphers that could be used in an encryption handshake in an encrypted handshake so if you want to find out if a server is supporting this you have to create with just that cipher one IP address 36 times so in order to figure out a server support are supporting this in any efficient manner at all we had to come up with a sort of strategy now first we needed to get a list of IP

addresses just querying randomly random IP addresses that may or may not exist wasn't going to get us anywhere very fast so thanks to the generosity of some researchers up at the university of illinois they gave us access to their census database now census uses a tool called zmapp to probe IP addresses that may be online it will send a hello if that server responds they will cut the connection with it with a reset packet and store that IP address as something that is responsive online so we were able to pull a list of 41 million IP addresses that were responsive on port 443 from census and query them next we needed a some sort of program or

Automator that will query these IP addresses with these 36 different DES ciphers for us so the Automator that we created will take this massive list of IP addresses slid it up into a bunch of different sub lists and hand it to these worker threads now the worker threads will take each IP address in that list and query it with a des cipher each one one at a time 36 times it will store the result as a JSON and then we can analyze it using PI spark all right so 36 ciphers times the 31 million IP addresses that we were able to query is 1.1 billion handshakes in a period of about six months all right numbers I'm

boring you what do we find over 40% of servers worldwide still accept some form of des cipher yep I'm going to be going through a lot of graphs and a lot of maps now so feel free to jump in with questions that you have you don't have to wait till the end all right so over 40 percent of servers we query accept some form of des cipher with Triple DES being vastly moved supported it was just deprecated last year that's probably to be expected however we did see a substantial and worrying amount of deaths 56 and does 40 being used we also wanted to know what about the top sites these sites the 40% may be from servers that never get

upgraded that were connected once upon a time by some guy who was tinkering around in his basement and forgot about his Windows PC forever not quite the top 1000 of Alexa websites still except or 34% of them still accept some form of death cipher and the breakdown for the ciphers that get accepted is about the same triple des is definitely overwhelmingly more supported but we also did something a little bit cooler that I think I really appreciate it I was curious to know who was accepting des ciphers so we ended up taking location data from census that were tied to these servers and mapping them per cipher to the countries where these servers are located so these maps

are going to be a percentage of whatever cipher is accepted over how many servers are in that country now there are a couple of countries that are striped out these are countries for which we had fewer than 100 servers reported we left them out just to be as accurate as possible so as you can see most countries do not support des 40 with the notable exception of Kazakhstan here with a thirty two point seven percent of their servers accept does 40 next up is Liberia with 17.8 now without getting legal an analyses and policy experts we can't really say for certain why cause like stay in Liberia except so much does 40 we have looked online at why this

might be the case a lot of countries have either legislation or unofficial policies governing what encryption I guess standards they're following so in instance for Kazakhstan they require both ISPs and individuals to assist in governments don't want to be too speculative that's just something that I'm throwing out there but there seems to be a lot of evidence to that fact but it's ok guys all right now we have does 56 we have nature in the lead with 24% Liberia with 19% Canada with 14% sorry Canadians absolutely blame Canada after three more slides all right now we have triple does the problem child this is where our 40% comes from the majority of countries support does Triple DES on 40% of

servers at least and we do see typically a pattern we see countries that support a little bit of does 40 and then a little bit more does 56 and then a buttload of Triple DES support again probably to be expected it was just deprecated last year if we hold this in 15 years time hopefully this map would look a lot more like does 56 we do see some patterns that are some countries that don't fit this pattern for example cause backs and supports actually less Triple DES and they support des 40 not to sing a lot Kazakhstan it was just a fun country to like look at we also wanted to know are there any countries that are

contributing some sort of imbalance here we can see the percentage per country but worldwide 40 percent really the answer is yeah yeah there is the u.s. either because they were the most servers that we could reach or because it just has a buttload of computers compared to the rest of the world had the most acceptances out of any country for each cypher so as a note the countries are shaded for the total number of des accepting servers that were found in that country and the bubbles are just more localized points where some of those servers were aggregated just as a note there were some very small bubbles that we had to cut just in order to be able to render these maps

and there are some very large bubbles we had to cut that are still represented by the shading of the country just so we can read the map so even though Kazakhstan supports a higher percentage of does 40 the u.s. supports their own export Seifer more than any other country oh yeah no so where we got this geographical information from the server's is not necessarily super accurate um they are supposedly 99% accurate to the country the region is less accurate and then like the city is even less accurate so actually for the majority of our country is the dot that we had the Latin longitude was over like reservoirs and lakes and seas probably no servers there I'd be willing to guess

but so we're not really sure why there's that big bubble over Florida my initial thought was Gainesville and all of the matina they do possibly also NASA don't take my word for that at all yeah all right now we have does 56 so Canada wasn't quite in the lead for percentage accepting but they are second place behind the US for the number of does 56 accepting servers that they have and Triple DES now there are a lot of countries that support Triple DES at 40% of servers but the u.s. definitely Dorf every other country in terms of raw numbers China comes in next now there were some limitations to our study for instance we didn't get a chance to look

