People have been asking if wolfSSL is vulnerable to the ’Selfie’ attack (https://eprint.iacr.org/2019/347). We are glad to say that we follow all the recommendations made by the authors. First, though, an explanation of the attack.
The attack targets the use of Pre-Shared Keys (PSKs) with TLS 1.3 though TLS 1.2 is also vulnerable. There are very specific use cases that are affected. When a group of computers want to connect to each other then sharing a PSK is a simple way to set things up. Membership of the group is based on the knowledge of the PSK. This means that certificate authentication is not used.
The attack scenario is when a new computer comes into the network that can intercept or Man-in-the-Middle (MitM) the communications between computers. When a computer, let’s call it Alice, acting as a client sends a TLS ClientHello, the MitM, which we’ll call Eve, reflects the message back in a new connection to Alice. Alice acting as a server sees a new TLS ClientHello and in parallel responds with the first round of messages. These messages are sent back by Eve to the client on Alice. Alice as a client uses the messages to establish a connection and sends a response. Eve uses the response to respond to Alice the server and so on and a secure connection is established.
Because everyone is using the same PSK for client and server connections, Alice does not notice anything wrong! Now that a secure connection has been established, which Eve cannot decrypt, it can be hard to see what the issue would be. The attack comes when a message like ‘Delete your copy of this file, I have a copy’ is sent. Eve reflects the message back and Alice decides that the she doesn’t have to keep a copy after all and deletes it.
The paper lists a number of scenarios that may be vulnerable:
- Content Delivery Networks (CDNs) - poisoning caches.
- P2P Networks.
- WiFi networks that rely on PSKs for the entire network.
- Leader-election and consensus protocols.
Mitigations and Recommendations
One way to prevent this attack is to use the Server Name indicator (SNI) extension. This way Alice recognises she didn’t connect to the computer she wanted to but to herself.
The recommendations of the paper are:
- Don’t share PSKs amongst a group of computers unless certificates are used initially to establish identity. This goes against the PSK use case!
- If you must use a shared PSK without certificates, then use the SNI extension.
- TLS toolkits should either not implement PSK or not have it configured by default.
By default in wolfSSL, PSKs are not enabled but are available for use when you need it. wolfSSL also implements the SNI extension and we encourage you to use it.
For more information about the wolfSSL library, please contact firstname.lastname@example.org.