TLS1.2 IS DEAD BE READY FOR TLS1.3

Transcription

1 TLS1.2 IS DEAD BE READY FOR TLS March 2017 Enterprise Architecture Technology & Operations

2 Presenter Photo Motaz Alturayef Jubial Cyber Security Conference

3

4 70% Privacy and security concerns are driving encrypted traffic growth, which is expected to represent 70 percent of all Internet traffic this year. Source: Sandvine, Global Internet Phenomena Spotlight, 2016

5 The history of SSL and TLS? SSL1 and SSL2 Created by Netscape and contained significant flaws SSL3 Created by Netscape to address SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security fixes and TLS extensions RFC4346 TLS 1.2 Added support for authenticated encryption (AES-GCM, CCM modes) and removed hard-coded primitives RFC Crap hits the fan First set of public SSL exploits

6 SSL isn t perfect SSL vulnerabilities exposed August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack RFC 5746 TLS extension for secure renegotiation quickly mainstreamed BEAST & CRIME Client-side or MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws Lucky 13 Another timing attack RC4 Attacks Weakness in CBC cipher making plaintext guessing possible TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it! August 2009 February 2010 September 2011 February 2013 March 2013 March 2013 April 2014 POODLE Padding oracle attack on SSLv3 Dire POODLE Padding oracle attack on TLS FREAK Implementation attack on export ciphers LogJam Implementation attack on weak DH

7

8 How TLS1.2 works Client Server Client Hello Support Cipher Suites Server Hello Chosen Cipher Suites Key Share Key Share Finished Finished HTTP GET HTTP Response

9 How TLS1.3 works Client Server Client Hello Support Cipher Suites Key Share Server Hello Chosen Cipher Suites Key Share Finished Certificate and Signature Finished HTTP GET HTTP Response

10 Speeding Up TLS1.2 Resumption Client Server Client Hello Session ID Server Hello Finished Finished HTTP GET HTTP Response

11 TLS1.3 0-RTT Resumption Client Server Client Hello Session Ticket Key Share HTTP GET Server Hello Key Share Finished HTTP Response

12 TLS1.3 is Anti-Downgrade TLS1.3 uses a smart of way of detecting of there is a MiTM trying to downgrade the connection. This Achieved by sending Random number with ClientHello So connection cannot be downgraded if the client support TLS1.3

13 Removed with TLS1.3 Static RSA HandShake CBC RC4 SHA1 MD5 Compression Renegotiation

14 Keeping Your SSL up to Date

15 Understanding SSL? Key Exchange For exchanging keying information at the start of the session Message (bulk) Encryption Uses the master secret to encrypt data between parties RSA DHE_RSA ECDH(E)_RSA ECDH(E)_ECDSA RSA AES DES/3DES RC4 Camellia Message Authentication Produces one-way encrypted hashes of data for data integrity MD5 SHA

16 Reading SSL? Cryptographic notation Protocol Authentication Algorithm Strength Mode TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256 Key Exchange Message (bulk) Encryption Message Authentication Ivan Ristic: Bulletproof SSL and TLS

17 SSL Strength SSL intelligence and best practices Achieving an A+ grade Require Secure Renegotiation [A-] Disable SSLv2 and SSLv3 (default in 11.5+) [B] Disable RC4 [B/C] Disable 3DES SHA1 Certs as no longer accepted Prefer Perfect Forward Secrecy (prioritize ECDHE, DHE) [A-/B], Min 2048 Enable TLS_FALLBACK_SCSV [A] Enable HSTS [A] Patch to TMOS HF7, HF7, or 11.6 [C or F] Use an explicit and strong cipher string Extra credit for PCI compliance Disable TLS 1.0 Reference : NATIVE:!SSLv2:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:-MD5:-SSLv3:-RC4

18 Sources CloudFlair: An overview of TLS 1.3 and Q&A Presentation By Filippo Valsorda F5 Networks: SSL Presenation RFC: The Transport Layer Security (TLS) Protocol Version 1.3 draft-ietf-tls-tls13-19