at the longitudinal information for DES support so an IP address that we queried a month ago we couldn't query today and see are they still supporting what they did last last month we just didn't have time and next our list of IP addresses it's from a single snapshot in time that means an hour scan took six months so that means that by the end when we were getting to some of the IP addresses on the lower parts of the list it's possible they were taken offline they're unreachable other machines could have cycled onto the network we have no way of knowing so we do include this Sankey key diagram something that um give us a

breakdown of which servers were responsive and which ones weren't so the servers that gave us unknown errors were actually responsive it's just for some reason our client was not able to communicate with them it could have been a configuration an error on our part could have been a configuration error on their part there was just no way to know we also got some IO timeouts each i/o timeout and connection timeout took us 10 seconds before it actually timed out so the IO timeouts these servers were actually responsive it could be the case where we would query it with one decipher we get an IO timeout we've query it with another and we get an accepted handshake so we had to leave

those in just to record our except two handshakes for the connection timeouts these were servers that weren't reachable that weren't responsive and in order to save time on our polling once we got the first connection timeout we ended up dropping all subsequent connection attempts to that server otherwise we'd be spending 6 minutes on each IP address which was just not feasible all right have you seen the map it's everywhere why why is the still being used we had a couple of ideas one is that these people who are accepting des may see that removing does removing support for DES encryption could remove support for legacy machines and secondly as we saw national policy might influence which encryption ciphers get

used but we don't think these are compelling reasons because 40% of global server's aren't legacy the previous research has blend this out at the highest number that we saw Triple DES when 1.4 percent of connections 1.4 percent of connections we're using des why are they needing 40% support and as we saw on the raw numbers national policy might influence what a country does within its borders but its neighbors are not beholden to its encryption policies so that's not the weighing factor either okay we see does it's everywhere we have a couple of ideas why it could be there but they're not very compelling reasons so how do we get rid of it and we had a couple of

ideas so first one is pretty straightforward maintain support for legacy users only on an as-needed basis take a look at your customer traffic take a look at what encryption ciphers they're using what their handshakes looks like if you drop the support we believe that you will lose a shockingly small number small amount of user traffic and the previous research has borne this out to review your internal encryption policies with some regularity as an example open SSL drop support for Triple DES in 2016 and Triple DES is still being supported in 40% of servers that means either people aren't updating their open SSL or their copy-pasting dragging old configuration files or they're manually adding it back in and

if that's the case probably nothing I say in this talk is going to dissuade you next propose a kind of point for does support if anybody here is familiar with the tale of the renegade YouTube team and killing ie6 you know how effective that is as they step in the right direction most major browsers have announced that they're going to drop support for TLS 1.0 and 1.1 by 2020 which is good news because they still support death ciphers and lastly we have a compelling alternative to DES it's faster it's stronger it's free it's not patented by anybody please use it and now we saw which countries were supporting them how often does was being supported we wanted to know who's still

supporting does so to that end in the future we're hoping to take a finger fingerprints of IP addresses which do advertise support for des we have some preliminary results using reverse T in us and what we find is that typically companies that offer services like cloud computing or leasing computing power have the largest numbers of desk supporting servers now we're assuming this isn't the company's practice it's whoever they're giving these machines out to who's responsible for this configuration but we're not sure all right and to summarize death ciphers are broken they've been broken they don't provide adequate security guarantees for online communication anymore over 40% of servers worldwide still support some form of des cipher

with Triple DES being vastly more supported and des divers are being used less over time which is good and we can probably expect to see a long tail as they gradually fall out of support and we can take more proactive measures to phase out des abort completely otherwise we risk being haunted by our pasts thank you for listening to my talk

any questions yes yeah so for the majority of tillis TLS implementations that I'm aware of you can also you can manually add support for specific ciphers or drop them so but yeah TLS 1.3 by default doesn't software it does yep yeah oh yeah so the question was is there a paper that we published for this research and yes the paper name is examining does BAE cipher suite support within the TLS ecosystem we published it at Asia CCS just this year and feel free to go read it it's got a bunch of pretty graphs in it too yes so the question so the question was the sweet thirty-two effect AES which is also a block cipher

and are there other modes of encryption for AES that you can use that will mitigate that attack and the answer in short is I'm not an encryption expert but I would assume that a es is subjects you suite 32 attacks but because AES is block cipher is much larger than des des is block cipher 64 bits AS is I think 128 it is yeah it will be less susceptible to those attacks yes did i probe email too no we just probed IP addresses that response upon port 443 we would like to look at email as well that's probably why a large number of our does ciphers weren't used ever but we didn't get a chance to yes why not port 22 simple

answer because we had very limited time yeah gotcha all right that's yeah thank you [Applause]