无需 VPN？针对 OPC UA 协议的加密攻击.pdf

1、#BHUSA BlackHatEventsNo VPN Needed?No VPN Needed?Cryptographic Cryptographic Attacks Against the OPC UA ProtocolAttacks Against the OPC UA ProtocolTom TervoortINTRO2#BHUSA BlackHatEventsOutlineWhat is OPC UA?OPC UA CryptographyAttack 1:signing oracle auth bypassAttack 2:padding oracle auth bypassFol

2、low-up and conclusions#BHUSA BlackHatEventsWhat is OPC UA?Photos by Magda Ehlers,Tom Fisk,Pixabay,Mattcmoi#BHUSA BlackHatEventsWhy investigate it?#BHUSA BlackHatEventsOPC UA securityImage by OPC FoundationSecurity ModeClient/Server AuthIntegrityConfidentialityNoneSign SignAndEncrypt Client/server au

3、thentication:X.509 certificatesUser authentication:password,JWT,cert,etc.Can have both,either or neitherTrust models:pre-configured,first-time approval,PKISecurity Mode,user authentication method,and ciphers are negotiated between client and server#BHUSA BlackHatEventsSecure channel handshakeSecurit

4、y PolicyEncryption schemeSigning schemeNone-Basic128Rsa15RSA PKCS#1v1.5SHA1+RSA PKCS#1v1.5Basic256RSA-OAEP-SHA1SHA1+RSA PKCS#1v1.5 Basic256Sha256RSA-OAEP-SHA1SHA256+RSA PKCS#1v1.5 Aes128_Sha256_RsaOaepRSA-OAEP-SHA1SHA256+RSA PKCS#1v1.5 Aes256_Sha256_RsaPssRSA-OAEP-SHA256SHA256+RSA-PSS(simplified)Als

5、o various ECC policies;rarely used yet#BHUSA BlackHatEventsSession handshake Symmetric crypto based on AES and HMAC Challenge signing with same certificates as channel phase Password-based user auth:encrypt password with server public key,even with None policy Certificate-based user auth:sign same s

6、erver challenge with“user certificate”Session bound to channel+key Very inefficient protocol:three expensive RSA decrypt/sign operations on each side!But is it secure?#BHUSA BlackHatEventsAttacking the session handshakeIn servers CreateSessionResponse:In clients ActivateSessionResponse:Looks rather